diff --git a/.update-changes.cfg b/.update-changes.cfg index e3d04b7422..ed23fb4565 100644 --- a/.update-changes.cfg +++ b/.update-changes.cfg @@ -7,15 +7,7 @@ function new_version_hook # test suite repos to check out on a CI system. version=$1 - if [ -d testing/external/zeek-testing ]; then - echo "Updating testing/external/commit-hash.zeek-testing" - ( cd testing/external/zeek-testing && git fetch origin && git rev-parse origin/master ) > testing/external/commit-hash.zeek-testing - git add testing/external/commit-hash.zeek-testing - fi + ./testing/scripts/update-external-repo-pointer.sh testing/external/zeek-testing testing/external/commit-hash.zeek-testing - if [ -d testing/external/zeek-testing-private ]; then - echo "Updating testing/external/commit-hash.zeek-testing-private" - ( cd testing/external/zeek-testing-private && git fetch origin && git rev-parse origin/master ) > testing/external/commit-hash.zeek-testing-private - git add testing/external/commit-hash.zeek-testing-private - fi + ./testing/scripts/update-external-repo-pointer.sh testing/external/zeek-testing-private testing/external/commit-hash.zeek-testing-private } diff --git a/CHANGES b/CHANGES index e1f0882198..18e2d85a74 100644 --- a/CHANGES +++ b/CHANGES 
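Review bot: The two `./testing/scripts/update-external-repo-pointer.sh` invocations that replace the guarded blocks in new_version_hook discard the first call's exit status, because only the last command's status becomes the function's return value; a failure updating commit-hash.zeek-testing therefore goes unnoticed unless the caller runs under `set -e`, which nothing visible here establishes. The removed code also skipped the update when the checkout directory was absent, and whether the new script reproduces that check (or exits non-zero on a missing directory) cannot be seen from this hunk, so it is worth confirming. Appending an explicit status check to each call keeps the hook honest, e.g. `./testing/scripts/update-external-repo-pointer.sh testing/external/zeek-testing testing/external/commit-hash.zeek-testing || return 1` and the same for the zeek-testing-private pair.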
@@ -1,4 +1,280 @@ +2.6-249 | 2019-04-26 19:26:44 -0700 + + * Fix parsing of hybrid IPv6-IPv4 addr literals with no zero compression (Jon Siwek, Corelight) + +2.6-246 | 2019-04-25 10:22:11 -0700 + + * Add Zeexygen cross-reference links for some events (Jon Siwek, Corelight) + +2.6-245 | 2019-04-23 18:42:02 -0700 + + * Expose TCP analyzer utility functions to derived classes (Vern Paxson, Corelight) + +2.6-243 | 2019-04-22 19:42:52 -0700 + + * GH-234: rename Broxygen to Zeexygen along with roles/directives (Jon Siwek, Corelight) + + * All "Broxygen" usages have been replaced in + code, documentation, filenames, etc. + + * Sphinx roles/directives like ":bro:see" are now ":zeek:see" + + * The "--broxygen" command-line option is now "--zeexygen" + +2.6-242 | 2019-04-22 22:43:09 +0200 + + * update SSL consts from TLS 1.3 (Johanna Amann) + +2.6-241 | 2019-04-22 12:38:06 -0700 + + * Add 'g' character to conn.log history field to flag content gaps (Vern Paxson, Corelight) + + There's also a small change to TCP state machine that distrusts ACKs + appearing at the end of connections (in FIN or RST) such that they won't + count towards revealing a true content gap. + +2.6-237 | 2019-04-19 12:00:37 -0700 + + * GH-236: Add zeek_script_loaded event, deprecate bro_script_loaded (Jon Siwek, Corelight) + + Existing handlers for bro_script_loaded automatically alias to the new + zeek_script_loaded event, but emit a deprecation warning. + +2.6-236 | 2019-04-19 11:16:35 -0700 + + * Add zeek_init/zeek_done events and deprecate bro_init/bro_done (Seth Hall, Corelight) + + Any existing handlers for bro_init and bro_done will automatically alias + to the new zeek_init and zeek_done events such that code will not break, + but will emit a deprecation warning. 
+ +2.6-232 | 2019-04-18 09:34:13 +0200 + + * Prevent topk_merge from crashing when second argument is empty set (Jeff Barber) + +2.6-230 | 2019-04-17 16:44:16 -0700 + + * Fix unit test failures on case-insensitive file systems (Jon Siwek, Corelight) + +2.6-227 | 2019-04-16 17:44:31 -0700 + + * GH-237: add `@load foo.bro` -> foo.zeek fallback (Jon Siwek, Corelight) + + When failing to locate a script with explicit .bro suffix, check for + whether one with a .zeek suffix exists and use it instead. + +2.6-225 | 2019-04-16 16:07:49 -0700 + + * Use .zeek file suffix in unit tests (Jon Siwek, Corelight) + +2.6-223 | 2019-04-16 11:56:00 -0700 + + * Update tests and baselines due to renaming all scripts (Daniel Thayer) + + * Rename all scripts to have ".zeek" file extension (Daniel Thayer) + + * Add test cases to verify new file extension is recognized (Daniel Thayer) + + * Fix the core/load-duplicates.bro test (Daniel Thayer) + + * Update script search logic for new .zeek file extension (Daniel Thayer) + + When searching for script files, look for both the new and old file + extensions. If a file with ".zeek" can't be found, then search for + a file with ".bro" as a fallback. 
+ + * Remove unnecessary ".bro" from @load directives (Daniel Thayer) + +2.6-212 | 2019-04-12 10:12:31 -0700 + + * smb2_write_response event added (Mauro Palumbo) + +2.6-210 | 2019-04-10 09:54:27 -0700 + + * Add options to tune BinPAC flowbuffer policy (Jon Siwek, Corelight) + +2.6-208 | 2019-04-10 11:36:17 +0000 + + * Improve PE file analysis (Jon Siwek, Corelight) + + * Set PE analyzer CMake dependencies correctly (Jon Siwek, Corelight) + +2.6-205 | 2019-04-05 17:06:26 -0700 + + * Add script to update external test repo commit pointers (Jon Siwek, Corelight) + +2.6-203 | 2019-04-04 16:35:52 -0700 + + * Update DTLS error handling (Johanna Amann, Corelight) + + - Adds tuning options: SSL::dtls_max_version_errors and + SSL::dtls_max_reported_version_errors + +2.6-200 | 2019-04-03 09:44:53 -0700 + + * Fix reporter net_weird API usage for unknown_mobility_type + (Jon Siwek, Corelight) + + * Remove variable content from weird names + + This changes many weird names to move non-static content from the + weird name into the "addl" field to help ensure the total number of + weird names is reasonably bounded. Note the net_weird and flow_weird + events do not have an "addl" parameter, so information may no longer + be available in those cases -- to make it available again we'd need + to either (1) define new events that contain such a parameter, or + (2) change net_weird/flow_weird event signature (which is a breaking + change for user-code at the moment). + + Also, the generic handling of binpac exceptions for analyzers which + to not otherwise catch and handle them has been changed from a Weird + to a ProtocolViolation. + + Finally, a new "file_weird" event has been added for reporting + weirdness found during file analysis. (Jon Siwek, Corelight) + +2.6-197 | 2019-04-03 09:08:58 -0700 + + * Make Syslog analyzer accept non-conformant messages that omit Priority. 
+ (Jon Siwek, Corelight) + +2.6-195 | 2019-03-27 12:36:34 -0700 + + * Reduce weird-stats overhead (Justin Azoff, Corelight) + +2.6-193 | 2019-03-27 10:53:01 -0700 + + * Update now-broken Broker API usages (Jon Siwek, Corelight) + + Related to https://github.com/zeek/broker/pull/38, see Broker's NEWS file + for C++ code migration hints. + +2.6-192 | 2019-03-25 17:49:18 -0700 + + * Deprecate str_shell_escape, add safe_shell_quote replacement (Jon Siwek, Corelight) + +2.6-191 | 2019-03-25 16:43:10 -0700 + + * Add support for SMB filenames to the intel framework (Stephen Hosom) + +2.6-186 | 2019-03-25 09:41:57 -0700 + + * Added policy script for intel removal. (Jan Grashoefer) + + * Added Intel::filter_item hook to filter intelligence items. (Jan Grashoefer) + +2.6-178 | 2019-03-21 14:10:44 -0700 + + * Add support for parsing SMB 3.1.1 NegotiateContextList response values (Mauro Palumbo) + +2.6-175 | 2019-03-20 19:25:11 -0700 + + * Parse SMB2 TRANSFORM_HEADER messages and generate new smb2_transform_header event (Mauro Palumbo) + +2.6-172 | 2019-03-20 17:59:30 -0700 + + * Fix smb_files.log missing FUID field in read/write actions (Mauro Palumbo) + +2.6-169 | 2019-03-19 19:12:47 -0700 + + * Add support for NFLOG link-layer type (Ryan Denniston) + +2.6-167 | 2019-03-18 13:58:28 -0700 + + * GH-307: Build binpac as a shared lib, not static by default (Jon Siwek, Corelight) + +2.6-166 | 2019-03-18 11:45:35 -0700 + + * Add source file path control options for Input and Intel frameworks (Christian Kreibich, Corelight) + + This introduces the following redefinable string constants, empty by + default: + + - InputAscii::path_prefix + - InputBinary::path_prefix + - Intel::path_prefix + +2.6-164 | 2019-03-15 19:45:48 -0700 + + * Migrate table-based for-loops to key-value iteration (Jon Siwek, Corelight) + + * GH-154: Extend for-loops to allow iteration over a table's key-value pairs (Zeke Medley) + +2.6-161 | 2019-03-15 12:59:31 -0700 + + * Fix SSH remote_location geo-data not 
being logged for successful authNs. (Michael Dopheide) + +2.6-159 | 2019-03-14 16:39:52 -0700 + + * Move NEWS file back into main repo from zeek-docs (Jon Siwek, Corelight) + +2.6-158 | 2019-03-14 16:23:30 -0700 + + * Fix signed/unsigned comparison compiler warning (Jon Siwek, Corelight) + +2.6-157 | 2019-03-14 16:18:13 +0000 + + * GH-250: Add VXLAN decapsulation support (Henrik Lund Kramshoej; Jon Siwek, Corelight) + + Zeek now automatically decapsulates VXLAN traffic on UDP port + 4789. It will log such sessions as Tunnel::VXLAN in tunnel.log and + proceed to analyze the inner payload. Two options allow to tune + the analysis: + + * "Tunnel::vxlan_ports" allows to tune the set of VXLAN ports + to analyze/decapsulate. + + * "Tunnel::validate_vxlan_checksums" allows for tuning of how + checksums associated with the outer UDP header of a possible + VXLAN tunnel are handled. + + A new "vxlan_packet" event also provides per-packet access to + VXLAN traffic. + +2.6-154 | 2019-03-13 17:28:26 -0700 + + * Decrease memory usage via deferred list/dict initialization (Justin Azoff, Corelight) + +2.6-152 | 2019-03-13 13:46:17 -0700 + + * Add field to the default http.log for the Origin header (Nate Guagenti) + +2.6-149 | 2019-03-13 18:21:59 +0000 + + * GH-289: Add options to limit entries in http.log file fields. The + "orig_fuids", "orig_filenames", "orig_mime_types" http.log fields + as well as their "resp" counterparts are now limited to having + "HTTP::max_files_orig" or "HTTP::max_files_resp" entries, which + are 15 by default. The limit can also be ignored case-by-case via + the "HTTP::max_files_policy" hook. (Jon Siwek, Corelight) + + * GH-282: Remove JSON formatter's range restriction on numbers. It + now produces numbers as large as is required to match the data it + needs to represent. (Jon Siwek, Corelight) + + * GH-281: Improve parsing of Google Pixel user agent. (Jon Siwek, + Corelight) + + * GH-286: Check for record type mismatch in ternary operator. 
(Jon + Siwek, Corelight) + +2.6-141 | 2019-03-08 18:36:25 -0800 + + * Improve DNS query queuing logic (Jon Siwek, Corelight) + +2.6-140 | 2019-03-08 16:21:42 -0800 + + * Improve performance of DNS policy scripts (Justin Azoff, Corelight) + +2.6-135 | 2019-03-07 13:14:00 -0800 + + * Fix typos in dnp3-protocol.pac (g0nzu1) + +2.6-132 | 2019-03-06 15:30:58 -0800 + + * GH-219: revert a breaking change to |x| operator for interval/time (Jon Siwek, Corelight) + 2.6-130 | 2019-02-22 14:56:41 -0600 * Make input framework parse whitespace around various data types. (Johanna Amann, Corelight) diff --git a/CMakeLists.txt b/CMakeLists.txt index 3c82a6d9ff..cfe0b29ed9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -97,7 +97,15 @@ FindRequiredPackage(ZLIB) if (NOT BINPAC_EXE_PATH AND EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/binpac/CMakeLists.txt) + + set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY}) + + if ( BUILD_STATIC_BINPAC ) + set(ENABLE_STATIC_ONLY true) + endif() + add_subdirectory(aux/binpac) + set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED}) endif () FindRequiredPackage(BinPAC) @@ -286,10 +294,14 @@ if ( BROKER_ROOT_DIR ) set(brodeps ${brodeps} ${BROKER_LIBRARY} ${CAF_LIBRARIES}) include_directories(BEFORE ${BROKER_INCLUDE_DIR}) else () + set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY}) + if ( BUILD_STATIC_BROKER ) set(ENABLE_STATIC_ONLY true) endif() + add_subdirectory(aux/broker) + set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED}) if ( BUILD_STATIC_BROKER ) set(brodeps ${brodeps} broker_static) diff --git a/NEWS b/NEWS deleted file mode 120000 index 318c73d3e5..0000000000 --- a/NEWS +++ /dev/null @@ -1 +0,0 @@ -doc/install/NEWS.rst \ No newline at end of file diff --git a/NEWS b/NEWS new file mode 100644 index 0000000000..b93aa2300b --- /dev/null +++ b/NEWS 
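Review bot: `set(ENABLE_STATIC_ONLY_SAVED ${ENABLE_STATIC_ONLY})` in the binpac hunk uses an unquoted expansion, so when ENABLE_STATIC_ONLY is unset or empty it degenerates to `set(ENABLE_STATIC_ONLY_SAVED)`, which unsets the variable, and the later `set(ENABLE_STATIC_ONLY ${ENABLE_STATIC_ONLY_SAVED})` then unsets ENABLE_STATIC_ONLY instead of restoring an empty value; the same applies to the second hunk around `add_subdirectory(aux/broker)`. That round-trips correctly for the unset case but silently turns an empty-string setting into an unset one, and quoting both sides, `set(ENABLE_STATIC_ONLY_SAVED "${ENABLE_STATIC_ONLY}")` and `set(ENABLE_STATIC_ONLY "${ENABLE_STATIC_ONLY_SAVED}")`, makes the save/restore exact. Since the save/override/add_subdirectory/restore sequence is now duplicated for binpac and broker, a short function or macro taking the subdirectory and the BUILD_STATIC_* flag would keep the two in step. The `else ()` branch in the broker hunk continues past the visible hunk lines.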
@@ -0,0 +1,2530 @@ + +This document summarizes the most important changes in the current Bro +release. For an exhaustive list of changes, see the ``CHANGES`` file +(note that submodules, such as Broker, come with their own ``CHANGES``.) + +Zeek 3.0.0 +========== + +New Functionality +----------------- + +- Added support for DNSSEC resource records RRSIG, DNSKEY, DS, NSEC, and NSEC3. + The associated events are: + + - dns_RRSIG + - dns_DNSKEY + - dns_DS + - dns_NSEC + - dns_NSEC3 + +- Bro's Plugin framework now allows a patch version. If a patch version is not + provided, it will default to 0. To specify this, modify the plugin + Configuration class in your ``src/Plugin.cc`` and set + ``config.version.patch``. Note that the default plugin skeleton + includes a unit test whose Baseline has the plugin version number in + it and that will now fail due to the version number now including a + patch number. For those that want to keep the unit test, simply adapt + the unit test/baseline to include the new plugin patch number. + +- The default http.log not includes a field for the HTTP request Origin header. + +- Support for decapsulating VXLAN tunnels. + +- The for-loop syntax now allows for iterating over key-value pairs of tables. + Previously, a separate lookup within the loop was required to obtain the + value at a given index/key, but now this works:: + + local t: table[count] of string = table(); + t[1] = "hello"; + t[55] = "goodbye"; + + for ( key, value in t ) + print key, value; + +- Added options for controlling the source path/prefix for Input and + Intel framework files: + + - InputAscii::path_prefix + - InputBinary::path_prefix + - Intel::path_prefix + +- Support for NFLOG link-layer type. + +- Support for some SMB 3.x features + + - An ``smb2_transform_header`` event is raised after parsing + TRANSFORM_HEADER structures associated with encrypted messages. 
+ + - The ``SMB2::NegotiateResponse`` record now contains + ``negotiate_context_count`` and ``negotiate_context_values`` fields + containing capability information found in an SMB 3.1.1 dialect's + negotiation message. + +- Added a new hook, ``Intel::filter_item``, to assist in filtering and + removal of intelligence items that are about to be inserted. + +- Add support for SMB filenames in the intel framework. + +- Added a new event for weirdness found via file analysis: ``file_weird``. + +- The conn.log "history" field supports a new character 'G' or 'g' + (capital for originator, lowercase responder) to indicate a content + gap in the TCP stream. These are recorded logarithmically. + +Changed Functionality +--------------------- + +- ``$prefix/share/bro/site/local.bro`` has been renamed to + ``local.zeek``. If you have made customizations to that file, it + will no longer be loaded by default by BroControl (ZeekControl), + but you can simply copy it to ``local.zeek`. You may also want to + remove old ``local.bro`` files to avoid potential confusion. + +- All scripts ending in ``.bro`` that ship with the Zeek source tree have + been renamed to ``.zeek``. + +- The search logic for the ``@load`` script directive now prefers files + ending in ``.zeek``, but will fallback to loading a ``.bro`` file if + it exists. E.g. ``@load foo`` will first check for a ``foo.zeek`` + file to load and then otherwise ``foo.bro``. Note that + ``@load foo.bro`` (with the explicit ``.bro`` file suffix) prefers + in the opposite order: it first checks for ``foo.bro`` and then + falls back to a ``foo.zeek``, if it exists. + +- The for-loop index variable for vectors has been changed from + 'int' to 'count' type. It's unlikely this would alter/break any + script behavior unless they were explicitly inspecting the variable's + type (and there's typically no reason to do that). 
+ +- The startup/initialization behavior has changed such that any errors + encountered while processing the ``bro_init()`` event will cause the + process to terminate rather than continue on the main run loop. + +- The ``dns_state`` field within ``connection`` records has changed: the + ``pending_queries`` and ``pending_replies`` fields are now ``&optional``, + and there is a new field ``pending_query`` that is populated before + ``pending_queries``. If you have scripts that access the ``pending_queries`` + or ``pending_replies`` fields, they will need to be updated. + This change was made to improve performance. + +- The ternary operator (" ? : ") now enforces that + if "" and "" are both records, they are of the same + type. It was always assumed that they were, but code might have + still worked even if not. + +- The "orig_fuids", "orig_filenames", "orig_mime_types" http.log fields + as well as their "resp" counterparts are now limited to having + "HTTP::max_files_orig" or "HTTP::max_files_resp" entries, which are 15 + by default. The limit can also be ignored case-by-case via the + "HTTP::max_files_policy" hook. + +- The binpac library is now only compiled as a shared library by default. + To revert back to compiling only a static library, there's the + ``--enable-static-binpac`` configure option. + +- The Broker C++ API has some breaking changes, see it's own NEWS file for + details on how to migrate old code. 
+ +- Some Weirds associated with generic binpac parsing exceptions in analyzers + that didn't otherwise handle them (like syslog, modbus, dnp3) are now + a ProtocolViolation instead + +- Weird names that contained variable content and may result in an unbounded + number of weird names have been renamed to remove the variable content + (which has been made available in the "addl" field of conn_weirds): + + - "unknown_dce_rpc_auth_type_%d" -> unknown_dce_rpc_auth_type + - "gtp_invalid_info_element_%d" -> gtp_invalid_info_element + - "unknown_netbios_type:" 0x%x -> unknown_netbios_type + - "excess_netbios_hdr_len" (%d > %d) -> excess_netbios_hdr_len + - "deficit_netbios_hdr_len" (%d > %d) -> deficit_netbios_hdr_len + - "bad_RPC_program (%d)" -> bad_RPC_program + - "unknown_MOUNT_request(%u)" -> unknown_MOUNT_request + - "unknown_NFS_request(%u)" -> unknown_NFS_request + - "RPC resync: discard %d bytes\n" -> RPC_resync + - "RPC_message_too_long (%d64)" -> RPC_message_too_long + - "socks5_unsupported_authentication_method_%d" -> socks5_unsupported_authentication_method + - "socks5_unsupported_authentication_%d_%d" -> socks5_unsupported_authentication + - "ssh_unknown_kex_algorithm=%s" -> ssh_unknown_kex_algorithm + - "Encountered unknown type in server name ssl extension: %d" -> ssl_ext_unknown_server_name_type + - "UDP_datagram_length_mismatch(%d!=%d)" -> UDP_datagram_length_mismatch + - "OPENSSL Could not parse OCSP request (fuid %s)" -> openssl_ocsp_request_parse_error + - "OPENSSL Could not parse OCSP response (fuid %s)" -> openssl_ocsp_response_parse_error + - "Could not parse X509 certificate (fuid %s)" -> x509_cert_parse_error + - "Certificate with invalid BasicConstraint. fuid %s" -> x509_invalid_basic_constraint + - "Could not parse subject alternative names. fuid %s" -> x509_san_parse_error + - "DNS-field does not contain an IA5String. fuid %s" -> x509_san_non_string + - "Weird IP address length %d in subject alternative name. 
fuid %s" -> x509_san_ip_length + - "Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length" -> x509_utc_length + - "Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)" -> x509_utc_format + - "Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length" -> x509_gen_time_length + - "Invalid time type in X509 certificate (fuid %s)" -> x509_invalid_time_type + - "Could not parse time in X509 certificate (fuid %s) -- additional char after time" -> x509_time_add_char + - "Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset" -> x509_time_offset_underflow + - "Could not parse time in X509 certificate (fuid %s) -- unknown offset type" -> x509_time_offset_type + - "X509::GetExtensionFromBIO: %s" -> x509_get_ext_from_bio + - "unknown_mobility_type_%d" -> unknown_mobility_type + - "unknown_routing_type_%d" -> unknown_routing_type + - "unknown_protocol_%d" -> unknown_protocol + - "unknown_gre_version_%d" -> unknown_gre_version + - "unknown_gre_protocol_%u16" -> unknown_gre_protocol + +- The "missed_bytes" field of conn.log can be calculated slightly differently + in some cases: ACKs that reveal a content gap, but also come at + the end of a connection (in a FIN or RST) are considered unreliable + and aren't counted as true gaps. + +- The Broxygen component, which is used to generate our Doxygen-like + scripting API documentation has been renamed to Zeexygen. This likely has + no breaking or visible changes for most users, except in the case one + used it to generate their own documentation via the ``--broxygen`` flag, + which is now named ``--zeexygen``. Besides that, the various documentation + in scripts has also been updated to replace Sphinx cross-referencing roles + and directives like ":bro:see:" with ":zeek:zee:". 
+ +Removed Functionality +--------------------- + +Deprecated Functionality +------------------------ + +- The ``str_shell_escape` function is now deprecated, use ``safe_shell_quote`` + instead. The later will automatically return a value that is enclosed + in double-quotes. + +- The ``bro_init``, ``bro_done``, and ``bro_script_loaded`` events are now + deprecated, use ``zeek_init``, ``zeek_done``, and + ``zeek_script_loaded`` instead. Any existing event handlers for + the deprecated versions will automatically alias to the new events + such that existing code will not break, but will emit a deprecation + warning. + +Bro 2.6 +======= + +New Functionality +----------------- + +- Bro has switched to using the new Broker library for all its + communication. Broker's API has been completely redesigned (compared + to the version in 2.5), and much of its implementation has been + redone. There's a new script-level "broker" framework that + supersedes the old "communication" framework, which is now + deprecated. All scripts that ship with Bro have been ported to use + Broker. BroControl has likewise been ported to use Broker. + + For more about the new Broker framework, see + https://www.bro.org/sphinx-git/frameworks/broker.html. There's also + a guide there for porting existing Bro scripts to Broker. For more + about Broker itself, including its API for external applications, + see https://bro-broker.readthedocs.io/en/stable + + When using BroControl, the function of proxies has changed with + Broker. If you are upgrading and have configured more than one proxy + currenty, we recommend going back down to a single proxy node now. + That should be fine unless you are using custom scripts doing + significant data distribution through the new cluster framework. + + A side effect of the switch to using Broker is that each Bro node now runs + as a single process instead of two. 
Also, the number of file descriptors + being polled in Bro's main event loop has been reduced (1 per worker + versus 5). This should increase the number of workers one can + use before reaching the common 1024 file descriptor limitation of + "select()". + +- Bro now has new "is" and "as" script operators for dynamic + type-checking and casting. + + - "v as T" casts a value v into a value of type T, assuming that's + possible (if not, it triggers a runtime error). + + - "v is T" returns a boolean indicating whether value v can be + casted into type T (i.e., if true then "v as T" will succeed). + + This casting supports three cases currently: (1) a value of + declared type "any" can be casted to its actual underlying type; + (2) Broker values can be casted to their corresponding script + types; and (3) all values can be casted to their declared types + (i.e., a no-op). + + Example for "any":: + + # cat a.bro + function check(a: any) + { + local s: string = "default"; + + if ( a is string ) + s = (a as string); + + print fmt("s=%s", s); + } + + event bro_init() + { + check("Foo"); + check(1); + } + + # bro a.bro + s=Foo + s=default + +- The existing "switch" statement got extended to now also support switching by + type rather than value. The new syntax supports two type-based versions + of "case": + + - "case type T: ...": Take branch if operand can be casted to type T. + + - "case type T as x: ... ": Take branch if operand can be casted + to type T, and make the casted value available through ID "x". + + Multiple types can be listed per branch, separated by commas. + However, one cannot mix cases with expressions and types inside a + single switch statement. 
+ + Example:: + + function switch_one(v: any) + { + switch (v) { + case type string: + print "It's a string!"; + break; + + case type count as c: + print "It's a count!", c; + break; + + case type bool, type addr: + print "It's a bool or address!"; + break; + + default: + print "Something else!"; + break; + } + } + +- Bro now comes with a new "configuration framework" that allows + updating script options dynamically at runtime. This functionality + consists of three larger pieces working together: + + - Option variables: The new "option" keyword allows variables to be + declared as runtime options. Such variables cannot be changed + using normal assignments. Instead, they can be changed using the + new function "Config::set_value". This function will automatically + apply the change to all nodes in a cluster. Note that options can also + be changed using the new function "Option::set", but this function will + not send the change to any other nodes, so Config::set_value should + typically be used instead of Option::set. + + Various redef-able constants in the standard Bro scripts have + been converted to runtime options. This change will not affect any + user scripts because the initial value of runtime options can still be + redefined with a "redef" declaration. Example:: + + option testvar = "old value"; + redef testvar = "new value"; + + It is possible to "subscribe" to an option through + "Option::set_change_handler", which will trigger a handler callback + when an option changes. Change handlers can optionally modify + values before they are applied by returning the desired value, or + reject updates by returning the old value. Priorities can be + specified if there are several handlers for one option. 
+ + Example script:: + + option testbool: bool = T; + + function option_changed(ID: string, new_value: bool): bool + { + print fmt("Value of %s changed from %s to %s", ID, testbool, new_value); + return new_value; + } + + event bro_init() + { + print "Old value", testbool; + Option::set_change_handler("testbool", option_changed); + Option::set("testbool", F); + print "New value", testbool; + } + + - Script-level configuration framework: The new script framework + base/framework/config facilitates reading in new option values + from external files at runtime. The format for these files looks + like this:: + + [option name][tab/spaces][new variable value] + + Configuration files to read can be specified by adding them to + "Config::config_files". + + Usage example:: + + redef Config::config_files += { "/path/to/config.dat" }; + + module TestConfig; + + export { + option testbool: bool = F; + } + + The specified file will now be monitored continuously for changes, so + that writing "TestConfig::testbool T" into ``/path/to/config.dat`` will + automatically update the option's value accordingly. + + The configuration framework creates a ``config.log`` that shows all + value changes that took place. + + - Config reader: Internally, the configuration framework uses a new + type of input reader to read such configuration files into Bro. + The reader uses the option name to look up the type that variable + has, converts the read value to the correct type, and then updates + the option's value. 
Example script use:: + + type Idx: record { + option_name: string; + }; + + type Val: record { + option_val: string; + }; + + global currconfig: table[string] of string = table(); + + event InputConfig::new_value(name: string, source: string, id: string, value: any) + { + print id, value; + } + + event bro_init() + { + Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); + } + +- Support for OCSP and Signed Certificate Timestamp. This adds the + following events and BIFs: + + - Events: + + - ocsp_request + - ocsp_request_certificate + - ocsp_response_status + - ocsp_response_bytes + - ocsp_response_certificate + - ocsp_extension + - x509_ocsp_ext_signed_certificate_timestamp + - ssl_extension_signed_certificate_timestamp + + - Functions: + + - sct_verify + - x509_subject_name_hash + - x509_issuer_name_hash + - x509_spki_hash + +- The SSL scripts provide a new hook "ssl_finishing(c: connection)" + to trigger actions after the handshake has concluded. + +- New functionality has been added to the TLS parser, adding several + events. These events mostly extract information from the server and client + key exchange messages. The new events are: + + - ssl_ecdh_server_params + - ssl_dh_server_params + - ssl_server_signature + - ssl_ecdh_client_params + - ssl_dh_client_params + - ssl_rsa_client_pms + + Since "ssl_ecdh_server_params" contains more information than the old + "ssl_server_curve" event, "ssl_server_curve" is now marked as deprecated. + +- The "ssl_application_data" event was retired and replaced with + "ssl_plaintext_data". + +- Some SSL events were changed and now provide additional data. 
These events + are: + + - ssl_client_hello + - ssl_server_hello + - ssl_encrypted_data + + If you use these events, you can make your scripts work on old and new + versions of Bro by wrapping the event definition in an "@if", for example:: + + @if ( Version::at_least("2.6") || ( Version::number == 20500 && Version::info$commit >= 944 ) ) + event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) + @else + event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) + @endif + +- Functions for retrieving files by their ID have been added: + + - Files::file_exists + - Files::lookup_File + +- New functions in the logging API: + + - Log::get_filter_names + - Log::enable_stream + +- HTTP now recognizes and skips upgraded/websocket connections. A new event, + "http_connection_upgrade", is raised in such cases. + +- A new hook, HTTP::sqli_policy, may be used to whitelist requests that + could otherwise be counted as SQL injection attempts. + +- Added a MOUNT3 protocol parser + + - This is not enabled by default (no ports are registered and no + DPD signatures exist, so no connections will end up attaching the + new Mount analyzer). If it were to be activated by users, the + following events are available: + + - mount_proc_null + - mount_proc_mnt + - mount_proc_umnt + - mount_proc_umnt_all + - mount_proc_not_implemented + - mount_reply_status + +- Added new NFS events: + + - nfs_proc_symlink + - nfs_proc_link + - nfs_proc_sattr + +- The SMB scripts in ``policy/protocols/smb`` are now moved into + ``base/protocols/smb`` and loaded/enabled by default. 
If you previously + loaded these scripts from their ``policy/`` location (in local.bro or + other custom scripts) you may now remove/change those although they + should still work since ``policy/protocols/smb`` is simply a placeholder + script that redirects to the new ``base/`` location. + +- Added new SMB events: + + - smb1_transaction_secondary_request + - smb1_transaction2_secondary_request + - smb1_transaction_response + +- Bro can now decrypt Kerberos tickets, and retrieve the authentication from + them, given a suitable keytab file. + +- Added support for bitwise operations on "count" values. '&', '|' and + '^' are binary "and", "or" and "xor" operators, and '~' is a unary + ones-complement operator. + +- The '&' and '|' operators can apply to patterns, too. p1 & p2 yields + a pattern that represents matching p1 followed by p2, and p1 | p2 yields + a pattern representing matching p1 or p2. The p1 | p2 functionality was + semi-present in previous versions of Bro, but required constants as + its operands; now you can use any pattern-valued expressions. + +- You can now specify that a pattern matches in a case-insensitive + fashion by adding 'i' to the end of its specification. So for example + /fOO/i == "Foo" yields T, as does /fOO/i in "xFoObar". + + You can achieve the same functionality for a subpattern enclosed in + parentheses by adding "?i:" to the open parenthesis. So for example + /foo|(?i:bar)/ will match "BaR", but not "FoO". + + For both ways of specifying case-insensitivity, characters enclosed in + double quotes remain case-sensitive. So for example /"foo"/i will not + match "Foo", but it will match "foo". + +- "make install" now installs Bro's include headers (and more) into + "--prefix" so that compiling plugins no longer needs access to a + source/build tree. For OS distributions, this also facilitates + creating "bro-devel" packages providing all files necessary to build + plugins. + +- Bro now supports PPPoE over QinQ. 
+
+- Bro now supports OpenSSL 1.1.
+
+- The new connection/conn.log history character 'W' indicates that
+ the originator ('w' = responder) advertised a TCP zero window
+ (instructing the peer to not send any data until receiving a
+ non-zero window).
+
+- The connection/conn.log history characters 'C' (checksum error seen),
+ 'T' (retransmission seen), and 'W' (zero window advertised) are now
+ repeated in a logarithmic fashion upon seeing multiple instances
+ of the corresponding behavior. Thus a connection with 2 C's in its
+ history means that the originator sent >= 10 packets with checksum
+ errors; 3 C's means >= 100, etc.
+
+- The above connection history behaviors occurring multiple times
+ (i.e., starting at 10 instances, than again for 100 instances,
+ etc.) generate corresponding events:
+
+ - tcp_multiple_checksum_errors
+ - udp_multiple_checksum_errors
+ - tcp_multiple_zero_windows
+ - tcp_multiple_retransmissions
+
+ Each has the same form, e.g.::
+
+ event tcp_multiple_retransmissions(c: connection, is_orig: bool,
+ threshold: count);
+
+- Added support for set union, intersection, difference, and comparison
+ operations. The corresponding operators for the first three are
+ "s1 | s2", "s1 & s2", and "s1 - s2". Relationals are in terms
+ of subsets, so "s1 < s2" yields true if s1 is a proper subset of s2
+ and "s1 == s2" if the two sets have exactly the same elements.
+ "s1 <= s2" holds for subsets or equality, and similarly "s1 != s2",
+ "s1 > s2", and "s1 >= s2" have the expected meanings in terms
+ of non-equality, proper superset, and superset-or-equal.
+
+- An expression of the form "v += e" will append the value of the expression
+ "e" to the end of the vector "v" (of course assuming type-compatibility).
+ "redef v += { a, b, c }" will similarly extend a vector previously declared
+ with &redef by appending the result of expressions "a", "b", and "c" to
+ the vector at initialization-time.
+
+- A new "@deprecated" directive was added.
It marks a script-file as
+ deprecated.
+
+Changed Functionality
+ ---------------------
+
+- All communication is now handled through Broker, requiring changes
+ to existing scripts to port them over to the new API. The Broker
+ framework documentation comes with a porting guide.
+
+- The DHCP analyzer and its script-layer interface have been rewritten.
+
+ - Supports more DHCP options than before.
+
+ - The DHCP log now represents DHCP sessions based on transaction ID
+ and works on Bro cluster deployments.
+
+ - Removed the ``policy/protocols/dhcp/known-devices-and-hostnames.bro``
+ script since it's generally less relevant now with the updated log.
+
+ - Removed the ``base/protocols/dhcp/utils.bro`` script and thus the
+ "reverse_ip" function.
+
+ - Replaced all DHCP events with the single "dhcp_message" event.
+ The list of removed events includes:
+
+ - dhcp_discover
+ - dhcp_offer
+ - dhcp_request
+ - dhcp_decline
+ - dhcp_ack
+ - dhcp_nak
+ - dhcp_release
+ - dhcp_inform
+
+ - A new script, ``policy/protocols/dhcp/deprecated_events.bro``, may be
+ loaded to aid those transitioning away from the list of "removed"
+ events above. The script provides definitions for the old events
+ and automatically generates them from a "dhcp_message" handler, thus
+ providing equivalent functionality to the previous Bro release.
+ Such usage emits deprecation warnings.
+
+- Removed ``policy/misc/known-devices.bro`` script and thus
+ ``known_devices.log`` will no longer be created.
+
+- The "--with-binpac" configure option has changed to mean "path
+ to the binpac executable" instead of "path to binpac installation root".
+
+- The MIME types used to identify X.509 certificates in SSL
+ connections changed from "application/pkix-cert" to
+ "application/x-x509-user-cert" for host certificates and
+ "application/x-x509-ca-cert" for CA certificates.
+
+- The "ssl_server_curve" event is considered deprecated and will be removed
+ in the future.
See the new "ssl_ecdh_server_params" event for a
+ replacement.
+
+- The Socks analyzer no longer logs passwords by default. This
+ brings its behavior in line with the FTP/HTTP analyzers which also
+ do not log passwords by default.
+
+ To restore the previous behavior and log Socks passwords, use::
+
+ redef SOCKS::default_capture_password = T;
+
+- The DNS base scripts no longer generate some noisy and annoying
+ weirds:
+
+ - dns_unmatched_msg
+ - dns_unmatched_msg_quantity
+ - dns_unmatched_reply
+
+- The "tunnel_parents" field of ``conn.log`` is now marked ``&optional``, so,
+ in the default configuration of logs, this field will show "-"
+ instead of "(empty)" for connections that lack any tunneling.
+
+- SMB event argument changes:
+
+ - "smb1_transaction_request" now has two additional arguments, "parameters"
+ and "data" strings
+
+ - "smb1_transaction2_request" now has an additional "args" record argument
+
+- The "SMB::write_cmd_log" option has been removed and the corresponding
+ logic moving to ``policy/protocols/smb/log-cmds.bro`` which can simply
+ be loaded to produce the same effect of toggling the old flag on.
+
+- SSL event argument changes:
+
+ - "ssl_server_signature" now has an additional argument
+ "signature_and_hashalgorithm".
+
+- The "dnp3_header_block" event no longer has the "start" parameter.
+
+- The "string_to_pattern()" and now-deprecated "merge_pattern()"
+ built-ins are no longer restricted to only be called at initialization time.
+
+- GeoIP Legacy Database support has been replaced with GeoIP2 MaxMind DB
+ format support.
+
+ - This updates the "lookup_location" and "lookup_asn" BIFs to use
+ libmaxminddb. The motivation for this is that MaxMind is discontinuing
+ GeoLite Legacy databases: no updates after April 1, 2018, no downloads
+ after January 2, 2019. It's also noted that all GeoIP Legacy databases
+ may be discontinued as they are superseded by GeoIP2.
+
+- "Weird" events are now generally suppressed/sampled by default according to
+ some tunable parameters:
+
+ - Weird::sampling_whitelist
+ - Weird::sampling_threshold
+ - Weird::sampling_rate
+ - Weird::sampling_duration
+
+ Those options can be changed if one needs the previous behavior of
+ a "net_weird", "flow_weird", or "conn_weird" event being raised for
+ every single event.
+
+ The original ``weird.log`` may not differ much with these changes,
+ except in the cases where a particular weird type exceeds the
+ sampling threshold.
+
+ Otherwise, there is a new ``weird_stats.log`` generated via
+ ``policy/misc/weird-stats.bro`` which contains concise summaries
+ of weird counts per type per time period.
+
+- Improved DCE-RPC analysis via tracking of context identifier mappings
+
+ - These DCE-RPC events now contain an additional context-id argument:
+
+ - dce_rpc_bind
+ - dce_rpc_request
+ - dce_rpc_response
+
+ - Added new events:
+
+ - dce_rpc_alter_context
+ - dce_rpc_alter_context_resp
+
+- The default value of ``Pcap::snaplen`` changed from 8192 to 9216 bytes
+ to better accommodate jumbo frames.
+
+- Improvements to ``ntlm.log`` to fix incorrect reporting of login
+ success/failure. Also, the "status" field was removed and
+ "server_nb_computer_name", "server_dns_computer_name", and
+ "server_tree_name" fields added.
+
+- BroControl: The output of the broctl "top" command has changed slightly.
+ The "Proc" column has been removed from the output. This column previously
+ indicated whether each Bro process was the "parent" or "child", but this
+ is no longer relevant because each Bro node now runs as a single process.
+
+- The ``DNP3::function_codes`` name for request 0x21 has been corrected from
+ "AUTHENTICATE_ERR" to "AUTHENTICATE_REQ_NR".
+
+- The ``DNS::query_types`` names for resource records 41 and 100 have been
+ corrected from "EDNS" to "OPT" and "DINFO" to "UINFO", respectively.
+
+Removed Functionality
+ ---------------------
+
+- We no longer maintain any Bro plugins as part of the Bro
+ distribution. Most of the plugins that used to be in aux/plugins have
+ been moved over to use the Bro Package Manager instead. See
+ https://packages.bro.org for a list of Bro packages currently
+ available.
+
+- The "ocsp_request" event no longer has "requestorName" parameter.
+
+- The node-specific ``site/local-*.bro`` scripts have been removed.
+
+- BroControl: The "IPv6Comm" and "ZoneID" options are no longer
+ available (though Broker should be able to handle IPv6 automatically).
+
+Deprecated Functionality
+ ------------------------
+
+- The old communication system is now deprecated and scheduled for
+ removal with the next Bro release. This includes the "communication"
+ framework, the ``&sychronized`` attributes, and the existing
+ communication-related BiFs. Use Broker instead.
+
+- The infrastructure for serializing Bro values into a binary
+ representation is now deprecated and scheduled for removal with the
+ next Bro release. This includes the ``&persistent`` attribute, as well
+ as BIFs like "send_id()". Use Broker data stores and the new
+ configuration framework instead.
+
+- Mixing of scalars and vectors, such as "v + e" yielding a vector
+ corresponding to the vector v with the scalar e added to each of
+ its elements, has been deprecated.
+
+- The built-in function "merge_pattern()" has been deprecated. It will
+ be replaced by the '&' operator for patterns.
+
+- The undocumented feature of using "&&" and "||" operators for patterns
+ has been deprecated.
+
+- BroControl: The "update" command is deprecated and scheduled for
+ removal with the next Bro release. Bro's new configuration framework
+ is taking its place.
+
+Bro 2.5.5
+ =========
+
+Bro 2.5.5 primarily addresses security issues.
+
+- Fix array bounds checking in BinPAC: for arrays that are fields within
+ a record, the bounds check was based on a pointer to the start of the
+ record rather than the start of the array field, potentially resulting
+ in a buffer over-read.
+
+- Fix SMTP command string comparisons: the number of bytes compared was
+ based on the user-supplied string length and can lead to incorrect
+ matches. e.g. giving a command of "X" incorrectly matched
+ "X-ANONYMOUSTLS" (and an empty commands match anything).
+
+The following changes address potential vectors for Denial of Service
+reported by Christian Titze & Jan Grashöfer of Karlsruhe Institute of
+Technology:
+
+- "Weird" events are now generally suppressed/sampled by default according
+ to some tunable parameters:
+
+ - Weird::sampling_whitelist
+ - Weird::sampling_threshold
+ - Weird::sampling_rate
+ - Weird::sampling_duration
+
+ Those options can be changed if one needs the previous behavior of
+ a "net_weird", "flow_weird", or "conn_weird" event being raised for
+ every single event. Otherwise, there is a new weird_stats.log which
+ contains concise summaries of weird counts per type per time period
+ and the original weird.log may not differ much either, except in
+ the cases where a particular weird type exceeds the sampling threshold.
+ These changes help improve performance issues resulting from excessive
+ numbers of weird events.
+
+- Improved handling of empty lines in several text protocol analyzers
+ that can cause performance issues when seen in long sequences.
+
+- Add 'smtp_excessive_pending_cmds' weird which serves as a notification
+ for when the "pending command" queue has reached an upper limit and
+ been cleared to prevent one from attempting to slowly exhaust memory.
+
+Bro 2.5.4
+ =========
+
+Bro 2.5.4 primarily fixes security issues:
+
+* Multiple fixes and improvements to BinPAC generated code related to
+ array parsing, with potential impact to all Bro's BinPAC-generated
+ analyzers in the form of buffer over-reads or other invalid memory
+ accesses depending on whether a particular analyzer incorrectly
+ assumed that the evaulated-array-length expression is actually the
+ number of elements that were parsed out from the input.
+
+* The NCP analyzer (not enabled by default and also updated to actually
+ work with newer Bro APIs in the release) performed a memory allocation
+ based directly on a field in the input packet and using signed integer
+ storage. This could result in a signed integer overflow and memory
+ allocations of negative or very large size, leading to a crash or
+ memory exhaustion. The new NCP::max_frame_size tuning option now
+ limits the maximum amount of memory that can be allocated.
+
+There's also the following bug fixes:
+
+* A memory leak in the SMBv1 analyzer.
+
+* The MySQL analyzer was generally not working as intended, for example,
+ it now is able to parse responses that contain multiple results/rows.
+
+Bro 2.5.3
+ =========
+
+Bro 2.5.3 fixes a security issue in Binpac generated code. In some cases
+the code generated by binpac could lead to an integer overflow which can
+lead to out of bound reads and allow a remote attacker to crash Bro; there
+is also a possibility that this can be exploited in other ways.
+
+Bro 2.5.2
+ =========
+
+Bro 2.5.2 fixes a security issue in the ContentLine analyzer. In rare cases
+a bug in the ContentLine analyzer can lead to an out of bound write of a single
+byte. This allows a remote attacker to crash Bro; there also is a possibility
+this can be exploited in other ways. CVE-2017-1000458 has been assigned to this
+issue.
+
+Bro 2.5.1
+ =========
+
+New Functionality
+ -----------------
+
+- Bro now includes bifs for rename, unlink, and rmdir.
+
+- Bro now includes events for two extensions used by TLS 1.3:
+ ssl_extension_supported_versions and ssl_extension_psk_key_exchange_modes
+
+- Bro now includes hooks that can be used to interact with log processing
+ on the C++ level.
+
+- Bro now supports ERSPAN. Currently this ignores the ethernet header that is
+ carried over the tunnel; if a MAC is logged currently only the outer MAC
+ is returned.
+
+- Added a new BroControl option CrashExpireInterval to enable
+ "broctl cron" to remove crash directories that are older than the
+ specified number of days (the default value is 0, which means crash
+ directories never expire).
+
+- Added a new BroControl option MailReceivingPackets to control
+ whether or not "broctl cron" will mail a warning when it notices
+ that no packets were seen on an interface.
+
+- There is a new broctl command-line option "--version" which outputs
+ the BroControl version.
+
+Changed Functionality
+ ---------------------
+
+- The input framework's Ascii reader is now more resilient. If an input
+ is marked to reread a file when it changes and the file didn't exist
+ during a check Bro would stop watching the file in previous versions.
+ The same could happen with bad data in a line of a file. These
+ situations do not cause Bro to stop watching input files anymore. The
+ old behavior is available through settings in the Ascii reader.
+
+- The RADIUS scripts have been reworked. Requests are now logged even if
+ there is no response. The new framed_addr field in the log indicates
+ if the radius server is hinting at an address for the client. The ttl
+ field indicates how quickly the server is replying to the network access
+ server.
+
+- With the introduction of the Bro package manager, the Bro plugin repository
+ is considered deprecated. The af_packet, postgresql, and tcprs plugins have
+ already been removed and are available via bro-pkg.
+
+Bro 2.5
+ =======
+
+New Dependencies
+ ----------------
+
+- Bro now requires a compiler with C++11 support for building the
+ source code.
+
+- Bro now requires Python instead of Perl to compile the source code.
+
+- When enabling Broker (which is disabled by default), Bro now requires
+ version 0.14 of the C++ Actor Framework.
+
+New Functionality
+ -----------------
+
+- SMB analyzer. This is the rewrite that has been in development for
+ several years. The scripts are currently not loaded by default and
+ must be loaded manually by loading policy/protocols/smb. The next
+ release will load the smb scripts by default.
+
+ - Implements SMB1+2.
+ - Fully integrated with the file analysis framework so that files
+ transferred over SMB can be analyzed.
+ - Includes GSSAPI and NTLM analyzer and reimplements the DCE-RPC
+ analyzer.
+ - New logs: smb_cmd.log, smb_files.log, smb_mapping.log, ntlm.log,
+ and dce_rpc.log
+ - Not every possible SMB command or functionality is implemented, but
+ generally, file handling should work whenever files are transferred.
+ Please speak up on the mailing list if there is an obvious oversight.
+
+- Bro now includes the NetControl framework. The framework allows for easy
+ interaction of Bro with hard- and software switches, firewalls, etc.
+ New log files: netcontrol.log, netcontrol_catch_release.log,
+ netcontrol_drop.log, and netcontrol_shunt.log.
+
+- Bro now includes the OpenFlow framework which exposes the data structures
+ necessary to interface to OpenFlow capable hardware.
+
+- Bro's Intelligence Framework was refactored and new functionality
+ has been added:
+
+ - The framework now supports the new indicator type Intel::SUBNET.
+ As subnets are matched against seen addresses, the new field 'matched'
+ in intel.log was introduced to indicate which indicator type(s) caused
+ the hit.
+
+ - The new function remove() allows to delete intelligence items.
+
+ - The intel framework now supports expiration of intelligence items.
+ Expiration can be configured using the new Intel::item_expiration constant
+ and can be handled by using the item_expired() hook. The new script
+ do_expire.bro removes expired items.
+
+ - The new hook extend_match() allows extending the framework. The new
+ policy script whitelist.bro uses the hook to implement whitelisting.
+
+ - Intel notices are now suppressible and mails for intel notices now
+ list the identified services as well as the intel source.
+
+- There is a new file entropy analyzer for files.
+
+- Bro now supports the remote framebuffer protocol (RFB) that is used by
+ VNC servers for remote graphical displays. New log file: rfb.log.
+
+- Bro now supports the Radiotap header for 802.11 frames.
+
+- Bro now has rudimentary IMAP and XMPP analyzers examining the initial
+ phases of the protocol. Right now these analyzers only identify
+ STARTTLS sessions, handing them over to TLS analysis. These analyzers
+ do not yet analyze any further IMAP/XMPP content.
+
+- New funtionality has been added to the SSL/TLS analyzer:
+
+ - Bro now supports (draft) TLS 1.3.
+
+ - The new event ssl_extension_signature_algorithm() allows access to the
+ TLS signature_algorithms extension that lists client supported signature
+ and hash algorithm pairs.
+
+ - The new event ssl_extension_key_share gives access to the supported named
+ groups in TLS 1.3.
+
+ - The new event ssl_application_data gives information about application data
+ that is exchanged before encryption fully starts. This is used to detect
+ when encryption starts in TLS 1.3.
+
+- Bro now tracks VLAN IDs. To record them inside the connection log,
+ load protocols/conn/vlan-logging.bro.
+
+- A new dns_CAA_reply() event gives access to DNS Certification Authority
+ Authorization replies.
+
+- A new per-packet event raw_packet() provides access to layer 2
+ information. Use with care, generating events per packet is
+ expensive.
+
+- A new built-in function, decode_base64_conn() for Base64 decoding.
+ It works like decode_base64() but receives an additional connection
+ argument that will be used for decoding errors into weird.log
+ (instead of reporter.log).
+
+- A new get_current_packet_header() bif returns the headers of the current
+ packet.
+
+- Three new built-in functions for handling set[subnet] and table[subnet]:
+
+ - check_subnet(subnet, table) checks if a specific subnet is a member
+ of a set/table. This is different from the "in" operator, which always
+ performs a longest prefix match.
+
+ - matching_subnets(subnet, table) returns all subnets of the set or table
+ that contain the given subnet.
+
+ - filter_subnet_table(subnet, table) works like matching_subnets, but returns
+ a table containing all matching entries.
+
+- Several built-in functions for handling IP addresses and subnets were added:
+
+ - is_v4_subnet(subnet) checks whether a subnet specification is IPv4.
+
+ - is_v6_subnet(subnet) checks whether a subnet specification is IPv6.
+
+ - addr_to_subnet(addr) converts an IP address to a /32 subnet.
+
+ - subnet_to_addr(subnet) returns the IP address part of a subnet.
+
+ - subnet_width(subnet) returns the width of a subnet.
+
+- The IRC analyzer now recognizes StartTLS sessions and enables the SSL
+ analyzer for them.
+
+- The misc/stats.bro script is now loaded by default and logs more Bro
+ execution statistics to the stats.log file than it did previously. It
+ now also uses the standard Bro log format.
+
+- A set of new built-in functions for gathering execution statistics:
+
+ get_net_stats(), get_conn_stats(), get_proc_stats(),
+ get_event_stats(), get_reassembler_stats(), get_dns_stats(),
+ get_timer_stats(), get_file_analysis_stats(), get_thread_stats(),
+ get_gap_stats(), get_matcher_stats()
+
+- Two new functions haversine_distance() and haversine_distance_ip()
+ for calculating geographic distances. The latter function requires that Bro
+ be built with libgeoip.
+
+- Table expiration timeout expressions are evaluated dynamically as
+ timestamps are updated.
+
+- The pcap buffer size can be set through the new option Pcap::bufsize.
+
+- Input framework readers stream types Table and Event can now define a custom
+ event (specified by the new "error_ev" field) to receive error messages
+ emitted by the input stream. This can, e.g., be used to raise notices in
+ case errors occur when reading an important input source.
+
+- The logging framework now supports user-defined record separators,
+ renaming of column names, as well as extension data columns that can
+ be added to specific or all logfiles (e.g., to add new names).
+
+- The new "bro-config" script can be used to determine the Bro installation
+ paths.
+
+- New BroControl functionality in aux/broctl:
+
+ - There is a new node type "logger" that can be specified in
+ node.cfg (that file has a commented-out example). The purpose of
+ this new node type is to receive logs from all nodes in a cluster
+ in order to reduce the load on the manager node. However, if
+ there is no "logger" node, then the manager node will handle
+ logging as usual.
+
+ - The post-terminate script will send email if it fails to archive
+ any log files. These mails can be turned off by changing the
+ value of the new BroControl option MailArchiveLogFail.
+
+ - Added the ability for "broctl deploy" to reload the BroControl
+ configuration (both broctl.cfg and node.cfg). This happens
+ automatically if broctl detects any changes to those config files
+ since the last time the config was loaded. Note that this feature
+ is relevant only when using the BroControl shell interactively.
+
+ - The BroControl plugin API has a new function "broctl_config".
+ This gives plugin authors the ability to add their own script code
+ to the autogenerated broctl-config.bro script.
+
+ - There is a new BroControl plugin for custom load balancing.
This
+ plugin can be used by setting "lb_method=custom" for your worker
+ nodes in node.cfg. To support packet source plugins, it allows
+ configuration of a prefix and suffix for the interface name.
+
+- New Bro plugins in aux/plugins:
+
+ - af_packet: Native AF_PACKET support.
+ - kafka : Log writer interfacing to Kafka.
+ - myricom: Native Myricom SNF v3 support.
+ - pf_ring: Native PF_RING support.
+ - postgresql: A PostgreSQL reader/writer.
+ - redis: An experimental log writer for Redis.
+ - tcprs: A TCP-level analyzer detecting retransmissions, reordering, and more.
+
+Changed Functionality
+ ---------------------
+
+- Log changes:
+
+ - Connections
+
+ The 'history' field gains two new flags: '^' indicates that
+ Bro heuristically flipped the direction of the connection.
+ 't/T' indicates the first TCP payload retransmission from
+ originator or responder, respectively.
+
+ - Intelligence
+
+ New field 'matched' to indicate which indicator type(s) caused the hit.
+
+ - DNS
+
+ New 'rtt' field to indicate the round trip time between when a
+ request was sent and when a reply started.
+
+ - SMTP
+
+ New 'cc' field which includes the 'Cc' header from MIME
+ messages sent over SMTP.
+
+ Changes in 'mailfrom' and 'rcptto' fields to remove some
+ non-address cruft that will tend to be found. The main
+ example is the change from ``""`` to
+ ``"user@domain.com"``.
+
+ - HTTP
+
+ Removed 'filename' field (which was seldomly used).
+
+ New 'orig_filenames' and 'resp_filenames' fields which each
+ contain a vector of filenames seen in entities transferred.
+
+ - stats.log
+
+ The following fields have been added: active_tcp_conns,
+ active_udp_conns, active_icmp_conns, tcp_conns, udp_conns,
+ icmp_conns, timers, active_timers, files, active_files, dns_requests,
+ active_dns_requests, reassem_tcp_size, reassem_file_size,
+ reassem_frag_size, reassem_unknown_size.
+
+ The following fields have been renamed: lag -> pkt_lag.
+
+ The following fields have been removed: pkts_recv.
+
+- The BrokerComm and BrokerStore namespaces were renamed to Broker.
+ The Broker "print()" function was renamed to Broker::send_print(), and
+ the "event()" function was renamed to Broker::send_event().
+
+- The constant ``SSH::skip_processing_after_detection`` was removed. The
+ functionality was replaced by the new constant
+ ``SSH::disable_analyzer_after_detection``.
+
+- The ``net_stats()`` and ``resource_usage()`` functions have been
+ removed, and their functionality is now provided by the new execution
+ statistics functions (see above).
+
+- Some script-level identifiers have changed their names:
+
+ - snaplen -> Pcap::snaplen
+ - precompile_pcap_filter() -> Pcap::precompile_pcap_filter()
+ - install_pcap_filter() -> Pcap::install_pcap_filter()
+ - pcap_error() -> Pcap::error()
+
+- TCP analysis was changed to process connections without the initial
+ SYN packet. In the past, connections without a full handshake were
+ treated as partial, meaning that most application-layer analyzers
+ would refuse to inspect the payload. Now, Bro will consider these
+ connections as complete and all analyzers will process them normally.
+
+- The ``policy/misc/capture-loss.bro`` script is now loaded by default.
+
+- The traceroute detection script package ``policy/misc/detect-traceroute``
+ is no longer loaded by default.
+
+- Changed BroControl functionality in aux/broctl:
+
+ - The networks.cfg file now contains private IP space 172.16.0.0/12
+ by default.
+
+ - Upon startup, if broctl can't get IP addresses from the "ifconfig"
+ command for any reason, then broctl will now also try to use the
+ "ip" command.
+
+ - BroControl will now automatically search the Bro plugin directory
+ for BroControl plugins (in addition to all the other places where
+ BroControl searches). This enables automatic loading of
+ BroControl plugins that are provided by a Bro plugin.
+
+ - Changed the default value of the StatusCmdShowAll option so that
+ the "broctl status" command runs faster. This also means that
+ there is no longer a "Peers" column in the status output by
+ default.
+
+ - Users can now specify a more granular log expiration interval. The
+ BroControl option LogExpireInterval can be set to an arbitrary
+ time interval instead of just an integer number of days. The time
+ interval is specified as an integer followed by a time unit:
+ "day", "hr", or "min". For backward compatibility, an integer
+ value without a time unit is still interpreted as a number of
+ days.
+
+ - Changed the text of crash report emails. Now crash reports tell
+ the user to forward the mail to the Bro team only when a backtrace
+ is included in the crash report. If there is no backtrace, then
+ the crash report includes instructions on how to get backtraces
+ included in future crash reports.
+
+ - There is a new option SitePolicyScripts that replaces SitePolicyStandalone
+ (the old option is still available, but will be removed in the next
+ release).
+
+Removed Functionality
+ ---------------------
+
+- The app-stats scripts have been removed because they weren't
+ being maintained and they were becoming inaccurate (as a result, the
+ app_stats.log is also gone). They were also prone to needing more regular
+ updates as the internet changed and will likely be more relevant if
+ maintained externally.
+
+- The event ack_above_hole() has been removed, as it was a subset
+ of content_gap() and led to plenty of noise.
+
+- The command line options ``--analyze``, ``--set-seed``, and
+ ``--md5-hashkey`` have been removed.
+
+- The packaging scripts pkg/make-\*-packages are gone. They aren't
+ used anymore for the binary Bro packages that the project
+ distributes; haven't been supported in a while; and have
+ problems.
+
+Deprecated Functionality
+ ------------------------
+
+- The built-in functions decode_base64_custom() and
+ encode_base64_custom() are no longer needed and will be removed
+ in the future. Their functionality is now provided directly by
+ decode_base64() and encode_base64(), which take an optional
+ parameter to change the Base64 alphabet.
+
+Bro 2.4
+ =======
+
+New Functionality
+ -----------------
+
+- Bro now has support for external plugins that can extend its core
+ functionality, like protocol/file analysis, via shared libraries.
+ Plugins can be developed and distributed externally, and will be
+ pulled in dynamically at startup (the environment variables
+ BRO_PLUGIN_PATH and BRO_PLUGIN_ACTIVATE can be used to specify the
+ locations and names of plugins to activate). Currently, a plugin
+ can provide custom protocol analyzers, file analyzers, log writers,
+ input readers, packet sources and dumpers, and new built-in functions.
+ A plugin can furthermore hook into Bro's processing at a number of
+ places to add custom logic.
+
+ See https://www.bro.org/sphinx-git/devel/plugins.html for more
+ information on writing plugins.
+
+- Bro now has support for the MySQL wire protocol. Activity gets
+ logged into mysql.log.
+
+- Bro now parses DTLS traffic. Activity gets logged into ssl.log.
+
+- Bro now has support for the Kerberos KRB5 protocol over TCP and
+ UDP. Activity gets logged into kerberos.log.
+
+- Bro now has an RDP analyzer. Activity gets logged into rdp.log.
+
+- Bro now has a file analyzer for Portable Executables. Activity gets
+ logged into pe.log.
+
+- Bro now has support for the SIP protocol over UDP. Activity gets
+ logged into sip.log.
+
+- Bro now features a completely rewritten, enhanced SSH analyzer.
The
+ new analyzer is able to determine if logins failed or succeeded in
+ most circumstances, logs a lot more more information about SSH
+ sessions, supports v1, and introduces the intelligence type
+ ``Intel::PUBKEY_HASH`` and location ``SSH::IN_SERVER_HOST_KEY``. The
+ analayzer also generates a set of additional events
+ (``ssh_auth_successful``, ``ssh_auth_failed``, ``ssh_auth_attempted``,
+ ``ssh_auth_result``, ``ssh_capabilities``, ``ssh2_server_host_key``,
+ ``ssh1_server_host_key``, ``ssh_encrypted_packet``,
+ ``ssh2_dh_server_params``, ``ssh2_gss_error``, ``ssh2_ecc_key``). See
+ next section for incompatible SSH changes.
+
+- Bro's file analysis now supports reassembly of files that are not
+ transferred/seen sequentially. The default file reassembly buffer
+ size is set with the ``Files::reassembly_buffer_size`` variable.
+
+- Bro's file type identification has been greatly improved (new file types,
+ bug fixes, and performance improvements).
+
+- Bro's scripting language now has a ``while`` statement::
+
+ while ( i < 5 )
+ print ++i;
+
+ ``next`` and ``break`` can be used inside the loop's body just like
+ with ``for`` loops.
+
+- Bro now integrates Broker, a new communication library. See
+ aux/broker/README for more information on Broker, and
+ doc/frameworks/broker.rst for the corresponding Bro script API.
+
+ With Broker, Bro has the similar capabilities of exchanging events and
+ logs with remote peers (either another Bro process or some other
+ application that uses Broker). It also includes a key-value store
+ API that can be used to share state between peers and optionally
+ allow data to persist on disk for longer-term storage.
+
+ Broker support is by default off for now; it can be enabled at
+ configure time with --enable-broker. It requires CAF version 0.13+
+ (https://github.com/actor-framework/actor-framework) as well as a
+ C++11 compiler (e.g. GCC 4.8+ or Clang 3.3+).
+
+ Broker will become a mandatory dependency in future Bro versions and
+ replace the current communication and serialization system.
+
+- Add --enable-c++11 configure flag to compile Bro's source code in
+ C++11 mode with a corresponding compiler. Note that 2.4 will be the
+ last version of Bro that compiles without C++11 support.
+
+- The SSL analysis now alerts when encountering SSL connections with
+ old protocol versions or unsafe cipher suites. It also gained
+ extended reporting of weak keys, caching of already validated
+ certificates, and full support for TLS record defragmentation. SSL generally
+ became much more robust and added several fields to ssl.log (while
+ removing some others).
+
+- A new icmp_sent_payload event provides access to ICMP payload.
+
+- The input framework's raw reader now supports seeking by adding an
+ option "offset" to the config map. Positive offsets are interpreted
+ to be from the beginning of the file, negative from the end of the
+ file (-1 is end of file).
+
+- One can now raise events when a connection crosses a given size
+ threshold in terms of packets or bytes. The primary API for that
+ functionality is in base/protocols/conn/thresholds.bro.
+
+- There is a new command-line option -Q/--time that prints Bro's execution
+ time and memory usage to stderr.
+
+- BroControl now has a new command "deploy" which is equivalent to running
+ the "check", "install", "stop", and "start" commands (in that order).
+
+- BroControl now has a new option "StatusCmdShowAll" that controls whether
+ or not the broctl "status" command gathers all of the status information.
+ This option can be used to make the "status" command run significantly
+ faster (in this case, the "Peers" column will not be shown in the output).
+
+- BroControl now has a new option "StatsLogEnable" that controls whether
+ or not broctl will record information to the "stats.log" file.
This option
+ can be used to make the "broctl cron" command run slightly faster (in this
+ case, "broctl cron" will also no longer send email about not seeing any
+ packets on the monitoring interfaces).
+
+- BroControl now has a new option "MailHostUpDown" which controls whether or
+ not the "broctl cron" command will send email when it notices that a host
+ in the cluster is up or down.
+
+- BroControl now has a new option "CommandTimeout" which specifies the number
+ of seconds to wait for a command that broctl ran to return results.
+
+Changed Functionality
+---------------------
+
+- bro-cut has been rewritten in C, and is hence much faster.
+
+- File analysis
+
+ * Removed ``fa_file`` record's ``mime_type`` and ``mime_types``
+ fields. The event ``file_sniff`` has been added which provides
+ the same information. The ``mime_type`` field of ``Files::Info``
+ also still has this info.
+
+ * The earliest point that new mime type information is available is
+ in the ``file_sniff`` event which comes after the ``file_new`` and
+ ``file_over_new_connection`` events. Scripts which inspected mime
+ type info within those events will need to be adapted. (Note: for
+ users that worked w/ versions of Bro from git, for a while there was
+ also an event called ``file_mime_type`` which is now replaced with
+ the ``file_sniff`` event).
+
+ * Removed ``Files::add_analyzers_for_mime_type`` function.
+
+ * Removed ``offset`` parameter of the ``file_extraction_limit``
+ event. Since file extraction now internally depends on file
+ reassembly for non-sequential files, "offset" can be obtained
+ with other information already available -- adding together
+ ``seen_bytes`` and ``missed_bytes`` fields of the ``fa_file``
+ record gives how many bytes have been written so far (i.e.
+ the "offset").
+
+- The SSH changes come with a few incompatibilities.
The following
+ events have been renamed:
+
+ * ``SSH::heuristic_failed_login`` to ``ssh_auth_failed``
+ * ``SSH::heuristic_successful_login`` to ``ssh_auth_successful``
+
+ The ``SSH::Info`` status field has been removed and replaced with
+ the ``auth_success`` field. This field has been changed from a
+ string that was previously ``success``, ``failure`` or
+ ``undetermined`` to a boolean. a boolean that is ``T``, ``F``, or
+ unset.
+
+- The has_valid_octets function now uses a string_vec parameter instead of
+ string_array.
+
+- conn.log gained a new field local_resp that works like local_orig,
+ just for the responder address of the connection.
+
+- GRE tunnels are now identified as ``Tunnel::GRE`` instead of
+ ``Tunnel::IP``.
+
+- The default name for extracted files changed from extract-protocol-id
+ to extract-timestamp-protocol-id.
+
+- The weird named "unmatched_HTTP_reply" has been removed since it can
+ be detected at the script-layer and is handled correctly by the
+ default HTTP scripts.
+
+- When adding a logging filter to a stream, the filter can now inherit
+ a default ``path`` field from the associated ``Log::Stream`` record.
+
+- When adding a logging filter to a stream, the
+ ``Log::default_path_func`` is now only automatically added to the
+ filter if it has neither a ``path`` nor a ``path_func`` already
+ explicitly set. Before, the default path function would always be set
+ for all filters which didn't specify their own ``path_func``.
+
+- BroControl now establishes only one ssh connection from the manager to
+ each remote host in a cluster configuration (previously, there would be
+ one ssh connection per remote Bro process).
+
+- BroControl now uses SQLite to record state information instead of a
+ plain text file (the file "spool/broctl.dat" is no longer used).
+ On FreeBSD, this means that there is a new dependency on the package
+ "py27-sqlite3".
+
+- BroControl now records the expected running state of each Bro node right
+ before each start or stop. The "broctl cron" command uses this info to
+ either start or stop Bro nodes as needed so that the actual state matches
+ the expected state (previously, "broctl cron" could only start nodes in
+ the "crashed" state, and could never stop a node).
+
+- BroControl now sends all normal command output (i.e., not error messages)
+ to stdout. Error messages are still sent to stderr, however.
+
+- The capability of processing NetFlow input has been removed for the
+ time being. Therefore, the -y/--flowfile and -Y/--netflow command-line
+ options have been removed, and the netflow_v5_header and netflow_v5_record
+ events have been removed.
+
+- The -D/--dfa-size command-line option has been removed.
+
+- The -L/--rule-benchmark command-line option has been removed.
+
+- The -O/--optimize command-line option has been removed.
+
+- The deprecated fields "hot" and "addl" have been removed from the
+ connection record. Likewise, the functions append_addl() and
+ append_addl_marker() have been removed.
+
+- Log files now escape non-printable characters consistently as "\xXX'.
+ Furthermore, backslashes are escaped as "\\", making the
+ representation fully reversible.
+
+Deprecated Functionality
+------------------------
+
+- The split* family of functions are to be replaced with alternate
+ versions that return a vector of strings rather than a table of
+ strings. This also allows deprecation for some related string
+ concatenation/extraction functions. Note that the new functions use
+ 0-based indexing, rather than 1-based.
+
+ The full list of now deprecated functions is:
+
+ * split: use split_string instead.
+
+ * split1: use split_string1 instead.
+
+ * split_all: use split_string_all instead.
+
+ * split_n: use split_string_n instead.
+
+ * cat_string_array: see join_string_vec instead.
+
+ * cat_string_array_n: see join_string_vec instead.
+
+ * join_string_array: see join_string_vec instead.
+
+ * sort_string_array: use sort instead.
+
+ * find_ip_addresses: use extract_ip_addresses instead.
+
+Bro 2.3
+=======
+
+Dependencies
+------------
+
+- Libmagic is no longer a dependency.
+
+New Functionality
+-----------------
+
+- Support for GRE tunnel decapsulation, including enhanced GRE
+ headers. GRE tunnels are treated just like IP-in-IP tunnels by
+ parsing past the GRE header in between the delivery and payload IP
+ packets.
+
+- The DNS analyzer now actually generates the dns_SRV_reply() event.
+ It had been documented before, yet was never raised.
+
+- Bro now uses "file magic signatures" to identify file types. These
+ are defined via two new constructs in the signature rule parsing
+ grammar: "file-magic" gives a regular expression to match against,
+ and "file-mime" gives the MIME type string of content that matches
+ the magic and an optional strength value for the match. (See also
+ "Changed Functionality" below for changes due to switching from
+ using libmagic to such signatures.)
+
+- A new built-in function, "file_magic", can be used to get all file
+ magic matches and their corresponding strength against a given chunk
+ of data.
+
+- The SSL analyzer now supports heartbeats as well as a few
+ extensions, including server_name, alpn, and ec-curves.
+
+- The SSL analyzer comes with Heartbleed detector script in
+ protocols/ssl/heartbleed.bro. Note that loading this script changes
+ the default value of "SSL::disable_analyzer_after_detection" from true
+ to false to prevent encrypted heartbeats from being ignored.
+
+- StartTLS is now supported for SMTP and POP3.
+
+- The X509 analyzer can now perform OSCP validation.
+
+- Bro now has analyzers for SNMP and Radius, which produce corresponding
+ snmp.log and radius.log output (as well as various events of course).
+
+- BroControl has a new option "BroPort" which allows a user to specify
+ the starting port number for Bro.
+
+- BroControl has a new option "StatsLogExpireInterval" which allows a
+ user to specify when entries in the stats.log file expire.
+
+- BroControl has a new option "PFRINGClusterType" which allows a user
+ to specify a PF_RING cluster type.
+
+- BroControl now supports PF_RING+DNA. There is also a new option
+ "PFRINGFirstAppInstance" that allows a user to specify the starting
+ application instance number for processes running on a DNA cluster.
+ See the BroControl documentation for more details.
+
+- BroControl now warns a user to run "broctl install" if Bro has
+ been upgraded or if the broctl or node configuration has changed
+ since the most recent install.
+
+Changed Functionality
+---------------------
+
+- string slices now exclude the end index (e.g., "123"[1:2] returns
+ "2"). Generally, Bro's string slices now behave similar to Python.
+
+- ssl_client_hello() now receives a vector of ciphers, instead of a
+ set, to preserve their order.
+
+- Notice::end_suppression() has been removed.
+
+- Bro now parses X.509 extensions headers and, as a result, the
+ corresponding event got a new signature:
+
+ event x509_extension(c: connection, is_orig: bool, cert: X509, ext: X509_extension_info);
+
+- In addition, there are several new, more specialized events for a
+ number of x509 extensions.
+
+- Generally, all x509 events and handling functions have changed their
+ signatures.
+
+- X509 certificate verification now returns the complete certificate
+ chain that was used for verification.
+
+- Bro no longer special-cases SYN/FIN/RST-filtered traces by not
+ reporting missing data. Instead, if Bro never sees any data segments
+ for analyzed TCP connections, the new
+ base/misc/find-filtered-trace.bro script will log a warning in
+ reporter.log and to stderr. The old behavior can be reverted by
+ redef'ing "detect_filtered_trace".
+
+- We have removed the packet sorter component.
+
+- Bro no longer uses libmagic to identify file types but instead now
+ comes with its own signature library (which initially is still
+ derived from libmagic's database). This leads to a number of further
+ changes with regards to MIME types:
+
+ * The second parameter of the "identify_data" built-in function
+ can no longer be used to get verbose file type descriptions,
+ though it can still be used to get the strongest matching file
+ magic signature.
+
+ * The "file_transferred" event's "descr" parameter no longer
+ contains verbose file type descriptions.
+
+ * The BROMAGIC environment variable no longer changes any behavior
+ in Bro as magic databases are no longer used/installed.
+
+ * Removed "binary" and "octet-stream" mime type detections. They
+ don't provide any more information than an uninitialized
+ mime_type field.
+
+ * The "fa_file" record now contains a "mime_types" field that
+ contains all magic signatures that matched the file content
+ (where the "mime_type" field is just a shortcut for the
+ strongest match).
+
+- dns_TXT_reply() now supports more than one string entry by receiving
+ a vector of strings.
+
+- BroControl now runs the "exec" and "df" broctl commands only once
+ per host, instead of once per Bro node. The output of these
+ commands has been changed slightly to include both the host and
+ node names.
+
+- Several performance improvements were made. Particular emphasis
+ was put on the File Analysis system, which generally will now emit
+ far fewer file handle request events due to protocol analyzers now
+ caching that information internally.
+
+Bro 2.2
+=======
+
+New Functionality
+-----------------
+
+- A completely overhauled intelligence framework for consuming
+ external intelligence data. It provides an abstracted mechanism
+ for feeding data into the framework to be matched against the
+ data available.
It also provides a function named ``Intel::match``
+ which makes any hits on intelligence data available to the
+ scripting language.
+
+ Using input framework, the intel framework can load data from
+ text files. It can also update and add data if changes are
+ made to the file being monitored. Files to monitor for
+ intelligence can be provided by redef-ing the
+ ``Intel::read_files`` variable.
+
+ The intel framework is cluster-ready. On a cluster, the
+ manager is the only node that needs to load in data from disk,
+ the cluster support will distribute the data across a cluster
+ automatically.
+
+ Scripts are provided at ``policy/frameworks/intel/seen`` that
+ provide a broad set of sources of data to feed into the intel
+ framwork to be matched.
+
+- A new file analysis framework moves most of the processing of file
+ content from script-land into the core, where it belongs. See
+ ``doc/file-analysis.rst``, or the online documentation, for more
+ information.
+
+ Much of this is an internal change, but the framework also comes
+ with the following user-visible functionality (some of that was
+ already available before but is done differently, and more
+ efficiently, now):
+
+ - HTTP:
+
+ * Identify MIME type of messages.
+ * Extract messages to disk.
+ * Compute MD5 for messages.
+
+ - SMTP:
+
+ * Identify MIME type of messages.
+ * Extract messages to disk.
+ * Compute MD5 for messages.
+ * Provide access to start of entity data.
+
+ - FTP data transfers:
+
+ * Identify MIME types of data.
+ * Record to disk.
+
+ - IRC DCC transfers: Record to disk.
+
+ - Support for analyzing data transferred via HTTP range requests.
+
+ - A binary input reader interfaces the input framework with the
+ file analysis, allowing to inject files on disk into Bro's
+ content processing.
+
+- A new framework for computing a wide array of summary statistics,
+ such as counters and thresholds checks, standard deviation and mean,
+ set cardinality, top K, and more.
The framework operates in
+ real-time, independent of the underlying data, and can aggregate
+ information from many independent monitoring points (including
+ clusters). It provides a transparent, easy-to-use user interface,
+ and can optionally deploy a set of probabilistic data structures for
+ memory-efficient operation. The framework is located in
+ ``scripts/base/frameworks/sumstats``.
+
+ A number of new applications now ship with Bro that are built on top
+ of the summary statistics framework:
+
+ * Scan detection: Detectors for port and address scans. See
+ ``policy/misc/scan.bro`` (these scan detectors used to exist in
+ Bro versions <2.0; it's now back, but quite different).
+
+ * Tracerouter detector: ``policy/misc/detect-traceroute.bro``
+
+ * Web application detection/measurement:
+ ``policy/misc/app-stats/*``
+
+ * FTP and SSH brute-forcing detector:
+ ``policy/protocols/ftp/detect-bruteforcing.bro``,
+ ``policy/protocols/ssh/detect-bruteforcing.bro``
+
+ * HTTP-based SQL injection detector:
+ ``policy/protocols/http/detect-sqli.bro`` (existed before, but
+ now ported to the new framework)
+
+- GridFTP support. This is an extension to the standard FTP analyzer
+ and includes:
+
+ - An analyzer for the GSI mechanism of GSSAPI FTP AUTH method.
+ GSI authentication involves an encoded TLS/SSL handshake over
+ the FTP control session. For FTP sessions that attempt GSI
+ authentication, the ``service`` field of the connection log
+ will include ``gridftp`` (as well as also ``ftp`` and
+ ``ssl``).
+
+ - An example of a GridFTP data channel detection script. It
+ relies on the heuristics of GridFTP data channels commonly
+ default to SSL mutual authentication with a NULL bulk cipher
+ and that they usually transfer large datasets (default
+ threshold of script is 1 GB). For identified GridFTP data
+ channels, the ``services`` fields of the connection log will
+ include ``gridftp-data``.
+
+- Modbus and DNP3 support.
Script-level support is only basic at this
+ point but see ``src/analyzer/protocol/{modbus,dnp3}/events.bif``, or
+ the online documentation, for the events Bro generates. For Modbus,
+ there are also some example policies in
+ ``policy/protocols/modbus/*``.
+
+- The documentation now includes a new introduction to writing Bro
+ scripts. See ``doc/scripting/index.rst`` or, much better, the online
+ version. There's also the beginning of a chapter on "Using Bro" in
+ ``doc/using/index.rst``.
+
+- GPRS Tunnelling Protocol (GTPv1) decapsulation.
+
+- The scripting language now provide "hooks", a new flavor of
+ functions that share characteristics of both standard functions and
+ events. They are like events in that multiple bodies can be defined
+ for the same hook identifier. They are more like functions in the
+ way they are invoked/called, because, unlike events, their execution
+ is immediate and they do not get scheduled through an event queue.
+ Also, a unique feature of a hook is that a given hook handler body
+ can short-circuit the execution of remaining hook handlers simply by
+ exiting from the body as a result of a ``break`` statement (as
+ opposed to a ``return`` or just reaching the end of the body). See
+ ``doc/scripts/builtins.rst``, or the online documentation, for more
+ informatin.
+
+- Bro's language now has a working ``switch`` statement that generally
+ behaves like C-style switches (except that case labels can be
+ comprised of multiple literal constants delimited by commas). Only
+ atomic types are allowed for now. Case label bodies that don't
+ execute a ``return`` or ``break`` statement will fall through to
+ subsequent cases. A ``default`` case label is supported.
+
+- Bro's language now has a new set of types ``opaque of X``. Opaque
+ values can be passed around like other values but they can only be
+ manipulated with BiF functions, not with other operators.
Currently,
+ the following opaque types are supported::
+
+ opaque of md5
+ opaque of sha1
+ opaque of sha256
+ opaque of cardinality
+ opaque of topk
+ opaque of bloomfilter
+
+ These go along with the corrsponding BiF functions ``md5_*``,
+ ``sha1_*``, ``sha256_*``, ``entropy_*``, etc. . Note that where
+ these functions existed before, they have changed their signatures
+ to work with opaques types rather than global state.
+
+- The scripting language now supports constructing sets, tables,
+ vectors, and records by name::
+
+ type MyRecordType: record {
+ c: count;
+ s: string &optional;
+ };
+
+ global r: MyRecordType = record($c = 7);
+
+ type MySet: set[MyRec];
+ global s = MySet([$c=1], [$c=2]);
+
+- Strings now support the subscript operator to extract individual
+ characters and substrings (e.g., ``s[4]``, ``s[1:5]``). The index
+ expression can take up to two indices for the start and end index of
+ the substring to return (e.g. ``mystring[1:3]``).
+
+- Functions now support default parameters, e.g.::
+
+ global foo: function(s: string, t: string &default="abc", u: count &default=0);
+
+- Scripts can now use two new "magic constants" ``@DIR`` and
+ ``@FILENAME`` that expand to the directory path of the current
+ script and just the script file name without path, respectively.
+
+- ``ssl.log`` now also records the subject client and issuer
+ certificates.
+
+- The ASCII writer can now output CSV files on a per filter basis.
+
+- New SQLite reader and writer plugins for the logging framework allow
+ to read/write persistent data from on disk SQLite databases.
+
+- A new packet filter framework supports BPF-based load-balancing,
+ shunting, and sampling; plus plugin support to customize filters
+ dynamically.
+
+- Bro now provides Bloom filters of two kinds: basic Bloom filters
+ supporting membership tests, and counting Bloom filters that track
+ the frequency of elements.
The corresponding functions are::
+
+ bloomfilter_basic_init(fp: double, capacity: count, name: string &default=""): opaque of bloomfilter
+ bloomfilter_basic_init2(k: count, cells: count, name: string &default=""): opaque of bloomfilter
+ bloomfilter_counting_init(k: count, cells: count, max: count, name: string &default=""): opaque of bloomfilter
+ bloomfilter_add(bf: opaque of bloomfilter, x: any)
+ bloomfilter_lookup(bf: opaque of bloomfilter, x: any): count
+ bloomfilter_merge(bf1: opaque of bloomfilter, bf2: opaque of bloomfilter): opaque of bloomfilter
+ bloomfilter_clear(bf: opaque of bloomfilter)
+
+ See ``src/probabilistic/bloom-filter.bif``, or the online
+ documentation, for full documentation.
+
+- Bro now provides a probabilistic data structure for computing
+ "top k" elements. The corresponding functions are::
+
+ topk_init(size: count): opaque of topk
+ topk_add(handle: opaque of topk, value: any)
+ topk_get_top(handle: opaque of topk, k: count)
+ topk_count(handle: opaque of topk, value: any): count
+ topk_epsilon(handle: opaque of topk, value: any): count
+ topk_size(handle: opaque of topk): count
+ topk_sum(handle: opaque of topk): count
+ topk_merge(handle1: opaque of topk, handle2: opaque of topk)
+ topk_merge_prune(handle1: opaque of topk, handle2: opaque of topk)
+
+ See ``src/probabilistic/top-k.bif``, or the online documentation,
+ for full documentation.
+
+- Bro now provides a probabilistic data structure for computing set
+ cardinality, using the HyperLogLog algorithm.
The corresponding
+ functions are::
+
+ hll_cardinality_init(err: double, confidence: double): opaque of cardinality
+ hll_cardinality_add(handle: opaque of cardinality, elem: any): bool
+ hll_cardinality_merge_into(handle1: opaque of cardinality, handle2: opaque of cardinality): bool
+ hll_cardinality_estimate(handle: opaque of cardinality): double
+ hll_cardinality_copy(handle: opaque of cardinality): opaque of cardinality
+
+ See ``src/probabilistic/cardinality-counter.bif``, or the online
+ documentation, for full documentation.
+
+- ``base/utils/exec.bro`` provides a module to start external
+ processes asynchronously and retrieve their output on termination.
+ ``base/utils/dir.bro`` uses it to monitor a directory for changes,
+ and ``base/utils/active-http.bro`` for providing an interface for
+ querying remote web servers.
+
+- BroControl can now pin Bro processes to CPUs on supported platforms:
+ To use CPU pinning, a new per-node option ``pin_cpus`` can be
+ specified in node.cfg if the OS is either Linux or FreeBSD.
+
+- BroControl now returns useful exit codes. Most BroControl commands
+ return 0 if everything was OK, and 1 otherwise. However, there are
+ a few exceptions. The "status" and "top" commands return 0 if all Bro
+ nodes are running, and 1 if not all nodes are running. The "cron"
+ command always returns 0 (but it still sends email if there were any
+ problems). Any command provided by a plugin always returns 0.
+
+- BroControl now has an option "env_vars" to set Bro environment variables.
+ The value of this option is a comma-separated list of environment variable
+ assignments (e.g., "VAR1=value, VAR2=another"). The "env_vars" option
+ can apply to all Bro nodes (by setting it in broctl.cfg), or can be
+ node-specific (by setting it in node.cfg). Environment variables in
+ node.cfg have priority over any specified in broctl.cfg.
+
+- BroControl now supports load balancing with PF_RING while sniffing
+ multiple interfaces.
Rather than assigning the same PF_RING cluster ID
+ to all workers on a host, cluster ID assignment is now based on which
+ interface a worker is sniffing (i.e., all workers on a host that sniff
+ the same interface will share a cluster ID). This is handled by
+ BroControl automatically.
+
+- BroControl has several new options: MailConnectionSummary (for
+ disabling the sending of connection summary report emails),
+ MailAlarmsInterval (for specifying a different interval to send alarm
+ summary emails), CompressCmd (if archived log files will be compressed,
+ this specifies the command that will be used to compress them),
+ CompressExtension (if archived log files will be compressed, this
+ specifies the file extension to use).
+
+- BroControl comes with its own test-suite now. ``make test`` in
+ ``aux/broctl`` will run it.
+
+In addition to these, Bro 2.2 comes with a large set of smaller
+extensions, tweaks, and fixes across the whole code base, including
+most submodules.
+
+Changed Functionality
+---------------------
+
+- Previous versions of ``$prefix/share/bro/site/local.bro`` (where
+ "$prefix" indicates the installation prefix of Bro), aren't compatible
+ with Bro 2.2. This file won't be overwritten when installing over a
+ previous Bro installation to prevent clobbering users' modifications,
+ but an example of the new version is located in
+ ``$prefix/share/bro/site/local.bro.example``. So if no modification
+ has been done to the previous local.bro, just copy the new example
+ version over it, else merge in the differences.
For reference, + a common error message when attempting to use an outdated local.bro + looks like:: + + fatal error in /usr/local/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }]) + +- The type of ``Software::vulnerable_versions`` changed to allow + more flexibility and range specifications. An example usage: + + .. code:: bro + + const java_1_6_vuln = Software::VulnerableVersionRange( + $max = Software::Version($major = 1, $minor = 6, $minor2 = 0, $minor3 = 44) + ); + + const java_1_7_vuln = Software::VulnerableVersionRange( + $min = Software::Version($major = 1, $minor = 7), + $max = Software::Version($major = 1, $minor = 7, $minor2 = 0, $minor3 = 20) + ); + + redef Software::vulnerable_versions += { + ["Java"] = set(java_1_6_vuln, java_1_7_vuln) + }; + +- The interface to extracting content from application-layer protocols + (including HTTP, SMTP, FTP) has changed significantly due to the + introduction of the new file analysis framework (see above). + +- Removed the following, already deprecated, functionality: + + * Scripting language: + - ``&disable_print_hook attribute``. + + * BiF functions: + - ``parse_dotted_addr()``, ``dump_config()``, + ``make_connection_persistent()``, ``generate_idmef()``, + ``split_complete()`` + + - ``md5_*``, ``sha1_*``, ``sha256_*``, and ``entropy_*`` have + all changed their signatures to work with opaque types (see + above). + +- Removed a now unused argument from ``do_split`` helper function. + +- ``this`` is no longer a reserved keyword. + +- The Input Framework's ``update_finished`` event has been renamed to + ``end_of_data``. It will now not only fire after table-reads have + been completed, but also after the last event of a whole-file-read + (or whole-db-read, etc.). 
+ +- Renamed the option defining the frequency of alarm summary mails to + ``Logging::default_alarm_mail_interval``. When using BroControl, the + value can now be set with the new broctl.cfg option + ``MailAlarmsInterval``. + +- We have completely rewritten the ``notice_policy`` mechanism. It now + no longer uses a record of policy items but a ``hook``, a new + language element that's roughly equivalent to a function with + multiple bodies (see above). For existing code, the two main changes + are: + + - What used to be a ``redef`` of ``Notice::policy`` now becomes a + hook implementation. Example: + + Old:: + + redef Notice::policy += { + [$pred(n: Notice::Info) = { + return n$note == SSH::Login && n$id$resp_h == 10.0.0.1; + }, + $action = Notice::ACTION_EMAIL] + }; + + New:: + + hook Notice::policy(n: Notice::Info) + { + if ( n$note == SSH::Login && n$id$resp_h == 10.0.0.1 ) + add n$actions[Notice::ACTION_EMAIL]; + } + + - notice() is now likewise a hook, no longer an event. If you + have handlers for that event, you'll likely just need to change + the type accordingly. Example: + + Old:: + + event notice(n: Notice::Info) { ... } + + New:: + + hook notice(n: Notice::Info) { ... } + +- The ``notice_policy.log`` is gone. That's a result of the new notice + policy setup. + +- Removed the ``byte_len()`` and ``length()`` bif functions. Use the + ``|...|`` operator instead. + +- The ``SSH::Login`` notice has been superseded by an corresponding + intelligence framework observation (``SSH::SUCCESSFUL_LOGIN``). + +- ``PacketFilter::all_packets`` has been replaced with + ``PacketFilter::enable_auto_protocol_capture_filters``. + +- We removed the BitTorrent DPD signatures pending further updates to + that analyzer. + +- In previous versions of BroControl, running "broctl cron" would create + a file ``$prefix/logs/stats/www`` (where "$prefix" indicates the + installation prefix of Bro). Now, it is created as a directory. 
+ Therefore, if you perform an upgrade install and you're using BroControl,
+ then you may see an email (generated by "broctl cron") containing an
+ error message: "error running update-stats". To fix this problem,
+ either remove that file (it is not needed) or rename it.
+
+- Due to lack of maintenance the Ruby bindings for Broccoli are now
+ deprecated, and the build process no longer includes them by
+ default. For the time being, they can still be enabled by
+ configuring with ``--enable-ruby``, however we plan to remove
+ Broccoli's Ruby support with the next Bro release.
+
+Bro 2.1
+=======
+
+New Functionality
+-----------------
+
+- Bro now comes with extensive IPv6 support. Past versions offered
+ only basic IPv6 functionality that was rarely used in practice as it
+ had to be enabled explicitly. IPv6 support is now fully integrated
+ into all parts of Bro including protocol analysis and the scripting
+ language. It's on by default and no longer requires any special
+ configuration.
+
+ Some of the most significant enhancements include support for IPv6
+ fragment reassembly, support for following IPv6 extension header
+ chains, and support for tunnel decapsulation (6to4 and Teredo). The
+ DNS analyzer now handles AAAA records properly, and DNS lookups that
+ Bro itself performs now include AAAA queries, so that, for example,
+ the result returned by script-level lookups is a set that can
+ contain both IPv4 and IPv6 addresses. Support for the most common
+ ICMPv6 message types has been added. Also, the FTP EPSV and EPRT
+ commands are now handled properly. Internally, the way IP addresses
+ are stored has been improved, so Bro can handle both IPv4
+ and IPv6 by default without any special configuration.
+
+ In addition to Bro itself, the other Bro components have also been
+ made IPv6-aware by default. In particular, significant changes were
+ made to trace-summary, PySubnetTree, and Broccoli to support IPv6.
+ +- Bro now decapsulates tunnels via its new tunnel framework located in + scripts/base/frameworks/tunnels. It currently supports Teredo, + AYIYA, IP-in-IP (both IPv4 and IPv6), and SOCKS. For all these, it + logs the outer tunnel connections in both conn.log and tunnel.log, + and then proceeds to analyze the inner payload as if it were not + tunneled, including also logging that session in conn.log. For + SOCKS, it generates a new socks.log in addition with more + information. + +- Bro now features a flexible input framework that allows users to + integrate external information in real-time into Bro while it's + processing network traffic. The most direct use-case at the moment + is reading data from ASCII files into Bro tables, with updates + picked up automatically when the file changes during runtime. See + doc/input.rst for more information. + + Internally, the input framework is structured around the notion of + "reader plugins" that make it easy to interface to different data + sources. We will add more in the future. + +- BroControl now has built-in support for host-based load-balancing + when using either PF_RING, Myricom cards, or individual interfaces. + Instead of adding a separate worker entry in node.cfg for each Bro + worker process on each worker host, it is now possible to just + specify the number of worker processes on each host and BroControl + configures everything correctly (including any neccessary enviroment + variables for the balancers). + + This change adds three new keywords to the node.cfg file (to be used + with worker entries): lb_procs (specifies number of workers on a + host), lb_method (specifies what type of load balancing to use: + pf_ring, myricom, or interfaces), and lb_interfaces (used only with + "lb_method=interfaces" to specify which interfaces to load-balance + on). + +- Bro's default ASCII log format is not exactly the most efficient way + for storing and searching large volumes of data. 
An alternatives, + Bro now comes with experimental support for two alternative output + formats: + + * DataSeries: an efficient binary format for recording structured + bulk data. DataSeries is developed and maintained at HP Labs. + See doc/logging-dataseries for more information. + + * ElasticSearch: a distributed RESTful, storage engine and search + engine built on top of Apache Lucene. It scales very well, both + for distributed indexing and distributed searching. See + doc/logging-elasticsearch.rst for more information. + + Note that at this point, we consider Bro's support for these two + formats as prototypes for collecting experience with alternative + outputs. We do not yet recommend them for production (but welcome + feedback!) + + +Changed Functionality +--------------------- + +The following summarizes the most important differences in existing +functionality. Note that this list is not complete, see CHANGES for +the full set. + +- Changes in dependencies: + + * Bro now requires CMake >= 2.6.3. + + * On Linux, Bro now links in tcmalloc (part of Google perftools) + if found at configure time. Doing so can significantly improve + memory and CPU use. + + On the other platforms, the new configure option + --enable-perftools can be used to enable linking to tcmalloc. + (Note that perftools's support for non-Linux platforms may be + less reliable). + +- The configure switch --enable-brov6 is gone. + +- DNS name lookups performed by Bro now also query AAAA records. The + results of the A and AAAA queries for a given hostname are combined + such that at the scripting layer, the name resolution can yield a + set with both IPv4 and IPv6 addresses. + +- The connection compressor was already deprecated in 2.0 and has now + been removed from the code base. + +- We removed the "match" statement, which was no longer used by any of + the default scripts, nor was it likely to be used by anybody anytime + soon. 
With that, "match" and "using" are no longer reserved keywords. + +- The syntax for IPv6 literals changed from "2607:f8b0:4009:802::1012" + to "[2607:f8b0:4009:802::1012]". When an IP address variable or IP + address literal is enclosed in pipes (for example, + ``|[fe80::db15]|``) the result is now the size of the address in + bits (32 for IPv4 and 128 for IPv6). + +- Bro now spawns threads for doing its logging. From a user's + perspective not much should change, except that the OS may now show + a bunch of Bro threads. + +- We renamed the configure option --enable-perftools to + --enable-perftools-debug to indicate that the switch is only relevant + for debugging the heap. + +- Bro's ICMP analyzer now handles both IPv4 and IPv6 messages with a + joint set of events. The `icmp_conn` record got a new boolean field + 'v6' that indicates whether the ICMP message is v4 or v6. + +- Log postprocessor scripts get an additional argument indicating the + type of the log writer in use (e.g., "ascii"). + +- BroControl's make-archive-name script also receives the writer + type, but as its 2nd(!) argument. If you're using a custom version + of that script, you need to adapt it. See the shipped version for + details. + +- Signature files can now be loaded via the new "@load-sigs" + directive. In contrast to the existing (and still supported) + signature_files constant, this can be used to load signatures + relative to the current script (e.g., "@load-sigs ./foo.sig"). + +- The options "tunnel_port" and "parse_udp_tunnels" have been removed. + Bro now supports decapsulating tunnels directly for protocols it + understands. + +- ASCII logs now record the time when they were opened/closed at the + beginning and end of the file, respectively (wall clock). The + options LogAscii::header_prefix and LogAscii::include_header have + been renamed to LogAscii::meta_prefix and LogAscii::include_meta, + respectively. 
+ +- The ASCII writers "header_*" options have been renamed to "meta_*" + (because there's now also a footer). + +- Some built-in functions have been removed: "addr_to_count" (use + "addr_to_counts" instead), "bro_has_ipv6" (this is no longer + relevant because Bro now always supports IPv6), "active_connection" + (use "connection_exists" instead), and "connection_record" (use + "lookup_connection" instead). + +- The "NFS3::mode2string" built-in function has been renamed to + "file_mode". + +- Some built-in functions have been changed: "exit" (now takes the + exit code as a parameter), "to_port" (now takes a string as + parameter instead of a count and transport protocol, but + "count_to_port" is still available), "connect" (now takes an + additional string parameter specifying the zone of a non-global IPv6 + address), and "listen" (now takes three additional parameters to + enable listening on IPv6 addresses). + +- Some Bro script variables have been renamed: + "LogAscii::header_prefix" has been renamed to + "LogAscii::meta_prefix", "LogAscii::include_header" has been renamed + to "LogAscii::include_meta". + +- Some Bro script variables have been removed: "tunnel_port", + "parse_udp_tunnels", "use_connection_compressor", + "cc_handle_resets", "cc_handle_only_syns", and + "cc_instantiate_on_data". + +- A couple events have changed: the "icmp_redirect" event now includes + the target and destination addresses and any Neighbor Discovery + options in the message, and the last parameter of the + "dns_AAAA_reply" event has been removed because it was unused. + +- The format of the ASCII log files has changed very slightly. Two + new lines are automatically added, one to record the time when the + log was opened, and the other to record the time when the log was + closed. + +- In BroControl, the option (in broctl.cfg) "CFlowAddr" was renamed to + "CFlowAddress". 
+ + +Bro 2.0 +======= + +As the version number jump from 1.5 suggests, Bro 2.0 is a major +upgrade and lots of things have changed. Most importantly, we have +rewritten almost all of Bro's default scripts from scratch, using +quite different structure now and focusing more on operational +deployment. The result is a system that works much better "out of the +box", even without much initial site-specific configuration. The +down-side is that 1.x configurations will need to be adapted to work +with the new version. The two rules of thumb are: + + (1) If you have written your own Bro scripts + that do not depend on any of the standard scripts formerly + found in ``policy/``, they will most likely just keep working + (although you might want to adapt them to use some of the new + features, like the new logging framework; see below). + + (2) If you have custom code that depends on specifics of 1.x + default scripts (including most configuration tuning), that is + unlikely to work with 2.x. We recommend to start by using just + the new scripts first, and then port over any customizations + incrementally as necessary (they may be much easier to do now, + or even unnecessary). Send mail to the Bro user mailing list + if you need help. + +Below we summarize changes from 1.x to 2.x in more detail. This list +isn't complete, see the ``CHANGES`` file in the distribution. +for the full story. + +Script Organization +------------------- + +In versions before 2.0, Bro scripts were all maintained in a flat +directory called ``policy/`` in the source tree. This directory is now +renamed to ``scripts/`` and contains major subdirectories ``base/``, +``policy/``, and ``site/``, each of which may also be subdivided +further. + +The contents of the new ``scripts/`` directory, like the old/flat +``policy/`` still gets installed under the ``share/bro`` +subdirectory of the installation prefix path just like previous +versions. 
For example, if Bro was compiled like ``./configure +--prefix=/usr/local/bro && make && make install``, then the script +hierarchy can be found in ``/usr/local/bro/share/bro``. + +The main +subdirectories of that hierarchy are as follows: + +- ``base/`` contains all scripts that are loaded by Bro by default + (unless the ``-b`` command line option is used to run Bro in a + minimal configuration). Note that is a major conceptual change: + rather than not loading anything by default, Bro now uses an + extensive set of default scripts out of the box. + + The scripts under this directory generally either accumulate/log + useful state/protocol information for monitored traffic, configure a + default/recommended mode of operation, or provide extra Bro + scripting-layer functionality that has no significant performance cost. + +- ``policy/`` contains all scripts that a user will need to explicitly + tell Bro to load. These are scripts that implement + functionality/analysis that not all users may want to use and may have + more significant performance costs. For a new installation, you + should go through these and see what appears useful to load. + +- ``site/`` remains a directory that can be used to store locally + developed scripts. It now comes with some preinstalled example + scripts that contain recommended default configurations going beyond + the ``base/`` setup. E.g. ``local.bro`` loads extra scripts from + ``policy/`` and does extra tuning. These files can be customized in + place without being overwritten by upgrades/reinstalls, unlike + scripts in other directories. + +With version 2.0, the default ``BROPATH`` is set to automatically +search for scripts in ``policy/``, ``site/`` and their parent +directory, but **not** ``base/``. Generally, everything under +``base/`` is loaded automatically, but for users of the ``-b`` option, +it's important to know that loading a script in that directory +requires the extra ``base/`` path qualification. 
For example, the +following two scripts: + +* ``$PREFIX/share/bro/base/protocols/ssl/main.bro`` +* ``$PREFIX/share/bro/policy/protocols/ssl/validate-certs.bro`` + +are referenced from another Bro script like: + +.. code:: bro + + @load base/protocols/ssl/main + @load protocols/ssl/validate-certs + +Notice how ``policy/`` can be omitted as a convenience in the second +case. ``@load`` can now also use relative path, e.g., ``@load +../main``. + + +Logging Framework +----------------- + +- The logs generated by scripts that ship with Bro are entirely redone + to use a standardized, machine parsable format via the new logging + framework. Generally, the log content has been restructured towards + making it more directly useful to operations. Also, several + analyzers have been significantly extended and thus now log more + information. Take a look at ``ssl.log``. + + * A particular format change that may be useful to note is that the + ``conn.log`` ``service`` field is derived from DPD instead of + well-known ports (while that was already possible in 1.5, it was + not the default). + + * Also, ``conn.log`` now reports raw number of packets/bytes per + endpoint. + +- The new logging framework makes it possible to extend, customize, + and filter logs very easily. + +- A common pattern found in the new scripts is to store logging stream + records for protocols inside the ``connection`` records so that + state can be collected until enough is seen to log a coherent unit + of information regarding the activity of that connection. This + state is now frequently seen/accessible in event handlers, for + example, like ``c$`` where ```` is replaced by + the name of the protocol. This field is added to the ``connection`` + record by ``redef``'ing it in a + ``base/protocols//main.bro`` script. + +- The logging code has been rewritten internally, with script-level + interface and output backend now clearly separated. 
While ASCII + logging is still the default, we will add further output types in + the future (binary format, direct database logging). + + +Notice Framework +---------------- + +The way users interact with "notices" has changed significantly in order +to make it easier to define a site policy and more extensible for adding +customized actions. + + +New Default Settings +-------------------- + +- Dynamic Protocol Detection (DPD) is now enabled/loaded by default. + +- The default packet filter now examines all packets instead of + dynamically building a filter based on which protocol analysis scripts + are loaded. See ``PacketFilter::all_packets`` for how to revert to old + behavior. + +API Changes +----------- + +- The ``@prefixes`` directive works differently now. + Any added prefixes are now searched for and loaded *after* all input + files have been parsed. After all input files are parsed, Bro + searches ``BROPATH`` for prefixed, flattened versions of all of the + parsed input files. For example, if ``lcl`` is in ``@prefixes``, and + ``site.bro`` is loaded, then a file named ``lcl.site.bro`` that's in + ``BROPATH`` would end up being automatically loaded as well. Packages + work similarly, e.g. loading ``protocols/http`` means a file named + ``lcl.protocols.http.bro`` in ``BROPATH`` gets loaded automatically. + +- The ``make_addr`` BIF now returns a ``subnet`` versus an ``addr`` + + +Variable Naming +--------------- + +- ``Module`` is more widely used for namespacing. E.g. the new + ``site.bro`` exports the ``local_nets`` identifier (among other + things) into the ``Site`` module. + +- Identifiers may have been renamed to conform to new `scripting + conventions + `_ + + +Removed Functionality +--------------------- + +We have remove a bunch of functionality that was rarely used and/or +had not been maintained for a while already: + + - The ``net`` script data type. + - The ``alarm`` statement; use the notice framework instead. + - Trace rewriting. 
+
+ - DFA state expiration in regexp engine.
+ - Active mapping.
+ - Native DAG support (may come back eventually)
+ - ClamAV support.
+ - The connection compressor is now disabled by default, and will
+ be removed in the future.
+
+BroControl Changes
+------------------
+
+BroControl looks pretty much similar to the version coming with Bro 1.x,
+but has been cleaned up and streamlined significantly internally.
+
+BroControl has a new ``process`` command to process a trace on disk
+offline using a similar configuration to what BroControl installs for
+live analysis.
+
+BroControl now has an extensive plugin interface for adding new
+commands and options. Note that this is still considered experimental.
+
+We have removed the ``analysis`` command, and BroControl currently
+does not send daily alarm summaries anymore (this may be restored
+later).
+
+Development Infrastructure
+--------------------------
+
+Bro development has moved from using SVN to Git for revision control.
+Users that want to use the latest Bro development snapshot by checking it out
+from the source repositories should see the `development process
+`_. Note that all the various
+sub-components now reside in their own repositories. However, the
+top-level Bro repository includes them as git submodules so it's easy
+to check them all out simultaneously.
+
+Bro now uses `CMake `_ for its build system so
+that is a new required dependency when building from source.
+
+Bro now comes with a growing suite of regression tests in
+``testing/``.
diff --git a/VERSION b/VERSION
index fadaf6e549..acde488fd3 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-130
+2.6-249
diff --git a/aux/bifcl b/aux/bifcl
index 0fae77f96a..1b5375e9f8 160000
--- a/aux/bifcl
+++ b/aux/bifcl
@@ -1 +1 @@
-Subproject commit 0fae77f96abe63c93c2b8ab902651ad42e5d6de4
+Subproject commit 1b5375e9f81ecec59f983e6abe86300c6bbbcb8f
diff --git a/aux/binpac b/aux/binpac
index 24d7a40fa8..04c7e27a22 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 24d7a40fa81c906510150fb89ff15579be282bb2
+Subproject commit 04c7e27a22491a91ee309877253da0922d0822bc
diff --git a/aux/broccoli b/aux/broccoli
index d583984372..8668422406 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit d5839843727b2dd17f2f85159522879f0d455318
+Subproject commit 8668422406cb74f4f0c574a0c9b6365a21f3e81a
diff --git a/aux/broctl b/aux/broctl
index 1748d8fe7f..39ae4a469d 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 1748d8fe7fa2f32d775045079dd11d3048cb1696
+Subproject commit 39ae4a469d6ae86c12b49020b361da4fcab24b5b
diff --git a/aux/broker b/aux/broker
index 7065ab0d25..56408c5582 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 7065ab0d25f3db797b0290724da87c02c262827c
+Subproject commit 56408c5582c80db6774c8b25642149dfb542345a
diff --git a/aux/zeek-aux b/aux/zeek-aux
index 46411f7e42..ba482418c4 160000
--- a/aux/zeek-aux
+++ b/aux/zeek-aux
@@ -1 +1 @@
-Subproject commit 46411f7e4235f119fea5f38fc0329a60631400e3
+Subproject commit ba482418c4e16551fd7b9128a4082348ef2842f0
diff --git a/cmake b/cmake
index 6135c1a663..5521da04df 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 6135c1a6639dfbfcf9b1fd720fa6a96118b3ab43
+Subproject commit 5521da04df0190e3362e4c5164df5c2c8884dd2c
diff --git a/configure b/configure
index ada9d21322..98bfc5308d 100755
--- a/configure
+++ b/configure
@@ -53,6 +53,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
 --enable-jemalloc link against jemalloc
 --enable-broccoli build or install the Broccoli library (deprecated)
 --enable-static-broker build broker statically (ignored if --with-broker is specified)
+ --enable-static-binpac build binpac statically (ignored if --with-binpac is specified)
 --disable-broctl don't install Broctl
 --disable-auxtools don't build or install auxiliary tools
 --disable-perftools don't try to build with Google Perftools
@@ -227,6 +228,9 @@ while [ $# -ne 0 ]; do
 --enable-static-broker)
 append_cache_entry BUILD_STATIC_BROKER BOOL true
 ;;
+ --enable-static-binpac)
+ append_cache_entry BUILD_STATIC_BINPAC BOOL true
+ ;;
 --disable-broctl)
 append_cache_entry INSTALL_BROCTL BOOL false
 ;;
diff --git a/doc b/doc
index 650a136dcc..073bb08473 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 650a136dccefe44fa276e4fb06d9dc854f9ab06c
+Subproject commit 073bb08473b8172b8bb175e0702204f15f522392
diff --git a/man/bro.8 b/man/bro.8
index 66d0fc4f20..a4c54d48f6 100644
--- a/man/bro.8
+++ b/man/bro.8
@@ -99,7 +99,7 @@ Record process status in file
 \fB\-W\fR,\ \-\-watchdog
 activate watchdog timer
 .TP
-\fB\-X\fR,\ \-\-broxygen
+\fB\-X\fR,\ \-\-zeexygen
 generate documentation based on config file
 .TP
 \fB\-\-pseudo\-realtime[=\fR]
@@ -150,7 +150,7 @@ ASCII log file extension
 Output file for script execution statistics
 .TP
 .B BRO_DISABLE_BROXYGEN
-Disable Broxygen documentation support
+Disable Zeexygen (Broxygen) documentation support
 .SH AUTHOR
 .B bro
 was written by The Bro Project .
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index 96c682871a..189c9b9df8 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -2,8 +2,8 @@ include(InstallPackageConfigFile)
 install(DIRECTORY ./ DESTINATION ${BRO_SCRIPT_INSTALL_PATH} FILES_MATCHING
 PATTERN "site/local*" EXCLUDE
- PATTERN "test-all-policy.bro" EXCLUDE
- PATTERN "*.bro"
+ PATTERN "test-all-policy.zeek" EXCLUDE
+ PATTERN "*.zeek"
 PATTERN "*.sig"
 PATTERN "*.fp"
 )
@@ -11,6 +11,6 @@ install(DIRECTORY ./ DESTINATION ${BRO_SCRIPT_INSTALL_PATH} FILES_MATCHING
 # Install all local* scripts as config files since they are meant to be
 # user modify-able.
 InstallPackageConfigFile(
- ${CMAKE_CURRENT_SOURCE_DIR}/site/local.bro
+ ${CMAKE_CURRENT_SOURCE_DIR}/site/local.zeek
 ${BRO_SCRIPT_INSTALL_PATH}/site
- local.bro)
+ local.zeek)
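Review bot: The new `--enable-static-binpac)` arm only records `BUILD_STATIC_BINPAC BOOL true` in the cache; nothing in this script checks for a conflicting `--with-binpac`, even though the help text added in the previous hunk promises the option is "ignored if --with-binpac is specified". That precedence is presumably resolved on the CMake side, as it must already be for the sibling `--enable-static-broker`/`--with-broker` pair, but that logic is not in this diff, so the promise is unverified here. A one-line note in the arm would make the contract explicit for the next reader, e.g. `# precedence over --with-binpac is decided in CMake, not here`. The enclosing `while [ $# -ne 0 ]` option loop starts and ends outside the hunk.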
diff --git a/scripts/base/files/extract/__load__.bro b/scripts/base/files/extract/__load__.zeek
similarity index 100%
rename from scripts/base/files/extract/__load__.bro
rename to scripts/base/files/extract/__load__.zeek
diff --git a/scripts/base/files/extract/main.bro b/scripts/base/files/extract/main.zeek
similarity index 92%
rename from scripts/base/files/extract/main.bro
rename to scripts/base/files/extract/main.zeek
index b2d1907e01..93288c5127 100644
--- a/scripts/base/files/extract/main.bro
+++ b/scripts/base/files/extract/main.zeek
@@ -29,12 +29,12 @@ export {
 ## to know where to write the file to. If not specified, then
 ## a filename in the format "extract--" is
 ## automatically assigned (using the *source* and *id*
- ## fields of :bro:see:`fa_file`).
+ ## fields of :zeek:see:`fa_file`).
 extract_filename: string &optional;
 ## The maximum allowed file size in bytes of *extract_filename*.
- ## Once reached, a :bro:see:`file_extraction_limit` event is
+ ## Once reached, a :zeek:see:`file_extraction_limit` event is
 ## raised and the analyzer will be removed unless
- ## :bro:see:`FileExtract::set_limit` is called to increase the
+ ## :zeek:see:`FileExtract::set_limit` is called to increase the
 ## limit. A value of zero means "no limit".
 extract_limit: count &default=default_limit;
 };
@@ -75,7 +75,7 @@ event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count,
 f$info$extracted_size = limit;
 }
-event bro_init() &priority=10
+event zeek_init() &priority=10
 {
 Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add);
 }
diff --git a/scripts/base/files/hash/__load__.bro b/scripts/base/files/hash/__load__.zeek
similarity index 100%
rename from scripts/base/files/hash/__load__.bro
rename to scripts/base/files/hash/__load__.zeek
diff --git a/scripts/base/files/hash/main.bro b/scripts/base/files/hash/main.zeek
similarity index 100%
rename from scripts/base/files/hash/main.bro
rename to scripts/base/files/hash/main.zeek
diff --git a/scripts/base/files/pe/__load__.bro b/scripts/base/files/pe/__load__.zeek
similarity index 100%
rename from scripts/base/files/pe/__load__.bro
rename to scripts/base/files/pe/__load__.zeek
diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.zeek
similarity index 100%
rename from scripts/base/files/pe/consts.bro
rename to scripts/base/files/pe/consts.zeek
diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.zeek
similarity index 98%
rename from scripts/base/files/pe/main.bro
rename to scripts/base/files/pe/main.zeek
index 972e8a31c8..688c161177 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.zeek
@@ -1,6 +1,6 @@
 module PE;
-@load ./consts.bro
+@load ./consts
 export {
 redef enum Log::ID += { LOG };
@@ -55,7 +55,7 @@ redef record fa_file += {
 const pe_mime_types = { "application/x-dosexec" };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 {
 Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
 Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe"]);
diff --git a/scripts/base/files/unified2/__load__.bro b/scripts/base/files/unified2/__load__.zeek
similarity index 100%
rename from scripts/base/files/unified2/__load__.bro
rename to scripts/base/files/unified2/__load__.zeek
diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.zeek
similarity index 98%
rename from scripts/base/files/unified2/main.bro
rename to scripts/base/files/unified2/main.zeek
index 9d9ef15d79..1a9841d5b1 100644
--- a/scripts/base/files/unified2/main.bro
+++ b/scripts/base/files/unified2/main.zeek
@@ -193,7 +193,7 @@ event Input::end_of_data(name: string, source: string)
 start_watching();
 }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 {
 Log::create_stream(Unified2::LOG, [$columns=Info, $ev=log_unified2, $path="unified2"]);
@@ -289,9 +289,9 @@ event file_state_remove(f: fa_file)
 {
 # In case any events never had matching packets, flush
 # the extras to the log.
- for ( i in f$u2_events )
+ for ( i, ev in f$u2_events )
 {
- Log::write(LOG, create_info(f$u2_events[i]));
+ Log::write(LOG, create_info(ev));
 }
 }
 }
diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.zeek
similarity index 100%
rename from scripts/base/files/x509/__load__.bro
rename to scripts/base/files/x509/__load__.zeek
diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.zeek
similarity index 99%
rename from scripts/base/files/x509/main.bro
rename to scripts/base/files/x509/main.zeek
index b6fdde5494..e674ae8888 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.zeek
@@ -29,7 +29,7 @@ export {
 global log_x509: event(rec: Info);
 }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 {
 Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]);
diff --git a/scripts/base/frameworks/analyzer/__load__.bro b/scripts/base/frameworks/analyzer/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/analyzer/__load__.bro
rename to scripts/base/frameworks/analyzer/__load__.zeek
diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.zeek
similarity index 96%
rename from scripts/base/frameworks/analyzer/main.bro
rename to scripts/base/frameworks/analyzer/main.zeek
index 39b0d573fd..0775768dca 100644
--- a/scripts/base/frameworks/analyzer/main.bro
+++ b/scripts/base/frameworks/analyzer/main.zeek
@@ -5,7 +5,7 @@
 ##! particular analyzer for new connections.
 ##!
 ##! Protocol analyzers are identified by unique tags of type
-##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP`.
+##! :zeek:type:`Analyzer::Tag`, such as :zeek:enum:`Analyzer::ANALYZER_HTTP`.
 ##! These tags are defined internally by
 ##! the analyzers themselves, and documented in their analyzer-specific
 ##! description along with the events that they generate.
@@ -17,7 +17,7 @@ module Analyzer;
 export {
 ## If true, all available analyzers are initially disabled at startup.
 ## One can then selectively enable them with
- ## :bro:id:`Analyzer::enable_analyzer`.
+ ## :zeek:id:`Analyzer::enable_analyzer`.
 global disable_all = F &redef;
 ## Enables an analyzer. Once enabled, the analyzer may be used for analysis
@@ -109,7 +109,7 @@ export {
 ## Automatically creates a BPF filter for the specified protocol based
 ## on the data supplied for the protocol through the
- ## :bro:see:`Analyzer::register_for_ports` function.
+ ## :zeek:see:`Analyzer::register_for_ports` function.
 ##
 ## tag: The analyzer tag.
 ##
@@ -135,7 +135,7 @@ export {
 global ports: table[Analyzer::Tag] of set[port];
-event bro_init() &priority=5
+event zeek_init() &priority=5
 {
 if ( disable_all )
 __disable_all_analyzers();
diff --git a/scripts/base/frameworks/broker/__load__.bro b/scripts/base/frameworks/broker/__load__.zeek
similarity index 100%
rename from scripts/base/frameworks/broker/__load__.bro
rename to scripts/base/frameworks/broker/__load__.zeek
diff --git a/scripts/base/frameworks/broker/log.bro b/scripts/base/frameworks/broker/log.zeek
similarity index 98%
rename from scripts/base/frameworks/broker/log.bro
rename to scripts/base/frameworks/broker/log.zeek
index 2461cb8d54..bd76684b74 100644
--- a/scripts/base/frameworks/broker/log.bro
+++ b/scripts/base/frameworks/broker/log.zeek
@@ -30,7 +30,7 @@ export {
 };
 }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 {
 Log::create_stream(Broker::LOG, [$columns=Info, $path="broker"]);
 }
diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.zeek
similarity index 92%
rename from scripts/base/frameworks/broker/main.bro
rename to scripts/base/frameworks/broker/main.zeek
index 9be261eaf1..f64ff0ce14 100644
--- a/scripts/base/frameworks/broker/main.bro
+++ b/scripts/base/frameworks/broker/main.zeek
@@ -10,19 +10,19 @@ export {
 ## Default interval to retry listening on a port if it's currently in
 ## use already. Use of the BRO_DEFAULT_LISTEN_RETRY environment variable
 ## (set as a number of seconds) will override this option and also
- ## any values given to :bro:see:`Broker::listen`.
+ ## any values given to :zeek:see:`Broker::listen`.
 const default_listen_retry = 30sec &redef;
 ## Default address on which to listen.
 ##
- ## .. bro:see:: Broker::listen
+ ## .. zeek:see:: Broker::listen
 const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef;
 ## Default interval to retry connecting to a peer if it cannot be made to
 ## work initially, or if it ever becomes disconnected. Use of the
 ## BRO_DEFAULT_CONNECT_RETRY environment variable (set as number of
 ## seconds) will override this option and also any values given to
- ## :bro:see:`Broker::peer`.
+ ## :zeek:see:`Broker::peer`.
 const default_connect_retry = 30sec &redef;
 ## If true, do not use SSL for network connections. By default, SSL will
@@ -47,7 +47,7 @@ export {
 const ssl_certificate = "" &redef;
 ## Passphrase to decrypt the private key specified by
- ## :bro:see:`Broker::ssl_keyfile`. If set, Bro will require valid
+ ## :zeek:see:`Broker::ssl_keyfile`. If set, Bro will require valid
 ## certificates for all peers.
 const ssl_passphrase = "" &redef;
@@ -96,7 +96,7 @@ export {
 ## Forward all received messages to subscribing peers.
 const forward_messages = F &redef;
- ## Whether calling :bro:see:`Broker::peer` will register the Broker
+ ## Whether calling :zeek:see:`Broker::peer` will register the Broker
 ## system as an I/O source that will block the process from shutting
 ## down. For example, set this to false when you are reading pcaps,
 ## but also want to initaiate a Broker peering and still shutdown after
@@ -107,7 +107,7 @@ export {
 ## id is appended when writing to a particular stream.
 const default_log_topic_prefix = "bro/logs/" &redef;
- ## The default implementation for :bro:see:`Broker::log_topic`.
+ ## The default implementation for :zeek:see:`Broker::log_topic`.
 function default_log_topic(id: Log::ID, path: string): string
 {
 return default_log_topic_prefix + cat(id);
@@ -116,7 +116,7 @@ export {
 ## A function that will be called for each log entry to determine what
 ## broker topic string will be used for sending it to peers. The
 ## default implementation will return a value based on
- ## :bro:see:`Broker::default_log_topic_prefix`.
+ ## :zeek:see:`Broker::default_log_topic_prefix`.
 ##
 ## id: the ID associated with the log stream entry that will be sent.
 ##
@@ -232,7 +232,7 @@ export {
 ##
 ## Returns: the bound port or 0/? on failure.
 ##
- ## .. bro:see:: Broker::status
+ ## .. zeek:see:: Broker::status
 global listen: function(a: string &default = default_listen_address,
 p: port &default = default_port,
 retry: interval &default = default_listen_retry): port;
@@ -252,7 +252,7 @@ export {
 ## it's a new peer. The actual connection may not be established
 ## until a later point in time.
 ##
- ## .. bro:see:: Broker::status
+ ## .. zeek:see:: Broker::status
 global peer: function(a: string, p: port &default=default_port,
 retry: interval &default=default_connect_retry): bool;
@@ -262,12 +262,12 @@ export { ## just means that we won't exchange any further information with it ## unless peering resumes later. ## - ## a: the address used in previous successful call to :bro:see:`Broker::peer`. + ## a: the address used in previous successful call to :zeek:see:`Broker::peer`. ## - ## p: the port used in previous successful call to :bro:see:`Broker::peer`. + ## p: the port used in previous successful call to :zeek:see:`Broker::peer`. ## ## Returns: true if the arguments match a previously successful call to - ## :bro:see:`Broker::peer`. + ## :zeek:see:`Broker::peer`. ## ## TODO: We do not have a function yet to terminate a connection. global unpeer: function(a: string, p: port): bool; @@ -298,7 +298,7 @@ export { ## Register interest in all peer event messages that use a certain topic ## prefix. Note that subscriptions may not be altered immediately after - ## calling (except during :bro:see:`bro_init`). + ## calling (except during :zeek:see:`zeek_init`). ## ## topic_prefix: a prefix to match against remote message topics. ## e.g. an empty prefix matches everything and "a" matches @@ -309,10 +309,10 @@ export { ## Unregister interest in all peer event messages that use a topic prefix. ## Note that subscriptions may not be altered immediately after calling - ## (except during :bro:see:`bro_init`). + ## (except during :zeek:see:`zeek_init`). ## ## topic_prefix: a prefix previously supplied to a successful call to - ## :bro:see:`Broker::subscribe` or :bro:see:`Broker::forward`. + ## :zeek:see:`Broker::subscribe` or :zeek:see:`Broker::forward`. ## ## Returns: true if interest in the topic prefix is no longer advertised. global unsubscribe: function(topic_prefix: string): bool; 
@@ -320,8 +320,8 @@ export { ## Register a topic prefix subscription for events that should only be ## forwarded to any subscribing peers and not raise any event handlers ## on the receiving/forwarding node. i.e. it's the same as - ## :bro:see:`Broker::subscribe` except matching events are not raised - ## on the receiver, just forwarded. Use :bro:see:`Broker::unsubscribe` + ## :zeek:see:`Broker::subscribe` except matching events are not raised + ## on the receiver, just forwarded. Use :zeek:see:`Broker::unsubscribe` ## with the same argument to undo this operation. ## ## topic_prefix: a prefix to match against remote message topics. @@ -346,9 +346,9 @@ export { ## Stop automatically sending an event to peers upon local dispatch. ## - ## topic: a topic originally given to :bro:see:`Broker::auto_publish`. + ## topic: a topic originally given to :zeek:see:`Broker::auto_publish`. ## - ## ev: an event originally given to :bro:see:`Broker::auto_publish`. + ## ev: an event originally given to :zeek:see:`Broker::auto_publish`. ## ## Returns: true if automatic events will not occur for the topic/event ## pair. diff --git a/scripts/base/frameworks/broker/store.bro b/scripts/base/frameworks/broker/store.zeek similarity index 99% rename from scripts/base/frameworks/broker/store.bro rename to scripts/base/frameworks/broker/store.zeek index 2e216afa93..dace2032c9 100644 --- a/scripts/base/frameworks/broker/store.bro +++ b/scripts/base/frameworks/broker/store.zeek @@ -353,7 +353,7 @@ export { ## ## Returns: a set with the keys. If you expect the keys to be of ## non-uniform type, consider using - ## :bro:see:`Broker::set_iterator` to iterate over the result. + ## :zeek:see:`Broker::set_iterator` to iterate over the result. global keys: function(h: opaque of Broker::Store): QueryResult; ## Deletes all of a store's content, it will be empty afterwards. 
diff --git a/scripts/base/frameworks/cluster/__load__.bro b/scripts/base/frameworks/cluster/__load__.zeek similarity index 94% rename from scripts/base/frameworks/cluster/__load__.bro rename to scripts/base/frameworks/cluster/__load__.zeek index 20060357a4..e3b318c1d5 100644 --- a/scripts/base/frameworks/cluster/__load__.bro +++ b/scripts/base/frameworks/cluster/__load__.zeek @@ -17,7 +17,7 @@ redef Broker::log_topic = Cluster::rr_log_topic; # If this script isn't found anywhere, the cluster bombs out. # Loading the cluster framework requires that a script by this name exists # somewhere in the BROPATH. The only thing in the file should be the -# cluster definition in the :bro:id:`Cluster::nodes` variable. +# cluster definition in the :zeek:id:`Cluster::nodes` variable. @load cluster-layout @if ( Cluster::node in Cluster::nodes ) diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.zeek similarity index 91% rename from scripts/base/frameworks/cluster/main.bro rename to scripts/base/frameworks/cluster/main.zeek index c23a123cfd..02c063c346 100644 --- a/scripts/base/frameworks/cluster/main.bro +++ b/scripts/base/frameworks/cluster/main.zeek @@ -1,8 +1,8 @@ ##! A framework for establishing and controlling a cluster of Bro instances. ##! In order to use the cluster framework, a script named -##! ``cluster-layout.bro`` must exist somewhere in Bro's script search path -##! which has a cluster definition of the :bro:id:`Cluster::nodes` variable. -##! The ``CLUSTER_NODE`` environment variable or :bro:id:`Cluster::node` +##! ``cluster-layout.zeek`` must exist somewhere in Bro's script search path +##! which has a cluster definition of the :zeek:id:`Cluster::nodes` variable. +##! The ``CLUSTER_NODE`` environment variable or :zeek:id:`Cluster::node` ##! must also be sent and the cluster framework loaded as a package like ##! ``@load base/frameworks/cluster``. 
@@ -44,23 +44,23 @@ export { const nodeid_topic_prefix = "bro/cluster/nodeid/" &redef; ## Name of the node on which master data stores will be created if no other - ## has already been specified by the user in :bro:see:`Cluster::stores`. + ## has already been specified by the user in :zeek:see:`Cluster::stores`. ## An empty value means "use whatever name corresponds to the manager ## node". const default_master_node = "" &redef; ## The type of data store backend that will be used for all data stores if - ## no other has already been specified by the user in :bro:see:`Cluster::stores`. + ## no other has already been specified by the user in :zeek:see:`Cluster::stores`. const default_backend = Broker::MEMORY &redef; ## The type of persistent data store backend that will be used for all data ## stores if no other has already been specified by the user in - ## :bro:see:`Cluster::stores`. This will be used when script authors call - ## :bro:see:`Cluster::create_store` with the *persistent* argument set true. + ## :zeek:see:`Cluster::stores`. This will be used when script authors call + ## :zeek:see:`Cluster::create_store` with the *persistent* argument set true. const default_persistent_backend = Broker::SQLITE &redef; ## Setting a default dir will, for persistent backends that have not - ## been given an explicit file path via :bro:see:`Cluster::stores`, + ## been given an explicit file path via :zeek:see:`Cluster::stores`, ## automatically create a path within this dir that is based on the name of ## the data store. const default_store_dir = "" &redef; 
@@ -81,21 +81,21 @@ export { ## Parameters used for configuring the backend. options: Broker::BackendOptions &default=Broker::BackendOptions(); ## A resync/reconnect interval to pass through to - ## :bro:see:`Broker::create_clone`. + ## :zeek:see:`Broker::create_clone`. clone_resync_interval: interval &default=Broker::default_clone_resync_interval; ## A staleness duration to pass through to - ## :bro:see:`Broker::create_clone`. + ## :zeek:see:`Broker::create_clone`. clone_stale_interval: interval &default=Broker::default_clone_stale_interval; ## A mutation buffer interval to pass through to - ## :bro:see:`Broker::create_clone`. + ## :zeek:see:`Broker::create_clone`. clone_mutation_buffer_interval: interval &default=Broker::default_clone_mutation_buffer_interval; }; ## A table of cluster-enabled data stores that have been created, indexed ## by their name. This table will be populated automatically by - ## :bro:see:`Cluster::create_store`, but if you need to customize + ## :zeek:see:`Cluster::create_store`, but if you need to customize ## the options related to a particular data store, you may redef this - ## table. Calls to :bro:see:`Cluster::create_store` will first check + ## table. Calls to :zeek:see:`Cluster::create_store` will first check ## the table for an entry of the same name and, if found, will use the ## predefined options there when setting up the store. global stores: table[string] of StoreInfo &default=StoreInfo() &redef; 
@@ -174,15 +174,15 @@ export { ## This function can be called at any time to determine if the cluster ## framework is being enabled for this run. ## - ## Returns: True if :bro:id:`Cluster::node` has been set. + ## Returns: True if :zeek:id:`Cluster::node` has been set. global is_enabled: function(): bool; ## This function can be called at any time to determine what type of ## cluster node the current Bro instance is going to be acting as. - ## If :bro:id:`Cluster::is_enabled` returns false, then - ## :bro:enum:`Cluster::NONE` is returned. + ## If :zeek:id:`Cluster::is_enabled` returns false, then + ## :zeek:enum:`Cluster::NONE` is returned. ## - ## Returns: The :bro:type:`Cluster::NodeType` the calling node acts as. + ## Returns: The :zeek:type:`Cluster::NodeType` the calling node acts as. global local_node_type: function(): NodeType; ## This gives the value for the number of workers currently connected to, @@ -192,7 +192,7 @@ export { global worker_count: count = 0; ## The cluster layout definition. This should be placed into a filter - ## named cluster-layout.bro somewhere in the BROPATH. It will be + ## named cluster-layout.zeek somewhere in the BROPATH. It will be ## automatically loaded if the CLUSTER_NODE environment variable is set. ## Note that BroControl handles all of this automatically. ## The table is typically indexed by node names/labels (e.g. "manager" @@ -200,7 +200,7 @@ export { const nodes: table[string] of Node = {} &redef; ## Indicates whether or not the manager will act as the logger and receive - ## logs. This value should be set in the cluster-layout.bro script (the + ## logs. This value should be set in the cluster-layout.zeek script (the ## value should be true only if no logger is specified in Cluster::nodes). ## Note that BroControl handles this automatically. const manager_is_logger = T &redef; 
@@ -241,8 +241,8 @@ export { ## Retrieve the topic associated with a specific node in the cluster. ## - ## id: the id of the cluster node (from :bro:see:`Broker::EndpointInfo` - ## or :bro:see:`Broker::node_id`. + ## id: the id of the cluster node (from :zeek:see:`Broker::EndpointInfo` + ## or :zeek:see:`Broker::node_id`. ## ## Returns: a topic string that may used to send a message exclusively to ## a given cluster node. @@ -340,10 +340,8 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) &priority= event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=10 { - for ( node_name in nodes ) + for ( node_name, n in nodes ) { - local n = nodes[node_name]; - if ( n?$id && n$id == endpoint$id ) { Cluster::log(fmt("node down: %s", node_name)); @@ -361,7 +359,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=1 } } -event bro_init() &priority=5 +event zeek_init() &priority=5 { # If a node is given, but it's an unknown name we need to fail. if ( node != "" && node !in nodes ) diff --git a/scripts/base/frameworks/cluster/nodes/logger.bro b/scripts/base/frameworks/cluster/nodes/logger.zeek similarity index 100% rename from scripts/base/frameworks/cluster/nodes/logger.bro rename to scripts/base/frameworks/cluster/nodes/logger.zeek diff --git a/scripts/base/frameworks/cluster/nodes/manager.bro b/scripts/base/frameworks/cluster/nodes/manager.zeek similarity index 100% rename from scripts/base/frameworks/cluster/nodes/manager.bro rename to scripts/base/frameworks/cluster/nodes/manager.zeek diff --git a/scripts/base/frameworks/cluster/nodes/proxy.bro b/scripts/base/frameworks/cluster/nodes/proxy.zeek similarity index 100% rename from scripts/base/frameworks/cluster/nodes/proxy.bro rename to scripts/base/frameworks/cluster/nodes/proxy.zeek 
diff --git a/scripts/base/frameworks/cluster/nodes/worker.bro b/scripts/base/frameworks/cluster/nodes/worker.zeek similarity index 100% rename from scripts/base/frameworks/cluster/nodes/worker.bro rename to scripts/base/frameworks/cluster/nodes/worker.zeek diff --git a/scripts/base/frameworks/cluster/pools.bro b/scripts/base/frameworks/cluster/pools.zeek similarity index 94% rename from scripts/base/frameworks/cluster/pools.bro rename to scripts/base/frameworks/cluster/pools.zeek index a027fac818..ae14a09527 100644 --- a/scripts/base/frameworks/cluster/pools.bro +++ b/scripts/base/frameworks/cluster/pools.zeek @@ -58,17 +58,17 @@ export { alive_count: count &default = 0; }; - ## The specification for :bro:see:`Cluster::proxy_pool`. + ## The specification for :zeek:see:`Cluster::proxy_pool`. global proxy_pool_spec: PoolSpec = PoolSpec($topic = "bro/cluster/pool/proxy", $node_type = Cluster::PROXY) &redef; - ## The specification for :bro:see:`Cluster::worker_pool`. + ## The specification for :zeek:see:`Cluster::worker_pool`. global worker_pool_spec: PoolSpec = PoolSpec($topic = "bro/cluster/pool/worker", $node_type = Cluster::WORKER) &redef; - ## The specification for :bro:see:`Cluster::logger_pool`. + ## The specification for :zeek:see:`Cluster::logger_pool`. global logger_pool_spec: PoolSpec = PoolSpec($topic = "bro/cluster/pool/logger", $node_type = Cluster::LOGGER) &redef; 
@@ -120,10 +120,10 @@ export { global rr_topic: function(pool: Pool, key: string &default=""): string; ## Distributes log message topics among logger nodes via round-robin. - ## This will be automatically assigned to :bro:see:`Broker::log_topic` - ## if :bro:see:`Cluster::enable_round_robin_logging` is enabled. + ## This will be automatically assigned to :zeek:see:`Broker::log_topic` + ## if :zeek:see:`Cluster::enable_round_robin_logging` is enabled. ## If no logger nodes are active, then this will return the value - ## of :bro:see:`Broker::default_log_topic`. + ## of :zeek:see:`Broker::default_log_topic`. global rr_log_topic: function(id: Log::ID, path: string): string; } @@ -136,7 +136,7 @@ export { ## Returns: F if a node of the same name already exists in the pool, else T. global init_pool_node: function(pool: Pool, name: string): bool; -## Mark a pool node as alive/online/available. :bro:see:`Cluster::hrw_topic` +## Mark a pool node as alive/online/available. :zeek:see:`Cluster::hrw_topic` ## will distribute keys to nodes marked as alive. ## ## pool: the pool to which the node belongs. @@ -146,7 +146,7 @@ global init_pool_node: function(pool: Pool, name: string): bool; ## Returns: F if the node does not exist in the pool, else T. global mark_pool_node_alive: function(pool: Pool, name: string): bool; -## Mark a pool node as dead/offline/unavailable. :bro:see:`Cluster::hrw_topic` +## Mark a pool node as dead/offline/unavailable. :zeek:see:`Cluster::hrw_topic` ## will not distribute keys to nodes marked as dead. ## ## pool: the pool to which the node belongs. @@ -246,10 +246,8 @@ event Cluster::node_down(name: string, id: string) &priority=10 function site_id_in_pool(pool: Pool, site_id: count): bool { - for ( i in pool$nodes ) + for ( i, pn in pool$nodes ) { - local pn = pool$nodes[i]; - if ( pn$site_id == site_id ) return T; } 
@@ -326,7 +324,7 @@ function mark_pool_node_dead(pool: Pool, name: string): bool return T; } -event bro_init() +event zeek_init() { worker_pool = register_pool(worker_pool_spec); proxy_pool = register_pool(proxy_pool_spec); @@ -346,8 +344,8 @@ function pool_sorter(a: Pool, b: Pool): int return strcmp(a$spec$topic, b$spec$topic); } -# Needs to execute before the bro_init in setup-connections -event bro_init() &priority=-5 +# Needs to execute before the zeek_init in setup-connections +event zeek_init() &priority=-5 { if ( ! Cluster::is_enabled() ) return; @@ -395,10 +393,8 @@ event bro_init() &priority=-5 pet$excluded += pool$spec$max_nodes; } - for ( nt in pool_eligibility ) + for ( nt, pet in pool_eligibility ) { - pet = pool_eligibility[nt]; - if ( pet$excluded > |pet$eligible_nodes| ) Reporter::fatal(fmt("not enough %s nodes to satisfy pool exclusivity requirements: need %d nodes", nt, pet$excluded)); } diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.zeek similarity index 97% rename from scripts/base/frameworks/cluster/setup-connections.bro rename to scripts/base/frameworks/cluster/setup-connections.zeek index a90081c639..4903f62c0a 100644 --- a/scripts/base/frameworks/cluster/setup-connections.bro +++ b/scripts/base/frameworks/cluster/setup-connections.zeek @@ -1,5 +1,5 @@ ##! This script establishes communication among all nodes in a cluster -##! as defined by :bro:id:`Cluster::nodes`. +##! as defined by :zeek:id:`Cluster::nodes`. @load ./main @load ./pools @@ -42,7 +42,7 @@ function connect_peers_with_type(node_type: NodeType) } } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { if ( getenv("BROCTL_CHECK_CONFIG") != "" ) return; diff --git a/scripts/base/frameworks/config/__load__.bro b/scripts/base/frameworks/config/__load__.zeek similarity index 100% rename from scripts/base/frameworks/config/__load__.bro rename to scripts/base/frameworks/config/__load__.zeek 
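Review bot: The rewritten loop `for ( nt, pet in pool_eligibility )` binds its value variable to `pet`, the same name the removed line assigned without `local` and that the preceding context line `pet$excluded += pool$spec$max_nodes;` already uses as a scratch variable, so one identifier now serves two roles in the same handler; presumably this is accepted because the types agree, but it makes the last meaning of `pet` depend on which loop ran most recently. A distinct name would make the intent explicit, e.g. `for ( nt, elig in pool_eligibility )` with `if ( elig$excluded > |elig$eligible_nodes| )` and `elig$excluded` in the `Reporter::fatal` message. The enclosing `zeek_init` handler (priority -5) starts outside the hunk, so the original declaration of `pet` is not visible here.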
diff --git a/scripts/base/frameworks/config/input.bro b/scripts/base/frameworks/config/input.zeek similarity index 98% rename from scripts/base/frameworks/config/input.bro rename to scripts/base/frameworks/config/input.zeek index 7c1f37567b..9796d69f57 100644 --- a/scripts/base/frameworks/config/input.bro +++ b/scripts/base/frameworks/config/input.zeek @@ -34,7 +34,7 @@ event config_line(description: Input::EventDescription, tpe: Input::Event, p: Ev { } -event bro_init() &priority=5 +event zeek_init() &priority=5 { if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) return; diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.zeek similarity index 94% rename from scripts/base/frameworks/config/main.bro rename to scripts/base/frameworks/config/main.zeek index dc7e71ecdf..b801c82267 100644 --- a/scripts/base/frameworks/config/main.bro +++ b/scripts/base/frameworks/config/main.zeek @@ -24,14 +24,14 @@ export { location: string &optional &log; }; - ## Event that can be handled to access the :bro:type:`Config::Info` + ## Event that can be handled to access the :zeek:type:`Config::Info` ## record as it is sent on to the logging framework. global log_config: event(rec: Info); ## This function is the config framework layer around the lower-level - ## :bro:see:`Option::set` call. Config::set_value will set the configuration + ## :zeek:see:`Option::set` call. Config::set_value will set the configuration ## value for all nodes in the cluster, no matter where it was called. Note - ## that :bro:see:`Option::set` does not distribute configuration changes + ## that :zeek:see:`Option::set` does not distribute configuration changes ## to other nodes. ## ## ID: The ID of the option to update. 
@@ -150,7 +150,7 @@ function config_option_changed(ID: string, new_value: any, location: string): an return new_value; } -event bro_init() &priority=10 +event zeek_init() &priority=10 { Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config"]); @@ -159,9 +159,9 @@ event bro_init() &priority=10 # Iterate over all existing options and add ourselves as change handlers # with a low priority so that we can log the changes. local gids = global_ids(); - for ( i in gids ) + for ( i, gid in gids ) { - if ( ! gids[i]$option_value ) + if ( ! gid$option_value ) next; Option::set_change_handler(i, config_option_changed, -100); diff --git a/scripts/base/frameworks/config/weird.bro b/scripts/base/frameworks/config/weird.zeek similarity index 97% rename from scripts/base/frameworks/config/weird.bro rename to scripts/base/frameworks/config/weird.zeek index bc311e3029..5e55b0b188 100644 --- a/scripts/base/frameworks/config/weird.bro +++ b/scripts/base/frameworks/config/weird.zeek @@ -35,7 +35,7 @@ function weird_option_change_interval(ID: string, new_value: interval, location: return new_value; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Option::set_change_handler("Weird::sampling_whitelist", weird_option_change_sampling_whitelist, 5); Option::set_change_handler("Weird::sampling_threshold", weird_option_change_count, 5); diff --git a/scripts/base/frameworks/control/__load__.bro b/scripts/base/frameworks/control/__load__.zeek similarity index 100% rename from scripts/base/frameworks/control/__load__.bro rename to scripts/base/frameworks/control/__load__.zeek diff --git a/scripts/base/frameworks/control/main.bro b/scripts/base/frameworks/control/main.zeek similarity index 90% rename from scripts/base/frameworks/control/main.bro rename to scripts/base/frameworks/control/main.zeek index e374806b55..ad1bf3bcce 100644 --- a/scripts/base/frameworks/control/main.bro +++ b/scripts/base/frameworks/control/main.zeek 
@@ -8,7 +8,7 @@ export { ## The topic prefix used for exchanging control messages via Broker. const topic_prefix = "bro/control"; - ## Whether the controllee should call :bro:see:`Broker::listen`. + ## Whether the controllee should call :zeek:see:`Broker::listen`. ## In a cluster, this isn't needed since the setup process calls it. const controllee_listen = T &redef; @@ -18,7 +18,7 @@ export { ## The port of the host that will be controlled. const host_port = 0/tcp &redef; - ## If :bro:id:`Control::host` is a non-global IPv6 address and + ## If :zeek:id:`Control::host` is a non-global IPv6 address and ## requires a specific :rfc:`4007` ``zone_id``, it can be set here. const zone_id = "" &redef; @@ -45,7 +45,7 @@ export { ## Event for requesting the value of an ID (a variable). global id_value_request: event(id: string); ## Event for returning the value of an ID after an - ## :bro:id:`Control::id_value_request` event. + ## :zeek:id:`Control::id_value_request` event. global id_value_response: event(id: string, val: string); ## Requests the current communication status. @@ -62,7 +62,7 @@ export { ## updated. global configuration_update_request: event(); ## This event is a wrapper and alias for the - ## :bro:id:`Control::configuration_update_request` event. + ## :zeek:id:`Control::configuration_update_request` event. ## This event is also a primary hooking point for the control framework. global configuration_update: event(); ## Message in response to a configuration update request. diff --git a/scripts/base/frameworks/dpd/__load__.bro b/scripts/base/frameworks/dpd/__load__.zeek similarity index 100% rename from scripts/base/frameworks/dpd/__load__.bro rename to scripts/base/frameworks/dpd/__load__.zeek diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.zeek similarity index 98% rename from scripts/base/frameworks/dpd/main.bro rename to scripts/base/frameworks/dpd/main.zeek index cce8b362d5..c6a3515bc3 100644 
--- a/scripts/base/frameworks/dpd/main.bro +++ b/scripts/base/frameworks/dpd/main.zeek @@ -39,7 +39,7 @@ redef record connection += { dpd: Info &optional; }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd"]); } diff --git a/scripts/base/frameworks/files/__load__.bro b/scripts/base/frameworks/files/__load__.bro deleted file mode 100644 index 2177d81e25..0000000000 --- a/scripts/base/frameworks/files/__load__.bro +++ /dev/null @@ -1,2 +0,0 @@ -@load ./main.bro -@load ./magic diff --git a/scripts/base/frameworks/files/__load__.zeek b/scripts/base/frameworks/files/__load__.zeek new file mode 100644 index 0000000000..2da9cffc66 --- /dev/null +++ b/scripts/base/frameworks/files/__load__.zeek @@ -0,0 +1,2 @@ +@load ./main +@load ./magic diff --git a/scripts/base/frameworks/files/magic/__load__.bro b/scripts/base/frameworks/files/magic/__load__.zeek similarity index 100% rename from scripts/base/frameworks/files/magic/__load__.bro rename to scripts/base/frameworks/files/magic/__load__.zeek diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.zeek similarity index 95% rename from scripts/base/frameworks/files/main.bro rename to scripts/base/frameworks/files/main.zeek index d3d37b30ab..591d6724e6 100644 --- a/scripts/base/frameworks/files/main.bro +++ b/scripts/base/frameworks/files/main.zeek 
@@ -18,19 +18,19 @@ export { type AnalyzerArgs: record { ## An event which will be generated for all new file contents, ## chunk-wise. Used when *tag* (in the - ## :bro:see:`Files::add_analyzer` function) is - ## :bro:see:`Files::ANALYZER_DATA_EVENT`. + ## :zeek:see:`Files::add_analyzer` function) is + ## :zeek:see:`Files::ANALYZER_DATA_EVENT`. chunk_event: event(f: fa_file, data: string, off: count) &optional; ## An event which will be generated for all new file contents, ## stream-wise. Used when *tag* is - ## :bro:see:`Files::ANALYZER_DATA_EVENT`. + ## :zeek:see:`Files::ANALYZER_DATA_EVENT`. stream_event: event(f: fa_file, data: string) &optional; } &redef; ## Contains all metadata related to the analysis of a given file. ## For the most part, fields here are derived from ones of the same name - ## in :bro:see:`fa_file`. + ## in :zeek:see:`fa_file`. type Info: record { ## The time when the file was first seen. ts: time &log; @@ -66,7 +66,7 @@ export { analyzers: set[string] &default=string_set() &log; ## A mime type provided by the strongest file magic signature - ## match against the *bof_buffer* field of :bro:see:`fa_file`, + ## match against the *bof_buffer* field of :zeek:see:`fa_file`, ## or in the cases where no buffering of the beginning of file ## occurs, an initial guess of the mime type based on the first ## data seen. @@ -82,7 +82,7 @@ export { ## If the source of this file is a network connection, this field ## indicates if the data originated from the local network or not as - ## determined by the configured :bro:see:`Site::local_nets`. + ## determined by the configured :zeek:see:`Site::local_nets`. local_orig: bool &log &optional; ## If the source of this file is a network connection, this field 
@@ -118,8 +118,8 @@ export { const disable: table[Files::Tag] of bool = table() &redef; ## The salt concatenated to unique file handle strings generated by - ## :bro:see:`get_file_handle` before hashing them in to a file id - ## (the *id* field of :bro:see:`fa_file`). + ## :zeek:see:`get_file_handle` before hashing them in to a file id + ## (the *id* field of :zeek:see:`fa_file`). ## Provided to help mitigate the possibility of manipulating parts of ## network connections that factor in to the file handle in order to ## generate two handles that would hash to the same file id. @@ -142,11 +142,11 @@ export { ## Returns: T if the file uid is known. global file_exists: function(fuid: string): bool; - ## Lookup an :bro:see:`fa_file` record with the file id. + ## Lookup an :zeek:see:`fa_file` record with the file id. ## ## fuid: the file id. ## - ## Returns: the associated :bro:see:`fa_file` record. + ## Returns: the associated :zeek:see:`fa_file` record. global lookup_file: function(fuid: string): fa_file; ## Allows the file reassembler to be used if it's necessary because the @@ -169,10 +169,10 @@ export { ## max: Maximum allowed size of the reassembly buffer. global set_reassembly_buffer_size: function(f: fa_file, max: count); - ## Sets the *timeout_interval* field of :bro:see:`fa_file`, which is + ## Sets the *timeout_interval* field of :zeek:see:`fa_file`, which is ## used to determine the length of inactivity that is allowed for a file ## before internal state related to it is cleaned up. When used within - ## a :bro:see:`file_timeout` handler, the analysis will delay timing out + ## a :zeek:see:`file_timeout` handler, the analysis will delay timing out ## again for the period specified by *t*. ## ## f: the file. 
@@ -255,7 +255,7 @@ export { ## ## tag: Tag for the protocol analyzer having a callback being registered. ## - ## reg: A :bro:see:`Files::ProtoRegistration` record. + ## reg: A :zeek:see:`Files::ProtoRegistration` record. ## ## Returns: true if the protocol being registered was not previously registered. global register_protocol: function(tag: Analyzer::Tag, reg: ProtoRegistration): bool; @@ -324,7 +324,7 @@ global mime_type_to_analyzers: table[string] of set[Files::Tag]; global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: AnalyzerArgs) = table(); -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files"]); } diff --git a/scripts/base/frameworks/input/__load__.bro b/scripts/base/frameworks/input/__load__.zeek similarity index 100% rename from scripts/base/frameworks/input/__load__.bro rename to scripts/base/frameworks/input/__load__.zeek diff --git a/scripts/base/frameworks/input/main.bro b/scripts/base/frameworks/input/main.zeek similarity index 99% rename from scripts/base/frameworks/input/main.bro rename to scripts/base/frameworks/input/main.zeek index 0839602a7a..84488f130c 100644 --- a/scripts/base/frameworks/input/main.bro +++ b/scripts/base/frameworks/input/main.zeek @@ -193,7 +193,7 @@ export { ## Descriptive name that uniquely identifies the input source. ## Can be used to remove a stream at a later time. ## This will also be used for the unique *source* field of - ## :bro:see:`fa_file`. Most of the time, the best choice for this + ## :zeek:see:`fa_file`. Most of the time, the best choice for this ## field will be the same value as the *source* field. name: string; diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.zeek similarity index 86% rename from scripts/base/frameworks/input/readers/ascii.bro rename to scripts/base/frameworks/input/readers/ascii.zeek index ff1d30f3a9..c757718d53 100644 
--- a/scripts/base/frameworks/input/readers/ascii.bro +++ b/scripts/base/frameworks/input/readers/ascii.zeek @@ -47,4 +47,10 @@ export { ## fail_on_file_problem = T was the default behavior ## until Bro 2.6. const fail_on_file_problem = F &redef; + + ## On input streams with a pathless or relative-path source filename, + ## prefix the following path. This prefix can, but need not be, absolute. + ## The default is to leave any filenames unchanged. This prefix has no + ## effect if the source already is an absolute path. + const path_prefix = "" &redef; } diff --git a/scripts/base/frameworks/input/readers/benchmark.bro b/scripts/base/frameworks/input/readers/benchmark.zeek similarity index 100% rename from scripts/base/frameworks/input/readers/benchmark.bro rename to scripts/base/frameworks/input/readers/benchmark.zeek diff --git a/scripts/base/frameworks/input/readers/binary.bro b/scripts/base/frameworks/input/readers/binary.bro deleted file mode 100644 index abd7944ff2..0000000000 --- a/scripts/base/frameworks/input/readers/binary.bro +++ /dev/null @@ -1,8 +0,0 @@ -##! Interface for the binary input reader. - -module InputBinary; - -export { - ## Size of data chunks to read from the input file at a time. - const chunk_size = 1024 &redef; -} diff --git a/scripts/base/frameworks/input/readers/binary.zeek b/scripts/base/frameworks/input/readers/binary.zeek new file mode 100644 index 0000000000..fcec4c2704 --- /dev/null +++ b/scripts/base/frameworks/input/readers/binary.zeek 
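Review bot: The new `path_prefix` doc comment says the prefix is applied to every pathless or relative-path source and only skipped for absolute ones, which a reader can take to mean reads are confined to that directory; nothing in the comment says that a relative source containing `..` components is rejected, so such a source would presumably still resolve outside the prefix after joining. Suggest adding one sentence to the comment, e.g. `## This is a convenience for locating files, not a restriction: a relative source containing ".." components can still resolve outside the prefix.` The identical comment added to binary.zeek in the next hunk should carry the same wording. Whether the reader implementation normalizes the joined path cannot be seen from this diff.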
@@ -0,0 +1,14 @@ +##! Interface for the binary input reader. + +module InputBinary; + +export { + ## Size of data chunks to read from the input file at a time. + const chunk_size = 1024 &redef; + + ## On input streams with a pathless or relative-path source filename, + ## prefix the following path. This prefix can, but need not be, absolute. + ## The default is to leave any filenames unchanged. This prefix has no + ## effect if the source already is an absolute path. + const path_prefix = "" &redef; +} diff --git a/scripts/base/frameworks/input/readers/config.bro b/scripts/base/frameworks/input/readers/config.zeek similarity index 100% rename from scripts/base/frameworks/input/readers/config.bro rename to scripts/base/frameworks/input/readers/config.zeek diff --git a/scripts/base/frameworks/input/readers/raw.bro b/scripts/base/frameworks/input/readers/raw.zeek similarity index 100% rename from scripts/base/frameworks/input/readers/raw.bro rename to scripts/base/frameworks/input/readers/raw.zeek diff --git a/scripts/base/frameworks/input/readers/sqlite.bro b/scripts/base/frameworks/input/readers/sqlite.zeek similarity index 100% rename from scripts/base/frameworks/input/readers/sqlite.bro rename to scripts/base/frameworks/input/readers/sqlite.zeek diff --git a/scripts/base/frameworks/intel/__load__.bro b/scripts/base/frameworks/intel/__load__.zeek similarity index 100% rename from scripts/base/frameworks/intel/__load__.bro rename to scripts/base/frameworks/intel/__load__.zeek diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.zeek similarity index 98% rename from scripts/base/frameworks/intel/cluster.bro rename to scripts/base/frameworks/intel/cluster.zeek index b71e8c47ea..2d51ffb200 100644 --- a/scripts/base/frameworks/intel/cluster.bro +++ b/scripts/base/frameworks/intel/cluster.zeek 
@@ -16,7 +16,7 @@ redef have_full_data = F; @endif @if ( Cluster::local_node_type() == Cluster::MANAGER ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, remove_indicator); } @@ -67,7 +67,7 @@ event Intel::match_remote(s: Seen) &priority=5 @endif @if ( Cluster::local_node_type() == Cluster::WORKER ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::manager_topic, match_remote); Broker::auto_publish(Cluster::manager_topic, remove_item); diff --git a/scripts/base/frameworks/intel/files.bro b/scripts/base/frameworks/intel/files.zeek similarity index 97% rename from scripts/base/frameworks/intel/files.bro rename to scripts/base/frameworks/intel/files.zeek index 74fd156520..d292693d66 100644 --- a/scripts/base/frameworks/intel/files.bro +++ b/scripts/base/frameworks/intel/files.zeek @@ -53,8 +53,8 @@ hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=6 if ( s$f?$conns && |s$f$conns| == 1 ) { - for ( cid in s$f$conns ) - s$conn = s$f$conns[cid]; + for ( cid, c in s$f$conns ) + s$conn = c; } if ( ! info?$file_mime_type && s$f?$info && s$f$info?$mime_type ) diff --git a/scripts/base/frameworks/intel/input.bro b/scripts/base/frameworks/intel/input.bro deleted file mode 100644 index 9c4d033627..0000000000 --- a/scripts/base/frameworks/intel/input.bro +++ /dev/null 
@@ -1,36 +0,0 @@
-##! Input handling for the intelligence framework. This script implements the
-##! import of intelligence data from files using the input framework.
-
-@load ./main
-
-module Intel;
-
-export {
- ## Intelligence files that will be read off disk. The files are
- ## reread every time they are updated so updates must be atomic
- ## with "mv" instead of writing the file in place.
- const read_files: set[string] = {} &redef;
-}
-
-event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)
- {
- Intel::insert(item);
- }
-
-event bro_init() &priority=5
- {
- if ( ! Cluster::is_enabled() ||
- Cluster::local_node_type() == Cluster::MANAGER )
- {
- for ( a_file in read_files )
- {
- Input::add_event([$source=a_file,
- $reader=Input::READER_ASCII,
- $mode=Input::REREAD,
- $name=cat("intel-", a_file),
- $fields=Intel::Item,
- $ev=Intel::read_entry]);
- }
- }
- }
-
diff --git a/scripts/base/frameworks/intel/input.zeek b/scripts/base/frameworks/intel/input.zeek
new file mode 100644
index 0000000000..4dfa011fad
--- /dev/null
+++ b/scripts/base/frameworks/intel/input.zeek
@@ -0,0 +1,56 @@
+##! Input handling for the intelligence framework. This script implements the
+##! import of intelligence data from files using the input framework.
+
+@load ./main
+
+module Intel;
+
+export {
+ ## Intelligence files that will be read off disk. The files are
+ ## reread every time they are updated so updates must be atomic
+ ## with "mv" instead of writing the file in place.
+ const read_files: set[string] = {} &redef;
+
+ ## An optional path prefix for intel files. This prefix can, but
+ ## need not be, absolute. The default is to leave any filenames
+ ## unchanged. This prefix has no effect if a read_file entry is
+ ## an absolute path. This prefix gets applied _before_ entering
+ ## the input framework, so if the prefix is absolute, the input
+ ## framework won't munge it further. If it is relative, then
+ ## any path_prefix specified in the input framework will apply
+ ## additionally.
+ const path_prefix = "" &redef;
+}
+
+event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)
+ {
+ Intel::insert(item);
+ }
+
+event zeek_init() &priority=5
+ {
+ if ( ! Cluster::is_enabled() ||
+ Cluster::local_node_type() == Cluster::MANAGER )
+ {
+ for ( a_file in read_files )
+ {
+ # Handle prefixing of the source file name. Note
+ # that this currently always uses the ASCII reader,
+ # so we know we're dealing with filenames.
+ local source = a_file;
+
+ # If we have a path prefix and the file doesn't
+ # already have an absolute path, prepend the prefix.
+ if ( |path_prefix| > 0 && sub_bytes(a_file, 0, 1) != "/" )
+ source = cat(rstrip(path_prefix, "/"), "/", a_file);
+
+ Input::add_event([$source=source,
+ $reader=Input::READER_ASCII,
+ $mode=Input::REREAD,
+ $name=cat("intel-", a_file),
+ $fields=Intel::Item,
+ $ev=Intel::read_entry]);
+ }
+ }
+ }
+
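Review bot: The absolute-path test `sub_bytes(a_file, 0, 1) != "/"` only inspects the first byte, so a relative read_files entry containing `..` components is still prefixed and resolves to wherever the joined path leads, possibly outside the directory named by path_prefix. Since read_files is operator configuration this is a documentation matter rather than a hole, but the export comment's "This prefix has no effect if a read_file entry is an absolute path" should be followed by `## Relative entries are joined to the prefix verbatim; ".." components are not resolved.` so the behaviour is stated rather than discovered. Separately, sub_bytes is 1-based as far as I recall (with 0 treated as 1), so passing 0 works but reads like an off-by-one; `sub_bytes(a_file, 1, 1)` would express the intent directly if that recollection is right.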
diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.zeek similarity index 89% rename from scripts/base/frameworks/intel/main.bro rename to scripts/base/frameworks/intel/main.zeek index ffa115e92c..380cb39eaa 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.zeek @@ -35,7 +35,7 @@ export { ## Set of intelligence data types. type TypeSet: set[Type]; - ## Data about an :bro:type:`Intel::Item`. + ## Data about an :zeek:type:`Intel::Item`. type MetaData: record { ## An arbitrary string value representing the data source. This ## value is used as unique key to identify a metadata record in @@ -75,7 +75,7 @@ export { ## The type of data that the indicator represents. indicator_type: Type &log &optional; - ## If the indicator type was :bro:enum:`Intel::ADDR`, then this + ## If the indicator type was :zeek:enum:`Intel::ADDR`, then this ## field will be present. host: addr &optional; @@ -155,7 +155,7 @@ export { global extend_match: hook(info: Info, s: Seen, items: set[Item]); ## The expiration timeout for intelligence items. Once an item expires, the - ## :bro:id:`Intel::item_expired` hook is called. Reinsertion of an item + ## :zeek:id:`Intel::item_expired` hook is called. Reinsertion of an item ## resets the timeout. A negative value disables expiration of intelligence ## items. const item_expiration = -1 min &redef; @@ -173,6 +173,14 @@ export { ## be removed. global item_expired: hook(indicator: string, indicator_type: Type, metas: set[MetaData]); + ## This hook can be used to filter intelligence items that are about to be + ## inserted into the internal data store. In case the hook execution is + ## terminated using break, the item will not be (re)added to the internal + ## data store. + ## + ## item: The intel item that should be inserted. + global filter_item: hook(item: Intel::Item); + global log_intel: event(rec: Info); } 
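Review bot: The new filter_item docstring does not say when the hook runs, and that matters for handlers that decide by `break`: it is consulted on every call to Intel::insert, which for file-sourced items includes each delivery from a read_files stream opened in REREAD mode (Intel::read_entry in input.zeek hands every item to Intel::insert), so a handler that rejects an item must do so consistently or the item can reappear after the next file update. A sentence such as `## The hook runs on every insertion attempt, including entries re-delivered when an intel file is re-read, so decisions should be deterministic.` after the existing description would cover it. The export block this hunk touches extends beyond the hunk.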
@@ -215,7 +223,7 @@ type MinDataStore: record { global min_data_store: MinDataStore &redef; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel"]); } @@ -235,8 +243,8 @@ function expire_host_data(data: table[addr] of MetaDataTable, idx: addr): interv { local meta_tbl: MetaDataTable = data[idx]; local metas: set[MetaData]; - for ( src in meta_tbl ) - add metas[meta_tbl[src]]; + for ( src, md in meta_tbl ) + add metas[md]; return expire_item(cat(idx), ADDR, metas); } @@ -245,8 +253,8 @@ function expire_subnet_data(data: table[subnet] of MetaDataTable, idx: subnet): { local meta_tbl: MetaDataTable = data[idx]; local metas: set[MetaData]; - for ( src in meta_tbl ) - add metas[meta_tbl[src]]; + for ( src, md in meta_tbl ) + add metas[md]; return expire_item(cat(idx), SUBNET, metas); } @@ -259,8 +267,8 @@ function expire_string_data(data: table[string, Type] of MetaDataTable, idx: any local meta_tbl: MetaDataTable = data[indicator, indicator_type]; local metas: set[MetaData]; - for ( src in meta_tbl ) - add metas[meta_tbl[src]]; + for ( src, md in meta_tbl ) + add metas[md]; return expire_item(indicator, indicator_type, metas); } 
@@ -268,16 +276,21 @@ function expire_string_data(data: table[string, Type] of MetaDataTable, idx: any # Function to check for intelligence hits. function find(s: Seen): bool { - local ds = have_full_data ? data_store : min_data_store; - if ( s?$host ) { - return ((s$host in ds$host_data) || - (|matching_subnets(addr_to_subnet(s$host), ds$subnet_data)| > 0)); + if ( have_full_data ) + return ((s$host in data_store$host_data) || + (|matching_subnets(addr_to_subnet(s$host), data_store$subnet_data)| > 0)); + else + return ((s$host in min_data_store$host_data) || + (|matching_subnets(addr_to_subnet(s$host), min_data_store$subnet_data)| > 0)); } else { - return ([to_lower(s$indicator), s$indicator_type] in ds$string_data); + if ( have_full_data ) + return ([to_lower(s$indicator), s$indicator_type] in data_store$string_data); + else + return ([to_lower(s$indicator), s$indicator_type] in min_data_store$string_data); } } @@ -301,20 +314,19 @@ function get_items(s: Seen): set[Item] if ( s$host in data_store$host_data ) { mt = data_store$host_data[s$host]; - for ( m in mt ) + for ( m, md in mt ) { - add return_data[Item($indicator=cat(s$host), $indicator_type=ADDR, $meta=mt[m])]; + add return_data[Item($indicator=cat(s$host), $indicator_type=ADDR, $meta=md)]; } } # See if the host is part of a known subnet, which has meta values local nets: table[subnet] of MetaDataTable; nets = filter_subnet_table(addr_to_subnet(s$host), data_store$subnet_data); - for ( n in nets ) + for ( n, mt in nets ) { - mt = nets[n]; - for ( m in mt ) + for ( m, md in mt ) { - add return_data[Item($indicator=cat(n), $indicator_type=SUBNET, $meta=mt[m])]; + add return_data[Item($indicator=cat(n), $indicator_type=SUBNET, $meta=md)]; } } } 
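Review bot: The four return expressions in find() now spell out the same membership test once per store, and nothing in the hunk says why the single `ds` local was dropped, so the next reader will be tempted to reintroduce it. Presumably data_store and min_data_store are distinct record types and cannot share one local through `?:`; a comment at the top of the body, `# data_store and min_data_store are different record types, so each lookup is written out per store instead of through a shared local.`, would record that. The same applies to the rewritten item_exists() in the hunk that follows, where the three `have_full_data ? … : …` arms carry the same duplication.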
@@ -325,9 +337,9 @@ function get_items(s: Seen): set[Item] if ( [lower_indicator, s$indicator_type] in data_store$string_data ) { mt = data_store$string_data[lower_indicator, s$indicator_type]; - for ( m in mt ) + for ( m, md in mt ) { - add return_data[Item($indicator=s$indicator, $indicator_type=s$indicator_type, $meta=mt[m])]; + add return_data[Item($indicator=s$indicator, $indicator_type=s$indicator_type, $meta=md)]; } } } @@ -492,23 +504,27 @@ function _insert(item: Item, first_dispatch: bool &default = T) function insert(item: Item) { - # Insert possibly new item. - _insert(item, T); + if ( hook filter_item(item) ) + { + # Insert possibly new item. + _insert(item, T); + } } # Function to check whether an item is present. function item_exists(item: Item): bool { - local ds = have_full_data ? data_store : min_data_store; - switch ( item$indicator_type ) { case ADDR: - return to_addr(item$indicator) in ds$host_data; + return have_full_data ? to_addr(item$indicator) in data_store$host_data : + to_addr(item$indicator) in min_data_store$host_data; case SUBNET: - return to_subnet(item$indicator) in ds$subnet_data; + return have_full_data ? to_subnet(item$indicator) in data_store$subnet_data : + to_subnet(item$indicator) in min_data_store$subnet_data; default: - return [item$indicator, item$indicator_type] in ds$string_data; + return have_full_data ? [item$indicator, item$indicator_type] in data_store$string_data : + [item$indicator, item$indicator_type] in min_data_store$string_data; } } diff --git a/scripts/base/frameworks/logging/__load__.bro b/scripts/base/frameworks/logging/__load__.zeek similarity index 100% rename from scripts/base/frameworks/logging/__load__.bro rename to scripts/base/frameworks/logging/__load__.zeek 
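Review bot: The filter_item gate is applied only in insert(); _insert(), whose signature heads the second hunk on this line, remains callable on its own, so any caller that reaches it directly (cluster paths, for instance, are not visible here) adds items without the hook ever running. Either the hook check belongs at the top of _insert() for the first_dispatch == T case, or the contract should be made explicit next to the new condition with `# filter_item is consulted only here; direct callers of _insert() bypass it.` The retained `# Insert possibly new item.` comment now sits inside the guarded branch and could mention that a `break` in the hook skips the insert.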
diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.zeek similarity index 92% rename from scripts/base/frameworks/logging/main.bro rename to scripts/base/frameworks/logging/main.zeek index 798b54839e..8746ee3654 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.zeek @@ -176,7 +176,7 @@ export { ## easy to flood the disk by returning a new string for each ## connection. Upon adding a filter to a stream, if neither ## ``path`` nor ``path_func`` is explicitly set by them, then - ## :bro:see:`Log::default_path_func` is used. + ## :zeek:see:`Log::default_path_func` is used. ## ## id: The ID associated with the log stream. ## @@ -191,7 +191,7 @@ export { ## ## Returns: The path to be used for the filter, which will be ## subject to the same automatic correction rules as - ## the *path* field of :bro:type:`Log::Filter` in the + ## the *path* field of :zeek:type:`Log::Filter` in the ## case of conflicts with other filters trying to use ## the same writer/path pair. path_func: function(id: ID, path: string, rec: any): string &optional; @@ -232,7 +232,7 @@ export { interv: interval &default=default_rotation_interval; ## Callback function to trigger for rotated files. If not set, the - ## default comes out of :bro:id:`Log::default_rotation_postprocessors`. + ## default comes out of :zeek:id:`Log::default_rotation_postprocessors`. postprocessor: function(info: RotationInfo) : bool &optional; ## A key/value table that will be passed on to the writer. @@ -253,7 +253,7 @@ export { ## Returns: True if a new logging stream was successfully created and ## a default filter added to it. ## - ## .. bro:see:: Log::add_default_filter Log::remove_default_filter + ## .. zeek:see:: Log::add_default_filter Log::remove_default_filter global create_stream: function(id: ID, stream: Stream) : bool; ## Removes a logging stream completely, stopping all the threads. 
@@ -262,7 +262,7 @@ export { ## ## Returns: True if the stream was successfully removed. ## - ## .. bro:see:: Log::create_stream + ## .. zeek:see:: Log::create_stream global remove_stream: function(id: ID) : bool; ## Enables a previously disabled logging stream. Disabled streams @@ -273,7 +273,7 @@ export { ## ## Returns: True if the stream is re-enabled or was not previously disabled. ## - ## .. bro:see:: Log::disable_stream + ## .. zeek:see:: Log::disable_stream global enable_stream: function(id: ID) : bool; ## Disables a currently enabled logging stream. Disabled streams @@ -284,7 +284,7 @@ export { ## ## Returns: True if the stream is now disabled or was already disabled. ## - ## .. bro:see:: Log::enable_stream + ## .. zeek:see:: Log::enable_stream global disable_stream: function(id: ID) : bool; ## Adds a custom filter to an existing logging stream. If a filter @@ -299,7 +299,7 @@ export { ## the filter was not added or the *filter* argument was not ## the correct type. ## - ## .. bro:see:: Log::remove_filter Log::add_default_filter + ## .. zeek:see:: Log::remove_filter Log::add_default_filter ## Log::remove_default_filter Log::get_filter Log::get_filter_names global add_filter: function(id: ID, filter: Filter) : bool; @@ -309,12 +309,12 @@ export { ## remove a filter. ## ## name: A string to match against the ``name`` field of a - ## :bro:type:`Log::Filter` for identification purposes. + ## :zeek:type:`Log::Filter` for identification purposes. ## ## Returns: True if the logging stream's filter was removed or ## if no filter associated with *name* was found. ## - ## .. bro:see:: Log::remove_filter Log::add_default_filter + ## .. zeek:see:: Log::remove_filter Log::add_default_filter ## Log::remove_default_filter Log::get_filter Log::get_filter_names global remove_filter: function(id: ID, name: string) : bool; 
@@ -326,7 +326,7 @@ export { ## ## Returns: The set of filter names associated with the stream. ## - ## ..bro:see:: Log::remove_filter Log::add_default_filter + ## ..zeek:see:: Log::remove_filter Log::add_default_filter ## Log::remove_default_filter Log::get_filter global get_filter_names: function(id: ID) : set[string]; @@ -336,13 +336,13 @@ export { ## obtain one of its filters. ## ## name: A string to match against the ``name`` field of a - ## :bro:type:`Log::Filter` for identification purposes. + ## :zeek:type:`Log::Filter` for identification purposes. ## ## Returns: A filter attached to the logging stream *id* matching ## *name* or, if no matches are found returns the - ## :bro:id:`Log::no_filter` sentinel value. + ## :zeek:id:`Log::no_filter` sentinel value. ## - ## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter + ## .. zeek:see:: Log::add_filter Log::remove_filter Log::add_default_filter ## Log::remove_default_filter Log::get_filter_names global get_filter: function(id: ID, name: string) : Filter; @@ -360,7 +360,7 @@ export { ## to handle, or one of the stream's filters has an invalid ## ``path_func``. ## - ## .. bro:see:: Log::enable_stream Log::disable_stream + ## .. zeek:see:: Log::enable_stream Log::disable_stream global write: function(id: ID, columns: any) : bool; ## Sets the buffering status for all the writers of a given logging stream. @@ -375,7 +375,7 @@ export { ## Returns: True if buffering status was set, false if the logging stream ## does not exist. ## - ## .. bro:see:: Log::flush + ## .. zeek:see:: Log::flush global set_buf: function(id: ID, buffered: bool): bool; ## Flushes any currently buffered output for all the writers of a given 
@@ -388,50 +388,50 @@ export { ## buffered data or if the logging stream is disabled, ## false if the logging stream does not exist. ## - ## .. bro:see:: Log::set_buf Log::enable_stream Log::disable_stream + ## .. zeek:see:: Log::set_buf Log::enable_stream Log::disable_stream global flush: function(id: ID): bool; - ## Adds a default :bro:type:`Log::Filter` record with ``name`` field + ## Adds a default :zeek:type:`Log::Filter` record with ``name`` field ## set as "default" to a given logging stream. ## ## id: The ID associated with a logging stream for which to add a default ## filter. ## - ## Returns: The status of a call to :bro:id:`Log::add_filter` using a - ## default :bro:type:`Log::Filter` argument with ``name`` field + ## Returns: The status of a call to :zeek:id:`Log::add_filter` using a + ## default :zeek:type:`Log::Filter` argument with ``name`` field ## set to "default". ## - ## .. bro:see:: Log::add_filter Log::remove_filter + ## .. zeek:see:: Log::add_filter Log::remove_filter ## Log::remove_default_filter global add_default_filter: function(id: ID) : bool; - ## Removes the :bro:type:`Log::Filter` with ``name`` field equal to + ## Removes the :zeek:type:`Log::Filter` with ``name`` field equal to ## "default". ## ## id: The ID associated with a logging stream from which to remove the ## default filter. ## - ## Returns: The status of a call to :bro:id:`Log::remove_filter` using + ## Returns: The status of a call to :zeek:id:`Log::remove_filter` using ## "default" as the argument. ## - ## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter + ## .. zeek:see:: Log::add_filter Log::remove_filter Log::add_default_filter global remove_default_filter: function(id: ID) : bool; - ## Runs a command given by :bro:id:`Log::default_rotation_postprocessor_cmd` + ## Runs a command given by :zeek:id:`Log::default_rotation_postprocessor_cmd` ## on a rotated file. 
Meant to be called from postprocessor functions - ## that are added to :bro:id:`Log::default_rotation_postprocessors`. + ## that are added to :zeek:id:`Log::default_rotation_postprocessors`. ## ## info: A record holding meta-information about the log being rotated. ## ## npath: The new path of the file (after already being rotated/processed ## by writer-specific postprocessor as defined in - ## :bro:id:`Log::default_rotation_postprocessors`). + ## :zeek:id:`Log::default_rotation_postprocessors`). ## - ## Returns: True when :bro:id:`Log::default_rotation_postprocessor_cmd` + ## Returns: True when :zeek:id:`Log::default_rotation_postprocessor_cmd` ## is empty or the system command given by it has been invoked ## to postprocess a rotated log file. ## - ## .. bro:see:: Log::default_rotation_date_format + ## .. zeek:see:: Log::default_rotation_date_format ## Log::default_rotation_postprocessor_cmd ## Log::default_rotation_postprocessors global run_rotation_postprocessor_cmd: function(info: RotationInfo, npath: string) : bool; diff --git a/scripts/base/frameworks/logging/postprocessors/__load__.bro b/scripts/base/frameworks/logging/postprocessors/__load__.zeek similarity index 100% rename from scripts/base/frameworks/logging/postprocessors/__load__.bro rename to scripts/base/frameworks/logging/postprocessors/__load__.zeek diff --git a/scripts/base/frameworks/logging/postprocessors/scp.bro b/scripts/base/frameworks/logging/postprocessors/scp.zeek similarity index 80% rename from scripts/base/frameworks/logging/postprocessors/scp.bro rename to scripts/base/frameworks/logging/postprocessors/scp.zeek index d63520abe6..22adc29e47 100644 --- a/scripts/base/frameworks/logging/postprocessors/scp.bro +++ b/scripts/base/frameworks/logging/postprocessors/scp.zeek 
@@ -2,22 +2,22 @@ ##! to a logging filter in order to automatically SCP (secure copy) ##! a log stream (or a subset of it) to a remote host at configurable ##! rotation time intervals. Generally, to use this functionality -##! you must handle the :bro:id:`bro_init` event and do the following +##! you must handle the :zeek:id:`zeek_init` event and do the following ##! in your handler: ##! -##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path, +##! 1) Create a new :zeek:type:`Log::Filter` record that defines a name/path, ##! rotation interval, and set the ``postprocessor`` to -##! :bro:id:`Log::scp_postprocessor`. -##! 2) Add the filter to a logging stream using :bro:id:`Log::add_filter`. -##! 3) Add a table entry to :bro:id:`Log::scp_destinations` for the filter's -##! writer/path pair which defines a set of :bro:type:`Log::SCPDestination` +##! :zeek:id:`Log::scp_postprocessor`. +##! 2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`. +##! 3) Add a table entry to :zeek:id:`Log::scp_destinations` for the filter's +##! writer/path pair which defines a set of :zeek:type:`Log::SCPDestination` ##! records. module Log; export { ## Secure-copies the rotated log to all the remote hosts - ## defined in :bro:id:`Log::scp_destinations` and then deletes + ## defined in :zeek:id:`Log::scp_destinations` and then deletes ## the local copy of the rotated log. It's not active when ## reading from trace files. ## @@ -42,7 +42,7 @@ export { }; ## A table indexed by a particular log writer and filter path, that yields - ## a set of remote destinations. The :bro:id:`Log::scp_postprocessor` + ## a set of remote destinations. The :zeek:id:`Log::scp_postprocessor` ## function queries this table upon log rotation and performs a secure ## copy of the rotated log to each destination in the set. This ## table can be modified at run-time. 
diff --git a/scripts/base/frameworks/logging/postprocessors/sftp.bro b/scripts/base/frameworks/logging/postprocessors/sftp.zeek similarity index 80% rename from scripts/base/frameworks/logging/postprocessors/sftp.bro rename to scripts/base/frameworks/logging/postprocessors/sftp.zeek index 8c77899864..75ab438809 100644 --- a/scripts/base/frameworks/logging/postprocessors/sftp.bro +++ b/scripts/base/frameworks/logging/postprocessors/sftp.zeek @@ -2,22 +2,22 @@ ##! to a logging filter in order to automatically SFTP ##! a log stream (or a subset of it) to a remote host at configurable ##! rotation time intervals. Generally, to use this functionality -##! you must handle the :bro:id:`bro_init` event and do the following +##! you must handle the :zeek:id:`zeek_init` event and do the following ##! in your handler: ##! -##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path, +##! 1) Create a new :zeek:type:`Log::Filter` record that defines a name/path, ##! rotation interval, and set the ``postprocessor`` to -##! :bro:id:`Log::sftp_postprocessor`. -##! 2) Add the filter to a logging stream using :bro:id:`Log::add_filter`. -##! 3) Add a table entry to :bro:id:`Log::sftp_destinations` for the filter's -##! writer/path pair which defines a set of :bro:type:`Log::SFTPDestination` +##! :zeek:id:`Log::sftp_postprocessor`. +##! 2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`. +##! 3) Add a table entry to :zeek:id:`Log::sftp_destinations` for the filter's +##! writer/path pair which defines a set of :zeek:type:`Log::SFTPDestination` ##! records. module Log; export { ## Securely transfers the rotated log to all the remote hosts - ## defined in :bro:id:`Log::sftp_destinations` and then deletes + ## defined in :zeek:id:`Log::sftp_destinations` and then deletes ## the local copy of the rotated log. It's not active when ## reading from trace files. ## 
@@ -44,7 +44,7 @@ export { }; ## A table indexed by a particular log writer and filter path, that yields - ## a set of remote destinations. The :bro:id:`Log::sftp_postprocessor` + ## a set of remote destinations. The :zeek:id:`Log::sftp_postprocessor` ## function queries this table upon log rotation and performs a secure ## transfer of the rotated log to each destination in the set. This ## table can be modified at run-time. diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.zeek similarity index 100% rename from scripts/base/frameworks/logging/writers/ascii.bro rename to scripts/base/frameworks/logging/writers/ascii.zeek diff --git a/scripts/base/frameworks/logging/writers/none.bro b/scripts/base/frameworks/logging/writers/none.zeek similarity index 100% rename from scripts/base/frameworks/logging/writers/none.bro rename to scripts/base/frameworks/logging/writers/none.zeek diff --git a/scripts/base/frameworks/logging/writers/sqlite.bro b/scripts/base/frameworks/logging/writers/sqlite.zeek similarity index 100% rename from scripts/base/frameworks/logging/writers/sqlite.bro rename to scripts/base/frameworks/logging/writers/sqlite.zeek diff --git a/scripts/base/frameworks/netcontrol/__load__.bro b/scripts/base/frameworks/netcontrol/__load__.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/__load__.bro rename to scripts/base/frameworks/netcontrol/__load__.zeek diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.zeek similarity index 96% rename from scripts/base/frameworks/netcontrol/catch-and-release.bro rename to scripts/base/frameworks/netcontrol/catch-and-release.zeek index 79de7d9662..1a8ba88574 100644 --- a/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/scripts/base/frameworks/netcontrol/catch-and-release.zeek 
@@ -80,7 +80,7 @@ export { ## again. ## ## In cluster mode, this function works on workers as well as the manager. On managers, - ## the returned :bro:see:`NetControl::BlockInfo` record will not contain the block ID, + ## the returned :zeek:see:`NetControl::BlockInfo` record will not contain the block ID, ## which will be assigned on the manager. ## ## a: The address to be dropped. @@ -89,7 +89,7 @@ export { ## ## location: An optional string describing where the drop was triggered. ## - ## Returns: The :bro:see:`NetControl::BlockInfo` record containing information about + ## Returns: The :zeek:see:`NetControl::BlockInfo` record containing information about ## the inserted block. global drop_address_catch_release: function(a: addr, location: string &default="") : BlockInfo; @@ -114,7 +114,7 @@ export { ## a: The address that was seen and should be re-dropped if it is being watched. global catch_release_seen: function(a: addr); - ## Get the :bro:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release. + ## Get the :zeek:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release. ## If the address is unknown to catch and release, the watch_until time will be set to 0. ## ## In cluster mode, this function works on the manager and workers. On workers, the data will @@ -123,7 +123,7 @@ export { ## ## a: The address to get information about. ## - ## Returns: The :bro:see:`NetControl::BlockInfo` record containing information about + ## Returns: The :zeek:see:`NetControl::BlockInfo` record containing information about ## the inserted block. global get_catch_release_info: function(a: addr) : BlockInfo; 
@@ -132,7 +132,7 @@ export { ## ## a: The address that is no longer being managed. ## - ## bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block. + ## bi: The :zeek:see:`NetControl::BlockInfo` record containing information about the block. global catch_release_forgotten: event(a: addr, bi: BlockInfo); ## If true, catch_release_seen is called on the connection originator in new_connection, @@ -148,7 +148,7 @@ export { ## effect. const catch_release_intervals: vector of interval = vector(10min, 1hr, 24hrs, 7days) &redef; - ## Event that can be handled to access the :bro:type:`NetControl::CatchReleaseInfo` + ## Event that can be handled to access the :zeek:type:`NetControl::CatchReleaseInfo` ## record as it is sent on to the logging framework. global log_netcontrol_catch_release: event(rec: CatchReleaseInfo); @@ -163,7 +163,7 @@ export { # Set that is used to only send seen notifications to the master every ~30 seconds. global catch_release_recently_notified: set[addr] &create_expire=30secs; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release"]); } @@ -227,13 +227,13 @@ global blocks: table[addr] of BlockInfo = {} @if ( Cluster::is_enabled() ) @if ( Cluster::local_node_type() == Cluster::MANAGER ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_new); Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_delete); } @else -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_add); Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_delete); 
diff --git a/scripts/base/frameworks/netcontrol/cluster.bro b/scripts/base/frameworks/netcontrol/cluster.zeek similarity index 99% rename from scripts/base/frameworks/netcontrol/cluster.bro rename to scripts/base/frameworks/netcontrol/cluster.zeek index d70ab6d1c1..3fbd4cd6a1 100644 --- a/scripts/base/frameworks/netcontrol/cluster.bro +++ b/scripts/base/frameworks/netcontrol/cluster.zeek @@ -17,7 +17,7 @@ export { } @if ( Cluster::local_node_type() == Cluster::MANAGER ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, NetControl::rule_added); Broker::auto_publish(Cluster::worker_topic, NetControl::rule_removed); @@ -28,7 +28,7 @@ event bro_init() Broker::auto_publish(Cluster::worker_topic, NetControl::rule_destroyed); } @else -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_add_rule); Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_remove_rule); diff --git a/scripts/base/frameworks/netcontrol/drop.bro b/scripts/base/frameworks/netcontrol/drop.zeek similarity index 96% rename from scripts/base/frameworks/netcontrol/drop.bro rename to scripts/base/frameworks/netcontrol/drop.zeek index 8b31996057..9c1adc73d2 100644 --- a/scripts/base/frameworks/netcontrol/drop.bro +++ b/scripts/base/frameworks/netcontrol/drop.zeek @@ -50,12 +50,12 @@ export { ## r: The rule to be added. global NetControl::drop_rule_policy: hook(r: Rule); - ## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo` + ## Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo` ## record as it is sent on to the logging framework. global log_netcontrol_drop: event(rec: DropInfo); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(NetControl::DROP, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop"]); } 
diff --git a/scripts/base/frameworks/netcontrol/main.bro b/scripts/base/frameworks/netcontrol/main.zeek similarity index 97% rename from scripts/base/frameworks/netcontrol/main.bro rename to scripts/base/frameworks/netcontrol/main.zeek index a9418508af..97b6e27459 100644 --- a/scripts/base/frameworks/netcontrol/main.bro +++ b/scripts/base/frameworks/netcontrol/main.zeek @@ -43,8 +43,8 @@ export { # ### High-level API. # ### - # ### Note - other high level primitives are in catch-and-release.bro, shunt.bro and - # ### drop.bro + # ### Note - other high level primitives are in catch-and-release.zeek, + # ### shunt.zeek and drop.zeek ## Allows all traffic involving a specific IP address to be forwarded. ## @@ -98,7 +98,7 @@ export { ## Returns: Vector of inserted rules on success, empty list on failure. global quarantine_host: function(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string; - ## Flushes all state by calling :bro:see:`NetControl::remove_rule` on all currently active rules. + ## Flushes all state by calling :zeek:see:`NetControl::remove_rule` on all currently active rules. global clear: function(); # ### @@ -122,7 +122,7 @@ export { ## Removes a rule. ## - ## id: The rule to remove, specified as the ID returned by :bro:see:`NetControl::add_rule`. + ## id: The rule to remove, specified as the ID returned by :zeek:see:`NetControl::add_rule`. ## ## reason: Optional string argument giving information on why the rule was removed. ## @@ -138,7 +138,7 @@ export { ## the rule has been added; if it is not removed from them by a separate mechanism, ## it will stay installed and not be removed later. ## - ## id: The rule to delete, specified as the ID returned by :bro:see:`NetControl::add_rule`. + ## id: The rule to delete, specified as the ID returned by :zeek:see:`NetControl::add_rule`. ## ## reason: Optional string argument giving information on why the rule was deleted. ## 
@@ -262,7 +262,7 @@ export { ##### Plugin functions ## Function called by plugins once they finished their activation. After all - ## plugins defined in bro_init finished to activate, rules will start to be sent + ## plugins defined in zeek_init finished to activate, rules will start to be sent ## to the plugins. Rules that scripts try to set before the backends are ready ## will be discarded. global plugin_activated: function(p: PluginState); @@ -321,7 +321,7 @@ export { plugin: string &log &optional; }; - ## Event that can be handled to access the :bro:type:`NetControl::Info` + ## Event that can be handled to access the :zeek:type:`NetControl::Info` ## record as it is sent on to the logging framework. global log_netcontrol: event(rec: Info); } @@ -338,13 +338,13 @@ redef record Rule += { }; # Variable tracking the state of plugin activation. Once all plugins that -# have been added in bro_init are activated, this will switch to T and +# have been added in zeek_init are activated, this will switch to T and # the event NetControl::init_done will be raised. global plugins_active: bool = F; -# Set to true at the end of bro_init (with very low priority). +# Set to true at the end of zeek_init (with very low priority). # Used to track when plugin activation could potentially be finished -global bro_init_done: bool = F; +global zeek_init_done: bool = F; # The counters that are used to generate the rule and plugin IDs global rule_counter: count = 1; @@ -364,7 +364,7 @@ global rules_by_subnets: table[subnet] of set[string]; # There always only can be one rule of each type for one entity. global rule_entities: table[Entity, RuleType] of Rule; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol"]); } 
@@ -613,18 +613,18 @@ function plugin_activated(p: PluginState) plugin_ids[id]$_activated = T; log_msg("activation finished", p); - if ( bro_init_done ) + if ( zeek_init_done ) check_plugins(); } -event bro_init() &priority=-5 +event zeek_init() &priority=-5 { event NetControl::init(); } event NetControl::init() &priority=-20 { - bro_init_done = T; + zeek_init_done = T; check_plugins(); diff --git a/scripts/base/frameworks/netcontrol/non-cluster.bro b/scripts/base/frameworks/netcontrol/non-cluster.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/non-cluster.bro rename to scripts/base/frameworks/netcontrol/non-cluster.zeek diff --git a/scripts/base/frameworks/netcontrol/plugin.bro b/scripts/base/frameworks/netcontrol/plugin.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/plugin.bro rename to scripts/base/frameworks/netcontrol/plugin.zeek diff --git a/scripts/base/frameworks/netcontrol/plugins/__load__.bro b/scripts/base/frameworks/netcontrol/plugins/__load__.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/plugins/__load__.bro rename to scripts/base/frameworks/netcontrol/plugins/__load__.zeek diff --git a/scripts/base/frameworks/netcontrol/plugins/acld.bro b/scripts/base/frameworks/netcontrol/plugins/acld.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/plugins/acld.bro rename to scripts/base/frameworks/netcontrol/plugins/acld.zeek diff --git a/scripts/base/frameworks/netcontrol/plugins/broker.bro b/scripts/base/frameworks/netcontrol/plugins/broker.zeek similarity index 98% rename from scripts/base/frameworks/netcontrol/plugins/broker.bro rename to scripts/base/frameworks/netcontrol/plugins/broker.zeek index 4bfb231c94..599613d06d 100644 --- a/scripts/base/frameworks/netcontrol/plugins/broker.bro +++ b/scripts/base/frameworks/netcontrol/plugins/broker.zeek 
@@ -9,7 +9,7 @@ module NetControl; @load base/frameworks/broker export { - ## This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`. + ## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`. type BrokerConfig: record { ## The broker topic to send events to. topic: string &optional; diff --git a/scripts/base/frameworks/netcontrol/plugins/debug.bro b/scripts/base/frameworks/netcontrol/plugins/debug.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/plugins/debug.bro rename to scripts/base/frameworks/netcontrol/plugins/debug.zeek diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.bro b/scripts/base/frameworks/netcontrol/plugins/openflow.zeek similarity index 99% rename from scripts/base/frameworks/netcontrol/plugins/openflow.bro rename to scripts/base/frameworks/netcontrol/plugins/openflow.zeek index f1403a70a8..d80d7c4a41 100644 --- a/scripts/base/frameworks/netcontrol/plugins/openflow.bro +++ b/scripts/base/frameworks/netcontrol/plugins/openflow.zeek @@ -7,7 +7,7 @@ module NetControl; export { - ## This record specifies the configuration that is passed to :bro:see:`NetControl::create_openflow`. + ## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_openflow`. type OfConfig: record { monitor: bool &default=T; ##< Accept rules that target the monitor path. forward: bool &default=T; ##< Accept rules that target the forward path. diff --git a/scripts/base/frameworks/netcontrol/plugins/packetfilter.bro b/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek similarity index 100% rename from scripts/base/frameworks/netcontrol/plugins/packetfilter.bro rename to scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek 
diff --git a/scripts/base/frameworks/netcontrol/shunt.bro b/scripts/base/frameworks/netcontrol/shunt.zeek similarity index 94% rename from scripts/base/frameworks/netcontrol/shunt.bro rename to scripts/base/frameworks/netcontrol/shunt.zeek index 1275be1560..7cbd8512e2 100644 --- a/scripts/base/frameworks/netcontrol/shunt.bro +++ b/scripts/base/frameworks/netcontrol/shunt.zeek @@ -31,12 +31,12 @@ export { location: string &log &optional; }; - ## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo` + ## Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo` ## record as it is sent on to the logging framework. global log_netcontrol_shunt: event(rec: ShuntInfo); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt"]); } diff --git a/scripts/base/frameworks/netcontrol/types.bro b/scripts/base/frameworks/netcontrol/types.zeek similarity index 83% rename from scripts/base/frameworks/netcontrol/types.bro rename to scripts/base/frameworks/netcontrol/types.zeek index 7fda65ea6b..2be65ce3e6 100644 --- a/scripts/base/frameworks/netcontrol/types.bro +++ b/scripts/base/frameworks/netcontrol/types.zeek @@ -1,6 +1,6 @@ ##! This file defines the types that are used by the NetControl framework. ##! -##! The most important type defined in this file is :bro:see:`NetControl::Rule`, +##! The most important type defined in this file is :zeek:see:`NetControl::Rule`, ##! which is used to describe all rules that can be expressed by the NetControl framework. module NetControl; 
@@ -10,11 +10,11 @@ export { option default_priority: int = +0; ## The default priority that is used when using the high-level functions to - ## push whitelist entries to the backends (:bro:see:`NetControl::whitelist_address` and - ## :bro:see:`NetControl::whitelist_subnet`). + ## push whitelist entries to the backends (:zeek:see:`NetControl::whitelist_address` and + ## :zeek:see:`NetControl::whitelist_subnet`). ## ## Note that this priority is not automatically used when manually creating rules - ## that have a :bro:see:`NetControl::RuleType` of :bro:enum:`NetControl::WHITELIST`. + ## that have a :zeek:see:`NetControl::RuleType` of :zeek:enum:`NetControl::WHITELIST`. const whitelist_priority: int = +5 &redef; ## Type defining the entity that a rule applies to. @@ -25,7 +25,7 @@ export { MAC, ##< Activity involving a MAC address. }; - ## Flow is used in :bro:type:`NetControl::Entity` together with :bro:enum:`NetControl::FLOW` to specify + ## Flow is used in :zeek:type:`NetControl::Entity` together with :zeek:enum:`NetControl::FLOW` to specify ## a uni-directional flow that a rule applies to. ## ## If optional fields are not set, they are interpreted as wildcarded. @@ -41,10 +41,10 @@ export { ## Type defining the entity a rule is operating on. type Entity: record { ty: EntityType; ##< Type of entity. - conn: conn_id &optional; ##< Used with :bro:enum:`NetControl::CONNECTION`. - flow: Flow &optional; ##< Used with :bro:enum:`NetControl::FLOW`. - ip: subnet &optional; ##< Used with :bro:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet. - mac: string &optional; ##< Used with :bro:enum:`NetControl::MAC`. + conn: conn_id &optional; ##< Used with :zeek:enum:`NetControl::CONNECTION`. + flow: Flow &optional; ##< Used with :zeek:enum:`NetControl::FLOW`. + ip: subnet &optional; ##< Used with :zeek:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet. + mac: string &optional; ##< Used with :zeek:enum:`NetControl::MAC`. }; ## Type defining the target of a rule. 
@@ -59,7 +59,7 @@ export { }; ## Type of rules that the framework supports. Each type lists the extra - ## :bro:type:`NetControl::Rule` fields it uses, if any. + ## :zeek:type:`NetControl::Rule` fields it uses, if any. ## ## Plugins may extend this type to define their own. type RuleType: enum { @@ -108,8 +108,8 @@ export { priority: int &default=default_priority; ##< Priority if multiple rules match an entity (larger value is higher priority). location: string &optional; ##< Optional string describing where/what installed the rule. - out_port: count &optional; ##< Argument for :bro:enum:`NetControl::REDIRECT` rules. - mod: FlowMod &optional; ##< Argument for :bro:enum:`NetControl::MODIFY` rules. + out_port: count &optional; ##< Argument for :zeek:enum:`NetControl::REDIRECT` rules. + mod: FlowMod &optional; ##< Argument for :zeek:enum:`NetControl::MODIFY` rules. id: string &default=""; ##< Internally determined unique ID for this rule. Will be set when added. cid: count &default=0; ##< Internally determined unique numeric ID for this rule. Set when added. diff --git a/scripts/base/frameworks/notice/__load__.bro b/scripts/base/frameworks/notice/__load__.zeek similarity index 100% rename from scripts/base/frameworks/notice/__load__.bro rename to scripts/base/frameworks/notice/__load__.zeek diff --git a/scripts/base/frameworks/notice/actions/add-geodata.bro b/scripts/base/frameworks/notice/actions/add-geodata.zeek similarity index 95% rename from scripts/base/frameworks/notice/actions/add-geodata.bro rename to scripts/base/frameworks/notice/actions/add-geodata.zeek index 7d097f5eb6..04cc10209d 100644 --- a/scripts/base/frameworks/notice/actions/add-geodata.bro +++ b/scripts/base/frameworks/notice/actions/add-geodata.zeek 
@@ -13,7 +13,7 @@ module Notice; export { redef enum Action += { ## Indicates that the notice should have geodata added for the - ## "remote" host. :bro:id:`Site::local_nets` must be defined + ## "remote" host. :zeek:id:`Site::local_nets` must be defined ## in order for this to work. ACTION_ADD_GEODATA }; diff --git a/scripts/base/frameworks/notice/actions/drop.bro b/scripts/base/frameworks/notice/actions/drop.zeek similarity index 91% rename from scripts/base/frameworks/notice/actions/drop.bro rename to scripts/base/frameworks/notice/actions/drop.zeek index a189faaeda..024c3b5b92 100644 --- a/scripts/base/frameworks/notice/actions/drop.bro +++ b/scripts/base/frameworks/notice/actions/drop.zeek @@ -8,7 +8,7 @@ module Notice; export { redef enum Action += { - ## Drops the address via :bro:see:`NetControl::drop_address_catch_release`. + ## Drops the address via :zeek:see:`NetControl::drop_address_catch_release`. ACTION_DROP }; diff --git a/scripts/base/frameworks/notice/actions/email_admin.bro b/scripts/base/frameworks/notice/actions/email_admin.zeek similarity index 87% rename from scripts/base/frameworks/notice/actions/email_admin.bro rename to scripts/base/frameworks/notice/actions/email_admin.zeek index fb82f2b960..1b02e5ff0c 100644 --- a/scripts/base/frameworks/notice/actions/email_admin.bro +++ b/scripts/base/frameworks/notice/actions/email_admin.zeek @@ -1,6 +1,6 @@ ##! Adds a new notice action type which can be used to email notices ##! to the administrators of a particular address space as set by -##! :bro:id:`Site::local_admins` if the notice contains a source +##! :zeek:id:`Site::local_admins` if the notice contains a source ##! or destination address that lies within their space. @load ../main 
@@ -12,7 +12,7 @@ export { redef enum Action += { ## Indicate that the generated email should be addressed to the ## appropriate email addresses as found by the - ## :bro:id:`Site::get_emails` function based on the relevant + ## :zeek:id:`Site::get_emails` function based on the relevant ## address or addresses indicated in the notice. ACTION_EMAIL_ADMIN }; diff --git a/scripts/base/frameworks/notice/actions/page.bro b/scripts/base/frameworks/notice/actions/page.zeek similarity index 74% rename from scripts/base/frameworks/notice/actions/page.bro rename to scripts/base/frameworks/notice/actions/page.zeek index 73432337d1..99ca44537b 100644 --- a/scripts/base/frameworks/notice/actions/page.bro +++ b/scripts/base/frameworks/notice/actions/page.zeek @@ -7,12 +7,12 @@ module Notice; export { redef enum Action += { ## Indicates that the notice should be sent to the pager email - ## address configured in the :bro:id:`Notice::mail_page_dest` + ## address configured in the :zeek:id:`Notice::mail_page_dest` ## variable. ACTION_PAGE }; - ## Email address to send notices with the :bro:enum:`Notice::ACTION_PAGE` + ## Email address to send notices with the :zeek:enum:`Notice::ACTION_PAGE` ## action. option mail_page_dest = ""; } diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.zeek similarity index 99% rename from scripts/base/frameworks/notice/actions/pp-alarms.bro rename to scripts/base/frameworks/notice/actions/pp-alarms.zeek index a385d8c626..a327f3f9d6 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.bro +++ b/scripts/base/frameworks/notice/actions/pp-alarms.zeek @@ -12,7 +12,7 @@ export { const pretty_print_alarms = T &redef; ## Address to send the pretty-printed reports to. Default if not set is - ## :bro:id:`Notice::mail_dest`. + ## :zeek:id:`Notice::mail_dest`. ## ## Note that this is overridden by the BroControl MailAlarmsTo option. const mail_dest_pretty_printed = "" &redef; 
@@ -95,7 +95,7 @@ function pp_postprocessor(info: Log::RotationInfo): bool return T; } -event bro_init() +event zeek_init() { if ( ! want_pp() ) return; diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.zeek similarity index 92% rename from scripts/base/frameworks/notice/main.bro rename to scripts/base/frameworks/notice/main.zeek index f4c3f64b42..f4a7796495 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.zeek @@ -18,7 +18,7 @@ export { ## Scripts creating new notices need to redef this enum to add their ## own specific notice types which would then get used when they call - ## the :bro:id:`NOTICE` function. The convention is to give a general + ## the :zeek:id:`NOTICE` function. The convention is to give a general ## category along with the specific notice separating words with ## underscores and using leading capitals on each word except for ## abbreviations which are kept in all capitals. For example, @@ -37,12 +37,12 @@ export { ## logging stream. ACTION_LOG, ## Indicates that the notice should be sent to the email - ## address(es) configured in the :bro:id:`Notice::mail_dest` + ## address(es) configured in the :zeek:id:`Notice::mail_dest` ## variable. ACTION_EMAIL, ## Indicates that the notice should be alarmed. A readable ## ASCII version of the alarm log is emailed in bulk to the - ## address(es) configured in :bro:id:`Notice::mail_dest`. + ## address(es) configured in :zeek:id:`Notice::mail_dest`. ACTION_ALARM, }; @@ -50,7 +50,7 @@ export { type ActionSet: set[Notice::Action]; ## The notice framework is able to do automatic notice suppression by - ## utilizing the *identifier* field in :bro:type:`Notice::Info` records. + ## utilizing the *identifier* field in :zeek:type:`Notice::Info` records. ## Set this to "0secs" to completely disable automated notice ## suppression. option default_suppression_interval = 1hrs; 
@@ -103,18 +103,18 @@ export { ## *conn*, *iconn* or *p* is specified. proto: transport_proto &log &optional; - ## The :bro:type:`Notice::Type` of the notice. + ## The :zeek:type:`Notice::Type` of the notice. note: Type &log; ## The human readable message for the notice. msg: string &log &optional; ## The human readable sub-message. sub: string &log &optional; - ## Source address, if we don't have a :bro:type:`conn_id`. + ## Source address, if we don't have a :zeek:type:`conn_id`. src: addr &log &optional; ## Destination address. dst: addr &log &optional; - ## Associated port, if we don't have a :bro:type:`conn_id`. + ## Associated port, if we don't have a :zeek:type:`conn_id`. p: port &log &optional; ## Associated count, or perhaps a status code. n: count &log &optional; @@ -131,14 +131,14 @@ export { ## By adding chunks of text into this element, other scripts ## can expand on notices that are being emailed. The normal ## way to add text is to extend the vector by handling the - ## :bro:id:`Notice::notice` event and modifying the notice in + ## :zeek:id:`Notice::notice` event and modifying the notice in ## place. email_body_sections: vector of string &optional; ## Adding a string "token" to this set will cause the notice ## framework's built-in emailing functionality to delay sending ## the email until either the token has been removed or the - ## email has been delayed for :bro:id:`Notice::max_email_delay`. + ## email has been delayed for :zeek:id:`Notice::max_email_delay`. email_delay_tokens: set[string] &optional; ## This field is to be provided when a notice is generated for 
@@ -192,8 +192,8 @@ export { ## Note that this is overridden by the BroControl SendMail option. option sendmail = "/usr/sbin/sendmail"; ## Email address to send notices with the - ## :bro:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs - ## on rotation with :bro:enum:`Notice::ACTION_ALARM`. + ## :zeek:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs + ## on rotation with :zeek:enum:`Notice::ACTION_ALARM`. ## ## Note that this is overridden by the BroControl MailTo option. const mail_dest = "" &redef; @@ -212,18 +212,18 @@ export { ## The maximum amount of time a plugin can delay email from being sent. const max_email_delay = 15secs &redef; - ## Contains a portion of :bro:see:`fa_file` that's also contained in - ## :bro:see:`Notice::Info`. + ## Contains a portion of :zeek:see:`fa_file` that's also contained in + ## :zeek:see:`Notice::Info`. type FileInfo: record { fuid: string; ##< File UID. desc: string; ##< File description from e.g. - ##< :bro:see:`Files::describe`. + ##< :zeek:see:`Files::describe`. mime: string &optional; ##< Strongest mime type match for file. cid: conn_id &optional; ##< Connection tuple over which file is sent. cuid: string &optional; ##< Connection UID over which file is sent. }; - ## Creates a record containing a subset of a full :bro:see:`fa_file` record. + ## Creates a record containing a subset of a full :zeek:see:`fa_file` record. ## ## f: record containing metadata about a file. ## @@ -245,7 +245,7 @@ export { global populate_file_info2: function(fi: Notice::FileInfo, n: Notice::Info); ## A log postprocessing function that implements emailing the contents - ## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`. + ## of a log upon rotation to any configured :zeek:id:`Notice::mail_dest`. ## The rotated log is removed upon being sent. ## ## info: A record containing the rotated log file information. 
@@ -254,9 +254,9 @@ export { global log_mailing_postprocessor: function(info: Log::RotationInfo): bool; ## This is the event that is called as the entry point to the - ## notice framework by the global :bro:id:`NOTICE` function. By the + ## notice framework by the global :zeek:id:`NOTICE` function. By the ## time this event is generated, default values have already been - ## filled out in the :bro:type:`Notice::Info` record and the notice + ## filled out in the :zeek:type:`Notice::Info` record and the notice ## policy has also been applied. ## ## n: The record containing notice data. @@ -268,7 +268,7 @@ export { ## ## suppress_for: length of time that this notice should be suppressed. ## - ## note: The :bro:type:`Notice::Type` of the notice. + ## note: The :zeek:type:`Notice::Type` of the notice. ## ## identifier: The identifier string of the notice that should be suppressed. global begin_suppression: event(ts: time, suppress_for: interval, note: Type, identifier: string); @@ -286,8 +286,8 @@ export { global suppressed: event(n: Notice::Info); ## Call this function to send a notice in an email. It is already used - ## by default with the built in :bro:enum:`Notice::ACTION_EMAIL` and - ## :bro:enum:`Notice::ACTION_PAGE` actions. + ## by default with the built in :zeek:enum:`Notice::ACTION_EMAIL` and + ## :zeek:enum:`Notice::ACTION_PAGE` actions. ## ## n: The record of notice data to email. ## 
@@ -308,13 +308,13 @@ export { ## appended. global email_headers: function(subject_desc: string, dest: string): string; - ## This event can be handled to access the :bro:type:`Notice::Info` + ## This event can be handled to access the :zeek:type:`Notice::Info` ## record as it is sent on to the logging framework. ## ## rec: The record containing notice data before it is logged. global log_notice: event(rec: Info); - ## This is an internal wrapper for the global :bro:id:`NOTICE` + ## This is an internal wrapper for the global :zeek:id:`NOTICE` ## function; disregard. ## ## n: The record of notice data. @@ -385,7 +385,7 @@ function log_mailing_postprocessor(info: Log::RotationInfo): bool return T; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice"]); @@ -531,7 +531,7 @@ event Notice::begin_suppression(ts: time, suppress_for: interval, note: Type, suppressing[note, identifier] = suppress_until; } -event bro_init() +event zeek_init() { if ( ! Cluster::is_enabled() ) return; @@ -569,10 +569,10 @@ function create_file_info(f: fa_file): Notice::FileInfo fi$mime = f$info$mime_type; if ( f?$conns && |f$conns| == 1 ) - for ( id in f$conns ) + for ( id, c in f$conns ) { fi$cid = id; - fi$cuid = f$conns[id]$uid; + fi$cuid = c$uid; } return fi; @@ -598,7 +598,7 @@ function populate_file_info2(fi: Notice::FileInfo, n: Notice::Info) # This is run synchronously as a function before all of the other # notice related functions and events. It also modifies the -# :bro:type:`Notice::Info` record in place. +# :zeek:type:`Notice::Info` record in place. function apply_policy(n: Notice::Info) { # Fill in some defaults. diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.zeek similarity index 98% rename from scripts/base/frameworks/notice/weird.bro rename to scripts/base/frameworks/notice/weird.zeek index c6f3748a46..d91a93ce27 100644 
--- a/scripts/base/frameworks/notice/weird.bro +++ b/scripts/base/frameworks/notice/weird.zeek @@ -296,7 +296,7 @@ const notice_actions = { ACTION_NOTICE_ONCE, }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird"]); } @@ -422,3 +422,13 @@ event net_weird(name: string) local i = Info($ts=network_time(), $name=name); weird(i); } + +event file_weird(name: string, f: fa_file, addl: string) + { + local i = Info($ts=network_time(), $name=name, $addl=f$id); + + if ( addl != "" ) + i$addl += fmt(": %s", addl); + + weird(i); + } diff --git a/scripts/base/frameworks/openflow/__load__.bro b/scripts/base/frameworks/openflow/__load__.zeek similarity index 100% rename from scripts/base/frameworks/openflow/__load__.bro rename to scripts/base/frameworks/openflow/__load__.zeek diff --git a/scripts/base/frameworks/openflow/cluster.bro b/scripts/base/frameworks/openflow/cluster.zeek similarity index 99% rename from scripts/base/frameworks/openflow/cluster.bro rename to scripts/base/frameworks/openflow/cluster.zeek index 9ae4274bb7..6ff005b877 100644 --- a/scripts/base/frameworks/openflow/cluster.bro +++ b/scripts/base/frameworks/openflow/cluster.zeek @@ -15,7 +15,7 @@ export { @if ( Cluster::local_node_type() != Cluster::MANAGER ) # Workers need ability to forward commands to manager. -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_mod); Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_clear); diff --git a/scripts/base/frameworks/openflow/consts.bro b/scripts/base/frameworks/openflow/consts.zeek similarity index 100% rename from scripts/base/frameworks/openflow/consts.bro rename to scripts/base/frameworks/openflow/consts.zeek 
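Review bot: The new `file_weird` handler builds its `Info` with only `$ts`, `$name` and `$addl=f$id`, so the resulting weird.log row carries no connection identifiers even when the file is tied to exactly one connection, which turns a pivot from a file weird to conn.log into a two-step lookup through files.log. If `Weird::Info` has the connection field that the `conn_weird` path populates (the record definition is outside this hunk), consider setting it when `f?$conns && |f$conns| == 1`, e.g. `if ( f?$conns && |f$conns| == 1 ) for ( cid, c in f$conns ) i$conn = c;` before `weird(i);`, mirroring how `Notice::create_file_info` in this same change extracts `cid`/`cuid` from a single-connection file. Independently of that, `addl` is appended verbatim via `fmt(": %s", addl)`; a one-line comment such as `# addl is analyzer-supplied detail; the log writer escapes it, so it is concatenated as-is` would make the intent clear to readers, assuming that is indeed where it originates.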
diff --git a/scripts/base/frameworks/openflow/main.bro b/scripts/base/frameworks/openflow/main.zeek similarity index 99% rename from scripts/base/frameworks/openflow/main.bro rename to scripts/base/frameworks/openflow/main.zeek index 5740e90056..ecddea7cb3 100644 --- a/scripts/base/frameworks/openflow/main.bro +++ b/scripts/base/frameworks/openflow/main.zeek @@ -251,7 +251,7 @@ function controller_init_done(controller: Controller) event OpenFlow::controller_activated(controller$state$_name, controller); } -# Functions that are called from cluster.bro and non-cluster.bro +# Functions that are called from cluster.zeek and non-cluster.zeek function register_controller_impl(tpe: OpenFlow::Plugin, name: string, controller: Controller) { diff --git a/scripts/base/frameworks/openflow/non-cluster.bro b/scripts/base/frameworks/openflow/non-cluster.zeek similarity index 100% rename from scripts/base/frameworks/openflow/non-cluster.bro rename to scripts/base/frameworks/openflow/non-cluster.zeek diff --git a/scripts/base/frameworks/openflow/plugins/__load__.bro b/scripts/base/frameworks/openflow/plugins/__load__.zeek similarity index 100% rename from scripts/base/frameworks/openflow/plugins/__load__.bro rename to scripts/base/frameworks/openflow/plugins/__load__.zeek diff --git a/scripts/base/frameworks/openflow/plugins/broker.bro b/scripts/base/frameworks/openflow/plugins/broker.zeek similarity index 100% rename from scripts/base/frameworks/openflow/plugins/broker.bro rename to scripts/base/frameworks/openflow/plugins/broker.zeek diff --git a/scripts/base/frameworks/openflow/plugins/log.bro b/scripts/base/frameworks/openflow/plugins/log.zeek similarity index 95% rename from scripts/base/frameworks/openflow/plugins/log.bro rename to scripts/base/frameworks/openflow/plugins/log.zeek index 2fd961cd4f..23a16c3186 100644 --- a/scripts/base/frameworks/openflow/plugins/log.bro +++ b/scripts/base/frameworks/openflow/plugins/log.zeek 
@@ -41,12 +41,12 @@ export { flow_mod: ofp_flow_mod &log; }; - ## Event that can be handled to access the :bro:type:`OpenFlow::Info` + ## Event that can be handled to access the :zeek:type:`OpenFlow::Info` ## record as it is sent on to the logging framework. global log_openflow: event(rec: Info); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow"]); } diff --git a/scripts/base/frameworks/openflow/plugins/ryu.bro b/scripts/base/frameworks/openflow/plugins/ryu.zeek similarity index 100% rename from scripts/base/frameworks/openflow/plugins/ryu.bro rename to scripts/base/frameworks/openflow/plugins/ryu.zeek diff --git a/scripts/base/frameworks/openflow/types.bro b/scripts/base/frameworks/openflow/types.zeek similarity index 100% rename from scripts/base/frameworks/openflow/types.bro rename to scripts/base/frameworks/openflow/types.zeek diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.zeek similarity index 100% rename from scripts/base/frameworks/packet-filter/__load__.bro rename to scripts/base/frameworks/packet-filter/__load__.zeek diff --git a/scripts/base/frameworks/packet-filter/cluster.bro b/scripts/base/frameworks/packet-filter/cluster.zeek similarity index 100% rename from scripts/base/frameworks/packet-filter/cluster.bro rename to scripts/base/frameworks/packet-filter/cluster.zeek diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.zeek similarity index 92% rename from scripts/base/frameworks/packet-filter/main.bro rename to scripts/base/frameworks/packet-filter/main.zeek index 8a9cb4eb98..160139b1db 100644 --- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.zeek 
@@ -2,7 +2,7 @@ ##! Bro sets a capture filter that allows all traffic. If a filter ##! is set on the command line, that filter takes precedence over the default ##! open filter and all filters defined in Bro scripts with the -##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables. +##! :zeek:id:`capture_filters` and :zeek:id:`restrict_filters` variables. @load base/frameworks/notice @load base/frameworks/analyzer @@ -48,7 +48,7 @@ export { }; ## The BPF filter that is used by default to define what traffic should - ## be captured. Filters defined in :bro:id:`restrict_filters` will + ## be captured. Filters defined in :zeek:id:`restrict_filters` will ## still be applied to reduce the captured traffic. const default_capture_filter = "ip or not ip" &redef; @@ -64,7 +64,7 @@ export { ## The maximum amount of time that you'd like to allow for BPF filters to compile. ## If this time is exceeded, compensation measures may be taken by the framework ## to reduce the filter size. This threshold being crossed also results - ## in the :bro:see:`PacketFilter::Too_Long_To_Compile_Filter` notice. + ## in the :zeek:see:`PacketFilter::Too_Long_To_Compile_Filter` notice. const max_filter_compile_time = 100msec &redef; ## Install a BPF filter to exclude some traffic. The filter should 
@@ -157,25 +157,25 @@ event filter_change_tracking() schedule 5min { filter_change_tracking() }; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter"]); # Preverify the capture and restrict filters to give more granular failure messages. - for ( id in capture_filters ) + for ( id, cf in capture_filters ) { - if ( ! test_filter(capture_filters[id]) ) - Reporter::fatal(fmt("Invalid capture_filter named '%s' - '%s'", id, capture_filters[id])); + if ( ! test_filter(cf) ) + Reporter::fatal(fmt("Invalid capture_filter named '%s' - '%s'", id, cf)); } - for ( id in restrict_filters ) + for ( id, rf in restrict_filters ) { if ( ! test_filter(restrict_filters[id]) ) - Reporter::fatal(fmt("Invalid restrict filter named '%s' - '%s'", id, restrict_filters[id])); + Reporter::fatal(fmt("Invalid restrict filter named '%s' - '%s'", id, rf)); } } -event bro_init() &priority=-5 +event zeek_init() &priority=-5 { install(); 
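Review bot: In the second loop of the `zeek_init() &priority=5` handler the conversion is only half done: the loop now binds the value as `rf`, and the `Reporter::fatal` call uses `rf`, but the check still indexes the table, `if ( ! test_filter(restrict_filters[id]) )`. Behavior is identical, but it re-does a table lookup and leaves the two loops inconsistent with each other; change it to `if ( ! test_filter(rf) )` to match the `capture_filters` loop above. The handler's closing brace and the following `install()` handler continue past this hunk's last visible line.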
@@ -234,20 +234,20 @@ function build(): string if ( |capture_filters| == 0 && ! enable_auto_protocol_capture_filters ) cfilter = default_capture_filter; - for ( id in capture_filters ) - cfilter = combine_filters(cfilter, "or", capture_filters[id]); + for ( id, cf in capture_filters ) + cfilter = combine_filters(cfilter, "or", cf); if ( enable_auto_protocol_capture_filters ) cfilter = combine_filters(cfilter, "or", Analyzer::get_bpf()); # Apply the restriction filters. local rfilter = ""; - for ( id in restrict_filters ) - rfilter = combine_filters(rfilter, "and", restrict_filters[id]); + for ( id, rf in restrict_filters ) + rfilter = combine_filters(rfilter, "and", rf); # Apply the dynamic restriction filters. - for ( filt in dynamic_restrict_filters ) - rfilter = combine_filters(rfilter, "and", string_cat("not (", dynamic_restrict_filters[filt], ")")); + for ( filt, drf in dynamic_restrict_filters ) + rfilter = combine_filters(rfilter, "and", string_cat("not (", drf, ")")); # Finally, join them into one filter. local filter = combine_filters(cfilter, "and", rfilter); diff --git a/scripts/base/frameworks/packet-filter/netstats.bro b/scripts/base/frameworks/packet-filter/netstats.zeek similarity index 98% rename from scripts/base/frameworks/packet-filter/netstats.bro rename to scripts/base/frameworks/packet-filter/netstats.zeek index 14545243d2..48b157b3eb 100644 --- a/scripts/base/frameworks/packet-filter/netstats.bro +++ b/scripts/base/frameworks/packet-filter/netstats.zeek @@ -33,7 +33,7 @@ event net_stats_update(last_stat: NetStats) schedule stats_collection_interval { net_stats_update(ns) }; } -event bro_init() +event zeek_init() { # Since this currently only calculates packet drops, let's skip the stats # collection if reading traces. 
diff --git a/scripts/base/frameworks/packet-filter/utils.bro b/scripts/base/frameworks/packet-filter/utils.zeek similarity index 96% rename from scripts/base/frameworks/packet-filter/utils.bro rename to scripts/base/frameworks/packet-filter/utils.zeek index 29b54229af..cbf07f64ad 100644 --- a/scripts/base/frameworks/packet-filter/utils.bro +++ b/scripts/base/frameworks/packet-filter/utils.zeek @@ -1,7 +1,7 @@ module PacketFilter; export { - ## Takes a :bro:type:`port` and returns a BPF expression which will + ## Takes a :zeek:type:`port` and returns a BPF expression which will ## match the port. ## ## p: The port. diff --git a/scripts/base/frameworks/reporter/__load__.bro b/scripts/base/frameworks/reporter/__load__.zeek similarity index 100% rename from scripts/base/frameworks/reporter/__load__.bro rename to scripts/base/frameworks/reporter/__load__.zeek diff --git a/scripts/base/frameworks/reporter/main.bro b/scripts/base/frameworks/reporter/main.zeek similarity index 92% rename from scripts/base/frameworks/reporter/main.bro rename to scripts/base/frameworks/reporter/main.zeek index 8cba29bdc2..54e4123407 100644 --- a/scripts/base/frameworks/reporter/main.bro +++ b/scripts/base/frameworks/reporter/main.zeek 
@@ -2,14 +2,14 @@ ##! internal messages/warnings/errors. It should typically be loaded to ##! log such messages to a file in a standard way. For the options to ##! toggle whether messages are additionally written to STDERR, see -##! :bro:see:`Reporter::info_to_stderr`, -##! :bro:see:`Reporter::warnings_to_stderr`, and -##! :bro:see:`Reporter::errors_to_stderr`. +##! :zeek:see:`Reporter::info_to_stderr`, +##! :zeek:see:`Reporter::warnings_to_stderr`, and +##! :zeek:see:`Reporter::errors_to_stderr`. ##! ##! Note that this framework deals with the handling of internally generated ##! reporter messages, for the interface ##! into actually creating reporter messages from the scripting layer, use -##! the built-in functions in :doc:`/scripts/base/bif/reporter.bif.bro`. +##! the built-in functions in :doc:`/scripts/base/bif/reporter.bif.zeek`. module Reporter; @@ -35,7 +35,7 @@ export { }; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Reporter::LOG, [$columns=Info, $path="reporter"]); } diff --git a/scripts/base/frameworks/signatures/__load__.bro b/scripts/base/frameworks/signatures/__load__.zeek similarity index 100% rename from scripts/base/frameworks/signatures/__load__.bro rename to scripts/base/frameworks/signatures/__load__.zeek diff --git a/scripts/base/frameworks/signatures/main.bro b/scripts/base/frameworks/signatures/main.zeek similarity index 93% rename from scripts/base/frameworks/signatures/main.bro rename to scripts/base/frameworks/signatures/main.zeek index 70c446d046..910f3b461c 100644 --- a/scripts/base/frameworks/signatures/main.bro +++ b/scripts/base/frameworks/signatures/main.zeek 
@@ -13,22 +13,22 @@ export { Sensitive_Signature, ## Host has triggered many signatures on the same host. The ## number of signatures is defined by the - ## :bro:id:`Signatures::vert_scan_thresholds` variable. + ## :zeek:id:`Signatures::vert_scan_thresholds` variable. Multiple_Signatures, ## Host has triggered the same signature on multiple hosts as - ## defined by the :bro:id:`Signatures::horiz_scan_thresholds` + ## defined by the :zeek:id:`Signatures::horiz_scan_thresholds` ## variable. Multiple_Sig_Responders, ## The same signature has triggered multiple times for a host. ## The number of times the signature has been triggered is - ## defined by the :bro:id:`Signatures::count_thresholds` + ## defined by the :zeek:id:`Signatures::count_thresholds` ## variable. To generate this notice, the - ## :bro:enum:`Signatures::SIG_COUNT_PER_RESP` action must be + ## :zeek:enum:`Signatures::SIG_COUNT_PER_RESP` action must be ## set for the signature. Count_Signature, ## Summarize the number of times a host triggered a signature. ## The interval between summaries is defined by the - ## :bro:id:`Signatures::summary_interval` variable. + ## :zeek:id:`Signatures::summary_interval` variable. Signature_Summary, }; @@ -48,7 +48,7 @@ export { SIG_QUIET, ## Generate a notice. SIG_LOG, - ## The same as :bro:enum:`Signatures::SIG_LOG`, but ignore for + ## The same as :zeek:enum:`Signatures::SIG_LOG`, but ignore for ## aggregate/scan processing. SIG_FILE_BUT_NO_SCAN, ## Generate a notice and set it to be alarmed upon. 
@@ -58,8 +58,8 @@ export { ## Alarm once and then never again. SIG_ALARM_ONCE, ## Count signatures per responder host and alarm with the - ## :bro:enum:`Signatures::Count_Signature` notice if a threshold - ## defined by :bro:id:`Signatures::count_thresholds` is reached. + ## :zeek:enum:`Signatures::Count_Signature` notice if a threshold + ## defined by :zeek:id:`Signatures::count_thresholds` is reached. SIG_COUNT_PER_RESP, ## Don't alarm, but generate per-orig summary. SIG_SUMMARY, @@ -114,11 +114,11 @@ export { ## different signature matches has reached one of the thresholds. const vert_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef; - ## Generate a notice if a :bro:enum:`Signatures::SIG_COUNT_PER_RESP` + ## Generate a notice if a :zeek:enum:`Signatures::SIG_COUNT_PER_RESP` ## signature is triggered as often as given by one of these thresholds. const count_thresholds = { 5, 10, 50, 100, 500, 1000, 10000, 1000000, } &redef; - ## The interval between when :bro:enum:`Signatures::Signature_Summary` + ## The interval between when :zeek:enum:`Signatures::Signature_Summary` ## notices are generated. option summary_interval = 1 day; @@ -140,7 +140,7 @@ global count_per_orig: table[addr, string] of count global did_sig_log: set[string] &read_expire = 1 hr; -event bro_init() +event zeek_init() { Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]); } diff --git a/scripts/base/frameworks/software/__load__.bro b/scripts/base/frameworks/software/__load__.zeek similarity index 100% rename from scripts/base/frameworks/software/__load__.bro rename to scripts/base/frameworks/software/__load__.zeek diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.zeek similarity index 94% rename from scripts/base/frameworks/software/main.bro rename to scripts/base/frameworks/software/main.zeek index ddd7ae9801..83669cbc82 100644 --- a/scripts/base/frameworks/software/main.bro 
+++ b/scripts/base/frameworks/software/main.zeek @@ -2,7 +2,7 @@ ##! parsing but doesn't actually do any detection on it's own. It relies on ##! other protocol specific scripts to parse out software from the protocols ##! that they analyze. The entry point for providing new software detections -##! to this framework is through the :bro:id:`Software::found` function. +##! to this framework is through the :zeek:id:`Software::found` function. @load base/utils/directions-and-hosts @load base/utils/numbers @@ -16,7 +16,7 @@ export { ## Scripts detecting new types of software need to redef this enum to add ## their own specific software types which would then be used when they - ## create :bro:type:`Software::Info` records. + ## create :zeek:type:`Software::Info` records. type Type: enum { ## A placeholder type for when the type of software is not known. UNKNOWN, @@ -45,7 +45,7 @@ export { ## The port on which the software is running. Only sensible for ## server software. host_p: port &log &optional; - ## The type of software detected (e.g. :bro:enum:`HTTP::SERVER`). + ## The type of software detected (e.g. :zeek:enum:`HTTP::SERVER`). software_type: Type &log &default=UNKNOWN; ## Name of the software (e.g. Apache). name: string &log &optional; @@ -96,9 +96,9 @@ export { ["Flash Player"] = "Flash", } &default=function(a: string): string { return a; }; - ## Type to represent a collection of :bro:type:`Software::Info` records. + ## Type to represent a collection of :zeek:type:`Software::Info` records. ## It's indexed with the name of a piece of software such as "Firefox" - ## and it yields a :bro:type:`Software::Info` record with more + ## and it yields a :zeek:type:`Software::Info` record with more ## information about the software. type SoftwareSet: table[string] of Info; 
@@ -108,7 +108,7 @@ export { ## uniformly distributed among proxy nodes. global tracked: table[addr] of SoftwareSet &create_expire=1day; - ## This event can be handled to access the :bro:type:`Software::Info` + ## This event can be handled to access the :zeek:type:`Software::Info` ## record as it is sent on to the logging framework. global log_software: event(rec: Info); @@ -117,11 +117,11 @@ export { global version_change: event(old: Info, new: Info); ## This event is raised when software is about to be registered for - ## tracking in :bro:see:`Software::tracked`. + ## tracking in :zeek:see:`Software::tracked`. global register: event(info: Info); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software"]); } @@ -147,6 +147,22 @@ function parse(unparsed_version: string): Description { return parse_mozilla(unparsed_version); } + else if ( /A\/[0-9\.]*\/Google\/Pixel/ in unparsed_version ) + { + software_name = "Android (Google Pixel)"; + local parts = split_string_all(unparsed_version, /\//); + if ( 2 in parts ) + { + local vs = parts[2]; + + if ( "." in vs ) + v = parse(vs)$version; + else + v = Version($major=extract_count(vs)); + + return [$version=v, $unparsed_version=unparsed_version, $name=software_name]; + } + } else { # The regular expression should match the complete version number diff --git a/scripts/base/frameworks/sumstats/__load__.bro b/scripts/base/frameworks/sumstats/__load__.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/__load__.bro rename to scripts/base/frameworks/sumstats/__load__.zeek diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.zeek similarity index 98% rename from scripts/base/frameworks/sumstats/cluster.bro rename to scripts/base/frameworks/sumstats/cluster.zeek index f92b4112ff..d2633afd87 100644 --- a/scripts/base/frameworks/sumstats/cluster.bro 
+++ b/scripts/base/frameworks/sumstats/cluster.zeek @@ -35,12 +35,12 @@ export { global cluster_get_result: event(uid: string, ss_name: string, key: Key, cleanup: bool); ## This event is sent by nodes in response to a - ## :bro:id:`SumStats::cluster_get_result` event. + ## :zeek:id:`SumStats::cluster_get_result` event. global cluster_send_result: event(uid: string, ss_name: string, key: Key, result: Result, cleanup: bool); ## This is sent by workers to indicate that they crossed the percent ## of the current threshold by the percentage defined globally in - ## :bro:id:`SumStats::cluster_request_global_view_percent`. + ## :zeek:id:`SumStats::cluster_request_global_view_percent`. global cluster_key_intermediate_response: event(ss_name: string, key: SumStats::Key); ## This event is scheduled internally on workers to send result chunks. @@ -61,7 +61,7 @@ global recent_global_view_keys: set[string, Key] &create_expire=1min; @if ( Cluster::local_node_type() != Cluster::MANAGER ) -event bro_init() &priority=100 +event zeek_init() &priority=100 { Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_send_result); Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_key_intermediate_response); @@ -209,7 +209,7 @@ function request_key(ss_name: string, key: Key): Result @if ( Cluster::local_node_type() == Cluster::MANAGER ) -event bro_init() &priority=100 +event zeek_init() &priority=100 { Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_ss_request); Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_get_result); diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.zeek similarity index 97% rename from scripts/base/frameworks/sumstats/main.bro rename to scripts/base/frameworks/sumstats/main.zeek index 69a853fd5a..3f73d278e5 100644 --- a/scripts/base/frameworks/sumstats/main.bro +++ b/scripts/base/frameworks/sumstats/main.zeek 
@@ -105,7 +105,7 @@ export { reducers: set[Reducer]; ## A function that will be called once for each observation in order - ## to calculate a value from the :bro:see:`SumStats::Result` structure + ## to calculate a value from the :zeek:see:`SumStats::Result` structure ## which will be used for thresholding. ## This function is required if a *threshold* value or ## a *threshold_series* is given. @@ -157,7 +157,7 @@ export { ## Dynamically request a sumstat key. This function should be ## used sparingly and not as a replacement for the callbacks - ## from the :bro:see:`SumStats::SumStat` record. The function is only + ## from the :zeek:see:`SumStats::SumStat` record. The function is only ## available for use within "when" statements as an asynchronous ## function. ## @@ -168,7 +168,7 @@ export { ## Returns: The result for the requested sumstat key. global request_key: function(ss_name: string, key: Key): Result; - ## Helper function to represent a :bro:type:`SumStats::Key` value as + ## Helper function to represent a :zeek:type:`SumStats::Key` value as ## a simple string. ## ## key: The metric key that is to be converted into a string. @@ -270,7 +270,7 @@ function add_observe_plugin_dependency(calc: Calculation, depends_on: Calculatio calc_deps[calc] += depends_on; } -event bro_init() &priority=100000 +event zeek_init() &priority=100000 { # Call all of the plugin registration hooks hook register_observe_plugins(); @@ -300,17 +300,17 @@ function compose_results(r1: Result, r2: Result): Result { local result: Result = table(); - for ( id in r1 ) + for ( id, rv in r1 ) { - result[id] = r1[id]; + result[id] = rv; } - for ( id in r2 ) + for ( id, rv in r2 ) { if ( id in r1 ) - result[id] = compose_resultvals(r1[id], r2[id]); + result[id] = compose_resultvals(r1[id], rv); else - result[id] = r2[id]; + result[id] = rv; } return result; 
diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.zeek similarity index 93% rename from scripts/base/frameworks/sumstats/non-cluster.bro rename to scripts/base/frameworks/sumstats/non-cluster.zeek index 100e8dad4a..b4292431c5 100644 --- a/scripts/base/frameworks/sumstats/non-cluster.bro +++ b/scripts/base/frameworks/sumstats/non-cluster.zeek @@ -8,9 +8,9 @@ event SumStats::process_epoch_result(ss: SumStat, now: time, data: ResultTable) local i = 50; local keys_to_delete: vector of SumStats::Key = vector(); - for ( key in data ) + for ( key, res in data ) { - ss$epoch_result(now, key, data[key]); + ss$epoch_result(now, key, res); keys_to_delete += key; if ( --i == 0 ) @@ -37,8 +37,8 @@ event SumStats::finish_epoch(ss: SumStat) local now = network_time(); if ( bro_is_terminating() ) { - for ( key in data ) - ss$epoch_result(now, key, data[key]); + for ( key, val in data ) + ss$epoch_result(now, key, val); if ( ss?$epoch_finished ) ss$epoch_finished(now); diff --git a/scripts/base/frameworks/sumstats/plugins/__load__.bro b/scripts/base/frameworks/sumstats/plugins/__load__.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/__load__.bro rename to scripts/base/frameworks/sumstats/plugins/__load__.zeek diff --git a/scripts/base/frameworks/sumstats/plugins/average.bro b/scripts/base/frameworks/sumstats/plugins/average.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/average.bro rename to scripts/base/frameworks/sumstats/plugins/average.zeek diff --git a/scripts/base/frameworks/sumstats/plugins/hll_unique.bro b/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/hll_unique.bro rename to scripts/base/frameworks/sumstats/plugins/hll_unique.zeek 
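Review bot: The two loops converted in this file bind the yielded value under different names for the same `data` table, `res` in process_epoch_result and `val` in finish_epoch; using one name in both, e.g. `for ( key, res in data )`, keeps the file easier to read. The untouched context line `if ( bro_is_terminating() )` in finish_epoch still carries the bro_ prefix; if this series is retiring bro_-prefixed names beyond the events renamed here, that call may warrant the same treatment, to be confirmed against the current builtin list. Both enclosing event bodies extend beyond their hunks.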
diff --git a/scripts/base/frameworks/sumstats/plugins/last.bro b/scripts/base/frameworks/sumstats/plugins/last.zeek similarity index 96% rename from scripts/base/frameworks/sumstats/plugins/last.bro rename to scripts/base/frameworks/sumstats/plugins/last.zeek index b12d854bbb..a2c19f3f51 100644 --- a/scripts/base/frameworks/sumstats/plugins/last.bro +++ b/scripts/base/frameworks/sumstats/plugins/last.zeek @@ -19,7 +19,7 @@ export { redef record ResultVal += { ## This is the queue where elements are maintained. ## Don't access this value directly, instead use the - ## :bro:see:`SumStats::get_last` function to get a vector of + ## :zeek:see:`SumStats::get_last` function to get a vector of ## the current element values. last_elements: Queue::Queue &optional; }; diff --git a/scripts/base/frameworks/sumstats/plugins/max.bro b/scripts/base/frameworks/sumstats/plugins/max.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/max.bro rename to scripts/base/frameworks/sumstats/plugins/max.zeek diff --git a/scripts/base/frameworks/sumstats/plugins/min.bro b/scripts/base/frameworks/sumstats/plugins/min.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/min.bro rename to scripts/base/frameworks/sumstats/plugins/min.zeek diff --git a/scripts/base/frameworks/sumstats/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/sample.bro rename to scripts/base/frameworks/sumstats/plugins/sample.zeek diff --git a/scripts/base/frameworks/sumstats/plugins/std-dev.bro b/scripts/base/frameworks/sumstats/plugins/std-dev.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/std-dev.bro rename to scripts/base/frameworks/sumstats/plugins/std-dev.zeek 
diff --git a/scripts/base/frameworks/sumstats/plugins/sum.bro b/scripts/base/frameworks/sumstats/plugins/sum.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/sum.bro rename to scripts/base/frameworks/sumstats/plugins/sum.zeek diff --git a/scripts/base/frameworks/sumstats/plugins/topk.bro b/scripts/base/frameworks/sumstats/plugins/topk.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/topk.bro rename to scripts/base/frameworks/sumstats/plugins/topk.zeek diff --git a/scripts/base/frameworks/sumstats/plugins/unique.bro b/scripts/base/frameworks/sumstats/plugins/unique.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/unique.bro rename to scripts/base/frameworks/sumstats/plugins/unique.zeek diff --git a/scripts/base/frameworks/sumstats/plugins/variance.bro b/scripts/base/frameworks/sumstats/plugins/variance.zeek similarity index 100% rename from scripts/base/frameworks/sumstats/plugins/variance.bro rename to scripts/base/frameworks/sumstats/plugins/variance.zeek diff --git a/scripts/base/frameworks/tunnels/__load__.bro b/scripts/base/frameworks/tunnels/__load__.zeek similarity index 100% rename from scripts/base/frameworks/tunnels/__load__.bro rename to scripts/base/frameworks/tunnels/__load__.zeek diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.zeek similarity index 83% rename from scripts/base/frameworks/tunnels/main.bro rename to scripts/base/frameworks/tunnels/main.zeek index 7721ce3a02..09441c177c 100644 --- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.zeek @@ -3,7 +3,7 @@ ##! ##! For any connection that occurs over a tunnel, information about its ##! encapsulating tunnels is also found in the *tunnel* field of -##! :bro:type:`connection`. +##! :zeek:type:`connection`. module Tunnel; 
@@ -18,7 +18,7 @@ export { ## A tunnel connection has closed. CLOSE, ## No new connections over a tunnel happened in the amount of - ## time indicated by :bro:see:`Tunnel::expiration_interval`. + ## time indicated by :zeek:see:`Tunnel::expiration_interval`. EXPIRE, }; @@ -27,7 +27,7 @@ export { ## Time at which some tunnel activity occurred. ts: time &log; ## The unique identifier for the tunnel, which may correspond - ## to a :bro:type:`connection`'s *uid* field for non-IP-in-IP tunnels. + ## to a :zeek:type:`connection`'s *uid* field for non-IP-in-IP tunnels. ## This is optional because there could be numerous connections ## for payload proxies like SOCKS but we should treat it as a ## single tunnel. 
@@ -42,29 +42,29 @@ export { }; ## Logs all tunnels in an encapsulation chain with action - ## :bro:see:`Tunnel::DISCOVER` that aren't already in the - ## :bro:id:`Tunnel::active` table and adds them if not. + ## :zeek:see:`Tunnel::DISCOVER` that aren't already in the + ## :zeek:id:`Tunnel::active` table and adds them if not. global register_all: function(ecv: EncapsulatingConnVector); ## Logs a single tunnel "connection" with action - ## :bro:see:`Tunnel::DISCOVER` if it's not already in the - ## :bro:id:`Tunnel::active` table and adds it if not. + ## :zeek:see:`Tunnel::DISCOVER` if it's not already in the + ## :zeek:id:`Tunnel::active` table and adds it if not. global register: function(ec: EncapsulatingConn); ## Logs a single tunnel "connection" with action - ## :bro:see:`Tunnel::EXPIRE` and removes it from the - ## :bro:id:`Tunnel::active` table. + ## :zeek:see:`Tunnel::EXPIRE` and removes it from the + ## :zeek:id:`Tunnel::active` table. ## ## t: A table of tunnels. ## ## idx: The index of the tunnel table corresponding to the tunnel to expire. ## ## Returns: 0secs, which when this function is used as an - ## :bro:attr:`&expire_func`, indicates to remove the element at + ## :zeek:attr:`&expire_func`, indicates to remove the element at ## *idx* immediately. global expire: function(t: table[conn_id] of Info, idx: conn_id): interval; - ## Removes a single tunnel from the :bro:id:`Tunnel::active` table + ## Removes a single tunnel from the :zeek:id:`Tunnel::active` table ## and logs the closing/expiration of the tunnel. ## ## tunnel: The tunnel which has closed or expired. 
@@ -78,22 +78,23 @@ export { ## Currently active tunnels. That is, tunnels for which new, ## encapsulated connections have been seen in the interval indicated by - ## :bro:see:`Tunnel::expiration_interval`. + ## :zeek:see:`Tunnel::expiration_interval`. global active: table[conn_id] of Info = table() &read_expire=expiration_interval &expire_func=expire; } const ayiya_ports = { 5072/udp }; const teredo_ports = { 3544/udp }; const gtpv1_ports = { 2152/udp, 2123/udp }; -redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports }; +redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel"]); Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports); } function register_all(ecv: EncapsulatingConnVector) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.zeek similarity index 88% rename from scripts/base/init-bare.bro rename to scripts/base/init-bare.zeek index b957ffee26..77f810a16f 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.zeek @@ -99,7 +99,7 @@ type files_tag_set: set[Files::Tag]; ## A structure indicating a MIME type and strength of a match against ## file magic signatures. ## -## :bro:see:`file_magic` +## :zeek:see:`file_magic` type mime_match: record { strength: int; ##< How strongly the signature matched. Used for ##< prioritization when multiple file magic signatures 
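Review bot: `vxlan_ports`, added to `likely_server_ports` and to the new `register_for_ports` call, is the only port set in this file that is not declared next to its siblings; `ayiya_ports`, `teredo_ports` and `gtpv1_ports` are `const` a few lines above, whereas `vxlan_ports` must be defined in some other script. Either declare it alongside them, `const vxlan_ports = { <VXLAN_PORT>/udp };` with the value taken from wherever it currently lives, or add a comment naming the defining script, so a reader of this file can see which traffic the VXLAN decapsulator is now enabled on. Registering the analyzer for those ports means anything arriving there is decapsulated, so whether the set is meant to be operator-adjustable (the sibling sets here are not `&redef`) is worth stating explicitly. The `zeek_init` body is complete within the hunk.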
@@ -110,7 +110,7 @@ type mime_match: record { ## A vector of file magic signature matches, ordered by strength of ## the signature, strongest first. ## -## :bro:see:`file_magic` +## :zeek:see:`file_magic` type mime_matches: vector of mime_match; ## A connection's transport-layer protocol. Note that Bro uses the term @@ -126,7 +126,7 @@ type transport_proto: enum { ## ## .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as ## part of the port values, `orig_p` and `resp_p`, and can be extracted from -## them with :bro:id:`get_port_transport_proto`. +## them with :zeek:id:`get_port_transport_proto`. type conn_id: record { orig_h: addr; ##< The originator's IP address. orig_p: port; ##< The originator's port number. @@ -138,7 +138,7 @@ type conn_id: record { ## ## .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as ## part of the port values, `src_p` and `dst_p`, and can be extracted from -## them with :bro:id:`get_port_transport_proto`. +## them with :zeek:id:`get_port_transport_proto`. type flow_id : record { src_h: addr; ##< The source IP address. src_p: port; ##< The source port number. @@ -147,9 +147,9 @@ type flow_id : record { } &log; ## Specifics about an ICMP conversation. ICMP events typically pass this in -## addition to :bro:type:`conn_id`. +## addition to :zeek:type:`conn_id`. ## -## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent +## .. zeek:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent ## icmp_time_exceeded icmp_unreachable type icmp_conn: record { orig_h: addr; ##< The originator's IP address. 
@@ -164,7 +164,7 @@ type icmp_conn: record { ## Packet context part of an ICMP message. The fields of this record reflect the ## packet that is described by the context. ## -## .. bro:see:: icmp_time_exceeded icmp_unreachable +## .. zeek:see:: icmp_time_exceeded icmp_unreachable type icmp_context: record { id: conn_id; ##< The packet's 4-tuple. len: count; ##< The length of the IP packet (headers + payload). @@ -183,7 +183,7 @@ type icmp_context: record { ## Values extracted from a Prefix Information option in an ICMPv6 neighbor ## discovery message as specified by :rfc:`4861`. ## -## .. bro:see:: icmp6_nd_option +## .. zeek:see:: icmp6_nd_option type icmp6_nd_prefix_info: record { ## Number of leading bits of the *prefix* that are valid. prefix_len: count; @@ -199,14 +199,14 @@ type icmp6_nd_prefix_info: record { ## (0xffffffff represents infinity). preferred_lifetime: interval; ## An IP address or prefix of an IP address. Use the *prefix_len* field - ## to convert this into a :bro:type:`subnet`. + ## to convert this into a :zeek:type:`subnet`. prefix: addr; }; ## Options extracted from ICMPv6 neighbor discovery messages as specified ## by :rfc:`4861`. ## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_advertisement icmp_neighbor_solicitation icmp_redirect ## icmp6_nd_options type icmp6_nd_option: record { @@ -238,7 +238,7 @@ type icmp6_nd_options: vector of icmp6_nd_option; # A DNS mapping between IP address and hostname resolved by Bro's internal # resolver. # -# .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +# .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name # dns_mapping_unverified dns_mapping_valid type dns_mapping: record { ## The time when the mapping was created, which corresponds to when 
@@ -264,7 +264,7 @@ type dns_mapping: record { ## A parsed host/port combination describing server endpoint for an upcoming ## data transfer. ## -## .. bro:see:: fmt_ftp_port parse_eftp_port parse_ftp_epsv parse_ftp_pasv +## .. zeek:see:: fmt_ftp_port parse_eftp_port parse_ftp_epsv parse_ftp_pasv ## parse_ftp_port type ftp_port: record { h: addr; ##< The host's address. @@ -274,7 +274,7 @@ type ftp_port: record { ## Statistics about what a TCP endpoint sent. ## -## .. bro:see:: conn_stats +## .. zeek:see:: conn_stats type endpoint_stats: record { num_pkts: count; ##< Number of packets. num_rxmit: count; ##< Number of retransmissions. @@ -283,9 +283,9 @@ type endpoint_stats: record { num_OO: count; ##< Number of out-of-order packets. num_repl: count; ##< Number of replicated packets (last packet was sent again). ## Endian type used by the endpoint, if it could be determined from - ## the sequence numbers used. This is one of :bro:see:`ENDIAN_UNKNOWN`, - ## :bro:see:`ENDIAN_BIG`, :bro:see:`ENDIAN_LITTLE`, and - ## :bro:see:`ENDIAN_CONFUSED`. + ## the sequence numbers used. This is one of :zeek:see:`ENDIAN_UNKNOWN`, + ## :zeek:see:`ENDIAN_BIG`, :zeek:see:`ENDIAN_LITTLE`, and + ## :zeek:see:`ENDIAN_CONFUSED`. endian_type: count; }; @@ -302,7 +302,7 @@ export { ## The type of tunnel. tunnel_type: Tunnel::Type; ## A globally unique identifier that, for non-IP-in-IP tunnels, - ## cross-references the *uid* field of :bro:type:`connection`. + ## cross-references the *uid* field of :zeek:type:`connection`. uid: string &optional; } &log; } # end export 
@@ -316,22 +316,22 @@ module GLOBAL; ## directly and then remove this alias. type EncapsulatingConnVector: vector of Tunnel::EncapsulatingConn; -## Statistics about a :bro:type:`connection` endpoint. +## Statistics about a :zeek:type:`connection` endpoint. ## -## .. bro:see:: connection +## .. zeek:see:: connection type endpoint: record { size: count; ##< Logical size of data sent (for TCP: derived from sequence numbers). ## Endpoint state. For a TCP connection, one of the constants: - ## :bro:see:`TCP_INACTIVE` :bro:see:`TCP_SYN_SENT` - ## :bro:see:`TCP_SYN_ACK_SENT` :bro:see:`TCP_PARTIAL` - ## :bro:see:`TCP_ESTABLISHED` :bro:see:`TCP_CLOSED` :bro:see:`TCP_RESET`. - ## For UDP, one of :bro:see:`UDP_ACTIVE` and :bro:see:`UDP_INACTIVE`. + ## :zeek:see:`TCP_INACTIVE` :zeek:see:`TCP_SYN_SENT` + ## :zeek:see:`TCP_SYN_ACK_SENT` :zeek:see:`TCP_PARTIAL` + ## :zeek:see:`TCP_ESTABLISHED` :zeek:see:`TCP_CLOSED` :zeek:see:`TCP_RESET`. + ## For UDP, one of :zeek:see:`UDP_ACTIVE` and :zeek:see:`UDP_INACTIVE`. state: count; - ## Number of packets sent. Only set if :bro:id:`use_conn_size_analyzer` + ## Number of packets sent. Only set if :zeek:id:`use_conn_size_analyzer` ## is true. num_pkts: count &optional; ## Number of IP-level bytes sent. Only set if - ## :bro:id:`use_conn_size_analyzer` is true. + ## :zeek:id:`use_conn_size_analyzer` is true. num_bytes_ip: count &optional; ## The current IPv6 flow label that the connection endpoint is using. ## Always 0 if the connection is over IPv4. 
@@ -361,7 +361,7 @@ type connection: record { ## to parse the same data. If so, all will be recorded. Also note that ## the recorded services are independent of any transport-level protocols. service: set[string]; - history: string; ##< State history of connections. See *history* in :bro:see:`Conn::Info`. + history: string; ##< State history of connections. See *history* in :zeek:see:`Conn::Info`. ## A globally unique connection identifier. For each connection, Bro ## creates an ID that is very likely unique across independent Bro runs. ## These IDs can thus be used to tag and locate information associated @@ -370,7 +370,7 @@ type connection: record { ## If the connection is tunneled, this field contains information about ## the encapsulating "connection(s)" with the outermost one starting ## at index zero. It's also always the first such encapsulation seen - ## for the connection unless the :bro:id:`tunnel_changed` event is + ## for the connection unless the :zeek:id:`tunnel_changed` event is ## handled and reassigns this field to the new encapsulation. tunnel: EncapsulatingConnVector &optional; @@ -460,7 +460,7 @@ type fa_metadata: record { ## Fields of a SYN packet. ## -## .. bro:see:: connection_SYN_packet +## .. zeek:see:: connection_SYN_packet type SYN_packet: record { is_orig: bool; ##< True if the packet was sent the connection's originator. DF: bool; ##< True if the *don't fragment* is set in the IP header. 
@@ -474,13 +474,13 @@ type SYN_packet: record {
 
 ## Packet capture statistics. All counts are cumulative.
 ##
-## .. bro:see:: get_net_stats
+## .. zeek:see:: get_net_stats
 type NetStats: record {
 pkts_recvd: count &default=0; ##< Packets received by Bro.
 pkts_dropped: count &default=0; ##< Packets reported dropped by the system.
 ## Packets seen on the link. Note that this may differ
 ## from *pkts_recvd* because of a potential capture_filter. See
- ## :doc:`/scripts/base/frameworks/packet-filter/main.bro`. Depending on the
+ ## :doc:`/scripts/base/frameworks/packet-filter/main.zeek`. Depending on the
 ## packet capture system, this value may not be available and will then
 ## be always set to zero.
 pkts_link: count &default=0;
@@ -514,7 +514,7 @@ type ConnStats: record {
 
 ## Statistics about Bro's process.
 ##
-## .. bro:see:: get_proc_stats
+## .. zeek:see:: get_proc_stats
 ##
 ## .. note:: All process-level values refer to Bro's main process only, not to
 ## the child process it spawns for doing communication.
@@ -540,7 +540,7 @@ type EventStats: record {
 
 ## Holds statistics for all types of reassembly.
 ##
-## .. bro:see:: get_reassembler_stats
+## .. zeek:see:: get_reassembler_stats
 type ReassemblerStats: record {
 file_size: count; ##< Byte size of File reassembly tracking.
 frag_size: count; ##< Byte size of Fragment reassembly tracking.
@@ -550,7 +550,7 @@ type ReassemblerStats: record {
 
 ## Statistics of all regular expression matchers.
 ##
-## .. bro:see:: get_matcher_stats
+## .. zeek:see:: get_matcher_stats
 type MatcherStats: record {
 matchers: count; ##< Number of distinct RE matchers.
 nfa_states: count; ##< Number of NFA states across all matchers.
@@ -563,7 +563,7 @@ type MatcherStats: record {
 
 ## Statistics of timers.
 ##
-## .. bro:see:: get_timer_stats
+## .. zeek:see:: get_timer_stats
 type TimerStats: record {
 current: count; ##< Current number of pending timers.
 max: count; ##< Maximum number of concurrent timers pending so far.
@@ -572,7 +572,7 @@ type TimerStats: record {
 
 ## Statistics of file analysis.
 ##
-## .. bro:see:: get_file_analysis_stats
+## .. zeek:see:: get_file_analysis_stats
 type FileAnalysisStats: record {
 current: count; ##< Current number of files being analyzed.
 max: count; ##< Maximum number of concurrent files so far.
@@ -583,7 +583,7 @@ type FileAnalysisStats: record {
 ## about Bro performing DNS queries on it's own, not traffic
 ## being seen.
 ##
-## .. bro:see:: get_dns_stats
+## .. zeek:see:: get_dns_stats
 type DNSStats: record {
 requests: count; ##< Number of DNS requests made
 successful: count; ##< Number of successful DNS replies.
@@ -595,7 +595,7 @@ type DNSStats: record {
 
 ## Statistics about number of gaps in TCP connections.
 ##
-## .. bro:see:: get_gap_stats
+## .. zeek:see:: get_gap_stats
 type GapStats: record {
 ack_events: count; ##< How many ack events *could* have had gaps.
 ack_bytes: count; ##< How many bytes those covered.
@@ -605,14 +605,14 @@ type GapStats: record {
 
 ## Statistics about threads.
 ##
-## .. bro:see:: get_thread_stats
+## .. zeek:see:: get_thread_stats
 type ThreadStats: record {
 num_threads: count;
 };
 
 ## Statistics about Broker communication.
 ##
-## .. bro:see:: get_broker_stats
+## .. zeek:see:: get_broker_stats
 type BrokerStats: record {
 num_peers: count;
 ## Number of active data stores.
@@ -635,7 +635,7 @@ type BrokerStats: record {
 
 ## Statistics about reporter messages and weirds.
 ##
-## .. bro:see:: get_reporter_stats
+## .. zeek:see:: get_reporter_stats
 type ReporterStats: record {
 ## Number of total weirds encountered, before any rate-limiting.
 weirds: count;
@@ -657,7 +657,7 @@ type packet: record {
 
 ## Table type used to map variable names to their memory allocation.
 ##
-## .. bro:see:: global_sizes
+## .. zeek:see:: global_sizes
 ##
 ## .. todo:: We need this type definition only for declaring builtin functions
 ## via ``bifcl``. We should extend ``bifcl`` to understand composite types
@@ -666,21 +666,21 @@ type var_sizes: table[string] of count;
 
 ## Meta-information about a script-level identifier.
 ##
-## .. bro:see:: global_ids id_table
+## .. zeek:see:: global_ids id_table
 type script_id: record {
 type_name: string; ##< The name of the identifier's type.
 exported: bool; ##< True if the identifier is exported.
 constant: bool; ##< True if the identifier is a constant.
 enum_constant: bool; ##< True if the identifier is an enum value.
 option_value: bool; ##< True if the identifier is an option.
- redefinable: bool; ##< True if the identifier is declared with the :bro:attr:`&redef` attribute.
+ redefinable: bool; ##< True if the identifier is declared with the :zeek:attr:`&redef` attribute.
 value: any &optional; ##< The current value of the identifier.
 };
 
 ## Table type used to map script-level identifiers to meta-information
 ## describing them.
 ##
-## .. bro:see:: global_ids script_id
+## .. zeek:see:: global_ids script_id
 ##
 ## .. todo:: We need this type definition only for declaring builtin functions
 ## via ``bifcl``. We should extend ``bifcl`` to understand composite types
@@ -689,20 +689,20 @@ type id_table: table[string] of script_id;
 
 ## Meta-information about a record field.
 ##
-## .. bro:see:: record_fields record_field_table
+## .. zeek:see:: record_fields record_field_table
 type record_field: record {
 type_name: string; ##< The name of the field's type.
- log: bool; ##< True if the field is declared with :bro:attr:`&log` attribute.
+ log: bool; ##< True if the field is declared with :zeek:attr:`&log` attribute.
 ## The current value of the field in the record instance passed into
- ## :bro:see:`record_fields` (if it has one).
+ ## :zeek:see:`record_fields` (if it has one).
 value: any &optional;
- default_val: any &optional; ##< The value of the :bro:attr:`&default` attribute if defined.
+ default_val: any &optional; ##< The value of the :zeek:attr:`&default` attribute if defined.
 };
 
 ## Table type used to map record field declarations to meta-information
 ## describing them.
 ##
-## .. bro:see:: record_fields record_field
+## .. zeek:see:: record_fields record_field
 ##
 ## .. todo:: We need this type definition only for declaring builtin functions
 ## via ``bifcl``. We should extend ``bifcl`` to understand composite types
@@ -711,21 +711,21 @@ type record_field_table: table[string] of record_field;
 
 ## Meta-information about a parameter to a function/event.
 ##
-## .. bro:see:: call_argument_vector new_event
+## .. zeek:see:: call_argument_vector new_event
 type call_argument: record {
 name: string; ##< The name of the parameter.
 type_name: string; ##< The name of the parameters's type.
- default_val: any &optional; ##< The value of the :bro:attr:`&default` attribute if defined.
+ default_val: any &optional; ##< The value of the :zeek:attr:`&default` attribute if defined.
 
 ## The value of the parameter as passed into a given call instance.
- ## Might be unset in the case a :bro:attr:`&default` attribute is
+ ## Might be unset in the case a :zeek:attr:`&default` attribute is
 ## defined.
 value: any &optional;
 };
 
 ## Vector type used to capture parameters of a function/event call.
 ##
-## .. bro:see:: call_argument new_event
+## .. zeek:see:: call_argument new_event
 type call_argument_vector: vector of call_argument;
 
 # todo:: Do we still need these here? Can they move into the packet filter
@@ -736,28 +736,28 @@ type call_argument_vector: vector of call_argument;
 
 ## Set of BPF capture filters to use for capturing, indexed by a user-definable
 ## ID (which must be unique). If Bro is *not* configured with
-## :bro:id:`PacketFilter::enable_auto_protocol_capture_filters`,
+## :zeek:id:`PacketFilter::enable_auto_protocol_capture_filters`,
 ## all packets matching at least one of the filters in this table (and all in
-## :bro:id:`restrict_filters`) will be analyzed.
+## :zeek:id:`restrict_filters`) will be analyzed.
 ##
-## .. bro:see:: PacketFilter PacketFilter::enable_auto_protocol_capture_filters
+## .. zeek:see:: PacketFilter PacketFilter::enable_auto_protocol_capture_filters
 ## PacketFilter::unrestricted_filter restrict_filters
 global capture_filters: table[string] of string &redef;
 
 ## Set of BPF filters to restrict capturing, indexed by a user-definable ID
 ## (which must be unique).
 ##
-## .. bro:see:: PacketFilter PacketFilter::enable_auto_protocol_capture_filters
+## .. zeek:see:: PacketFilter PacketFilter::enable_auto_protocol_capture_filters
 ## PacketFilter::unrestricted_filter capture_filters
 global restrict_filters: table[string] of string &redef;
 
 ## Enum type identifying dynamic BPF filters. These are used by
-## :bro:see:`Pcap::precompile_pcap_filter` and :bro:see:`Pcap::precompile_pcap_filter`.
+## :zeek:see:`Pcap::precompile_pcap_filter` and :zeek:see:`Pcap::precompile_pcap_filter`.
 type PcapFilterID: enum { None };
 
 ## Deprecated.
 ##
-## .. bro:see:: anonymize_addr
+## .. zeek:see:: anonymize_addr
 type IPAddrAnonymization: enum {
 KEEP_ORIG_ADDR,
 SEQUENTIALLY_NUMBERED,
@@ -768,7 +768,7 @@ type IPAddrAnonymization: enum {
 
 ## Deprecated.
 ##
-## .. bro:see:: anonymize_addr
+## .. zeek:see:: anonymize_addr
 type IPAddrAnonymizationClass: enum {
 ORIG_ADDR,
 RESP_ADDR,
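Review bot: The renamed line `+## :zeek:see:`Pcap::precompile_pcap_filter` and :zeek:see:`Pcap::precompile_pcap_filter`.` names the same function twice, so the mechanical `:bro:` to `:zeek:` rewrite carries a pre-existing cross-reference error forward into the Zeexygen output for `PcapFilterID`. The second reference was presumably meant to point at the other Pcap BIF that consumes a `PcapFilterID` (the one that installs a precompiled filter), but that name is not visible in this hunk, so confirm it against the BIF declarations before editing. Either replace the duplicate with the correct target or shorten the sentence to `These are used by :zeek:see:`Pcap::precompile_pcap_filter`.` so readers are not sent to the same target twice. The enum definition itself is unchanged by this hunk.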
@@ -776,14 +776,14 @@ type IPAddrAnonymizationClass: enum {
 };
 
 ## A locally unique ID identifying a communication peer. The ID is returned by
-## :bro:id:`connect`.
+## :zeek:id:`connect`.
 ##
-## .. bro:see:: connect
+## .. zeek:see:: connect
 type peer_id: count;
 
 ## A communication peer.
 ##
-## .. bro:see:: complete_handshake disconnect finished_send_state
+## .. zeek:see:: complete_handshake disconnect finished_send_state
 ## get_event_peer get_local_event_peer remote_capture_filter
 ## remote_connection_closed remote_connection_error
 ## remote_connection_established remote_connection_handshake_done
@@ -794,19 +794,19 @@ type peer_id: count;
 ##
 ## .. todo::The type's name is too narrow these days, should rename.
 type event_peer: record {
- id: peer_id; ##< Locally unique ID of peer (returned by :bro:id:`connect`).
+ id: peer_id; ##< Locally unique ID of peer (returned by :zeek:id:`connect`).
 host: addr; ##< The IP address of the peer.
 ## Either the port we connected to at the peer; or our port the peer
 ## connected to if the session is remotely initiated.
 p: port;
 is_local: bool; ##< True if this record describes the local process.
- descr: string; ##< The peer's :bro:see:`peer_description`.
+ descr: string; ##< The peer's :zeek:see:`peer_description`.
 class: string &optional; ##< The self-assigned *class* of the peer.
 };
 
 ## Deprecated.
 ##
-## .. bro:see:: rotate_file rotate_file_by_name rotate_interval
+## .. zeek:see:: rotate_file rotate_file_by_name rotate_interval
 type rotate_info: record {
 old_name: string; ##< Original filename.
 new_name: string; ##< File name after rotation.
@@ -824,7 +824,7 @@ type rotate_info: record {
 
 ## Parameters for the Smith-Waterman algorithm.
 ##
-## .. bro:see:: str_smith_waterman
+## .. zeek:see:: str_smith_waterman
 type sw_params: record {
 ## Minimum size of a substring, minimum "granularity".
 min_strlen: count &default = 3;
@@ -835,7 +835,7 @@ type sw_params: record {
 
 ## Helper type for return value of Smith-Waterman algorithm.
 ##
-## .. bro:see:: str_smith_waterman sw_substring_vec sw_substring sw_align_vec sw_params
+## .. zeek:see:: str_smith_waterman sw_substring_vec sw_substring sw_align_vec sw_params
 type sw_align: record {
 str: string; ##< String a substring is part of.
 index: count; ##< Offset substring is located.
@@ -843,12 +843,12 @@ type sw_align: record {
 
 ## Helper type for return value of Smith-Waterman algorithm.
 ##
-## .. bro:see:: str_smith_waterman sw_substring_vec sw_substring sw_align sw_params
+## .. zeek:see:: str_smith_waterman sw_substring_vec sw_substring sw_align sw_params
 type sw_align_vec: vector of sw_align;
 
 ## Helper type for return value of Smith-Waterman algorithm.
 ##
-## .. bro:see:: str_smith_waterman sw_substring_vec sw_align_vec sw_align sw_params
+## .. zeek:see:: str_smith_waterman sw_substring_vec sw_align_vec sw_align sw_params
 ##
 type sw_substring: record {
 str: string; ##< A substring.
@@ -858,7 +858,7 @@ type sw_substring: record {
 
 ## Return type for Smith-Waterman algorithm.
 ##
-## .. bro:see:: str_smith_waterman sw_substring sw_align_vec sw_align sw_params
+## .. zeek:see:: str_smith_waterman sw_substring sw_align_vec sw_align sw_params
 ##
 ## .. todo:: We need this type definition only for declaring builtin functions
 ## via ``bifcl``. We should extend ``bifcl`` to understand composite types
@@ -869,7 +869,7 @@ type sw_substring_vec: vector of sw_substring;
 ## includes the complete packet as returned by libpcap, including the link-layer
 ## header.
 ##
-## .. bro:see:: dump_packet get_current_packet
+## .. zeek:see:: dump_packet get_current_packet
 type pcap_packet: record {
 ts_sec: count; ##< The non-fractional part of the packet's timestamp (i.e., full seconds since the epoch).
 ts_usec: count; ##< The fractional part of the packet's timestamp.
@@ -881,7 +881,7 @@ type pcap_packet: record {
 
 ## GeoIP location information.
 ##
-## .. bro:see:: lookup_location
+## .. zeek:see:: lookup_location
 type geo_location: record {
 country_code: string &optional; ##< The country code.
 region: string &optional; ##< The region.
@@ -898,7 +898,7 @@ const mmdb_dir: string = "" &redef;
 ## `_ for more information, Bro uses the same
 ## code.
 ##
-## .. bro:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy
+## .. zeek:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy
 type entropy_test_result: record {
 entropy: double; ##< Information density.
 chi_square: double; ##< Chi-Square value.
@@ -907,7 +907,7 @@ type entropy_test_result: record {
 serial_correlation: double; ##< Serial correlation coefficient.
 };
 
-# TCP values for :bro:see:`endpoint` *state* field.
+# TCP values for :zeek:see:`endpoint` *state* field.
 # todo:: these should go into an enum to make them autodoc'able.
 const TCP_INACTIVE = 0; ##< Endpoint is still inactive.
 const TCP_SYN_SENT = 1; ##< Endpoint has sent SYN.
@@ -917,7 +917,7 @@ const TCP_ESTABLISHED = 4; ##< Endpoint has finished initial handshake regularly
 const TCP_CLOSED = 5; ##< Endpoint has closed connection.
 const TCP_RESET = 6; ##< Endpoint has sent RST.
 
-# UDP values for :bro:see:`endpoint` *state* field.
+# UDP values for :zeek:see:`endpoint` *state* field.
 # todo:: these should go into an enum to make them autodoc'able.
 const UDP_INACTIVE = 0; ##< Endpoint is still inactive.
 const UDP_ACTIVE = 1; ##< Endpoint has sent something.
@@ -933,7 +933,7 @@ const ignore_checksums = F &redef;
 const partial_connection_ok = T &redef;
 
 ## If true, instantiate connection state when a SYN/ACK is seen but not the
-## initial SYN (even if :bro:see:`partial_connection_ok` is false).
+## initial SYN (even if :zeek:see:`partial_connection_ok` is false).
 const tcp_SYN_ack_ok = T &redef;
 
 ## If true, pass any undelivered to the signature engine before flushing the state.
@@ -963,53 +963,53 @@ const tcp_close_delay = 5 secs &redef;
 ## Upon seeing a RST, flush state after this much time.
 const tcp_reset_delay = 5 secs &redef;
 
-## Generate a :bro:id:`connection_partial_close` event this much time after one
+## Generate a :zeek:id:`connection_partial_close` event this much time after one
 ## half of a partial connection closes, assuming there has been no subsequent
 ## activity.
 const tcp_partial_close_delay = 3 secs &redef;
 
 ## If a connection belongs to an application that we don't analyze,
 ## time it out after this interval. If 0 secs, then don't time it out (but
-## :bro:see:`tcp_inactivity_timeout`, :bro:see:`udp_inactivity_timeout`, and
-## :bro:see:`icmp_inactivity_timeout` still apply).
+## :zeek:see:`tcp_inactivity_timeout`, :zeek:see:`udp_inactivity_timeout`, and
+## :zeek:see:`icmp_inactivity_timeout` still apply).
 const non_analyzed_lifetime = 0 secs &redef;
 
 ## If a TCP connection is inactive, time it out after this interval. If 0 secs,
 ## then don't time it out.
 ##
-## .. bro:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+## .. zeek:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
 const tcp_inactivity_timeout = 5 min &redef;
 
 ## If a UDP flow is inactive, time it out after this interval. If 0 secs, then
 ## don't time it out.
 ##
-## .. bro:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+## .. zeek:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
 const udp_inactivity_timeout = 1 min &redef;
 
 ## If an ICMP flow is inactive, time it out after this interval. If 0 secs, then
 ## don't time it out.
 ##
-## .. bro:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout
+## .. zeek:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout
 const icmp_inactivity_timeout = 1 min &redef;
 
 ## Number of FINs/RSTs in a row that constitute a "storm". Storms are reported
 ## as ``weird`` via the notice framework, and they must also come within
-## intervals of at most :bro:see:`tcp_storm_interarrival_thresh`.
+## intervals of at most :zeek:see:`tcp_storm_interarrival_thresh`.
 ##
-## .. bro:see:: tcp_storm_interarrival_thresh
+## .. zeek:see:: tcp_storm_interarrival_thresh
 const tcp_storm_thresh = 1000 &redef;
 
 ## FINs/RSTs must come with this much time or less between them to be
 ## considered a "storm".
 ##
-## .. bro:see:: tcp_storm_thresh
+## .. zeek:see:: tcp_storm_thresh
 const tcp_storm_interarrival_thresh = 1 sec &redef;
 
 ## Maximum amount of data that might plausibly be sent in an initial flight
 ## (prior to receiving any acks). Used to determine whether we must not be
 ## seeing our peer's ACKs. Set to zero to turn off this determination.
 ##
-## .. bro:see:: tcp_max_above_hole_without_any_acks tcp_excessive_data_without_further_acks
+## .. zeek:see:: tcp_max_above_hole_without_any_acks tcp_excessive_data_without_further_acks
 const tcp_max_initial_window = 16384 &redef;
 
 ## If we're not seeing our peer's ACKs, the maximum volume of data above a
@@ -1017,7 +1017,7 @@ const tcp_max_initial_window = 16384 &redef;
 ## drop and we should give up on tracking a connection. If set to zero, then we
 ## don't ever give up.
 ##
-## .. bro:see:: tcp_max_initial_window tcp_excessive_data_without_further_acks
+## .. zeek:see:: tcp_max_initial_window tcp_excessive_data_without_further_acks
 const tcp_max_above_hole_without_any_acks = 16384 &redef;
 
 ## If we've seen this much data without any of it being acked, we give up
@@ -1026,7 +1026,7 @@ const tcp_max_above_hole_without_any_acks = 16384 &redef;
 ## track the current window on a connection and use it to infer that data
 ## has in fact gone too far, but for now we just make this quite beefy.
 ##
-## .. bro:see:: tcp_max_initial_window tcp_max_above_hole_without_any_acks
+## .. zeek:see:: tcp_max_initial_window tcp_max_above_hole_without_any_acks
 const tcp_excessive_data_without_further_acks = 10 * 1024 * 1024 &redef;
 
 ## Number of TCP segments to buffer beyond what's been acknowledged already
@@ -1037,46 +1037,46 @@ const tcp_max_old_segments = 0 &redef;
 ## For services without a handler, these sets define originator-side ports
 ## that still trigger reassembly.
 ##
-## .. bro:see:: tcp_reassembler_ports_resp
+## .. zeek:see:: tcp_reassembler_ports_resp
 const tcp_reassembler_ports_orig: set[port] = {} &redef;
 
 ## For services without a handler, these sets define responder-side ports
 ## that still trigger reassembly.
 ##
-## .. bro:see:: tcp_reassembler_ports_orig
+## .. zeek:see:: tcp_reassembler_ports_orig
 const tcp_reassembler_ports_resp: set[port] = {} &redef;
 
 ## Defines destination TCP ports for which the contents of the originator stream
-## should be delivered via :bro:see:`tcp_contents`.
+## should be delivered via :zeek:see:`tcp_contents`.
 ##
-## .. bro:see:: tcp_content_delivery_ports_resp tcp_content_deliver_all_orig
+## .. zeek:see:: tcp_content_delivery_ports_resp tcp_content_deliver_all_orig
 ## tcp_content_deliver_all_resp udp_content_delivery_ports_orig
 ## udp_content_delivery_ports_resp udp_content_deliver_all_orig
 ## udp_content_deliver_all_resp tcp_contents
 const tcp_content_delivery_ports_orig: table[port] of bool = {} &redef;
 
 ## Defines destination TCP ports for which the contents of the responder stream
-## should be delivered via :bro:see:`tcp_contents`.
+## should be delivered via :zeek:see:`tcp_contents`.
 ##
-## .. bro:see:: tcp_content_delivery_ports_orig tcp_content_deliver_all_orig
+## .. zeek:see:: tcp_content_delivery_ports_orig tcp_content_deliver_all_orig
 ## tcp_content_deliver_all_resp udp_content_delivery_ports_orig
 ## udp_content_delivery_ports_resp udp_content_deliver_all_orig
 ## udp_content_deliver_all_resp tcp_contents
 const tcp_content_delivery_ports_resp: table[port] of bool = {} &redef;
 
 ## If true, all TCP originator-side traffic is reported via
-## :bro:see:`tcp_contents`.
+## :zeek:see:`tcp_contents`.
 ##
-## .. bro:see:: tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
+## .. zeek:see:: tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
 ## tcp_content_deliver_all_resp udp_content_delivery_ports_orig
 ## udp_content_delivery_ports_resp udp_content_deliver_all_orig
 ## udp_content_deliver_all_resp tcp_contents
 const tcp_content_deliver_all_orig = F &redef;
 
 ## If true, all TCP responder-side traffic is reported via
-## :bro:see:`tcp_contents`.
+## :zeek:see:`tcp_contents`.
 ##
-## .. bro:see:: tcp_content_delivery_ports_orig
+## .. zeek:see:: tcp_content_delivery_ports_orig
 ## tcp_content_delivery_ports_resp
 ## tcp_content_deliver_all_orig udp_content_delivery_ports_orig
 ## udp_content_delivery_ports_resp udp_content_deliver_all_orig
@@ -1084,9 +1084,9 @@ const tcp_content_deliver_all_orig = F &redef;
 const tcp_content_deliver_all_resp = F &redef;
 
 ## Defines UDP destination ports for which the contents of the originator stream
-## should be delivered via :bro:see:`udp_contents`.
+## should be delivered via :zeek:see:`udp_contents`.
 ##
-## .. bro:see:: tcp_content_delivery_ports_orig
+## .. zeek:see:: tcp_content_delivery_ports_orig
 ## tcp_content_delivery_ports_resp
 ## tcp_content_deliver_all_orig tcp_content_deliver_all_resp
 ## udp_content_delivery_ports_resp udp_content_deliver_all_orig
@@ -1094,18 +1094,18 @@ const tcp_content_deliver_all_resp = F &redef;
 const udp_content_delivery_ports_orig: table[port] of bool = {} &redef;
 
 ## Defines UDP destination ports for which the contents of the responder stream
-## should be delivered via :bro:see:`udp_contents`.
+## should be delivered via :zeek:see:`udp_contents`.
 ##
-## .. bro:see:: tcp_content_delivery_ports_orig
+## .. zeek:see:: tcp_content_delivery_ports_orig
 ## tcp_content_delivery_ports_resp tcp_content_deliver_all_orig
 ## tcp_content_deliver_all_resp udp_content_delivery_ports_orig
 ## udp_content_deliver_all_orig udp_content_deliver_all_resp udp_contents
 const udp_content_delivery_ports_resp: table[port] of bool = {} &redef;
 
 ## If true, all UDP originator-side traffic is reported via
-## :bro:see:`udp_contents`.
+## :zeek:see:`udp_contents`.
 ##
-## .. bro:see:: tcp_content_delivery_ports_orig
+## .. zeek:see:: tcp_content_delivery_ports_orig
 ## tcp_content_delivery_ports_resp tcp_content_deliver_all_resp
 ## tcp_content_delivery_ports_orig udp_content_delivery_ports_orig
 ## udp_content_delivery_ports_resp udp_content_deliver_all_resp
@@ -1113,9 +1113,9 @@ const udp_content_delivery_ports_resp: table[port] of bool = {} &redef;
 const udp_content_deliver_all_orig = F &redef;
 
 ## If true, all UDP responder-side traffic is reported via
-## :bro:see:`udp_contents`.
+## :zeek:see:`udp_contents`.
 ##
-## .. bro:see:: tcp_content_delivery_ports_orig
+## .. zeek:see:: tcp_content_delivery_ports_orig
 ## tcp_content_delivery_ports_resp tcp_content_deliver_all_resp
 ## tcp_content_delivery_ports_orig udp_content_delivery_ports_orig
 ## udp_content_delivery_ports_resp udp_content_deliver_all_orig
@@ -1124,19 +1124,19 @@ const udp_content_deliver_all_resp = F &redef;
 
 ## Check for expired table entries after this amount of time.
 ##
-## .. bro:see:: table_incremental_step table_expire_delay
+## .. zeek:see:: table_incremental_step table_expire_delay
 const table_expire_interval = 10 secs &redef;
 
 ## When expiring/serializing table entries, don't work on more than this many
 ## table entries at a time.
 ##
-## .. bro:see:: table_expire_interval table_expire_delay
+## .. zeek:see:: table_expire_interval table_expire_delay
 const table_incremental_step = 5000 &redef;
 
 ## When expiring table entries, wait this amount of time before checking the
 ## next chunk of entries.
 ##
-## .. bro:see:: table_expire_interval table_incremental_step
+## .. zeek:see:: table_expire_interval table_incremental_step
 const table_expire_delay = 0.01 secs &redef;
 
 ## Time to wait before timing out a DNS request.
@@ -1158,7 +1158,7 @@ const encap_hdr_size = 0 &redef;
 
 ## Whether to use the ``ConnSize`` analyzer to count the number of packets and
 ## IP-level bytes transferred by each endpoint. If true, these values are
-## returned in the connection's :bro:see:`endpoint` record value.
+## returned in the connection's :zeek:see:`endpoint` record value.
 const use_conn_size_analyzer = T &redef;
 
 # todo:: these should go into an enum to make them autodoc'able.
@@ -1167,7 +1167,7 @@ const ENDIAN_LITTLE = 1; ##< Little endian.
 const ENDIAN_BIG = 2; ##< Big endian.
 const ENDIAN_CONFUSED = 3; ##< Tried to determine endian, but failed.
 
-# Values for :bro:see:`set_contents_file` *direction* argument.
+# Values for :zeek:see:`set_contents_file` *direction* argument.
 # todo:: these should go into an enum to make them autodoc'able
 const CONTENTS_NONE = 0; ##< Turn off recording of contents.
 const CONTENTS_ORIG = 1; ##< Record originator contents.
@@ -1177,7 +1177,7 @@ const CONTENTS_BOTH = 3; ##< Record both originator and responder contents.
 # Values for code of ICMP *unreachable* messages. The list is not exhaustive.
 # todo:: these should go into an enum to make them autodoc'able
 #
-# .. bro:see:: icmp_unreachable
+# .. zeek:see:: icmp_unreachable
 const ICMP_UNREACH_NET = 0; ##< Network unreachable.
 const ICMP_UNREACH_HOST = 1; ##< Host unreachable.
 const ICMP_UNREACH_PROTOCOL = 2; ##< Protocol unreachable.
@@ -1211,7 +1211,7 @@ const IPPROTO_MOBILITY = 135; ##< IPv6 mobility header.
 ## Values extracted from an IPv6 extension header's (e.g. hop-by-hop or
 ## destination option headers) option field.
 ##
-## .. bro:see:: ip6_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts
+## .. zeek:see:: ip6_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts
 type ip6_option: record {
 otype: count; ##< Option type.
 len: count; ##< Option data length.
@@ -1223,10 +1223,10 @@ type ip6_options: vector of ip6_option;
 
 ## Values extracted from an IPv6 Hop-by-Hop options extension header.
 ##
-## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option
+## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option
 type ip6_hopopts: record {
 ## Protocol number of the next header (RFC 1700 et seq., IANA assigned
- ## number), e.g. :bro:id:`IPPROTO_ICMP`.
+ ## number), e.g. :zeek:id:`IPPROTO_ICMP`.
 nxt: count;
 ## Length of header in 8-octet units, excluding first unit.
 len: count;
@@ -1236,10 +1236,10 @@ type ip6_hopopts: record {
 
 ## Values extracted from an IPv6 Destination options extension header.
 ##
-## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option
+## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option
 type ip6_dstopts: record {
 ## Protocol number of the next header (RFC 1700 et seq., IANA assigned
- ## number), e.g. :bro:id:`IPPROTO_ICMP`.
+ ## number), e.g. :zeek:id:`IPPROTO_ICMP`.
 nxt: count;
 ## Length of header in 8-octet units, excluding first unit.
 len: count;
@@ -1249,10 +1249,10 @@ type ip6_dstopts: record {
 
 ## Values extracted from an IPv6 Routing extension header.
 ##
-## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
+## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
 type ip6_routing: record {
 ## Protocol number of the next header (RFC 1700 et seq., IANA assigned
- ## number), e.g. :bro:id:`IPPROTO_ICMP`.
+ ## number), e.g. :zeek:id:`IPPROTO_ICMP`.
 nxt: count;
 ## Length of header in 8-octet units, excluding first unit.
 len: count;
@@ -1266,10 +1266,10 @@ type ip6_routing: record {
 
 ## Values extracted from an IPv6 Fragment extension header.
 ##
-## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
+## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
 type ip6_fragment: record {
 ## Protocol number of the next header (RFC 1700 et seq., IANA assigned
- ## number), e.g. :bro:id:`IPPROTO_ICMP`.
+ ## number), e.g. :zeek:id:`IPPROTO_ICMP`.
 nxt: count;
 ## 8-bit reserved field.
 rsv1: count;
@@ -1285,10 +1285,10 @@ type ip6_fragment: record {
 
 ## Values extracted from an IPv6 Authentication extension header.
 ##
-## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
+## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
 type ip6_ah: record {
 ## Protocol number of the next header (RFC 1700 et seq., IANA assigned
- ## number), e.g. :bro:id:`IPPROTO_ICMP`.
+ ## number), e.g. :zeek:id:`IPPROTO_ICMP`.
 nxt: count;
 ## Length of header in 4-octet units, excluding first two units.
 len: count;
@@ -1304,7 +1304,7 @@ type ip6_ah: record {
 
 ## Values extracted from an IPv6 ESP extension header.
 ##
-## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
+## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
 type ip6_esp: record {
 ## Security Parameters Index.
 spi: count;
@@ -1314,7 +1314,7 @@ type ip6_esp: record {
 
 ## Values extracted from an IPv6 Mobility Binding Refresh Request message.
 ##
-## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
 type ip6_mobility_brr: record {
 ## Reserved.
 rsv: count;
@@ -1324,7 +1324,7 @@ type ip6_mobility_brr: record {
 
 ## Values extracted from an IPv6 Mobility Home Test Init message.
 ##
-## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
 type ip6_mobility_hoti: record {
 ## Reserved.
 rsv: count;
@@ -1336,7 +1336,7 @@ type ip6_mobility_hoti: record {
 
 ## Values extracted from an IPv6 Mobility Care-of Test Init message.
 ##
-## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
 type ip6_mobility_coti: record {
 ## Reserved.
 rsv: count;
@@ -1348,7 +1348,7 @@ type ip6_mobility_coti: record {
 
 ## Values extracted from an IPv6 Mobility Home Test message.
 ##
-## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
 type ip6_mobility_hot: record {
 ## Home Nonce Index.
 nonce_idx: count;
@@ -1362,7 +1362,7 @@ type ip6_mobility_hot: record {
 
 ## Values extracted from an IPv6 Mobility Care-of Test message.
 ##
-## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
 type ip6_mobility_cot: record {
 ## Care-of Nonce Index.
 nonce_idx: count;
@@ -1376,7 +1376,7 @@ type ip6_mobility_cot: record {
 
 ## Values extracted from an IPv6 Mobility Binding Update message.
 ##
-## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
 type ip6_mobility_bu: record {
 ## Sequence number.
 seq: count;
@@ -1396,7 +1396,7 @@ type ip6_mobility_bu: record {
 
 ## Values extracted from an IPv6 Mobility Binding Acknowledgement message.
 ##
-## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
 type ip6_mobility_back: record {
 ## Status.
 status: count;
@@ -1412,7 +1412,7 @@ type ip6_mobility_back: record {
 
 ## Values extracted from an IPv6 Mobility Binding Error message.
 ##
-## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
 type ip6_mobility_be: record {
 ## Status.
 status: count;
@@ -1424,7 +1424,7 @@ type ip6_mobility_be: record {
 
 ## Values extracted from an IPv6 Mobility header's message data.
 ##
-## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr
+## .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr
 type ip6_mobility_msg: record {
 ## The type of message from the header's MH Type field.
 id: count;
@@ -1448,10 +1448,10 @@ type ip6_mobility_msg: record {
 
 ## Values extracted from an IPv6 Mobility header.
 ##
-## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
+## .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
 type ip6_mobility_hdr: record {
 ## Protocol number of the next header (RFC 1700 et seq., IANA assigned
- ## number), e.g. :bro:id:`IPPROTO_ICMP`.
+ ## number), e.g. :zeek:id:`IPPROTO_ICMP`.
 nxt: count;
 ## Length of header in 8-octet units, excluding first unit.
 len: count;
@@ -1467,7 +1467,7 @@ type ip6_mobility_hdr: record {
 
 ## A general container for a more specific IPv6 extension header.
 ##
-## .. bro:see:: pkt_hdr ip4_hdr ip6_hopopts ip6_dstopts ip6_routing ip6_fragment
+## .. zeek:see:: pkt_hdr ip4_hdr ip6_hopopts ip6_dstopts ip6_routing ip6_fragment
 ## ip6_ah ip6_esp
 type ip6_ext_hdr: record {
 ## The RFC 1700 et seq. IANA assigned number identifying the type of
@@ -1494,7 +1494,7 @@ type ip6_ext_hdr_chain: vector of ip6_ext_hdr; ## Values extracted from an IPv6 header. ## -## .. bro:see:: pkt_hdr ip4_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts +## .. zeek:see:: pkt_hdr ip4_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts ## ip6_routing ip6_fragment ip6_ah ip6_esp type ip6_hdr: record { class: count; ##< Traffic class. @@ -1502,7 +1502,7 @@ type ip6_hdr: record { len: count; ##< Payload length. nxt: count; ##< Protocol number of the next header ##< (RFC 1700 et seq., IANA assigned number) - ##< e.g. :bro:id:`IPPROTO_ICMP`. + ##< e.g. :zeek:id:`IPPROTO_ICMP`. hlim: count; ##< Hop limit. src: addr; ##< Source address. dst: addr; ##< Destination address. @@ -1511,7 +1511,7 @@ type ip6_hdr: record { ## Values extracted from an IPv4 header. ## -## .. bro:see:: pkt_hdr ip6_hdr discarder_check_ip +## .. zeek:see:: pkt_hdr ip6_hdr discarder_check_ip type ip4_hdr: record { hl: count; ##< Header length in bytes. tos: count; ##< Type of service. @@ -1536,7 +1536,7 @@ const TH_FLAGS = 63; ##< Mask combining all flags. ## Values extracted from a TCP header. ## -## .. bro:see:: pkt_hdr discarder_check_tcp +## .. zeek:see:: pkt_hdr discarder_check_tcp type tcp_hdr: record { sport: port; ##< source port. dport: port; ##< destination port @@ -1550,7 +1550,7 @@ type tcp_hdr: record { ## Values extracted from a UDP header. ## -## .. bro:see:: pkt_hdr discarder_check_udp +## .. zeek:see:: pkt_hdr discarder_check_udp type udp_hdr: record { sport: port; ##< source port dport: port; ##< destination port 
@@ -1559,14 +1559,14 @@ type udp_hdr: record { ## Values extracted from an ICMP header. ## -## .. bro:see:: pkt_hdr discarder_check_icmp +## .. zeek:see:: pkt_hdr discarder_check_icmp type icmp_hdr: record { icmp_type: count; ##< type of message }; ## A packet header, consisting of an IP header and transport-layer header. ## -## .. bro:see:: new_packet +## .. zeek:see:: new_packet type pkt_hdr: record { ip: ip4_hdr &optional; ##< The IPv4 header if an IPv4 packet. ip6: ip6_hdr &optional; ##< The IPv6 header if an IPv6 packet. @@ -1577,7 +1577,7 @@ type pkt_hdr: record { ## Values extracted from the layer 2 header. ## -## .. bro:see:: pkt_hdr +## .. zeek:see:: pkt_hdr type l2_hdr: record { encap: link_encap; ##< L2 link encapsulation. len: count; ##< Total frame length on wire. @@ -1591,9 +1591,9 @@ type l2_hdr: record { }; ## A raw packet header, consisting of L2 header and everything in -## :bro:see:`pkt_hdr`. . +## :zeek:see:`pkt_hdr`. . ## -## .. bro:see:: raw_packet pkt_hdr +## .. zeek:see:: raw_packet pkt_hdr type raw_pkt_hdr: record { l2: l2_hdr; ##< The layer 2 header. ip: ip4_hdr &optional; ##< The IPv4 header if an IPv4 packet. @@ -1606,7 +1606,7 @@ type raw_pkt_hdr: record { ## A Teredo origin indication header. See :rfc:`4380` for more information ## about the Teredo protocol. ## -## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication +## .. zeek:see:: teredo_bubble teredo_origin_indication teredo_authentication ## teredo_hdr type teredo_auth: record { id: string; ##< Teredo client identifier. @@ -1622,7 +1622,7 @@ type teredo_auth: record { ## A Teredo authentication header. See :rfc:`4380` for more information ## about the Teredo protocol. ## -## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication +## .. zeek:see:: teredo_bubble teredo_origin_indication teredo_authentication ## teredo_hdr type teredo_origin: record { p: port; ##< Unobfuscated UDP port of Teredo client. 
@@ -1632,7 +1632,7 @@ type teredo_origin: record { ## A Teredo packet header. See :rfc:`4380` for more information about the ## Teredo protocol. ## -## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication +## .. zeek:see:: teredo_bubble teredo_origin_indication teredo_authentication type teredo_hdr: record { auth: teredo_auth &optional; ##< Teredo authentication header. origin: teredo_origin &optional; ##< Teredo origin indication header. @@ -1831,7 +1831,7 @@ global log_file_name: function(tag: string): string &redef; global open_log_file: function(tag: string): file &redef; ## Specifies a directory for Bro to store its persistent state. All globals can -## be declared persistent via the :bro:attr:`&persistent` attribute. +## be declared persistent via the :zeek:attr:`&persistent` attribute. const state_dir = ".state" &redef; ## Length of the delays inserted when storing state incrementally. To avoid @@ -1892,7 +1892,7 @@ global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr) ## Maximum length of payload passed to discarder functions. ## -## .. bro:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp +## .. zeek:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp ## discarder_check_ip global discarder_maxlen = 128 &redef; @@ -1905,7 +1905,7 @@ global discarder_maxlen = 128 &redef; ## ## Returns: True if the packet should not be analyzed any further. ## -## .. bro:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp +## .. zeek:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp ## discarder_maxlen ## ## .. note:: This is very low-level functionality and potentially expensive. 
@@ -1919,11 +1919,11 @@ global discarder_check_ip: function(p: pkt_hdr): bool; ## ## p: The IP and TCP headers of the considered packet. ## -## d: Up to :bro:see:`discarder_maxlen` bytes of the TCP payload. +## d: Up to :zeek:see:`discarder_maxlen` bytes of the TCP payload. ## ## Returns: True if the packet should not be analyzed any further. ## -## .. bro:see:: discarder_check_ip discarder_check_udp discarder_check_icmp +## .. zeek:see:: discarder_check_ip discarder_check_udp discarder_check_icmp ## discarder_maxlen ## ## .. note:: This is very low-level functionality and potentially expensive. @@ -1937,11 +1937,11 @@ global discarder_check_tcp: function(p: pkt_hdr, d: string): bool; ## ## p: The IP and UDP headers of the considered packet. ## -## d: Up to :bro:see:`discarder_maxlen` bytes of the UDP payload. +## d: Up to :zeek:see:`discarder_maxlen` bytes of the UDP payload. ## ## Returns: True if the packet should not be analyzed any further. ## -## .. bro:see:: discarder_check_ip discarder_check_tcp discarder_check_icmp +## .. zeek:see:: discarder_check_ip discarder_check_tcp discarder_check_icmp ## discarder_maxlen ## ## .. note:: This is very low-level functionality and potentially expensive. @@ -1957,7 +1957,7 @@ global discarder_check_udp: function(p: pkt_hdr, d: string): bool; ## ## Returns: True if the packet should not be analyzed any further. ## -## .. bro:see:: discarder_check_ip discarder_check_tcp discarder_check_udp +## .. zeek:see:: discarder_check_ip discarder_check_tcp discarder_check_udp ## discarder_maxlen ## ## .. note:: This is very low-level functionality and potentially expensive. @@ -1979,7 +1979,7 @@ const max_remote_events_processed = 10 &redef; # These need to match the definitions in Login.h. # -# .. bro:see:: get_login_state +# .. zeek:see:: get_login_state # # todo:: use enum to make them autodoc'able const LOGIN_STATE_AUTHENTICATE = 0; # Trying to authenticate. 
@@ -2061,7 +2061,7 @@ global login_timeouts: set[string] &redef; ## A MIME header key/value pair. ## -## .. bro:see:: mime_header_list http_all_headers mime_all_headers mime_one_header +## .. zeek:see:: mime_header_list http_all_headers mime_all_headers mime_one_header type mime_header_rec: record { name: string; ##< The header name. value: string; ##< The header value. @@ -2069,22 +2069,22 @@ type mime_header_rec: record { ## A list of MIME headers. ## -## .. bro:see:: mime_header_rec http_all_headers mime_all_headers +## .. zeek:see:: mime_header_rec http_all_headers mime_all_headers type mime_header_list: table[count] of mime_header_rec; ## The length of MIME data segments delivered to handlers of -## :bro:see:`mime_segment_data`. +## :zeek:see:`mime_segment_data`. ## -## .. bro:see:: mime_segment_data mime_segment_overlap_length +## .. zeek:see:: mime_segment_data mime_segment_overlap_length global mime_segment_length = 1024 &redef; ## The number of bytes of overlap between successive segments passed to -## :bro:see:`mime_segment_data`. +## :zeek:see:`mime_segment_data`. global mime_segment_overlap_length = 0 &redef; ## An RPC portmapper mapping. ## -## .. bro:see:: pm_mappings +## .. zeek:see:: pm_mappings type pm_mapping: record { program: count; ##< The RPC program. version: count; ##< The program version. @@ -2093,12 +2093,12 @@ type pm_mapping: record { ## Table of RPC portmapper mappings. ## -## .. bro:see:: pm_request_dump +## .. zeek:see:: pm_request_dump type pm_mappings: table[count] of pm_mapping; ## An RPC portmapper request. ## -## .. bro:see:: pm_attempt_getport pm_request_getport +## .. zeek:see:: pm_attempt_getport pm_request_getport type pm_port_request: record { program: count; ##< The RPC program. version: count; ##< The program version. 
@@ -2107,7 +2107,7 @@ type pm_port_request: record { ## An RPC portmapper *callit* request. ## -## .. bro:see:: pm_attempt_callit pm_request_callit +## .. zeek:see:: pm_attempt_callit pm_request_callit type pm_callit_request: record { program: count; ##< The RPC program. version: count; ##< The program version. @@ -2128,7 +2128,7 @@ type pm_callit_request: record { ## Mapping of numerical RPC status codes to readable messages. ## -## .. bro:see:: pm_attempt_callit pm_attempt_dump pm_attempt_getport +## .. zeek:see:: pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_attempt_unset rpc_dialogue rpc_reply const RPC_status = { [RPC_SUCCESS] = "ok", @@ -2145,17 +2145,17 @@ const RPC_status = { module NFS3; export { - ## If true, :bro:see:`nfs_proc_read` and :bro:see:`nfs_proc_write` + ## If true, :zeek:see:`nfs_proc_read` and :zeek:see:`nfs_proc_write` ## events return the file data that has been read/written. ## - ## .. bro:see:: NFS3::return_data_max NFS3::return_data_first_only + ## .. zeek:see:: NFS3::return_data_max NFS3::return_data_first_only const return_data = F &redef; - ## If :bro:id:`NFS3::return_data` is true, how much data should be + ## If :zeek:id:`NFS3::return_data` is true, how much data should be ## returned at most. const return_data_max = 512 &redef; - ## If :bro:id:`NFS3::return_data` is true, whether to *only* return data + ## If :zeek:id:`NFS3::return_data` is true, whether to *only* return data ## if the read or write offset is 0, i.e., only return data for the ## beginning of the file. const return_data_first_only = T &redef; 
@@ -2171,7 +2171,7 @@ export { ## analyzer. Depending on the reassembler, this might be well after the ## first packet of the request was received. ## - ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup + ## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup ## nfs_proc_mkdir nfs_proc_not_implemented nfs_proc_null ## nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove ## nfs_proc_rmdir nfs_proc_write nfs_reply_status @@ -2206,7 +2206,7 @@ export { ## NFS file attributes. Field names are based on RFC 1813. ## - ## .. bro:see:: nfs_proc_sattr + ## .. zeek:see:: nfs_proc_sattr type sattr_t: record { mode: count &optional; ##< Mode uid: count &optional; ##< User ID. @@ -2218,7 +2218,7 @@ export { ## NFS file attributes. Field names are based on RFC 1813. ## - ## .. bro:see:: nfs_proc_getattr + ## .. zeek:see:: nfs_proc_getattr type fattr_t: record { ftype: file_type_t; ##< File type. mode: count; ##< Mode @@ -2238,7 +2238,7 @@ export { ## NFS symlinkdata attributes. Field names are based on RFC 1813 ## - ## .. bro:see:: nfs_proc_symlink + ## .. zeek:see:: nfs_proc_symlink type symlinkdata_t: record { symlink_attributes: sattr_t; ##< The initial attributes for the symbolic link nfspath: string &optional; ##< The string containing the symbolic link data. @@ -2246,7 +2246,7 @@ export { ## NFS *readdir* arguments. ## - ## .. bro:see:: nfs_proc_readdir + ## .. zeek:see:: nfs_proc_readdir type diropargs_t : record { dirfh: string; ##< The file handle of the directory. fname: string; ##< The name of the file we are interested in. @@ -2254,7 +2254,7 @@ export { ## NFS *rename* arguments. ## - ## .. bro:see:: nfs_proc_rename + ## .. zeek:see:: nfs_proc_rename type renameopargs_t : record { src_dirfh : string; src_fname : string; 
@@ -2264,7 +2264,7 @@ export { ## NFS *symlink* arguments. ## - ## .. bro:see:: nfs_proc_symlink + ## .. zeek:see:: nfs_proc_symlink type symlinkargs_t: record { link : diropargs_t; ##< The location of the link to be created. symlinkdata: symlinkdata_t; ##< The symbolic link to be created. @@ -2272,7 +2272,7 @@ export { ## NFS *link* arguments. ## - ## .. bro:see:: nfs_proc_link + ## .. zeek:see:: nfs_proc_link type linkargs_t: record { fh : string; ##< The file handle for the existing file system object. link : diropargs_t; ##< The location of the link to be created. @@ -2280,7 +2280,7 @@ export { ## NFS *sattr* arguments. ## - ## .. bro:see:: nfs_proc_sattr + ## .. zeek:see:: nfs_proc_sattr type sattrargs_t: record { fh : string; ##< The file handle for the existing file system object. new_attributes: sattr_t; ##< The new attributes for the file. @@ -2290,7 +2290,7 @@ export { ## lookup succeeded, *fh* is always set and *obj_attr* and *dir_attr* ## may be set. ## - ## .. bro:see:: nfs_proc_lookup + ## .. zeek:see:: nfs_proc_lookup type lookup_reply_t: record { fh: string &optional; ##< File handle of object looked up. obj_attr: fattr_t &optional; ##< Optional attributes associated w/ file @@ -2299,7 +2299,7 @@ export { ## NFS *read* arguments. ## - ## .. bro:see:: nfs_proc_read + ## .. zeek:see:: nfs_proc_read type readargs_t: record { fh: string; ##< File handle to read from. offset: count; ##< Offset in file. @@ -2318,7 +2318,7 @@ export { ## NFS *readline* reply. If the request fails, *attr* may be set. If the ## request succeeds, *attr* may be set and all other fields are set. ## - ## .. bro:see:: nfs_proc_readlink + ## .. zeek:see:: nfs_proc_readlink type readlink_reply_t: record { attr: fattr_t &optional; ##< Attributes. nfspath: string &optional; ##< Contents of the symlink; in general a pathname as text. 
@@ -2326,7 +2326,7 @@ export { ## NFS *write* arguments. ## - ## .. bro:see:: nfs_proc_write + ## .. zeek:see:: nfs_proc_write type writeargs_t: record { fh: string; ##< File handle to write to. offset: count; ##< Offset in file. @@ -2337,7 +2337,7 @@ export { ## NFS *wcc* attributes. ## - ## .. bro:see:: NFS3::write_reply_t + ## .. zeek:see:: NFS3::write_reply_t type wcc_attr_t: record { size: count; ##< The size. atime: time; ##< Access time. @@ -2346,7 +2346,7 @@ export { ## NFS *link* reply. ## - ## .. bro:see:: nfs_proc_link + ## .. zeek:see:: nfs_proc_link type link_reply_t: record { post_attr: fattr_t &optional; ##< Optional post-operation attributes of the file system object identified by file preattr: wcc_attr_t &optional; ##< Optional attributes associated w/ file. @@ -2365,7 +2365,7 @@ export { ## If the request succeeds, *pre|post* attr may be set and all other ## fields are set. ## - ## .. bro:see:: nfs_proc_write + ## .. zeek:see:: nfs_proc_write type write_reply_t: record { preattr: wcc_attr_t &optional; ##< Pre operation attributes. postattr: fattr_t &optional; ##< Post operation attributes. @@ -2379,7 +2379,7 @@ export { ## *attr*'s may be set. Note: no guarantee that *fh* is set after ## success. ## - ## .. bro:see:: nfs_proc_create nfs_proc_mkdir + ## .. zeek:see:: nfs_proc_create nfs_proc_mkdir type newobj_reply_t: record { fh: string &optional; ##< File handle of object created. obj_attr: fattr_t &optional; ##< Optional attributes associated w/ new object. @@ -2389,7 +2389,7 @@ export { ## NFS reply for *remove*, *rmdir*. Corresponds to *wcc_data* in the spec. ## - ## .. bro:see:: nfs_proc_remove nfs_proc_rmdir + ## .. zeek:see:: nfs_proc_remove nfs_proc_rmdir type delobj_reply_t: record { dir_pre_attr: wcc_attr_t &optional; ##< Optional attributes associated w/ dir. dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir. 
@@ -2397,7 +2397,7 @@ export { ## NFS reply for *rename*. Corresponds to *wcc_data* in the spec. ## - ## .. bro:see:: nfs_proc_rename + ## .. zeek:see:: nfs_proc_rename type renameobj_reply_t: record { src_dir_pre_attr: wcc_attr_t; src_dir_post_attr: fattr_t; @@ -2407,7 +2407,7 @@ export { ## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*. ## - ## .. bro:see:: nfs_proc_readdir + ## .. zeek:see:: nfs_proc_readdir type readdirargs_t: record { isplus: bool; ##< Is this a readdirplus request? dirfh: string; ##< The directory filehandle. @@ -2420,7 +2420,7 @@ export { ## NFS *direntry*. *fh* and *attr* are used for *readdirplus*. However, ## even for *readdirplus* they may not be filled out. ## - ## .. bro:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t + ## .. zeek:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t type direntry_t: record { fileid: count; ##< E.g., inode number. fname: string; ##< Filename. @@ -2431,7 +2431,7 @@ export { ## Vector of NFS *direntry*. ## - ## .. bro:see:: NFS3::readdir_reply_t + ## .. zeek:see:: NFS3::readdir_reply_t type direntry_vec_t: vector of direntry_t; ## NFS *readdir* reply. Used for *readdir* and *readdirplus*. If an is @@ -2473,7 +2473,7 @@ export { # analyzer. Depending on the reassembler, this might be well after the # first packet of the request was received. # - # .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt + # .. zeek:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt # mount_proc_umntall mount_proc_export mount_proc_not_implemented type info_t: record { ## The RPC status. @@ -2506,7 +2506,7 @@ export { ## MOUNT *mnt* arguments. ## - ## .. bro:see:: mount_proc_mnt + ## .. zeek:see:: mount_proc_mnt type dirmntargs_t : record { dirname: string; ##< Name of directory to mount }; 
@@ -2514,7 +2514,7 @@ export { ## MOUNT lookup reply. If the mount failed, *dir_attr* may be set. If the ## mount succeeded, *fh* is always set. ## - ## .. bro:see:: mount_proc_mnt + ## .. zeek:see:: mount_proc_mnt type mnt_reply_t: record { dirfh: string &optional; ##< Dir handle auth_flavors: vector of auth_flavor_t &optional; ##< Returned authentication flavors @@ -2571,7 +2571,7 @@ module GLOBAL; ## An NTP message. ## -## .. bro:see:: ntp_message +## .. zeek:see:: ntp_message type ntp_msg: record { id: count; ##< Message ID. code: count; ##< Message code. @@ -2730,7 +2730,7 @@ export { ## ## For more information, see MS-SMB2:2.2.16 ## - ## .. bro:see:: smb1_nt_create_andx_response smb2_create_response + ## .. zeek:see:: smb1_nt_create_andx_response smb2_create_response type SMB::MACTimes: record { ## The time when data was last written to the file. modified : time &log; @@ -2746,7 +2746,7 @@ export { ## only comes into play as a heuristic to identify named ## pipes when the drive mapping wasn't seen by Bro. ## - ## .. bro:see:: smb_pipe_connect_heuristic + ## .. zeek:see:: smb_pipe_connect_heuristic const SMB::pipe_filenames: set[string] &redef; } @@ -2755,7 +2755,7 @@ module SMB1; export { ## An SMB1 header. ## - ## .. bro:see:: smb1_message smb1_empty_response smb1_error + ## .. zeek:see:: smb1_message smb1_empty_response smb1_error ## smb1_check_directory_request smb1_check_directory_response ## smb1_close_request smb1_create_directory_request ## smb1_create_directory_response smb1_echo_request @@ -3112,7 +3112,7 @@ export { ## ## For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2 ## - ## .. bro:see:: smb2_message smb2_close_request smb2_close_response + ## .. zeek:see:: smb2_message smb2_close_request smb2_close_response ## smb2_create_request smb2_create_response smb2_negotiate_request ## smb2_negotiate_response smb2_read_request ## smb2_session_setup_request smb2_session_setup_response 
@@ -3150,7 +3150,7 @@ export { ## ## For more information, see MS-SMB2:2.2.14.1 ## - ## .. bro:see:: smb2_close_request smb2_create_response smb2_read_request + ## .. zeek:see:: smb2_close_request smb2_create_response smb2_read_request ## smb2_file_rename smb2_file_delete smb2_write_request type SMB2::GUID: record { ## A file handle that remains persistent when reconnected after a disconnect @@ -3163,7 +3163,7 @@ export { ## ## For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6 ## - ## .. bro:see:: smb2_create_response + ## .. zeek:see:: smb2_create_response type SMB2::FileAttrs: record { ## The file is read only. Applications can read the file but cannot ## write to it or delete it. @@ -3214,7 +3214,7 @@ export { ## ## For more information, see MS-SMB2:2.2.16 ## - ## .. bro:see:: smb2_close_response + ## .. zeek:see:: smb2_close_response type SMB2::CloseResponse: record { ## The size, in bytes of the data that is allocated to the file. alloc_size : count; 
@@ -3226,12 +3226,70 @@ export { attrs : SMB2::FileAttrs; }; + ## Preauthentication information as defined in SMB v. 3.1.1 + ## + ## For more information, see MS-SMB2:2.3.1.1 + ## + type SMB2::PreAuthIntegrityCapabilities: record { + ## The number of hash algorithms. + hash_alg_count : count; + ## The salt length. + salt_length : count; + ## An array of hash algorithms (counts). + hash_alg : vector of count; + ## The salt. + salt : string; + }; + + ## Encryption information as defined in SMB v. 3.1.1 + ## + ## For more information, see MS-SMB2:2.3.1.2 + ## + type SMB2::EncryptionCapabilities: record { + ## The number of ciphers. + cipher_count : count; + ## An array of ciphers. + ciphers : vector of count; + }; + + ## Compression information as defined in SMB v. 3.1.1 + ## + ## For more information, see MS-SMB2:2.3.1.3 + ## + type SMB2::CompressionCapabilities: record { + ## The number of algorithms. + alg_count : count; + ## An array of compression algorithms. + algs : vector of count; + }; + + ## The context type information as defined in SMB v. 3.1.1 + ## + ## For more information, see MS-SMB2:2.3.1 + ## + type SMB2::NegotiateContextValue: record { + ## Specifies the type of context (preauth or encryption). + context_type : count; + ## The length in byte of the data field. + data_length : count; + ## The preauthentication information. + preauth_info : SMB2::PreAuthIntegrityCapabilities &optional; + ## The encryption information. + encryption_info : SMB2::EncryptionCapabilities &optional; + ## The compression information. + compression_info : SMB2::CompressionCapabilities &optional; + ## Indicates the server name the client must connect to. + netname: string &optional; + }; + + type SMB2::NegotiateContextValues: vector of SMB2::NegotiateContextValue; + ## The response to an SMB2 *negotiate* request, which is used by tghe client to notify the server ## what dialects of the SMB2 protocol the client understands. 
## ## For more information, see MS-SMB2:2.2.4 ## - ## .. bro:see:: smb2_negotiate_response + ## .. zeek:see:: smb2_negotiate_response type SMB2::NegotiateResponse: record { ## The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2 ## NEGOTIATE Request. @@ -3244,6 +3302,11 @@ export { system_time : time; ## The SMB2 server start time. server_start_time : time; + + ## The number of negotiate context values in SMB v. 3.1.1, otherwise reserved to 0. + negotiate_context_count : count; + ## An array of context values in SMB v. 3.1.1. + negotiate_context_values : SMB2::NegotiateContextValues; }; ## The request sent by the client to request a new authenticated session @@ -3251,7 +3314,7 @@ export { ## ## For more information, see MS-SMB2:2.2.5 ## - ## .. bro:see:: smb2_session_setup_request + ## .. zeek:see:: smb2_session_setup_request type SMB2::SessionSetupRequest: record { ## The security mode field specifies whether SMB signing is enabled or required at the client. security_mode: count; @@ -3262,7 +3325,7 @@ export { ## ## For more information, see MS-SMB2:2.2.6 ## - ## .. bro:see:: smb2_session_setup_response + ## .. zeek:see:: smb2_session_setup_response type SMB2::SessionSetupFlags: record { ## If set, the client has been authenticated as a guest user. guest: bool; @@ -3278,7 +3341,7 @@ export { ## ## For more information, see MS-SMB2:2.2.6 ## - ## .. bro:see:: smb2_session_setup_response + ## .. zeek:see:: smb2_session_setup_response type SMB2::SessionSetupResponse: record { ## Additional information about the session flags: SMB2::SessionSetupFlags; @@ -3289,7 +3352,7 @@ export { ## ## For more information, see MS-SMB2:2.2.9 ## - ## .. bro:see:: smb2_tree_connect_response + ## .. zeek:see:: smb2_tree_connect_response type SMB2::TreeConnectResponse: record { ## The type of share being accessed. Physical disk, named pipe, or printer. share_type: count; 
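Review bot: The doc comment on `SMB2::NegotiateContextValue.context_type` says "preauth or encryption", but the record also carries `compression_info` and `netname`, so it undersells the field; I'd make it `## Specifies the type of context (preauth, encryption, compression or netname).` and fix `## The length in byte of the data field.` to `## The length in bytes of the data field.`. The `hash_alg_count`, `cipher_count` and `alg_count` fields appear to be the on-wire counts carried next to the vectors they describe, and the docs should say whether script code may rely on them agreeing with `|hash_alg|` and friends or should use the vector length instead, since a count that disagrees with the vector is exactly what a malformed negotiate would produce. The same question applies to `negotiate_context_count` beside `negotiate_context_values` in the hunk at @@ -3244,6 +3302,11 @@. The "MS-SMB2:2.3.1.1" style references look one level off — I believe the negotiate-context structures are numbered 2.2.3.1.x in MS-SMB2 — and are worth checking against the spec before the docs are published.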
@@ -3299,7 +3362,7 @@ export { ## ## For more information, see MS-SMB2:2.2.13 ## - ## .. bro:see:: smb2_create_request + ## .. zeek:see:: smb2_create_request type SMB2::CreateRequest: record { ## Name of the file filename : string; @@ -3314,7 +3377,7 @@ export { ## ## For more information, see MS-SMB2:2.2.14 ## - ## .. bro:see:: smb2_create_response + ## .. zeek:see:: smb2_create_response type SMB2::CreateResponse: record { ## The SMB2 GUID for the file. file_id : SMB2::GUID; @@ -3345,6 +3408,29 @@ export { default_quota_limit : count; ## file systems control flags passed as unsigned int fs_control_flags : count; + + ## An SMB2 transform header (for SMB 3.x dialects with encryption enabled). + ## + ## For more information, see MS-SMB2:2.2.41 + ## + ## .. zeek:see:: smb2_transform_header smb2_message smb2_close_request smb2_close_response + ## smb2_create_request smb2_create_response smb2_negotiate_request + ## smb2_negotiate_response smb2_read_request + ## smb2_session_setup_request smb2_session_setup_response + ## smb2_file_rename smb2_file_delete + ## smb2_tree_connect_request smb2_tree_connect_response + ## smb2_write_request + type SMB2::Transform_header: record { + ## The 16-byte signature of the encrypted message, generated by using Session.EncryptionKey. + signature : string; + ## An implementation specific value assigned for every encrypted message. + nonce : string; + ## The size, in bytes, of the SMB2 message. + orig_msg_size : count; + ## A flags field, interpreted in different ways depending of the SMB2 dialect. + flags : count; + ## A value that uniquely identifies the established session for the command. + session_id : count; }; } 
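Review bot: As the hunk at @@ -3345,6 +3408,29 @@ reads, `type SMB2::Transform_header: record {` is inserted after `fs_control_flags : count;` but before the context `};` that closed the preceding record, and no new `};` is added (six context plus twenty-three added lines match the header's 29), so the preceding record appears to lose its terminator; unless the collapsed rendering dropped a line, that record should be closed first and the new type placed after it. The name `Transform_header` also breaks the CamelCase convention of its siblings (`SMB2::CloseResponse`, `SMB2::NegotiateResponse`, `SMB2::FileAttrs`); `SMB2::TransformHeader` would match. In the field docs, `## A flags field, interpreted in different ways depending of the SMB2 dialect.` should read `depending on`, and it would help readers to say which interpretation applies to which dialect rather than leaving the field opaque. Presumably the encrypted payload following this header is not parsed further; if so, the header comment should say that so handlers do not expect subsequent SMB2 events for such messages. The enclosing `export { ... }` block starts outside this hunk.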
@@ -3356,11 +3442,11 @@ export { ## A list of addresses offered by a DHCP server. Could be routers, ## DNS servers, or other. ## - ## .. bro:see:: dhcp_message + ## .. zeek:see:: dhcp_message type DHCP::Addrs: vector of addr; ## A DHCP message. - ## .. bro:see:: dhcp_message + ## .. zeek:see:: dhcp_message type DHCP::Msg: record { op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY m_type: count; ##< The type of DHCP message. @@ -3379,7 +3465,7 @@ export { }; ## DHCP Client Identifier (Option 61) - ## .. bro:see:: dhcp_message + ## .. zeek:see:: dhcp_message type DHCP::ClientID: record { hwtype: count; hwaddr: string; @@ -3399,7 +3485,7 @@ export { }; ## DHCP Relay Agent Information Option (Option 82) - ## .. bro:see:: dhcp_message + ## .. zeek:see:: dhcp_message type DHCP::SubOpt: record { code: count; value: string; @@ -3497,7 +3583,7 @@ export { module GLOBAL; ## A DNS message. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end ## dns_message dns_query_reply dns_rejected dns_request @@ -3522,7 +3608,7 @@ type dns_msg: record { ## A DNS SOA record. ## -## .. bro:see:: dns_SOA_reply +## .. zeek:see:: dns_SOA_reply type dns_soa: record { mname: string; ##< Primary source of data for zone. rname: string; ##< Mailbox for responsible person. @@ -3535,7 +3621,7 @@ type dns_soa: record { ## An additional DNS EDNS record. ## -## .. bro:see:: dns_EDNS_addl +## .. zeek:see:: dns_EDNS_addl type dns_edns_additional: record { query: string; ##< Query. qtype: count; ##< Query type. @@ -3550,7 +3636,7 @@ type dns_edns_additional: record { ## An additional DNS TSIG record. ## -## .. bro:see:: dns_TSIG_addl +## .. zeek:see:: dns_TSIG_addl type dns_tsig_additional: record { query: string; ##< Query. qtype: count; ##< Query type. 
@@ -3565,7 +3651,7 @@ type dns_tsig_additional: record { ## A DNSSEC RRSIG record. ## -## .. bro:see:: dns_RRSIG +## .. zeek:see:: dns_RRSIG type dns_rrsig_rr: record { query: string; ##< Query. answer_type: count; ##< Ans type. @@ -3583,7 +3669,7 @@ type dns_rrsig_rr: record { ## A DNSSEC DNSKEY record. ## -## .. bro:see:: dns_DNSKEY +## .. zeek:see:: dns_DNSKEY type dns_dnskey_rr: record { query: string; ##< Query. answer_type: count; ##< Ans type. @@ -3596,7 +3682,7 @@ type dns_dnskey_rr: record { ## A DNSSEC NSEC3 record. ## -## .. bro:see:: dns_NSEC3 +## .. zeek:see:: dns_NSEC3 type dns_nsec3_rr: record { query: string; ##< Query. answer_type: count; ##< Ans type. @@ -3613,7 +3699,7 @@ type dns_nsec3_rr: record { ## A DNSSEC DS record. ## -## .. bro:see:: dns_DS +## .. zeek:see:: dns_DS type dns_ds_rr: record { query: string; ##< Query. answer_type: count; ##< Ans type. @@ -3626,7 +3712,7 @@ type dns_ds_rr: record { # DNS answer types. # -# .. bro:see:: dns_answerr +# .. zeek:see:: dns_answerr # # todo:: use enum to make them autodoc'able const DNS_QUERY = 0; ##< A query. This shouldn't occur, just for completeness. @@ -3636,12 +3722,12 @@ const DNS_ADDL = 3; ##< An additional record. ## The general part of a DNS reply. ## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply ## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply ## dns_TXT_reply dns_WKS_reply type dns_answer: record { - ## Answer type. One of :bro:see:`DNS_QUERY`, :bro:see:`DNS_ANS`, - ## :bro:see:`DNS_AUTH` and :bro:see:`DNS_ADDL`. + ## Answer type. One of :zeek:see:`DNS_QUERY`, :zeek:see:`DNS_ANS`, + ## :zeek:see:`DNS_AUTH` and :zeek:see:`DNS_ADDL`. answer_type: count; query: string; ##< Query. qtype: count; ##< Query type. 
@@ -3652,23 +3738,23 @@ type dns_answer: record { ## For DNS servers in these sets, omit processing the AUTH records they include ## in their replies. ## -## .. bro:see:: dns_skip_all_auth dns_skip_addl +## .. zeek:see:: dns_skip_all_auth dns_skip_addl global dns_skip_auth: set[addr] &redef; ## For DNS servers in these sets, omit processing the ADDL records they include ## in their replies. ## -## .. bro:see:: dns_skip_all_addl dns_skip_auth +## .. zeek:see:: dns_skip_all_addl dns_skip_auth global dns_skip_addl: set[addr] &redef; ## If true, all DNS AUTH records are skipped. ## -## .. bro:see:: dns_skip_all_addl dns_skip_auth +## .. zeek:see:: dns_skip_all_addl dns_skip_auth global dns_skip_all_auth = T &redef; ## If true, all DNS ADDL records are skipped. ## -## .. bro:see:: dns_skip_all_auth dns_skip_addl +## .. zeek:see:: dns_skip_all_auth dns_skip_addl global dns_skip_all_addl = T &redef; ## If a DNS request includes more than this many queries, assume it's non-DNS @@ -3683,7 +3769,7 @@ const dns_resolver = [::] &redef; ## HTTP session statistics. ## -## .. bro:see:: http_stats +## .. zeek:see:: http_stats type http_stats_rec: record { num_requests: count; ##< Number of requests. num_replies: count; ##< Number of replies. @@ -3693,7 +3779,7 @@ type http_stats_rec: record { ## HTTP message statistics. ## -## .. bro:see:: http_message_done +## .. zeek:see:: http_message_done type http_message_stat: record { ## When the request/reply line was complete. start: time; 
@@ -3711,25 +3797,25 @@ type http_message_stat: record { ## Maximum number of HTTP entity data delivered to events. ## -## .. bro:see:: http_entity_data skip_http_entity_data skip_http_data +## .. zeek:see:: http_entity_data skip_http_entity_data skip_http_data global http_entity_data_delivery_size = 1500 &redef; ## Skip HTTP data for performance considerations. The skipped ## portion will not go through TCP reassembly. ## -## .. bro:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size +## .. zeek:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size const skip_http_data = F &redef; ## Maximum length of HTTP URIs passed to events. Longer ones will be truncated ## to prevent over-long URIs (usually sent by worms) from slowing down event ## processing. A value of -1 means "do not truncate". ## -## .. bro:see:: http_request +## .. zeek:see:: http_request const truncate_http_URI = -1 &redef; ## IRC join information. ## -## .. bro:see:: irc_join_list +## .. zeek:see:: irc_join_list type irc_join_info: record { nick: string; channel: string; @@ -3739,7 +3825,7 @@ type irc_join_info: record { ## Set of IRC join information. ## -## .. bro:see:: irc_join_message +## .. zeek:see:: irc_join_message type irc_join_list: set[irc_join_info]; module PE; @@ -3948,7 +4034,7 @@ type backdoor_endp_stats: record { ## Description of a signature match. ## -## .. bro:see:: signature_match +## .. zeek:see:: signature_match type signature_state: record { sig_id: string; ##< ID of the matching signature. conn: connection; ##< Matching connection. @@ -3978,7 +4064,7 @@ type software: record { ## Quality of passive fingerprinting matches. ## -## .. bro:see:: OS_version +## .. zeek:see:: OS_version type OS_version_inference: enum { direct_inference, ##< TODO. generic_inference, ##< TODO. 
@@ -3987,7 +4073,7 @@ type OS_version_inference: enum { ## Passive fingerprinting match. ## -## .. bro:see:: OS_version_found +## .. zeek:see:: OS_version_found type OS_version: record { genre: string; ##< Linux, Windows, AIX, ... detail: string; ##< Kernel version or such. @@ -3997,17 +4083,17 @@ type OS_version: record { ## Defines for which subnets we should do passive fingerprinting. ## -## .. bro:see:: OS_version_found +## .. zeek:see:: OS_version_found global generate_OS_version_event: set[subnet] &redef; -# Type used to report load samples via :bro:see:`load_sample`. For now, it's a +# Type used to report load samples via :zeek:see:`load_sample`. For now, it's a # set of names (event names, source file names, and perhaps ````), which were seen during the sample. type load_sample_info: set[string]; ## A BitTorrent peer. ## -## .. bro:see:: bittorrent_peer_set +## .. zeek:see:: bittorrent_peer_set type bittorrent_peer: record { h: addr; ##< The peer's address. p: port; ##< The peer's port. @@ -4015,13 +4101,13 @@ type bittorrent_peer: record { ## A set of BitTorrent peers. ## -## .. bro:see:: bt_tracker_response +## .. zeek:see:: bt_tracker_response type bittorrent_peer_set: set[bittorrent_peer]; ## BitTorrent "benc" value. Note that "benc" = Bencode ("Bee-Encode"), per ## http://en.wikipedia.org/wiki/Bencode. ## -## .. bro:see:: bittorrent_benc_dir +## .. zeek:see:: bittorrent_benc_dir type bittorrent_benc_value: record { i: int &optional; ##< TODO. s: string &optional; ##< TODO. 
@@ -4031,12 +4117,12 @@ type bittorrent_benc_value: record { ## A table of BitTorrent "benc" values. ## -## .. bro:see:: bt_tracker_response +## .. zeek:see:: bt_tracker_response type bittorrent_benc_dir: table[string] of bittorrent_benc_value; ## Header table type used by BitTorrent analyzer. ## -## .. bro:see:: bt_tracker_request bt_tracker_response +## .. zeek:see:: bt_tracker_request bt_tracker_response ## bt_tracker_response_not_ok type bt_tracker_headers: table[string] of string; @@ -4101,6 +4187,17 @@ export { HashAlgorithm: count; ##< Hash algorithm number SignatureAlgorithm: count; ##< Signature algorithm number }; + + +## Number of non-DTLS frames that can occur in a DTLS connection before +## parsing of the connection is suspended. +## DTLS does not immediately stop parsing a connection because other protocols +## might be interleaved in the same UDP "connection". +const SSL::dtls_max_version_errors = 10 &redef; + +## Maximum number of invalid version errors to report in one DTLS connection. +const SSL::dtls_max_reported_version_errors = 1 &redef; + } module GLOBAL; @@ -4320,7 +4417,7 @@ export { }; ## A ``VarBindList`` data structure from either :rfc:`1157` or :rfc:`3416`. - ## A sequences of :bro:see:`SNMP::Binding`, which maps an OIDs to values. + ## A sequences of :zeek:see:`SNMP::Binding`, which maps an OIDs to values. type SNMP::Bindings: vector of SNMP::Binding; ## A ``PDU`` data structure from either :rfc:`1157` or :rfc:`3416`. 
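Review bot: The docstring for the new `SSL::dtls_max_version_errors` says parsing is "suspended" once the limit is hit but does not say whether analysis of that connection ever resumes, which is the detail an operator tuning this knob needs; from the script side it is not visible whether the analyzer disables itself permanently or only skips the offending frames. I would add a line such as `## Once the limit is reached, the analyzer stops processing the connection (it is not re-enabled later).` if that is what the C++ side does, and note that a low value makes it easier for interleaved non-DTLS datagrams to end DTLS analysis early. Likewise `SSL::dtls_max_reported_version_errors` should say where the reports go (a weird, or a Reporter message) so the cap can be tied to what shows up in logs. The `export` block these constants live in starts outside the hunk.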
@@ -4561,79 +4658,79 @@ const log_max_size = 0.0 &redef; const log_encryption_key = "" &redef; ## Write profiling info into this file in regular intervals. The easiest way to -## activate profiling is loading :doc:`/scripts/policy/misc/profiling.bro`. +## activate profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`. ## -## .. bro:see:: profiling_interval expensive_profiling_multiple segment_profiling +## .. zeek:see:: profiling_interval expensive_profiling_multiple segment_profiling global profiling_file: file &redef; ## Update interval for profiling (0 disables). The easiest way to activate -## profiling is loading :doc:`/scripts/policy/misc/profiling.bro`. +## profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`. ## -## .. bro:see:: profiling_file expensive_profiling_multiple segment_profiling +## .. zeek:see:: profiling_file expensive_profiling_multiple segment_profiling const profiling_interval = 0 secs &redef; -## Multiples of :bro:see:`profiling_interval` at which (more expensive) memory +## Multiples of :zeek:see:`profiling_interval` at which (more expensive) memory ## profiling is done (0 disables). ## -## .. bro:see:: profiling_interval profiling_file segment_profiling +## .. zeek:see:: profiling_interval profiling_file segment_profiling const expensive_profiling_multiple = 0 &redef; ## If true, then write segment profiling information (very high volume!) ## in addition to profiling statistics. ## -## .. bro:see:: profiling_interval expensive_profiling_multiple profiling_file +## .. zeek:see:: profiling_interval expensive_profiling_multiple profiling_file const segment_profiling = F &redef; ## Output modes for packet profiling information. ## -## .. bro:see:: pkt_profile_mode pkt_profile_freq pkt_profile_file +## .. zeek:see:: pkt_profile_mode pkt_profile_freq pkt_profile_file type pkt_profile_modes: enum { PKT_PROFILE_MODE_NONE, ##< No output. - PKT_PROFILE_MODE_SECS, ##< Output every :bro:see:`pkt_profile_freq` seconds. 
- PKT_PROFILE_MODE_PKTS, ##< Output every :bro:see:`pkt_profile_freq` packets. - PKT_PROFILE_MODE_BYTES, ##< Output every :bro:see:`pkt_profile_freq` bytes. + PKT_PROFILE_MODE_SECS, ##< Output every :zeek:see:`pkt_profile_freq` seconds. + PKT_PROFILE_MODE_PKTS, ##< Output every :zeek:see:`pkt_profile_freq` packets. + PKT_PROFILE_MODE_BYTES, ##< Output every :zeek:see:`pkt_profile_freq` bytes. }; ## Output mode for packet profiling information. ## -## .. bro:see:: pkt_profile_modes pkt_profile_freq pkt_profile_file +## .. zeek:see:: pkt_profile_modes pkt_profile_freq pkt_profile_file const pkt_profile_mode = PKT_PROFILE_MODE_NONE &redef; ## Frequency associated with packet profiling. ## -## .. bro:see:: pkt_profile_modes pkt_profile_mode pkt_profile_file +## .. zeek:see:: pkt_profile_modes pkt_profile_mode pkt_profile_file const pkt_profile_freq = 0.0 &redef; ## File where packet profiles are logged. ## -## .. bro:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode +## .. zeek:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode global pkt_profile_file: file &redef; -## Rate at which to generate :bro:see:`load_sample` events. As all +## Rate at which to generate :zeek:see:`load_sample` events. As all ## events, the event is only generated if you've also defined a -## :bro:see:`load_sample` handler. Units are inverse number of packets; e.g., +## :zeek:see:`load_sample` handler. Units are inverse number of packets; e.g., ## a value of 20 means "roughly one in every 20 packets". ## -## .. bro:see:: load_sample +## .. zeek:see:: load_sample global load_sample_freq = 20 &redef; ## Whether to attempt to automatically detect SYN/FIN/RST-filtered trace ## and not report missing segments for such connections. ## If this is enabled, then missing data at the end of connections may not -## be reported via :bro:see:`content_gap`. +## be reported via :zeek:see:`content_gap`. 
const detect_filtered_trace = F &redef; -## Whether we want :bro:see:`content_gap` for partial +## Whether we want :zeek:see:`content_gap` for partial ## connections. A connection is partial if it is missing a full handshake. Note ## that gap reports for partial connections might not be reliable. ## -## .. bro:see:: content_gap partial_connection +## .. zeek:see:: content_gap partial_connection const report_gaps_for_partial = F &redef; ## Flag to prevent Bro from exiting automatically when input is exhausted. ## Normally Bro terminates when all packet sources have gone dry ## and communication isn't enabled. If this flag is set, Bro's main loop will -## instead keep idling until :bro:see:`terminate` is explicitly called. +## instead keep idling until :zeek:see:`terminate` is explicitly called. ## ## This is mainly for testing purposes when termination behaviour needs to be ## controlled for reproducing results. @@ -4641,18 +4738,18 @@ const exit_only_after_terminate = F &redef; ## The CA certificate file to authorize remote Bros/Broccolis. ## -## .. bro:see:: ssl_private_key ssl_passphrase +## .. zeek:see:: ssl_private_key ssl_passphrase const ssl_ca_certificate = "" &redef; ## File containing our private key and our certificate. ## -## .. bro:see:: ssl_ca_certificate ssl_passphrase +## .. zeek:see:: ssl_ca_certificate ssl_passphrase const ssl_private_key = "" &redef; ## The passphrase for our private key. Keeping this undefined ## causes Bro to prompt for the passphrase. ## -## .. bro:see:: ssl_private_key ssl_ca_certificate +## .. zeek:see:: ssl_private_key ssl_ca_certificate const ssl_passphrase = "" &redef; ## Default mode for Bro's user-space dynamic packet filter. If true, packets 
@@ -4662,7 +4759,7 @@ const ssl_passphrase = "" &redef; ## .. note:: This is not the BPF packet filter but an additional dynamic filter ## that Bro optionally applies just before normal processing starts. ## -## .. bro:see:: install_dst_addr_filter install_dst_net_filter +## .. zeek:see:: install_dst_addr_filter install_dst_net_filter ## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter ## uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter const packet_filter_default = F &redef; @@ -4678,7 +4775,7 @@ const peer_description = "bro" &redef; ## If true, broadcast events received from one peer to all other peers. ## -## .. bro:see:: forward_remote_state_changes +## .. zeek:see:: forward_remote_state_changes ## ## .. note:: This option is only temporary and will disappear once we get a ## more sophisticated script-level communication framework. @@ -4686,7 +4783,7 @@ const forward_remote_events = F &redef; ## If true, broadcast state updates received from one peer to all other peers. ## -## .. bro:see:: forward_remote_events +## .. zeek:see:: forward_remote_events ## ## .. note:: This option is only temporary and will disappear once we get a ## more sophisticated script-level communication framework. 
@@ -4721,16 +4818,16 @@ const REMOTE_SRC_SCRIPT = 3; ##< Message from a policy script. ## Synchronize trace processing at a regular basis in pseudo-realtime mode. ## -## .. bro:see:: remote_trace_sync_peers +## .. zeek:see:: remote_trace_sync_peers const remote_trace_sync_interval = 0 secs &redef; ## Number of peers across which to synchronize trace processing in ## pseudo-realtime mode. ## -## .. bro:see:: remote_trace_sync_interval +## .. zeek:see:: remote_trace_sync_interval const remote_trace_sync_peers = 0 &redef; -## Whether for :bro:attr:`&synchronized` state to send the old value as a +## Whether for :zeek:attr:`&synchronized` state to send the old value as a ## consistency check. const remote_check_sync_consistency = F &redef; @@ -4738,7 +4835,7 @@ const remote_check_sync_consistency = F &redef; ## signature matching. Enabling this provides more accurate matching at the ## expense of CPU cycles. ## -## .. bro:see:: dpd_buffer_size +## .. zeek:see:: dpd_buffer_size ## dpd_match_only_beginning dpd_ignore_ports ## ## .. note:: Despite the name, this option affects *all* signature matching, not @@ -4753,14 +4850,14 @@ const dpd_reassemble_first_packets = T &redef; ## are activated afterwards. Then only analyzers that can deal with partial ## connections will be able to analyze the session. ## -## .. bro:see:: dpd_reassemble_first_packets dpd_match_only_beginning +## .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning ## dpd_ignore_ports const dpd_buffer_size = 1024 &redef; -## If true, stops signature matching if :bro:see:`dpd_buffer_size` has been +## If true, stops signature matching if :zeek:see:`dpd_buffer_size` has been ## reached. ## -## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size +## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size ## dpd_ignore_ports ## ## .. note:: Despite the name, this option affects *all* signature matching, not 
@@ -4770,7 +4867,7 @@ const dpd_match_only_beginning = T &redef; ## If true, don't consider any ports for deciding which protocol analyzer to ## use. ## -## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size +## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size ## dpd_match_only_beginning const dpd_ignore_ports = F &redef; @@ -4797,7 +4894,7 @@ const suppress_local_output = F &redef; ## Holds the filename of the trace file given with ``-w`` (empty if none). ## -## .. bro:see:: record_all_packets +## .. zeek:see:: record_all_packets const trace_output_file = ""; ## If a trace file is given with ``-w``, dump *all* packets seen by Bro into it. @@ -4806,16 +4903,16 @@ const trace_output_file = ""; ## actually process them, which can be helpful for debugging in case the ## analysis triggers a crash. ## -## .. bro:see:: trace_output_file +## .. zeek:see:: trace_output_file const record_all_packets = F &redef; -## Ignore certain TCP retransmissions for :bro:see:`conn_stats`. Some +## Ignore certain TCP retransmissions for :zeek:see:`conn_stats`. Some ## connections (e.g., SSH) retransmit the acknowledged last byte to keep the ## connection alive. If *ignore_keep_alive_rexmit* is set to true, such ## retransmissions will be excluded in the rexmit counter in -## :bro:see:`conn_stats`. +## :zeek:see:`conn_stats`. ## -## .. bro:see:: conn_stats +## .. zeek:see:: conn_stats const ignore_keep_alive_rexmit = F &redef; module JSON; 
@@ -4859,14 +4956,14 @@ export { ## With this set, the Teredo analyzer waits until it sees both sides ## of a connection using a valid Teredo encapsulation before issuing - ## a :bro:see:`protocol_confirmation`. If it's false, the first + ## a :zeek:see:`protocol_confirmation`. If it's false, the first ## occurrence of a packet with valid Teredo encapsulation causes a ## confirmation. const delay_teredo_confirmation = T &redef; ## With this set, the GTP analyzer waits until the most-recent upflow ## and downflow packets are a valid GTPv1 encapsulation before - ## issuing :bro:see:`protocol_confirmation`. If it's false, the + ## issuing :zeek:see:`protocol_confirmation`. If it's false, the ## first occurrence of a packet with valid GTPv1 encapsulation causes ## confirmation. Since the same inner connection can be carried ## differing outer upflow/downflow connections, setting to false @@ -4876,6 +4973,18 @@ export { ## How often to cleanup internal state for inactive IP tunnels ## (includes GRE tunnels). const ip_tunnel_timeout = 24hrs &redef; + + ## Whether to validate the checksum supplied in the outer UDP header + ## of a VXLAN encapsulation. The spec says the checksum should be + ## transmitted as zero, but if not, then the decapsulating destination + ## may choose whether to perform the validation. + const validate_vxlan_checksums = T &redef; + + ## The set of UDP ports used for VXLAN traffic. Traffic using this + ## UDP destination port will attempt to be decapsulated. Note that if + ## if you customize this, you may still want to manually ensure that + ## :zeek:see:`likely_server_ports` also gets populated accordingly. + const vxlan_ports: set[port] = { 4789/udp } &redef; } # end export module Reporter; 
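Review bot: The docstring for the new `Tunnel::vxlan_ports` has a duplicated word, `## if you customize this, you may still want to manually ensure that` preceded by `## UDP destination port will attempt to be decapsulated. Note that if`; the second hunk in this section (`@@ -4876,6 +4973,18 @@`) should read `## UDP destination port will be decapsulated. Note that if you` / `## customize this, you may still want to manually ensure that`. For `validate_vxlan_checksums`, the comment explains the spec background but not what a failed validation does to the packet (whether it is dropped before decapsulation, and whether a weird is raised), which is what a reader comparing logs against traffic needs; add a sentence stating that once confirmed against the analyzer. The enclosing `export` block starts outside the hunk.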
@@ -4953,13 +5062,33 @@ export { ## "conn" weirds, counters and expiration timers are kept for the duration ## of the connection for each named weird and reset when necessary. E.g. ## if a "conn" weird by the name of "foo" is seen more than - ## :bro:see:`Weird::sampling_threshold` times, then an expiration timer + ## :zeek:see:`Weird::sampling_threshold` times, then an expiration timer ## begins for "foo" and upon triggering will reset the counter for "foo" ## and unthrottle its rate-limiting until it once again exceeds the ## threshold. option sampling_duration = 10min; } +module BinPAC; +export { + ## Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to + ## grow to for use with incremental parsing of a given connection/analyzer. + const flowbuffer_capacity_max = 10 * 1024 * 1024 &redef; + + ## The initial capacity, in bytes, that will be allocated to the BinPAC + ## flowbuffer of a given connection/analyzer. If the buffer buffer is + ## later contracted, its capacity is also reduced to this size. + const flowbuffer_capacity_min = 512 &redef; + + ## The threshold, in bytes, at which the BinPAC flowbuffer of a given + ## connection/analyzer will have its capacity contracted to + ## :zeek:see:`BinPAC::flowbuffer_capacity_min` after parsing a full unit. + ## I.e. this is the maximum capacity to reserve in between the parsing of + ## units. If, after parsing a unit, the flowbuffer capacity is greater + ## than this value, it will be contracted. + const flowbuffer_contract_threshold = 2 * 1024 * 1024 &redef; +} + module GLOBAL; ## Seed for hashes computed internally for probabilistic data structures. Using diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.zeek similarity index 98% rename from scripts/base/init-default.bro rename to scripts/base/init-default.zeek index 463f5c2942..6982b0b2f4 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.zeek 
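Review bot: The docstring for the new `BinPAC::flowbuffer_capacity_min` contains a duplicated word: `## flowbuffer of a given connection/analyzer. If the buffer buffer is` should be `## flowbuffer of a given connection/analyzer. If the buffer is`. More importantly, `flowbuffer_capacity_max` is described as a cap but not what happens when a single unit needs more than 10 MiB (does parsing of that connection fail, and is a weird or analyzer violation reported?), and since the limit is per connection/analyzer the total memory bound scales with concurrent connections; a sentence like `## Exceeding this limit aborts parsing for the connection and raises a weird.` (adjusted to what the BinPAC runtime actually does) would make the operational meaning clear.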
@@ -25,7 +25,7 @@ @load base/utils/urls # This has some deep interplay between types and BiFs so it's -# loaded in base/init-bare.bro +# loaded in base/init-bare.zeek #@load base/frameworks/logging @load base/frameworks/notice @load base/frameworks/analyzer diff --git a/scripts/base/init-frameworks-and-bifs.bro b/scripts/base/init-frameworks-and-bifs.zeek similarity index 86% rename from scripts/base/init-frameworks-and-bifs.bro rename to scripts/base/init-frameworks-and-bifs.zeek index f772e2d223..19897e7ffb 100644 --- a/scripts/base/init-frameworks-and-bifs.bro +++ b/scripts/base/init-frameworks-and-bifs.zeek @@ -1,7 +1,7 @@ # Load these frameworks here because they use fairly deep integration with # BiFs and script-land defined types. They are also more likely to # make use of calling BIFs for variable initializations, and that -# can't be done until init-bare.bro has been loaded completely (hence +# can't be done until init-bare.zeek has been loaded completely (hence # the separate file). @load base/frameworks/logging @load base/frameworks/broker diff --git a/scripts/base/misc/find-checksum-offloading.bro b/scripts/base/misc/find-checksum-offloading.zeek similarity index 98% rename from scripts/base/misc/find-checksum-offloading.bro rename to scripts/base/misc/find-checksum-offloading.zeek index 334cf4a2db..1edd4f9799 100644 --- a/scripts/base/misc/find-checksum-offloading.bro +++ b/scripts/base/misc/find-checksum-offloading.zeek @@ -62,7 +62,7 @@ event ChecksumOffloading::check() } } -event bro_init() +event zeek_init() { schedule check_interval { ChecksumOffloading::check() }; } @@ -81,7 +81,7 @@ event conn_weird(name: string, c: connection, addl: string) ++bad_udp_checksums; } -event bro_done() +event zeek_done() { event ChecksumOffloading::check(); } 
diff --git a/scripts/base/misc/find-filtered-trace.bro b/scripts/base/misc/find-filtered-trace.zeek similarity index 92% rename from scripts/base/misc/find-filtered-trace.bro rename to scripts/base/misc/find-filtered-trace.zeek index a723b656a7..f7bdbb9e91 100644 --- a/scripts/base/misc/find-filtered-trace.bro +++ b/scripts/base/misc/find-filtered-trace.zeek @@ -1,7 +1,7 @@ ##! Discovers trace files that contain TCP traffic consisting only of ##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST ##! packets and no content). On finding such a trace, a warning is -##! emitted that suggests toggling the :bro:see:`detect_filtered_trace` +##! emitted that suggests toggling the :zeek:see:`detect_filtered_trace` ##! option may be desired if the user does not want Bro to report ##! missing TCP segments. @@ -36,7 +36,7 @@ event connection_state_remove(c: connection) saw_tcp_conn_with_data = T; } -event bro_done() +event zeek_done() { if ( ! enable ) return; diff --git a/scripts/base/misc/version.bro b/scripts/base/misc/version.zeek similarity index 100% rename from scripts/base/misc/version.bro rename to scripts/base/misc/version.zeek diff --git a/scripts/base/protocols/conn/__load__.bro b/scripts/base/protocols/conn/__load__.zeek similarity index 100% rename from scripts/base/protocols/conn/__load__.bro rename to scripts/base/protocols/conn/__load__.zeek diff --git a/scripts/base/protocols/conn/contents.bro b/scripts/base/protocols/conn/contents.zeek similarity index 95% rename from scripts/base/protocols/conn/contents.bro rename to scripts/base/protocols/conn/contents.zeek index dbfbbd0dc1..ea689c6350 100644 --- a/scripts/base/protocols/conn/contents.bro +++ b/scripts/base/protocols/conn/contents.zeek 
@@ -2,7 +2,7 @@ ##! responders data or both. By default nothing is extracted, and in order ##! to actually extract data the ``c$extract_orig`` and/or the ##! ``c$extract_resp`` variable must be set to ``T``. One way to achieve this -##! would be to handle the :bro:id:`connection_established` event elsewhere +##! would be to handle the :zeek:id:`connection_established` event elsewhere ##! and set the ``extract_orig`` and ``extract_resp`` options there. ##! However, there may be trouble with the timing due to event queue delay. ##! diff --git a/scripts/base/protocols/conn/inactivity.bro b/scripts/base/protocols/conn/inactivity.zeek similarity index 100% rename from scripts/base/protocols/conn/inactivity.bro rename to scripts/base/protocols/conn/inactivity.zeek diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.zeek similarity index 94% rename from scripts/base/protocols/conn/main.bro rename to scripts/base/protocols/conn/main.zeek index e2209b6e22..ecc9e436ac 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.zeek @@ -78,13 +78,13 @@ export { ## If the connection is originated locally, this value will be T. ## If it was originated remotely it will be F. In the case that - ## the :bro:id:`Site::local_nets` variable is undefined, this + ## the :zeek:id:`Site::local_nets` variable is undefined, this ## field will be left empty at all times. local_orig: bool &log &optional; ## If the connection is responded to locally, this value will be T. ## If it was responded to remotely it will be F. In the case that - ## the :bro:id:`Site::local_nets` variable is undefined, this + ## the :zeek:id:`Site::local_nets` variable is undefined, this ## field will be left empty at all times. local_resp: bool &log &optional; 
@@ -107,6 +107,7 @@ export { ## f packet with FIN bit set ## r packet with RST bit set ## c packet with a bad checksum (applies to UDP too) + ## g a content gap ## t packet with retransmitted payload ## w packet with a zero window advertisement ## i inconsistent packet (e.g. FIN+RST bits set) @@ -122,23 +123,23 @@ export { ## 's' can be recorded multiple times for either direction ## if the associated sequence number differs from the ## last-seen packet of the same flag type. - ## 'c', 't' and 'w' are recorded in a logarithmic fashion: + ## 'c', 'g', 't' and 'w' are recorded in a logarithmic fashion: ## the second instance represents that the event was seen ## (at least) 10 times; the third instance, 100 times; etc. history: string &log &optional; ## Number of packets that the originator sent. - ## Only set if :bro:id:`use_conn_size_analyzer` = T. + ## Only set if :zeek:id:`use_conn_size_analyzer` = T. orig_pkts: count &log &optional; ## Number of IP level bytes that the originator sent (as seen on ## the wire, taken from the IP total_length header field). - ## Only set if :bro:id:`use_conn_size_analyzer` = T. + ## Only set if :zeek:id:`use_conn_size_analyzer` = T. orig_ip_bytes: count &log &optional; ## Number of packets that the responder sent. - ## Only set if :bro:id:`use_conn_size_analyzer` = T. + ## Only set if :zeek:id:`use_conn_size_analyzer` = T. resp_pkts: count &log &optional; ## Number of IP level bytes that the responder sent (as seen on ## the wire, taken from the IP total_length header field). - ## Only set if :bro:id:`use_conn_size_analyzer` = T. + ## Only set if :zeek:id:`use_conn_size_analyzer` = T. resp_ip_bytes: count &log &optional; ## If this connection was over a tunnel, indicate the ## *uid* values for any encapsulating parent connections 
@@ -146,7 +147,7 @@ export { tunnel_parents: set[string] &log &optional; }; - ## Event that can be handled to access the :bro:type:`Conn::Info` + ## Event that can be handled to access the :zeek:type:`Conn::Info` ## record as it is sent on to the logging framework. global log_conn: event(rec: Info); } @@ -155,7 +156,7 @@ redef record connection += { conn: Info &optional; }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn, $path="conn"]); } diff --git a/scripts/base/protocols/conn/polling.bro b/scripts/base/protocols/conn/polling.zeek similarity index 100% rename from scripts/base/protocols/conn/polling.bro rename to scripts/base/protocols/conn/polling.zeek diff --git a/scripts/base/protocols/conn/thresholds.bro b/scripts/base/protocols/conn/thresholds.zeek similarity index 100% rename from scripts/base/protocols/conn/thresholds.bro rename to scripts/base/protocols/conn/thresholds.zeek diff --git a/scripts/base/protocols/dce-rpc/__load__.bro b/scripts/base/protocols/dce-rpc/__load__.zeek similarity index 100% rename from scripts/base/protocols/dce-rpc/__load__.bro rename to scripts/base/protocols/dce-rpc/__load__.zeek diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.zeek similarity index 100% rename from scripts/base/protocols/dce-rpc/consts.bro rename to scripts/base/protocols/dce-rpc/consts.zeek diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.zeek similarity index 98% rename from scripts/base/protocols/dce-rpc/main.bro rename to scripts/base/protocols/dce-rpc/main.zeek index e73bfa4b2b..1b318265e8 100644 --- a/scripts/base/protocols/dce-rpc/main.bro +++ b/scripts/base/protocols/dce-rpc/main.zeek 
@@ -59,7 +59,7 @@ redef record connection += { const ports = { 135/tcp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc"]); Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports); @@ -215,9 +215,8 @@ event connection_state_remove(c: connection) return; # TODO: Go through any remaining dce_rpc requests that haven't been processed with replies. - for ( i in c$dce_rpc_backing ) + for ( i, x in c$dce_rpc_backing ) { - local x = c$dce_rpc_backing[i]; set_state(c, x); # In the event that the binding wasn't seen, but the pipe diff --git a/scripts/base/protocols/dhcp/__load__.bro b/scripts/base/protocols/dhcp/__load__.zeek similarity index 100% rename from scripts/base/protocols/dhcp/__load__.bro rename to scripts/base/protocols/dhcp/__load__.zeek diff --git a/scripts/base/protocols/dhcp/consts.bro b/scripts/base/protocols/dhcp/consts.zeek similarity index 100% rename from scripts/base/protocols/dhcp/consts.bro rename to scripts/base/protocols/dhcp/consts.zeek diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.zeek similarity index 97% rename from scripts/base/protocols/dhcp/main.bro rename to scripts/base/protocols/dhcp/main.zeek index b31c623afa..1f98cd0583 100644 --- a/scripts/base/protocols/dhcp/main.bro +++ b/scripts/base/protocols/dhcp/main.zeek 
@@ -89,13 +89,13 @@ export { ## This event is used internally to distribute data around clusters ## since DHCP doesn't follow the normal "connection" model used by ## most protocols. It can also be handled to extend the DHCP log. - ## bro:see::`DHCP::log_info`. + ## :zeek:see:`DHCP::log_info`. global DHCP::aggregate_msgs: event(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options); ## This is a global variable that is only to be used in the - ## :bro::see::`DHCP::aggregate_msgs` event. It can be used to avoid + ## :zeek:see:`DHCP::aggregate_msgs` event. It can be used to avoid ## looking up the info record for a transaction ID in every event handler - ## for :bro:see::`DHCP::aggregate_msgs`. + ## for :zeek:see:`DHCP::aggregate_msgs`. global DHCP::log_info: Info; ## Event that can be handled to access the DHCP @@ -117,14 +117,14 @@ redef record Info += { const ports = { 67/udp, 68/udp, 4011/udp }; redef likely_server_ports += { 67/udp }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]); Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports); } @if ( Cluster::is_enabled() ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::manager_topic, DHCP::aggregate_msgs); } @@ -264,7 +264,7 @@ event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP:: event DHCP::aggregate_msgs(network_time(), c$id, c$uid, is_orig, msg, options); } -event bro_done() &priority=-5 +event zeek_done() &priority=-5 { # Log any remaining data that hasn't already been logged! for ( i in DHCP::join_data ) diff --git a/scripts/base/protocols/dnp3/__load__.bro b/scripts/base/protocols/dnp3/__load__.zeek similarity index 100% rename from scripts/base/protocols/dnp3/__load__.bro rename to scripts/base/protocols/dnp3/__load__.zeek 
diff --git a/scripts/base/protocols/dnp3/consts.bro b/scripts/base/protocols/dnp3/consts.zeek similarity index 100% rename from scripts/base/protocols/dnp3/consts.bro rename to scripts/base/protocols/dnp3/consts.zeek diff --git a/scripts/base/protocols/dnp3/main.bro b/scripts/base/protocols/dnp3/main.zeek similarity index 98% rename from scripts/base/protocols/dnp3/main.bro rename to scripts/base/protocols/dnp3/main.zeek index 35dd012d75..184816c59f 100644 --- a/scripts/base/protocols/dnp3/main.bro +++ b/scripts/base/protocols/dnp3/main.zeek @@ -34,7 +34,7 @@ redef record connection += { const ports = { 20000/tcp , 20000/udp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3, $path="dnp3"]); Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports); diff --git a/scripts/base/protocols/dns/__load__.bro b/scripts/base/protocols/dns/__load__.zeek similarity index 100% rename from scripts/base/protocols/dns/__load__.bro rename to scripts/base/protocols/dns/__load__.zeek diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.zeek similarity index 100% rename from scripts/base/protocols/dns/consts.bro rename to scripts/base/protocols/dns/consts.zeek diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.zeek similarity index 84% rename from scripts/base/protocols/dns/main.bro rename to scripts/base/protocols/dns/main.zeek index a0e22aae6b..f91a94b0cb 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.zeek @@ -80,7 +80,7 @@ export { saw_reply: bool &default=F; }; - ## An event that can be handled to access the :bro:type:`DNS::Info` + ## An event that can be handled to access the :zeek:type:`DNS::Info` ## record as it is sent to the logging framework. global log_dns: event(rec: Info); 
@@ -109,7 +109,7 @@ export { ## is_query: Indicator for if this is being called for a query or a response. global set_session: hook(c: connection, msg: dns_msg, is_query: bool); - ## Yields a queue of :bro:see:`DNS::Info` objects for a given + ## Yields a queue of :zeek:see:`DNS::Info` objects for a given ## DNS message query/transaction ID. type PendingMessages: table[count] of Queue::Queue; @@ -126,15 +126,22 @@ export { option max_pending_query_ids = 50; ## A record type which tracks the status of DNS queries for a given - ## :bro:type:`connection`. + ## :zeek:type:`connection`. type State: record { + ## A single query that hasn't been matched with a response yet. + ## Note this is maintained separate from the *pending_queries* + ## field solely for performance reasons -- it's possible that + ## *pending_queries* contains further queries for which a response + ## has not yet been seen, even for the same transaction ID. + pending_query: Info &optional; + ## Indexed by query id, returns Info record corresponding to ## queries that haven't been matched with a response yet. - pending_queries: PendingMessages; + pending_queries: PendingMessages &optional; ## Indexed by query id, returns Info record corresponding to ## replies that haven't been matched with a query yet. - pending_replies: PendingMessages; + pending_replies: PendingMessages &optional; }; } @@ -147,7 +154,7 @@ redef record connection += { const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns, $path="dns"]); Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports); 
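Review bot: Changing `pending_queries` and `pending_replies` in `DNS::State` (hunk `@@ -126,15 +126,22 @@`) to `&optional` makes every existing read of those fields a potential runtime error, since indexing an unset optional field is a script error; the `set_session` hunks in this commit add `?$` guards, but other readers such as the caller of `log_unmatched_msgs` are outside this view and I cannot confirm they were updated. The field docs should state the new contract, e.g. `## Only present once a query could not take the *pending_query* fast path; check with ?$ before indexing.`, and the same for `pending_replies`. The `export` block starts outside the hunk.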
@@ -159,7 +166,7 @@ function new_session(c: connection, trans_id: count): Info
info$ts = network_time();
info$id = c$id;
info$uid = c$uid;
- info$proto = get_conn_transport_proto(c$id);
+ info$proto = get_port_transport_proto(c$id$resp_p);
info$trans_id = trans_id;
return info;
}
@@ -177,9 +184,9 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
function log_unmatched_msgs(msgs: PendingMessages)
{
- for ( trans_id in msgs )
+ for ( trans_id, q in msgs )
{
- log_unmatched_msgs_queue(msgs[trans_id]);
+ log_unmatched_msgs_queue(q);
}
clear_table(msgs);
@@ -230,7 +237,7 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
if ( is_query )
{
- if ( msg$id in c$dns_state$pending_replies &&
+ if ( c$dns_state?$pending_replies && msg$id in c$dns_state$pending_replies &&
Queue::len(c$dns_state$pending_replies[msg$id]) > 0 )
{
# Match this DNS query w/ what's at head of pending reply queue.
@@ -241,12 +248,53 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
# Create a new DNS session and put it in the query queue so
# we can wait for a matching reply.
c$dns = new_session(c, msg$id);
- enqueue_new_msg(c$dns_state$pending_queries, msg$id, c$dns);
+
+ if( ! c$dns_state?$pending_query )
+ c$dns_state$pending_query = c$dns;
+ else
+ {
+ if( !c$dns_state?$pending_queries )
+ c$dns_state$pending_queries = table();
+
+ enqueue_new_msg(c$dns_state$pending_queries, msg$id, c$dns);
+ }
}
}
else
{
- if ( msg$id in c$dns_state$pending_queries &&
+ if ( c$dns_state?$pending_query && c$dns_state$pending_query$trans_id == msg$id )
+ {
+ c$dns = c$dns_state$pending_query;
+ delete c$dns_state$pending_query;
+
+ if ( c$dns_state?$pending_queries )
+ {
+ # Popping off an arbitrary, unpaired query to set as the
+ # new fastpath is necessary in order to preserve the overall
+ # queuing order of any pending queries that may share a
+ # transaction ID. If we didn't fill c$dns_state$pending_query
+ # back in, then it's possible a new query would jump ahead in
+ # the queue of some other pending query since
+ # c$dns_state$pending_query is filled first if available.
+
+ if ( msg$id in c$dns_state$pending_queries &&
+ Queue::len(c$dns_state$pending_queries[msg$id]) > 0 )
+ # Prioritize any pending query with matching ID to the one
+ # that just got paired with a response.
+ c$dns_state$pending_query = pop_msg(c$dns_state$pending_queries, msg$id);
+ else
+ {
+ # Just pick an arbitrary, unpaired query.
+ for ( trans_id, q in c$dns_state$pending_queries )
+ if ( Queue::len(q) > 0 )
+ {
+ c$dns_state$pending_query = pop_msg(c$dns_state$pending_queries, trans_id);
+ break;
+ }
+ }
+ }
+ }
+ else if ( c$dns_state?$pending_queries && msg$id in c$dns_state$pending_queries &&
Queue::len(c$dns_state$pending_queries[msg$id]) > 0 )
{
# Match this DNS reply w/ what's at head of pending query queue.
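Review bot: The new guards `if( ! c$dns_state?$pending_query )` and `if( !c$dns_state?$pending_queries )` drop the space after `if` and vary between `! x` and `!x`, unlike every other condition in this hook; writing them `if ( ! c$dns_state?$pending_query )` and `if ( ! c$dns_state?$pending_queries )` keeps the file uniform. The refill path also leaves the drained entry in `pending_queries` after `pop_msg`, so an empty `Queue` stays in the table per transaction ID until `connection_state_remove` clears it and every later lookup has to re-check `Queue::len(...) > 0`; deleting the table entry once its queue is empty (after the pop, outside the iteration) would bound that growth, though whether those empty entries also count toward `max_pending_query_ids` depends on `enqueue_new_msg`, which is not visible here. The `set_session` hook body begins before this hunk.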
@@ -257,6 +305,10 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
# Create a new DNS session and put it in the reply queue so
# we can wait for a matching query.
c$dns = new_session(c, msg$id);
+
+ if( ! c$dns_state?$pending_replies )
+ c$dns_state$pending_replies = table();
+
enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns);
}
}
@@ -511,6 +563,12 @@ event connection_state_remove(c: connection) &priority=-5
# If Bro is expiring state, we should go ahead and log all unmatched
# queries and replies now.
- log_unmatched_msgs(c$dns_state$pending_queries);
- log_unmatched_msgs(c$dns_state$pending_replies);
+ if( c$dns_state?$pending_query )
+ Log::write(DNS::LOG, c$dns_state$pending_query);
+
+ if( c$dns_state?$pending_queries )
+ log_unmatched_msgs(c$dns_state$pending_queries);
+
+ if( c$dns_state?$pending_replies )
+ log_unmatched_msgs(c$dns_state$pending_replies);
}
diff --git a/scripts/base/protocols/ftp/__load__.bro b/scripts/base/protocols/ftp/__load__.zeek
similarity index 100%
rename from scripts/base/protocols/ftp/__load__.bro
rename to scripts/base/protocols/ftp/__load__.zeek
diff --git a/scripts/base/protocols/ftp/files.bro b/scripts/base/protocols/ftp/files.zeek
similarity index 92%
rename from scripts/base/protocols/ftp/files.bro
rename to scripts/base/protocols/ftp/files.zeek
index c114f11c8d..f2c2625bdb 100644
--- a/scripts/base/protocols/ftp/files.bro
+++ b/scripts/base/protocols/ftp/files.zeek
@@ -37,15 +37,15 @@ function describe_file(f: fa_file): string
if ( f$source != "FTP" )
return "";
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- if ( f$conns[cid]?$ftp )
- return FTP::describe(f$conns[cid]$ftp);
+ if ( c?$ftp )
+ return FTP::describe(c$ftp);
}
return "";
}
-event bro_init() &priority=5
+event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_FTP_DATA,
[$get_file_handle = FTP::get_file_handle,
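Review bot: In the `connection_state_remove` hunk, `Log::write(DNS::LOG, c$dns_state$pending_query)` bypasses `log_unmatched_msgs_queue`, which the `pending_queries` and `pending_replies` paths still go through; if that helper does anything beyond a plain `Log::write` per entry (its body is not in this diff), the fast-path query is flushed differently from the queued ones. Factoring the per-`Info` logging into a small helper called from both `log_unmatched_msgs_queue` and this new branch would keep the three paths identical. The unchanged context comment `# If Bro is expiring state, we should go ahead and log all unmatched` is a leftover this rename commit did not touch; `# If Zeek is expiring state, ...` while these lines are being edited. The event body begins before this hunk.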
diff --git a/scripts/base/protocols/ftp/gridftp.bro b/scripts/base/protocols/ftp/gridftp.zeek similarity index 93% rename from scripts/base/protocols/ftp/gridftp.bro rename to scripts/base/protocols/ftp/gridftp.zeek index cdbe354a08..ef6965d3ca 100644 --- a/scripts/base/protocols/ftp/gridftp.bro +++ b/scripts/base/protocols/ftp/gridftp.zeek @@ -6,7 +6,7 @@ ##! indicating the GSI mechanism for GSSAPI was used. This analysis ##! is all supported internally, this script simply adds the "gridftp" ##! label to the *service* field of the control channel's -##! :bro:type:`connection` record. +##! :zeek:type:`connection` record. ##! ##! GridFTP data channels are identified by a heuristic that relies on ##! the fact that default settings for GridFTP clients typically @@ -33,7 +33,7 @@ export { option size_threshold = 1073741824; ## Time during which we check whether a connection's size exceeds the - ## :bro:see:`GridFTP::size_threshold`. + ## :zeek:see:`GridFTP::size_threshold`. option max_time = 2 min; ## Whether to skip further processing of the GridFTP data channel once @@ -46,8 +46,8 @@ export { global data_channel_detected: event(c: connection); ## The initial criteria used to determine whether to start polling - ## the connection for the :bro:see:`GridFTP::size_threshold` to have - ## been exceeded. This is called in a :bro:see:`ssl_established` event + ## the connection for the :zeek:see:`GridFTP::size_threshold` to have + ## been exceeded. This is called in a :zeek:see:`ssl_established` event ## handler and by default looks for both a client and server certificate ## and for a NULL bulk cipher. One way in which this function could be ## redefined is to make it also consider client/server certificate 
@@ -56,7 +56,7 @@ export { ## c: The connection which may possibly be a GridFTP data channel. ## ## Returns: true if the connection should be further polled for an - ## exceeded :bro:see:`GridFTP::size_threshold`, else false. + ## exceeded :zeek:see:`GridFTP::size_threshold`, else false. const data_channel_initial_criteria: function(c: connection): bool &redef; } diff --git a/scripts/base/protocols/ftp/info.bro b/scripts/base/protocols/ftp/info.zeek similarity index 100% rename from scripts/base/protocols/ftp/info.bro rename to scripts/base/protocols/ftp/info.zeek diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.zeek similarity index 97% rename from scripts/base/protocols/ftp/main.bro rename to scripts/base/protocols/ftp/main.zeek index b3eaf79370..1c2dce17f8 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.zeek @@ -36,7 +36,7 @@ export { ## Parse FTP reply codes into the three constituent single digit values. global parse_ftp_reply_code: function(code: count): ReplyCode; - ## Event that can be handled to access the :bro:type:`FTP::Info` + ## Event that can be handled to access the :zeek:type:`FTP::Info` ## record as it is sent on to the logging framework. global log_ftp: event(rec: Info); } @@ -50,7 +50,7 @@ redef record connection += { const ports = { 21/tcp, 2811/tcp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp, $path="ftp"]); Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports); @@ -295,9 +295,9 @@ event connection_state_remove(c: connection) &priority=-5 { if ( ! c?$ftp ) return; - for ( ca in c$ftp$pending_commands ) + for ( ca, cmdarg in c$ftp$pending_commands ) { - c$ftp$cmdarg = c$ftp$pending_commands[ca]; + c$ftp$cmdarg = cmdarg; ftp_message(c$ftp); } } 
diff --git a/scripts/base/protocols/ftp/utils-commands.bro b/scripts/base/protocols/ftp/utils-commands.zeek similarity index 99% rename from scripts/base/protocols/ftp/utils-commands.bro rename to scripts/base/protocols/ftp/utils-commands.zeek index 0ee1635b4a..67c52e62e4 100644 --- a/scripts/base/protocols/ftp/utils-commands.bro +++ b/scripts/base/protocols/ftp/utils-commands.zeek @@ -91,9 +91,8 @@ function get_pending_cmd(pc: PendingCmds, reply_code: count, reply_msg: string): local best_seq = 0; local best_score: int = -1; - for ( cmd_seq in pc ) + for ( cmd_seq, cmd in pc ) { - local cmd = pc[cmd_seq]; local score: int = 0; # if the command is compatible with the reply code diff --git a/scripts/base/protocols/ftp/utils.bro b/scripts/base/protocols/ftp/utils.zeek similarity index 81% rename from scripts/base/protocols/ftp/utils.bro rename to scripts/base/protocols/ftp/utils.zeek index 74aeaa1e03..44c621b361 100644 --- a/scripts/base/protocols/ftp/utils.bro +++ b/scripts/base/protocols/ftp/utils.zeek @@ -7,16 +7,16 @@ module FTP; export { - ## Creates a URL from an :bro:type:`FTP::Info` record. + ## Creates a URL from an :zeek:type:`FTP::Info` record. ## - ## rec: An :bro:type:`FTP::Info` record. + ## rec: An :zeek:type:`FTP::Info` record. ## ## Returns: A URL, not prefixed by ``"ftp://"``. global build_url: function(rec: Info): string; - ## Creates a URL from an :bro:type:`FTP::Info` record. + ## Creates a URL from an :zeek:type:`FTP::Info` record. ## - ## rec: An :bro:type:`FTP::Info` record. + ## rec: An :zeek:type:`FTP::Info` record. ## ## Returns: A URL prefixed with ``"ftp://"``. global build_url_ftp: function(rec: Info): string; diff --git a/scripts/base/protocols/http/__load__.bro b/scripts/base/protocols/http/__load__.zeek similarity index 100% rename from scripts/base/protocols/http/__load__.bro rename to scripts/base/protocols/http/__load__.zeek 
diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.zeek similarity index 67% rename from scripts/base/protocols/http/entities.bro rename to scripts/base/protocols/http/entities.zeek index 3670d7879a..0a72c6b76e 100644 --- a/scripts/base/protocols/http/entities.bro +++ b/scripts/base/protocols/http/entities.zeek 
@@ -13,23 +13,45 @@ export {
filename: string &optional;
};
+ ## Maximum number of originator files to log.
+ ## :zeek:see:`HTTP::max_files_policy` even is called once this
+ ## limit is reached to determine if it's enforced.
+ option max_files_orig = 15;
+
+ ## Maximum number of responder files to log.
+ ## :zeek:see:`HTTP::max_files_policy` even is called once this
+ ## limit is reached to determine if it's enforced.
+ option max_files_resp = 15;
+
+ ## Called when reaching the max number of files across a given HTTP
+ ## connection according to :zeek:see:`HTTP::max_files_orig`
+ ## or :zeek:see:`HTTP::max_files_resp`. Break from the hook
+ ## early to signal that the file limit should not be applied.
+ global max_files_policy: hook(f: fa_file, is_orig: bool);
+
redef record Info += {
## An ordered vector of file unique IDs.
+ ## Limited to :zeek:see:`HTTP::max_files_orig` entries.
orig_fuids: vector of string &log &optional;
## An ordered vector of filenames from the client.
+ ## Limited to :zeek:see:`HTTP::max_files_orig` entries.
orig_filenames: vector of string &log &optional;
## An ordered vector of mime types.
+ ## Limited to :zeek:see:`HTTP::max_files_orig` entries.
orig_mime_types: vector of string &log &optional;
## An ordered vector of file unique IDs.
+ ## Limited to :zeek:see:`HTTP::max_files_resp` entries.
resp_fuids: vector of string &log &optional;
## An ordered vector of filenames from the server.
+ ## Limited to :zeek:see:`HTTP::max_files_resp` entries.
resp_filenames: vector of string &log &optional;
## An ordered vector of mime types.
+ ## Limited to :zeek:see:`HTTP::max_files_resp` entries.
resp_mime_types: vector of string &log &optional;
## The current entity.
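Review bot: The option docs on `max_files_orig` and `max_files_resp` read `:zeek:see:`HTTP::max_files_policy` even is called once this`, which is a typo and also labels a hook as an event; suggest `## :zeek:see:`HTTP::max_files_policy` hook is called once this` / `## limit is reached to determine if it's enforced.` on both. The `max_files_policy` doc should also say that the limit is checked once per new file for the fuid/filename vectors and separately in `file_sniff` for the mime-type vectors, so a handler that breaks out of the hook must expect to be invoked from both places and the per-direction vectors can end up with different lengths. The `export` block this hunk sits in starts before the hunk.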
@@ -82,6 +104,23 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
if ( c$http?$current_entity && c$http$current_entity?$filename )
f$info$filename = c$http$current_entity$filename;
+ local size: count;
+ local max: count;
+
+ if ( f$is_orig )
+ {
+ size = f$http?$orig_fuids ? |f$http$orig_fuids| : 0;
+ max = max_files_orig;
+ }
+ else
+ {
+ size = f$http?$resp_fuids ? |f$http$resp_fuids| : 0;
+ max = max_files_resp;
+ }
+
+ if ( size >= max && hook HTTP::max_files_policy(f, f$is_orig) )
+ return;
+
if ( f$is_orig )
{
if ( ! c$http?$orig_fuids )
@@ -125,6 +164,23 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
if ( ! meta?$mime_type )
return;
+ local size: count;
+ local max: count;
+
+ if ( f$is_orig )
+ {
+ size = f$http?$orig_mime_types ? |f$http$orig_mime_types| : 0;
+ max = max_files_orig;
+ }
+ else
+ {
+ size = f$http?$resp_mime_types ? |f$http$resp_mime_types| : 0;
+ max = max_files_resp;
+ }
+
+ if ( size >= max && hook HTTP::max_files_policy(f, f$is_orig) )
+ return;
+
if ( f$is_orig )
{
if ( ! f$http?$orig_mime_types )
diff --git a/scripts/base/protocols/http/files.bro b/scripts/base/protocols/http/files.zeek
similarity index 91%
rename from scripts/base/protocols/http/files.bro
rename to scripts/base/protocols/http/files.zeek
index 840b5a2372..a8a67762d4 100644
--- a/scripts/base/protocols/http/files.bro
+++ b/scripts/base/protocols/http/files.zeek
@@ -40,15 +40,15 @@ function describe_file(f: fa_file): string
if ( f$source != "HTTP" )
return "";
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- if ( f$conns[cid]?$http )
- return build_url_http(f$conns[cid]$http);
+ if ( c?$http )
+ return build_url_http(c$http);
}
return "";
}
-event bro_init() &priority=5
+event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_HTTP,
[$get_file_handle = HTTP::get_file_handle,
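Review bot: In the `file_over_new_connection` hunk the new limit check reads `f$http?$orig_fuids` / `|f$http$orig_fuids|` while the append right below it (context line `if ( ! c$http?$orig_fuids )`) still goes through `c$http`; the count measures the vector being appended to only if `f$http` was earlier set to the very record `c$http` refers to, which, if it happens, is before this hunk. Reading the same handle in both places, `size = c$http?$orig_fuids ? |c$http$orig_fuids| : 0;` and `size = c$http?$resp_fuids ? |c$http$resp_fuids| : 0;`, removes that dependence and matches the existing lines. The hook is also handed `f$is_orig` although the event's own `is_orig` parameter is in scope; either works, but the branch and the hook call should agree on one. The enclosing event body starts before this hunk.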
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.zeek
similarity index 97%
rename from scripts/base/protocols/http/main.bro
rename to scripts/base/protocols/http/main.zeek
index 5296964520..ef0561efb4 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.zeek
@@ -46,6 +46,8 @@ export {
version: string &log &optional;
## Value of the User-Agent header from the client.
user_agent: string &log &optional;
+ ## Value of the Origin header from the client.
+ origin: string &log &optional;
## Actual uncompressed content size of the data transferred from
## the client.
request_body_len: count &log &default=0;
@@ -137,7 +139,7 @@ const ports = {
redef likely_server_ports += { ports };
# Initialize the HTTP logging stream and ports.
-event bro_init() &priority=5
+event zeek_init() &priority=5
{
Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http"]);
Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
@@ -258,6 +260,9 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
else if ( name == "RANGE" )
c$http$range_request = T;
+ else if ( name == "ORIGIN" )
+ c$http$origin = value;
+
else if ( name == "USER-AGENT" )
c$http$user_agent = value;
@@ -321,11 +326,11 @@ event connection_state_remove(c: connection) &priority=-5
# Flush all pending but incomplete request/response pairs.
if ( c?$http_state )
{
- for ( r in c$http_state$pending )
+ for ( r, info in c$http_state$pending )
{
# We don't use pending elements at index 0.
if ( r == 0 ) next;
- Log::write(HTTP::LOG, c$http_state$pending[r]);
+ Log::write(HTTP::LOG, info);
}
}
}
diff --git a/scripts/base/protocols/http/utils.bro b/scripts/base/protocols/http/utils.zeek
similarity index 88%
rename from scripts/base/protocols/http/utils.bro
rename to scripts/base/protocols/http/utils.zeek
index 67f13f2640..a48841cef5 100644
--- a/scripts/base/protocols/http/utils.bro
+++ b/scripts/base/protocols/http/utils.zeek @@ -17,18 +17,18 @@ export { ## Returns: A vector of strings containing the keys. global extract_keys: function(data: string, kv_splitter: pattern): string_vec; - ## Creates a URL from an :bro:type:`HTTP::Info` record. This should + ## Creates a URL from an :zeek:type:`HTTP::Info` record. This should ## handle edge cases such as proxied requests appropriately. ## - ## rec: An :bro:type:`HTTP::Info` record. + ## rec: An :zeek:type:`HTTP::Info` record. ## ## Returns: A URL, not prefixed by ``"http://"``. global build_url: function(rec: Info): string; - ## Creates a URL from an :bro:type:`HTTP::Info` record. This should + ## Creates a URL from an :zeek:type:`HTTP::Info` record. This should ## handle edge cases such as proxied requests appropriately. ## - ## rec: An :bro:type:`HTTP::Info` record. + ## rec: An :zeek:type:`HTTP::Info` record. ## ## Returns: A URL prefixed with ``"http://"``. global build_url_http: function(rec: Info): string; diff --git a/scripts/base/protocols/imap/__load__.bro b/scripts/base/protocols/imap/__load__.zeek similarity index 100% rename from scripts/base/protocols/imap/__load__.bro rename to scripts/base/protocols/imap/__load__.zeek diff --git a/scripts/base/protocols/imap/main.bro b/scripts/base/protocols/imap/main.zeek similarity index 83% rename from scripts/base/protocols/imap/main.bro rename to scripts/base/protocols/imap/main.zeek index 9f0305c80c..30bfeab229 100644 --- a/scripts/base/protocols/imap/main.bro +++ b/scripts/base/protocols/imap/main.zeek @@ -4,7 +4,7 @@ module IMAP; const ports = { 143/tcp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, ports); } diff --git a/scripts/base/protocols/irc/__load__.bro b/scripts/base/protocols/irc/__load__.zeek similarity index 100% rename from scripts/base/protocols/irc/__load__.bro rename to scripts/base/protocols/irc/__load__.zeek 
diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.zeek similarity index 98% rename from scripts/base/protocols/irc/dcc-send.bro rename to scripts/base/protocols/irc/dcc-send.zeek index 44d939209e..bf5094a4f2 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.zeek @@ -65,10 +65,8 @@ function log_dcc(f: fa_file) { if ( ! f?$conns ) return; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - local c: connection = f$conns[cid]; - if ( [cid$resp_h, cid$resp_p] !in dcc_expected_transfers ) next; local irc = dcc_expected_transfers[cid$resp_h, cid$resp_p]; diff --git a/scripts/base/protocols/irc/files.bro b/scripts/base/protocols/irc/files.zeek similarity index 97% rename from scripts/base/protocols/irc/files.bro rename to scripts/base/protocols/irc/files.zeek index 759acdca81..59b178f4df 100644 --- a/scripts/base/protocols/irc/files.bro +++ b/scripts/base/protocols/irc/files.zeek @@ -23,7 +23,7 @@ function get_file_handle(c: connection, is_orig: bool): string return cat(Analyzer::ANALYZER_IRC_DATA, c$start_time, c$id, is_orig); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [$get_file_handle = IRC::get_file_handle]); diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.zeek similarity index 99% rename from scripts/base/protocols/irc/main.bro rename to scripts/base/protocols/irc/main.zeek index c2de29da6a..85a8795e88 100644 --- a/scripts/base/protocols/irc/main.bro +++ b/scripts/base/protocols/irc/main.zeek @@ -41,7 +41,7 @@ redef record connection += { const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log, $path="irc"]); Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports); 
diff --git a/scripts/base/protocols/krb/__load__.bro b/scripts/base/protocols/krb/__load__.zeek similarity index 100% rename from scripts/base/protocols/krb/__load__.bro rename to scripts/base/protocols/krb/__load__.zeek diff --git a/scripts/base/protocols/krb/consts.bro b/scripts/base/protocols/krb/consts.zeek similarity index 100% rename from scripts/base/protocols/krb/consts.bro rename to scripts/base/protocols/krb/consts.zeek diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.zeek similarity index 96% rename from scripts/base/protocols/krb/files.bro rename to scripts/base/protocols/krb/files.zeek index 5a155d9184..c7dde949f2 100644 --- a/scripts/base/protocols/krb/files.bro +++ b/scripts/base/protocols/krb/files.zeek @@ -48,11 +48,10 @@ function describe_file(f: fa_file): string # are already populated). # # Just return a bit of our connection information and hope that that is good enough. - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - if ( f$conns[cid]?$krb ) + if ( c?$krb ) { - local c = f$conns[cid]; return cat(c$id$resp_h, ":", c$id$resp_p); } } @@ -62,7 +61,7 @@ function describe_file(f: fa_file): string f$info$x509$certificate$issuer); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [$get_file_handle = KRB::get_file_handle, diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.zeek similarity index 99% rename from scripts/base/protocols/krb/main.bro rename to scripts/base/protocols/krb/main.zeek index 076ea0e171..72103104d5 100644 --- a/scripts/base/protocols/krb/main.bro +++ b/scripts/base/protocols/krb/main.zeek 
@@ -73,7 +73,7 @@ const tcp_ports = { 88/tcp }; const udp_ports = { 88/udp }; redef likely_server_ports += { tcp_ports, udp_ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports); diff --git a/scripts/base/protocols/modbus/__load__.bro b/scripts/base/protocols/modbus/__load__.zeek similarity index 100% rename from scripts/base/protocols/modbus/__load__.bro rename to scripts/base/protocols/modbus/__load__.zeek diff --git a/scripts/base/protocols/modbus/consts.bro b/scripts/base/protocols/modbus/consts.zeek similarity index 100% rename from scripts/base/protocols/modbus/consts.bro rename to scripts/base/protocols/modbus/consts.zeek diff --git a/scripts/base/protocols/modbus/main.bro b/scripts/base/protocols/modbus/main.zeek similarity index 98% rename from scripts/base/protocols/modbus/main.bro rename to scripts/base/protocols/modbus/main.zeek index 5a30d170e5..d8866cefa1 100644 --- a/scripts/base/protocols/modbus/main.bro +++ b/scripts/base/protocols/modbus/main.zeek @@ -32,7 +32,7 @@ redef record connection += { const ports = { 502/tcp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus, $path="modbus"]); Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports); diff --git a/scripts/base/protocols/mysql/__load__.bro b/scripts/base/protocols/mysql/__load__.zeek similarity index 100% rename from scripts/base/protocols/mysql/__load__.bro rename to scripts/base/protocols/mysql/__load__.zeek diff --git a/scripts/base/protocols/mysql/consts.bro b/scripts/base/protocols/mysql/consts.zeek similarity index 100% rename from scripts/base/protocols/mysql/consts.bro rename to scripts/base/protocols/mysql/consts.zeek 
diff --git a/scripts/base/protocols/mysql/main.bro b/scripts/base/protocols/mysql/main.zeek similarity index 98% rename from scripts/base/protocols/mysql/main.bro rename to scripts/base/protocols/mysql/main.zeek index e4ba07cbca..e4c76dd5bc 100644 --- a/scripts/base/protocols/mysql/main.bro +++ b/scripts/base/protocols/mysql/main.zeek @@ -37,7 +37,7 @@ redef record connection += { const ports = { 1434/tcp, 3306/tcp }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql, $path="mysql"]); Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports); diff --git a/scripts/base/protocols/ntlm/__load__.bro b/scripts/base/protocols/ntlm/__load__.zeek similarity index 100% rename from scripts/base/protocols/ntlm/__load__.bro rename to scripts/base/protocols/ntlm/__load__.zeek diff --git a/scripts/base/protocols/ntlm/main.bro b/scripts/base/protocols/ntlm/main.zeek similarity index 98% rename from scripts/base/protocols/ntlm/main.bro rename to scripts/base/protocols/ntlm/main.zeek index 88a484e090..231f90473d 100644 --- a/scripts/base/protocols/ntlm/main.bro +++ b/scripts/base/protocols/ntlm/main.zeek @@ -42,7 +42,7 @@ redef record connection += { ntlm: Info &optional; }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm"]); } diff --git a/scripts/base/protocols/pop3/__load__.bro b/scripts/base/protocols/pop3/__load__.zeek similarity index 100% rename from scripts/base/protocols/pop3/__load__.bro rename to scripts/base/protocols/pop3/__load__.zeek diff --git a/scripts/base/protocols/radius/__load__.bro b/scripts/base/protocols/radius/__load__.zeek similarity index 100% rename from scripts/base/protocols/radius/__load__.bro rename to scripts/base/protocols/radius/__load__.zeek 
diff --git a/scripts/base/protocols/radius/consts.bro b/scripts/base/protocols/radius/consts.zeek similarity index 100% rename from scripts/base/protocols/radius/consts.bro rename to scripts/base/protocols/radius/consts.zeek diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.zeek similarity index 98% rename from scripts/base/protocols/radius/main.bro rename to scripts/base/protocols/radius/main.zeek index ea30b27911..6cd69227c8 100644 --- a/scripts/base/protocols/radius/main.bro +++ b/scripts/base/protocols/radius/main.zeek @@ -2,7 +2,7 @@ module RADIUS; -@load ./consts.bro +@load ./consts @load base/utils/addrs export { @@ -56,7 +56,7 @@ redef record connection += { const ports = { 1812/udp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius, $path="radius"]); Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports); diff --git a/scripts/base/protocols/rdp/__load__.bro b/scripts/base/protocols/rdp/__load__.zeek similarity index 100% rename from scripts/base/protocols/rdp/__load__.bro rename to scripts/base/protocols/rdp/__load__.zeek diff --git a/scripts/base/protocols/rdp/consts.bro b/scripts/base/protocols/rdp/consts.zeek similarity index 100% rename from scripts/base/protocols/rdp/consts.bro rename to scripts/base/protocols/rdp/consts.zeek diff --git a/scripts/base/protocols/rdp/main.bro b/scripts/base/protocols/rdp/main.zeek similarity index 99% rename from scripts/base/protocols/rdp/main.bro rename to scripts/base/protocols/rdp/main.zeek index 30d5764ce3..39c3ef8fd8 100644 --- a/scripts/base/protocols/rdp/main.bro +++ b/scripts/base/protocols/rdp/main.zeek 
@@ -86,7 +86,7 @@ redef record connection += { const ports = { 3389/tcp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(RDP::LOG, [$columns=RDP::Info, $ev=log_rdp, $path="rdp"]); Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, ports); diff --git a/scripts/base/protocols/rfb/__load__.bro b/scripts/base/protocols/rfb/__load__.zeek similarity index 100% rename from scripts/base/protocols/rfb/__load__.bro rename to scripts/base/protocols/rfb/__load__.zeek diff --git a/scripts/base/protocols/rfb/main.bro b/scripts/base/protocols/rfb/main.zeek similarity index 99% rename from scripts/base/protocols/rfb/main.bro rename to scripts/base/protocols/rfb/main.zeek index ff05063538..ae9d3ca508 100644 --- a/scripts/base/protocols/rfb/main.bro +++ b/scripts/base/protocols/rfb/main.zeek @@ -76,7 +76,7 @@ redef record connection += { rfb: Info &optional; }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]); } diff --git a/scripts/base/protocols/sip/__load__.bro b/scripts/base/protocols/sip/__load__.zeek similarity index 100% rename from scripts/base/protocols/sip/__load__.bro rename to scripts/base/protocols/sip/__load__.zeek diff --git a/scripts/base/protocols/sip/main.bro b/scripts/base/protocols/sip/main.zeek similarity index 97% rename from scripts/base/protocols/sip/main.bro rename to scripts/base/protocols/sip/main.zeek index 1089f0c1a4..e0647e6494 100644 --- a/scripts/base/protocols/sip/main.bro +++ b/scripts/base/protocols/sip/main.zeek @@ -98,7 +98,7 @@ redef record connection += { const ports = { 5060/udp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip, $path="sip"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, ports); 
@@ -149,13 +149,13 @@ function flush_pending(c: connection) # Flush all pending but incomplete request/response pairs. if ( c?$sip_state ) { - for ( r in c$sip_state$pending ) + for ( r, info in c$sip_state$pending ) { # We don't use pending elements at index 0. if ( r == 0 ) next; - Log::write(SIP::LOG, c$sip_state$pending[r]); + Log::write(SIP::LOG, info); } } } @@ -293,9 +293,9 @@ event connection_state_remove(c: connection) &priority=-5 { if ( c?$sip_state ) { - for ( r in c$sip_state$pending ) + for ( r, info in c$sip_state$pending ) { - Log::write(SIP::LOG, c$sip_state$pending[r]); + Log::write(SIP::LOG, info); } } } diff --git a/scripts/base/protocols/smb/__load__.bro b/scripts/base/protocols/smb/__load__.zeek similarity index 100% rename from scripts/base/protocols/smb/__load__.bro rename to scripts/base/protocols/smb/__load__.zeek diff --git a/scripts/base/protocols/smb/const-dos-error.bro b/scripts/base/protocols/smb/const-dos-error.zeek similarity index 100% rename from scripts/base/protocols/smb/const-dos-error.bro rename to scripts/base/protocols/smb/const-dos-error.zeek diff --git a/scripts/base/protocols/smb/const-nt-status.bro b/scripts/base/protocols/smb/const-nt-status.zeek similarity index 100% rename from scripts/base/protocols/smb/const-nt-status.bro rename to scripts/base/protocols/smb/const-nt-status.zeek diff --git a/scripts/base/protocols/smb/consts.bro b/scripts/base/protocols/smb/consts.zeek similarity index 99% rename from scripts/base/protocols/smb/consts.bro rename to scripts/base/protocols/smb/consts.zeek index f36d029be9..32a03dd17d 100644 --- a/scripts/base/protocols/smb/consts.bro +++ b/scripts/base/protocols/smb/consts.zeek @@ -12,7 +12,7 @@ export { ## Heuristic detection of named pipes when the pipe ## mapping isn't seen. This variable is defined in - ## init-bare.bro. + ## init-bare.zeek. redef SMB::pipe_filenames = { "spoolss", "winreg", 
diff --git a/scripts/base/protocols/smb/files.bro b/scripts/base/protocols/smb/files.zeek
similarity index 90%
rename from scripts/base/protocols/smb/files.bro
rename to scripts/base/protocols/smb/files.zeek
index d01aa815a5..ac719d728f 100644
--- a/scripts/base/protocols/smb/files.bro
+++ b/scripts/base/protocols/smb/files.zeek
@@ -38,16 +38,15 @@ function describe_file(f: fa_file): string
if ( f$source != "SMB" )
return "";
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- local info = f$conns[cid];
- if ( info?$smb_state && info$smb_state?$current_file && info$smb_state$current_file?$name )
- return info$smb_state$current_file$name;
+ if ( c?$smb_state && c$smb_state?$current_file && c$smb_state$current_file?$name )
+ return c$smb_state$current_file$name;
}
return "";
}
-event bro_init() &priority=5
+event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_SMB,
[$get_file_handle = SMB::get_file_handle,
@@ -65,5 +64,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
if ( c$smb_state$current_file?$name )
f$info$filename = c$smb_state$current_file$name;
+ write_file_log(c$smb_state);
}
}
diff --git a/scripts/base/protocols/smb/main.bro b/scripts/base/protocols/smb/main.zeek
similarity index 98%
rename from scripts/base/protocols/smb/main.bro
rename to scripts/base/protocols/smb/main.zeek
index 14ecbecf46..5524bde4f0 100644
--- a/scripts/base/protocols/smb/main.bro
+++ b/scripts/base/protocols/smb/main.zeek
@@ -177,7 +177,7 @@ redef record FileInfo += {
const ports = { 139/tcp, 445/tcp };
redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
{
Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]);
Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]);
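Review bot: In the `file_over_new_connection` hunk, `write_file_log(c$smb_state)` now runs for every SMB file as it first appears on the connection, and the `file_state_remove` handler in the smb/main.zeek section further down this page still calls `write_file_log(c$smb_state)` for the same `current_file`; unless `write_file_log` itself suppresses repeats (its body is not in this diff), the same file record reaches smb_files.log twice, once at file start and once at file end. Either guard the new call with a flag on `current_file` that the later call checks, or state the de-duplication contract here, e.g. `# write_file_log is expected to suppress a repeat write for the same file; see smb/main.zeek`. Apart from the added line, both callers and `write_file_log` itself are outside this hunk.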
@@ -238,9 +238,8 @@ event file_state_remove(f: fa_file) &priority=-5 if ( f$source != "SMB" ) return; - for ( id in f$conns ) + for ( id, c in f$conns ) { - local c = f$conns[id]; if ( c?$smb_state && c$smb_state?$current_file) { write_file_log(c$smb_state); diff --git a/scripts/base/protocols/smb/smb1-main.bro b/scripts/base/protocols/smb/smb1-main.zeek similarity index 100% rename from scripts/base/protocols/smb/smb1-main.bro rename to scripts/base/protocols/smb/smb1-main.zeek diff --git a/scripts/base/protocols/smb/smb2-main.bro b/scripts/base/protocols/smb/smb2-main.zeek similarity index 100% rename from scripts/base/protocols/smb/smb2-main.bro rename to scripts/base/protocols/smb/smb2-main.zeek diff --git a/scripts/base/protocols/smtp/__load__.bro b/scripts/base/protocols/smtp/__load__.zeek similarity index 100% rename from scripts/base/protocols/smtp/__load__.bro rename to scripts/base/protocols/smtp/__load__.zeek diff --git a/scripts/base/protocols/smtp/entities.bro b/scripts/base/protocols/smtp/entities.zeek similarity index 100% rename from scripts/base/protocols/smtp/entities.bro rename to scripts/base/protocols/smtp/entities.zeek diff --git a/scripts/base/protocols/smtp/files.bro b/scripts/base/protocols/smtp/files.zeek similarity index 93% rename from scripts/base/protocols/smtp/files.bro rename to scripts/base/protocols/smtp/files.zeek index a65b90b528..cb38c27c97 100644 --- a/scripts/base/protocols/smtp/files.bro +++ b/scripts/base/protocols/smtp/files.zeek @@ -31,15 +31,14 @@ function describe_file(f: fa_file): string if ( f$source != "SMTP" ) return ""; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - local c = f$conns[cid]; return SMTP::describe(c$smtp); } return ""; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Files::register_protocol(Analyzer::ANALYZER_SMTP, [$get_file_handle = SMTP::get_file_handle, 
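Review bot: In the smtp/files.zeek describe_file hunk the loop body is a bare `return SMTP::describe(c$smtp);`, so only the first connection in `f$conns` (in table iteration order) is examined and `c$smtp` is read without a `c?$smtp` guard, unlike the SMB and SSL describe_file variants in this commit, which test the optional field first. The guard is not something this commit removed, but the rewritten loop header is the natural place to add it: `if ( c?$smtp ) return SMTP::describe(c$smtp);`. The function begins outside the hunk.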
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.zeek similarity index 99% rename from scripts/base/protocols/smtp/main.bro rename to scripts/base/protocols/smtp/main.zeek index faa73d2412..b13bbadb8d 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.zeek @@ -92,7 +92,7 @@ redef record connection += { const ports = { 25/tcp, 587/tcp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp, $path="smtp"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports); diff --git a/scripts/base/protocols/snmp/__load__.bro b/scripts/base/protocols/snmp/__load__.zeek similarity index 100% rename from scripts/base/protocols/snmp/__load__.bro rename to scripts/base/protocols/snmp/__load__.zeek diff --git a/scripts/base/protocols/snmp/main.bro b/scripts/base/protocols/snmp/main.zeek similarity index 99% rename from scripts/base/protocols/snmp/main.bro rename to scripts/base/protocols/snmp/main.zeek index ec45d59440..606d3e9c76 100644 --- a/scripts/base/protocols/snmp/main.bro +++ b/scripts/base/protocols/snmp/main.zeek @@ -63,7 +63,7 @@ redef record connection += { const ports = { 161/udp, 162/udp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports); Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp, $path="snmp"]); diff --git a/scripts/base/protocols/socks/__load__.bro b/scripts/base/protocols/socks/__load__.zeek similarity index 100% rename from scripts/base/protocols/socks/__load__.bro rename to scripts/base/protocols/socks/__load__.zeek diff --git a/scripts/base/protocols/socks/consts.bro b/scripts/base/protocols/socks/consts.zeek similarity index 100% rename from scripts/base/protocols/socks/consts.bro rename to scripts/base/protocols/socks/consts.zeek 
diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.zeek similarity index 99% rename from scripts/base/protocols/socks/main.bro rename to scripts/base/protocols/socks/main.zeek index 341b6bbc84..2ca9dfc175 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.zeek @@ -47,7 +47,7 @@ export { const ports = { 1080/tcp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks, $path="socks"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports); diff --git a/scripts/base/protocols/ssh/__load__.bro b/scripts/base/protocols/ssh/__load__.zeek similarity index 100% rename from scripts/base/protocols/ssh/__load__.bro rename to scripts/base/protocols/ssh/__load__.zeek diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.zeek similarity index 97% rename from scripts/base/protocols/ssh/main.bro rename to scripts/base/protocols/ssh/main.zeek index 4452424512..293c529b6d 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.zeek @@ -75,7 +75,7 @@ export { ## c: The connection over which the :abbr:`SSH (Secure Shell)` ## connection took place. ## - ## .. bro:see:: ssh_server_version ssh_client_version + ## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_result ssh_auth_attempted ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params 
@@ -98,7 +98,7 @@ export { ## auth_attempts: The number of authentication attempts that were ## observed. ## - ## .. bro:see:: ssh_server_version ssh_client_version + ## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_attempted ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params @@ -106,10 +106,10 @@ export { global ssh_auth_result: event(c: connection, result: bool, auth_attempts: count); ## Event that can be handled when the analyzer sees an SSH server host - ## key. This abstracts :bro:id:`ssh1_server_host_key` and - ## :bro:id:`ssh2_server_host_key`. + ## key. This abstracts :zeek:id:`ssh1_server_host_key` and + ## :zeek:id:`ssh2_server_host_key`. ## - ## .. bro:see:: ssh_server_version ssh_client_version + ## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_result ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key ## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params @@ -136,7 +136,7 @@ redef record connection += { const ports = { 22/tcp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports); Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh"]); diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.zeek similarity index 100% rename from scripts/base/protocols/ssl/__load__.bro rename to scripts/base/protocols/ssl/__load__.zeek diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.zeek similarity index 99% rename from scripts/base/protocols/ssl/consts.bro rename to scripts/base/protocols/ssl/consts.zeek index aaac5aab84..dc4f72674b 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.zeek 
@@ -78,6 +78,7 @@ export { [4] = "sha256", [5] = "sha384", [6] = "sha512", + [8] = "Intrinsic", } &default=function(i: count):string { return fmt("unknown-%d", i); }; ## Mapping between numeric codes and human readable strings for signature @@ -87,6 +88,16 @@ export { [1] = "rsa", [2] = "dsa", [3] = "ecdsa", + [4] = "rsa_pss_sha256", + [5] = "rsa_pss_sha384", + [6] = "rsa_pss_sha512", + [7] = "ed25519", + [8] = "ed448", + [9] = "rsa_pss_sha256", + [10] = "rsa_pss_sha384", + [11] = "rsa_pss_sha512", + [64] = "gostr34102012_256", + [65] = "gostr34102012_256", } &default=function(i: count):string { return fmt("unknown-%d", i); }; ## Mapping between numeric codes and human readable strings for alert diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.zeek similarity index 100% rename from scripts/base/protocols/ssl/ct-list.bro rename to scripts/base/protocols/ssl/ct-list.zeek diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.zeek similarity index 95% rename from scripts/base/protocols/ssl/files.bro rename to scripts/base/protocols/ssl/files.zeek index d0d89561e3..fd3080b47d 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.zeek @@ -66,11 +66,10 @@ function describe_file(f: fa_file): string # are already populated). # # Just return a bit of our connection information and hope that that is good enough. - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - if ( f$conns[cid]?$ssl ) + if ( c?$ssl ) { - local c = f$conns[cid]; return cat(c$id$resp_h, ":", c$id$resp_p); } } @@ -80,7 +79,7 @@ function describe_file(f: fa_file): string f$info$x509$certificate$issuer); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Files::register_protocol(Analyzer::ANALYZER_SSL, [$get_file_handle = SSL::get_file_handle, 
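Review bot: In the signature-algorithm table, `[65] = "gostr34102012_256"` repeats the name already given to 64; the IANA TLS SignatureAlgorithm registry lists 65 as gostr34102012_512, so this looks like a copy-paste slip and should read `[65] = "gostr34102012_512",`. Entries 4–6 and 9–11 are also both labelled rsa_pss_sha*, which folds TLS 1.3's rsa_pss_rsae_* (0x0804–0x0806) and rsa_pss_pss_* (0x0809–0x080b) into the same string in ssl.log; naming them `rsa_pss_rsae_sha256` / `rsa_pss_pss_sha256` and so on would preserve the distinction. The hash-algorithm entry `[8] = "Intrinsic"` matches the registry.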
@@ -103,12 +102,12 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 || f$info$mime_type == "application/pkix-cert" ) ) return; - for ( cid in f$conns ) - { - if ( ! f$conns[cid]?$ssl ) - return; + local c: connection; - local c = f$conns[cid]; + for ( cid, c in f$conns ) + { + if ( ! c?$ssl ) + return; } if ( ! c$ssl?$cert_chain ) diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.zeek similarity index 99% rename from scripts/base/protocols/ssl/main.bro rename to scripts/base/protocols/ssl/main.zeek index 8abb6e1d3f..cc656d44b8 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.zeek @@ -69,7 +69,7 @@ export { logged: bool &default=F; }; - ## The default root CA bundle. By default, the mozilla-ca-list.bro + ## The default root CA bundle. By default, the mozilla-ca-list.zeek ## script sets this to Mozilla's root CA list. const root_certs: table[string] of string = {} &redef; @@ -88,7 +88,7 @@ export { url: string; }; - ## The Certificate Transparency log bundle. By default, the ct-list.bro + ## The Certificate Transparency log bundle. By default, the ct-list.zeek ## script sets this to the current list of known logs. Entries ## are indexed by (binary) log-id. option ct_logs: table[string] of CTInfo = {}; @@ -137,7 +137,7 @@ const dtls_ports = { 443/udp }; redef likely_server_ports += { ssl_ports, dtls_ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports); diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.bro b/scripts/base/protocols/ssl/mozilla-ca-list.zeek similarity index 100% rename from scripts/base/protocols/ssl/mozilla-ca-list.bro rename to scripts/base/protocols/ssl/mozilla-ca-list.zeek 
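Review bot: `local c: connection;` is now declared ahead of the loop so that the `c$ssl?$cert_chain` check after it uses the last iterated connection; when `f$conns` is empty the loop never assigns `c` and that check reads an uninitialized local (a runtime error, as far as I can tell), and with several entries the one chosen depends on table iteration order. The old code had the same shape, but the explicit declaration makes the gap visible enough to close: `if ( |f$conns| == 0 ) return;` before the loop, plus a comment that any connection carrying `$ssl` is acceptable here. The rest of file_sniff lies outside the hunk.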
diff --git a/scripts/base/protocols/syslog/__load__.bro b/scripts/base/protocols/syslog/__load__.zeek similarity index 100% rename from scripts/base/protocols/syslog/__load__.bro rename to scripts/base/protocols/syslog/__load__.zeek diff --git a/scripts/base/protocols/syslog/consts.bro b/scripts/base/protocols/syslog/consts.zeek similarity index 95% rename from scripts/base/protocols/syslog/consts.bro rename to scripts/base/protocols/syslog/consts.zeek index dce1877ecf..c68cbda658 100644 --- a/scripts/base/protocols/syslog/consts.bro +++ b/scripts/base/protocols/syslog/consts.zeek @@ -29,6 +29,7 @@ export { [21] = "LOCAL5", [22] = "LOCAL6", [23] = "LOCAL7", + [999] = "UNSPECIFIED", } &default=function(c: count): string { return fmt("?-%d", c); }; ## Mapping between the constants and string values for syslog severities. @@ -41,5 +42,6 @@ export { [5] = "NOTICE", [6] = "INFO", [7] = "DEBUG", + [999] = "UNSPECIFIED", } &default=function(c: count): string { return fmt("?-%d", c); }; -} \ No newline at end of file +} diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.zeek similarity index 98% rename from scripts/base/protocols/syslog/main.bro rename to scripts/base/protocols/syslog/main.zeek index 6e74760225..6b8cc7fb77 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.zeek @@ -34,7 +34,7 @@ redef record connection += { const ports = { 514/udp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog"]); Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports); diff --git a/scripts/base/protocols/tunnels/__load__.bro b/scripts/base/protocols/tunnels/__load__.zeek similarity index 100% rename from scripts/base/protocols/tunnels/__load__.bro rename to scripts/base/protocols/tunnels/__load__.zeek 
diff --git a/scripts/base/protocols/xmpp/__load__.bro b/scripts/base/protocols/xmpp/__load__.zeek similarity index 100% rename from scripts/base/protocols/xmpp/__load__.bro rename to scripts/base/protocols/xmpp/__load__.zeek diff --git a/scripts/base/protocols/xmpp/main.bro b/scripts/base/protocols/xmpp/main.zeek similarity index 84% rename from scripts/base/protocols/xmpp/main.bro rename to scripts/base/protocols/xmpp/main.zeek index 3d7a4cbc37..587432561f 100644 --- a/scripts/base/protocols/xmpp/main.bro +++ b/scripts/base/protocols/xmpp/main.zeek @@ -4,7 +4,7 @@ module XMPP; const ports = { 5222/tcp, 5269/tcp }; redef likely_server_ports += { ports }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, ports); } diff --git a/scripts/base/utils/active-http.bro b/scripts/base/utils/active-http.zeek similarity index 90% rename from scripts/base/utils/active-http.bro rename to scripts/base/utils/active-http.zeek index a6b0f8111c..27eb6e2bb2 100644 --- a/scripts/base/utils/active-http.bro +++ b/scripts/base/utils/active-http.zeek @@ -46,7 +46,7 @@ export { }; ## Perform an HTTP request according to the - ## :bro:type:`ActiveHTTP::Request` record. This is an asynchronous + ## :zeek:type:`ActiveHTTP::Request` record. This is an asynchronous ## function and must be called within a "when" statement. ## ## req: A record instance representing all options for an HTTP request. @@ -57,10 +57,10 @@ export { function request2curl(r: Request, bodyfile: string, headersfile: string): string { - local cmd = fmt("curl -s -g -o \"%s\" -D \"%s\" -X \"%s\"", - str_shell_escape(bodyfile), - str_shell_escape(headersfile), - str_shell_escape(r$method)); + local cmd = fmt("curl -s -g -o %s -D %s -X %s", + safe_shell_quote(bodyfile), + safe_shell_quote(headersfile), + safe_shell_quote(r$method)); cmd = fmt("%s -m %.0f", cmd, r$max_time); 
@@ -70,9 +70,9 @@ function request2curl(r: Request, bodyfile: string, headersfile: string): string if ( r?$addl_curl_args ) cmd = fmt("%s %s", cmd, r$addl_curl_args); - cmd = fmt("%s \"%s\"", cmd, str_shell_escape(r$url)); + cmd = fmt("%s %s", cmd, safe_shell_quote(r$url)); # Make sure file will exist even if curl did not write one. - cmd = fmt("%s && touch %s", cmd, str_shell_escape(bodyfile)); + cmd = fmt("%s && touch %s", cmd, safe_shell_quote(bodyfile)); return cmd; } diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.zeek similarity index 100% rename from scripts/base/utils/addrs.bro rename to scripts/base/utils/addrs.zeek diff --git a/scripts/base/utils/conn-ids.bro b/scripts/base/utils/conn-ids.zeek similarity index 93% rename from scripts/base/utils/conn-ids.bro rename to scripts/base/utils/conn-ids.zeek index 6601b665e5..b5d7fffd77 100644 --- a/scripts/base/utils/conn-ids.bro +++ b/scripts/base/utils/conn-ids.zeek @@ -13,7 +13,7 @@ export { ## on the right to the originator on the left. global reverse_id_string: function(id: conn_id): string; - ## Calls :bro:id:`id_string` or :bro:id:`reverse_id_string` if the + ## Calls :zeek:id:`id_string` or :zeek:id:`reverse_id_string` if the ## second argument is T or F, respectively. global directed_id_string: function(id: conn_id, is_orig: bool): string; } diff --git a/scripts/base/utils/dir.bro b/scripts/base/utils/dir.zeek similarity index 92% rename from scripts/base/utils/dir.bro rename to scripts/base/utils/dir.zeek index c3598d039d..678e81d7ed 100644 --- a/scripts/base/utils/dir.bro +++ b/scripts/base/utils/dir.zeek @@ -6,7 +6,7 @@ module Dir; export { ## The default interval this module checks for files in directories when - ## using the :bro:see:`Dir::monitor` function. + ## using the :zeek:see:`Dir::monitor` function. option polling_interval = 30sec; ## Register a directory to monitor with a callback that is called 
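Review bot: The context line `cmd = fmt("%s %s", cmd, r$addl_curl_args);` still splices `addl_curl_args` into the shell command verbatim, while every other caller-controlled value in request2curl is now wrapped with safe_shell_quote. That is presumably intentional, since the field carries a string of curl options rather than a single argument, but it is the one remaining unquoted path into the command handed to Exec::run; a comment on that line such as `# addl_curl_args is an option string authored by the script, not data; deliberately left unquoted.` would record the contract. The start of request2curl is in the previous hunk.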
@@ -28,7 +28,7 @@ event Dir::monitor_ev(dir: string, last_files: set[string], callback: function(fname: string), poll_interval: interval) { - when ( local result = Exec::run([$cmd=fmt("ls -1 \"%s/\"", str_shell_escape(dir))]) ) + when ( local result = Exec::run([$cmd=fmt("ls -1 %s/", safe_shell_quote(dir))]) ) { if ( result$exit_code != 0 ) { diff --git a/scripts/base/utils/directions-and-hosts.bro b/scripts/base/utils/directions-and-hosts.zeek similarity index 100% rename from scripts/base/utils/directions-and-hosts.bro rename to scripts/base/utils/directions-and-hosts.zeek diff --git a/scripts/base/utils/email.bro b/scripts/base/utils/email.zeek similarity index 100% rename from scripts/base/utils/email.bro rename to scripts/base/utils/email.zeek diff --git a/scripts/base/utils/exec.bro b/scripts/base/utils/exec.zeek similarity index 96% rename from scripts/base/utils/exec.bro rename to scripts/base/utils/exec.zeek index 37668c0bc6..85500bf9c2 100644 --- a/scripts/base/utils/exec.bro +++ b/scripts/base/utils/exec.zeek @@ -8,7 +8,7 @@ export { type Command: record { ## The command line to execute. Use care to avoid injection ## attacks (i.e., if the command uses untrusted/variable data, - ## sanitize it with :bro:see:`str_shell_escape`). + ## sanitize it with :zeek:see:`safe_shell_quote`). cmd: string; ## Provide standard input to the program as a string. stdin: string &default=""; @@ -122,7 +122,7 @@ event Input::end_of_data(orig_name: string, source:string) delete pending_files[name][track_file]; if ( |pending_files[name]| == 0 ) delete pending_commands[name]; - system(fmt("rm \"%s\"", str_shell_escape(track_file))); + system(fmt("rm %s", safe_shell_quote(track_file))); } } 
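Review bot: `system(fmt("rm %s", safe_shell_quote(track_file)))` in the Input::end_of_data hunk quotes the filename but does not end option parsing, so a name beginning with `-` would still be read by rm as a flag; `system(fmt("rm -- %s", safe_shell_quote(track_file)));` closes that. The same form appears in the zeek_done hunk of this file, where `fname` is removed. The files are presumably created by the exec module itself, so the exposure is small, but the `--` costs nothing.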
@@ -186,10 +186,10 @@ function run(cmd: Command): Result } } -event bro_done() +event zeek_done() { # We are punting here and just deleting any unprocessed files. for ( uid in pending_files ) for ( fname in pending_files[uid] ) - system(fmt("rm \"%s\"", str_shell_escape(fname))); + system(fmt("rm %s", safe_shell_quote(fname))); } diff --git a/scripts/base/utils/files.bro b/scripts/base/utils/files.zeek similarity index 100% rename from scripts/base/utils/files.bro rename to scripts/base/utils/files.zeek diff --git a/scripts/base/utils/geoip-distance.bro b/scripts/base/utils/geoip-distance.zeek similarity index 93% rename from scripts/base/utils/geoip-distance.bro rename to scripts/base/utils/geoip-distance.zeek index 8d3149cb03..8aa2601500 100644 --- a/scripts/base/utils/geoip-distance.bro +++ b/scripts/base/utils/geoip-distance.zeek @@ -10,7 +10,7 @@ ## Returns: The distance between *a1* and *a2* in miles, or -1.0 if GeoIP data ## is not available for either of the IP addresses. ## -## .. bro:see:: haversine_distance lookup_location +## .. zeek:see:: haversine_distance lookup_location function haversine_distance_ip(a1: addr, a2: addr): double { local loc1 = lookup_location(a1); diff --git a/scripts/base/utils/hash_hrw.bro b/scripts/base/utils/hash_hrw.zeek similarity index 100% rename from scripts/base/utils/hash_hrw.bro rename to scripts/base/utils/hash_hrw.zeek diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.zeek similarity index 94% rename from scripts/base/utils/json.bro rename to scripts/base/utils/json.zeek index 45248e3ea2..ead214f93e 100644 --- a/scripts/base/utils/json.bro +++ b/scripts/base/utils/json.zeek 
@@ -57,9 +57,8 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p local rec_parts: string_vec = vector(); local ft = record_fields(v); - for ( field in ft ) + for ( field, field_desc in ft ) { - local field_desc = ft[field]; # replace the escape pattern in the field. if( field_escape_pattern in field ) field = cat(sub(field, field_escape_pattern, "")); @@ -87,11 +86,11 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p { local tab_parts: vector of string = vector(); local ta: table[bool] of any = v; - for ( ti in ta ) + for ( ti, tv in ta ) { local ts = to_json(ti); local if_quotes = (ts[0] == "\"") ? "" : "\""; - tab_parts += cat(if_quotes, ts, if_quotes, ": ", to_json(ta[ti], only_loggable)); + tab_parts += cat(if_quotes, ts, if_quotes, ": ", to_json(tv, only_loggable)); } return cat("{", join_string_vec(tab_parts, ", "), "}"); } diff --git a/scripts/base/utils/numbers.bro b/scripts/base/utils/numbers.zeek similarity index 100% rename from scripts/base/utils/numbers.bro rename to scripts/base/utils/numbers.zeek diff --git a/scripts/base/utils/paths.bro b/scripts/base/utils/paths.zeek similarity index 97% rename from scripts/base/utils/paths.bro rename to scripts/base/utils/paths.zeek index 6de5b85e2e..fdc9bd5d3d 100644 --- a/scripts/base/utils/paths.bro +++ b/scripts/base/utils/paths.zeek @@ -75,7 +75,7 @@ function build_path(dir: string, file_name: string): string } ## Returns a compressed path to a file given a directory and file name. -## See :bro:id:`build_path` and :bro:id:`compress_path`. +## See :zeek:id:`build_path` and :zeek:id:`compress_path`. function build_path_compressed(dir: string, file_name: string): string { return compress_path(build_path(dir, file_name)); diff --git a/scripts/base/utils/patterns.bro b/scripts/base/utils/patterns.zeek similarity index 97% rename from scripts/base/utils/patterns.bro rename to scripts/base/utils/patterns.zeek index 47b8cf4e37..6d955339f8 100644 
--- a/scripts/base/utils/patterns.bro +++ b/scripts/base/utils/patterns.zeek @@ -37,7 +37,7 @@ type PatternMatchResult: record { }; ## Matches the given pattern against the given string, returning -## a :bro:type:`PatternMatchResult` record. +## a :zeek:type:`PatternMatchResult` record. ## For example: ``match_pattern("foobar", /o*[a-k]/)`` returns ## ``[matched=T, str=f, off=1]``, because the *first* match is for ## zero o's followed by an [a-k], but ``match_pattern("foobar", /o+[a-k]/)`` diff --git a/scripts/base/utils/queue.bro b/scripts/base/utils/queue.zeek similarity index 100% rename from scripts/base/utils/queue.bro rename to scripts/base/utils/queue.zeek diff --git a/scripts/base/utils/site.bro b/scripts/base/utils/site.zeek similarity index 88% rename from scripts/base/utils/site.bro rename to scripts/base/utils/site.zeek index aa40e1b92b..949f340410 100644 --- a/scripts/base/utils/site.bro +++ b/scripts/base/utils/site.zeek @@ -22,9 +22,9 @@ export { option local_nets: set[subnet] = {}; ## This is used for retrieving the subnet when using multiple entries in - ## :bro:id:`Site::local_nets`. It's populated automatically from there. + ## :zeek:id:`Site::local_nets`. It's populated automatically from there. ## A membership query can be done with an - ## :bro:type:`addr` and the table will yield the subnet it was found + ## :zeek:type:`addr` and the table will yield the subnet it was found ## within. global local_nets_table: table[subnet] of subnet = {}; 
@@ -45,33 +45,33 @@ export { ## Function that returns true if an address corresponds to one of ## the local networks, false if not. - ## The function inspects :bro:id:`Site::local_nets`. + ## The function inspects :zeek:id:`Site::local_nets`. global is_local_addr: function(a: addr): bool; ## Function that returns true if an address corresponds to one of ## the neighbor networks, false if not. - ## The function inspects :bro:id:`Site::neighbor_nets`. + ## The function inspects :zeek:id:`Site::neighbor_nets`. global is_neighbor_addr: function(a: addr): bool; ## Function that returns true if an address corresponds to one of ## the private/unrouted networks, false if not. - ## The function inspects :bro:id:`Site::private_address_space`. + ## The function inspects :zeek:id:`Site::private_address_space`. global is_private_addr: function(a: addr): bool; ## Function that returns true if a host name is within a local ## DNS zone. - ## The function inspects :bro:id:`Site::local_zones`. + ## The function inspects :zeek:id:`Site::local_zones`. global is_local_name: function(name: string): bool; ## Function that returns true if a host name is within a neighbor ## DNS zone. - ## The function inspects :bro:id:`Site::neighbor_zones`. + ## The function inspects :zeek:id:`Site::neighbor_zones`. global is_neighbor_name: function(name: string): bool; ## Function that returns a comma-separated list of email addresses ## that are considered administrators for the IP address provided as ## an argument. - ## The function inspects :bro:id:`Site::local_admins`. + ## The function inspects :zeek:id:`Site::local_admins`. global get_emails: function(a: addr): string; } @@ -148,7 +148,7 @@ function get_emails(a: addr): string return fmt_email_string(find_all_emails(a)); } -event bro_init() &priority=10 +event zeek_init() &priority=10 { # Double backslashes are needed due to string parsing. local_dns_suffix_regex = set_to_regex(local_zones, "(^\\.?|\\.)(~~)$"); 
diff --git a/scripts/base/utils/strings.bro b/scripts/base/utils/strings.zeek similarity index 100% rename from scripts/base/utils/strings.bro rename to scripts/base/utils/strings.zeek diff --git a/scripts/base/utils/thresholds.bro b/scripts/base/utils/thresholds.zeek similarity index 79% rename from scripts/base/utils/thresholds.bro rename to scripts/base/utils/thresholds.zeek index 31d1d3e84f..d30e9f2b0a 100644 --- a/scripts/base/utils/thresholds.bro +++ b/scripts/base/utils/thresholds.zeek @@ -1,8 +1,8 @@ ##! Functions for using multiple thresholds with a counting tracker. For ##! example, you may want to generate a notice when something happens 10 times ##! and again when it happens 100 times but nothing in between. You can use -##! the :bro:id:`check_threshold` function to define your threshold points -##! and the :bro:type:`TrackCount` variable where you are keeping track of your +##! the :zeek:id:`check_threshold` function to define your threshold points +##! and the :zeek:type:`TrackCount` variable where you are keeping track of your ##! counter. module GLOBAL; @@ -18,12 +18,12 @@ export { }; ## The thresholds you would like to use as defaults with the - ## :bro:id:`default_check_threshold` function. + ## :zeek:id:`default_check_threshold` function. const default_notice_thresholds: vector of count = { 30, 100, 1000, 10000, 100000, 1000000, 10000000, } &redef; - ## This will check if a :bro:type:`TrackCount` variable has crossed any + ## This will check if a :zeek:type:`TrackCount` variable has crossed any ## thresholds in a given set. ## ## v: a vector holding counts that represent thresholds. 
@@ -34,8 +34,8 @@ export { ## Returns: T if a threshold has been crossed, else F. global check_threshold: function(v: vector of count, tracker: TrackCount): bool; - ## This will use the :bro:id:`default_notice_thresholds` variable to - ## check a :bro:type:`TrackCount` variable to see if it has crossed + ## This will use the :zeek:id:`default_notice_thresholds` variable to + ## check a :zeek:type:`TrackCount` variable to see if it has crossed ## another threshold. global default_check_threshold: function(tracker: TrackCount): bool; } diff --git a/scripts/base/utils/time.bro b/scripts/base/utils/time.zeek similarity index 100% rename from scripts/base/utils/time.bro rename to scripts/base/utils/time.zeek diff --git a/scripts/base/utils/urls.bro b/scripts/base/utils/urls.zeek similarity index 98% rename from scripts/base/utils/urls.bro rename to scripts/base/utils/urls.zeek index a34b6a02c1..c6ec41cbfc 100644 --- a/scripts/base/utils/urls.bro +++ b/scripts/base/utils/urls.zeek @@ -3,7 +3,7 @@ ## A regular expression for matching and extracting URLs. const url_regex = /^([a-zA-Z\-]{3,5})(:\/\/[^\/?#"'\r\n><]*)([^?#"'\r\n><]*)([^[:blank:]\r\n"'><]*|\??[^"'\r\n><]*)/ &redef; -## A URI, as parsed by :bro:id:`decompose_uri`. +## A URI, as parsed by :zeek:id:`decompose_uri`. type URI: record { ## The URL's scheme.. scheme: string &optional; diff --git a/scripts/broxygen/README b/scripts/broxygen/README deleted file mode 100644 index ac7f522285..0000000000 --- a/scripts/broxygen/README +++ /dev/null @@ -1,4 +0,0 @@ -This package is loaded during the process which automatically generates -reference documentation for all Bro scripts (i.e. "Broxygen"). Its only -purpose is to provide an easy way to load all known Bro scripts plus any -extra scripts needed or used by the documentation process. diff --git a/scripts/broxygen/__load__.bro b/scripts/broxygen/__load__.bro deleted file mode 100644 index 5d4ac5ea03..0000000000 --- a/scripts/broxygen/__load__.bro +++ /dev/null 
@@ -1,17 +0,0 @@ -@load test-all-policy.bro - -# Scripts which are commented out in test-all-policy.bro. -@load protocols/ssl/notary.bro -@load frameworks/control/controllee.bro -@load frameworks/control/controller.bro -@load frameworks/files/extract-all-files.bro -@load policy/misc/dump-events.bro -@load policy/protocols/dhcp/deprecated_events.bro -@load policy/protocols/smb/__load__.bro - -@load ./example.bro - -event bro_init() - { - terminate(); - } diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.zeek similarity index 99% rename from scripts/policy/files/x509/log-ocsp.bro rename to scripts/policy/files/x509/log-ocsp.zeek index e416535dd4..8cc9d5aef3 100644 --- a/scripts/policy/files/x509/log-ocsp.bro +++ b/scripts/policy/files/x509/log-ocsp.zeek @@ -39,7 +39,7 @@ export { global log_ocsp: event(rec: Info); } -event bro_init() +event zeek_init() { Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); diff --git a/scripts/policy/frameworks/control/controllee.bro b/scripts/policy/frameworks/control/controllee.zeek similarity index 98% rename from scripts/policy/frameworks/control/controllee.bro rename to scripts/policy/frameworks/control/controllee.zeek index c3f08cda2b..89768ef997 100644 --- a/scripts/policy/frameworks/control/controllee.bro +++ b/scripts/policy/frameworks/control/controllee.zeek @@ -12,7 +12,7 @@ module Control; -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { Broker::subscribe(Control::topic_prefix + "/" + Broker::node_id()); Broker::auto_publish(Control::topic_prefix + "/id_value_response", diff --git a/scripts/policy/frameworks/control/controller.bro b/scripts/policy/frameworks/control/controller.zeek similarity index 99% rename from scripts/policy/frameworks/control/controller.bro rename to scripts/policy/frameworks/control/controller.zeek index b81ce4b2d6..6befe70fe8 100644 
--- a/scripts/policy/frameworks/control/controller.bro +++ b/scripts/policy/frameworks/control/controller.zeek @@ -12,7 +12,7 @@ module Control; # Do some sanity checking and rework the communication nodes. -event bro_init() &priority=5 +event zeek_init() &priority=5 { # We know that some command was given because this script wouldn't be # loaded if there wasn't so we can feel free to throw an error here and diff --git a/scripts/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.zeek similarity index 100% rename from scripts/policy/frameworks/dpd/detect-protocols.bro rename to scripts/policy/frameworks/dpd/detect-protocols.zeek diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.bro b/scripts/policy/frameworks/dpd/packet-segment-logging.zeek similarity index 91% rename from scripts/policy/frameworks/dpd/packet-segment-logging.bro rename to scripts/policy/frameworks/dpd/packet-segment-logging.zeek index 35a52c3870..7dff2b07f8 100644 --- a/scripts/policy/frameworks/dpd/packet-segment-logging.bro +++ b/scripts/policy/frameworks/dpd/packet-segment-logging.zeek @@ -1,6 +1,6 @@ ##! This script enables logging of packet segment data when a protocol ##! parsing violation is encountered. The amount of data from the -##! packet logged is set by the :bro:see:`DPD::packet_segment_size` variable. +##! packet logged is set by the :zeek:see:`DPD::packet_segment_size` variable. ##! A caveat to logging packet data is that in some cases, the packet may ##! not be the packet that actually caused the protocol violation. diff --git a/scripts/policy/frameworks/files/detect-MHR.bro b/scripts/policy/frameworks/files/detect-MHR.zeek similarity index 100% rename from scripts/policy/frameworks/files/detect-MHR.bro rename to scripts/policy/frameworks/files/detect-MHR.zeek 
diff --git a/scripts/policy/frameworks/files/entropy-test-all-files.bro b/scripts/policy/frameworks/files/entropy-test-all-files.zeek
similarity index 100%
rename from scripts/policy/frameworks/files/entropy-test-all-files.bro
rename to scripts/policy/frameworks/files/entropy-test-all-files.zeek
diff --git a/scripts/policy/frameworks/files/extract-all-files.bro b/scripts/policy/frameworks/files/extract-all-files.zeek
similarity index 100%
rename from scripts/policy/frameworks/files/extract-all-files.bro
rename to scripts/policy/frameworks/files/extract-all-files.zeek
diff --git a/scripts/policy/frameworks/files/hash-all-files.bro b/scripts/policy/frameworks/files/hash-all-files.zeek
similarity index 100%
rename from scripts/policy/frameworks/files/hash-all-files.bro
rename to scripts/policy/frameworks/files/hash-all-files.zeek
diff --git a/scripts/policy/frameworks/intel/do_expire.bro b/scripts/policy/frameworks/intel/do_expire.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/do_expire.bro
rename to scripts/policy/frameworks/intel/do_expire.zeek
diff --git a/scripts/policy/frameworks/intel/do_notice.bro b/scripts/policy/frameworks/intel/do_notice.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/do_notice.bro
rename to scripts/policy/frameworks/intel/do_notice.zeek
diff --git a/scripts/policy/frameworks/intel/removal.zeek b/scripts/policy/frameworks/intel/removal.zeek
new file mode 100644
index 0000000000..cc4bb42921
--- /dev/null
+++ b/scripts/policy/frameworks/intel/removal.zeek
@@ -0,0 +1,23 @@
+##! This script enables removal of intelligence items.
+
+@load base/frameworks/intel
+
+module Intel;
+
+export {
+ redef record Intel::MetaData += {
+ ## A boolean value to indicate whether the item should be removed.
+ remove: bool &default=F;
+ };
+}
+
+hook Intel::filter_item(item: Item)
+ {
+ if ( item$meta$remove )
+ {
+ Intel::remove(item);
+ # Prevent readding
+ break;
+ }
+ }
+
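Review bot: The new removal.zeek hook is under-documented for what is effectively a delete capability driven by feed data: the header comment does not say how an operator triggers removal, and `# Prevent readding` does not explain why `break` is needed after `Intel::remove(item)`. The header should state that an item is removed when its metadata carries `remove` set to true (presumably via a `meta.remove` column in the intel file — confirm against the intel reader) and that the hook is otherwise a no-op, and the break comment should read something like `# Break out of the hook so the item is not inserted again after removal.`. It is also worth a one-line caveat in the header that, once this script is loaded, anyone who can write to the intel feed can delete indicators by flipping this flag, so feed integrity matters more than before.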
diff --git a/scripts/policy/frameworks/intel/seen/__load__.bro b/scripts/policy/frameworks/intel/seen/__load__.zeek similarity index 90% rename from scripts/policy/frameworks/intel/seen/__load__.bro rename to scripts/policy/frameworks/intel/seen/__load__.zeek index d364e8c587..814a274613 100644 --- a/scripts/policy/frameworks/intel/seen/__load__.bro +++ b/scripts/policy/frameworks/intel/seen/__load__.zeek @@ -6,6 +6,7 @@ @load ./http-url @load ./pubkey-hashes @load ./ssl +@load ./smb-filenames @load ./smtp @load ./smtp-url-extraction @load ./x509 diff --git a/scripts/policy/frameworks/intel/seen/conn-established.bro b/scripts/policy/frameworks/intel/seen/conn-established.zeek similarity index 100% rename from scripts/policy/frameworks/intel/seen/conn-established.bro rename to scripts/policy/frameworks/intel/seen/conn-established.zeek diff --git a/scripts/policy/frameworks/intel/seen/dns.bro b/scripts/policy/frameworks/intel/seen/dns.zeek similarity index 100% rename from scripts/policy/frameworks/intel/seen/dns.bro rename to scripts/policy/frameworks/intel/seen/dns.zeek diff --git a/scripts/policy/frameworks/intel/seen/file-hashes.bro b/scripts/policy/frameworks/intel/seen/file-hashes.zeek similarity index 100% rename from scripts/policy/frameworks/intel/seen/file-hashes.bro rename to scripts/policy/frameworks/intel/seen/file-hashes.zeek diff --git a/scripts/policy/frameworks/intel/seen/file-names.bro b/scripts/policy/frameworks/intel/seen/file-names.zeek similarity index 100% rename from scripts/policy/frameworks/intel/seen/file-names.bro rename to scripts/policy/frameworks/intel/seen/file-names.zeek diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.zeek similarity index 100% rename from scripts/policy/frameworks/intel/seen/http-headers.bro rename to scripts/policy/frameworks/intel/seen/http-headers.zeek 
diff --git a/scripts/policy/frameworks/intel/seen/http-url.bro b/scripts/policy/frameworks/intel/seen/http-url.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/http-url.bro
rename to scripts/policy/frameworks/intel/seen/http-url.zeek
diff --git a/scripts/policy/frameworks/intel/seen/pubkey-hashes.bro b/scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek
similarity index 100%
rename from scripts/policy/frameworks/intel/seen/pubkey-hashes.bro
rename to scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek
diff --git a/scripts/policy/frameworks/intel/seen/smb-filenames.zeek b/scripts/policy/frameworks/intel/seen/smb-filenames.zeek
new file mode 100644
index 0000000000..66c8977bb0
--- /dev/null
+++ b/scripts/policy/frameworks/intel/seen/smb-filenames.zeek
@@ -0,0 +1,23 @@
+@load base/protocols/smb
+@load base/frameworks/intel
+@load ./where-locations
+
+event file_new(f: fa_file)
+ {
+ if ( f$source != "SMB" )
+ return;
+
+ for ( id in f$conns )
+ {
+ local c = f$conns[id];
+ if ( c?$smb_state && c$smb_state?$current_file && c$smb_state$current_file?$name )
+ {
+ local split_fname = split_string(c$smb_state$current_file$name, /\\/);
+ local fname = split_fname[|split_fname|-1];
+ Intel::seen([$indicator=fname,
+ $indicator_type=Intel::FILE_NAME,
+ $f=f,
+ $where=SMB::IN_FILE_NAME]);
+ }
+ }
+ }
diff --git a/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro b/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
similarity index 90%
rename from scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro
rename to scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
index aa9c322bcf..343beb277e 100644
--- a/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro
+++ b/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
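Review bot: The `file_new` handler in smb-filenames.zeek iterates `f$conns` without first checking that the field is present, whereas the sibling smtp-url-extraction handler touched by this same commit guards with `if ( ! f?$conns ) return;`; if `conns` is unset on the `fa_file` this becomes a runtime error rather than a skipped file, so add the same guard before the loop (and treat `f$source` the same way if it is also an optional field). A second gap is that `split_fname[|split_fname|-1]` yields an empty string when the SMB name ends in a backslash, and that empty indicator is then handed to `Intel::seen`; a `if ( fname == "" ) continue;` after the assignment avoids a meaningless intel lookup. For consistency with the loops rewritten elsewhere in this commit, the `for ( id in f$conns ) { local c = f$conns[id];` pair could also become `for ( id, c in f$conns )`.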
@@ -8,9 +8,8 @@ event intel_mime_data(f: fa_file, data: string) if ( ! f?$conns ) return; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - local c: connection = f$conns[cid]; local urls = find_all_urls_without_scheme(data); for ( url in urls ) { diff --git a/scripts/policy/frameworks/intel/seen/smtp.bro b/scripts/policy/frameworks/intel/seen/smtp.zeek similarity index 100% rename from scripts/policy/frameworks/intel/seen/smtp.bro rename to scripts/policy/frameworks/intel/seen/smtp.zeek diff --git a/scripts/policy/frameworks/intel/seen/ssl.bro b/scripts/policy/frameworks/intel/seen/ssl.zeek similarity index 100% rename from scripts/policy/frameworks/intel/seen/ssl.bro rename to scripts/policy/frameworks/intel/seen/ssl.zeek diff --git a/scripts/policy/frameworks/intel/seen/where-locations.bro b/scripts/policy/frameworks/intel/seen/where-locations.zeek similarity index 96% rename from scripts/policy/frameworks/intel/seen/where-locations.bro rename to scripts/policy/frameworks/intel/seen/where-locations.zeek index 59a89b0eb2..9d30b5ff8f 100644 --- a/scripts/policy/frameworks/intel/seen/where-locations.bro +++ b/scripts/policy/frameworks/intel/seen/where-locations.zeek @@ -26,5 +26,6 @@ export { SSL::IN_SERVER_NAME, SMTP::IN_HEADER, X509::IN_CERT, + SMB::IN_FILE_NAME, }; } diff --git a/scripts/policy/frameworks/intel/seen/x509.bro b/scripts/policy/frameworks/intel/seen/x509.zeek similarity index 100% rename from scripts/policy/frameworks/intel/seen/x509.bro rename to scripts/policy/frameworks/intel/seen/x509.zeek diff --git a/scripts/policy/frameworks/intel/whitelist.bro b/scripts/policy/frameworks/intel/whitelist.zeek similarity index 100% rename from scripts/policy/frameworks/intel/whitelist.bro rename to scripts/policy/frameworks/intel/whitelist.zeek 
diff --git a/scripts/policy/frameworks/notice/__load__.bro b/scripts/policy/frameworks/notice/__load__.zeek similarity index 100% rename from scripts/policy/frameworks/notice/__load__.bro rename to scripts/policy/frameworks/notice/__load__.zeek diff --git a/scripts/policy/frameworks/notice/extend-email/hostnames.bro b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek similarity index 91% rename from scripts/policy/frameworks/notice/extend-email/hostnames.bro rename to scripts/policy/frameworks/notice/extend-email/hostnames.zeek index 9ee58d3e0b..5be74c7913 100644 --- a/scripts/policy/frameworks/notice/extend-email/hostnames.bro +++ b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek @@ -1,6 +1,6 @@ -##! Loading this script extends the :bro:enum:`Notice::ACTION_EMAIL` action +##! Loading this script extends the :zeek:enum:`Notice::ACTION_EMAIL` action ##! by appending to the email the hostnames associated with -##! :bro:type:`Notice::Info`'s *src* and *dst* fields as determined by a +##! :zeek:type:`Notice::Info`'s *src* and *dst* fields as determined by a ##! DNS lookup. @load base/frameworks/notice/main diff --git a/scripts/policy/frameworks/packet-filter/shunt.bro b/scripts/policy/frameworks/packet-filter/shunt.zeek similarity index 96% rename from scripts/policy/frameworks/packet-filter/shunt.bro rename to scripts/policy/frameworks/packet-filter/shunt.zeek index 97ae0c792d..3a08dfaddd 100644 --- a/scripts/policy/frameworks/packet-filter/shunt.bro +++ b/scripts/policy/frameworks/packet-filter/shunt.zeek @@ -23,7 +23,7 @@ export { ## update done by the `PacketFilter` framework. global unshunt_host_pair: function(id: conn_id): bool; - ## Performs the same function as the :bro:id:`PacketFilter::unshunt_host_pair` + ## Performs the same function as the :zeek:id:`PacketFilter::unshunt_host_pair` ## function, but it forces an immediate filter update. global force_unshunt_host_pair: function(id: conn_id): bool; 
@@ -34,7 +34,7 @@ export { global current_shunted_host_pairs: function(): set[conn_id]; redef enum Notice::Type += { - ## Indicative that :bro:id:`PacketFilter::max_bpf_shunts` + ## Indicative that :zeek:id:`PacketFilter::max_bpf_shunts` ## connections are already being shunted with BPF filters and ## no more are allowed. No_More_Conn_Shunts_Available, @@ -76,7 +76,7 @@ function shunt_filters() PacketFilter::exclude("shunt_filters", filter); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { register_filter_plugin([ $func()={ return shunt_filters(); } diff --git a/scripts/policy/frameworks/software/version-changes.bro b/scripts/policy/frameworks/software/version-changes.zeek similarity index 94% rename from scripts/policy/frameworks/software/version-changes.bro rename to scripts/policy/frameworks/software/version-changes.zeek index 215a64d6b7..865cc20447 100644 --- a/scripts/policy/frameworks/software/version-changes.bro +++ b/scripts/policy/frameworks/software/version-changes.zeek @@ -12,7 +12,7 @@ export { ## For certain software, a version changing may matter. In that ## case, this notice will be generated. Software that matters ## if the version changes can be configured with the - ## :bro:id:`Software::interesting_version_changes` variable. + ## :zeek:id:`Software::interesting_version_changes` variable. Software_Version_Change, }; diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.zeek similarity index 96% rename from scripts/policy/frameworks/software/vulnerable.bro rename to scripts/policy/frameworks/software/vulnerable.zeek index 13de1c9cf8..b8d8c43a12 100644 --- a/scripts/policy/frameworks/software/vulnerable.bro +++ b/scripts/policy/frameworks/software/vulnerable.zeek 
@@ -111,13 +111,13 @@ function update_vulnerable_sw() internal_vulnerable_versions = table(); # Copy the const vulnerable versions into the global modifiable one. - for ( sw in vulnerable_versions ) - internal_vulnerable_versions[sw] = vulnerable_versions[sw]; + for ( sw, vuln_range_set in vulnerable_versions ) + internal_vulnerable_versions[sw] = vuln_range_set; event grab_vulnerable_versions(1); } -event bro_init() &priority=3 +event zeek_init() &priority=3 { update_vulnerable_sw(); } diff --git a/scripts/policy/frameworks/software/windows-version-detection.bro b/scripts/policy/frameworks/software/windows-version-detection.zeek similarity index 100% rename from scripts/policy/frameworks/software/windows-version-detection.bro rename to scripts/policy/frameworks/software/windows-version-detection.zeek diff --git a/scripts/policy/integration/barnyard2/__load__.bro b/scripts/policy/integration/barnyard2/__load__.zeek similarity index 100% rename from scripts/policy/integration/barnyard2/__load__.bro rename to scripts/policy/integration/barnyard2/__load__.zeek diff --git a/scripts/policy/integration/barnyard2/main.bro b/scripts/policy/integration/barnyard2/main.zeek similarity index 91% rename from scripts/policy/integration/barnyard2/main.bro rename to scripts/policy/integration/barnyard2/main.zeek index 96c74043f7..876467eb8a 100644 --- a/scripts/policy/integration/barnyard2/main.bro +++ b/scripts/policy/integration/barnyard2/main.zeek 
@@ -18,13 +18,13 @@ export { alert: AlertData &log; }; - ## This can convert a Barnyard :bro:type:`Barnyard2::PacketID` value to - ## a :bro:type:`conn_id` value in the case that you might need to index + ## This can convert a Barnyard :zeek:type:`Barnyard2::PacketID` value to + ## a :zeek:type:`conn_id` value in the case that you might need to index ## into an existing data structure elsewhere within Bro. global pid2cid: function(p: PacketID): conn_id; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Barnyard2::LOG, [$columns=Info, $path="barnyard2"]); } diff --git a/scripts/policy/integration/barnyard2/types.bro b/scripts/policy/integration/barnyard2/types.zeek similarity index 100% rename from scripts/policy/integration/barnyard2/types.bro rename to scripts/policy/integration/barnyard2/types.zeek diff --git a/scripts/policy/integration/collective-intel/__load__.bro b/scripts/policy/integration/collective-intel/__load__.zeek similarity index 100% rename from scripts/policy/integration/collective-intel/__load__.bro rename to scripts/policy/integration/collective-intel/__load__.zeek diff --git a/scripts/policy/integration/collective-intel/main.bro b/scripts/policy/integration/collective-intel/main.zeek similarity index 100% rename from scripts/policy/integration/collective-intel/main.bro rename to scripts/policy/integration/collective-intel/main.zeek diff --git a/scripts/policy/misc/capture-loss.bro b/scripts/policy/misc/capture-loss.zeek similarity index 96% rename from scripts/policy/misc/capture-loss.bro rename to scripts/policy/misc/capture-loss.zeek index 541f6577cc..c6516d46eb 100644 --- a/scripts/policy/misc/capture-loss.bro +++ b/scripts/policy/misc/capture-loss.zeek 
@@ -41,7 +41,7 @@ export { option watch_interval = 15mins; ## The percentage of missed data that is considered "too much" - ## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be + ## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be ## generated. The value is expressed as a double between 0 and 1 with 1 ## being 100%. option too_much_loss: double = 0.1; @@ -74,7 +74,7 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps: schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) }; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(LOG, [$columns=Info, $path="capture_loss"]); diff --git a/scripts/policy/misc/detect-traceroute/__load__.bro b/scripts/policy/misc/detect-traceroute/__load__.zeek similarity index 100% rename from scripts/policy/misc/detect-traceroute/__load__.bro rename to scripts/policy/misc/detect-traceroute/__load__.zeek diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.zeek similarity index 97% rename from scripts/policy/misc/detect-traceroute/main.bro rename to scripts/policy/misc/detect-traceroute/main.zeek index 5cbb34e27e..091ceceed6 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.zeek @@ -34,7 +34,7 @@ export { const icmp_time_exceeded_threshold: double = 3 &redef; ## Interval at which to watch for the - ## :bro:id:`Traceroute::icmp_time_exceeded_threshold` variable to be + ## :zeek:id:`Traceroute::icmp_time_exceeded_threshold` variable to be ## crossed. At the end of each interval the counter is reset. const icmp_time_exceeded_interval = 3min &redef; @@ -53,7 +53,7 @@ export { global log_traceroute: event(rec: Traceroute::Info); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute, $path="traceroute"]); 
diff --git a/scripts/policy/misc/dump-events.bro b/scripts/policy/misc/dump-events.zeek similarity index 100% rename from scripts/policy/misc/dump-events.bro rename to scripts/policy/misc/dump-events.zeek diff --git a/scripts/policy/misc/load-balancing.bro b/scripts/policy/misc/load-balancing.zeek similarity index 98% rename from scripts/policy/misc/load-balancing.bro rename to scripts/policy/misc/load-balancing.zeek index 40bbe238ca..62f352f12e 100644 --- a/scripts/policy/misc/load-balancing.bro +++ b/scripts/policy/misc/load-balancing.zeek @@ -28,7 +28,7 @@ export { @if ( Cluster::is_enabled() ) -event bro_init() &priority=5 +event zeek_init() &priority=5 { if ( method != AUTO_BPF ) return; diff --git a/scripts/policy/misc/loaded-scripts.bro b/scripts/policy/misc/loaded-scripts.zeek similarity index 90% rename from scripts/policy/misc/loaded-scripts.bro rename to scripts/policy/misc/loaded-scripts.zeek index bfc0aad114..0bd986e01a 100644 --- a/scripts/policy/misc/loaded-scripts.bro +++ b/scripts/policy/misc/loaded-scripts.zeek @@ -27,12 +27,12 @@ function get_indent(level: count): string return out; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(LoadedScripts::LOG, [$columns=Info, $path="loaded_scripts"]); } -event bro_script_loaded(path: string, level: count) +event zeek_script_loaded(path: string, level: count) { Log::write(LoadedScripts::LOG, [$name=cat(get_indent(level), compress_path(path))]); } diff --git a/scripts/policy/misc/profiling.bro b/scripts/policy/misc/profiling.zeek similarity index 87% rename from scripts/policy/misc/profiling.bro rename to scripts/policy/misc/profiling.zeek index 613e78f860..fed8c41f54 100644 --- a/scripts/policy/misc/profiling.bro +++ b/scripts/policy/misc/profiling.zeek 
@@ -9,10 +9,10 @@ redef profiling_file = open_log_file("prof"); redef profiling_interval = 15 secs; ## Set the expensive profiling interval (multiple of -## :bro:id:`profiling_interval`). +## :zeek:id:`profiling_interval`). redef expensive_profiling_multiple = 20; -event bro_init() +event zeek_init() { set_buf(profiling_file, F); } diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.zeek similarity index 96% rename from scripts/policy/misc/scan.bro rename to scripts/policy/misc/scan.zeek index d70f8f9e79..26dc54ce90 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.zeek @@ -15,17 +15,17 @@ export { redef enum Notice::Type += { ## Address scans detect that a host appears to be scanning some ## number of destinations on a single port. This notice is - ## generated when more than :bro:id:`Scan::addr_scan_threshold` + ## generated when more than :zeek:id:`Scan::addr_scan_threshold` ## unique hosts are seen over the previous - ## :bro:id:`Scan::addr_scan_interval` time range. + ## :zeek:id:`Scan::addr_scan_interval` time range. Address_Scan, ## Port scans detect that an attacking host appears to be ## scanning a single victim host on several ports. This notice ## is generated when an attacking host attempts to connect to - ## :bro:id:`Scan::port_scan_threshold` + ## :zeek:id:`Scan::port_scan_threshold` ## unique ports on a single host over the previous - ## :bro:id:`Scan::port_scan_interval` time range. + ## :zeek:id:`Scan::port_scan_interval` time range. Port_Scan, }; @@ -51,7 +51,7 @@ export { global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(addr_scan_threshold+2)]; SumStats::create([$name="addr-scan", 
diff --git a/scripts/policy/misc/stats.bro b/scripts/policy/misc/stats.zeek similarity index 99% rename from scripts/policy/misc/stats.bro rename to scripts/policy/misc/stats.zeek index 0bbf5c8aac..9c4ae4e792 100644 --- a/scripts/policy/misc/stats.bro +++ b/scripts/policy/misc/stats.zeek @@ -82,7 +82,7 @@ export { global log_stats: event(rec: Info); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats"]); } @@ -149,7 +149,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr schedule report_interval { check_stats(nettime, ns, cs, ps, es, rs, ts, fs, ds) }; } -event bro_init() +event zeek_init() { schedule report_interval { check_stats(network_time(), get_net_stats(), get_conn_stats(), get_proc_stats(), get_event_stats(), get_reassembler_stats(), get_timer_stats(), get_file_analysis_stats(), get_dns_stats()) }; } diff --git a/scripts/policy/misc/trim-trace-file.bro b/scripts/policy/misc/trim-trace-file.zeek similarity index 93% rename from scripts/policy/misc/trim-trace-file.bro rename to scripts/policy/misc/trim-trace-file.zeek index 8f534ec005..3f50406f3b 100644 --- a/scripts/policy/misc/trim-trace-file.bro +++ b/scripts/policy/misc/trim-trace-file.zeek @@ -11,7 +11,7 @@ export { ## tracefile rotation is required with the caveat that the script ## doesn't currently attempt to get back on schedule automatically and ## the next trim likely won't happen on the - ## :bro:id:`TrimTraceFile::trim_interval`. + ## :zeek:id:`TrimTraceFile::trim_interval`. global go: event(first_trim: bool); } @@ -30,7 +30,7 @@ event TrimTraceFile::go(first_trim: bool) schedule trim_interval { TrimTraceFile::go(F) }; } -event bro_init() +event zeek_init() { if ( trim_interval > 0 secs ) schedule trim_interval { TrimTraceFile::go(T) }; 
diff --git a/scripts/policy/misc/weird-stats.bro b/scripts/policy/misc/weird-stats.zeek similarity index 90% rename from scripts/policy/misc/weird-stats.bro rename to scripts/policy/misc/weird-stats.zeek index d08ce9381d..bc75e2057a 100644 --- a/scripts/policy/misc/weird-stats.bro +++ b/scripts/policy/misc/weird-stats.zeek @@ -33,14 +33,14 @@ function weird_epoch_results(ts: time, key: SumStats::Key, result: SumStats::Res function weird_epoch_finished(ts: time) { - for ( n in this_epoch_weirds ) + for ( n, v in this_epoch_weirds ) { local last_count: double = 0.0; if ( n in last_epoch_weirds ) last_count = last_epoch_weirds[n]; - local num_seen: double = this_epoch_weirds[n] - last_count; + local num_seen: double = v - last_count; if ( num_seen > 0.0 ) Log::write(LOG, Info($ts = ts, $name = n, @@ -51,7 +51,7 @@ function weird_epoch_finished(ts: time) this_epoch_weirds = table(); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(WeirdStats::LOG, [$columns = Info, $ev = log_weird_stats, @@ -70,9 +70,9 @@ function observe_weird_stats() { local rs = get_reporter_stats(); - for ( n in rs$weirds_by_type ) + for ( n, v in rs$weirds_by_type ) SumStats::observe("weirds.encountered", SumStats::Key($str = n), - SumStats::Observation($dbl=rs$weirds_by_type[n]+0.0)); + SumStats::Observation($dbl=(v + 0.0))); } @if ( Cluster::is_enabled() ) @@ -84,6 +84,8 @@ function observe_weird_stats() # less synchronized? event SumStats::cluster_ss_request(uid: string, ss_name: string, cleanup: bool) &priority=10 { + if ( ss_name != "weirds.statistics" ) + return; observe_weird_stats(); } diff --git a/scripts/policy/protocols/conn/known-hosts.bro b/scripts/policy/protocols/conn/known-hosts.zeek similarity index 92% rename from scripts/policy/protocols/conn/known-hosts.bro rename to scripts/policy/protocols/conn/known-hosts.zeek index ef78630c6a..702ab59ca3 100644 --- a/scripts/policy/protocols/conn/known-hosts.bro 
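Review bot: In the `@@ -84,6 +84,8 @@` hunk of weird-stats.zeek the `SumStats::cluster_ss_request` handler now returns early unless `ss_name` equals the literal `"weirds.statistics"`, but the `SumStats::create` that registers that name is outside this hunk, so a later rename there would silently stop `observe_weird_stats()` from ever running on workers with no error. Hoisting the name into a module constant used by both sites, e.g. `const weird_stats_ss_name = "weirds.statistics";`, or at least a comment on the check such as `# Only react to requests for our own SumStat; must match the $name passed to SumStats::create.` would make the coupling explicit. Please also confirm the literal matches the registered name exactly, since the observation stream in the same file is named `"weirds.encountered"` and the two are easy to confuse.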
+++ b/scripts/policy/protocols/conn/known-hosts.zeek @@ -28,22 +28,22 @@ export { const use_host_store = T &redef; ## The hosts whose existence should be logged and tracked. - ## See :bro:type:`Host` for possible choices. + ## See :zeek:type:`Host` for possible choices. option host_tracking = LOCAL_HOSTS; ## Holds the set of all known hosts. Keys in the store are addresses ## and their associated value will always be the "true" boolean. global host_store: Cluster::StoreInfo; - ## The Broker topic name to use for :bro:see:`Known::host_store`. + ## The Broker topic name to use for :zeek:see:`Known::host_store`. const host_store_name = "bro/known/hosts" &redef; - ## The expiry interval of new entries in :bro:see:`Known::host_store`. + ## The expiry interval of new entries in :zeek:see:`Known::host_store`. ## This also changes the interval at which hosts get logged. const host_store_expiry = 1day &redef; ## The timeout interval to use for operations against - ## :bro:see:`Known::host_store`. + ## :zeek:see:`Known::host_store`. option host_store_timeout = 15sec; ## The set of all known addresses to store for preventing duplicate @@ -56,12 +56,12 @@ export { ## proxy nodes. global hosts: set[addr] &create_expire=1day &redef; - ## An event that can be handled to access the :bro:type:`Known::HostsInfo` + ## An event that can be handled to access the :zeek:type:`Known::HostsInfo` ## record as it is sent on to the logging framework. global log_known_hosts: event(rec: HostsInfo); } -event bro_init() +event zeek_init() { if ( ! Known::use_host_store ) return; @@ -145,7 +145,7 @@ event Known::host_found(info: HostsInfo) event known_host_add(info); } -event bro_init() +event zeek_init() { Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts"]); } 
diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.zeek similarity index 93% rename from scripts/policy/protocols/conn/known-services.bro rename to scripts/policy/protocols/conn/known-services.zeek index f9e129839d..767962b791 100644 --- a/scripts/policy/protocols/conn/known-services.bro +++ b/scripts/policy/protocols/conn/known-services.zeek @@ -34,7 +34,7 @@ export { const use_service_store = T &redef; ## The hosts whose services should be tracked and logged. - ## See :bro:type:`Host` for possible choices. + ## See :zeek:type:`Host` for possible choices. option service_tracking = LOCAL_HOSTS; type AddrPortPair: record { @@ -43,19 +43,19 @@ export { }; ## Holds the set of all known services. Keys in the store are - ## :bro:type:`Known::AddrPortPair` and their associated value is + ## :zeek:type:`Known::AddrPortPair` and their associated value is ## always the boolean value of "true". global service_store: Cluster::StoreInfo; - ## The Broker topic name to use for :bro:see:`Known::service_store`. + ## The Broker topic name to use for :zeek:see:`Known::service_store`. const service_store_name = "bro/known/services" &redef; - ## The expiry interval of new entries in :bro:see:`Known::service_store`. + ## The expiry interval of new entries in :zeek:see:`Known::service_store`. ## This also changes the interval at which services get logged. const service_store_expiry = 1day &redef; ## The timeout interval to use for operations against - ## :bro:see:`Known::service_store`. + ## :zeek:see:`Known::service_store`. option service_store_timeout = 15sec; ## Tracks the set of daily-detected services for preventing the logging 
@@ -68,7 +68,7 @@ export { ## This set is automatically populated and shouldn't be directly modified. global services: set[addr, port] &create_expire=1day; - ## Event that can be handled to access the :bro:type:`Known::ServicesInfo` + ## Event that can be handled to access the :zeek:type:`Known::ServicesInfo` ## record as it is sent on to the logging framework. global log_known_services: event(rec: ServicesInfo); } @@ -80,7 +80,7 @@ redef record connection += { }; -event bro_init() +event zeek_init() { if ( ! Known::use_service_store ) return; @@ -216,7 +216,7 @@ event connection_state_remove(c: connection) &priority=-5 known_services_done(c); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo, $ev=log_known_services, diff --git a/scripts/policy/protocols/conn/mac-logging.bro b/scripts/policy/protocols/conn/mac-logging.zeek similarity index 100% rename from scripts/policy/protocols/conn/mac-logging.bro rename to scripts/policy/protocols/conn/mac-logging.zeek diff --git a/scripts/policy/protocols/conn/vlan-logging.bro b/scripts/policy/protocols/conn/vlan-logging.zeek similarity index 100% rename from scripts/policy/protocols/conn/vlan-logging.bro rename to scripts/policy/protocols/conn/vlan-logging.zeek diff --git a/scripts/policy/protocols/conn/weirds.bro b/scripts/policy/protocols/conn/weirds.zeek similarity index 100% rename from scripts/policy/protocols/conn/weirds.bro rename to scripts/policy/protocols/conn/weirds.zeek diff --git a/scripts/policy/protocols/dhcp/deprecated_events.bro b/scripts/policy/protocols/dhcp/deprecated_events.zeek similarity index 92% rename from scripts/policy/protocols/dhcp/deprecated_events.bro rename to scripts/policy/protocols/dhcp/deprecated_events.zeek index 941e5c72c3..553d13bc05 100644 --- a/scripts/policy/protocols/dhcp/deprecated_events.bro +++ b/scripts/policy/protocols/dhcp/deprecated_events.zeek 
@@ -11,9 +11,9 @@ ## .. note:: This type is included to support the deprecated events dhcp_ack, ## dhcp_decline, dhcp_discover, dhcp_inform, dhcp_nak, dhcp_offer, ## dhcp_release and dhcp_request and is thus similarly deprecated -## itself. Use :bro:see:`dhcp_message` instead. +## itself. Use :zeek:see:`dhcp_message` instead. ## -## .. bro:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover +## .. zeek:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover ## dhcp_inform dhcp_nak dhcp_offer dhcp_release dhcp_request type dhcp_msg: record { op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY @@ -28,9 +28,9 @@ type dhcp_msg: record { ## ## .. note:: This type is included to support the deprecated events dhcp_ack ## and dhcp_offer and is thus similarly deprecated -## itself. Use :bro:see:`dhcp_message` instead. +## itself. Use :zeek:see:`dhcp_message` instead. ## -## .. bro:see:: dhcp_message dhcp_ack dhcp_offer +## .. zeek:see:: dhcp_message dhcp_ack dhcp_offer type dhcp_router_list: table[count] of addr; ## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate @@ -44,7 +44,7 @@ type dhcp_router_list: table[count] of addr; ## ## host_name: The value of the host name option, if specified by the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_decline dhcp_ack dhcp_nak dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. 
@@ -74,7 +74,7 @@ global dhcp_discover: event(c: connection, msg: dhcp_msg, req_addr: addr, host_n ## host_name: Optional host name value. May differ from the host name requested ## from the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline +## .. zeek:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline ## dhcp_ack dhcp_nak dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -101,7 +101,7 @@ global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_ ## ## host_name: The value of the host name option, if specified by the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline ## dhcp_ack dhcp_nak dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -122,7 +122,7 @@ global dhcp_request: event(c: connection, msg: dhcp_msg, req_addr: addr, serv_ad ## ## host_name: Optional host name value. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_ack dhcp_nak dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -152,7 +152,7 @@ global dhcp_decline: event(c: connection, msg: dhcp_msg, host_name: string) &dep ## host_name: Optional host name value. May differ from the host name requested ## from the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_decline dhcp_nak dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. 
@@ -170,7 +170,7 @@ global dhcp_ack: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_ro ## ## host_name: Optional host name value. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_decline dhcp_ack dhcp_release dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -191,7 +191,7 @@ global dhcp_nak: event(c: connection, msg: dhcp_msg, host_name: string) &depreca ## ## host_name: The value of the host name option, if specified by the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_decline dhcp_ack dhcp_nak dhcp_inform ## ## .. note:: This event has been deprecated, and will be removed in the next version. @@ -209,7 +209,7 @@ global dhcp_release: event(c: connection, msg: dhcp_msg, host_name: string) &dep ## ## host_name: The value of the host name option, if specified by the client. ## -## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request +## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request ## dhcp_decline dhcp_ack dhcp_nak dhcp_release ## ## .. note:: This event has been deprecated, and will be removed in the next version. diff --git a/scripts/policy/protocols/dhcp/msg-orig.bro b/scripts/policy/protocols/dhcp/msg-orig.zeek similarity index 100% rename from scripts/policy/protocols/dhcp/msg-orig.bro rename to scripts/policy/protocols/dhcp/msg-orig.zeek diff --git a/scripts/policy/protocols/dhcp/software.bro b/scripts/policy/protocols/dhcp/software.zeek similarity index 100% rename from scripts/policy/protocols/dhcp/software.bro rename to scripts/policy/protocols/dhcp/software.zeek 
diff --git a/scripts/policy/protocols/dhcp/sub-opts.bro b/scripts/policy/protocols/dhcp/sub-opts.zeek similarity index 100% rename from scripts/policy/protocols/dhcp/sub-opts.bro rename to scripts/policy/protocols/dhcp/sub-opts.zeek diff --git a/scripts/policy/protocols/dns/auth-addl.bro b/scripts/policy/protocols/dns/auth-addl.zeek similarity index 100% rename from scripts/policy/protocols/dns/auth-addl.bro rename to scripts/policy/protocols/dns/auth-addl.zeek diff --git a/scripts/policy/protocols/dns/detect-external-names.bro b/scripts/policy/protocols/dns/detect-external-names.zeek similarity index 87% rename from scripts/policy/protocols/dns/detect-external-names.bro rename to scripts/policy/protocols/dns/detect-external-names.zeek index ea56e5676f..9533f396a2 100644 --- a/scripts/policy/protocols/dns/detect-external-names.bro +++ b/scripts/policy/protocols/dns/detect-external-names.zeek @@ -1,6 +1,6 @@ ##! This script detects names which are not within zones considered to be ##! local but resolving to addresses considered local. -##! The :bro:id:`Site::local_zones` variable **must** be set appropriately for +##! The :zeek:id:`Site::local_zones` variable **must** be set appropriately for ##! this detection. @load base/frameworks/notice @@ -11,7 +11,7 @@ module DNS; export { redef enum Notice::Type += { ## Raised when a non-local name is found to be pointing at a - ## local host. The :bro:id:`Site::local_zones` variable + ## local host. The :zeek:id:`Site::local_zones` variable ## **must** be set appropriately for this detection. External_Name, }; diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.zeek similarity index 99% rename from scripts/policy/protocols/ftp/detect-bruteforcing.bro rename to scripts/policy/protocols/ftp/detect-bruteforcing.zeek index eb70688d47..4ac7b61efc 100644 --- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro 
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.zeek @@ -25,7 +25,7 @@ export { } -event bro_init() +event zeek_init() { local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)]; SumStats::create([$name="ftp-detect-bruteforcing", diff --git a/scripts/policy/protocols/ftp/detect.bro b/scripts/policy/protocols/ftp/detect.zeek similarity index 100% rename from scripts/policy/protocols/ftp/detect.bro rename to scripts/policy/protocols/ftp/detect.zeek diff --git a/scripts/policy/protocols/ftp/software.bro b/scripts/policy/protocols/ftp/software.zeek similarity index 100% rename from scripts/policy/protocols/ftp/software.bro rename to scripts/policy/protocols/ftp/software.zeek diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.zeek similarity index 98% rename from scripts/policy/protocols/http/detect-sqli.bro rename to scripts/policy/protocols/http/detect-sqli.zeek index 01c98ba0d7..5baf6b89ab 100644 --- a/scripts/policy/protocols/http/detect-sqli.bro +++ b/scripts/policy/protocols/http/detect-sqli.zeek @@ -35,7 +35,7 @@ export { const sqli_requests_threshold: double = 50.0 &redef; ## Interval at which to watch for the - ## :bro:id:`HTTP::sqli_requests_threshold` variable to be crossed. + ## :zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed. ## At the end of each interval the counter is reset. const sqli_requests_interval = 5min &redef; @@ -67,7 +67,7 @@ function format_sqli_samples(samples: vector of SumStats::Observation): string return ret; } -event bro_init() &priority=3 +event zeek_init() &priority=3 { # Add filters to the metrics so that the metrics framework knows how to # determine when it looks like an actual attack and how to respond when 
diff --git a/scripts/policy/protocols/http/detect-webapps.bro b/scripts/policy/protocols/http/detect-webapps.zeek similarity index 100% rename from scripts/policy/protocols/http/detect-webapps.bro rename to scripts/policy/protocols/http/detect-webapps.zeek diff --git a/scripts/policy/protocols/http/header-names.bro b/scripts/policy/protocols/http/header-names.zeek similarity index 100% rename from scripts/policy/protocols/http/header-names.bro rename to scripts/policy/protocols/http/header-names.zeek diff --git a/scripts/policy/protocols/http/software-browser-plugins.bro b/scripts/policy/protocols/http/software-browser-plugins.zeek similarity index 100% rename from scripts/policy/protocols/http/software-browser-plugins.bro rename to scripts/policy/protocols/http/software-browser-plugins.zeek diff --git a/scripts/policy/protocols/http/software.bro b/scripts/policy/protocols/http/software.zeek similarity index 100% rename from scripts/policy/protocols/http/software.bro rename to scripts/policy/protocols/http/software.zeek diff --git a/scripts/policy/protocols/http/var-extraction-cookies.bro b/scripts/policy/protocols/http/var-extraction-cookies.zeek similarity index 100% rename from scripts/policy/protocols/http/var-extraction-cookies.bro rename to scripts/policy/protocols/http/var-extraction-cookies.zeek diff --git a/scripts/policy/protocols/http/var-extraction-uri.bro b/scripts/policy/protocols/http/var-extraction-uri.zeek similarity index 100% rename from scripts/policy/protocols/http/var-extraction-uri.bro rename to scripts/policy/protocols/http/var-extraction-uri.zeek diff --git a/scripts/policy/protocols/krb/ticket-logging.bro b/scripts/policy/protocols/krb/ticket-logging.zeek similarity index 100% rename from scripts/policy/protocols/krb/ticket-logging.bro rename to scripts/policy/protocols/krb/ticket-logging.zeek 
diff --git a/scripts/policy/protocols/modbus/known-masters-slaves.bro b/scripts/policy/protocols/modbus/known-masters-slaves.zeek similarity index 98% rename from scripts/policy/protocols/modbus/known-masters-slaves.bro rename to scripts/policy/protocols/modbus/known-masters-slaves.zeek index a49e1f81e4..4ce56570d8 100644 --- a/scripts/policy/protocols/modbus/known-masters-slaves.bro +++ b/scripts/policy/protocols/modbus/known-masters-slaves.zeek @@ -33,7 +33,7 @@ export { global log_known_modbus: event(rec: ModbusInfo); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Known::MODBUS_LOG, [$columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus"]); } diff --git a/scripts/policy/protocols/modbus/track-memmap.bro b/scripts/policy/protocols/modbus/track-memmap.zeek similarity index 99% rename from scripts/policy/protocols/modbus/track-memmap.bro rename to scripts/policy/protocols/modbus/track-memmap.zeek index 9a6e49e214..da2be29745 100644 --- a/scripts/policy/protocols/modbus/track-memmap.bro +++ b/scripts/policy/protocols/modbus/track-memmap.zeek @@ -52,7 +52,7 @@ redef record Modbus::Info += { track_address: count &default=0; }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Modbus::REGISTER_CHANGE_LOG, [$columns=MemmapInfo, $path="modbus_register_change"]); } diff --git a/scripts/policy/protocols/mysql/software.bro b/scripts/policy/protocols/mysql/software.zeek similarity index 100% rename from scripts/policy/protocols/mysql/software.bro rename to scripts/policy/protocols/mysql/software.zeek diff --git a/scripts/policy/protocols/rdp/indicate_ssl.bro b/scripts/policy/protocols/rdp/indicate_ssl.zeek similarity index 100% rename from scripts/policy/protocols/rdp/indicate_ssl.bro rename to scripts/policy/protocols/rdp/indicate_ssl.zeek 
diff --git a/scripts/policy/protocols/smb/__load__.bro b/scripts/policy/protocols/smb/__load__.zeek similarity index 100% rename from scripts/policy/protocols/smb/__load__.bro rename to scripts/policy/protocols/smb/__load__.zeek diff --git a/scripts/policy/protocols/smb/log-cmds.bro b/scripts/policy/protocols/smb/log-cmds.zeek similarity index 98% rename from scripts/policy/protocols/smb/log-cmds.bro rename to scripts/policy/protocols/smb/log-cmds.zeek index 53e309c5ea..88108276dc 100644 --- a/scripts/policy/protocols/smb/log-cmds.bro +++ b/scripts/policy/protocols/smb/log-cmds.zeek @@ -25,7 +25,7 @@ const deferred_logging_cmds: set[string] = { "TREE_CONNECT_ANDX", }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]); } diff --git a/scripts/policy/protocols/smtp/blocklists.bro b/scripts/policy/protocols/smtp/blocklists.zeek similarity index 100% rename from scripts/policy/protocols/smtp/blocklists.bro rename to scripts/policy/protocols/smtp/blocklists.zeek diff --git a/scripts/policy/protocols/smtp/detect-suspicious-orig.bro b/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek similarity index 100% rename from scripts/policy/protocols/smtp/detect-suspicious-orig.bro rename to scripts/policy/protocols/smtp/detect-suspicious-orig.zeek diff --git a/scripts/policy/protocols/smtp/entities-excerpt.bro b/scripts/policy/protocols/smtp/entities-excerpt.zeek similarity index 86% rename from scripts/policy/protocols/smtp/entities-excerpt.bro rename to scripts/policy/protocols/smtp/entities-excerpt.zeek index a3c35507ca..4dad6d3e39 100644 --- a/scripts/policy/protocols/smtp/entities-excerpt.bro +++ b/scripts/policy/protocols/smtp/entities-excerpt.zeek 
@@ -13,7 +13,7 @@ export { ## This is the default value for how much of the entity body should be ## included for all MIME entities. The lesser of this value and - ## :bro:see:`default_file_bof_buffer_size` will be used. + ## :zeek:see:`default_file_bof_buffer_size` will be used. option default_entity_excerpt_len = 0; } @@ -24,10 +24,8 @@ event file_new(f: fa_file) &priority=5 if ( ! f?$bof_buffer ) return; if ( ! f?$conns ) return; - for ( cid in f$conns ) + for ( cid, c in f$conns ) { - local c: connection = f$conns[cid]; - if ( ! c?$smtp ) next; if ( default_entity_excerpt_len > 0 ) diff --git a/scripts/policy/protocols/smtp/software.bro b/scripts/policy/protocols/smtp/software.zeek similarity index 100% rename from scripts/policy/protocols/smtp/software.bro rename to scripts/policy/protocols/smtp/software.zeek diff --git a/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/scripts/policy/protocols/ssh/detect-bruteforcing.zeek similarity index 97% rename from scripts/policy/protocols/ssh/detect-bruteforcing.bro rename to scripts/policy/protocols/ssh/detect-bruteforcing.zeek index 55687e2afd..4368258b98 100644 --- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro +++ b/scripts/policy/protocols/ssh/detect-bruteforcing.zeek @@ -11,7 +11,7 @@ module SSH; export { redef enum Notice::Type += { ## Indicates that a host has been identified as crossing the - ## :bro:id:`SSH::password_guesses_limit` threshold with + ## :zeek:id:`SSH::password_guesses_limit` threshold with ## failed logins. Password_Guessing, ## Indicates that a host previously identified as a "password @@ -39,7 +39,7 @@ export { const ignore_guessers: table[subnet] of subnet &redef; } -event bro_init() +event zeek_init() { local r1: SumStats::Reducer = [$stream="ssh.login.failure", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=5]; SumStats::create([$name="detect-ssh-bruteforcing", 
diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.zeek similarity index 87% rename from scripts/policy/protocols/ssh/geo-data.bro rename to scripts/policy/protocols/ssh/geo-data.zeek index c8f73b6ac7..5c98f62229 100644 --- a/scripts/policy/protocols/ssh/geo-data.bro +++ b/scripts/policy/protocols/ssh/geo-data.zeek @@ -8,7 +8,7 @@ module SSH; export { redef enum Notice::Type += { ## If an SSH login is seen to or from a "watched" country based - ## on the :bro:id:`SSH::watched_countries` variable then this + ## on the :zeek:id:`SSH::watched_countries` variable then this ## notice will be generated. Watched_Country_Login, }; @@ -35,8 +35,8 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3 if ( ! c$ssh?$direction ) return; - # Add the location data to the SSH record. - c$ssh$remote_location = get_location(c); + if ( ! c$ssh?$remote_location ) + return; if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries ) { @@ -48,7 +48,7 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3 } } -event ssh_auth_failed(c: connection) &priority=3 +event ssh_auth_attempted(c: connection, authenticated: bool) &priority=3 { if ( ! c$ssh?$direction ) return; diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.bro b/scripts/policy/protocols/ssh/interesting-hostnames.zeek similarity index 95% rename from scripts/policy/protocols/ssh/interesting-hostnames.bro rename to scripts/policy/protocols/ssh/interesting-hostnames.zeek index 064556f9c4..92f7bfc1dd 100644 --- a/scripts/policy/protocols/ssh/interesting-hostnames.bro +++ b/scripts/policy/protocols/ssh/interesting-hostnames.zeek 
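Review bot: The renamed handler `event ssh_auth_attempted(c: connection, authenticated: bool) &priority=3` now fires for successful as well as failed authentications, but the hunk shows only the `c$ssh?$direction` guard; unless the body (which continues outside the hunk) tests `authenticated`, the watched-country logic would also run for successes and duplicate the `ssh_auth_successful` handler above. If that is not intended, add `if ( authenticated ) return;` directly after the direction check. In the earlier hunk, replacing `c$ssh$remote_location = get_location(c);` with `if ( ! c$ssh?$remote_location ) return;` silently relies on some other handler having populated `remote_location` at a priority above 3, and if nothing does, Watched_Country_Login is never raised; a comment such as `# remote_location is filled in by a higher-priority handler; skip if absent` would record that assumption.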
@@ -12,7 +12,7 @@ export { redef enum Notice::Type += { ## Generated if a login originates or responds with a host where ## the reverse hostname lookup resolves to a name matched by the - ## :bro:id:`SSH::interesting_hostnames` regular expression. + ## :zeek:id:`SSH::interesting_hostnames` regular expression. Interesting_Hostname_Login, }; diff --git a/scripts/policy/protocols/ssh/software.bro b/scripts/policy/protocols/ssh/software.zeek similarity index 100% rename from scripts/policy/protocols/ssh/software.bro rename to scripts/policy/protocols/ssh/software.zeek diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.zeek similarity index 95% rename from scripts/policy/protocols/ssl/expiring-certs.bro rename to scripts/policy/protocols/ssl/expiring-certs.zeek index 1e806942d7..630d23d145 100644 --- a/scripts/policy/protocols/ssl/expiring-certs.bro +++ b/scripts/policy/protocols/ssl/expiring-certs.zeek @@ -15,7 +15,7 @@ export { ## and the certificate is now invalid. Certificate_Expired, ## Indicates that a certificate is going to expire within - ## :bro:id:`SSL::notify_when_cert_expiring_in`. + ## :zeek:id:`SSL::notify_when_cert_expiring_in`. Certificate_Expires_Soon, ## Indicates that a certificate's NotValidBefore date is future ## dated. @@ -30,7 +30,7 @@ export { option notify_certs_expiration = LOCAL_HOSTS; ## The time before a certificate is going to expire that you would like - ## to start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices. + ## to start receiving :zeek:enum:`SSL::Certificate_Expires_Soon` notices. option notify_when_cert_expiring_in = 30days; } diff --git a/scripts/policy/protocols/ssl/extract-certs-pem.bro b/scripts/policy/protocols/ssl/extract-certs-pem.zeek similarity index 100% rename from scripts/policy/protocols/ssl/extract-certs-pem.bro rename to scripts/policy/protocols/ssl/extract-certs-pem.zeek 
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.zeek similarity index 99% rename from scripts/policy/protocols/ssl/heartbleed.bro rename to scripts/policy/protocols/ssl/heartbleed.zeek index ae4395289d..483c1f4ce1 100644 --- a/scripts/policy/protocols/ssl/heartbleed.bro +++ b/scripts/policy/protocols/ssl/heartbleed.zeek @@ -45,7 +45,7 @@ type min_length: record { global min_lengths: vector of min_length = vector(); global min_lengths_tls11: vector of min_length = vector(); -event bro_init() +event zeek_init() { # Minimum length a heartbeat packet must have for different cipher suites. # Note - tls 1.1f and 1.0 have different lengths :( diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.zeek similarity index 94% rename from scripts/policy/protocols/ssl/known-certs.bro rename to scripts/policy/protocols/ssl/known-certs.zeek index 63a371b3e1..3a8ec75922 100644 --- a/scripts/policy/protocols/ssl/known-certs.bro +++ b/scripts/policy/protocols/ssl/known-certs.zeek 
@@ -43,19 +43,19 @@ export { }; ## Holds the set of all known certificates. Keys in the store are of - ## type :bro:type:`Known::AddrCertHashPair` and their associated value is + ## type :zeek:type:`Known::AddrCertHashPair` and their associated value is ## always the boolean value of "true". global cert_store: Cluster::StoreInfo; - ## The Broker topic name to use for :bro:see:`Known::cert_store`. + ## The Broker topic name to use for :zeek:see:`Known::cert_store`. const cert_store_name = "bro/known/certs" &redef; - ## The expiry interval of new entries in :bro:see:`Known::cert_store`. + ## The expiry interval of new entries in :zeek:see:`Known::cert_store`. ## This also changes the interval at which certs get logged. option cert_store_expiry = 1day; ## The timeout interval to use for operations against - ## :bro:see:`Known::cert_store`. + ## :zeek:see:`Known::cert_store`. option cert_store_timeout = 15sec; ## The set of all known certificates to store for preventing duplicate @@ -72,7 +72,7 @@ export { global log_known_certs: event(rec: CertsInfo); } -event bro_init() +event zeek_init() { if ( ! Known::use_cert_store ) return; @@ -193,7 +193,7 @@ event ssl_established(c: connection) &priority=3 event Known::cert_found(info, hash); } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs"]); } diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.zeek similarity index 94% rename from scripts/policy/protocols/ssl/log-hostcerts-only.bro rename to scripts/policy/protocols/ssl/log-hostcerts-only.zeek index 7f07c2b069..3aefac088a 100644 --- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro +++ b/scripts/policy/protocols/ssl/log-hostcerts-only.zeek 
@@ -31,7 +31,7 @@ function host_certs_only(rec: X509::Info): bool return rec$logcert; } -event bro_init() &priority=2 +event zeek_init() &priority=2 { local f = Log::get_filter(X509::LOG, "default"); Log::remove_filter(X509::LOG, "default"); # disable default logging @@ -51,12 +51,12 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=4 || f$info$mime_type == "application/pkix-cert" ) ) return; - for ( cid in f$conns ) - { - if ( ! f$conns[cid]?$ssl ) - return; + local c: connection; - local c = f$conns[cid]; + for ( cid, c in f$conns ) + { + if ( ! c?$ssl ) + return; } local chain: vector of string; diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.zeek similarity index 100% rename from scripts/policy/protocols/ssl/notary.bro rename to scripts/policy/protocols/ssl/notary.zeek diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.zeek similarity index 99% rename from scripts/policy/protocols/ssl/validate-certs.bro rename to scripts/policy/protocols/ssl/validate-certs.zeek index bd76daeceb..6a85627b3c 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.zeek @@ -62,7 +62,7 @@ export { global intermediate_cache: table[string] of vector of opaque of x509; @if ( Cluster::is_enabled() ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, SSL::intermediate_add); Broker::auto_publish(Cluster::manager_topic, SSL::new_intermediate); diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.zeek similarity index 100% rename from scripts/policy/protocols/ssl/validate-ocsp.bro rename to scripts/policy/protocols/ssl/validate-ocsp.zeek 
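Review bot: After the rewritten loop, `c` is whatever `f$conns` yielded last, so if `f$conns` can be empty when file_sniff runs, `c` is still unset at `local chain: vector of string;` and any `c$ssl` use that follows (outside the hunk) would fail at runtime; validate-sct guards the same pattern with `if ( |f$conns| != 1 ) return;`, while this handler has no visible size check. If emptiness is possible here, add `if ( |f$conns| == 0 ) return;` ahead of the `local c: connection;` declaration. A one-line comment on why `c` is declared before the loop, `# declared outside the loop so c stays bound after it`, would also help the reader, since the declare-then-loop shape is not self-explanatory. The enclosing event handler continues outside the hunk.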
diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.zeek similarity index 98% rename from scripts/policy/protocols/ssl/validate-sct.bro rename to scripts/policy/protocols/ssl/validate-sct.zeek index 0ce11b63ff..b4db3666eb 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.zeek @@ -69,7 +69,7 @@ export { global recently_validated_scts: table[string] of bool = table() &read_expire=5mins &redef; -event bro_init() +event zeek_init() { Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); } @@ -95,12 +95,12 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log if ( |f$conns| != 1 ) return; - for ( cid in f$conns ) - { - if ( ! f$conns[cid]?$ssl ) - return; + local c: connection; - local c = f$conns[cid]; + for ( cid, c in f$conns ) + { + if ( ! c?$ssl ) + return; } c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.zeek similarity index 100% rename from scripts/policy/protocols/ssl/weak-keys.bro rename to scripts/policy/protocols/ssl/weak-keys.zeek diff --git a/scripts/policy/tuning/__load__.bro b/scripts/policy/tuning/__load__.zeek similarity index 100% rename from scripts/policy/tuning/__load__.bro rename to scripts/policy/tuning/__load__.zeek diff --git a/scripts/policy/tuning/defaults/__load__.bro b/scripts/policy/tuning/defaults/__load__.zeek similarity index 55% rename from scripts/policy/tuning/defaults/__load__.bro rename to scripts/policy/tuning/defaults/__load__.zeek index fd52f92401..2b574a6845 100644 --- a/scripts/policy/tuning/defaults/__load__.bro +++ b/scripts/policy/tuning/defaults/__load__.zeek 
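Review bot: The loop at `for ( cid, c in f$conns )` runs exactly once because of the `|f$conns| != 1` check above it, so its only job is to bind `c` and bail on a non-SSL connection; that intent is not obvious from a loop that ends in `return`, and a comment would spare the next reader a double take, e.g. `# f$conns has exactly one entry: bind c and bail if it is not SSL.` placed above `local c: connection;`. The enclosing event handler continues outside the hunk.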
@@ -1,3 +1,3 @@ @load ./packet-fragments @load ./warnings -@load ./extracted_file_limits.bro +@load ./extracted_file_limits diff --git a/scripts/policy/tuning/defaults/extracted_file_limits.bro b/scripts/policy/tuning/defaults/extracted_file_limits.zeek similarity index 100% rename from scripts/policy/tuning/defaults/extracted_file_limits.bro rename to scripts/policy/tuning/defaults/extracted_file_limits.zeek diff --git a/scripts/policy/tuning/defaults/packet-fragments.bro b/scripts/policy/tuning/defaults/packet-fragments.zeek similarity index 100% rename from scripts/policy/tuning/defaults/packet-fragments.bro rename to scripts/policy/tuning/defaults/packet-fragments.zeek diff --git a/scripts/policy/tuning/defaults/warnings.bro b/scripts/policy/tuning/defaults/warnings.zeek similarity index 91% rename from scripts/policy/tuning/defaults/warnings.bro rename to scripts/policy/tuning/defaults/warnings.zeek index cedc3d62ad..6c31e82d4e 100644 --- a/scripts/policy/tuning/defaults/warnings.bro +++ b/scripts/policy/tuning/defaults/warnings.zeek @@ -4,7 +4,7 @@ @load base/utils/site -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { if ( |Site::local_nets| == 0 ) print "WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks."; diff --git a/scripts/policy/tuning/json-logs.bro b/scripts/policy/tuning/json-logs.zeek similarity index 100% rename from scripts/policy/tuning/json-logs.bro rename to scripts/policy/tuning/json-logs.zeek diff --git a/scripts/policy/tuning/track-all-assets.bro b/scripts/policy/tuning/track-all-assets.zeek similarity index 100% rename from scripts/policy/tuning/track-all-assets.bro rename to scripts/policy/tuning/track-all-assets.zeek diff --git a/scripts/site/local.bro b/scripts/site/local.zeek similarity index 100% rename from scripts/site/local.bro rename to scripts/site/local.zeek 
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro deleted file mode 100644 index c3c2941b06..0000000000 --- a/scripts/test-all-policy.bro +++ /dev/null 
@@ -1,111 +0,0 @@ -# This file loads ALL policy scripts that are part of the Bro distribution. -# -# This is rarely makes sense, and is for testing only. -# -# Note that we have a unit test that makes sure that all policy files shipped are -# actually loaded here. If we have files that are part of the distribution yet -# can't be loaded here, these must still be listed here with their load command -# commented out. - -# The base/ scripts are all loaded by default and not included here. - -# @load frameworks/control/controllee.bro -# @load frameworks/control/controller.bro -@load frameworks/dpd/detect-protocols.bro -@load frameworks/dpd/packet-segment-logging.bro -@load frameworks/intel/do_notice.bro -@load frameworks/intel/do_expire.bro -@load frameworks/intel/whitelist.bro -@load frameworks/intel/seen/__load__.bro -@load frameworks/intel/seen/conn-established.bro -@load frameworks/intel/seen/dns.bro -@load frameworks/intel/seen/file-hashes.bro -@load frameworks/intel/seen/file-names.bro -@load frameworks/intel/seen/http-headers.bro -@load frameworks/intel/seen/http-url.bro -@load frameworks/intel/seen/pubkey-hashes.bro -@load frameworks/intel/seen/smtp-url-extraction.bro -@load frameworks/intel/seen/smtp.bro -@load frameworks/intel/seen/ssl.bro -@load frameworks/intel/seen/where-locations.bro -@load frameworks/intel/seen/x509.bro -@load frameworks/files/detect-MHR.bro -@load frameworks/files/entropy-test-all-files.bro -#@load frameworks/files/extract-all-files.bro -@load frameworks/files/hash-all-files.bro -@load frameworks/notice/__load__.bro -@load frameworks/notice/extend-email/hostnames.bro -@load files/x509/log-ocsp.bro -@load frameworks/packet-filter/shunt.bro -@load frameworks/software/version-changes.bro -@load frameworks/software/vulnerable.bro -@load frameworks/software/windows-version-detection.bro -@load integration/barnyard2/__load__.bro -@load integration/barnyard2/main.bro -@load integration/barnyard2/types.bro -@load 
integration/collective-intel/__load__.bro -@load integration/collective-intel/main.bro -@load misc/capture-loss.bro -@load misc/detect-traceroute/__load__.bro -@load misc/detect-traceroute/main.bro -# @load misc/dump-events.bro -@load misc/load-balancing.bro -@load misc/loaded-scripts.bro -@load misc/profiling.bro -@load misc/scan.bro -@load misc/stats.bro -@load misc/weird-stats.bro -@load misc/trim-trace-file.bro -@load protocols/conn/known-hosts.bro -@load protocols/conn/known-services.bro -@load protocols/conn/mac-logging.bro -@load protocols/conn/vlan-logging.bro -@load protocols/conn/weirds.bro -#@load protocols/dhcp/deprecated_events.bro -@load protocols/dhcp/msg-orig.bro -@load protocols/dhcp/software.bro -@load protocols/dhcp/sub-opts.bro -@load protocols/dns/auth-addl.bro -@load protocols/dns/detect-external-names.bro -@load protocols/ftp/detect-bruteforcing.bro -@load protocols/ftp/detect.bro -@load protocols/ftp/software.bro -@load protocols/http/detect-sqli.bro -@load protocols/http/detect-webapps.bro -@load protocols/http/header-names.bro -@load protocols/http/software-browser-plugins.bro -@load protocols/http/software.bro -@load protocols/http/var-extraction-cookies.bro -@load protocols/http/var-extraction-uri.bro -@load protocols/krb/ticket-logging.bro -@load protocols/modbus/known-masters-slaves.bro -@load protocols/modbus/track-memmap.bro -@load protocols/mysql/software.bro -@load protocols/rdp/indicate_ssl.bro -#@load protocols/smb/__load__.bro -@load protocols/smb/log-cmds.bro -@load protocols/smtp/blocklists.bro -@load protocols/smtp/detect-suspicious-orig.bro -@load protocols/smtp/entities-excerpt.bro -@load protocols/smtp/software.bro -@load protocols/ssh/detect-bruteforcing.bro -@load protocols/ssh/geo-data.bro -@load protocols/ssh/interesting-hostnames.bro -@load protocols/ssh/software.bro -@load protocols/ssl/expiring-certs.bro -@load protocols/ssl/extract-certs-pem.bro -@load protocols/ssl/heartbleed.bro -@load 
protocols/ssl/known-certs.bro -@load protocols/ssl/log-hostcerts-only.bro -#@load protocols/ssl/notary.bro -@load protocols/ssl/validate-certs.bro -@load protocols/ssl/validate-ocsp.bro -@load protocols/ssl/validate-sct.bro -@load protocols/ssl/weak-keys.bro -@load tuning/__load__.bro -@load tuning/defaults/__load__.bro -@load tuning/defaults/extracted_file_limits.bro -@load tuning/defaults/packet-fragments.bro -@load tuning/defaults/warnings.bro -@load tuning/json-logs.bro -@load tuning/track-all-assets.bro diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek new file mode 100644 index 0000000000..26408b6d44 --- /dev/null +++ b/scripts/test-all-policy.zeek 
@@ -0,0 +1,113 @@ +# This file loads ALL policy scripts that are part of the Bro distribution. +# +# This is rarely makes sense, and is for testing only. +# +# Note that we have a unit test that makes sure that all policy files shipped are +# actually loaded here. If we have files that are part of the distribution yet +# can't be loaded here, these must still be listed here with their load command +# commented out. + +# The base/ scripts are all loaded by default and not included here. + +# @load frameworks/control/controllee.zeek +# @load frameworks/control/controller.zeek +@load frameworks/dpd/detect-protocols.zeek +@load frameworks/dpd/packet-segment-logging.zeek +@load frameworks/intel/do_notice.zeek +@load frameworks/intel/do_expire.zeek +@load frameworks/intel/whitelist.zeek +@load frameworks/intel/removal.zeek +@load frameworks/intel/seen/__load__.zeek +@load frameworks/intel/seen/conn-established.zeek +@load frameworks/intel/seen/dns.zeek +@load frameworks/intel/seen/file-hashes.zeek +@load frameworks/intel/seen/file-names.zeek +@load frameworks/intel/seen/http-headers.zeek +@load frameworks/intel/seen/http-url.zeek +@load frameworks/intel/seen/pubkey-hashes.zeek +@load frameworks/intel/seen/smb-filenames.zeek +@load frameworks/intel/seen/smtp-url-extraction.zeek +@load frameworks/intel/seen/smtp.zeek +@load frameworks/intel/seen/ssl.zeek +@load frameworks/intel/seen/where-locations.zeek +@load frameworks/intel/seen/x509.zeek +@load frameworks/files/detect-MHR.zeek +@load frameworks/files/entropy-test-all-files.zeek +#@load frameworks/files/extract-all-files.zeek +@load frameworks/files/hash-all-files.zeek +@load frameworks/notice/__load__.zeek +@load frameworks/notice/extend-email/hostnames.zeek +@load files/x509/log-ocsp.zeek +@load frameworks/packet-filter/shunt.zeek +@load frameworks/software/version-changes.zeek +@load frameworks/software/vulnerable.zeek +@load frameworks/software/windows-version-detection.zeek +@load 
integration/barnyard2/__load__.zeek +@load integration/barnyard2/main.zeek +@load integration/barnyard2/types.zeek +@load integration/collective-intel/__load__.zeek +@load integration/collective-intel/main.zeek +@load misc/capture-loss.zeek +@load misc/detect-traceroute/__load__.zeek +@load misc/detect-traceroute/main.zeek +# @load misc/dump-events.zeek +@load misc/load-balancing.zeek +@load misc/loaded-scripts.zeek +@load misc/profiling.zeek +@load misc/scan.zeek +@load misc/stats.zeek +@load misc/weird-stats.zeek +@load misc/trim-trace-file.zeek +@load protocols/conn/known-hosts.zeek +@load protocols/conn/known-services.zeek +@load protocols/conn/mac-logging.zeek +@load protocols/conn/vlan-logging.zeek +@load protocols/conn/weirds.zeek +#@load protocols/dhcp/deprecated_events.zeek +@load protocols/dhcp/msg-orig.zeek +@load protocols/dhcp/software.zeek +@load protocols/dhcp/sub-opts.zeek +@load protocols/dns/auth-addl.zeek +@load protocols/dns/detect-external-names.zeek +@load protocols/ftp/detect-bruteforcing.zeek +@load protocols/ftp/detect.zeek +@load protocols/ftp/software.zeek +@load protocols/http/detect-sqli.zeek +@load protocols/http/detect-webapps.zeek +@load protocols/http/header-names.zeek +@load protocols/http/software-browser-plugins.zeek +@load protocols/http/software.zeek +@load protocols/http/var-extraction-cookies.zeek +@load protocols/http/var-extraction-uri.zeek +@load protocols/krb/ticket-logging.zeek +@load protocols/modbus/known-masters-slaves.zeek +@load protocols/modbus/track-memmap.zeek +@load protocols/mysql/software.zeek +@load protocols/rdp/indicate_ssl.zeek +#@load protocols/smb/__load__.zeek +@load protocols/smb/log-cmds.zeek +@load protocols/smtp/blocklists.zeek +@load protocols/smtp/detect-suspicious-orig.zeek +@load protocols/smtp/entities-excerpt.zeek +@load protocols/smtp/software.zeek +@load protocols/ssh/detect-bruteforcing.zeek +@load protocols/ssh/geo-data.zeek +@load protocols/ssh/interesting-hostnames.zeek +@load 
protocols/ssh/software.zeek +@load protocols/ssl/expiring-certs.zeek +@load protocols/ssl/extract-certs-pem.zeek +@load protocols/ssl/heartbleed.zeek +@load protocols/ssl/known-certs.zeek +@load protocols/ssl/log-hostcerts-only.zeek +#@load protocols/ssl/notary.zeek +@load protocols/ssl/validate-certs.zeek +@load protocols/ssl/validate-ocsp.zeek +@load protocols/ssl/validate-sct.zeek +@load protocols/ssl/weak-keys.zeek +@load tuning/__load__.zeek +@load tuning/defaults/__load__.zeek +@load tuning/defaults/extracted_file_limits.zeek +@load tuning/defaults/packet-fragments.zeek +@load tuning/defaults/warnings.zeek +@load tuning/json-logs.zeek +@load tuning/track-all-assets.zeek diff --git a/scripts/zeexygen/README b/scripts/zeexygen/README new file mode 100644 index 0000000000..f099b09833 --- /dev/null +++ b/scripts/zeexygen/README @@ -0,0 +1,4 @@ +This package is loaded during the process which automatically generates +reference documentation for all Zeek scripts (i.e. "Zeexygen"). Its only +purpose is to provide an easy way to load all known Zeek scripts plus any +extra scripts needed or used by the documentation process. diff --git a/scripts/zeexygen/__load__.zeek b/scripts/zeexygen/__load__.zeek new file mode 100644 index 0000000000..ac9d2c008b --- /dev/null +++ b/scripts/zeexygen/__load__.zeek @@ -0,0 +1,17 @@ +@load test-all-policy.zeek + +# Scripts which are commented out in test-all-policy.zeek. +@load protocols/ssl/notary.zeek +@load frameworks/control/controllee.zeek +@load frameworks/control/controller.zeek +@load frameworks/files/extract-all-files.zeek +@load policy/misc/dump-events.zeek +@load policy/protocols/dhcp/deprecated_events.zeek +@load policy/protocols/smb/__load__.zeek + +@load ./example.zeek + +event zeek_init() + { + terminate(); + } diff --git a/scripts/broxygen/example.bro b/scripts/zeexygen/example.zeek similarity index 88% rename from scripts/broxygen/example.bro rename to scripts/zeexygen/example.zeek index 65cc5ff1c7..69affed96a 100644 
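Review bot: The load list in scripts/zeexygen/__load__.zeek mixes two path styles for the same purpose: the first four entries are written relative to the policy tree (`@load protocols/ssl/notary.zeek`, `@load frameworks/control/controllee.zeek`) while the last three carry an explicit `policy/` prefix (`@load policy/misc/dump-events.zeek`). Both forms presumably resolve through the script search path, but the comment above them says these are exactly the entries commented out in test-all-policy.zeek, and that file spells them without the prefix, so `@load misc/dump-events.zeek`, `@load protocols/dhcp/deprecated_events.zeek` and `@load protocols/smb/__load__.zeek` would read consistently with it. If the prefix is deliberate (for instance to disambiguate against a same-named base script), a one-line comment saying so would save the next reader the question.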
--- a/scripts/broxygen/example.bro +++ b/scripts/zeexygen/example.zeek @@ -1,4 +1,4 @@ -##! This is an example script that demonstrates Broxygen-style +##! This is an example script that demonstrates Zeexygen-style ##! documentation. It generally will make most sense when viewing ##! the script's raw source code and comparing to the HTML-rendered ##! version. @@ -11,14 +11,14 @@ ##! .. tip:: You can embed directives and roles within ``##``-stylized comments. ##! ##! There's also a custom role to reference any identifier node in -##! the Bro Sphinx domain that's good for "see alsos", e.g. +##! the Zeek Sphinx domain that's good for "see alsos", e.g. ##! -##! See also: :bro:see:`BroxygenExample::a_var`, -##! :bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` +##! See also: :zeek:see:`ZeexygenExample::a_var`, +##! :zeek:see:`ZeexygenExample::ONE`, :zeek:see:`SSH::Info` ##! ##! And a custom directive does the equivalent references: ##! -##! .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info +##! .. zeek:see:: ZeexygenExample::a_var ZeexygenExample::ONE SSH::Info # Comments that use a single pound sign (#) are not significant to # a script's auto-generated documentation, but ones that use a @@ -30,7 +30,7 @@ # variable declarations to associate with the last-declared identifier. # # Generally, the auto-doc comments (##) are associated with the -# next declaration/identifier found in the script, but Broxygen +# next declaration/identifier found in the script, but Zeexygen # will track/render identifiers regardless of whether they have any # of these special comments associated with them. # 
@@ -49,19 +49,19 @@ # "module" statements are self-documenting, don't use any ``##`` style # comments with them. -module BroxygenExample; +module ZeexygenExample; # Redefinitions of "Notice::Type" are self-documenting, but # more information can be supplied in two different ways. redef enum Notice::Type += { ## Any number of this type of comment - ## will document "Broxygen_One". - Broxygen_One, - Broxygen_Two, ##< Any number of this type of comment - ##< will document "BROXYGEN_TWO". - Broxygen_Three, + ## will document "Zeexygen_One". + Zeexygen_One, + Zeexygen_Two, ##< Any number of this type of comment + ##< will document "ZEEXYGEN_TWO". + Zeexygen_Three, ## Omitting comments is fine, and so is mixing ``##`` and ``##<``, but - Broxygen_Four, ##< it's probably best to use only one style consistently. + Zeexygen_Four, ##< it's probably best to use only one style consistently. }; # All redefs are automatically tracked. Comments of the "##" form can be use @@ -110,7 +110,7 @@ export { type ComplexRecord: record { field1: count; ##< Counts something. field2: bool; ##< Toggles something. - field3: SimpleRecord; ##< Broxygen automatically tracks types + field3: SimpleRecord; ##< Zeexygen automatically tracks types ##< and cross-references are automatically ##< inserted in to generated docs. msg: string &default="blah"; ##< Attributes are self-documenting. @@ -163,9 +163,9 @@ export { ## Summarize "an_event" here. ## Give more details about "an_event" here. ## - ## BroxygenExample::a_function should not be confused as a parameter + ## ZeexygenExample::a_function should not be confused as a parameter ## in the generated docs, but it also doesn't generate a cross-reference - ## link. Use the see role instead: :bro:see:`BroxygenExample::a_function`. + ## link. Use the see role instead: :zeek:see:`ZeexygenExample::a_function`. ## ## name: Describe the argument here. global an_event: event(name: string); 
@@ -189,6 +189,6 @@ type PrivateRecord: record { # Event handlers are also an implementation detail of a script, so they # don't show up anywhere in the generated documentation. -event bro_init() +event zeek_init() { } diff --git a/src/Attr.cc b/src/Attr.cc index 47ea7d4f06..2f9673346c 100644 --- a/src/Attr.cc +++ b/src/Attr.cc @@ -51,7 +51,7 @@ void Attr::Describe(ODesc* d) const void Attr::DescribeReST(ODesc* d) const { - d->Add(":bro:attr:`"); + d->Add(":zeek:attr:`"); AddTag(d); d->Add("`"); @@ -64,14 +64,14 @@ void Attr::DescribeReST(ODesc* d) const if ( expr->Tag() == EXPR_NAME ) { - d->Add(":bro:see:`"); + d->Add(":zeek:see:`"); expr->Describe(d); d->Add("`"); } else if ( expr->Type()->Tag() == TYPE_FUNC ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(expr->Type()->AsFuncType()->FlavorString()); d->Add("`"); } diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index f3dfd42d85..94aca30eb9 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -143,7 +143,7 @@ set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE) add_subdirectory(analyzer) add_subdirectory(broker) -add_subdirectory(broxygen) +add_subdirectory(zeexygen) add_subdirectory(file_analysis) add_subdirectory(input) add_subdirectory(iosource) @@ -319,6 +319,7 @@ set(bro_SRCS UID.cc Val.cc Var.cc + WeirdState.cc bsd-getopt-long.c bro_inet_ntop.c cq.c 
@@ -385,17 +386,17 @@ add_dependencies(generate_outputs_stage2b generate_outputs_stage1) add_custom_target(generate_outputs) add_dependencies(generate_outputs generate_outputs_stage2a generate_outputs_stage2b) -# Build __load__.bro files for standard *.bif.bro. +# Build __load__.zeek files for standard *.bif.zeek. bro_bif_create_loader(bif_loader "${bro_BASE_BIF_SCRIPTS}") add_dependencies(bif_loader ${bro_SUBDIRS}) add_dependencies(bro bif_loader) -# Build __load__.bro files for plugins/*.bif.bro. +# Build __load__.zeek files for plugins/*.bif.zeek. bro_bif_create_loader(bif_loader_plugins "${bro_PLUGIN_BIF_SCRIPTS}") add_dependencies(bif_loader_plugins ${bro_SUBDIRS}) add_dependencies(bro bif_loader_plugins) -# Install *.bif.bro. +# Install *.bif.zeek. install(DIRECTORY ${CMAKE_BINARY_DIR}/scripts/base/bif DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base) # Create plugin directory at install time. diff --git a/src/Conn.cc b/src/Conn.cc index b55b1210b0..03ecf32703 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -1075,27 +1075,5 @@ void Connection::CheckFlowLabel(bool is_orig, uint32 flow_label) bool Connection::PermitWeird(const char* name, uint64 threshold, uint64 rate, double duration) { - auto& state = weird_state[name]; - ++state.count; - - if ( state.count <= threshold ) - return true; - - if ( state.count == threshold + 1) - state.sampling_start_time = network_time; - else - { - if ( network_time > state.sampling_start_time + duration ) - { - state.sampling_start_time = 0; - state.count = 1; - return true; - } - } - - auto num_above_threshold = state.count - threshold; - if ( rate ) - return num_above_threshold % rate == 0; - else - return false; + return ::PermitWeird(weird_state, name, threshold, rate, duration); } diff --git a/src/Conn.h b/src/Conn.h index ae639d6341..e49314968a 100644 --- a/src/Conn.h +++ b/src/Conn.h 
@@ -17,6 +17,7 @@ #include "IPAddr.h" #include "TunnelEncapsulation.h" #include "UID.h" +#include "WeirdState.h" #include "analyzer/Tag.h" #include "analyzer/Analyzer.h" @@ -345,14 +346,7 @@ protected: analyzer::pia::PIA* primary_PIA; Bro::UID uid; // Globally unique connection ID. - - struct WeirdState { - WeirdState() { count = 0; sampling_start_time = 0; } - uint64 count = 0; - double sampling_start_time = 0; - }; - - std::unordered_map weird_state; + WeirdStateMap weird_state; }; class ConnectionTimer : public Timer { diff --git a/src/Debug.cc b/src/Debug.cc index 54a40c58d1..a45c27888e 100644 --- a/src/Debug.cc +++ b/src/Debug.cc @@ -348,7 +348,7 @@ vector parse_location_string(const string& s) if ( ! sscanf(line_string.c_str(), "%d", &plr.line) ) plr.type = plrUnknown; - string path(find_file(filename, bro_path(), "bro")); + string path(find_script_file(filename, bro_path())); if ( path.empty() ) { diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc index 07590590df..baddd2bdd8 100644 --- a/src/DebugLogger.cc +++ b/src/DebugLogger.cc @@ -18,7 +18,7 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = { { "dpd", 0, false }, { "tm", 0, false }, { "logging", 0, false }, {"input", 0, false }, { "threading", 0, false }, { "file_analysis", 0, false }, - { "plugins", 0, false }, { "broxygen", 0, false }, + { "plugins", 0, false }, { "zeexygen", 0, false }, { "pktio", 0, false }, { "broker", 0, false }, { "scripts", 0, false} }; diff --git a/src/DebugLogger.h b/src/DebugLogger.h index 1eb8e30417..8026e8ba3c 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h @@ -30,7 +30,7 @@ enum DebugStream { DBG_THREADING, // Threading system DBG_FILE_ANALYSIS, // File analysis DBG_PLUGINS, // Plugin system - DBG_BROXYGEN, // Broxygen + DBG_ZEEXYGEN, // Zeexygen DBG_PKTIO, // Packet sources and dumpers. DBG_BROKER, // Broker communication DBG_SCRIPTS, // Script initialization diff --git a/src/Dict.cc b/src/Dict.cc index 9e68d64089..d639b0c912 100644 --- a/src/Dict.cc 
+++ b/src/Dict.cc @@ -17,6 +17,10 @@ // is prime. #define PRIME_THRESH 1000 +// Default number of hash buckets in dictionary. The dictionary will +// increase the size of the hash table as needed. +#define DEFAULT_DICT_SIZE 16 + class DictEntry { public: DictEntry(void* k, int l, hash_t h, void* val) @@ -53,7 +57,7 @@ public: Dictionary::Dictionary(dict_order ordering, int initial_size) { - Init(initial_size); + tbl = 0; tbl2 = 0; if ( ordering == ORDERED ) @@ -61,14 +65,17 @@ Dictionary::Dictionary(dict_order ordering, int initial_size) else order = 0; - SetDensityThresh(DEFAULT_DENSITY_THRESH); - delete_func = 0; tbl_next_ind = 0; cumulative_entries = 0; + num_buckets = num_entries = max_num_entries = thresh_entries = 0; + den_thresh = 0; num_buckets2 = num_entries2 = max_num_entries2 = thresh_entries2 = 0; den_thresh2 = 0; + + if ( initial_size > 0 ) + Init(initial_size); } Dictionary::~Dictionary() @@ -80,12 +87,15 @@ Dictionary::~Dictionary() void Dictionary::Clear() { DeInit(); - Init(2); + tbl = 0; tbl2 = 0; } void Dictionary::DeInit() { + if ( ! tbl ) + return; + for ( int i = 0; i < num_buckets; ++i ) if ( tbl[i] ) { @@ -127,6 +137,9 @@ void Dictionary::DeInit() void* Dictionary::Lookup(const void* key, int key_size, hash_t hash) const { + if ( ! tbl && ! tbl2 ) + return 0; + hash_t h; PList(DictEntry)* chain; @@ -155,6 +168,9 @@ void* Dictionary::Lookup(const void* key, int key_size, hash_t hash) const void* Dictionary::Insert(void* key, int key_size, hash_t hash, void* val, int copy_key) { + if ( ! tbl ) + Init(DEFAULT_DICT_SIZE); + DictEntry* new_entry = new DictEntry(key, key_size, hash, val); void* old_val = Insert(new_entry, copy_key); @@ -179,6 +195,9 @@ void* Dictionary::Insert(void* key, int key_size, hash_t hash, void* val, void* Dictionary::Remove(const void* key, int key_size, hash_t hash, bool dont_delete) { + if ( ! tbl && ! tbl2 ) + return 0; + hash_t h; PList(DictEntry)* chain; int* num_entries_ptr; 
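Review bot: After Dictionary::Clear() the entry counters can be stale: it now sets `tbl = 0; tbl2 = 0;` instead of calling `Init(2)`, and `DeInit()` returns early once `tbl` is null, so whichever of `num_entries`/`num_buckets` DeInit() does not reset (its body is outside this hunk) keep their pre-Clear values until a later Insert() runs `Init(DEFAULT_DICT_SIZE)`, where `max_num_entries = num_entries = 0` is done. If `Length()` or iteration reads `num_entries` directly, a cleared dictionary reports the old size in that window; `tbl = 0; tbl2 = 0; num_entries = num_buckets = 0;` in Clear() closes the gap regardless of what DeInit() does. The same lazy-init guard is repeated in Lookup, Remove, NextEntry, MemoryAllocation and both Insert overloads in the remaining hunks of this file; a sentence next to DEFAULT_DICT_SIZE, `// Hash tables are allocated on first insert, not in the constructor; every accessor must tolerate tbl == 0.`, would document the invariant those guards rely on.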
@@ -280,6 +299,14 @@ void Dictionary::StopIteration(IterCookie* cookie) const void* Dictionary::NextEntry(HashKey*& h, IterCookie*& cookie, int return_hash) const { + if ( ! tbl && ! tbl2 ) + { + const_cast(&cookies)->remove(cookie); + delete cookie; + cookie = 0; + return 0; + } + // If there are any inserted entries, return them first. // That keeps the list small and helps avoiding searching // a large list when deleting an entry. @@ -366,6 +393,7 @@ void Dictionary::Init(int size) tbl[i] = 0; max_num_entries = num_entries = 0; + SetDensityThresh(DEFAULT_DENSITY_THRESH); } void Dictionary::Init2(int size) @@ -382,6 +410,9 @@ void Dictionary::Init2(int size) // private void* Dictionary::Insert(DictEntry* new_entry, int copy_key) { + if ( ! tbl ) + Init(DEFAULT_DICT_SIZE); + PList(DictEntry)** ttbl; int* num_entries_ptr; int* max_num_entries_ptr; @@ -568,6 +599,9 @@ unsigned int Dictionary::MemoryAllocation() const { int size = padded_sizeof(*this); + if ( ! tbl ) + return size; + for ( int i = 0; i < num_buckets; ++i ) if ( tbl[i] ) { diff --git a/src/Dict.h b/src/Dict.h index a929319450..75eb34abe9 100644 --- a/src/Dict.h +++ b/src/Dict.h @@ -13,10 +13,6 @@ class IterCookie; declare(PList,DictEntry); declare(PList,IterCookie); -// Default number of hash buckets in dictionary. The dictionary will -// increase the size of the hash table as needed. -#define DEFAULT_DICT_SIZE 16 - // Type indicating whether the dictionary should keep track of the order // of insertions. typedef enum { ORDERED, UNORDERED } dict_order; @@ -30,7 +26,7 @@ extern void generic_delete_func(void*); class Dictionary { public: explicit Dictionary(dict_order ordering = UNORDERED, - int initial_size = DEFAULT_DICT_SIZE); + int initial_size = 0); virtual ~Dictionary(); // Member functions for looking up a key, inserting/changing its 
@@ -196,7 +192,7 @@ private: class PDict(type) : public Dictionary { \ public: \ explicit PDict(type)(dict_order ordering = UNORDERED, \ - int initial_size = DEFAULT_DICT_SIZE) : \ + int initial_size = 0) : \ Dictionary(ordering, initial_size) {} \ type* Lookup(const char* key) const \ { \ diff --git a/src/Expr.cc b/src/Expr.cc index be186524ad..737a9455ca 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -1382,7 +1382,7 @@ SizeExpr::SizeExpr(Expr* arg_op) : UnaryExpr(EXPR_SIZE, arg_op) return; if ( op->Type()->InternalType() == TYPE_INTERNAL_DOUBLE ) - SetType(op->Type()->Ref()); + SetType(base_type(TYPE_DOUBLE)); else SetType(base_type(TYPE_COUNT)); } @@ -2337,7 +2337,13 @@ CondExpr::CondExpr(Expr* arg_op1, Expr* arg_op2, Expr* arg_op3) ExprError("operands must be of the same type"); else - SetType(op2->Type()->Ref()); + { + if ( IsRecord(bt2) && IsRecord(bt3) && + ! same_type(op2->Type(), op3->Type()) ) + ExprError("operands must be of the same type"); + else + SetType(op2->Type()->Ref()); + } } } diff --git a/src/ID.cc b/src/ID.cc index fd99d7c937..24c1c829ff 100644 --- a/src/ID.cc +++ b/src/ID.cc @@ -14,7 +14,7 @@ #include "PersistenceSerializer.h" #include "Scope.h" #include "Traverse.h" -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" ID::ID(const char* arg_name, IDScope arg_scope, bool arg_is_export) { @@ -651,9 +651,9 @@ void ID::DescribeExtended(ODesc* d) const void ID::DescribeReSTShort(ODesc* d) const { if ( is_type ) - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); else - d->Add(":bro:id:`"); + d->Add(":zeek:id:`"); d->Add(name); d->Add("`"); @@ -661,7 +661,7 @@ void ID::DescribeReSTShort(ODesc* d) const if ( type ) { d->Add(": "); - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); if ( ! is_type && ! type->GetName().empty() ) d->Add(type->GetName().c_str()); 
@@ -682,7 +682,7 @@ void ID::DescribeReSTShort(ODesc* d) const if ( is_type ) d->Add(type_name(t)); else - d->Add(broxygen_mgr->GetEnumTypeName(Name()).c_str()); + d->Add(zeexygen_mgr->GetEnumTypeName(Name()).c_str()); break; default: @@ -706,18 +706,18 @@ void ID::DescribeReST(ODesc* d, bool roles_only) const if ( roles_only ) { if ( is_type ) - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); else - d->Add(":bro:id:`"); + d->Add(":zeek:id:`"); d->Add(name); d->Add("`"); } else { if ( is_type ) - d->Add(".. bro:type:: "); + d->Add(".. zeek:type:: "); else - d->Add(".. bro:id:: "); + d->Add(".. zeek:id:: "); d->Add(name); } @@ -730,7 +730,7 @@ void ID::DescribeReST(ODesc* d, bool roles_only) const if ( ! is_type && ! type->GetName().empty() ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(type->GetName()); d->Add("`"); } diff --git a/src/IP.cc b/src/IP.cc index 689876339b..589c973e72 100644 --- a/src/IP.cc +++ b/src/IP.cc @@ -288,7 +288,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const } default: - reporter->Weird(fmt("unknown_mobility_type_%d", mob->ip6mob_type)); + reporter->Weird("unknown_mobility_type"); break; } @@ -553,7 +553,7 @@ void IPv6_Hdr_Chain::ProcessRoutingHeader(const struct ip6_rthdr* r, uint16 len) #endif default: - reporter->Weird(fmt("unknown_routing_type_%d", r->ip6r_type)); + reporter->Weird(SrcAddr(), DstAddr(), "unknown_routing_type"); break; } } diff --git a/src/List.cc b/src/List.cc index a2b4609975..0f7f706bcd 100644 --- a/src/List.cc +++ b/src/List.cc 
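Review bot: The header type value that made the packet weird no longer appears anywhere in the report once `fmt("unknown_mobility_type_%d", ...)` becomes the fixed `"unknown_mobility_type"` (same for the routing-header hunk): the `Weird(const char*)` and `Weird(orig, resp, name)` overloads used here have no `addl` argument to carry it, so operators lose that detail from weird.log. The motivation is sound and worth stating in code: per-name sampling state is keyed by the weird name (`weird_state[name]` in the Conn.cc hunk), so a packet-derived suffix lets each new value start with a fresh counter and never reach the sampling threshold. A comment at the first site, `// Keep the weird name fixed: the type comes from the packet, and per-name sampling state must not be keyed on sender-controlled data.`, would keep the interpolation from being reintroduced. The three Sessions.cc hunks further down (unknown_gre_version, unknown_gre_protocol, unknown_protocol) make the same change and would benefit from the same comment at the first of them.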
@@ -6,33 +6,27 @@ #include "List.h" #include "util.h" -static const int DEFAULT_CHUNK_SIZE = 10; +#define DEFAULT_LIST_SIZE 10 +#define GROWTH_FACTOR 2 BaseList::BaseList(int size) { - chunk_size = DEFAULT_CHUNK_SIZE; + num_entries = 0; + max_entries = 0; + entry = 0; - if ( size < 0 ) - { - num_entries = max_entries = 0; - entry = 0; - } - else - { - if ( size > 0 ) - chunk_size = size; + if ( size <= 0 ) + return; - num_entries = 0; - entry = (ent *) safe_malloc(chunk_size * sizeof(ent)); - max_entries = chunk_size; - } + max_entries = size; + + entry = (ent *) safe_malloc(max_entries * sizeof(ent)); } BaseList::BaseList(BaseList& b) { max_entries = b.max_entries; - chunk_size = b.chunk_size; num_entries = b.num_entries; if ( max_entries ) @@ -58,7 +52,6 @@ void BaseList::operator=(BaseList& b) free(entry); max_entries = b.max_entries; - chunk_size = b.chunk_size; num_entries = b.num_entries; if ( max_entries ) @@ -73,10 +66,7 @@ void BaseList::operator=(BaseList& b) void BaseList::insert(ent a) { if ( num_entries == max_entries ) - { - resize(max_entries + chunk_size); // make more room - chunk_size *= 2; - } + resize(max_entries ? max_entries * GROWTH_FACTOR : DEFAULT_LIST_SIZE); for ( int i = num_entries; i > 0; --i ) entry[i] = entry[i-1]; // move all pointers up one @@ -94,10 +84,7 @@ void BaseList::sortedinsert(ent a, list_cmp_func cmp_func) // First append element. if ( num_entries == max_entries ) - { - resize(max_entries + chunk_size); - chunk_size *= 2; - } + resize(max_entries ? max_entries * GROWTH_FACTOR : DEFAULT_LIST_SIZE); entry[num_entries++] = a; @@ -141,10 +128,7 @@ ent BaseList::remove_nth(int n) void BaseList::append(ent a) { if ( num_entries == max_entries ) - { - resize(max_entries + chunk_size); // make more room - chunk_size *= 2; - } + resize(max_entries ? max_entries * GROWTH_FACTOR : DEFAULT_LIST_SIZE); entry[num_entries++] = a; } 
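Review bot: The growth expression `resize(max_entries ? max_entries * GROWTH_FACTOR : DEFAULT_LIST_SIZE);` is now written out three times, in insert(), sortedinsert() and append(); a small private helper (say `grow()`, declared in List.h) would give the policy one home and one comment, and the clear() hunk that follows would have nothing to keep in step with it. Replacing `static const int DEFAULT_CHUNK_SIZE` with `#define DEFAULT_LIST_SIZE 10` and `#define GROWTH_FACTOR 2` also drops the type the original constant had; `static const int DEFAULT_LIST_SIZE = 10;` and `static const int GROWTH_FACTOR = 2;` keep the file's existing style. The constructor's early `return` on `size <= 0` leaves `entry` null, which the `max_entries ? … : DEFAULT_LIST_SIZE` form handles, but that pairing is easy to miss from either side; a one-line comment on the `return` saying the first insert allocates would make it explicit.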
@@ -168,7 +152,6 @@ void BaseList::clear() } num_entries = max_entries = 0; - chunk_size = DEFAULT_CHUNK_SIZE; } ent BaseList::replace(int ent_index, ent new_ent) diff --git a/src/List.h b/src/List.h index fcc0274225..6fb2bbcec6 100644 --- a/src/List.h +++ b/src/List.h @@ -11,7 +11,7 @@ // element up, and resizing the list, which involves getting new space // and moving the data. Resizing occurs automatically when inserting // more elements than the list can currently hold. Automatic -// resizing is done one "chunk_size" of elements at a time and +// resizing is done by growing by GROWTH_FACTOR at a time and // always increases the size of the list. Resizing to zero // (or to less than the current value of num_entries) // will decrease the size of the list to the current number of @@ -32,7 +32,6 @@ public: void clear(); // remove all entries int length() const { return num_entries; } - int chunk() const { return chunk_size; } int max() const { return max_entries; } int resize(int = 0); // 0 => size to fit current number of entries @@ -79,7 +78,6 @@ protected: void operator=(BaseList&); ent* entry; - int chunk_size; // increase size by this amount when necessary int max_entries; int num_entries; }; diff --git a/src/Net.cc b/src/Net.cc index d6cb6632b2..b61d365a2a 100644 --- a/src/Net.cc +++ b/src/Net.cc @@ -188,7 +188,7 @@ void net_init(name_list& interfaces, name_list& readfiles, else // have_pending_timers = 1, possibly. We don't set // that here, though, because at this point we don't know - // whether the user's bro_init() event will indeed set + // whether the user's zeek_init() event will indeed set // a timer. reading_traces = reading_live = 0; diff --git a/src/OSFinger.cc b/src/OSFinger.cc index df5f30b0cc..1b540a1fd0 100644 --- a/src/OSFinger.cc +++ b/src/OSFinger.cc 
@@ -295,7 +295,7 @@ void OSFingerprint::load_config(const char* file) char buf[MAXLINE]; char* p; - FILE* c = open_file(find_file(file, bro_path(), "osf")); + FILE* c = open_file(find_file(file, bro_path(), ".osf")); if (!c) { diff --git a/src/Reporter.cc b/src/Reporter.cc index ba1196de21..413f89b9ea 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -13,6 +13,7 @@ #include "Timer.h" #include "plugin/Plugin.h" #include "plugin/Manager.h" +#include "file_analysis/File.h" #ifdef SYSLOG_INT extern "C" { @@ -213,12 +214,14 @@ void Reporter::Syslog(const char* fmt, ...) va_end(ap); } -void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...) +void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...) { val_list* vl = new val_list(1); if ( conn_val ) vl->append(conn_val); + else if ( f ) + vl->append(f->GetVal()->Ref()); if ( addl ) vl->append(new StringVal(addl)); @@ -339,7 +342,21 @@ void Reporter::Weird(const char* name) return; } - WeirdHelper(net_weird, 0, 0, "%s", name); + WeirdHelper(net_weird, 0, 0, 0, "%s", name); + } + +void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl) + { + UpdateWeirdStats(name); + + if ( ! WeirdOnSamplingWhiteList(name) ) + { + if ( ! f->PermitWeird(name, weird_sampling_threshold, + weird_sampling_rate, weird_sampling_duration) ) + return; + } + + WeirdHelper(file_weird, 0, f, addl, "%s", name); } void Reporter::Weird(Connection* conn, const char* name, const char* addl) @@ -353,7 +370,7 @@ void Reporter::Weird(Connection* conn, const char* name, const char* addl) return; } - WeirdHelper(conn_weird, conn->BuildConnVal(), addl, "%s", name); + WeirdHelper(conn_weird, conn->BuildConnVal(), 0, addl, "%s", name); } void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name) diff --git a/src/Reporter.h b/src/Reporter.h index bd029c0b59..88270a9dba 100644 
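Review bot: The new `Reporter::Weird(file_analysis::File* f, ...)` dereferences `f` unconditionally in `f->PermitWeird(...)`, while `WeirdHelper` in the hunk above was taught `else if ( f )`, so the two halves disagree on whether a null File is a legal argument. Either make the overload match its sibling and return early, `if ( ! f ) return;` before the sampling check, or state the precondition on the declaration added in Reporter.h (next file): `// Raises file_weird(); f must be non-null.` Whether the Connection overload (only partly visible in the last hunk) guards `conn` is outside what this diff shows, so following whatever it does would keep the three overloads consistent. `file_weird` and `File::PermitWeird` are not declared anywhere in this diff; presumably they come from the generated event bindings and the new WeirdState helper respectively.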
--- a/src/Reporter.h +++ b/src/Reporter.h @@ -17,6 +17,7 @@ #include "IPAddr.h" namespace analyzer { class Analyzer; } +namespace file_analysis { class File; } class Connection; class Location; class Reporter; @@ -84,6 +85,7 @@ public: // Report a traffic weirdness, i.e., an unexpected protocol situation // that may lead to incorrectly processing a connnection. void Weird(const char* name); // Raises net_weird(). + void Weird(file_analysis::File* f, const char* name, const char* addl = ""); // Raises file_weird(). void Weird(Connection* conn, const char* name, const char* addl = ""); // Raises conn_weird(). void Weird(const IPAddr& orig, const IPAddr& resp, const char* name); // Raises flow_weird(). @@ -238,7 +240,7 @@ private: // The order if addl, name needs to be like that since fmt_name can // contain format specifiers - void WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...) __attribute__((format(printf, 5, 6)));; + void WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...) __attribute__((format(printf, 6, 7)));; void WeirdFlowHelper(const IPAddr& orig, const IPAddr& resp, const char* fmt_name, ...) __attribute__((format(printf, 4, 5)));; void UpdateWeirdStats(const char* name); inline bool WeirdOnSamplingWhiteList(const char* name) diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index 54228d58dd..5b72264926 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -235,7 +235,7 @@ bool RuleMatcher::ReadFiles(const name_list& files) for ( int i = 0; i < files.length(); ++i ) { - rules_in = open_file(find_file(files[i], bro_path(), "sig")); + rules_in = open_file(find_file(files[i], bro_path(), ".sig")); if ( ! rules_in ) { diff --git a/src/Sessions.cc b/src/Sessions.cc index 5709ad5f28..edccb7e00c 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc 
@@ -537,8 +537,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr if ( gre_version != 0 && gre_version != 1 ) { - Weird(fmt("unknown_gre_version_%d", gre_version), ip_hdr, - encapsulation); + Weird("unknown_gre_version", ip_hdr, encapsulation); return; } @@ -613,8 +612,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr else { // Not IPv4/IPv6 payload. - Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr, - encapsulation); + Weird("unknown_gre_protocol", ip_hdr, encapsulation); return; } @@ -747,7 +745,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr } default: - Weird(fmt("unknown_protocol_%d", proto), pkt, encapsulation); + Weird("unknown_protocol", pkt, encapsulation); return; } diff --git a/src/Stmt.cc b/src/Stmt.cc index 5e6ac3fb39..7e7ba23a18 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -1421,12 +1421,38 @@ ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr) e->Error("target to iterate over must be a table, set, vector, or string"); } +ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr, ID* val_var) + : ForStmt(arg_loop_vars, loop_expr) + { + value_var = val_var; + + if ( e->Type()->IsTable() ) + { + BroType* yield_type = e->Type()->AsTableType()->YieldType(); + + // Verify value_vars type if its already been defined + if ( value_var->Type() ) + { + if ( ! same_type(value_var->Type(), yield_type) ) + value_var->Type()->Error("type clash in iteration", yield_type); + } + else + { + delete add_local(value_var, yield_type->Ref(), INIT_NONE, + 0, 0, VAR_REGULAR); + } + } + else + e->Error("key value for loops only support iteration over tables"); + } + ForStmt::~ForStmt() { loop_over_list(*loop_vars, i) Unref((*loop_vars)[i]); delete loop_vars; + Unref(value_var); Unref(body); } 
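Review bot: The new key/value ForStmt constructor dereferences `val_var` without a check (`value_var->Type()`), and nothing at the declaration in Stmt.h (next file) says the argument must be non-null or that the statement takes over its reference, which `~ForStmt` now releases with `Unref(value_var)`. Expanding the Stmt.h comment to `// Key/value form: val_var (non-null) is bound to each table entry's value; the statement takes a reference that ~ForStmt releases.` would pin both. In the DoExec hunk the value is read as `current_tev->Value()->Ref()`; the constructor only admits `e->Type()->IsTable()`, which presumably excludes sets (whose entries carry no value), but a comment at the `if ( value_var )` line noting that the constructor guarantees a yield type would explain why a null Value() cannot reach that deref. The enclosing ForStmt::DoExec starts and ends outside the hunk.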
@@ -1443,12 +1469,16 @@ Val* ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const return 0; HashKey* k; + TableEntryVal* current_tev; IterCookie* c = loop_vals->InitForIteration(); - while ( loop_vals->NextEntry(k, c) ) + while ( (current_tev = loop_vals->NextEntry(k, c)) ) { ListVal* ind_lv = tv->RecoverIndex(k); delete k; + if ( value_var ) + f->SetElement(value_var->Offset(), current_tev->Value()->Ref()); + for ( int i = 0; i < ind_lv->Length(); i++ ) f->SetElement((*loop_vars)[i]->Offset(), ind_lv->Index(i)->Ref()); Unref(ind_lv); diff --git a/src/Stmt.h b/src/Stmt.h index a6676d678d..a9bf7cddf8 100644 --- a/src/Stmt.h +++ b/src/Stmt.h @@ -337,6 +337,8 @@ protected: class ForStmt : public ExprStmt { public: ForStmt(id_list* loop_vars, Expr* loop_expr); + // Special constructor for key value for loop. + ForStmt(id_list* loop_vars, Expr* loop_expr, ID* val_var); ~ForStmt() override; void AddBody(Stmt* arg_body) { body = arg_body; } @@ -361,6 +363,9 @@ protected: id_list* loop_vars; Stmt* body; + // Stores the value variable being used for a key value for loop. + // Always set to nullptr unless special constructor is called. + ID* value_var = nullptr; }; class NextStmt : public Stmt { diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h index b853fc01b3..27729e56b7 100644 --- a/src/TunnelEncapsulation.h +++ b/src/TunnelEncapsulation.h 
@@ -94,6 +94,14 @@ public: ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) || (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr)); + if ( ec1.type == BifEnum::Tunnel::VXLAN ) + // Reversing endpoints is still same tunnel, destination port is + // always the same. + return ec1.dst_port == ec2.dst_port && + ec1.uid == ec2.uid && ec1.proto == ec2.proto && + ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) || + (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr)); + return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr && ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port && ec1.uid == ec2.uid && ec1.proto == ec2.proto; diff --git a/src/Type.cc b/src/Type.cc index 77a5ac6d16..0bc7d0e3fe 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -8,8 +8,8 @@ #include "Scope.h" #include "Serializer.h" #include "Reporter.h" -#include "broxygen/Manager.h" -#include "broxygen/utils.h" +#include "zeexygen/Manager.h" +#include "zeexygen/utils.h" #include #include @@ -190,7 +190,7 @@ void BroType::Describe(ODesc* d) const void BroType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(fmt(":bro:type:`%s`", type_name(Tag()))); + d->Add(fmt(":zeek:type:`%s`", type_name(Tag()))); } void BroType::SetError() @@ -478,7 +478,7 @@ void IndexType::Describe(ODesc* d) const void IndexType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); if ( IsSet() ) d->Add("set"); @@ -497,7 +497,7 @@ void IndexType::DescribeReST(ODesc* d, bool roles_only) const if ( ! t->GetName().empty() ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(t->GetName()); d->Add("`"); } @@ -513,7 +513,7 @@ void IndexType::DescribeReST(ODesc* d, bool roles_only) const if ( ! yield_type->GetName().empty() ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(yield_type->GetName()); d->Add("`"); } 
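Review bot: The VXLAN branch compares dst_port but deliberately not src_port, so two VXLAN encapsulations between the same hosts that differ only in UDP source port are treated as the same tunnel; that is consistent with VXLAN using the source port as inner-flow entropy, but the comment only says the destination port is always the same and never states that the source port is ignored on purpose. I would extend it to `// Reversing endpoints is still the same tunnel: the destination port is fixed and the source port carries per-inner-flow entropy, so only dst_port is compared.` The branch immediately above appears to use the same address-symmetric expression; if it differs only in its port terms, a shared condition would avoid the duplication. The enclosing operator== starts outside the hunk.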
@@ -800,7 +800,7 @@ void FuncType::Describe(ODesc* d) const void FuncType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(FlavorString()); d->Add("`"); d->Add(" ("); @@ -813,7 +813,7 @@ void FuncType::DescribeReST(ODesc* d, bool roles_only) const if ( ! yield->GetName().empty() ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(yield->GetName()); d->Add("`"); } @@ -957,7 +957,7 @@ void TypeDecl::DescribeReST(ODesc* d, bool roles_only) const if ( ! type->GetName().empty() ) { - d->Add(":bro:type:`"); + d->Add(":zeek:type:`"); d->Add(type->GetName()); d->Add("`"); } @@ -1073,7 +1073,7 @@ void RecordType::Describe(ODesc* d) const void RecordType::DescribeReST(ODesc* d, bool roles_only) const { d->PushType(this); - d->Add(":bro:type:`record`"); + d->Add(":zeek:type:`record`"); if ( num_fields == 0 ) return; @@ -1197,8 +1197,8 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const if ( func_args ) continue; - using broxygen::IdentifierInfo; - IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo(GetName()); + using zeexygen::IdentifierInfo; + IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo(GetName()); if ( ! doc ) { @@ -1217,7 +1217,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const field_from_script != type_from_script ) { d->PushIndent(); - d->Add(broxygen::redef_indication(field_from_script).c_str()); + d->Add(zeexygen::redef_indication(field_from_script).c_str()); d->PopIndent(); } @@ -1237,7 +1237,7 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const { string s = cmnts[i]; - if ( broxygen::prettify_params(s) ) + if ( zeexygen::prettify_params(s) ) d->NL(); d->Add(s.c_str()); 
@@ -1405,7 +1405,7 @@ void OpaqueType::Describe(ODesc* d) const void OpaqueType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(fmt(":bro:type:`%s` of %s", type_name(Tag()), name.c_str())); + d->Add(fmt(":zeek:type:`%s` of %s", type_name(Tag()), name.c_str())); } IMPLEMENT_SERIAL(OpaqueType, SER_OPAQUE_TYPE); @@ -1505,12 +1505,12 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name, if ( deprecated ) id->MakeDeprecated(); - broxygen_mgr->Identifier(id); + zeexygen_mgr->Identifier(id); } else { // We allow double-definitions if matching exactly. This is so that - // we can define an enum both in a *.bif and *.bro for avoiding + // we can define an enum both in a *.bif and *.zeek for avoiding // cyclic dependencies. string fullname = make_full_var_name(module_name.c_str(), name); if ( id->Name() != fullname @@ -1597,7 +1597,7 @@ EnumVal* EnumType::GetVal(bro_int_t i) void EnumType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(":bro:type:`enum`"); + d->Add(":zeek:type:`enum`"); // Create temporary, reverse name map so that enums can be documented // in ascending order of their actual integral value instead of by name. @@ -1614,12 +1614,12 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const d->PushIndent(); if ( roles_only ) - d->Add(fmt(":bro:enum:`%s`", it->second.c_str())); + d->Add(fmt(":zeek:enum:`%s`", it->second.c_str())); else - d->Add(fmt(".. bro:enum:: %s %s", it->second.c_str(), GetName().c_str())); + d->Add(fmt(".. zeek:enum:: %s %s", it->second.c_str(), GetName().c_str())); - using broxygen::IdentifierInfo; - IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo(it->second); + using zeexygen::IdentifierInfo; + IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo(it->second); if ( ! doc ) { 
@@ -1634,7 +1634,7 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const if ( doc->GetDeclaringScript() ) enum_from_script = doc->GetDeclaringScript()->Name(); - IdentifierInfo* type_doc = broxygen_mgr->GetIdentifierInfo(GetName()); + IdentifierInfo* type_doc = zeexygen_mgr->GetIdentifierInfo(GetName()); if ( type_doc && type_doc->GetDeclaringScript() ) type_from_script = type_doc->GetDeclaringScript()->Name(); @@ -1644,7 +1644,7 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const { d->NL(); d->PushIndent(); - d->Add(broxygen::redef_indication(enum_from_script).c_str()); + d->Add(zeexygen::redef_indication(enum_from_script).c_str()); d->PopIndent(); } @@ -1818,12 +1818,12 @@ void VectorType::Describe(ODesc* d) const void VectorType::DescribeReST(ODesc* d, bool roles_only) const { - d->Add(fmt(":bro:type:`%s` of ", type_name(Tag()))); + d->Add(fmt(":zeek:type:`%s` of ", type_name(Tag()))); if ( yield_type->GetName().empty() ) yield_type->DescribeReST(d, roles_only); else - d->Add(fmt(":bro:type:`%s`", yield_type->GetName().c_str())); + d->Add(fmt(":zeek:type:`%s`", yield_type->GetName().c_str())); } BroType* base_type_no_ref(TypeTag tag) diff --git a/src/Val.cc b/src/Val.cc index a96d2b098e..340cef6bb5 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -425,7 +425,7 @@ Val* Val::SizeVal() const return val_mgr->GetCount(val.uint_val); case TYPE_INTERNAL_DOUBLE: - return new Val(fabs(val.double_val), type->Tag()); + return new Val(fabs(val.double_val), TYPE_DOUBLE); case TYPE_INTERNAL_OTHER: if ( type->Tag() == TYPE_FUNC ) @@ -2319,7 +2319,7 @@ void TableVal::DoExpire(double t) if ( v->ExpireAccessTime() == 0 ) { // This happens when we insert val while network_time - // hasn't been initialized yet (e.g. in bro_init()), and + // hasn't been initialized yet (e.g. in zeek_init()), and // also when bro_start_network_time hasn't been initialized // (e.g. before first packet). The expire_access_time is // correct, so we just need to wait. 
diff --git a/src/WeirdState.cc b/src/WeirdState.cc
new file mode 100644
index 0000000000..1f1407a1d2
--- /dev/null
+++ b/src/WeirdState.cc
@@ -0,0 +1,30 @@
+#include "WeirdState.h"
+#include "Net.h"
+
+bool PermitWeird(WeirdStateMap& wsm, const char* name, uint64_t threshold,
+ uint64_t rate, double duration)
+ {
+ auto& state = wsm[name];
+ ++state.count;
+
+ if ( state.count <= threshold )
+ return true;
+
+ if ( state.count == threshold + 1)
+ state.sampling_start_time = network_time;
+ else
+ {
+ if ( network_time > state.sampling_start_time + duration )
+ {
+ state.sampling_start_time = 0;
+ state.count = 1;
+ return true;
+ }
+ }
+
+ auto num_above_threshold = state.count - threshold;
+ if ( rate )
+ return num_above_threshold % rate == 0;
+ else
+ return false;
+ }
diff --git a/src/WeirdState.h b/src/WeirdState.h
new file mode 100644
index 0000000000..64dc2bb4b2
--- /dev/null
+++ b/src/WeirdState.h
@@ -0,0 +1,21 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef WEIRDSTATE_H
+#define WEIRDSTATE_H
+
+#include
+#include
+
+struct WeirdState {
+ WeirdState() { count = 0; sampling_start_time = 0; }
+ uint64_t count = 0;
+ double sampling_start_time = 0;
+};
+
+using WeirdStateMap = std::unordered_map;
+
+bool PermitWeird(WeirdStateMap& wsm, const char* name, uint64_t threshold,
+ uint64_t rate, double duration);
+
+#endif // WEIRDSTATE_H
+
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index 1fe0dc82bf..818dd917e8 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -223,7 +223,7 @@ void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, uint64 seq,
 }
 catch ( binpac::Exception const &e )
 {
- Weird(e.c_msg());
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
 }
 }
 }
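Review bot: PermitWeird has no comment describing the sampling contract, and a caller cannot infer it from the signature: the first `threshold` occurrences of `name` are permitted, the (threshold+1)-th starts a window of `duration` seconds during which only every `rate`-th excess occurrence is permitted (none at all when `rate` is 0), and once the window has elapsed the counter is reset so the next occurrence is permitted again. A header comment stating exactly that, including the `rate == 0` behaviour, belongs above the definition. The map key type is not visible on this page (template arguments were stripped); keying by `const char*` would compare pointers rather than names, so it should be `std::string` or use a transparent comparator. Every distinct name also leaves a permanent entry in `wsm`, which is acceptable only as long as weird names stay fixed strings, as the other hunks in this commit enforce.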
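Review bot: WeirdState declares a user-provided constructor that merely repeats the default member initializers on the two lines below it, which makes the struct non-trivially-constructible for no gain. Either drop the constructor or write `WeirdState() = default;` and keep the `= 0` initializers. The two `#include` lines appear without their header names on this page, so I could not check that the headers supplying uint64_t and std::unordered_map are the ones pulled in.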
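Review bot: Replacing Weird with ProtocolViolation for a binpac exception changes what can happen to the connection, not just what gets logged: a protocol violation may lead script-side policy to disable the analyzer for that connection, so a single malformed message can now end analysis where before only a weird was recorded. The same change is made in the NextStream and NextUndelivered hunks that follow. A comment such as `// A binpac parse failure is treated as a protocol violation; scripts may disable the analyzer in response.` would document the intent, and since the three catch blocks are now identical, a small private helper would keep the message format in one place. NextPacket starts outside the hunk.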
@@ -246,7 +246,7 @@ void Analyzer::NextStream(int len, const u_char* data, bool is_orig) } catch ( binpac::Exception const &e ) { - Weird(e.c_msg()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } } @@ -269,7 +269,7 @@ void Analyzer::NextUndelivered(uint64 seq, int len, bool is_orig) } catch ( binpac::Exception const &e ) { - Weird(e.c_msg()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } } diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 286c5eee9f..c7e156b41e 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -96,12 +96,24 @@ void Manager::InitPreScript() void Manager::InitPostScript() { + auto id = global_scope()->Lookup("Tunnel::vxlan_ports"); + + if ( ! (id && id->ID_Val()) ) + reporter->FatalError("Tunnel::vxlan_ports not defined"); + + auto table_val = id->ID_Val()->AsTableVal(); + auto port_list = table_val->ConvertToPureList(); + + for ( auto i = 0; i < port_list->Length(); ++i ) + vxlan_ports.emplace_back(port_list->Index(i)->AsPortVal()->Port()); + + Unref(port_list); } void Manager::DumpDebug() { #ifdef DEBUG - DBG_LOG(DBG_ANALYZER, "Available analyzers after bro_init():"); + DBG_LOG(DBG_ANALYZER, "Available analyzers after zeek_init():"); list all_analyzers = GetComponents(); for ( list::const_iterator i = all_analyzers.begin(); i != all_analyzers.end(); ++i ) DBG_LOG(DBG_ANALYZER, " %s (%s)", (*i)->Name().c_str(), diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index d341940e7d..8f6d982394 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -22,6 +22,7 @@ #define ANALYZER_MANAGER_H #include +#include #include "Analyzer.h" #include "Component.h" 
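Review bot: The values read from Tunnel::vxlan_ports in InitPostScript are reduced to bare port numbers with `AsPortVal()->Port()`, so a TCP port placed in the table by a redef is silently accepted even though GetVxlanPorts() is documented as returning UDP ports. Checking the protocol at load time and reporting a bad entry keeps a misconfiguration from quietly widening what is treated as VXLAN. I would also add a comment on the FatalError explaining that the table is expected to be defined by the base scripts.
```cpp
	for ( auto i = 0; i < port_list->Length(); ++i )
		{
		auto pv = port_list->Index(i)->AsPortVal();

		// Only UDP ports make sense for VXLAN; flag anything else so a
		// bad redef is noticed rather than silently honored.
		if ( ! pv->IsUDP() )
			{
			reporter->Warning("Tunnel::vxlan_ports: ignoring non-UDP port");
			continue;
			}

		vxlan_ports.emplace_back(pv->Port());
		}
	// … unchanged: Unref(port_list) …
```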
@@ -77,10 +78,10 @@ public: /** * Dumps out the state of all registered analyzers to the \c analyzer - * debug stream. Should be called only after any \c bro_init events + * debug stream. Should be called only after any \c zeek_init events * have executed to ensure that any of their changes are applied. */ - void DumpDebug(); // Called after bro_init() events. + void DumpDebug(); // Called after zeek_init() events. /** * Enables an analyzer type. Only enabled analyzers will be @@ -335,6 +336,12 @@ public: void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, Val* analyzer, double timeout); + /** + * @return the UDP port numbers to be associated with VXLAN traffic. + */ + const std::vector& GetVxlanPorts() const + { return vxlan_ports; } + private: typedef set tag_set; typedef map analyzer_map_by_port; @@ -390,6 +397,7 @@ private: conns_map conns; conns_queue conns_by_timeout; + std::vector vxlan_ports; }; } diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index ff34d243e8..882ba23da9 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -47,5 +47,6 @@ add_subdirectory(syslog) add_subdirectory(tcp) add_subdirectory(teredo) add_subdirectory(udp) +add_subdirectory(vxlan) add_subdirectory(xmpp) add_subdirectory(zip) diff --git a/src/analyzer/protocol/arp/events.bif b/src/analyzer/protocol/arp/events.bif index efee33d7f4..e12d0acd1c 100644 --- a/src/analyzer/protocol/arp/events.bif +++ b/src/analyzer/protocol/arp/events.bif @@ -15,7 +15,7 @@ ## ## THA: The target hardware address. ## -## .. bro:see:: arp_reply bad_arp +## .. zeek:see:: arp_reply bad_arp event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string%); 
@@ -36,7 +36,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, ## ## THA: The target hardware address. ## -## .. bro:see:: arp_request bad_arp +## .. zeek:see:: arp_request bad_arp event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string%); @@ -54,7 +54,7 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, ## ## explanation: A short description of why the ARP packet is considered "bad". ## -## .. bro:see:: arp_reply arp_request +## .. zeek:see:: arp_reply arp_request ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc index fd2d5fa914..652d3d120c 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -126,6 +126,4 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) vl->append(new StringVal(msg)); ConnectionEvent(bittorrent_peer_weird, vl); } - else - Weird(msg); } diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index 0a3cda37fd..54cac790fb 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -253,8 +253,6 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig) vl->append(new StringVal(msg)); ConnectionEvent(bt_tracker_weird, vl); } - else - Weird(msg); } bool BitTorrentTracker_Analyzer::ParseRequest(char* line) 
@@ -326,8 +324,11 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line) case BTT_REQ_DONE: if ( *line ) - DeliverWeird(fmt("Got post request data: %s\n", line), - true); + { + auto msg = fmt("Got post request data: %s\n", line); + Weird("bittorrent_tracker_data_post_request", msg); + DeliverWeird(msg, true); + } break; default: diff --git a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac index c3ba226908..232f4a9bd1 100644 --- a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac +++ b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac @@ -40,7 +40,6 @@ flow BitTorrent_Flow(is_orig: bool) { if ( pstrlen != 19 || memcmp("BitTorrent protocol", pstr.begin(), 19) ) { - connection()->bro_analyzer()->Weird(fmt("BitTorrent: invalid handshake (pstrlen: %hhu, pstr: %.*s)", pstrlen, 19, pstr.begin())); throw Exception("invalid handshake"); } diff --git a/src/analyzer/protocol/bittorrent/events.bif b/src/analyzer/protocol/bittorrent/events.bif index 8c4ddc146f..d86b497437 100644 --- a/src/analyzer/protocol/bittorrent/events.bif +++ b/src/analyzer/protocol/bittorrent/events.bif @@ -3,7 +3,7 @@ ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive ## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown 
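Review bot: `msg` is a pointer into the buffer that fmt() returns, and as far as I can tell that is a shared static buffer reused by the next fmt() call in this codebase; if Weird() or anything beneath it formats a string before DeliverWeird runs, `msg` is silently overwritten. Copying first avoids the aliasing: `std::string msg = fmt("Got post request data: %s\n", line);` and then pass `msg.c_str()` to both calls. ParseRequest starts and ends outside the hunk.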
@@ -16,7 +16,7 @@ event bittorrent_peer_handshake%(c: connection, is_orig: bool, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown @@ -28,7 +28,7 @@ event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke @@ -40,7 +40,7 @@ event bittorrent_peer_choke%(c: connection, is_orig: bool%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request 
@@ -52,7 +52,7 @@ event bittorrent_peer_unchoke%(c: connection, is_orig: bool%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive ## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown @@ -64,7 +64,7 @@ event bittorrent_peer_interested%(c: connection, is_orig: bool%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown @@ -76,7 +76,7 @@ event bittorrent_peer_not_interested%(c: connection, is_orig: bool%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive ## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown 
@@ -88,7 +88,7 @@ event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake +## .. zeek:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake ## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive ## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown @@ -100,7 +100,7 @@ event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%) ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown @@ -113,7 +113,7 @@ event bittorrent_peer_request%(c: connection, is_orig: bool, index: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown 
@@ -126,7 +126,7 @@ event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke @@ -139,7 +139,7 @@ event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown @@ -151,7 +151,7 @@ event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke 
@@ -164,7 +164,7 @@ event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke @@ -176,7 +176,7 @@ event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%); ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke @@ -189,7 +189,7 @@ event bt_tracker_request%(c: connection, uri: string, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke 
@@ -204,7 +204,7 @@ event bt_tracker_response%(c: connection, status: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke @@ -217,7 +217,7 @@ event bt_tracker_response_not_ok%(c: connection, status: count, ## See `Wikipedia `__ for ## more information about the BitTorrent protocol. ## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested ## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece ## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke diff --git a/src/analyzer/protocol/conn-size/events.bif b/src/analyzer/protocol/conn-size/events.bif index 38b263db57..9b1007ec3b 100644 --- a/src/analyzer/protocol/conn-size/events.bif +++ b/src/analyzer/protocol/conn-size/events.bif @@ -8,7 +8,7 @@ ## ## is_orig: true if the threshold was crossed by the originator of the connection ## -## .. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed +## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed ## get_current_conn_bytes_threshold get_current_conn_packets_threshold event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bool%); 
@@ -22,6 +22,6 @@ event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bo ## ## is_orig: true if the threshold was crossed by the originator of the connection ## -## .. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed +## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed ## get_current_conn_bytes_threshold get_current_conn_packets_threshold event conn_packets_threshold_crossed%(c: connection, threshold: count, is_orig: bool%); diff --git a/src/analyzer/protocol/conn-size/functions.bif b/src/analyzer/protocol/conn-size/functions.bif index d4ad045da7..9dc91bb722 100644 --- a/src/analyzer/protocol/conn-size/functions.bif +++ b/src/analyzer/protocol/conn-size/functions.bif @@ -26,7 +26,7 @@ static analyzer::Analyzer* GetConnsizeAnalyzer(Val* cid) ## ## is_orig: If true, threshold is set for bytes from originator, otherwhise for bytes from responder. ## -## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed +## .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed ## get_current_conn_bytes_threshold get_current_conn_packets_threshold function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool %{ 
@@ -49,7 +49,7 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or ## ## is_orig: If true, threshold is set for packets from originator, otherwhise for packets from responder. ## -## .. bro:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed +## .. zeek:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed ## get_current_conn_bytes_threshold get_current_conn_packets_threshold function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool %{ @@ -70,7 +70,7 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_ ## ## Returns: 0 if no threshold is set or the threshold in bytes ## -## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed +## .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed ## get_current_conn_packets_threshold function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count %{ @@ -89,7 +89,7 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count ## ## Returns: 0 if no threshold is set or the threshold in packets ## -## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed +## .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed ## get_current_conn_bytes_threshold function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): count %{ diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac index d776f6fec2..44648e35f0 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac 
@@ -43,7 +43,7 @@ refine connection DCE_RPC_Conn += { ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig); break; default: - bro_analyzer()->Weird(fmt("unknown_dce_rpc_auth_type_%d",${auth.type})); + bro_analyzer()->Weird("unknown_dce_rpc_auth_type", fmt("%d", ${auth.type})); break; } diff --git a/src/analyzer/protocol/dce-rpc/events.bif b/src/analyzer/protocol/dce-rpc/events.bif index 1e4a4e0d51..1f2b61255c 100644 --- a/src/analyzer/protocol/dce-rpc/events.bif +++ b/src/analyzer/protocol/dce-rpc/events.bif @@ -12,7 +12,7 @@ ## ## ptype: Enum representation of the prodecure type of the message. ## -## .. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response +## .. zeek:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message. @@ -33,7 +33,7 @@ event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count ## ## ver_minor: The minor version of the endpoint being requested. ## -## .. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response +## .. zeek:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response event dce_rpc_bind%(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message. 
@@ -54,7 +54,7 @@ event dce_rpc_bind%(c: connection, fid: count, ctx_id: count, uuid: string, ver_ ## ## ver_minor: The minor version of the endpoint being requested. ## -## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp +## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp event dce_rpc_alter_context%(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message. @@ -67,7 +67,7 @@ event dce_rpc_alter_context%(c: connection, fid: count, ctx_id: count, uuid: str ## ## sec_addr: Secondary address for the ack. ## -## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response +## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message. @@ -78,7 +78,7 @@ event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%); ## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was ## not transported over a pipe. ## -## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context +## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context event dce_rpc_alter_context_resp%(c: connection, fid: count%); ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message. 
@@ -95,7 +95,7 @@ event dce_rpc_alter_context_resp%(c: connection, fid: count%);
 ##
 ## stub_len: Length of the data for the request.
 ##
-## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
+## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
 event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);
 
 ## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
@@ -112,5 +112,5 @@ event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, s
 ##
 ## stub_len: Length of the data for the response.
 ##
-## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
+## .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
 event dce_rpc_response%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);
diff --git a/src/analyzer/protocol/dnp3/dnp3-protocol.pac b/src/analyzer/protocol/dnp3/dnp3-protocol.pac
index 7e1e7ad1af..154fdc8be3 100644
--- a/src/analyzer/protocol/dnp3/dnp3-protocol.pac
+++ b/src/analyzer/protocol/dnp3/dnp3-protocol.pac
@@ -73,7 +73,7 @@ type DNP3_Response = record {
 default -> unknown: Debug_Byte;
 };
 } &byteorder = bigendian
-&length= 9 + addin_header.len - 5 - 1'
+&length= 9 + addin_header.len - 5 - 1;
 
 type DNP3_Application_Request_Header = record {
 empty: bytestring &length = 0; # Work-around BinPAC problem.
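Review bot: The `&length` attribute on the `+` line of the DNP3_Response hunk is computed from `addin_header.len`, a value read from the wire, and the constants `9`, `5` and `1` carry no explanation, so a reader cannot tell what byte count the expression is meant to yield or whether a small `len` is rejected. Unless binpac silently tolerated the trailing `'` on the old line, this attribute can hardly have been exercised as written, so the arithmetic deserves a comment and a DNP3 response trace in the test suite before it is trusted, e.g. `&length = 9 + addin_header.len - 5 - 1; # TODO(review): document what 9, 5 and 1 account for in the link-layer length field`. Whether binpac's bounds check on `&length` raises a parse exception for an undersized `len` is not visible here and should be confirmed. The `DNP3_Response` record begins outside the hunk.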
@@ -117,7 +117,7 @@ type Response_Objects(function_code: uint8) = record {
 0x0301 -> diwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ];
 0x0a01 -> bowoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )];
 0x0c03 -> bocmd_PM: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )];
-default -> ojbects: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item];
+default -> objects: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item];
 };
 };
 
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index 6fe741d4d9..1113ca2687 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -13,7 +13,7 @@
 ##
 ## len: The length of the message's raw representation (i.e., the DNS payload).
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
 ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -40,7 +40,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
 ##
 ## qclass: The queried resource record class.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
 ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -69,7 +69,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 ##
 ## qclass: The queried resource record class.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
 ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -95,7 +95,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
 ##
 ## qclass: The queried resource record class.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
 ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -121,7 +121,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
 ##
 ## a: The address returned by the reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
+## .. zeek:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
 ## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
 ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -146,7 +146,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ##
 ## a: The address returned by the reply.
 ##
-## .. bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+## .. zeek:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
 ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@@ -171,7 +171,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ##
 ## a: The address returned by the reply.
 ##
-## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+## .. zeek:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
 ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@@ -196,7 +196,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ##
 ## name: The name returned by the reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
 ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -221,7 +221,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
 ##
 ## name: The name returned by the reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
 ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@@ -246,7 +246,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
 ##
 ## name: The name returned by the reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
 ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -271,7 +271,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
 ##
 ## soa: The parsed SOA value.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
 ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -294,7 +294,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -317,7 +317,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
 ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@@ -344,7 +344,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## preference: The preference for *name* specified by the reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
 ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -369,7 +369,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ##
 ## strs: The textual information returned by the reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -423,7 +423,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 ## p: Port of the SRV response -- the TCP or UDP port on which the
 ## service is to be found.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -442,7 +442,7 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: strin
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_SRV_reply dns_end
 event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
@@ -461,7 +461,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## ans: The parsed EDNS reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
 ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
 ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
@@ -484,7 +484,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ##
 ## ans: The parsed TSIG reply.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -573,7 +573,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
 ##
 ## msg: The parsed DNS message header.
 ##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
 ## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
diff --git a/src/analyzer/protocol/finger/events.bif b/src/analyzer/protocol/finger/events.bif
index e495263b12..d1b9212c22 100644
--- a/src/analyzer/protocol/finger/events.bif
+++ b/src/analyzer/protocol/finger/events.bif
@@ -11,7 +11,7 @@
 ##
 ## hostname: The request's host name.
 ##
-## .. bro:see:: finger_reply
+## .. zeek:see:: finger_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -28,7 +28,7 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str
 ##
 ## reply_line: The reply as returned by the server
 ##
-## .. bro:see:: finger_request
+## .. zeek:see:: finger_request
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
diff --git a/src/analyzer/protocol/ftp/events.bif b/src/analyzer/protocol/ftp/events.bif
index 16faa417d3..6cc2317936 100644
--- a/src/analyzer/protocol/ftp/events.bif
+++ b/src/analyzer/protocol/ftp/events.bif
@@ -9,7 +9,7 @@
 ##
 ## arg: The arguments going with the command.
 ##
-## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
+## .. zeek:see:: ftp_reply fmt_ftp_port parse_eftp_port
 ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
 event ftp_request%(c: connection, command: string, arg: string%);
 
@@ -29,7 +29,7 @@ event ftp_request%(c: connection, command: string, arg: string%);
 ## to reassemble the pieces before processing the response any
 ## further.
 ##
-## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
+## .. zeek:see:: ftp_request fmt_ftp_port parse_eftp_port
 ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
 event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%);
 
diff --git a/src/analyzer/protocol/ftp/functions.bif b/src/analyzer/protocol/ftp/functions.bif
index 20c26b7c57..ad9c89fadb 100644
--- a/src/analyzer/protocol/ftp/functions.bif
+++ b/src/analyzer/protocol/ftp/functions.bif
@@ -117,20 +117,20 @@ static Val* parse_eftp(const char* line)
 %%}
 
 ## Converts a string representation of the FTP PORT command to an
-## :bro:type:`ftp_port`.
+## :zeek:type:`ftp_port`.
 ##
 ## s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``.
 ##
 ## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
 ##
-## .. bro:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
+## .. zeek:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
 function parse_ftp_port%(s: string%): ftp_port
 %{
 return parse_port(s->CheckString());
 %}
 
 ## Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
-## to an :bro:type:`ftp_port`. The format is
+## to an :zeek:type:`ftp_port`. The format is
 ## ``"EPRT"``,
 ## where ```` is a delimiter in the ASCII range 33-126 (usually ``|``).
 ##
@@ -138,19 +138,19 @@ function parse_ftp_port%(s: string%): ftp_port
 ##
 ## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
 ##
-## .. bro:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
+## .. zeek:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
 function parse_eftp_port%(s: string%): ftp_port
 %{
 return parse_eftp(s->CheckString());
 %}
 
-## Converts the result of the FTP PASV command to an :bro:type:`ftp_port`.
+## Converts the result of the FTP PASV command to an :zeek:type:`ftp_port`.
 ##
 ## str: The string containing the result of the FTP PASV command.
 ##
 ## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
 ##
-## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
+## .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
 function parse_ftp_pasv%(str: string%): ftp_port
 %{
 const char* s = str->CheckString();
@@ -170,14 +170,14 @@ function parse_ftp_pasv%(str: string%): ftp_port
 %}
 
 ## Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
-## :bro:type:`ftp_port`. The format is ``" ()"``,
+## :zeek:type:`ftp_port`. The format is ``" ()"``,
 ## where ```` is a delimiter in the ASCII range 33-126 (usually ``|``).
 ##
 ## str: The string containing the result of the FTP EPSV command.
 ##
 ## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
 ##
-## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
+## .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
 function parse_ftp_epsv%(str: string%): ftp_port
 %{
 const char* s = str->CheckString();
@@ -196,7 +196,7 @@ function parse_ftp_epsv%(str: string%): ftp_port
 ##
 ## Returns: The FTP PORT string.
 ##
-## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
+## .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
 function fmt_ftp_port%(a: addr, p: port%): string
 %{
 const uint32* addr;
diff --git a/src/analyzer/protocol/gnutella/events.bif b/src/analyzer/protocol/gnutella/events.bif
index 9384f34e88..f09b0890c7 100644
--- a/src/analyzer/protocol/gnutella/events.bif
+++ b/src/analyzer/protocol/gnutella/events.bif
@@ -3,7 +3,7 @@
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
 ##
 ##
@@ -18,7 +18,7 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
+## .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
 ## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -35,7 +35,7 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ## gnutella_not_establish gnutella_signature_found gnutella_text_msg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -50,7 +50,7 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool,
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
+## .. zeek:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
 ## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -64,7 +64,7 @@ event gnutella_establish%(c: connection%);
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
@@ -78,7 +78,7 @@ event gnutella_not_establish%(c: connection%);
 ## See `Wikipedia `__ for more
 ## information about the Gnutella protocol.
 ##
-## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
+## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
 ## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
index 37b7cee0b1..6cf9439363 100644
--- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
+++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
@@ -319,7 +319,7 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
 rv->Assign(21, BuildPrivateExt(ie));
 break;
 default:
-a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
 break;
 }
 }
@@ -388,7 +388,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
 rv->Assign(12, BuildPrivateExt(ie));
 break;
 default:
-a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
 break;
 }
 }
@@ -466,7 +466,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
 rv->Assign(15, BuildEndUserAddr(ie));
 break;
 default:
-a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
 break;
 }
 }
@@ -526,7 +526,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
 rv->Assign(9, BuildPrivateExt(ie));
 break;
 default:
-a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
 break;
 }
 }
@@ -560,7 +560,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
 rv->Assign(2, BuildPrivateExt(ie));
 break;
 default:
-a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
 break;
 }
 }
@@ -591,7 +591,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
 rv->Assign(1, BuildPrivateExt(ie));
 break;
 default:
-a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));
 break;
 }
 }
diff --git a/src/analyzer/protocol/http/events.bif b/src/analyzer/protocol/http/events.bif
index ab005ba8d6..f86ee09ccd 100644
--- a/src/analyzer/protocol/http/events.bif
+++ b/src/analyzer/protocol/http/events.bif
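Review bot: The `default:` branch is now the identical statement `a->Weird("gtp_invalid_info_element", fmt("%d", (*v)[i]->type()));` in six functions (this hunk and the five GTPv1 hunks around it), so any future change to the weird name or its detail format has to be repeated six times and is easy to get out of step. A small file-local helper, e.g. `static void InvalidIE(const BroAnalyzer& a, int type) { a->Weird("gtp_invalid_info_element", fmt("%d", type)); }`, called as `InvalidIE(a, (*v)[i]->type());`, would keep them consistent. Each enclosing function starts outside its hunk, and the return type of `type()` is not visible here, so the helper's parameter type should be matched against it rather than assumed to be `int`.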
@@ -2,7 +2,7 @@
 ## Generated for HTTP requests. Bro supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues. This event is generated as soon as a request's initial line has
-## been parsed, and before any :bro:id:`http_header` events are raised.
+## been parsed, and before any :zeek:id:`http_header` events are raised.
 ##
 ## See `Wikipedia `__
 ## for more information about the HTTP protocol.
@@ -17,7 +17,7 @@
 ##
 ## version: The version number specified in the request (e.g., ``1.1``).
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_event http_header http_message_done http_reply http_stats
 ## truncate_http_URI http_connection_upgrade
 event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
@@ -25,7 +25,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
 ## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues. This event is generated as soon as a reply's initial line has
-## been parsed, and before any :bro:id:`http_header` events are raised.
+## been parsed, and before any :zeek:id:`http_header` events are raised.
 ##
 ## See `Wikipedia `__
 ## for more information about the HTTP protocol.
@@ -38,7 +38,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
 ##
 ## reason: The textual description returned by the server along with *code*.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_event http_header http_message_done http_request
 ## http_stats http_connection_upgrade
 event http_reply%(c: connection, version: string, code: count, reason: string%);
@@ -58,7 +58,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
 ##
 ## value: The value of the header.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_event http_message_done http_reply http_request
 ## http_stats http_connection_upgrade
 ##
@@ -81,7 +81,7 @@ event http_header%(c: connection, is_orig: bool, name: string, value: string%);
 ## The table is indexed by the position of the header (1 for the first,
 ## 2 for the second, etc.).
 ##
-## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data
+## .. zeek:see:: http_begin_entity http_content_type http_end_entity http_entity_data
 ## http_event http_header http_message_done http_reply http_request http_stats
 ## http_connection_upgrade
 ##
@@ -103,7 +103,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
 ## is_orig: True if the entity was sent by the originator of the TCP
 ## connection.
 ##
-## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data
+## .. zeek:see:: http_all_headers http_content_type http_end_entity http_entity_data
 ## http_event http_header http_message_done http_reply http_request http_stats
 ## mime_begin_entity http_connection_upgrade
 event http_begin_entity%(c: connection, is_orig: bool%);
@@ -122,7 +122,7 @@ event http_begin_entity%(c: connection, is_orig: bool%);
 ## is_orig: True if the entity was sent by the originator of the TCP
 ## connection.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_entity_data
 ## http_event http_header http_message_done http_reply http_request
 ## http_stats mime_end_entity http_connection_upgrade
 event http_end_entity%(c: connection, is_orig: bool%);
@@ -134,7 +134,7 @@ event http_end_entity%(c: connection, is_orig: bool%);
 ## A common idiom for using this event is to first *reassemble* the data
 ## at the scripting layer by concatenating it to a successively growing
 ## string; and only perform further content analysis once the corresponding
-## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so
+## :zeek:id:`http_end_entity` event has been raised. Note, however, that doing so
 ## can be quite expensive for HTTP tranders. At the very least, one should
 ## impose an upper size limit on how much data is being buffered.
 ##
@@ -150,7 +150,7 @@ event http_end_entity%(c: connection, is_orig: bool%);
 ##
 ## data: One chunk of raw entity data.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_event http_header http_message_done http_reply http_request http_stats
 ## mime_entity_data http_entity_data_delivery_size skip_http_data
 ## http_connection_upgrade
@@ -173,7 +173,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
 ##
 ## subty: The subtype.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
+## .. zeek:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
 ## http_event http_header http_message_done http_reply http_request http_stats
 ## http_connection_upgrade
 ##
@@ -199,7 +199,7 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string
 ##
 ## stat: Further meta information about the message.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_event http_header http_reply http_request http_stats
 ## http_connection_upgrade
 event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%);
@@ -216,7 +216,7 @@ event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%)
 ##
 ## detail: Further more detailed description of the error.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_header http_message_done http_reply http_request
 ## http_stats mime_event http_connection_upgrade
 event http_event%(c: connection, event_type: string, detail: string%);
@@ -230,7 +230,7 @@ event http_event%(c: connection, event_type: string, detail: string%);
 ## stats: Statistics summarizing HTTP-level properties of the finished
 ## connection.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_event http_header http_message_done http_reply
 ## http_request http_connection_upgrade
 event http_stats%(c: connection, stats: http_stats_rec%);
@@ -243,7 +243,7 @@ event http_stats%(c: connection, stats: http_stats_rec%);
 ##
 ## protocol: The protocol to which the connection is switching.
 ##
-## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+## .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ## http_entity_data http_event http_header http_message_done http_reply
 ## http_request
 event http_connection_upgrade%(c: connection, protocol: string%);
diff --git a/src/analyzer/protocol/http/functions.bif b/src/analyzer/protocol/http/functions.bif
index 6ef6fecb81..ff4f0015b7 100644
--- a/src/analyzer/protocol/http/functions.bif
+++ b/src/analyzer/protocol/http/functions.bif
@@ -9,7 +9,7 @@
 ##
 ## is_orig: If true, the client data is skipped, and the server data otherwise.
 ##
-## .. bro:see:: skip_smtp_data
+## .. zeek:see:: skip_smtp_data
 function skip_http_entity_data%(c: connection, is_orig: bool%): any
 %{
 analyzer::ID id = mgr.CurrentAnalyzer();
diff --git a/src/analyzer/protocol/icmp/events.bif b/src/analyzer/protocol/icmp/events.bif
index bd55f17b27..ef7d2b7da5 100644
--- a/src/analyzer/protocol/icmp/events.bif
+++ b/src/analyzer/protocol/icmp/events.bif
@@ -12,10 +12,10 @@
 ## icmp: Additional ICMP-specific information augmenting the standard
 ## connection record *c*.
 ##
-## .. bro:see:: icmp_error_message icmp_sent_payload
+## .. zeek:see:: icmp_error_message icmp_sent_payload
 event icmp_sent%(c: connection, icmp: icmp_conn%);
 
-## The same as :bro:see:`icmp_sent` except containing the ICMP payload.
+## The same as :zeek:see:`icmp_sent` except containing the ICMP payload.
 ##
 ## c: The connection record for the corresponding ICMP flow.
 ##
@@ -24,7 +24,7 @@ event icmp_sent%(c: connection, icmp: icmp_conn%);
 ##
 ## payload: The payload of the ICMP message.
 ##
-## .. bro:see:: icmp_error_message icmp_sent_payload
+## .. zeek:see:: icmp_error_message icmp_sent_payload
 event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%);
 
 ## Generated for ICMP *echo request* messages.
@@ -45,7 +45,7 @@ event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%);
 ## payload: The message-specific data of the packet payload, i.e., everything
 ## after the first 8 bytes of the ICMP header.
 ##
-## .. bro:see:: icmp_echo_reply
+## .. zeek:see:: icmp_echo_reply
 event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
 
 ## Generated for ICMP *echo reply* messages.
@@ -66,7 +66,7 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
 ## payload: The message-specific data of the packet payload, i.e., everything
 ## after the first 8 bytes of the ICMP header.
 ##
-## .. bro:see:: icmp_echo_request
+## .. zeek:see:: icmp_echo_request
 event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
 
 ## Generated for all ICMPv6 error messages that are not handled
@@ -88,7 +88,7 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa
 ## context: A record with specifics of the original packet that the message
 ## refers to.
 ##
-## .. bro:see:: icmp_unreachable icmp_packet_too_big
+## .. zeek:see:: icmp_unreachable icmp_packet_too_big
 ## icmp_time_exceeded icmp_parameter_problem
 event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
 
@@ -112,7 +112,7 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
 ## includes only a partial IP header for some reason, no
 ## fields of *context* will be filled out.
 ##
-## .. bro:see:: icmp_error_message icmp_packet_too_big
+## .. zeek:see:: icmp_error_message icmp_packet_too_big
 ## icmp_time_exceeded icmp_parameter_problem
 event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
@@ -136,7 +136,7 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
 ## a partial IP header for some reason, no fields of *context* will
 ## be filled out.
 ##
-## .. bro:see:: icmp_error_message icmp_unreachable
+## .. zeek:see:: icmp_error_message icmp_unreachable
 ## icmp_time_exceeded icmp_parameter_problem
 event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
@@ -160,7 +160,7 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
 ## only a partial IP header for some reason, no fields of *context*
 ## will be filled out.
 ##
-## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
+## .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
 ## icmp_parameter_problem
 event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
@@ -184,7 +184,7 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
 ## includes only a partial IP header for some reason, no fields
 ## of *context* will be filled out.
 ##
-## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
+## .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
 ## icmp_time_exceeded
 event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
@@ -201,7 +201,7 @@ event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, conte
 ##
 ## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
 ##
-## .. bro:see:: icmp_router_advertisement
+## .. zeek:see:: icmp_router_advertisement
 ## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
 event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%);
@@ -239,7 +239,7 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_n
 ##
 ## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
 ##
-## .. bro:see:: icmp_router_solicitation
+## .. zeek:see:: icmp_router_solicitation
 ## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
 event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%);
@@ -258,7 +258,7 @@ event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit:
 ##
 ## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
 ##
-## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
+## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
 ## icmp_neighbor_advertisement icmp_redirect
 event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%);
@@ -284,7 +284,7 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, opt
 ##
 ## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
 ##
-## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
+## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
 ## icmp_neighbor_solicitation icmp_redirect
 event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%);
@@ -306,7 +306,7 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool,
 ##
 ## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
 ##
-## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
+## .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
 ## icmp_neighbor_solicitation icmp_neighbor_advertisement
 event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%);
diff --git a/src/analyzer/protocol/ident/events.bif b/src/analyzer/protocol/ident/events.bif
index 96a7f37a31..ecbf8efee8 100644
--- a/src/analyzer/protocol/ident/events.bif
+++ b/src/analyzer/protocol/ident/events.bif
@@ -9,7 +9,7 @@
 ##
 ## rport: The request's remote port.
 ##
-## .. bro:see:: ident_error ident_reply
+## .. zeek:see:: ident_error ident_reply
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -32,7 +32,7 @@ event ident_request%(c: connection, lport: port, rport: port%);
 ##
 ## system: The operating system returned by the reply.
 ##
-## .. bro:see:: ident_error ident_request
+## .. zeek:see:: ident_error ident_request
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -53,7 +53,7 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys
 ##
 ## line: The error description returned by the reply.
 ##
-## .. bro:see:: ident_reply ident_request
+## .. zeek:see:: ident_reply ident_request
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
diff --git a/src/analyzer/protocol/irc/events.bif b/src/analyzer/protocol/irc/events.bif
index be425817b2..d6af5fbae1 100644
--- a/src/analyzer/protocol/irc/events.bif
+++ b/src/analyzer/protocol/irc/events.bif
@@ -15,7 +15,7 @@
 ##
 ## arguments: The arguments for the command.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -23,7 +23,7 @@
 ##
 ## .. note:: This event is generated only for messages that originate
 ## at the client-side. Commands coming in from remote trigger
-## the :bro:id:`irc_message` event instead.
+## the :zeek:id:`irc_message` event instead.
 event irc_request%(c: connection, is_orig: bool, prefix: string,
 command: string, arguments: string%);
@@ -45,7 +45,7 @@ event irc_request%(c: connection, is_orig: bool, prefix: string,
 ##
 ## params: The reply's parameters.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -69,7 +69,7 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string,
 ##
 ## message: TODO.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -79,7 +79,7 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string,
 ##
 ## This event is generated only for messages that are forwarded by the server
 ## to the client. Commands coming from client trigger the
-## :bro:id:`irc_request` event instead.
+## :zeek:id:`irc_request` event instead.
 event irc_message%(c: connection, is_orig: bool, prefix: string,
 command: string, message: string%);
@@ -98,7 +98,7 @@ event irc_message%(c: connection, is_orig: bool, prefix: string,
 ##
 ## message: The text included with the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -122,7 +122,7 @@ event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: str
 ##
 ## message: The text of communication.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -147,7 +147,7 @@ event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
 ##
 ## message: The text of communication.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_oper_message irc_oper_response irc_part_message
@@ -172,7 +172,7 @@ event irc_notice_message%(c: connection, is_orig: bool, source: string,
 ##
 ## message: The text of communication.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -193,7 +193,7 @@ event irc_squery_message%(c: connection, is_orig: bool, source: string,
 ##
 ## info_list: The user information coming with the command.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
 ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -217,7 +217,7 @@ event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%)
 ##
 ## message: The text coming with the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -240,7 +240,7 @@ event irc_part_message%(c: connection, is_orig: bool, nick: string,
 ##
 ## newnick: The new nickname.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -257,7 +257,7 @@ event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: stri
 ## is_orig: True if the command was sent by the originator of the TCP
 ## connection.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invite_message irc_join_message irc_kick_message
 ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -280,7 +280,7 @@ event irc_invalid_nick%(c: connection, is_orig: bool%);
 ##
 ## servers: The number of servers as returned in the reply.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -304,7 +304,7 @@ event irc_network_info%(c: connection, is_orig: bool, users: count,
 ##
 ## servers: The number of servers as returned in the reply.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -324,7 +324,7 @@ event irc_server_info%(c: connection, is_orig: bool, users: count,
 ##
 ## chans: The number of channels as returned in the reply.
 ##
-## .. bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users
+## .. zeek:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users
 ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
 ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -359,7 +359,7 @@ event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
 ##
 ## real_name: The real name.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -386,7 +386,7 @@ event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
 ##
 ## users: The set of users.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -406,7 +406,7 @@ event irc_names_info%(c: connection, is_orig: bool, c_type: string,
 ##
 ## nick: The nickname specified in the reply.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -427,7 +427,7 @@ event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
 ##
 ## chans: The set of channels returned.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -453,7 +453,7 @@ event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
 ##
 ## real_name: The real name specified in the reply.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -474,7 +474,7 @@ event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
 ## got_oper: True if the *oper* command was executed successfully
 ## (*youreport*) and false otherwise (*nooperhost*).
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_part_message
@@ -496,7 +496,7 @@ event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
 ##
 ## msg: The message coming with the reply.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
 ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -517,7 +517,7 @@ event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: strin
 ##
 ## topic: The topic specified in the reply.
 ##
-## .. bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users
+## .. zeek:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users
 ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
 ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -539,7 +539,7 @@ event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: s
 ##
 ## oper: True if the operator flag was set.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -561,7 +561,7 @@ event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
 ##
 ## users: TODO.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -583,7 +583,7 @@ event irc_whois_message%(c: connection, is_orig: bool, server: string, users: st
 ##
 ## password: The password specified in the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_response irc_part_message
@@ -610,7 +610,7 @@ event irc_oper_message%(c: connection, is_orig: bool, user: string, password: st
 ##
 ## comment: The comment specified in the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -634,7 +634,7 @@ event irc_kick_message%(c: connection, is_orig: bool, prefix: string,
 ##
 ## message: The textual description specified in the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
 ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
 ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -659,7 +659,7 @@ event irc_error_message%(c: connection, is_orig: bool, prefix: string, message:
 ##
 ## channel: The channel specified in the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_join_message irc_kick_message
 ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -683,7 +683,7 @@ event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
 ##
 ## params: The parameters coming with the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -708,7 +708,7 @@ event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: st
 ##
 ## message: The textual description specified in the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -742,7 +742,7 @@ event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
 ##
 ## size: The size specified in the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users
 ## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
 ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ## irc_notice_message irc_oper_message irc_oper_response irc_part_message
@@ -771,7 +771,7 @@ event irc_dcc_message%(c: connection, is_orig: bool,
 ##
 ## real_name: The real name specified in the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
@@ -791,7 +791,7 @@ event irc_user_message%(c: connection, is_orig: bool, user: string, host: string
 ##
 ## password: The password specified in the message.
 ##
-## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
 ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
diff --git a/src/analyzer/protocol/krb/events.bif b/src/analyzer/protocol/krb/events.bif
index 19b165a4be..26405442ed 100644
--- a/src/analyzer/protocol/krb/events.bif
+++ b/src/analyzer/protocol/krb/events.bif
@@ -11,7 +11,7 @@
 ##
 ## msg: A Kerberos KDC request message data structure.
 ##
-## .. bro:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request
+## .. zeek:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request
 ## krb_ap_response krb_priv krb_safe krb_cred krb_error
 event krb_as_request%(c: connection, msg: KRB::KDC_Request%);
@@ -27,7 +27,7 @@ event krb_as_request%(c: connection, msg: KRB::KDC_Request%);
 ##
 ## msg: A Kerberos KDC reply message data structure.
 ##
-## .. bro:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request
+## .. zeek:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request
 ## krb_ap_response krb_priv krb_safe krb_cred krb_error
 event krb_as_response%(c: connection, msg: KRB::KDC_Response%);
@@ -44,7 +44,7 @@ event krb_as_response%(c: connection, msg: KRB::KDC_Response%);
 ##
 ## msg: A Kerberos KDC request message data structure.
 ##
-## .. bro:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request
+## .. zeek:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request
 ## krb_ap_response krb_priv krb_safe krb_cred krb_error
 event krb_tgs_request%(c: connection, msg: KRB::KDC_Request%);
@@ -60,7 +60,7 @@ event krb_tgs_request%(c: connection, msg: KRB::KDC_Request%);
 ##
 ## msg: A Kerberos KDC reply message data structure.
 ##
-## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request
+## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request
 ## krb_ap_response krb_priv krb_safe krb_cred krb_error
 event krb_tgs_response%(c: connection, msg: KRB::KDC_Response%);
@@ -78,7 +78,7 @@ event krb_tgs_response%(c: connection, msg: KRB::KDC_Response%);
 ##
 ## opts: A Kerberos AP options data structure.
 ##
-## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
 ## krb_ap_response krb_priv krb_safe krb_cred krb_error
 event krb_ap_request%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options%);
@@ -93,7 +93,7 @@ event krb_ap_request%(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options%
 ##
 ## c: The connection over which this Kerberos message was sent.
 ##
-## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
 ## krb_ap_request krb_priv krb_safe krb_cred krb_error
 event krb_ap_response%(c: connection%);
@@ -109,7 +109,7 @@ event krb_ap_response%(c: connection%);
 ##
 ## is_orig: Whether the originator of the connection sent this message.
 ##
-## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
 ## krb_ap_request krb_ap_response krb_safe krb_cred krb_error
 event krb_priv%(c: connection, is_orig: bool%);
@@ -125,7 +125,7 @@ event krb_priv%(c: connection, is_orig: bool%);
 ##
 ## msg: A Kerberos SAFE message data structure.
 ##
-## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
 ## krb_ap_request krb_ap_response krb_priv krb_cred krb_error
 event krb_safe%(c: connection, is_orig: bool, msg: KRB::SAFE_Msg%);
@@ -141,7 +141,7 @@ event krb_safe%(c: connection, is_orig: bool, msg: KRB::SAFE_Msg%);
 ##
 ## tickets: Tickets obtained from the KDC that are being forwarded.
 ##
-## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
 ## krb_ap_request krb_ap_response krb_priv krb_safe krb_error
 event krb_cred%(c: connection, is_orig: bool, tickets: KRB::Ticket_Vector%);
@@ -154,6 +154,6 @@ event krb_cred%(c: connection, is_orig: bool, tickets: KRB::Ticket_Vector%);
 ##
 ## msg: A Kerberos error message data structure.
 ##
-## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+## .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
 ## krb_ap_request krb_ap_response krb_priv krb_safe krb_cred
 event krb_error%(c: connection, msg: KRB::Error_Msg%);
diff --git a/src/analyzer/protocol/login/events.bif b/src/analyzer/protocol/login/events.bif
index 91c58f21c4..39921b4c5e 100644
--- a/src/analyzer/protocol/login/events.bif
+++ b/src/analyzer/protocol/login/events.bif
@@ -14,7 +14,7 @@
 ##
 ## new_session: True if this is the first command of the Rsh session.
 ##
-## .. bro:see:: rsh_reply login_confused login_confused_text login_display
+## .. zeek:see:: rsh_reply login_confused login_confused_text login_display
 ## login_failure login_input_line login_output_line login_prompt login_success
 ## login_terminal
 ##
@@ -41,7 +41,7 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line
 ##
 ## line: The command line sent in the request.
 ##
-## .. bro:see:: rsh_request login_confused login_confused_text login_display
+## .. zeek:see:: rsh_request login_confused login_confused_text login_display
 ## login_failure login_input_line login_output_line login_prompt login_success
 ## login_terminal
 ##
@@ -72,7 +72,7 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
 ## line: The line of text that led the analyzer to conclude that the
 ## authentication had failed.
 ##
-## .. bro:see:: login_confused login_confused_text login_display login_input_line
+## .. zeek:see:: login_confused login_confused_text login_display login_input_line
 ## login_output_line login_prompt login_success login_terminal direct_login_prompts
 ## get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
 ## login_timeouts set_login_state
@@ -85,7 +85,7 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
 ## been ported to Bro 2.x. To still enable this event, one needs to add a
-## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
+## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ## signature.
 event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
@@ -107,7 +107,7 @@ event login_failure%(c: connection, user: string, client_user: string, password:
 ## line: The line of text that led the analyzer to conclude that the
 ## authentication had succeeded.
 ##
-## .. bro:see:: login_confused login_confused_text login_display login_failure
+## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ## login_input_line login_output_line login_prompt login_terminal
 ## direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
 ## login_prompts login_success_msgs login_timeouts set_login_state
@@ -120,7 +120,7 @@ event login_failure%(c: connection, user: string, client_user: string, password:
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
 ## been ported to Bro 2.x. To still enable this event, one needs to add a
-## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
+## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ## signature.
 event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
@@ -131,13 +131,13 @@ event login_success%(c: connection, user: string, client_user: string, password:
 ##
 ## line: The input line.
 ##
-## .. bro:see:: login_confused login_confused_text login_display login_failure
+## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ## login_output_line login_prompt login_success login_terminal rsh_request
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
 ## been ported to Bro 2.x. To still enable this event, one needs to add a
-## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload
+## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ## signature.
 event login_input_line%(c: connection, line: string%);
@@ -148,13 +148,13 @@ event login_input_line%(c: connection, line: string%); ## ## line: The ouput line. ## -## .. bro:see:: login_confused login_confused_text login_display login_failure +## .. zeek:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_prompt login_success login_terminal rsh_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_output_line%(c: connection, line: string%); @@ -173,7 +173,7 @@ event login_output_line%(c: connection, line: string%); ## line: The line of text that caused the heuristics to conclude they were ## confused. ## -## .. bro:see:: login_confused_text login_display login_failure login_input_line login_output_line +## .. zeek:see:: login_confused_text login_display login_failure login_input_line login_output_line ## login_prompt login_success login_terminal direct_login_prompts get_login_state ## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs ## login_timeouts set_login_state 
@@ -181,20 +181,20 @@ event login_output_line%(c: connection, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_confused%(c: connection, msg: string, line: string%); ## Generated after getting confused while tracking a Telnet/Rlogin ## authentication dialog. The *login* analyzer generates this even for every -## line of user input after it has reported :bro:id:`login_confused` for a +## line of user input after it has reported :zeek:id:`login_confused` for a ## connection. ## ## c: The connection. ## ## line: The line the user typed. ## -## .. bro:see:: login_confused login_display login_failure login_input_line +## .. zeek:see:: login_confused login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal direct_login_prompts ## get_login_state login_failure_msgs login_non_failure_msgs login_prompts ## login_success_msgs login_timeouts set_login_state @@ -202,7 +202,7 @@ event login_confused%(c: connection, msg: string, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_confused_text%(c: connection, line: string%); 
@@ -213,13 +213,13 @@ event login_confused_text%(c: connection, line: string%); ## ## terminal: The TERM value transmitted. ## -## .. bro:see:: login_confused login_confused_text login_display login_failure +## .. zeek:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_output_line login_prompt login_success ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_terminal%(c: connection, terminal: string%); @@ -230,13 +230,13 @@ event login_terminal%(c: connection, terminal: string%); ## ## display: The DISPLAY transmitted. ## -## .. bro:see:: login_confused login_confused_text login_failure login_input_line +## .. zeek:see:: login_confused login_confused_text login_failure login_input_line ## login_output_line login_prompt login_success login_terminal ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_display%(c: connection, display: string%); 
@@ -252,16 +252,16 @@ event login_display%(c: connection, display: string%); ## ## c: The connection. ## -## .. bro:see:: authentication_rejected authentication_skipped login_success +## .. zeek:see:: authentication_rejected authentication_skipped login_success ## ## .. note:: This event inspects the corresponding Telnet option -## while :bro:id:`login_success` heuristically determines success by watching +## while :zeek:id:`login_success` heuristically determines success by watching ## session data. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event authentication_accepted%(name: string, c: connection%); @@ -277,16 +277,16 @@ event authentication_accepted%(name: string, c: connection%); ## ## c: The connection. ## -## .. bro:see:: authentication_accepted authentication_skipped login_failure +## .. zeek:see:: authentication_accepted authentication_skipped login_failure ## ## .. note:: This event inspects the corresponding Telnet option -## while :bro:id:`login_success` heuristically determines failure by watching +## while :zeek:id:`login_success` heuristically determines failure by watching ## session data. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event authentication_rejected%(name: string, c: connection%); 
@@ -298,7 +298,7 @@ event authentication_rejected%(name: string, c: connection%); ## ## c: The connection. ## -## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts +## .. zeek:see:: authentication_accepted authentication_rejected direct_login_prompts ## get_login_state login_failure_msgs login_non_failure_msgs login_prompts ## login_success_msgs login_timeouts set_login_state ## @@ -310,7 +310,7 @@ event authentication_rejected%(name: string, c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event authentication_skipped%(c: connection%); @@ -325,13 +325,13 @@ event authentication_skipped%(c: connection%); ## ## prompt: The TTYPROMPT transmitted. ## -## .. bro:see:: login_confused login_confused_text login_display login_failure +## .. zeek:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_output_line login_success login_terminal ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event login_prompt%(c: connection, prompt: string%); 
@@ -344,7 +344,7 @@ event login_prompt%(c: connection, prompt: string%); ## ## c: The connection. ## -## .. bro:see:: authentication_accepted authentication_rejected authentication_skipped +## .. zeek:see:: authentication_accepted authentication_rejected authentication_skipped ## login_confused login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal event activating_encryption%(c: connection%); @@ -362,7 +362,7 @@ event activating_encryption%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: bad_option bad_option_termination authentication_accepted +## .. zeek:see:: bad_option bad_option_termination authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal @@ -375,7 +375,7 @@ event inconsistent_option%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted +## .. zeek:see:: inconsistent_option bad_option_termination authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal @@ -383,7 +383,7 @@ event inconsistent_option%(c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event bad_option%(c: connection%); 
@@ -394,7 +394,7 @@ event bad_option%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: inconsistent_option bad_option authentication_accepted +## .. zeek:see:: inconsistent_option bad_option authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line ## login_output_line login_prompt login_success login_terminal @@ -402,6 +402,6 @@ event bad_option%(c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event bad_option_termination%(c: connection%); diff --git a/src/analyzer/protocol/login/functions.bif b/src/analyzer/protocol/login/functions.bif index bc4b2a7104..932020595c 100644 --- a/src/analyzer/protocol/login/functions.bif +++ b/src/analyzer/protocol/login/functions.bif @@ -21,7 +21,7 @@ ## does not correctly know the state of the connection, and/or ## the username associated with it. ## -## .. bro:see:: set_login_state +## .. zeek:see:: set_login_state function get_login_state%(cid: conn_id%): count %{ Connection* c = sessions->FindConnection(cid); @@ -40,12 +40,12 @@ function get_login_state%(cid: conn_id%): count ## cid: The connection ID. ## ## new_state: The new state of the login analyzer. See -## :bro:id:`get_login_state` for possible values. +## :zeek:id:`get_login_state` for possible values. ## ## Returns: Returns false if *cid* is not an active connection ## or is not tagged as a login analyzer, and true otherwise. ## -## .. bro:see:: get_login_state +## .. zeek:see:: get_login_state function set_login_state%(cid: conn_id, new_state: count%): bool %{ Connection* c = sessions->FindConnection(cid); 
diff --git a/src/analyzer/protocol/mime/events.bif b/src/analyzer/protocol/mime/events.bif index c0b2e66132..1c73e2e69b 100644 --- a/src/analyzer/protocol/mime/events.bif +++ b/src/analyzer/protocol/mime/events.bif @@ -9,12 +9,12 @@ ## ## c: The connection. ## -## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity +## .. zeek:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity ## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data ## http_begin_entity ## ## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, -## however, it raises :bro:id:`http_begin_entity` instead. +## however, it raises :zeek:id:`http_begin_entity` instead. event mime_begin_entity%(c: connection%); ## Generated when finishing parsing an email MIME entity. MIME is a @@ -28,12 +28,12 @@ event mime_begin_entity%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data ## http_end_entity ## ## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, -## however, it raises :bro:id:`http_end_entity` instead. +## however, it raises :zeek:id:`http_end_entity` instead. event mime_end_entity%(c: connection%); ## Generated for individual MIME headers extracted from email MIME 
@@ -48,12 +48,12 @@ event mime_end_entity%(c: connection%); ## ## h: The parsed MIME header. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_segment_data ## http_header http_all_headers ## ## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, -## however, it raises :bro:id:`http_header` instead. +## however, it raises :zeek:id:`http_header` instead. event mime_one_header%(c: connection, h: mime_header_rec%); ## Generated for MIME headers extracted from email MIME entities, passing all @@ -70,12 +70,12 @@ event mime_one_header%(c: connection, h: mime_header_rec%); ## The table is indexed by the position of the header (1 for the first, ## 2 for the second, etc.). ## -## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity +## .. zeek:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity ## mime_entity_data mime_event mime_one_header mime_segment_data ## http_header http_all_headers ## ## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, -## however, it raises :bro:id:`http_header` instead. +## however, it raises :zeek:id:`http_header` instead. event mime_all_headers%(c: connection, hlist: mime_header_list%); ## Generated for chunks of decoded MIME data from email MIME entities. MIME 
@@ -83,7 +83,7 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%); ## corresponding metadata, for transmission. As Bro parses the data of an ## entity, it raises a sequence of these events, each coming as soon as a new ## chunk of data is available. In contrast, there is also -## :bro:id:`mime_entity_data`, which passes all of an entities data at once +## :zeek:id:`mime_entity_data`, which passes all of an entities data at once ## in a single block. While the latter is more convenient to handle, ## ``mime_segment_data`` is more efficient as Bro does not need to buffer ## the data. Thus, if possible, this event should be preferred. @@ -98,17 +98,17 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%); ## ## data: The raw data of one segment of the current entity. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data ## mime_segment_length mime_segment_overlap_length ## ## .. note:: Bro also extracts MIME data from HTTP sessions. For those, -## however, it raises :bro:id:`http_entity_data` (sic!) instead. +## however, it raises :zeek:id:`http_entity_data` (sic!) instead. event mime_segment_data%(c: connection, length: count, data: string%); ## Generated for data decoded from an email MIME entity. This event delivers ## the complete content of a single MIME entity with the quoted-printable and -## and base64 data decoded. In contrast, there is also :bro:id:`mime_segment_data`, +## and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`, ## which passes on a sequence of data chunks as they come in. While ## ``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is ## more efficient as Bro does not need to buffer the data. Thus, if possible, 
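Review bot: The rewritten doc line for mime_entity_data in the -98 hunk reads `+## and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,` directly after a context line ending in `quoted-printable and`, so the rendered sentence says "and and base64"; since the line is already being rewritten, dropping its leading `and` would fix it. In the -83 hunk the rewritten line says `all of an entities data`, where `all of an entity's data` is the intended possessive. Both are comment-only fixes to lines this commit already touches.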
@@ -124,7 +124,7 @@ event mime_segment_data%(c: connection, length: count, data: string%); ## ## data: The raw data of the complete entity. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_event mime_one_header mime_segment_data ## ## .. note:: While Bro also decodes MIME entities extracted from HTTP @@ -147,7 +147,7 @@ event mime_entity_data%(c: connection, length: count, data: string%); ## ## data: The raw data of all MIME entities concatenated. ## -## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity +## .. zeek:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity ## mime_entity_data mime_event mime_one_header mime_segment_data ## ## .. note:: While Bro also decodes MIME entities extracted from HTTP @@ -167,11 +167,11 @@ event mime_all_data%(c: connection, length: count, data: string%); ## ## detail: Further more detailed description of the error. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event ## ## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, -## however, it raises :bro:id:`http_event` instead. +## however, it raises :zeek:id:`http_event` instead. event mime_event%(c: connection, event_type: string, detail: string%); ## Generated for decoded MIME entities extracted from email messages, passing on 
@@ -188,7 +188,7 @@ event mime_event%(c: connection, event_type: string, detail: string%); ## ## hash_value: The MD5 hash. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity ## mime_entity_data mime_event mime_one_header mime_segment_data ## ## .. note:: While Bro also decodes MIME entities extracted from HTTP diff --git a/src/analyzer/protocol/mysql/events.bif b/src/analyzer/protocol/mysql/events.bif index 34cbc54b4b..7ce65276a6 100644 --- a/src/analyzer/protocol/mysql/events.bif +++ b/src/analyzer/protocol/mysql/events.bif @@ -9,7 +9,7 @@ ## ## arg: The argument for the command (empty string if not provided). ## -## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake +## .. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake event mysql_command_request%(c: connection, command: count, arg: string%); ## Generated for an unsuccessful MySQL response. @@ -23,7 +23,7 @@ event mysql_command_request%(c: connection, command: count, arg: string%); ## ## msg: Any extra details about the error (empty string if not provided). ## -## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake +## .. zeek:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake event mysql_error%(c: connection, code: count, msg: string%); ## Generated for a successful MySQL response. @@ -35,7 +35,7 @@ event mysql_error%(c: connection, code: count, msg: string%); ## ## affected_rows: The number of rows that were affected. ## -## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake +## .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake event mysql_ok%(c: connection, affected_rows: count%); ## Generated for each MySQL ResultsetRow response packet. 
@@ -47,7 +47,7 @@ event mysql_ok%(c: connection, affected_rows: count%); ## ## row: The result row data. ## -## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok +## .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok event mysql_result_row%(c: connection, row: string_vec%); ## Generated for the initial server handshake packet, which includes the MySQL server version. @@ -59,7 +59,7 @@ event mysql_result_row%(c: connection, row: string_vec%); ## ## ver: The server version string. ## -## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake +## .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_handshake event mysql_server_version%(c: connection, ver: string%); ## Generated for a client handshake response packet, which includes the username the client is attempting @@ -72,6 +72,6 @@ event mysql_server_version%(c: connection, ver: string%); ## ## username: The username supplied by the client ## -## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_server_version +## .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version event mysql_handshake%(c: connection, username: string%); diff --git a/src/analyzer/protocol/ncp/events.bif b/src/analyzer/protocol/ncp/events.bif index 9b5b7d77a7..05da060658 100644 --- a/src/analyzer/protocol/ncp/events.bif +++ b/src/analyzer/protocol/ncp/events.bif @@ -11,7 +11,7 @@ ## ## func: The requested function, as specified by the protocol. ## -## .. bro:see:: ncp_reply +## .. zeek:see:: ncp_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -36,7 +36,7 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count%
 ##
 ## completion_code: The reply's completion code, as specified by the protocol.
 ##
-## .. bro:see:: ncp_request
+## .. zeek:see:: ncp_request
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc
index 07c81f6839..492375b7aa 100644
--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@@ -97,7 +97,7 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
 return ParseDatagram(data, len, is_query);
 default:
- analyzer->Weird(fmt("unknown_netbios_type: 0x%x", type));
+ analyzer->Weird("unknown_netbios_type", fmt("0x%x", type));
 return 1;
 }
 }
@@ -143,7 +143,7 @@ int NetbiosSSN_Interpreter::ParseMessageTCP(const u_char* data, int len,
 NetbiosSSN_RawMsgHdr hdr(data, len);
 if ( hdr.length > unsigned(len) )
- analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
+ analyzer->Weird("excess_netbios_hdr_len", fmt("(%d > %d)",
 hdr.length, len));
 else if ( hdr.length < unsigned(len) )
@@ -162,12 +162,12 @@ int NetbiosSSN_Interpreter::ParseMessageUDP(const u_char* data, int len,
 NetbiosDGM_RawMsgHdr hdr(data, len);
 if ( unsigned(hdr.length-14) > unsigned(len) )
- analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
+ analyzer->Weird("excess_netbios_hdr_len", fmt("(%d > %d)",
 hdr.length, len));
 else if ( hdr.length < unsigned(len) )
 {
- analyzer->Weird(fmt("deficit_netbios_hdr_len (%d < %d)",
+ analyzer->Weird("deficit_netbios_hdr_len", fmt("(%d < %d)",
 hdr.length, len));
 len = hdr.length;
 }
diff --git a/src/analyzer/protocol/netbios/events.bif b/src/analyzer/protocol/netbios/events.bif
index 72933f1e49..ed51264e92 100644
--- a/src/analyzer/protocol/netbios/events.bif
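Review bot: In the ParseMessageTCP and ParseMessageUDP hunks the detail argument keeps its parentheses, `fmt("(%d > %d)", hdr.length, len)`, while the RPC hunks in this same commit pass bare values such as `fmt("%d", c->Program())`; the addl column is easier to consume downstream if the format is uniform, e.g. `fmt("%d > %d", hdr.length, len)` at all three sites. hdr.length is compared against `unsigned(len)`, which suggests it is an unsigned field; if so `%u` is the matching conversion for it, though the field's declared type is not visible here. Both functions continue outside the hunks.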
+++ b/src/analyzer/protocol/netbios/events.bif @@ -16,7 +16,7 @@ ## ## data_len: The length of the message's payload. ## -## .. bro:see:: netbios_session_accepted netbios_session_keepalive +## .. zeek:see:: netbios_session_accepted netbios_session_keepalive ## netbios_session_raw_message netbios_session_rejected netbios_session_request ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## @@ -44,7 +44,7 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da ## msg: The raw payload of the message sent, excluding the common NetBIOS ## header. ## -## .. bro:see:: netbios_session_accepted netbios_session_keepalive +## .. zeek:see:: netbios_session_accepted netbios_session_keepalive ## netbios_session_message netbios_session_raw_message netbios_session_rejected ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## @@ -72,7 +72,7 @@ event netbios_session_request%(c: connection, msg: string%); ## msg: The raw payload of the message sent, excluding the common NetBIOS ## header. ## -## .. bro:see:: netbios_session_keepalive netbios_session_message +## .. zeek:see:: netbios_session_keepalive netbios_session_message ## netbios_session_raw_message netbios_session_rejected netbios_session_request ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## @@ -100,7 +100,7 @@ event netbios_session_accepted%(c: connection, msg: string%); ## msg: The raw payload of the message sent, excluding the common NetBIOS ## header. ## -## .. bro:see:: netbios_session_accepted netbios_session_keepalive +## .. zeek:see:: netbios_session_accepted netbios_session_keepalive ## netbios_session_message netbios_session_raw_message netbios_session_request ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## 
@@ -132,7 +132,7 @@ event netbios_session_rejected%(c: connection, msg: string%); ## msg: The raw payload of the message sent, excluding the common NetBIOS ## header (i.e., the ``user_data``). ## -## .. bro:see:: netbios_session_accepted netbios_session_keepalive +## .. zeek:see:: netbios_session_accepted netbios_session_keepalive ## netbios_session_message netbios_session_rejected netbios_session_request ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## @@ -163,7 +163,7 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%); ## msg: The raw payload of the message sent, excluding the common NetBIOS ## header. ## -## .. bro:see:: netbios_session_accepted netbios_session_keepalive +## .. zeek:see:: netbios_session_accepted netbios_session_keepalive ## netbios_session_message netbios_session_raw_message netbios_session_rejected ## netbios_session_request decode_netbios_name decode_netbios_name_type ## @@ -193,7 +193,7 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%); ## msg: The raw payload of the message sent, excluding the common NetBIOS ## header. ## -## .. bro:see:: netbios_session_accepted netbios_session_message +## .. zeek:see:: netbios_session_accepted netbios_session_message ## netbios_session_raw_message netbios_session_rejected netbios_session_request ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## diff --git a/src/analyzer/protocol/netbios/functions.bif b/src/analyzer/protocol/netbios/functions.bif index f92402a3e8..c86156931f 100644 --- a/src/analyzer/protocol/netbios/functions.bif +++ b/src/analyzer/protocol/netbios/functions.bif @@ -5,7 +5,7 @@ ## ## Returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAME"``. ## -## .. bro:see:: decode_netbios_name_type +## .. zeek:see:: decode_netbios_name_type function decode_netbios_name%(name: string%): string %{ char buf[16]; 
@@ -41,7 +41,7 @@ function decode_netbios_name%(name: string%): string ## ## Returns: The numeric value of *name*. ## -## .. bro:see:: decode_netbios_name +## .. zeek:see:: decode_netbios_name function decode_netbios_name_type%(name: string%): count %{ const u_char* s = name->Bytes(); diff --git a/src/analyzer/protocol/ntlm/events.bif b/src/analyzer/protocol/ntlm/events.bif index a36d653968..88def089fa 100644 --- a/src/analyzer/protocol/ntlm/events.bif +++ b/src/analyzer/protocol/ntlm/events.bif @@ -4,7 +4,7 @@ ## ## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details. ## -## .. bro:see:: ntlm_challenge ntlm_authenticate +## .. zeek:see:: ntlm_challenge ntlm_authenticate event ntlm_negotiate%(c: connection, negotiate: NTLM::Negotiate%); ## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*. @@ -13,7 +13,7 @@ event ntlm_negotiate%(c: connection, negotiate: NTLM::Negotiate%); ## ## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details. ## -## .. bro:see:: ntlm_negotiate ntlm_authenticate +## .. zeek:see:: ntlm_negotiate ntlm_authenticate event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%); ## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*. @@ -22,5 +22,5 @@ event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%); ## ## request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details. ## -## .. bro:see:: ntlm_negotiate ntlm_challenge +## .. zeek:see:: ntlm_negotiate ntlm_challenge event ntlm_authenticate%(c: connection, request: NTLM::Authenticate%); diff --git a/src/analyzer/protocol/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif index bba2dfbbe5..d32d680799 100644 --- a/src/analyzer/protocol/ntp/events.bif +++ b/src/analyzer/protocol/ntp/events.bif 
@@ -11,7 +11,7 @@ ## excess: The raw bytes of any optional parts of the NTP packet. Bro does not ## further parse any optional fields. ## -## .. bro:see:: ntp_session_timeout +## .. zeek:see:: ntp_session_timeout ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet diff --git a/src/analyzer/protocol/pop3/events.bif b/src/analyzer/protocol/pop3/events.bif index 74cf1f6f68..c51632b6c2 100644 --- a/src/analyzer/protocol/pop3/events.bif +++ b/src/analyzer/protocol/pop3/events.bif @@ -12,7 +12,7 @@ ## ## arg: The argument to the command. ## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply +## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply ## pop3_unexpected ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -37,7 +37,7 @@ event pop3_request%(c: connection, is_orig: bool, ## ## msg: The textual description the server sent along with *cmd*. ## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request +## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_request ## pop3_unexpected ## ## .. todo:: This event is receiving odd parameters, should unify. @@ -62,7 +62,7 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); ## ## data: The data sent. ## -## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request +## .. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request ## pop3_unexpected ## ## .. todo:: Bro's current default configuration does not activate the protocol 
@@ -86,7 +86,7 @@ event pop3_data%(c: connection, is_orig: bool, data: string%); ## ## detail: The input that triggered the event. ## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request +## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -105,7 +105,7 @@ event pop3_unexpected%(c: connection, is_orig: bool, ## ## c: The connection. ## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply +## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply ## pop3_request pop3_unexpected ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -128,7 +128,7 @@ event pop3_starttls%(c: connection%); ## ## password: The password used for authentication. ## -## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request +## .. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request ## pop3_unexpected ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -152,7 +152,7 @@ event pop3_login_success%(c: connection, is_orig: bool, ## ## password: The password attempted for authentication. ## -## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request +## .. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request ## pop3_unexpected ## ## .. todo:: Bro's current default configuration does not activate the protocol diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc index f32f4449af..604d2e3ed1 100644 --- a/src/analyzer/protocol/rpc/MOUNT.cc +++ b/src/analyzer/protocol/rpc/MOUNT.cc 
@@ -17,7 +17,7 @@ using namespace analyzer::rpc;
 int MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { if ( c->Program() != 100005 )
- Weird(fmt("bad_RPC_program (%d)", c->Program()));
+ Weird("bad_RPC_program", fmt("%d", c->Program()));
 uint32 proc = c->Proc(); // The call arguments, depends on the call type obviously ...
@@ -49,7 +49,7 @@ int MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
 n = 0; } else
- Weird(fmt("unknown_MOUNT_request(%u)", proc));
+ Weird("unknown_MOUNT_request", fmt("%u", proc));
 // Return 1 so that replies to unprocessed calls will still
 // be processed, and the return status extracted.
diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc
index 6d0841900c..ff16812d65 100644
--- a/src/analyzer/protocol/rpc/NFS.cc
+++ b/src/analyzer/protocol/rpc/NFS.cc
@@ -17,7 +17,7 @@ using namespace analyzer::rpc;
 int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { if ( c->Program() != 100003 )
- Weird(fmt("bad_RPC_program (%d)", c->Program()));
+ Weird("bad_RPC_program", fmt("%d", c->Program()));
 uint32 proc = c->Proc(); // The call arguments, depends on the call type obviously ...
@@ -103,7 +103,7 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
 n = 0; } else
- Weird(fmt("unknown_NFS_request(%u)", proc));
+ Weird("unknown_NFS_request", fmt("%u", proc));
 // Return 1 so that replies to unprocessed calls will still
 // be processed, and the return status extracted.
diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc
index 9d86210df6..5bd748d1ea 100644
--- a/src/analyzer/protocol/rpc/RPC.cc
+++ b/src/analyzer/protocol/rpc/RPC.cc
@@ -371,9 +371,9 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status,
 } }
-void RPC_Interpreter::Weird(const char* msg)
+void RPC_Interpreter::Weird(const char* msg, const char* addl)
 {
- analyzer->Weird(msg);
+ analyzer->Weird(msg, addl);
 }
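Review bot: The `bad_RPC_program` weird still formats the program number with `%d` while the sibling `unknown_MOUNT_request` weird in the next hunk uses `%u`; the hunk assigns `c->Proc()` to a `uint32` and compares `c->Program()` against the unsigned literal 100005, so if Program() returns an unsigned type like Proc() does, a value with the top bit set would be logged as a negative number. Suggest `Weird("bad_RPC_program", fmt("%u", c->Program()));` here and in the identical NFS.cc hunk, once Program()'s return type is confirmed. Separately, now that the weird name is a constant rather than embedding the peer-supplied program number, the weird can be keyed and sampled by name instead of yielding an unbounded set of distinct names from one untrusted field; a one-line comment above the call, e.g. `// Keep the weird name constant; the untrusted program number goes in addl.`, would keep a later edit from folding it back into the name. RPC_BuildCall's body continues outside the hunk.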
@@ -532,9 +532,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
 DEBUG_MSG("%.6f RPC resync: " "discard small pieces: %d\n", network_time, len);
- Conn()->Weird(
- fmt("RPC resync: discard %d bytes\n",
- len));
+ Conn()->Weird("RPC_resync", fmt("discard %d bytes\n", len));
 } NeedResync();
@@ -677,7 +675,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
 // network_time, IsOrig(), marker, last_frag, msg_buf.GetExpected(), msg_buf.GetProcessed(), len);
 if ( ! msg_buf.AddToExpected(marker) )
- Conn()->Weird(fmt("RPC_message_too_long (%" PRId64 ")" , msg_buf.GetExpected()));
+ Conn()->Weird("RPC_message_too_long", fmt("%" PRId64, msg_buf.GetExpected()));
 if ( last_frag ) state = WAIT_FOR_LAST_DATA;
diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h
index 8fa19b8d53..40c65a00d4 100644
--- a/src/analyzer/protocol/rpc/RPC.h
+++ b/src/analyzer/protocol/rpc/RPC.h
@@ -123,7 +123,7 @@ protected:
 void Event_RPC_Call(RPC_CallInfo* c);
 void Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len);
- void Weird(const char* name);
+ void Weird(const char* name, const char* addl = "");
 PDict(RPC_CallInfo) calls; analyzer::Analyzer* analyzer;
diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif
index b811a60cda..fd6331360d 100644
--- a/src/analyzer/protocol/rpc/events.bif
+++ b/src/analyzer/protocol/rpc/events.bif
@@ -10,7 +10,7 @@
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink
 ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ## rpc_dialogue rpc_reply
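Review bot: The new `RPC_resync` weird passes `"discard %d bytes\n"` as its addl string, so the trailing newline that used to terminate a free-form message now appears to end up inside the separate addl value that the two-argument Weird() carries (see the RPC.h hunk below, which gives addl its own parameter), which is untidy in a field-based log. The `RPC_message_too_long` change in the next hunk correctly omits the newline; this call should match it: `Conn()->Weird("RPC_resync", fmt("discard %d bytes", len));`. CheckResync's body starts and ends outside the hunk.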
@@ -38,7 +38,7 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## attrs: The attributes returned in the reply. The values may not be valid if ## the request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## rpc_call rpc_dialogue rpc_reply file_mode @@ -66,7 +66,7 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF ## rep: The attributes returned in the reply. The values may not be ## valid if the request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## rpc_call rpc_dialogue rpc_reply file_mode @@ -94,7 +94,7 @@ event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## rpc_call rpc_dialogue rpc_reply 
@@ -122,7 +122,7 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir ## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply ## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max @@ -150,7 +150,7 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## nfs_proc_symlink rpc_call rpc_dialogue rpc_reply @@ -178,7 +178,7 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS ## rep: The attributes returned in the reply. The values may not be ## valid if the request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode 
@@ -206,7 +206,7 @@ event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkarg ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call ## nfs_proc_symlink rpc_dialogue rpc_reply @@ -234,7 +234,7 @@ event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, r ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call ## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only @@ -263,7 +263,7 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## rpc_call rpc_dialogue rpc_reply 
@@ -291,7 +291,7 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status ## rpc_call rpc_dialogue rpc_reply @@ -319,7 +319,7 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call ## rpc_dialogue rpc_reply @@ -347,7 +347,7 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call ## rpc_dialogue rpc_reply 
@@ -375,7 +375,7 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write ## nfs_reply_status rpc_call rpc_dialogue rpc_reply @@ -403,7 +403,7 @@ event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameoparg ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink ## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call ## rpc_dialogue rpc_reply @@ -427,7 +427,7 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg ## ## proc: The procedure called that Bro does not implement. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove ## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply ## 
@@ -444,7 +444,7 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p ## ## info: Reports the status included in the reply. ## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir ## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call ## rpc_dialogue rpc_reply @@ -463,7 +463,7 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%); ## ## r: The RPC connection. ## -## .. bro:see:: pm_request_set pm_request_unset pm_request_getport +## .. zeek:see:: pm_request_set pm_request_unset pm_request_getport ## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set ## pm_attempt_unset pm_attempt_getport pm_attempt_dump ## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply @@ -488,7 +488,7 @@ event pm_request_null%(r: connection%); ## reply. If no reply was seen, this will be false once the request ## times out. ## -## .. bro:see:: pm_request_null pm_request_unset pm_request_getport +## .. zeek:see:: pm_request_null pm_request_unset pm_request_getport ## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set ## pm_attempt_unset pm_attempt_getport pm_attempt_dump ## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply @@ -513,7 +513,7 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%); ## reply. If no reply was seen, this will be false once the request ## times out. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_getport +## .. zeek:see:: pm_request_null pm_request_set pm_request_getport ## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set ## pm_attempt_unset pm_attempt_getport pm_attempt_dump ## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply 
@@ -536,7 +536,7 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## ## p: The port returned by the server. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## .. zeek:see:: pm_request_null pm_request_set pm_request_unset ## pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set ## pm_attempt_unset pm_attempt_getport pm_attempt_dump ## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply @@ -557,7 +557,7 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## ## m: The mappings returned by the server. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## .. zeek:see:: pm_request_null pm_request_set pm_request_unset ## pm_request_getport pm_request_callit pm_attempt_null ## pm_attempt_set pm_attempt_unset pm_attempt_getport ## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call @@ -581,7 +581,7 @@ event pm_request_dump%(r: connection, m: pm_mappings%); ## ## p: The port value returned by the call. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## .. zeek:see:: pm_request_null pm_request_set pm_request_unset ## pm_request_getport pm_request_dump pm_attempt_null ## pm_attempt_set pm_attempt_unset pm_attempt_getport ## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call @@ -602,9 +602,9 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); ## r: The RPC connection. ## ## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. +## :zeek:id:`RPC_status`. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## .. zeek:see:: pm_request_null pm_request_set pm_request_unset ## pm_request_getport pm_request_dump pm_request_callit ## pm_attempt_set pm_attempt_unset pm_attempt_getport ## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call 
@@ -625,11 +625,11 @@ event pm_attempt_null%(r: connection, status: rpc_status%); ## r: The RPC connection. ## ## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. +## :zeek:id:`RPC_status`. ## ## m: The argument to the original request. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## .. zeek:see:: pm_request_null pm_request_set pm_request_unset ## pm_request_getport pm_request_dump pm_request_callit ## pm_attempt_null pm_attempt_unset pm_attempt_getport ## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call @@ -650,11 +650,11 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); ## r: The RPC connection. ## ## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. +## :zeek:id:`RPC_status`. ## ## m: The argument to the original request. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## .. zeek:see:: pm_request_null pm_request_set pm_request_unset ## pm_request_getport pm_request_dump pm_request_callit ## pm_attempt_null pm_attempt_set pm_attempt_getport ## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call @@ -675,11 +675,11 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); ## r: The RPC connection. ## ## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. +## :zeek:id:`RPC_status`. ## ## pr: The argument to the original request. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## .. zeek:see:: pm_request_null pm_request_set pm_request_unset ## pm_request_getport pm_request_dump pm_request_callit ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump ## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply 
@@ -699,9 +699,9 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request ## r: The RPC connection. ## ## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. +## :zeek:id:`RPC_status`. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## .. zeek:see:: pm_request_null pm_request_set pm_request_unset ## pm_request_getport pm_request_dump pm_request_callit ## pm_attempt_null pm_attempt_set pm_attempt_unset ## pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call @@ -722,11 +722,11 @@ event pm_attempt_dump%(r: connection, status: rpc_status%); ## r: The RPC connection. ## ## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. +## :zeek:id:`RPC_status`. ## ## call: The argument to the original request. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## .. zeek:see:: pm_request_null pm_request_set pm_request_unset ## pm_request_getport pm_request_dump pm_request_callit ## pm_attempt_null pm_attempt_set pm_attempt_unset ## pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call @@ -751,7 +751,7 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ ## ## bad_p: The invalid port value. ## -## .. bro:see:: pm_request_null pm_request_set pm_request_unset +## .. zeek:see:: pm_request_null pm_request_set pm_request_unset ## pm_request_getport pm_request_dump pm_request_callit ## pm_attempt_null pm_attempt_set pm_attempt_unset ## pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call 
@@ -767,7 +767,7 @@ event pm_bad_port%(r: connection, bad_p: count%); ## and reply by their transaction identifiers and raises this event once both ## have been seen. If there's not a reply, this event will still be generated ## eventually on timeout. In that case, *status* will be set to -## :bro:enum:`RPC_TIMEOUT`. +## :zeek:enum:`RPC_TIMEOUT`. ## ## See `Wikipedia `__ for more information ## about the ONC RPC protocol. @@ -781,7 +781,7 @@ event pm_bad_port%(r: connection, bad_p: count%); ## proc: The procedure of the remote program to call. ## ## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. +## :zeek:id:`RPC_status`. ## ## start_time: The time when the *call* was seen. ## @@ -789,13 +789,13 @@ event pm_bad_port%(r: connection, bad_p: count%); ## ## reply_len: The size of the *reply_body* PDU. ## -## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request +## .. zeek:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request ## dce_rpc_response rpc_timeout ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); 
@@ -816,13 +816,13 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: ## ## call_len: The size of the *call_body* PDU. ## -## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request +## .. zeek:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request ## dce_rpc_response rpc_timeout ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); @@ -836,17 +836,17 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, ## xid: The transaction identifier allowing to match requests with replies. ## ## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. +## :zeek:id:`RPC_status`. ## ## reply_len: The size of the *reply_body* PDU. ## -## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request +## .. zeek:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request ## dce_rpc_response rpc_timeout ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); 
@@ -859,7 +859,7 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count ## ## info: Reports the status of the dialogue, along with some meta information. ## -## .. bro:see:: mount_proc_mnt mount_proc_umnt +## .. zeek:see:: mount_proc_mnt mount_proc_umnt ## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -882,7 +882,7 @@ event mount_proc_null%(c: connection, info: MOUNT3::info_t%); ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: mount_proc_mnt mount_proc_umnt +## .. zeek:see:: mount_proc_mnt mount_proc_umnt ## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -902,7 +902,7 @@ event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntar ## ## req: The arguments passed in the request. ## -## .. bro:see:: mount_proc_mnt mount_proc_umnt +## .. zeek:see:: mount_proc_mnt mount_proc_umnt ## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -922,7 +922,7 @@ event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmnta ## ## req: The arguments passed in the request. ## -## .. bro:see:: mount_proc_mnt mount_proc_umnt +## .. zeek:see:: mount_proc_mnt mount_proc_umnt ## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol @@ -940,7 +940,7 @@ event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dir ## ## proc: The procedure called that Bro does not implement. ## -## .. bro:see:: mount_proc_mnt mount_proc_umnt +## .. zeek:see:: mount_proc_mnt mount_proc_umnt ## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol 
@@ -956,7 +956,7 @@ event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOU ## ## info: Reports the status included in the reply. ## -## .. bro:see:: mount_proc_mnt mount_proc_umnt +## .. zeek:see:: mount_proc_mnt mount_proc_umnt ## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol diff --git a/src/analyzer/protocol/sip/events.bif b/src/analyzer/protocol/sip/events.bif index f8ab6f4f37..fb8f9b77d1 100644 --- a/src/analyzer/protocol/sip/events.bif +++ b/src/analyzer/protocol/sip/events.bif @@ -13,7 +13,7 @@ ## ## version: The version number specified in the request (e.g., ``2.0``). ## -## .. bro:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity +## .. zeek:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity event sip_request%(c: connection, method: string, original_URI: string, version: string%); ## Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP). @@ -31,7 +31,7 @@ event sip_request%(c: connection, method: string, original_URI: string, version: ## ## reason: Textual details for the response code. ## -## .. bro:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity +## .. zeek:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity event sip_reply%(c: connection, version: string, code: count, reason: string%); ## Generated for each :abbr:`SIP (Session Initiation Protocol)` header. 
@@ -47,7 +47,7 @@ event sip_reply%(c: connection, version: string, code: count, reason: string%); ## ## value: Header value. ## -## .. bro:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity +## .. zeek:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity event sip_header%(c: connection, is_orig: bool, name: string, value: string%); ## Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder. @@ -61,7 +61,7 @@ event sip_header%(c: connection, is_orig: bool, name: string, value: string%); ## ## hlist: All the headers, and their values ## -## .. bro:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity +## .. zeek:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity event sip_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%); ## Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message. @@ -75,7 +75,7 @@ event sip_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%); ## ## is_orig: Whether the message came from the originator. ## -## .. bro:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity +## .. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity event sip_begin_entity%(c: connection, is_orig: bool%); ## Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message. @@ -87,5 +87,5 @@ event sip_begin_entity%(c: connection, is_orig: bool%); ## ## is_orig: Whether the message came from the originator. ## -## .. bro:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity +## .. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity event sip_end_entity%(c: connection, is_orig: bool%); diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index cc5d690dfd..b156d185bc 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt 
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@@ -35,6 +35,7 @@ bro_plugin_bif(
 smb2_com_tree_connect.bif smb2_com_tree_disconnect.bif smb2_com_write.bif
+ smb2_com_transform_header.bif
 smb2_events.bif events.bif
@@ -84,5 +85,6 @@ bro_plugin_pac(
 smb2-com-tree-connect.pac smb2-com-tree-disconnect.pac smb2-com-write.pac
+ smb2-com-transform-header.pac
 ) bro_plugin_end()
diff --git a/src/analyzer/protocol/smb/events.bif b/src/analyzer/protocol/smb/events.bif
index d0091589fe..77746c2a09 100644
--- a/src/analyzer/protocol/smb/events.bif
+++ b/src/analyzer/protocol/smb/events.bif
@@ -3,7 +3,7 @@
 ## up is when the drive mapping isn't seen so the analyzer is not able
 ## to determine whether to send the data to the files framework or to
 ## the DCE_RPC analyzer. This heuristic can be tuned by adding or
-## removing "named pipe" names from the :bro:see:`SMB::pipe_filenames`
+## removing "named pipe" names from the :zeek:see:`SMB::pipe_filenames`
 ## const.
 ##
 ## c: The connection.
diff --git a/src/analyzer/protocol/smb/smb-common.pac b/src/analyzer/protocol/smb/smb-common.pac
index 5e2a655ed7..05e9545642 100644
--- a/src/analyzer/protocol/smb/smb-common.pac
+++ b/src/analyzer/protocol/smb/smb-common.pac
@@ -1,6 +1,7 @@
 enum SMBVersion {
 SMB1 = 0xff534d42, # \xffSMB
 SMB2 = 0xfe534d42, # \xfeSMB
+ SMB3 = 0xfd534d42, # \xfdSMB (implies use of transform_header)
 };
 enum TransactionType {
diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac
index a21101faaa..4a1e8abbb3 100644
--- a/src/analyzer/protocol/smb/smb.pac
+++ b/src/analyzer/protocol/smb/smb.pac
@@ -40,6 +40,7 @@
 #include "smb2_com_tree_connect.bif.h"
 #include "smb2_com_tree_disconnect.bif.h"
 #include "smb2_com_write.bif.h"
+#include "smb2_com_transform_header.bif.h"
 %}
 analyzer SMB withcontext {
@@ -93,6 +94,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) {
 %include smb2-com-tree-connect.pac
 %include smb2-com-tree-disconnect.pac
 %include smb2-com-write.pac
+%include smb2-com-transform-header.pac
 type uint24 = record { byte1 : uint8;
@@ -128,6 +130,8 @@ type SMB_Protocol_Identifier(is_orig: bool, msg_len: uint32) = record {
 smb_1_or_2 : case protocol of {
 SMB1 -> smb1 : SMB_PDU(is_orig, msg_len);
 SMB2 -> smb2 : SMB2_PDU(is_orig);
+ # SMB 3.x protocol ID implies use of transform header to support encryption
+ SMB3 -> smb3 : SMB2_transform_header;
 default -> unknown : empty;
 }; };
diff --git a/src/analyzer/protocol/smb/smb1_com_check_directory.bif b/src/analyzer/protocol/smb/smb1_com_check_directory.bif
index 15feb3ad59..26f83210ff 100644
--- a/src/analyzer/protocol/smb/smb1_com_check_directory.bif
+++ b/src/analyzer/protocol/smb/smb1_com_check_directory.bif
@@ -10,7 +10,7 @@
 ##
 ## directory_name: The directory name to check for existence.
 ##
-## .. bro:see:: smb1_message smb1_check_directory_response
+## .. zeek:see:: smb1_message smb1_check_directory_response
 event smb1_check_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%);
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@@ -23,5 +23,5 @@ event smb1_check_directory_request%(c: connection, hdr: SMB1::Header, directory_
 ##
 ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
 ##
-## .. bro:see:: smb1_message smb1_check_directory_request
+## .. zeek:see:: smb1_message smb1_check_directory_request
 event smb1_check_directory_response%(c: connection, hdr: SMB1::Header%);
\ No newline at end of file
diff --git a/src/analyzer/protocol/smb/smb1_com_close.bif b/src/analyzer/protocol/smb/smb1_com_close.bif
index 37958e1d19..8d2d8f0747 100644
--- a/src/analyzer/protocol/smb/smb1_com_close.bif
+++ b/src/analyzer/protocol/smb/smb1_com_close.bif
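Review bot: The new `SMB3` arm instantiates `SMB2_transform_header` without the `is_orig`/`msg_len` arguments that the `SMB1` and `SMB2` arms receive, so unlike those arms nothing in this record ties the encrypted body that follows the transform header to the NetBIOS message length; whether the type consumes the remaining `msg_len` bytes itself depends on its definition in smb2-com-transform-header.pac, which is not part of this diff, so please confirm that leftover ciphertext cannot be picked up as the start of a following PDU. The added comment should also state the analysis consequence, since the bytes after the transform header are encrypted and presumably none of the SMB2 command parsers (and so, I assume, no file or DCE-RPC hand-off) will see them; e.g. `# SMB 3.x protocol ID: the PDU is wrapped in a transform header and the body is encrypted, so only the header fields are visible to the analyzer.` The enclosing `SMB_Protocol_Identifier` record starts outside the hunk.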
@@ -10,6 +10,6 @@ ## ## file_id: The file identifier being closed. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_close_request%(c: connection, hdr: SMB1::Header, file_id: count%); diff --git a/src/analyzer/protocol/smb/smb1_com_create_directory.bif b/src/analyzer/protocol/smb/smb1_com_create_directory.bif index f5e29b467b..40ddf44c8d 100644 --- a/src/analyzer/protocol/smb/smb1_com_create_directory.bif +++ b/src/analyzer/protocol/smb/smb1_com_create_directory.bif @@ -11,7 +11,7 @@ ## ## directory_name: The name of the directory to create. ## -## .. bro:see:: smb1_message smb1_create_directory_response smb1_transaction2_request +## .. zeek:see:: smb1_message smb1_create_directory_response smb1_transaction2_request event smb1_create_directory_request%(c: connection, hdr: SMB1::Header, directory_name: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -25,5 +25,5 @@ event smb1_create_directory_request%(c: connection, hdr: SMB1::Header, directory ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. ## -## .. bro:see:: smb1_message smb1_create_directory_request smb1_transaction2_request +## .. zeek:see:: smb1_message smb1_create_directory_request smb1_transaction2_request event smb1_create_directory_response%(c: connection, hdr: SMB1::Header%); \ No newline at end of file diff --git a/src/analyzer/protocol/smb/smb1_com_echo.bif b/src/analyzer/protocol/smb/smb1_com_echo.bif index 5b255af371..f95261ca3c 100644 --- a/src/analyzer/protocol/smb/smb1_com_echo.bif +++ b/src/analyzer/protocol/smb/smb1_com_echo.bif @@ -12,7 +12,7 @@ ## ## data: The data for the server to echo. ## -## .. bro:see:: smb1_message smb1_echo_response +## .. zeek:see:: smb1_message smb1_echo_response event smb1_echo_request%(c: connection, echo_count: count, data: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -28,5 +28,5 @@ event smb1_echo_request%(c: connection, echo_count: count, data: string%); ## ## data: The data echoed back from the client. ## -## .. bro:see:: smb1_message smb1_echo_request +## .. zeek:see:: smb1_message smb1_echo_request event smb1_echo_response%(c: connection, seq_num: count, data: string%); \ No newline at end of file diff --git a/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif b/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif index 88b5016328..ff5168e4dd 100644 --- a/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_logoff_andx.bif @@ -10,6 +10,6 @@ ## ## is_orig: Indicates which host sent the logoff message. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_logoff_andx%(c: connection, is_orig: bool%); diff --git a/src/analyzer/protocol/smb/smb1_com_negotiate.bif b/src/analyzer/protocol/smb/smb1_com_negotiate.bif index fdb2201c1f..7dfe02cb68 100644 --- a/src/analyzer/protocol/smb/smb1_com_negotiate.bif +++ b/src/analyzer/protocol/smb/smb1_com_negotiate.bif @@ -11,7 +11,7 @@ ## ## dialects: The SMB dialects supported by the client. ## -## .. bro:see:: smb1_message smb1_negotiate_response +## .. zeek:see:: smb1_message smb1_negotiate_response event smb1_negotiate_request%(c: connection, hdr: SMB1::Header, dialects: string_vec%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -26,7 +26,7 @@ event smb1_negotiate_request%(c: connection, hdr: SMB1::Header, dialects: string ## ## response: A record structure containing more information from the response. ## -## .. bro:see:: smb1_message smb1_negotiate_request +## .. zeek:see:: smb1_message smb1_negotiate_request event smb1_negotiate_response%(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif b/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif index f04fc839ec..66bbbc5fb9 100644 
--- a/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif +++ b/src/analyzer/protocol/smb/smb1_com_nt_cancel.bif @@ -8,5 +8,5 @@ ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_nt_cancel_request%(c: connection, hdr: SMB1::Header%); \ No newline at end of file diff --git a/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif b/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif index f8008e878b..d19d59fd50 100644 --- a/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_nt_create_andx.bif @@ -11,7 +11,7 @@ ## ## name: The ``name`` attribute specified in the message. ## -## .. bro:see:: smb1_message smb1_nt_create_andx_response +## .. zeek:see:: smb1_message smb1_nt_create_andx_response event smb1_nt_create_andx_request%(c: connection, hdr: SMB1::Header, file_name: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -30,7 +30,7 @@ event smb1_nt_create_andx_request%(c: connection, hdr: SMB1::Header, file_name: ## ## times: Timestamps associated with the file in question. ## -## .. bro:see:: smb1_message smb1_nt_create_andx_request +## .. zeek:see:: smb1_message smb1_nt_create_andx_request event smb1_nt_create_andx_response%(c: connection, hdr: SMB1::Header, file_id: count, file_size: count, times: SMB::MACTimes%); diff --git a/src/analyzer/protocol/smb/smb1_com_query_information.bif b/src/analyzer/protocol/smb/smb1_com_query_information.bif index 64a5150dc9..e2f1ded6bd 100644 --- a/src/analyzer/protocol/smb/smb1_com_query_information.bif +++ b/src/analyzer/protocol/smb/smb1_com_query_information.bif 
@@ -11,6 +11,6 @@ ## ## filename: The filename that the client is querying. ## -## .. bro:see:: smb1_message smb1_transaction2_request +## .. zeek:see:: smb1_message smb1_transaction2_request event smb1_query_information_request%(c: connection, hdr: SMB1::Header, filename: string%); diff --git a/src/analyzer/protocol/smb/smb1_com_read_andx.bif b/src/analyzer/protocol/smb/smb1_com_read_andx.bif index 73cacf0a65..a7c04bffca 100644 --- a/src/analyzer/protocol/smb/smb1_com_read_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_read_andx.bif @@ -15,7 +15,7 @@ ## ## length: The number of bytes being requested. ## -## .. bro:see:: smb1_message smb1_read_andx_response +## .. zeek:see:: smb1_message smb1_read_andx_response event smb1_read_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -29,6 +29,6 @@ event smb1_read_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, ## ## data_len: The length of data from the requested file. ## -## .. bro:see:: smb1_message smb1_read_andx_request +## .. zeek:see:: smb1_message smb1_read_andx_request event smb1_read_andx_response%(c: connection, hdr: SMB1::Header, data_len: count%); diff --git a/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif b/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif index 7971a4977c..b50fa5d875 100644 --- a/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_session_setup_andx.bif 
@@ -9,7 +9,7 @@ ## ## request: The parsed request data of the SMB message. See init-bare for more details. ## -## .. bro:see:: smb1_message smb1_session_setup_andx_response +## .. zeek:see:: smb1_message smb1_session_setup_andx_response event smb1_session_setup_andx_request%(c: connection, hdr: SMB1::Header, request: SMB1::SessionSetupAndXRequest%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -23,7 +23,7 @@ event smb1_session_setup_andx_request%(c: connection, hdr: SMB1::Header, request ## ## response: The parsed response data of the SMB message. See init-bare for more details. ## -## .. bro:see:: smb1_message smb1_session_setup_andx_request +## .. zeek:see:: smb1_message smb1_session_setup_andx_request event smb1_session_setup_andx_response%(c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb1_com_transaction.bif b/src/analyzer/protocol/smb/smb1_com_transaction.bif index 0c411b55c3..cd80a668dc 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction.bif @@ -18,7 +18,7 @@ ## ## data: content of the SMB_Data.Trans_Data field ## -## .. bro:see:: smb1_message smb1_transaction2_request +## .. zeek:see:: smb1_message smb1_transaction2_request event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2.bif b/src/analyzer/protocol/smb/smb1_com_transaction2.bif index aa30aeebe1..48e2f7cdd6 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction2.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction2.bif 
@@ -15,7 +15,7 @@ ## ## sub_cmd: The sub command, some are parsed and have their own events. ## -## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request +## .. zeek:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request ## smb1_trans2_get_dfs_referral_request smb1_transaction_request event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count%); @@ -31,7 +31,7 @@ event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::T ## ## args: A record data structure with arguments given to the command. ## -## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request +## .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request ## smb1_trans2_get_dfs_referral_request event smb1_trans2_find_first2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Request_Args%); @@ -47,7 +47,7 @@ event smb1_trans2_find_first2_request%(c: connection, hdr: SMB1::Header, args: S ## ## file_name: File name the request is in reference to. ## -## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request +## .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request ## smb1_trans2_get_dfs_referral_request event smb1_trans2_query_path_info_request%(c: connection, hdr: SMB1::Header, file_name: string%); @@ -63,7 +63,7 @@ event smb1_trans2_query_path_info_request%(c: connection, hdr: SMB1::Header, fil ## ## file_name: File name the request is in reference to. ## -## .. bro:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request +## .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request ## smb1_trans2_query_path_info_request event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, file_name: string%); 
diff --git a/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif b/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif index 16aeb2bbb6..95274af115 100644 --- a/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_tree_connect_andx.bif @@ -12,7 +12,7 @@ ## ## service: The ``service`` attribute specified in the message. ## -## .. bro:see:: smb1_message smb1_tree_connect_andx_response +## .. zeek:see:: smb1_message smb1_tree_connect_andx_response event smb1_tree_connect_andx_request%(c: connection, hdr: SMB1::Header, path: string, service: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -29,6 +29,6 @@ event smb1_tree_connect_andx_request%(c: connection, hdr: SMB1::Header, path: st ## ## native_file_system: The file system of the remote server as indicate by the server. ## -## .. bro:see:: smb1_message smb1_tree_connect_andx_request +## .. zeek:see:: smb1_message smb1_tree_connect_andx_request event smb1_tree_connect_andx_response%(c: connection, hdr: SMB1::Header, service: string, native_file_system: string%); diff --git a/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif b/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif index 493ee66238..db94e1ff2a 100644 --- a/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif +++ b/src/analyzer/protocol/smb/smb1_com_tree_disconnect.bif @@ -10,6 +10,6 @@ ## ## is_orig: True if the message was from the originator. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_tree_disconnect%(c: connection, hdr: SMB1::Header, is_orig: bool%); diff --git a/src/analyzer/protocol/smb/smb1_com_write_andx.bif b/src/analyzer/protocol/smb/smb1_com_write_andx.bif index d30c8af2ba..6bf086e978 100644 --- a/src/analyzer/protocol/smb/smb1_com_write_andx.bif +++ b/src/analyzer/protocol/smb/smb1_com_write_andx.bif 
@@ -13,7 +13,7 @@ ## ## data: The data being written. ## -## .. bro:see:: smb1_message smb1_write_andx_response +## .. zeek:see:: smb1_message smb1_write_andx_response event smb1_write_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -28,5 +28,5 @@ event smb1_write_andx_request%(c: connection, hdr: SMB1::Header, file_id: count, ## ## written_bytes: The number of bytes the server reported having actually written. ## -## .. bro:see:: smb1_message smb1_write_andx_request +## .. zeek:see:: smb1_message smb1_write_andx_request event smb1_write_andx_response%(c: connection, hdr: SMB1::Header, written_bytes: count%); diff --git a/src/analyzer/protocol/smb/smb1_events.bif b/src/analyzer/protocol/smb/smb1_events.bif index 4746af34a4..e5134b8bd0 100644 --- a/src/analyzer/protocol/smb/smb1_events.bif +++ b/src/analyzer/protocol/smb/smb1_events.bif @@ -14,7 +14,7 @@ ## is_orig: True if the message was sent by the originator of the underlying ## transport-level connection. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb1_message%(c: connection, hdr: SMB1::Header, is_orig: bool%); ## Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body. @@ -23,7 +23,7 @@ event smb1_message%(c: connection, hdr: SMB1::Header, is_orig: bool%); ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_empty_response%(c: connection, hdr: SMB1::Header%); ## Generated for :abbr:`SMB (Server Message Block)` version 1 messages 
@@ -37,6 +37,6 @@ event smb1_empty_response%(c: connection, hdr: SMB1::Header%); ## is_orig: True if the message was sent by the originator of the underlying ## transport-level connection. ## -## .. bro:see:: smb1_message +## .. zeek:see:: smb1_message event smb1_error%(c: connection, hdr: SMB1::Header, is_orig: bool%); diff --git a/src/analyzer/protocol/smb/smb2-com-negotiate.pac b/src/analyzer/protocol/smb/smb2-com-negotiate.pac index 39311e4ee3..41175fcfdd 100644 --- a/src/analyzer/protocol/smb/smb2-com-negotiate.pac +++ b/src/analyzer/protocol/smb/smb2-com-negotiate.pac @@ -1,3 +1,21 @@ +enum smb3_capabilities { + SMB2_GLOBAL_CAP_DFS = 0x00, + SMB2_GLOBAL_CAP_LEASING = 0x02, + SMB2_GLOBAL_CAP_LARGE_MTU = 0x04, + SMB2_GLOBAL_CAP_MULTI_CHANNE = 0x08, + SMB2_GLOBAL_CAP_PERSISTENT_HANDLES = 0x10, + SMB2_GLOBAL_CAP_DIRECTORY_LEASING = 0x20, + SMB2_GLOBAL_CAP_ENCRYPTION = 0x40, +}; + +enum smb3_context_type { + SMB2_PREAUTH_INTEGRITY_CAPABILITIES = 0x0001, + SMB2_ENCRYPTION_CAPABILITIES = 0x0002, + SMB2_COMPRESSION_CAPABILITIES = 0x0004, + SMB2_NETNAME_NEGOTIATE_CONTEXT_ID = 0x0005, +}; + + refine connection SMB_Conn += { function proc_smb2_negotiate_request(h: SMB2_Header, val: SMB2_negotiate_request) : bool 
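Review bot: `SMB2_GLOBAL_CAP_DFS = 0x00` cannot work as a capability bit; MS-SMB2 2.2.4 defines it as 0x00000001, with the remaining values as listed here. `SMB2_GLOBAL_CAP_MULTI_CHANNE` looks like a truncated `SMB2_GLOBAL_CAP_MULTI_CHANNEL`. In `smb3_context_type` I believe MS-SMB2 2.2.3.1 assigns `SMB2_COMPRESSION_CAPABILITIES` the value 0x0003 rather than 0x0004, which is worth checking against the spec, because with a wrong value a real compression context matches no arm of the parser's `case context_type`. The enum is called `smb3_capabilities` here while a later comment in this file's negotiate-request record refers to `enum smb2_capabilities`; pick one name.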
@@ -25,9 +43,19 @@ refine connection SMB_Conn += { nr->Assign(0, val_mgr->GetCount(${val.dialect_revision})); nr->Assign(1, val_mgr->GetCount(${val.security_mode})); - nr->Assign(2, BuildSMB2GUID(${val.server_guid})), + nr->Assign(2, BuildSMB2GUID(${val.server_guid})); nr->Assign(3, filetime2brotime(${val.system_time})); nr->Assign(4, filetime2brotime(${val.server_start_time})); + nr->Assign(5, val_mgr->GetCount(${val.negotiate_context_count})); + + VectorVal* cv = new VectorVal(BifType::Vector::SMB2::NegotiateContextValues); + + if ( ${val.dialect_revision} == 0x0311 ) + for ( auto i = 0u; i < ${val.smb3_ncl.vals}->size(); ++i ) + cv->Assign(i, BuildSMB2ContextVal(${val.smb3_ncl.vals[i]})); + + nr->Assign(6, cv); + BifEvent::generate_smb2_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), nr); 
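Review bot: The dialect literal `0x0311` that guards the `${val.smb3_ncl.vals}` access is repeated in the `SMB2_negotiate_response` case arm later in this file; a named constant next to the `smb3_*` enums would keep the two in step and make the guard self-explanatory. The guard is load-bearing, since `smb3_ncl` only exists when that case arm was taken, so a one-line comment such as `// smb3_ncl is only populated for the 3.1.1 case arm` would help the next reader. The enclosing `proc_smb2_negotiate_response` function starts and ends outside the hunk.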
@@ -37,35 +65,81 @@ refine connection SMB_Conn += { %} }; +type SMB3_preauth_integrity_capabilities = record { + hash_alg_count : uint16; + salt_length : uint16; + hash_alg : uint16[hash_alg_count]; + salt : bytestring &length = salt_length; +}; + +type SMB3_encryption_capabilities = record { + cipher_count : uint16; + ciphers : uint16[cipher_count]; +}; + +type SMB3_compression_capabilities = record { + alg_count : uint16; + pad: uint16; + reserved : uint32; + algs : uint16[alg_count]; +}; + +type SMB3_netname_negotiate_context_id(len: uint16) = record { + net_name: bytestring &length = len; +}; + +type SMB3_negotiate_context_value = record { + context_type : uint16; # specify the type of context + data_length : uint16; # the length of the data field + reserved : uint32; # ignored + data : case context_type of { + SMB2_PREAUTH_INTEGRITY_CAPABILITIES -> preauth_integrity_capabilities : SMB3_preauth_integrity_capabilities; + SMB2_ENCRYPTION_CAPABILITIES -> encryption_capabilities : SMB3_encryption_capabilities; + SMB2_COMPRESSION_CAPABILITIES -> compression_capabilities : SMB3_compression_capabilities; + SMB2_NETNAME_NEGOTIATE_CONTEXT_ID -> netname_negotiate_context_id : SMB3_netname_negotiate_context_id(data_length); + }; + pad : padding align 4; +}; + type SMB2_negotiate_request(header: SMB2_Header) = record { - structure_size : uint16; # client MUST set this to 36 - dialect_count : uint16; # must be > 0 - security_mode : uint16; # there is a list of required modes - reserved : padding[2]; # must be set to 0 - capabilities : uint32; # must be set to 0 - client_guid : SMB2_guid; # guid if client implements SMB 2.1 dialect, otherwise set to 0 - client_start_time : SMB_timestamp; # must be set to 0 + structure_size : uint16; # client MUST set this to 36 + dialect_count : uint16; # must be > 0 + security_mode : uint16; # there is a list of required modes + reserved : padding[2]; # must be set to 0 + capabilities : uint32; # must be set to 0 if SMB 2.x, otherwise if 
SMB 3.x one of enum smb2_capabilities + client_guid : SMB2_guid; # guid if client implements SMB 2.1 dialect, otherwise set to 0 + client_start_time : SMB_timestamp; dialects : uint16[dialect_count]; } &byteorder=littleendian, &let { proc : bool = $context.connection.proc_smb2_negotiate_request(header, this); }; +type NegotiateContextList(len: uint16) = record { + pad : padding align 8; + vals : SMB3_negotiate_context_value[len]; +} + type SMB2_negotiate_response(header: SMB2_Header) = record { - structure_size : uint16; - security_mode : uint16; - dialect_revision : uint16; - reserved : padding[2]; - server_guid : SMB2_guid; - capabilities : uint32; - max_transact_size : uint32; - max_read_size : uint32; - max_write_size : uint32; - system_time : SMB_timestamp; - server_start_time : SMB_timestamp; - security_offset : uint16; - security_length : uint16; - pad1 : padding to security_offset - header.head_length; - security_blob : bytestring &length=security_length; + structure_size : uint16; + security_mode : uint16; + dialect_revision : uint16; + negotiate_context_count : uint16; # reserved to 0 if not smb 3.1.1 + server_guid : SMB2_guid; + capabilities : uint32; + max_transact_size : uint32; + max_read_size : uint32; + max_write_size : uint32; + system_time : SMB_timestamp; + server_start_time : SMB_timestamp; + security_offset : uint16; + security_length : uint16; + negotiate_context_offset : uint32; + pad1 : padding to security_offset - header.head_length; + security_blob : bytestring &length=security_length; + negotiate_context_list : case dialect_revision of { + 0x0311 -> smb3_ncl : NegotiateContextList(negotiate_context_count); + default -> unknown : empty; + }; } &byteorder=littleendian, &let { proc : bool = $context.connection.proc_smb2_negotiate_response(header, this); gssapi_proc : bool = $context.connection.forward_gssapi(security_blob, false); 
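Review bot: The `data` case in `SMB3_negotiate_context_value` has no `default` arm, so a negotiate context with a type outside `smb3_context_type` (newer or vendor-specific IDs) raises a binpac exception and aborts parsing of the whole negotiate response; add `default -> unknown : bytestring &length = data_length;` so unknown contexts are skipped rather than fatal. Relatedly, none of the known arms is bounded by `data_length`, so a context whose declared length differs from the parsed structure desynchronises every context after it. MS-SMB2 2.2.3.1 says each negotiate context starts on an 8-byte boundary, so `pad : padding align 4` is likely wrong, and the list is located by alignment rather than by `negotiate_context_offset`, which the response now parses but never uses — verify how binpac computes `padding align` inside a nested record before relying on it. The comment on `capabilities` in the request record refers to `enum smb2_capabilities`, but the enum added in this file is `smb3_capabilities`.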
diff --git a/src/analyzer/protocol/smb/smb2-com-transform-header.pac b/src/analyzer/protocol/smb/smb2-com-transform-header.pac
new file mode 100644
index 0000000000..34beed0481
--- /dev/null
+++ b/src/analyzer/protocol/smb/smb2-com-transform-header.pac
@@ -0,0 +1,37 @@
+refine connection SMB_Conn += {
+
+ function BuildSMB2TransformHeaderVal(hdr: SMB2_transform_header): BroVal
+ %{
+ RecordVal* r = new RecordVal(BifType::Record::SMB2::Transform_header);
+
+ r->Assign(0, bytestring_to_val(${hdr.signature}));
+ r->Assign(1, bytestring_to_val(${hdr.nonce}));
+ r->Assign(2, val_mgr->GetCount(${hdr.orig_msg_size}));
+ r->Assign(3, val_mgr->GetCount(${hdr.flags}));
+ r->Assign(4, val_mgr->GetCount(${hdr.session_id}));
+
+ return r;
+ %}
+
+ function proc_smb2_transform_header(hdr: SMB2_transform_header) : bool
+ %{
+ if ( smb2_transform_header )
+ BifEvent::generate_smb2_transform_header(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ BuildSMB2TransformHeaderVal(hdr));
+
+ return true;
+ %}
+
+};
+
+type SMB2_transform_header = record {
+ signature : bytestring &length = 16;
+ nonce : bytestring &length = 16;
+ orig_msg_size : uint32;
+ reserved : uint16;
+ flags : uint16;
+ session_id : uint64;
+} &let {
+ proc: bool = $context.connection.proc_smb2_transform_header(this);
+} &byteorder = littleendian;
diff --git a/src/analyzer/protocol/smb/smb2-com-write.pac b/src/analyzer/protocol/smb/smb2-com-write.pac
index 177a3a84bd..c117fc793d 100644
--- a/src/analyzer/protocol/smb/smb2-com-write.pac
+++ b/src/analyzer/protocol/smb/smb2-com-write.pac
@@ -24,6 +24,15 @@ refine connection SMB_Conn += { function proc_smb2_write_response(h: SMB2_Header, val: SMB2_write_response) : bool %{
+
+ if ( smb2_write_response )
+ {
+ BifEvent::generate_smb2_write_response(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ BuildSMB2HeaderVal(h),
+ ${val.write_count});
+ }
+
 return true; %}
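Review bot: `SMB2_transform_header` parses only the 52-byte header; the ciphertext that follows is neither consumed nor noted, which is fine only if the enclosing `SMB_Protocol_Identifier` record is bounded by the outer PDU length (that framing is outside this diff) — otherwise a trailing `encrypted : bytestring &restofdata &transient;` field is needed to keep the parser from treating the ciphertext as the next message. The `flags` field's meaning depends on the dialect and deserves a comment, e.g. `flags : uint16; # Flags (3.1.1, 0x0001 = encrypted) or EncryptionAlgorithm (3.0/3.0.2), MS-SMB2 2.2.41`. `orig_msg_size` is exported as read from the wire and the analyzer does not decrypt, so script-side consumers should treat it as a peer-supplied claim; a note such as `# OriginalMessageSize as claimed by the peer; not validated against the PDU length` on that field would make that explicit.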
diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index f5095a66d1..6424e86d53 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac 
@@ -100,6 +100,74 @@ refine connection SMB_Conn += { std::map smb2_request_tree_id; %} + function BuildSMB2ContextVal(ncv: SMB3_negotiate_context_value): BroVal + %{ + RecordVal* r = new RecordVal(BifType::Record::SMB2::NegotiateContextValue); + + r->Assign(0, val_mgr->GetCount(${ncv.context_type})); + r->Assign(1, val_mgr->GetCount(${ncv.data_length})); + + switch ( ${ncv.context_type} ) { + case SMB2_PREAUTH_INTEGRITY_CAPABILITIES: + { + RecordVal* rpreauth = new RecordVal(BifType::Record::SMB2::PreAuthIntegrityCapabilities); + rpreauth->Assign(0, val_mgr->GetCount(${ncv.preauth_integrity_capabilities.hash_alg_count})); + rpreauth->Assign(1, val_mgr->GetCount(${ncv.preauth_integrity_capabilities.salt_length})); + + VectorVal* ha = new VectorVal(internal_type("index_vec")->AsVectorType()); + + for ( int i = 0; i < (${ncv.preauth_integrity_capabilities.hash_alg_count}); ++i ) + ha->Assign(i, val_mgr->GetCount(${ncv.preauth_integrity_capabilities.hash_alg[i]})); + + rpreauth->Assign(2, ha); + rpreauth->Assign(3, bytestring_to_val(${ncv.preauth_integrity_capabilities.salt})); + r->Assign(2, rpreauth); + } + break; + + case SMB2_ENCRYPTION_CAPABILITIES: + { + RecordVal* rencr = new RecordVal(BifType::Record::SMB2::EncryptionCapabilities); + rencr->Assign(0, val_mgr->GetCount(${ncv.encryption_capabilities.cipher_count})); + + VectorVal* c = new VectorVal(internal_type("index_vec")->AsVectorType()); + + for ( int i = 0; i < (${ncv.encryption_capabilities.cipher_count}); ++i ) + c->Assign(i, val_mgr->GetCount(${ncv.encryption_capabilities.ciphers[i]})); + + rencr->Assign(1, c); + r->Assign(3, rencr); + } + break; + + case SMB2_COMPRESSION_CAPABILITIES: + { + RecordVal* rcomp = new RecordVal(BifType::Record::SMB2::CompressionCapabilities); + rcomp->Assign(0, val_mgr->GetCount(${ncv.compression_capabilities.alg_count})); + + VectorVal* c = new VectorVal(internal_type("index_vec")->AsVectorType()); + + for ( int i = 0; i < (${ncv.compression_capabilities.alg_count}); ++i ) 
+ c->Assign(i, val_mgr->GetCount(${ncv.compression_capabilities.algs[i]})); + + rcomp->Assign(1, c); + r->Assign(4, rcomp); + } + break; + + case SMB2_NETNAME_NEGOTIATE_CONTEXT_ID: + { + r->Assign(5, bytestring_to_val(${ncv.netname_negotiate_context_id.net_name})); + } + break; + + default: + break; + } + + return r; + %} + function BuildSMB2HeaderVal(hdr: SMB2_Header): BroVal %{ RecordVal* r = new RecordVal(BifType::Record::SMB2::Header); diff --git a/src/analyzer/protocol/smb/smb2_com_close.bif b/src/analyzer/protocol/smb/smb2_com_close.bif index 5ac4afa1db..4f8d802c63 100644 --- a/src/analyzer/protocol/smb/smb2_com_close.bif +++ b/src/analyzer/protocol/smb/smb2_com_close.bif @@ -10,7 +10,7 @@ ## ## file_name: The SMB2 GUID of the file being closed. ## -## .. bro:see:: smb2_message smb2_close_response +## .. zeek:see:: smb2_message smb2_close_response event smb2_close_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -25,7 +25,7 @@ event smb2_close_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID% ## ## response: A record of attributes returned from the server from the close. ## -## .. bro:see:: smb2_message smb2_close_request +## .. zeek:see:: smb2_message smb2_close_request event smb2_close_response%(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse%); diff --git a/src/analyzer/protocol/smb/smb2_com_create.bif b/src/analyzer/protocol/smb/smb2_com_create.bif index 9a77878e9f..7d9c4e4895 100644 --- a/src/analyzer/protocol/smb/smb2_com_create.bif +++ b/src/analyzer/protocol/smb/smb2_com_create.bif 
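Review bot: The three vector-building loops in `BuildSMB2ContextVal` (`hash_alg`, `ciphers`, `algs`) are the same code with different field names and would read better as one helper that turns a binpac `uint16[]` array into an `index_vec` `VectorVal`, leaving each `switch` arm as a few `Assign` calls. The loops also compare a signed `int i` against an unsigned `uint16` count and wrap the count in redundant parentheses, e.g. `for ( int i = 0; i < (${ncv.encryption_capabilities.cipher_count}); ++i )`; `for ( unsigned i = 0; i < ${ncv.encryption_capabilities.cipher_count}; ++i )` avoids the sign-compare warning. The `default: break;` arm deliberately leaves record fields 2–5 unset for context types the switch does not know, which is reasonable but deserves a one-line comment saying so. The enclosing `refine connection SMB_Conn` block starts and ends outside the hunk.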
@@ -10,7 +10,7 @@ ## ## request: A record with more information related to the request. ## -## .. bro:see:: smb2_message smb2_create_response +## .. zeek:see:: smb2_message smb2_create_response event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -25,7 +25,7 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::Crea ## ## response: A record with more information related to the response. ## -## .. bro:see:: smb2_message smb2_create_request +## .. zeek:see:: smb2_message smb2_create_request event smb2_create_response%(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb2_com_negotiate.bif b/src/analyzer/protocol/smb/smb2_com_negotiate.bif index 80c7c1aea5..2202064933 100644 --- a/src/analyzer/protocol/smb/smb2_com_negotiate.bif +++ b/src/analyzer/protocol/smb/smb2_com_negotiate.bif @@ -10,7 +10,7 @@ ## ## dialects: A vector of the client's supported dialects. ## -## .. bro:see:: smb2_message smb2_negotiate_response +## .. zeek:see:: smb2_message smb2_negotiate_response event smb2_negotiate_request%(c: connection, hdr: SMB2::Header, dialects: index_vec%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -25,7 +25,7 @@ event smb2_negotiate_request%(c: connection, hdr: SMB2::Header, dialects: index_ ## ## response: The negotiate response data structure. ## -## .. bro:see:: smb2_message smb2_negotiate_request +## .. zeek:see:: smb2_message smb2_negotiate_request event smb2_negotiate_response%(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb2_com_read.bif b/src/analyzer/protocol/smb/smb2_com_read.bif index 4ccc8d7788..b14874b38b 100644 --- a/src/analyzer/protocol/smb/smb2_com_read.bif 
+++ b/src/analyzer/protocol/smb/smb2_com_read.bif @@ -14,5 +14,5 @@ ## ## length: The number of bytes of the file being read. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb2_read_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%); diff --git a/src/analyzer/protocol/smb/smb2_com_session_setup.bif b/src/analyzer/protocol/smb/smb2_com_session_setup.bif index 99430d5ac9..b3dbe6cc57 100644 --- a/src/analyzer/protocol/smb/smb2_com_session_setup.bif +++ b/src/analyzer/protocol/smb/smb2_com_session_setup.bif @@ -11,7 +11,7 @@ ## ## request: A record containing more information related to the request. ## -## .. bro:see:: smb2_message smb2_session_setup_response +## .. zeek:see:: smb2_message smb2_session_setup_response event smb2_session_setup_request%(c: connection, hdr: SMB2::Header, request: SMB2::SessionSetupRequest%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -26,7 +26,7 @@ event smb2_session_setup_request%(c: connection, hdr: SMB2::Header, request: SMB ## ## response: A record containing more information related to the response. ## -## .. bro:see:: smb2_message smb2_session_setup_request +## .. zeek:see:: smb2_message smb2_session_setup_request event smb2_session_setup_response%(c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse%); #### Types diff --git a/src/analyzer/protocol/smb/smb2_com_set_info.bif b/src/analyzer/protocol/smb/smb2_com_set_info.bif index 32de91c582..0aed278917 100644 --- a/src/analyzer/protocol/smb/smb2_com_set_info.bif +++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif 
@@ -11,7 +11,8 @@ ## ## dst_filename: The filename to rename the file into. ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid + event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -28,7 +29,8 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d ## delete_pending: A boolean value to indicate that a file should be deleted ## when it's closed if set to T. ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid + event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -46,7 +48,8 @@ event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d ## ## attrs: File attributes. ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid + event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -60,7 +63,7 @@ event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, ti ## ## alloc_size: desired allocation size. ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_allocation%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, alloc_size: int%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -74,7 +77,7 @@ event smb2_file_allocation%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUI ## ## end_of_file: the absolute new end of file position as a byte offset from the start of the file ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_endoffile%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, end_of_file: int%); @@ -89,7 +92,7 @@ event smb2_file_endoffile%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID ## ## mode: specifies how the file will subsequently be accessed. ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_mode%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, mode: count%); 
@@ -106,7 +109,7 @@ event smb2_file_mode%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, mod ## ## completion_mode: specifies if blocking mode must be enabled or not ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_pipe%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, read_mode: count, completion_mode: count%); @@ -121,7 +124,7 @@ event smb2_file_pipe%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, rea ## ## current_byte_offset: specifies the offset, in bytes, of the file pointer from the beginning of the file ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_position%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, current_byte_offset: int%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -135,7 +138,7 @@ event smb2_file_position%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, ## ## file_name: specifies the name of the file to be changed ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_shortname%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_name: string %); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -149,7 +152,7 @@ event smb2_file_shortname%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID ## ## valid_data_length: specifies the new valid data length ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_validdatalength%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, valid_data_length: int %); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -165,7 +168,7 @@ event smb2_file_validdatalength%(c: connection, hdr: SMB2::Header, file_id: SMB2 ## ## ea_value: contains the extended attribute value ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_fullea%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, ea_name: string, ea_value: string %); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -181,7 +184,7 @@ event smb2_file_fullea%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, e ## ## file_name: contains the name to be assigned to the newly created link ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_link%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, root_directory: count, file_name: string %); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` 
@@ -195,7 +198,7 @@ event smb2_file_link%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, roo ## ## fs_control: contains fs_control info (see MS-FCC 2.5.2) ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_fscontrol%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, fs_control: SMB2::Fscontrol %); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -211,7 +214,7 @@ event smb2_file_fscontrol%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID ## ## extended_info: contains extended information on the file system volume ## -## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid +## .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr, smb2_file_allocation, smb2_file_endoffile, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_shortname, smb2_file_validdatalength, smb2_file_fullea, smb2_file_link, smb2_file_fsobjectid, smb2_file_fsobjectid event smb2_file_fsobjectid%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, object_id: SMB2::GUID, extended_info: string %); # TODO - Not implemented 
@@ -225,7 +228,7 @@ event smb2_file_fsobjectid%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUI
 #
 # request: A record containing more information related to the request.
 #
-# .. bro:see:: smb2_message smb2_file_rename smb2_file_delete
+# .. zeek:see:: smb2_message smb2_file_rename smb2_file_delete
 # event smb2_set_info_request%(c: connection, hdr: SMB2::Header, request: SMB2::SetInfoRequest%);
 #
 # type SMB2::SetInfoRequest: record;
diff --git a/src/analyzer/protocol/smb/smb2_com_transform_header.bif b/src/analyzer/protocol/smb/smb2_com_transform_header.bif
new file mode 100644
index 0000000000..629ae27841
--- /dev/null
+++ b/src/analyzer/protocol/smb/smb2_com_transform_header.bif
@@ -0,0 +1,15 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 3.x *transform_header*. This is used by the client or server when sending
+## encrypted messages.
+##
+## For more information, see MS-SMB2:2.2.41
+##
+## c: The connection.
+##
+## hdr: The parsed transformed header message, which is starting with \xfdSMB and different from SMB1 and SMB2 headers.
+##
+## .. zeek:see:: smb2_message
+event smb2_transform_header%(c: connection, hdr: SMB2::Transform_header%);
+
+type SMB2::Transform_header: record;
+
diff --git a/src/analyzer/protocol/smb/smb2_com_tree_connect.bif b/src/analyzer/protocol/smb/smb2_com_tree_connect.bif
index 78978f3971..877f5b2c4c 100644
--- a/src/analyzer/protocol/smb/smb2_com_tree_connect.bif
+++ b/src/analyzer/protocol/smb/smb2_com_tree_connect.bif
@@ -10,7 +10,7 @@
 ##
 ## path: Path of the requested tree.
 ##
-## .. bro:see:: smb2_message smb2_tree_connect_response
+## .. zeek:see:: smb2_message smb2_tree_connect_response
 event smb2_tree_connect_request%(c: connection, hdr: SMB2::Header, path: string%);
 
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
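Review bot: The new record type in smb2_com_transform_header.bif is named `SMB2::Transform_header`, which mixes snake_case into a CamelCase name unlike every sibling record type visible in this diff (`SMB2::TreeConnectResponse`, `SMB2::SetInfoRequest`, and the `SMB2::PreAuthIntegrityCapabilities` family added in types.bif); since type names are script-visible API, `SMB2::TransformHeader` is the consistent choice and is much cheaper to pick now than to rename later. The `hdr` description is also hard to read as written; suggest `## hdr: The parsed transform header, which starts with \xfdSMB and differs from the SMB1 and SMB2 headers.`. The `.. zeek:see::` line could additionally point at the negotiate-related types introduced in types.bif, since this header only appears once encryption has been negotiated, but I am inferring that relationship from the names rather than from these lines.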
@@ -25,7 +25,7 @@ event smb2_tree_connect_request%(c: connection, hdr: SMB2::Header, path: string% ## ## response: A record with more information related to the response. ## -## .. bro:see:: smb2_message smb2_tree_connect_request +## .. zeek:see:: smb2_message smb2_tree_connect_request event smb2_tree_connect_response%(c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse%); type SMB2::TreeConnectResponse: record; diff --git a/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif b/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif index fdcd5d9d8b..6c7f3b7c2d 100644 --- a/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif +++ b/src/analyzer/protocol/smb/smb2_com_tree_disconnect.bif @@ -6,7 +6,7 @@ ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb2_tree_disconnect_request%(c: connection, hdr: SMB2::Header%); @@ -18,5 +18,5 @@ event smb2_tree_disconnect_request%(c: connection, hdr: SMB2::Header%); ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## -## .. bro:see:: smb2_message +## .. zeek:see:: smb2_message event smb2_tree_disconnect_response%(c: connection, hdr: SMB2::Header%); diff --git a/src/analyzer/protocol/smb/smb2_com_write.bif b/src/analyzer/protocol/smb/smb2_com_write.bif index 90efce049c..71df322090 100644 --- a/src/analyzer/protocol/smb/smb2_com_write.bif +++ b/src/analyzer/protocol/smb/smb2_com_write.bif 
@@ -14,5 +14,20 @@
 ##
 ## length: The number of bytes of the file being written.
 ##
-## .. bro:see:: smb2_message
+## .. zeek:see:: smb2_message
 event smb2_write_request%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count%);
+
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *write*. This is sent by the server in response to a write request or
+## named pipe on the server.
+##
+## For more information, see MS-SMB2:2.2.22
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## length: The number of bytes of the file being written.
+##
+## .. zeek:see:: smb2_message
+event smb2_write_response%(c: connection, hdr: SMB2::Header, length: count%);
diff --git a/src/analyzer/protocol/smb/smb2_events.bif b/src/analyzer/protocol/smb/smb2_events.bif
index a8a2c439fc..7f7d6ab9db 100644
--- a/src/analyzer/protocol/smb/smb2_events.bif
+++ b/src/analyzer/protocol/smb/smb2_events.bif
@@ -13,5 +13,5 @@
 ##
 ## is_orig: True if the message came from the originator side.
 ##
-## .. bro:see:: smb1_message
+## .. zeek:see:: smb1_message
 event smb2_message%(c: connection, hdr: SMB2::Header, is_orig: bool%);
diff --git a/src/analyzer/protocol/smb/types.bif b/src/analyzer/protocol/smb/types.bif
index 33f1a5c5a2..2acbe6d16e 100644
--- a/src/analyzer/protocol/smb/types.bif
+++ b/src/analyzer/protocol/smb/types.bif
@@ -6,3 +6,9 @@ type SMB2::Header: record;
 type SMB2::GUID: record;
 type SMB2::FileAttrs: record;
 type SMB2::Fscontrol: record;
+
+type SMB2::PreAuthIntegrityCapabilities: record;
+type SMB2::EncryptionCapabilities: record;
+type SMB2::CompressionCapabilities: record;
+type SMB2::NegotiateContextValue: record;
+type SMB2::NegotiateContextValues: vector;
diff --git a/src/analyzer/protocol/smtp/events.bif b/src/analyzer/protocol/smtp/events.bif
index 898e98e0d1..9bc9190b31 100644
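Review bot: The doc block added for `smb2_write_response` in smb2_com_write.bif still describes the request: it says the event is generated for "requests of type *write*" and that the server sends it "in response to a write request or named pipe on the server", which looks copied from the `smb2_write_request` block above it. The opening lines should read `## version 2 responses of type *write*. This is sent by the server in response to a write request.` and `length` should describe the response field, e.g. `## length: The number of bytes the server reports as written.`, since a handler correlating request and response sizes will otherwise misread it. The `.. zeek:see::` line could also list `smb2_write_request`, matching how the tree_connect request/response pair reference each other elsewhere in this diff.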
--- a/src/analyzer/protocol/smtp/events.bif +++ b/src/analyzer/protocol/smtp/events.bif @@ -16,7 +16,7 @@ ## ## arg: The request command's arguments. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_data smtp_reply ## @@ -47,7 +47,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) ## line. If so, further events will be raised and a handler may want to ## reassemble the pieces before processing the response any further. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_data smtp_request ## @@ -70,7 +70,7 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s ## data: The raw data. Note that the size of each chunk is undefined and ## depends on specifics of the underlying TCP connection. ## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_reply smtp_request skip_smtp_data ## @@ -96,7 +96,7 @@ event smtp_data%(c: connection, is_orig: bool, data: string%); ## ## detail: The actual SMTP line triggering the event. ## -## .. bro:see:: smtp_data smtp_request smtp_reply +## .. zeek:see:: smtp_data smtp_request smtp_reply event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); ## Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS. 
diff --git a/src/analyzer/protocol/smtp/functions.bif b/src/analyzer/protocol/smtp/functions.bif index 8630685096..a5670c7d64 100644 --- a/src/analyzer/protocol/smtp/functions.bif +++ b/src/analyzer/protocol/smtp/functions.bif @@ -7,7 +7,7 @@ ## ## c: The SMTP connection. ## -## .. bro:see:: skip_http_entity_data +## .. zeek:see:: skip_http_entity_data function skip_smtp_data%(c: connection%): any %{ analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index 206b632fe0..f625851d0a 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac @@ -161,13 +161,13 @@ refine connection SOCKS_Conn += { function socks5_unsupported_authentication_method(auth_method: uint8): bool %{ - reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_method_%d", auth_method)); + reporter->Weird(bro_analyzer()->Conn(), "socks5_unsupported_authentication_method", fmt("%d", auth_method)); return true; %} function socks5_unsupported_authentication_version(auth_method: uint8, version: uint8): bool %{ - reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_%d_%d", auth_method, version)); + reporter->Weird(bro_analyzer()->Conn(), "socks5_unsupported_authentication", fmt("method %d, version %d", auth_method, version)); return true; %} diff --git a/src/analyzer/protocol/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif index cb6c5e248e..6ff62e501d 100644 --- a/src/analyzer/protocol/ssh/events.bif +++ b/src/analyzer/protocol/ssh/events.bif 
@@ -7,7 +7,7 @@ ## ## version: The identification string ## -## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed +## .. zeek:see:: ssh_client_version ssh_auth_successful ssh_auth_failed ## ssh_auth_result ssh_auth_attempted ssh_capabilities ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error @@ -23,7 +23,7 @@ event ssh_server_version%(c: connection, version: string%); ## ## version: The identification string ## -## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed +## .. zeek:see:: ssh_server_version ssh_auth_successful ssh_auth_failed ## ssh_auth_result ssh_auth_attempted ssh_capabilities ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error @@ -44,7 +44,7 @@ event ssh_client_version%(c: connection, version: string%); ## :abbr:`SSH (Secure Shell)` protocol provides a mechanism for ## unauthenticated access, which some servers support. ## -## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed +## .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed ## ssh_auth_result ssh_auth_attempted ssh_capabilities ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error @@ -74,7 +74,7 @@ event ssh_auth_successful%(c: connection, auth_method_none: bool%); ## authenticated: This is true if the analyzer detected a ## successful connection from the authentication attempt. ## -## .. bro:see:: ssh_server_version ssh_client_version +## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_result ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params 
@@ -96,7 +96,7 @@ event ssh_auth_attempted%(c: connection, authenticated: bool%); ## capabilities: The list of algorithms and languages that the sender ## advertises support for, in order of preference. ## -## .. bro:see:: ssh_server_version ssh_client_version +## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_result ## ssh_auth_attempted ssh2_server_host_key ssh1_server_host_key ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params @@ -113,7 +113,7 @@ event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabi ## key: The server's public host key. Note that this is the public key ## itself, and not just the fingerprint or hash. ## -## .. bro:see:: ssh_server_version ssh_client_version +## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_result ## ssh_auth_attempted ssh_capabilities ssh1_server_host_key ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params @@ -131,7 +131,7 @@ event ssh2_server_host_key%(c: connection, key: string%); ## ## e: The exponent for the serer's public host key. ## -## .. bro:see:: ssh_server_version ssh_client_version +## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_result ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params @@ -141,7 +141,7 @@ event ssh1_server_host_key%(c: connection, p: string, e: string%); ## This event is generated when an :abbr:`SSH (Secure Shell)` ## encrypted packet is seen. This event is not handled by default, but ## is provided for heuristic analysis scripts. Note that you have to set -## :bro:id:`SSH::disable_analyzer_after_detection` to false to use this +## :zeek:id:`SSH::disable_analyzer_after_detection` to false to use this ## event. This carries a performance penalty. ## ## c: The connection over which the :abbr:`SSH (Secure Shell)` 
@@ -153,7 +153,7 @@ event ssh1_server_host_key%(c: connection, p: string, e: string%); ## len: The length of the :abbr:`SSH (Secure Shell)` payload, in ## bytes. Note that this ignores reassembly, as this is unknown. ## -## .. bro:see:: ssh_server_version ssh_client_version +## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_result ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key ## ssh1_server_host_key ssh_server_host_key ssh2_dh_server_params @@ -171,7 +171,7 @@ event ssh_encrypted_packet%(c: connection, orig: bool, len: count%); ## ## q: The DH generator. ## -## .. bro:see:: ssh_server_version ssh_client_version +## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_result ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key ## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet @@ -191,7 +191,7 @@ event ssh2_dh_server_params%(c: connection, p: string, q: string%); ## ## err_msg: Detailed human-readable error message ## -## .. bro:see:: ssh_server_version ssh_client_version +## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_result ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key ## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet @@ -211,7 +211,7 @@ event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, e ## ## q: The ephemeral public key ## -## .. bro:see:: ssh_server_version ssh_client_version +## .. zeek:see:: ssh_server_version ssh_client_version ## ssh_auth_successful ssh_auth_failed ssh_auth_result ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key ## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac index bf09f6e168..b0caebc740 100644 --- a/src/analyzer/protocol/ssh/ssh-protocol.pac 
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac @@ -415,7 +415,7 @@ refine connection SSH_Conn += { return true; - bro_analyzer()->Weird(fmt("ssh_unknown_kex_algorithm=%s", c_str(kex_algorithm_))); + bro_analyzer()->Weird("ssh_unknown_kex_algorithm", c_str(kex_algorithm_)); return true; } diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index 14e41892c8..3193470635 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt @@ -8,6 +8,7 @@ bro_plugin_cc(SSL.cc DTLS.cc Plugin.cc) bro_plugin_bif(types.bif) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) +bro_plugin_bif(consts.bif) bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac ssl-defs.pac proc-client-hello.pac proc-server-hello.pac @@ -16,7 +17,7 @@ bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyz ) bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac proc-client-hello.pac - proc-server-hello.pac + proc-server-hello.pac proc-certificate.pac ) bro_plugin_pac(dtls.pac ssl-dtls-analyzer.pac dtls-analyzer.pac ssl-dtls-protocol.pac dtls-protocol.pac ssl-defs.pac) diff --git a/src/analyzer/protocol/ssl/consts.bif b/src/analyzer/protocol/ssl/consts.bif new file mode 100644 index 0000000000..9dcbaa65d5 --- /dev/null +++ b/src/analyzer/protocol/ssl/consts.bif @@ -0,0 +1,2 @@ +const SSL::dtls_max_version_errors: count; +const SSL::dtls_max_reported_version_errors: count; diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac index 771aa267b3..70897a585c 100644 --- a/src/analyzer/protocol/ssl/dtls-protocol.pac +++ b/src/analyzer/protocol/ssl/dtls-protocol.pac 
@@ -45,15 +45,40 @@ type Handshake(rec: SSLRecord) = record { refine connection SSL_Conn += { + %member{ + uint16 invalid_version_count_; + uint16 reported_errors_; + %} + + %init{ + invalid_version_count_ = 0; + reported_errors_ = 0; + %} + function dtls_version_ok(version: uint16): uint16 %{ switch ( version ) { case DTLSv10: case DTLSv12: + // Reset only to 0 once we have seen a client hello. + // This means the connection gets a limited amount of valid/invalid + // packets before a client hello has to be seen - which seems reasonable. + if ( bro_analyzer()->ProtocolConfirmed() ) + invalid_version_count_ = 0; return true; default: - bro_analyzer()->ProtocolViolation(fmt("Invalid version in DTLS connection. Packet reported version: %d", version)); + invalid_version_count_++; + + if ( bro_analyzer()->ProtocolConfirmed() ) + { + reported_errors_++; + if ( reported_errors_ <= BifConst::SSL::dtls_max_reported_version_errors ) + bro_analyzer()->ProtocolViolation(fmt("Invalid version in DTLS connection. Packet reported version: %d", version)); + } + + if ( invalid_version_count_ > BifConst::SSL::dtls_max_version_errors ) + bro_analyzer()->SetSkip(true); return false; } %} diff --git a/src/analyzer/protocol/ssl/dtls.pac b/src/analyzer/protocol/ssl/dtls.pac index b08dd61f8f..b2aa34d5c5 100644 --- a/src/analyzer/protocol/ssl/dtls.pac +++ b/src/analyzer/protocol/ssl/dtls.pac @@ -10,6 +10,7 @@ namespace analyzer { namespace dtls { class DTLS_Analyzer; } } typedef analyzer::dtls::DTLS_Analyzer* DTLSAnalyzer; #include "DTLS.h" +#include "consts.bif.h" %} extern type DTLSAnalyzer; diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 2ef675554f..03a2a93868 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif 
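Review bot: `invalid_version_count_` and `reported_errors_` are declared `uint16` in the new `%member{}` block of dtls-protocol.pac, while the thresholds they are compared against, `SSL::dtls_max_version_errors` and `SSL::dtls_max_reported_version_errors`, are `count` constants added in consts.bif; a threshold configured at or above 65535 lets the counter wrap on `invalid_version_count_++`, so `invalid_version_count_ > BifConst::SSL::dtls_max_version_errors` never reaches `SetSkip(true)` and the reporting cap starts re-reporting after `reported_errors_` wraps. Declaring them as `uint64 invalid_version_count_;` and `uint64 reported_errors_;` matches the constants' width and removes the edge case. A short comment on the `default:` arm, stating that a version mismatch is only reported as a protocol violation once the protocol has been confirmed and that before that the analyzer is silently skipped after the threshold, would also help, since this replaces the previous unconditional `ProtocolViolation` call and changes what operators see in the logs.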
@@ -10,7 +10,7 @@ ## ## version: The protocol version as extracted from the client's message. The ## values are standardized as part of the SSL/TLS protocol. The -## :bro:id:`SSL::version_strings` table maps them to descriptive names. +## :zeek:id:`SSL::version_strings` table maps them to descriptive names. ## ## record_version: TLS version given in the record layer of the message. ## Set to 0 for SSLv2. @@ -25,12 +25,12 @@ ## ## ciphers: The list of ciphers the client offered to use. The values are ## standardized as part of the SSL/TLS protocol. The -## :bro:id:`SSL::cipher_desc` table maps them to descriptive names. +## :zeek:id:`SSL::cipher_desc` table maps them to descriptive names. ## ## comp_methods: The list of compression methods that the client offered to use. ## This value is not sent in TLSv1.3 or SSLv2. ## -## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate ssl_handshake_message ## ssl_change_cipher_spec ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params @@ -49,7 +49,7 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po ## ## version: The protocol version as extracted from the server's message. ## The values are standardized as part of the SSL/TLS protocol. The -## :bro:id:`SSL::version_strings` table maps them to descriptive names. +## :zeek:id:`SSL::version_strings` table maps them to descriptive names. ## ## record_version: TLS version given in the record layer of the message. ## Set to 0 for SSLv2. 
@@ -65,14 +65,14 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po ## the connection-id is returned. ## ## cipher: The cipher chosen by the server. The values are standardized as part -## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps +## of the SSL/TLS protocol. The :zeek:id:`SSL::cipher_desc` table maps ## them to descriptive names. ## ## comp_method: The compression method chosen by the client. The values are ## standardized as part of the SSL/TLS protocol. This value is not ## sent in TLSv1.3 or SSLv2. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_session_ticket_handshake x509_certificate ssl_server_curve ## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params @@ -91,12 +91,12 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po ## is_orig: True if event is raised for originator side of the connection. ## ## code: The numerical code of the extension. The values are standardized as -## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps +## part of the SSL/TLS protocol. The :zeek:id:`SSL::extensions` table maps ## them to descriptive names. ## ## val: The raw extension value that was sent in the message. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension_ec_point_formats ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share 
@@ -113,7 +113,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ## curves: List of supported elliptic curves. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm @@ -133,7 +133,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index ## ## point_formats: List of supported point formats. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm @@ -154,7 +154,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format ## ## signature_algorithms: List of supported signature and hash algorithm pairs. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_key_share 
@@ -173,7 +173,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature ## ## curves: List of supported/chosen named groups. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve @@ -193,7 +193,7 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## .. note:: This event is deprecated and superseded by the ssl_ecdh_server_params ## event. This event will be removed in a future version of Bro. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_key_share @@ -212,7 +212,7 @@ event ssl_server_curve%(c: connection, curve: count%) &deprecated; ## ## point: The server's ECDH public key. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature ## ssl_dh_client_params ssl_ecdh_client_params ssl_rsa_client_pms event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); 
@@ -229,7 +229,7 @@ event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); ## ## Ys: The server's DH public key. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_rsa_client_pms @@ -252,7 +252,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## corresponding to the certified public key in the server's certificate ## message is used for signing. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_server_curve ssl_rsa_client_pms ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params event ssl_server_signature%(c: connection, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); @@ -265,7 +265,7 @@ event ssl_server_signature%(c: connection, signature_and_hashalgorithm: SSL::Sig ## ## point: The client's ECDH public key. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature ## ssl_dh_client_params ssl_ecdh_server_params ssl_rsa_client_pms event ssl_ecdh_client_params%(c: connection, point: string%); 
@@ -278,7 +278,7 @@ event ssl_ecdh_client_params%(c: connection, point: string%); ## ## Yc: The client's DH public key. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature ## ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms event ssl_dh_client_params%(c: connection, Yc: string%); @@ -291,7 +291,7 @@ event ssl_dh_client_params%(c: connection, Yc: string%); ## ## pms: The encrypted pre-master secret. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params event ssl_rsa_client_pms%(c: connection, pms: string%); @@ -309,7 +309,7 @@ event ssl_rsa_client_pms%(c: connection, pms: string%); ## ## protocols: List of supported application layer protocols. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_server_name ssl_extension_key_share @@ -329,7 +329,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ## names: A list of server names (DNS hostnames). ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation 
@@ -359,7 +359,7 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec ## ## signature: signature part of the digitally_signed struct ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_server_name ssl_extension_key_share @@ -379,7 +379,7 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, ## ## versions: List of supported TLS versions. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation @@ -396,7 +396,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: ## ## versions: List of supported Pre-Shared Key Exchange Modes. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation @@ -415,7 +415,7 @@ event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: ## ## c: The connection. ## -## .. bro:see:: ssl_alert ssl_client_hello ssl_extension ssl_server_hello +## .. zeek:see:: ssl_alert ssl_client_hello ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate event ssl_established%(c: connection%); 
@@ -438,7 +438,7 @@ event ssl_established%(c: connection%); ## desc: A numerical value identifying the cause of the *alert*. The values are ## defined as part of the SSL/TLS protocol. ## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); @@ -459,7 +459,7 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); ## ## ticket: The raw ticket data. ## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%); @@ -481,7 +481,7 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ## payload: payload contained in the heartbeat message. Size can differ from ## payload_length, if payload_length and actual packet length disagree. ## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert ssl_encrypted_data event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%); 
@@ -504,14 +504,14 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type ## ## length: length of the entire message. ## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert ssl_heartbeat event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%); ## Generated for SSL/TLS messages that are sent after session encryption ## started. ## -## Note that :bro:id:`SSL::disable_analyzer_after_detection` has to be changed +## Note that :zeek:id:`SSL::disable_analyzer_after_detection` has to be changed ## from its default to false for this event to be generated. ## ## c: The connection. @@ -526,7 +526,7 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c ## ## length: length of the entire message. ## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## ssl_alert ssl_heartbeat event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%); @@ -551,7 +551,7 @@ event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%); ## ## length: Length of the handshake message that was seen. ## -## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate ssl_client_hello ## ssl_change_cipher_spec event ssl_handshake_message%(c: connection, is_orig: bool, msg_type: count, length: count%); 
@@ -563,7 +563,7 @@ event ssl_handshake_message%(c: connection, is_orig: bool, msg_type: count, leng ## ## is_orig: True if event is raised for originator side of the connection. ## -## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello +## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate ssl_client_hello ## ssl_handshake_message event ssl_change_cipher_spec%(c: connection, is_orig: bool%); diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 7d2986efe3..5cf250c366 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -172,7 +172,7 @@ refine connection Handshake_Conn += { ServerName* servername = (*list)[i]; if ( servername->name_type() != 0 ) { - bro_analyzer()->Weird(fmt("Encountered unknown type in server name ssl extension: %d", servername->name_type())); + bro_analyzer()->Weird("ssl_ext_unknown_server_name_type", fmt("%d", servername->name_type())); continue; } diff --git a/src/analyzer/protocol/syslog/syslog-analyzer.pac b/src/analyzer/protocol/syslog/syslog-analyzer.pac index 6657a63699..46e2cc171d 100644 --- a/src/analyzer/protocol/syslog/syslog-analyzer.pac +++ b/src/analyzer/protocol/syslog/syslog-analyzer.pac 
@@ -7,16 +7,27 @@ connection Syslog_Conn(bro_analyzer: BroAnalyzer)
 flow Syslog_Flow {
- datagram = Syslog_Message withcontext(connection, this);
+ datagram = Syslog_Message_Optional_PRI withcontext(connection, this);
 function process_syslog_message(m: Syslog_Message): bool
 %{
- BifEvent::generate_syslog_message(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
- ${m.PRI.facility},
- ${m.PRI.severity},
- new StringVal(${m.msg}.length(), (const char*) ${m.msg}.begin())
- );
+ if ( ${m.has_pri} )
+ BifEvent::generate_syslog_message(
+ connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ ${m.PRI.facility},
+ ${m.PRI.severity},
+ new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
+ );
+ else
+ BifEvent::generate_syslog_message(
+ connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ 999,
+ 999,
+ new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
+ );
+
 return true;
 %}
diff --git a/src/analyzer/protocol/syslog/syslog-protocol.pac b/src/analyzer/protocol/syslog/syslog-protocol.pac
index c1502fc534..41c42eba59 100644
--- a/src/analyzer/protocol/syslog/syslog-protocol.pac
+++ b/src/analyzer/protocol/syslog/syslog-protocol.pac
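Review bot: In the new `process_syslog_message` body the two `BifEvent::generate_syslog_message` calls differ only in the facility/severity arguments, and the fallback passes a bare `999` twice with nothing saying what it means. Computing both values once and keeping a single call removes the duplication and gives the sentinel a place to be explained, as below. Script-side handlers of `syslog_message` also need to learn that 999 stands for "no PRI present" rather than a parsed value; the event's documentation is not part of this diff as far as visible, so it should be updated alongside (real facilities are 0-23 and severities 0-7 per the syslog RFCs, so 999 cannot collide). The enclosing `flow Syslog_Flow` block continues outside the hunk.
```binpac
	function process_syslog_message(m: Syslog_Message): bool
		%{
		// 999 lies outside the range of any real facility (0-23) or
		// severity (0-7); it tells script land that the datagram
		// carried no "<PRI>" prefix at all.
		int facility = ${m.has_pri} ? ${m.PRI.facility} : 999;
		int severity = ${m.has_pri} ? ${m.PRI.severity} : 999;

		BifEvent::generate_syslog_message(
			connection()->bro_analyzer(),
			connection()->bro_analyzer()->Conn(),
			facility, severity,
			new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
			);

		return true;
		%}
```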
@@ -1,12 +1,27 @@
-type Syslog_Message = record {
- PRI: Syslog_Priority;
+type Syslog_Message_Optional_PRI = record {
+ lt: uint8;
+ after_lt: bytestring &restofdata &transient;
+}
+&byteorder = littleendian
+&exportsourcedata
+&let {
+ standard: Syslog_Message(true) withinput sourcedata &if(lt == 60); # '<'
+ nonstandard: Syslog_Message(false) withinput sourcedata &if(lt != 60);
+};
+
+type Syslog_Message(has_pri: bool) = record {
+ opt_pri: case has_pri of {
+ true -> PRI: Syslog_Priority;
+ false -> nothing: empty;
+ };
+
 msg: bytestring &restofdata;
 } &byteorder = littleendian;
 type Syslog_Priority = record {
- lt : uint8; # &check(lt == 60); # '<'
+ lt : uint8 &enforce(lt == 60); # '<'
 val : RE/[[:digit:]]+/;
- gt : uint8; # &check(gt == 62); # '>'
+ gt : uint8 &enforce(gt == 62); # '>'
 } &let {
 val_length: int = sizeof(val) - 1;
 int_val: int = bytestring_to_int(val, 10);
diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index 9329b103ed..188df11092 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -1019,9 +1019,9 @@ void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip)
 }
 }
-static uint64 get_relative_seq(const TCP_Endpoint* endpoint,
- uint32 cur_base, uint32 last, uint32 wraps,
- bool* underflow = 0)
+uint64 TCP_Analyzer::get_relative_seq(const TCP_Endpoint* endpoint,
+ uint32 cur_base, uint32 last,
+ uint32 wraps, bool* underflow)
 {
 int32 delta = seq_delta(cur_base, last);
@@ -1052,7 +1052,7 @@ static uint64 get_relative_seq(const TCP_Endpoint* endpoint,
 return endpoint->ToRelativeSeqSpace(cur_base, wraps);
 }
-static int get_segment_len(int payload_len, TCP_Flags flags)
+int TCP_Analyzer::get_segment_len(int payload_len, TCP_Flags flags)
 {
 int seg_len = payload_len;
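Review bot: `Syslog_Message_Optional_PRI` picks the `standard` branch on the single byte `lt == 60`, so a datagram that begins with `<` but does not continue as a well-formed `<digits>` prefix (a truncated `<1`, or text like `<html>`) never reaches the new no-PRI fallback: the digit regex or the new `&enforce(gt == 62)` presumably raises a binpac parse exception and the message is not delivered at all. If that is intended, say so next to the `&let`, e.g. `# Only the first byte is inspected: a "<" not followed by a valid PRI fails parsing instead of being treated as PRI-less.`; otherwise consider matching the whole `<digits>` prefix before committing to the strict path. This matters because syslog is unauthenticated UDP, so a sender can pick message shapes the analyzer silently drops. The `&enforce(lt == 60)` inside `Syslog_Priority` is redundant with the dispatcher but harmless as a guard for other users of the type.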
@@ -1350,11 +1350,9 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 Weird("TCP_ack_underflow_or_misorder");
 }
 else if ( ! flags.RST() )
- // Don't trust ack's in RSt packets.
+ // Don't trust ack's in RST packets.
 update_ack_seq(peer, ack_seq);
 }
-
- peer->AckReceived(rel_ack);
 }
 int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags, len);
@@ -1365,6 +1363,15 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 UpdateStateMachine(current_timestamp, endpoint, peer, base_seq, ack_seq, len, delta_last, is_orig, flags, do_close, gen_event);
+ if ( flags.ACK() )
+ // We wait on doing this until we've updated the state
+ // machine so that if the ack reveals a content gap,
+ // we can tell whether it came at the very end of the
+ // connection (in a FIN or RST). Those gaps aren't
+ // reliable - especially those for RSTs - and we refrain
+ // from flagging them in the connection history.
+ peer->AckReceived(rel_ack);
+
 if ( tcp_packet )
 GeneratePacketEvent(rel_seq, rel_ack, data, len, caplen, is_orig, flags);
diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h
index 69f3482ae0..95ef5c72d7 100644
--- a/src/analyzer/protocol/tcp/TCP.h
+++ b/src/analyzer/protocol/tcp/TCP.h
@@ -174,6 +174,13 @@ protected:
 const u_char* option, TCP_Analyzer* analyzer, bool is_orig, void* cookie);
+ // A couple utility functions that may also be useful to derived analyzers.
+ static uint64 get_relative_seq(const TCP_Endpoint* endpoint,
+ uint32 cur_base, uint32 last,
+ uint32 wraps, bool* underflow = 0);
+
+ static int get_segment_len(int payload_len, TCP_Flags flags);
+
 private:
 TCP_Endpoint* orig;
 TCP_Endpoint* resp;
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
index 7e7b316e10..99551cd211 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
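Review bot: The relocated `peer->AckReceived(rel_ack)` is now guarded only by `flags.ACK()`, while the earlier branch of the same function explicitly refuses to trust the ack number of RST packets (`else if ( ! flags.RST() ) update_ack_seq(...)`) and the new comment itself calls gaps revealed by RST acks unreliable. If `AckReceived` has no consumers beyond gap detection, `if ( flags.ACK() && ! flags.RST() )` would keep the two policies consistent instead of relying on the reassembler's endpoint-state check to filter RST-induced gaps; confirm what else `AckReceived` drives (e.g. trimming acknowledged data) before making that change. `DeliverPacket` begins and ends outside the hunk, so `rel_ack`'s computation is not visible here.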
@@ -32,8 +32,8 @@ TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig)
 tcp_analyzer = arg_analyzer;
 is_orig = arg_is_orig;
- chk_cnt = rxmt_cnt = win0_cnt = 0;
- chk_thresh = rxmt_thresh = win0_thresh = 1;
+ gap_cnt = chk_cnt = rxmt_cnt = win0_cnt = 0;
+ gap_thresh = chk_thresh = rxmt_thresh = win0_thresh = 1;
 hist_last_SYN = hist_last_FIN = hist_last_RST = 0;
@@ -313,3 +313,11 @@ void TCP_Endpoint::ZeroWindow()
 Conn()->HistoryThresholdEvent(tcp_multiple_zero_windows, IsOrig(), t);
 }
+
+void TCP_Endpoint::Gap(uint64 seq, uint64 len)
+ {
+ uint32 t = gap_thresh;
+ if ( Conn()->ScaledHistoryEntry(IsOrig() ? 'G' : 'g',
+ gap_cnt, gap_thresh) )
+ Conn()->HistoryThresholdEvent(tcp_multiple_gap, IsOrig(), t);
+ }
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h
index 4c38aadd93..b17cfef700 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.h
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h
@@ -175,6 +175,9 @@ public:
 // Called to inform endpoint that it has offered a zero window.
 void ZeroWindow();
+ // Called to inform endpoint that a gap occurred.
+ void Gap(uint64 seq, uint64 len);
+
 // Returns true if the data was used (and hence should be recorded
 // in the save file), false otherwise.
 int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
@@ -240,6 +243,7 @@ protected:
 uint32 chk_cnt, chk_thresh;
 uint32 rxmt_cnt, rxmt_thresh;
 uint32 win0_cnt, win0_thresh;
+ uint32 gap_cnt, gap_thresh;
 };
 #define ENDIAN_UNKNOWN 0
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index ef68f621b5..e91f400d76 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
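Review bot: `TCP_Endpoint::Gap(uint64 seq, uint64 len)` never reads `seq` or `len`; only `gap_cnt` and `gap_thresh` are touched. Either drop the parameters (the declaration added to TCP_Endpoint.h in this same diff would change with it) or make the intent explicit with `void TCP_Endpoint::Gap(uint64 /* seq */, uint64 /* len */)` and a comment such as `// seq/len are unused for now; kept so derived analyzers can record where the gap was.` The `uint32 t = gap_thresh;` snapshot taken before `ScaledHistoryEntry` mirrors `ZeroWindow` above and is presumably needed because that call advances the threshold; a one-line comment saying so would spare the next reader the inference.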
@@ -112,27 +112,36 @@ void TCP_Reassembler::SetContentsFile(BroFile* f)
 record_contents_file = f;
 }
-static inline bool established(const TCP_Endpoint* a, const TCP_Endpoint* b)
+static inline bool is_clean(const TCP_Endpoint* a)
 {
- return a->state == TCP_ENDPOINT_ESTABLISHED &&
- b->state == TCP_ENDPOINT_ESTABLISHED;
+ return a->state == TCP_ENDPOINT_ESTABLISHED ||
+ (a->state == TCP_ENDPOINT_CLOSED &&
+ a->prev_state == TCP_ENDPOINT_ESTABLISHED);
+ }
+
+static inline bool established_or_cleanly_closing(const TCP_Endpoint* a,
+ const TCP_Endpoint* b)
+ {
+ return is_clean(a) && is_clean(b);
 }
 static inline bool report_gap(const TCP_Endpoint* a, const TCP_Endpoint* b)
 {
 return content_gap &&
- ( BifConst::report_gaps_for_partial || established(a, b) );
+ ( BifConst::report_gaps_for_partial ||
+ established_or_cleanly_closing(a, b) );
 }
 void TCP_Reassembler::Gap(uint64 seq, uint64 len)
 {
 // Only report on content gaps for connections that
- // are in a cleanly established state. In other
- // states, these can arise falsely due to things
+ // are in a cleanly established or closing state. In
+ // other states, these can arise falsely due to things
 // like sequence number mismatches in RSTs, or
 // unseen previous packets in partial connections.
- // The one opportunity we lose here is on clean FIN
- // handshakes, but Oh Well.
+
+ if ( established_or_cleanly_closing(endp, endp->peer) )
+ endp->Gap(seq, len);
 if ( report_gap(endp, endp->peer) )
 {
diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif
index d93ebe4819..72cf44c243 100644
--- a/src/analyzer/protocol/tcp/events.bif
+++ b/src/analyzer/protocol/tcp/events.bif
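Review bot: `TCP_Reassembler::Gap` now uses two different gates: the 'g' history entry is recorded only when `established_or_cleanly_closing(endp, endp->peer)` holds, while the `content_gap` event additionally fires whenever `BifConst::report_gaps_for_partial` is set. With that constant enabled a script can receive `content_gap` for a connection whose history never shows 'g', which will surprise anyone correlating the two. A short comment before the new `if`, e.g. `// History flagging is stricter than report_gap(): it ignores report_gaps_for_partial, since gaps in partial connections are usually artifacts.`, would record that the asymmetry is intentional. `is_clean` accepting CLOSED-after-ESTABLISHED covers the FIN case the removed comment gave up on; whether a reset endpoint lands in a distinct RESET state rather than CLOSED is not visible here and is worth confirming, since the comment still cites RST sequence mismatches as a false-gap source. The rest of `Gap` continues outside the hunk.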
@@ -5,7 +5,7 @@ ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused @@ -15,13 +15,13 @@ event new_connection_contents%(c: connection%); ## Generated for an unsuccessful connection attempt. This event is raised when ## an originator unsuccessfully attempted to establish a connection. -## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds +## "Unsuccessful" is defined as at least :zeek:id:`tcp_attempt_delay` seconds ## having elapsed since the originator first sent a connection establishment ## packet to the destination without seeing a reply. ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_established +## .. zeek:see:: connection_EOF connection_SYN_packet connection_established ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove 
@@ -31,15 +31,15 @@ event connection_attempt%(c: connection%); ## Generated when seeing a SYN-ACK packet from the responder in a TCP ## handshake. An associated SYN packet was not seen from the originator -## side if its state is not set to :bro:see:`TCP_ESTABLISHED`. +## side if its state is not set to :zeek:see:`TCP_ESTABLISHED`. ## The final ACK of the handshake in response to SYN-ACK may ## or may not occur later, one way to tell is to check the *history* field of -## :bro:type:`connection` to see if the originator sent an ACK, indicated by +## :zeek:type:`connection` to see if the originator sent an ACK, indicated by ## 'A' in the history string. ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove @@ -54,7 +54,7 @@ event connection_established%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused 
@@ -66,12 +66,12 @@ event partial_connection%(c: connection%); ## Generated when a previously inactive endpoint attempts to close a TCP ## connection via a normal FIN handshake or an abort RST sequence. When the ## endpoint sent one of these packets, Bro waits -## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give +## :zeek:id:`tcp_partial_close_delay` prior to generating the event, to give ## the other endpoint a chance to close the connection normally. ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove @@ -84,7 +84,7 @@ event connection_partial_close%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove @@ -98,7 +98,7 @@ event connection_finished%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove 
@@ -112,7 +112,7 @@ event connection_half_finished%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_reset connection_reused connection_state_remove @@ -121,10 +121,10 @@ event connection_half_finished%(c: connection%); ## ## .. note:: ## -## If the responder does not respond at all, :bro:id:`connection_attempt` is +## If the responder does not respond at all, :zeek:id:`connection_attempt` is ## raised instead. If the responder initially accepts the connection but -## aborts it later, Bro first generates :bro:id:`connection_established` -## and then :bro:id:`connection_reset`. +## aborts it later, Bro first generates :zeek:id:`connection_established` +## and then :zeek:id:`connection_reset`. event connection_rejected%(c: connection%); ## Generated when an endpoint aborted a TCP connection. The event is raised @@ -133,7 +133,7 @@ event connection_rejected%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reused 
@@ -146,12 +146,12 @@ event connection_reset%(c: connection%); ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_rejected connection_reset connection_reused connection_state_remove ## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection bro_done +## new_connection new_connection_contents partial_connection zeek_done event connection_pending%(c: connection%); ## Generated for a SYN packet. Bro raises this event for every SYN packet seen @@ -161,7 +161,7 @@ event connection_pending%(c: connection%); ## ## pkt: Information extracted from the SYN packet. ## -## .. bro:see:: connection_EOF connection_attempt connection_established +## .. zeek:see:: connection_EOF connection_attempt connection_established ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove @@ -182,7 +182,7 @@ event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## ## c: The connection. ## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove 
@@ -202,7 +202,7 @@ event connection_first_ACK%(c: connection%); ## ## is_orig: True if the event is raised for the originator side. ## -## .. bro:see:: connection_SYN_packet connection_attempt connection_established +## .. zeek:see:: connection_SYN_packet connection_attempt connection_established ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove @@ -213,7 +213,7 @@ event connection_EOF%(c: connection, is_orig: bool%); ## Generated for every TCP packet. This is a very low-level and expensive event ## that should be avoided when at all possible. It's usually infeasible to ## handle when processing even medium volumes of traffic in real-time. It's -## slightly better than :bro:id:`new_packet` because it affects only TCP, but +## slightly better than :zeek:id:`new_packet` because it affects only TCP, but ## not much. That said, if you work from a trace and want to do some ## packet-level analysis, it may come in handy. ## @@ -235,7 +235,7 @@ event connection_EOF%(c: connection, is_orig: bool%); ## payload: The raw TCP payload. Note that this may be shorter than *len* if ## the packet was not fully captured. ## -## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit +## .. zeek:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%); ## Generated for each option found in a TCP header. Like many of the ``tcp_*`` 
@@ -250,16 +250,16 @@ event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: ## ## optlen: The length of the options value. ## -## .. bro:see:: tcp_packet tcp_contents tcp_rexmit +## .. zeek:see:: tcp_packet tcp_contents tcp_rexmit ## ## .. note:: There is currently no way to get the actual option value, if any. event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## Generated for each chunk of reassembled TCP payload. When content delivery is -## enabled for a TCP connection (via :bro:id:`tcp_content_delivery_ports_orig`, -## :bro:id:`tcp_content_delivery_ports_resp`, -## :bro:id:`tcp_content_deliver_all_orig`, -## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk +## enabled for a TCP connection (via :zeek:id:`tcp_content_delivery_ports_orig`, +## :zeek:id:`tcp_content_delivery_ports_resp`, +## :zeek:id:`tcp_content_deliver_all_orig`, +## :zeek:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk ## of in-order payload reconstructed from the packet stream. Note that this ## event is potentially expensive if many connections carry significant amounts ## of data as then all that data needs to be passed on to the scripting layer. @@ -273,7 +273,7 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## ## contents: The raw payload, which will be non-empty. ## -## .. bro:see:: tcp_packet tcp_option tcp_rexmit +## .. zeek:see:: tcp_packet tcp_option tcp_rexmit ## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp ## tcp_content_deliver_all_resp tcp_content_deliver_all_orig ## 
@@ -299,8 +299,8 @@ event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_ ## ## threshold: the threshold that was crossed ## -## .. bro:see:: udp_multiple_checksum_errors -## tcp_multiple_zero_windows tcp_multiple_retransmissions +## .. zeek:see:: udp_multiple_checksum_errors +## tcp_multiple_zero_windows tcp_multiple_retransmissions tcp_multiple_gap event tcp_multiple_checksum_errors%(c: connection, is_orig: bool, threshold: count%); ## Generated if a TCP flow crosses a zero-window threshold, per @@ -312,7 +312,7 @@ event tcp_multiple_checksum_errors%(c: connection, is_orig: bool, threshold: cou ## ## threshold: the threshold that was crossed ## -## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_retransmissions +## .. zeek:see:: tcp_multiple_checksum_errors tcp_multiple_retransmissions tcp_multiple_gap event tcp_multiple_zero_windows%(c: connection, is_orig: bool, threshold: count%); ## Generated if a TCP flow crosses a retransmission threshold, per @@ -324,9 +324,21 @@ event tcp_multiple_zero_windows%(c: connection, is_orig: bool, threshold: count% ## ## threshold: the threshold that was crossed ## -## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows +## .. zeek:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_gap event tcp_multiple_retransmissions%(c: connection, is_orig: bool, threshold: count%); +## Generated if a TCP flow crosses a gap threshold, per 'G'/'g' history +## reporting. +## +## c: The connection record for the TCP connection. +## +## is_orig: True if the event is raised for the originator side. +## +## threshold: the threshold that was crossed +## +## .. zeek:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_retransmissions +event tcp_multiple_gap%(c: connection, is_orig: bool, threshold: count%); + ## Generated when failing to write contents of a TCP stream to a file. ## ## c: The connection whose contents are being recorded. 
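Review bot: The docstring added for `tcp_multiple_gap` says only that a gap threshold was crossed, but unlike the sibling threshold events the underlying counter is only advanced while both endpoints are established or cleanly closing (see the reassembler gating elsewhere in this diff), which anyone using the event to detect evasion or capture loss needs to know. Suggest adding after the first paragraph `## Gaps are only counted while both endpoints are in an established or` / `## cleanly closing state; gaps seen in partial connections are not reported.` It is also worth stating, here or in the shared threshold description, that 'G' marks the originator side and 'g' the responder, which is how `TCP_Endpoint::Gap` records them.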
@@ -335,5 +347,5 @@ event tcp_multiple_retransmissions%(c: connection, is_orig: bool, threshold: cou ## ## msg: A reason or description for the failure. ## -## .. bro:see:: set_contents_file get_contents_file +## .. zeek:see:: set_contents_file get_contents_file event contents_file_write_failure%(c: connection, is_orig: bool, msg: string%); diff --git a/src/analyzer/protocol/tcp/functions.bif b/src/analyzer/protocol/tcp/functions.bif index 90c3e5ae2a..4aa218991e 100644 --- a/src/analyzer/protocol/tcp/functions.bif +++ b/src/analyzer/protocol/tcp/functions.bif @@ -12,7 +12,7 @@ ## Returns: The highest sequence number sent by a connection's originator, or 0 ## if *cid* does not point to an active TCP connection. ## -## .. bro:see:: get_resp_seq +## .. zeek:see:: get_resp_seq function get_orig_seq%(cid: conn_id%): count %{ Connection* c = sessions->FindConnection(cid); @@ -41,7 +41,7 @@ function get_orig_seq%(cid: conn_id%): count ## Returns: The highest sequence number sent by a connection's responder, or 0 ## if *cid* does not point to an active TCP connection. ## -## .. bro:see:: get_orig_seq +## .. zeek:see:: get_orig_seq function get_resp_seq%(cid: conn_id%): count %{ Connection* c = sessions->FindConnection(cid); @@ -89,9 +89,9 @@ function get_resp_seq%(cid: conn_id%): count ## contents of individual packets. Reordering and duplicates are ## removed. If any data is missing, the recording stops at the ## missing data; this can happen, e.g., due to an -## :bro:id:`content_gap` event. +## :zeek:id:`content_gap` event. ## -## .. bro:see:: get_contents_file set_record_packets contents_file_write_failure +## .. zeek:see:: get_contents_file set_record_packets contents_file_write_failure function set_contents_file%(cid: conn_id, direction: count, f: file%): bool %{ Connection* c = sessions->FindConnection(cid); 
@@ -107,14 +107,14 @@ function set_contents_file%(cid: conn_id, direction: count, f: file%): bool ## cid: The connection ID. ## ## direction: Controls what sides of the connection to record. See -## :bro:id:`set_contents_file` for possible values. +## :zeek:id:`set_contents_file` for possible values. ## -## Returns: The :bro:type:`file` handle for the contents file of the +## Returns: The :zeek:type:`file` handle for the contents file of the ## connection identified by *cid*. If the connection exists ## but there is no contents file for *direction*, then the function ## generates an error and returns a file handle to ``stderr``. ## -## .. bro:see:: set_contents_file set_record_packets contents_file_write_failure +## .. zeek:see:: set_contents_file set_record_packets contents_file_write_failure function get_contents_file%(cid: conn_id, direction: count%): file %{ Connection* c = sessions->FindConnection(cid); diff --git a/src/analyzer/protocol/teredo/events.bif b/src/analyzer/protocol/teredo/events.bif index 62bc7d06cd..080eb1bf6e 100644 --- a/src/analyzer/protocol/teredo/events.bif +++ b/src/analyzer/protocol/teredo/events.bif @@ -5,7 +5,7 @@ ## ## inner: The Teredo-encapsulated IPv6 packet header and transport header. ## -## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble +## .. zeek:see:: teredo_authentication teredo_origin_indication teredo_bubble ## ## .. note:: Since this event may be raised on a per-packet basis, handling ## it may become particularly expensive for real-time analysis. @@ -19,7 +19,7 @@ event teredo_packet%(outer: connection, inner: teredo_hdr%); ## ## inner: The Teredo-encapsulated IPv6 packet header and transport header. ## -## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble +## .. zeek:see:: teredo_packet teredo_origin_indication teredo_bubble ## ## .. note:: Since this event may be raised on a per-packet basis, handling ## it may become particularly expensive for real-time analysis. 
@@ -33,21 +33,21 @@ event teredo_authentication%(outer: connection, inner: teredo_hdr%);
 ##
 ## inner: The Teredo-encapsulated IPv6 packet header and transport header.
 ##
-## .. bro:see:: teredo_packet teredo_authentication teredo_bubble
+## .. zeek:see:: teredo_packet teredo_authentication teredo_bubble
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
 ## it may become particularly expensive for real-time analysis.
 event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
 
 ## Generated for Teredo bubble packets. That is, IPv6 packets encapsulated
-## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`.
+## in a Teredo tunnel that have a Next Header value of :zeek:id:`IPPROTO_NONE`.
 ## See :rfc:`4380` for more information about the Teredo protocol.
 ##
 ## outer: The Teredo tunnel connection.
 ##
 ## inner: The Teredo-encapsulated IPv6 packet header and transport header.
 ##
-## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication
+## .. zeek:see:: teredo_packet teredo_authentication teredo_origin_indication
 ##
 ## .. note:: Since this event may be raised on a per-packet basis, handling
 ## it may become particularly expensive for real-time analysis.
diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc
index 0da1a2bd65..ca144941b6 100644
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@@ -7,6 +7,7 @@
 #include "Net.h"
 #include "NetVar.h"
 #include "analyzer/protocol/udp/UDP.h"
+#include "analyzer/Manager.h"
 #include "Reporter.h"
 #include "Conn.h"
 
@@ -61,7 +62,30 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 
 int chksum = up->uh_sum;
 
- if ( ! ignore_checksums && caplen >= len )
+ auto validate_checksum = ! ignore_checksums && caplen >=len;
+ constexpr auto vxlan_len = 8;
+ constexpr auto eth_len = 14;
+
+ if ( validate_checksum &&
+ len > ((int)sizeof(struct udphdr) + vxlan_len + eth_len) &&
+ (data[0] & 0x08) == 0x08 )
+ {
+ auto& vxlan_ports = analyzer_mgr->GetVxlanPorts();
+
+ if ( std::find(vxlan_ports.begin(), vxlan_ports.end(),
+ ntohs(up->uh_dport)) != vxlan_ports.end() )
+ {
+ // Looks like VXLAN on a well-known port, so the checksum should be
+ // transmitted as zero, and we should accept that. If not
+ // transmitted as zero, then validating the checksum is optional.
+ if ( chksum == 0 )
+ validate_checksum = false;
+ else
+ validate_checksum = BifConst::Tunnel::validate_vxlan_checksums;
+ }
+ }
+
+ if ( validate_checksum )
 {
 bool bad = false;
 
@@ -100,7 +124,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 
 int ulen = ntohs(up->uh_ulen);
 if ( ulen != len )
- Weird(fmt("UDP_datagram_length_mismatch(%d!=%d)", ulen, len));
+ Weird("UDP_datagram_length_mismatch", fmt("%d != %d", ulen, len));
 
 len -= sizeof(struct udphdr);
 ulen -= sizeof(struct udphdr);
diff --git a/src/analyzer/protocol/udp/events.bif b/src/analyzer/protocol/udp/events.bif
index afcace330b..60326bf601 100644
--- a/src/analyzer/protocol/udp/events.bif
+++ b/src/analyzer/protocol/udp/events.bif
@@ -4,7 +4,7 @@
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##
-## .. bro:see:: udp_contents udp_reply udp_session_done
+## .. zeek:see:: udp_contents udp_reply udp_session_done
 event udp_request%(u: connection%);
 
 ## Generated for each packet sent by a UDP flow's responder. This a potentially
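Review bot: The VXLAN heuristic in the new block decides checksum handling from `std::find(vxlan_ports...)` on the destination port plus the `(data[0] & 0x08) == 0x08` flag test, and nothing states that a matching datagram is excused from validation whether or not the VXLAN analyzer later accepts it: a zero checksum on a configured VXLAN port skips the check entirely, and a non-zero one is validated only when `Tunnel::validate_vxlan_checksums` is set. A comment above `if ( validate_checksum &&` should make that explicit, e.g. `// Port + 'I'-flag heuristic only: matching datagrams skip (chksum == 0) or optionally validate the UDP checksum, even if the VXLAN analyzer later rejects them.` The `data[0]` read also presumes `data` was already advanced past the UDP header earlier in DeliverPacket, which lies outside this hunk, so that assumption is worth stating next to the test. `std::find` relies on `<algorithm>` arriving transitively — the include hunk above adds only `analyzer/Manager.h` — so `#include <algorithm>` should be added explicitly, and `caplen >=len` wants a space. DeliverPacket begins before this hunk and continues after it.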
@@ -13,17 +13,17 @@ event udp_request%(u: connection%);
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##
-## .. bro:see:: udp_contents udp_request udp_session_done
+## .. zeek:see:: udp_contents udp_request udp_session_done
 event udp_reply%(u: connection%);
 
 ## Generated for UDP packets to pass on their payload. As the number of UDP
 ## packets can be very large, this event is normally raised only for those on
-## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets
-## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp`
+## ports configured in :zeek:id:`udp_content_delivery_ports_orig` (for packets
+## sent by the flow's originator) or :zeek:id:`udp_content_delivery_ports_resp`
 ## (for packets sent by the flow's responder). However, delivery can be enabled
 ## for all UDP request and reply packets by setting
-## :bro:id:`udp_content_deliver_all_orig` or
-## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this
+## :zeek:id:`udp_content_deliver_all_orig` or
+## :zeek:id:`udp_content_deliver_all_resp`, respectively. Note that this
 ## event is also raised for all matching UDP packets, including empty ones.
 ##
 ## u: The connection record for the corresponding UDP flow.
@@ -32,7 +32,7 @@ event udp_reply%(u: connection%);
 ##
 ## contents: TODO.
 ##
-## .. bro:see:: udp_reply udp_request udp_session_done
+## .. zeek:see:: udp_reply udp_request udp_session_done
 ## udp_content_deliver_all_orig udp_content_deliver_all_resp
 ## udp_content_delivery_ports_orig udp_content_delivery_ports_resp
 event udp_contents%(u: connection, is_orig: bool, contents: string%);
@@ -46,6 +46,6 @@ event udp_contents%(u: connection, is_orig: bool, contents: string%);
 ##
 ## threshold: the threshold that was crossed
 ##
-## .. bro:see:: udp_reply udp_request udp_session_done
+## .. zeek:see:: udp_reply udp_request udp_session_done
 ## tcp_multiple_checksum_errors
 event udp_multiple_checksum_errors%(u: connection, is_orig: bool, threshold: count%);
diff --git a/src/analyzer/protocol/vxlan/CMakeLists.txt b/src/analyzer/protocol/vxlan/CMakeLists.txt
new file mode 100644
index 0000000000..e531555321
--- /dev/null
+++ b/src/analyzer/protocol/vxlan/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro VXLAN)
+bro_plugin_cc(VXLAN.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocol/vxlan/Plugin.cc b/src/analyzer/protocol/vxlan/Plugin.cc
new file mode 100644
index 0000000000..1c214d691f
--- /dev/null
+++ b/src/analyzer/protocol/vxlan/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file in the main distribution directory for copyright.
+
+#include "plugin/Plugin.h"
+
+#include "VXLAN.h"
+
+namespace plugin {
+namespace Bro_VXLAN {
+
+class Plugin : public plugin::Plugin {
+public:
+ plugin::Configuration Configure()
+ {
+ AddComponent(new ::analyzer::Component("VXLAN", ::analyzer::vxlan::VXLAN_Analyzer::Instantiate));
+
+ plugin::Configuration config;
+ config.name = "Bro::VXLAN";
+ config.description = "VXLAN analyzer";
+ return config;
+ }
+} plugin;
+
+}
+}
diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc
new file mode 100644
index 0000000000..858f514fd8
--- /dev/null
+++ b/src/analyzer/protocol/vxlan/VXLAN.cc
@@ -0,0 +1,101 @@
+// See the file in the main distribution directory for copyright.
+
+#include "VXLAN.h"
+#include "TunnelEncapsulation.h"
+#include "Conn.h"
+#include "IP.h"
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::vxlan;
+
+void VXLAN_Analyzer::Done()
+ {
+ Analyzer::Done();
+ Event(udp_session_done);
+ }
+
+void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+ uint64 seq, const IP_Hdr* ip, int caplen)
+ {
+ Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+ // Outer Ethernet, IP, and UDP layers already skipped.
+ // Also, generic UDP analyzer already checked/guarantees caplen >= len.
+
+ constexpr auto vxlan_len = 8;
+
+ if ( len < vxlan_len )
+ {
+ ProtocolViolation("VXLAN header truncation", (const char*) data, len);
+ return;
+ }
+
+ if ( (data[0] & 0x08) == 0 )
+ {
+ ProtocolViolation("VXLAN 'I' flag not set", (const char*) data, len);
+ return;
+ }
+
+ const EncapsulationStack* estack = Conn()->GetEncapsulation();
+
+ if ( estack && estack->Depth() >= BifConst::Tunnel::max_depth )
+ {
+ reporter->Weird(Conn(), "tunnel_depth");
+ return;
+ }
+
+ int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
+
+ data += vxlan_len;
+ caplen -= vxlan_len;
+ len -= vxlan_len;
+
+ pkt_timeval ts;
+ ts.tv_sec = (time_t) current_timestamp;
+ ts.tv_usec = (suseconds_t) ((current_timestamp - (double)ts.tv_sec) * 1000000);
+ Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
+
+ if ( ! pkt.Layer2Valid() )
+ {
+ ProtocolViolation("VXLAN invalid inner ethernet frame",
+ (const char*) data, len);
+ return;
+ }
+
+ data += pkt.hdr_size;
+ len -= pkt.hdr_size;
+ caplen -= pkt.hdr_size;
+
+ IP_Hdr* inner = nullptr;
+ int res = 0;
+
+ switch ( pkt.l3_proto ) {
+ case L3_IPV4:
+ res = sessions->ParseIPPacket(len, data, IPPROTO_IPV4, inner);
+ break;
+ case L3_IPV6:
+ res = sessions->ParseIPPacket(len, data, IPPROTO_IPV6, inner);
+ break;
+ default:
+ return;
+ }
+
+ if ( res < 0 )
+ {
+ delete inner;
+ ProtocolViolation("Truncated VXLAN or invalid inner IP",
+ (const char*) data, len);
+ return;
+ }
+
+ ProtocolConfirmation();
+
+ if ( vxlan_packet )
+ Conn()->Event(vxlan_packet, 0, inner->BuildPktHdrVal(),
+ val_mgr->GetCount(vni));
+
+ EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN);
+ sessions->DoNextInnerPacket(network_time, &pkt, inner, estack, ec);
+ }
diff --git a/src/analyzer/protocol/vxlan/VXLAN.h b/src/analyzer/protocol/vxlan/VXLAN.h
new file mode 100644
index 0000000000..d8e02404fa
--- /dev/null
+++ b/src/analyzer/protocol/vxlan/VXLAN.h
@@ -0,0 +1,29 @@
+// See the file in the main distribution directory for copyright.
+
+#ifndef ANALYZER_PROTOCOL_VXLAN_VXLAN_H
+#define ANALYZER_PROTOCOL_VXLAN_VXLAN_H
+
+#include "analyzer/Analyzer.h"
+#include "NetVar.h"
+#include "Reporter.h"
+
+namespace analyzer { namespace vxlan {
+
+class VXLAN_Analyzer : public analyzer::Analyzer {
+public:
+ explicit VXLAN_Analyzer(Connection* conn)
+ : Analyzer("VXLAN", conn)
+ {}
+
+ void Done() override;
+
+ void DeliverPacket(int len, const u_char* data, bool orig,
+ uint64 seq, const IP_Hdr* ip, int caplen) override;
+
+ static analyzer::Analyzer* Instantiate(Connection* conn)
+ { return new VXLAN_Analyzer(conn); }
+};
+
+} } // namespace analyzer::*
+
+#endif
diff --git a/src/analyzer/protocol/vxlan/events.bif b/src/analyzer/protocol/vxlan/events.bif
new file mode 100644
index 0000000000..d05c74dfbe
--- /dev/null
+++ b/src/analyzer/protocol/vxlan/events.bif
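Review bot: The `default:` arm of `switch ( pkt.l3_proto )` returns silently, so an inner frame that is neither IPv4 nor IPv6 (VXLAN carries arbitrary Ethernet, ARP for instance) yields no ProtocolViolation, no confirmation and no comment explaining the choice. State the intent, e.g. `default: // Non-IP inner frame: nothing further to analyze here.` followed by the existing `return;`, or report a Weird if operators should be able to see such frames. After `Layer2Valid()` the code does `len -= pkt.hdr_size;` with no check that `len >= pkt.hdr_size`; if Layer2Valid() bounds the link header against `caplen` only — and the comment near the top says the UDP layer guarantees `caplen >= len`, not equality — `len` can go negative before reaching `ParseIPPacket`, so either confirm ParseIPPacket tolerates that or add a guard. Ownership of `inner` on the success path is implicit: it is deleted in the `res < 0` branch but handed to `DoNextInnerPacket` otherwise, so a one-line comment naming who frees it would help the next reader.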
@@ -0,0 +1,12 @@
+## Generated for any packet encapsulated in a VXLAN tunnel.
+## See :rfc:`7348` for more information about the VXLAN protocol.
+##
+## outer: The VXLAN tunnel connection.
+##
+## inner: The VXLAN-encapsulated Ethernet packet header and transport header.
+##
+## vni: VXLAN Network Identifier.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%);
diff --git a/src/bro.bif b/src/bro.bif
index 6f06126e31..7493d5618b 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -303,7 +303,7 @@ static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
 
 ## Returns the current wall-clock time.
 ##
-## In general, you should use :bro:id:`network_time` instead
+## In general, you should use :zeek:id:`network_time` instead
 ## unless you are using Bro for non-networking uses (such as general
 ## scripting; not particularly recommended), because otherwise your script
 ## may behave very differently on live traffic versus played-back traffic
@@ -311,7 +311,7 @@ static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
 ##
 ## Returns: The wall-clock time.
 ##
-## .. bro:see:: network_time
+## .. zeek:see:: network_time
 function current_time%(%): time
 %{
 return new Val(current_time(), TYPE_TIME);
@@ -323,7 +323,7 @@ function current_time%(%): time
 ##
 ## Returns: The timestamp of the packet processed.
 ##
-## .. bro:see:: current_time
+## .. zeek:see:: current_time
 function network_time%(%): time
 %{
 return new Val(network_time, TYPE_TIME);
@@ -336,7 +336,7 @@ function network_time%(%): time
 ## Returns: The system environment variable identified by *var*, or an empty
 ## string if it is not defined.
 ##
-## .. bro:see:: setenv
+## .. zeek:see:: setenv
 function getenv%(var: string%): string
 %{
 const char* env_val = getenv(var->CheckString());
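Review bot: The `inner` parameter is documented as "the VXLAN-encapsulated Ethernet packet header and transport header", but it is typed `pkt_hdr` and VXLAN.cc fills it via `inner->BuildPktHdrVal()` from an `IP_Hdr`, so the record describes the inner IP and transport headers, not the Ethernet frame header that the analyzer has already skipped. Suggest `## inner: The VXLAN-encapsulated IP packet header and transport header.` A `.. zeek:see::` line pointing at the sibling tunnel event `teredo_packet` would also match the cross-reference convention this commit applies to the other event docs.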
@@ -353,7 +353,7 @@ function getenv%(var: string%): string ## ## Returns: True on success. ## -## .. bro:see:: getenv +## .. zeek:see:: getenv function setenv%(var: string, val: string%): bool %{ int result = setenv(var->AsString()->CheckString(), @@ -368,7 +368,7 @@ function setenv%(var: string, val: string%): bool ## ## code: The exit code to return with. ## -## .. bro:see:: terminate +## .. zeek:see:: terminate function exit%(code: int%): any %{ exit(code); @@ -380,7 +380,7 @@ function exit%(code: int%): any ## Returns: True after successful termination and false when Bro is still in ## the process of shutting down. ## -## .. bro:see:: exit bro_is_terminating +## .. zeek:see:: exit bro_is_terminating function terminate%(%): bool %{ if ( terminating ) @@ -440,13 +440,13 @@ static int do_system(const char* s) ## Invokes a command via the ``system`` function of the OS. ## The command runs in the background with ``stdout`` redirecting to ## ``stderr``. Here is a usage example: -## ``system(fmt("rm \"%s\"", str_shell_escape(sniffed_data)));`` +## ``system(fmt("rm %s", safe_shell_quote(sniffed_data)));`` ## ## str: The command to execute. ## ## Returns: The return value from the OS ``system`` function. ## -## .. bro:see:: system_env str_shell_escape piped_exec +## .. zeek:see:: system_env safe_shell_quote piped_exec ## ## .. note:: ## 
@@ -461,18 +461,18 @@ function system%(str: string%): int %} ## Invokes a command via the ``system`` function of the OS with a prepared -## environment. The function is essentially the same as :bro:id:`system`, +## environment. The function is essentially the same as :zeek:id:`system`, ## but changes the environment before invoking the command. ## ## str: The command to execute. ## -## env: A :bro:type:`table` with the environment variables in the form +## env: A :zeek:type:`table` with the environment variables in the form ## of key-value pairs. Each specified environment variable name ## will be automatically prepended with ``BRO_ARG_``. ## ## Returns: The return value from the OS ``system`` function. ## -## .. bro:see:: system str_shell_escape piped_exec +## .. zeek:see:: system safe_shell_quote piped_exec function system_env%(str: string, env: table_string_of_string%): int %{ if ( env->Type()->Tag() != TYPE_TABLE ) @@ -500,7 +500,7 @@ function system_env%(str: string, env: table_string_of_string%): int ## ## Returns: True on success. ## -## .. bro:see:: system system_env +## .. zeek:see:: system system_env function piped_exec%(program: string, to_write: string%): bool %{ const char* prog = program->CheckString(); @@ -536,14 +536,14 @@ function piped_exec%(program: string, to_write: string%): bool ## ## Returns: The MD5 hash value of the concatenated arguments. ## -## .. bro:see:: md5_hmac md5_hash_init md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hmac md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish ## ## .. note:: ## ## This function performs a one-shot computation of its arguments. -## For incremental hash computation, see :bro:id:`md5_hash_init` and +## For incremental hash computation, see :zeek:id:`md5_hash_init` and ## friends. function md5_hash%(...%): string %{ 
@@ -556,14 +556,14 @@ function md5_hash%(...%): string ## ## Returns: The SHA1 hash value of the concatenated arguments. ## -## .. bro:see:: md5_hash md5_hmac md5_hash_init md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hash md5_hmac md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish ## ## .. note:: ## ## This function performs a one-shot computation of its arguments. -## For incremental hash computation, see :bro:id:`sha1_hash_init` and +## For incremental hash computation, see :zeek:id:`sha1_hash_init` and ## friends. function sha1_hash%(...%): string %{ @@ -576,14 +576,14 @@ function sha1_hash%(...%): string ## ## Returns: The SHA256 hash value of the concatenated arguments. ## -## .. bro:see:: md5_hash md5_hmac md5_hash_init md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hash md5_hmac md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash_init sha256_hash_update sha256_hash_finish ## ## .. note:: ## ## This function performs a one-shot computation of its arguments. -## For incremental hash computation, see :bro:id:`sha256_hash_init` and +## For incremental hash computation, see :zeek:id:`sha256_hash_init` and ## friends. function sha256_hash%(...%): string %{ @@ -598,7 +598,7 @@ function sha256_hash%(...%): string ## ## Returns: The HMAC-MD5 hash value of the concatenated arguments. ## -## .. bro:see:: md5_hash md5_hash_init md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish function md5_hmac%(...%): string 
@@ -609,8 +609,8 @@ function md5_hmac%(...%): string %} ## Constructs an MD5 handle to enable incremental hash computation. You can -## feed data to the returned opaque value with :bro:id:`md5_hash_update` and -## eventually need to call :bro:id:`md5_hash_finish` to finish the computation +## feed data to the returned opaque value with :zeek:id:`md5_hash_update` and +## eventually need to call :zeek:id:`md5_hash_finish` to finish the computation ## and get the hash digest. ## ## For example, when computing incremental MD5 values of transferred files in @@ -618,12 +618,12 @@ function md5_hmac%(...%): string ## HTTP session record. Then, one would call ## ``c$http$md5_handle = md5_hash_init()`` once before invoking ## ``md5_hash_update(c$http$md5_handle, some_more_data)`` in the -## :bro:id:`http_entity_data` event handler. When all data has arrived, a call -## to :bro:id:`md5_hash_finish` returns the final hash value. +## :zeek:id:`http_entity_data` event handler. When all data has arrived, a call +## to :zeek:id:`md5_hash_finish` returns the final hash value. ## ## Returns: The opaque handle associated with this hash computation. ## -## .. bro:see:: md5_hmac md5_hash md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hmac md5_hash md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish function md5_hash_init%(%): opaque of md5 
@@ -634,8 +634,8 @@ function md5_hash_init%(%): opaque of md5 %} ## Constructs an SHA1 handle to enable incremental hash computation. You can -## feed data to the returned opaque value with :bro:id:`sha1_hash_update` and -## finally need to call :bro:id:`sha1_hash_finish` to finish the computation +## feed data to the returned opaque value with :zeek:id:`sha1_hash_update` and +## finally need to call :zeek:id:`sha1_hash_finish` to finish the computation ## and get the hash digest. ## ## For example, when computing incremental SHA1 values of transferred files in @@ -643,12 +643,12 @@ function md5_hash_init%(%): opaque of md5 ## HTTP session record. Then, one would call ## ``c$http$sha1_handle = sha1_hash_init()`` once before invoking ## ``sha1_hash_update(c$http$sha1_handle, some_more_data)`` in the -## :bro:id:`http_entity_data` event handler. When all data has arrived, a call -## to :bro:id:`sha1_hash_finish` returns the final hash value. +## :zeek:id:`http_entity_data` event handler. When all data has arrived, a call +## to :zeek:id:`sha1_hash_finish` returns the final hash value. ## ## Returns: The opaque handle associated with this hash computation. ## -## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish function sha1_hash_init%(%): opaque of sha1 
@@ -659,8 +659,8 @@ function sha1_hash_init%(%): opaque of sha1 %} ## Constructs an SHA256 handle to enable incremental hash computation. You can -## feed data to the returned opaque value with :bro:id:`sha256_hash_update` and -## finally need to call :bro:id:`sha256_hash_finish` to finish the computation +## feed data to the returned opaque value with :zeek:id:`sha256_hash_update` and +## finally need to call :zeek:id:`sha256_hash_finish` to finish the computation ## and get the hash digest. ## ## For example, when computing incremental SHA256 values of transferred files in @@ -668,12 +668,12 @@ function sha1_hash_init%(%): opaque of sha1 ## HTTP session record. Then, one would call ## ``c$http$sha256_handle = sha256_hash_init()`` once before invoking ## ``sha256_hash_update(c$http$sha256_handle, some_more_data)`` in the -## :bro:id:`http_entity_data` event handler. When all data has arrived, a call -## to :bro:id:`sha256_hash_finish` returns the final hash value. +## :zeek:id:`http_entity_data` event handler. When all data has arrived, a call +## to :zeek:id:`sha256_hash_finish` returns the final hash value. ## ## Returns: The opaque handle associated with this hash computation. ## -## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_update sha256_hash_finish function sha256_hash_init%(%): opaque of sha256 @@ -684,7 +684,7 @@ function sha256_hash_init%(%): opaque of sha256 %} ## Updates the MD5 value associated with a given index. It is required to -## call :bro:id:`md5_hash_init` once before calling this +## call :zeek:id:`md5_hash_init` once before calling this ## function. ## ## handle: The opaque handle associated with this hash computation. 
@@ -693,7 +693,7 @@ function sha256_hash_init%(%): opaque of sha256 ## ## Returns: True on success. ## -## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_finish +## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish function md5_hash_update%(handle: opaque of md5, data: string%): bool @@ -703,7 +703,7 @@ function md5_hash_update%(handle: opaque of md5, data: string%): bool %} ## Updates the SHA1 value associated with a given index. It is required to -## call :bro:id:`sha1_hash_init` once before calling this +## call :zeek:id:`sha1_hash_init` once before calling this ## function. ## ## handle: The opaque handle associated with this hash computation. @@ -712,7 +712,7 @@ function md5_hash_update%(handle: opaque of md5, data: string%): bool ## ## Returns: True on success. ## -## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish function sha1_hash_update%(handle: opaque of sha1, data: string%): bool @@ -722,7 +722,7 @@ function sha1_hash_update%(handle: opaque of sha1, data: string%): bool %} ## Updates the SHA256 value associated with a given index. It is required to -## call :bro:id:`sha256_hash_init` once before calling this +## call :zeek:id:`sha256_hash_init` once before calling this ## function. ## ## handle: The opaque handle associated with this hash computation. 
@@ -731,7 +731,7 @@ function sha1_hash_update%(handle: opaque of sha1, data: string%): bool ## ## Returns: True on success. ## -## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_finish function sha256_hash_update%(handle: opaque of sha256, data: string%): bool @@ -746,7 +746,7 @@ function sha256_hash_update%(handle: opaque of sha256, data: string%): bool ## ## Returns: The hash value associated with the computation of *handle*. ## -## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update +## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish function md5_hash_finish%(handle: opaque of md5%): string @@ -760,7 +760,7 @@ function md5_hash_finish%(handle: opaque of md5%): string ## ## Returns: The hash value associated with the computation of *handle*. ## -## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish function sha1_hash_finish%(handle: opaque of sha1%): string @@ -774,7 +774,7 @@ function sha1_hash_finish%(handle: opaque of sha1%): string ## ## Returns: The hash value associated with the computation of *handle*. ## -## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish +## .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update function sha256_hash_finish%(handle: opaque of sha256%): string 
@@ -789,7 +789,7 @@ function sha256_hash_finish%(handle: opaque of sha256%): string ## ## Returns: The hashed value. ## -## .. bro:see:: hrw_weight +## .. zeek:see:: hrw_weight function fnv1a32%(input: any%): count %{ ODesc desc(DESC_BINARY); @@ -814,14 +814,14 @@ function fnv1a32%(input: any%): count ## The weight function used is the one recommended in the original ## paper: ``_. ## -## key_digest: A 32-bit digest of a key. E.g. use :bro:see:`fnv1a32` to +## key_digest: A 32-bit digest of a key. E.g. use :zeek:see:`fnv1a32` to ## produce this. ## ## site_id: A 32-bit site/node identifier. ## ## Returns: The weight value for the key/site pair. ## -## .. bro:see:: fnv1a32 +## .. zeek:see:: fnv1a32 function hrw_weight%(key_digest: count, site_id: count%): count %{ uint32 d = key_digest; @@ -845,7 +845,7 @@ function hrw_weight%(key_digest: count, site_id: count%): count ## ## Returns: a random positive integer in the interval *[0, max)*. ## -## .. bro:see:: srand +## .. zeek:see:: srand ## ## .. note:: ## @@ -857,11 +857,11 @@ function rand%(max: count%): count return val_mgr->GetCount(result); %} -## Sets the seed for subsequent :bro:id:`rand` calls. +## Sets the seed for subsequent :zeek:id:`rand` calls. ## ## seed: The seed for the PRNG. ## -## .. bro:see:: rand +## .. zeek:see:: rand ## ## .. note:: ## @@ -897,7 +897,7 @@ function syslog%(s: string%): any ## Returns: The MIME type of *data*, or "" if there was an error ## or no match. This is the strongest signature match. ## -## .. bro:see:: file_magic +## .. zeek:see:: file_magic function identify_data%(data: string, return_mime: bool &default=T%): string %{ if ( ! return_mime ) @@ -918,7 +918,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string ## ## Returns: All matching signatures, in order of strength. ## -## .. bro:see:: identify_data +## .. zeek:see:: identify_data function file_magic%(data: string%): mime_matches %{ RuleMatcher::MIME_Matches matches; 
@@ -965,7 +965,7 @@ function file_magic%(data: string%): mime_matches ## which each byte in the file depends upon the previous byte. ## For random sequences this value will be close to zero. ## -## .. bro:see:: entropy_test_init entropy_test_add entropy_test_finish +## .. zeek:see:: entropy_test_init entropy_test_add entropy_test_finish function find_entropy%(data: string%): entropy_test_result %{ double montepi, scc, ent, mean, chisq; @@ -987,7 +987,7 @@ function find_entropy%(data: string%): entropy_test_result ## ## Returns: An opaque handle to be used in subsequent operations. ## -## .. bro:see:: find_entropy entropy_test_add entropy_test_finish +## .. zeek:see:: find_entropy entropy_test_add entropy_test_finish function entropy_test_init%(%): opaque of entropy %{ return new EntropyVal(); @@ -1001,7 +1001,7 @@ function entropy_test_init%(%): opaque of entropy ## ## Returns: True on success. ## -## .. bro:see:: find_entropy entropy_test_add entropy_test_finish +## .. zeek:see:: find_entropy entropy_test_add entropy_test_finish function entropy_test_add%(handle: opaque of entropy, data: string%): bool %{ bool status = static_cast(handle)->Feed(data->Bytes(), 
@@ -1010,15 +1010,15 @@ function entropy_test_add%(handle: opaque of entropy, data: string%): bool
 %}
 ## Finishes an incremental entropy calculation. Before using this function,
-## one needs to obtain an opaque handle with :bro:id:`entropy_test_init` and
-## add data to it via :bro:id:`entropy_test_add`.
+## one needs to obtain an opaque handle with :zeek:id:`entropy_test_init` and
+## add data to it via :zeek:id:`entropy_test_add`.
 ##
 ## handle: The opaque handle representing the entropy calculation state.
 ##
-## Returns: The result of the entropy test. See :bro:id:`find_entropy` for a
+## Returns: The result of the entropy test. See :zeek:id:`find_entropy` for a
 ## description of the individual components.
 ##
-## .. bro:see:: find_entropy entropy_test_init entropy_test_add
+## .. zeek:see:: find_entropy entropy_test_init entropy_test_add
 function entropy_test_finish%(handle: opaque of entropy%): entropy_test_result
 %{
 double montepi, scc, ent, mean, chisq;
@@ -1040,7 +1040,7 @@ function entropy_test_finish%(handle: opaque of entropy%): entropy_test_result
 ##
 ## Returns: A string identifier that is unique.
 ##
-## .. bro:see:: unique_id_from
+## .. zeek:see:: unique_id_from
 function unique_id%(prefix: string%) : string
 %{
 char tmp[20];
@@ -1056,7 +1056,7 @@ function unique_id%(prefix: string%) : string
 ##
 ## Returns: A string identifier that is unique.
 ##
-## .. bro:see:: unique_id
+## .. zeek:see:: unique_id
 function unique_id_from%(pool: int, prefix: string%) : string
 %{
 pool += UID_POOL_CUSTOM_SCRIPT; // Make sure we don't conflict with internal pool.
@@ -1181,7 +1181,7 @@ function val_size%(v: any%): count
 ##
 ## newsize: The new size of *aggr*.
 ##
-## Returns: The old size of *aggr*, or 0 if *aggr* is not a :bro:type:`vector`.
+## Returns: The old size of *aggr*, or 0 if *aggr* is not a :zeek:type:`vector`.
 function resize%(aggr: any, newsize: count%) : count
 %{
 if ( aggr->Type()->Tag() != TYPE_VECTOR )
@@ -1200,7 +1200,7 @@ function resize%(aggr: any, newsize: count%) : count
 ##
 ## Returns: True if any element in *v* is true.
 ##
-## .. bro:see:: all_set
+## .. zeek:see:: all_set
 function any_set%(v: any%) : bool
 %{
 if ( v->Type()->Tag() != TYPE_VECTOR ||
@@ -1225,7 +1225,7 @@ function any_set%(v: any%) : bool
 ##
 ## Returns: True iff all elements in *v* are true or there are no elements.
 ##
-## .. bro:see:: any_set
+## .. zeek:see:: any_set
 ##
 ## .. note::
 ##
@@ -1324,7 +1324,7 @@ bool indirect_unsigned_sort_function(size_t a, size_t b)
 ## Returns: The vector, sorted from minimum to maximum value. If the vector
 ## could not be sorted, then the original vector is returned instead.
 ##
-## .. bro:see:: order
+## .. zeek:see:: order
 function sort%(v: any, ...%) : any
 %{
 v->Ref(); // we always return v
@@ -1384,7 +1384,7 @@ function sort%(v: any, ...%) : any
 %}
 ## Returns the order of the elements in a vector according to some
-## comparison function. See :bro:id:`sort` for details about the comparison
+## comparison function. See :zeek:id:`sort` for details about the comparison
 ## function.
 ##
 ## v: The vector whose order to compute.
@@ -1393,7 +1393,7 @@ function sort%(v: any, ...%) : any
 ## For example, the elements of *v* in order are (assuming ``o``
 ## is the vector returned by ``order``): v[o[0]], v[o[1]], etc.
 ##
-## .. bro:see:: sort
+## .. zeek:see:: sort
 function order%(v: any, ...%) : index_vec
 %{
 VectorVal* result_v = new VectorVal(
@@ -1501,7 +1501,7 @@ function cat%(...%): string
 %}
 ## Concatenates all arguments, with a separator placed between each one. This
-## function is similar to :bro:id:`cat`, but places a separator between each
+## function is similar to :zeek:id:`cat`, but places a separator between each
 ## given argument. If any of the variable arguments is an empty string it is
 ## replaced by a given default string instead.
 ##
@@ -1512,7 +1512,7 @@ function cat%(...%): string
 ## Returns: A concatenation of all arguments with *sep* between each one and
 ## empty strings replaced with *def*.
 ##
-## .. bro:see:: cat string_cat cat_string_array cat_string_array_n
+## .. zeek:see:: cat string_cat cat_string_array cat_string_array_n
 function cat_sep%(sep: string, def: string, ...%): string
 %{
 ODesc d;
@@ -1574,12 +1574,12 @@ function cat_sep%(sep: string, def: string, ...%): string
 ##
 ## - ``[efg]``: Double
 ##
-## Returns: Returns the formatted string. Given no arguments, :bro:id:`fmt`
+## Returns: Returns the formatted string. Given no arguments, :zeek:id:`fmt`
 ## returns an empty string. Given no format string or the wrong
 ## number of additional arguments for the given format specifier,
-## :bro:id:`fmt` generates a run-time error.
+## :zeek:id:`fmt` generates a run-time error.
 ##
-## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
+## .. zeek:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
 function fmt%(...%): string
 %{
 if ( @ARGC@ == 0 )
@@ -1623,27 +1623,27 @@ function fmt%(...%): string
 #
 # ===========================================================================
-## Computes the greatest integer less than the given :bro:type:`double` value.
+## Computes the greatest integer less than the given :zeek:type:`double` value.
 ## For example, ``floor(3.14)`` returns ``3.0``, and ``floor(-3.14)``
 ## returns ``-4.0``.
 ##
-## d: The :bro:type:`double` to manipulate.
+## d: The :zeek:type:`double` to manipulate.
 ##
-## Returns: The next lowest integer of *d* as :bro:type:`double`.
+## Returns: The next lowest integer of *d* as :zeek:type:`double`.
 ##
-## .. bro:see:: sqrt exp ln log10
+## .. zeek:see:: sqrt exp ln log10
 function floor%(d: double%): double
 %{
 return new Val(floor(d), TYPE_DOUBLE);
 %}
-## Computes the square root of a :bro:type:`double`.
+## Computes the square root of a :zeek:type:`double`.
 ##
 ## x: The number to compute the square root of.
 ##
 ## Returns: The square root of *x*.
 ##
-## .. bro:see:: floor exp ln log10
+## .. zeek:see:: floor exp ln log10
 function sqrt%(x: double%): double
 %{
 if ( x < 0 )
@@ -1661,7 +1661,7 @@ function sqrt%(x: double%): double
 ##
 ## Returns: *e* to the power of *d*.
 ##
-## .. bro:see:: floor sqrt ln log10
+## .. zeek:see:: floor sqrt ln log10
 function exp%(d: double%): double
 %{
 return new Val(exp(d), TYPE_DOUBLE);
@@ -1673,7 +1673,7 @@ function exp%(d: double%): double
 ##
 ## Returns: The natural logarithm of *d*.
 ##
-## .. bro:see:: exp floor sqrt log10
+## .. zeek:see:: exp floor sqrt log10
 function ln%(d: double%): double
 %{
 return new Val(log(d), TYPE_DOUBLE);
@@ -1685,7 +1685,7 @@ function ln%(d: double%): double
 ##
 ## Returns: The common logarithm of *d*.
 ##
-## .. bro:see:: exp floor sqrt ln
+## .. zeek:see:: exp floor sqrt ln
 function log10%(d: double%): double
 %{
 return new Val(log10(d), TYPE_DOUBLE);
@@ -1787,7 +1787,7 @@ function type_name%(t: any%): string
 ##
 ## Returns: True if reading traffic from a network interface.
 ##
-## .. bro:see:: reading_traces
+## .. zeek:see:: reading_traces
 function reading_live_traffic%(%): bool
 %{
 return val_mgr->GetBool(reading_live);
@@ -1798,7 +1798,7 @@ function reading_live_traffic%(%): bool
 ##
 ## Returns: True if reading traffic from a network trace.
 ##
-## .. bro:see:: reading_live_traffic
+## .. zeek:see:: reading_live_traffic
 function reading_traces%(%): bool
 %{
 return val_mgr->GetBool(reading_traces);
@@ -1810,7 +1810,7 @@ function reading_traces%(%): bool
 ##
 ## Returns: A table that maps variable names to their sizes.
 ##
-## .. bro:see:: global_ids
+## .. zeek:see:: global_ids
 function global_sizes%(%): var_sizes
 %{
 TableVal* sizes = new TableVal(var_sizes);
@@ -1837,7 +1837,7 @@ function global_sizes%(%): var_sizes
 ##
 ## Returns: A table that maps identifier names to information about them.
 ##
-## .. bro:see:: global_sizes
+## .. zeek:see:: global_sizes
 function global_ids%(%): id_table
 %{
 TableVal* ids = new TableVal(id_table);
@@ -1977,10 +1977,10 @@ function record_fields%(rec: any%): record_field_table
 ## Enables detailed collection of profiling statistics. Statistics include
 ## CPU/memory usage, connections, TCP states/reassembler, DNS lookups,
-## timers, and script-level state. The script variable :bro:id:`profiling_file`
+## timers, and script-level state. The script variable :zeek:id:`profiling_file`
 ## holds the name of the file.
 ##
-## .. bro:see:: get_conn_stats
+## .. zeek:see:: get_conn_stats
 ## get_dns_stats
 ## get_event_stats
 ## get_file_analysis_stats
@@ -2052,7 +2052,7 @@ function is_local_interface%(ip: addr%) : bool
 ##
 ## Returns: True (unconditionally).
 ##
-## .. bro:see:: get_matcher_stats
+## .. zeek:see:: get_matcher_stats
 function dump_rule_stats%(f: file%): bool
 %{
 if ( rule_matcher )
@@ -2065,7 +2065,7 @@ function dump_rule_stats%(f: file%): bool
 ##
 ## Returns: True if Bro is in the process of shutting down.
 ##
-## .. bro:see:: terminate
+## .. zeek:see:: terminate
 function bro_is_terminating%(%): bool
 %{
 return val_mgr->GetBool(terminating);
@@ -2143,10 +2143,10 @@ function is_v6_subnet%(s: subnet%): bool
 #
 # ===========================================================================
-## Converts the *data* field of :bro:type:`ip6_routing` records that have
+## Converts the *data* field of :zeek:type:`ip6_routing` records that have
 ## *rtype* of 0 into a vector of addresses.
 ##
-## s: The *data* field of an :bro:type:`ip6_routing` record that has
+## s: The *data* field of an :zeek:type:`ip6_routing` record that has
 ## an *rtype* of 0.
 ##
 ## Returns: The vector of addresses contained in the routing header data.
@@ -2173,14 +2173,14 @@ function routing0_data_to_addrs%(s: string%): addr_vec
 return rval;
 %}
-## Converts an :bro:type:`addr` to an :bro:type:`index_vec`.
+## Converts an :zeek:type:`addr` to an :zeek:type:`index_vec`.
 ##
 ## a: The address to convert into a vector of counts.
 ##
 ## Returns: A vector containing the host-order address representation,
 ## four elements in size for IPv6 addresses, or one element for IPv4.
 ##
-## .. bro:see:: counts_to_addr
+## .. zeek:see:: counts_to_addr
 function addr_to_counts%(a: addr%): index_vec
 %{
 VectorVal* rval = new VectorVal(internal_type("index_vec")->AsVectorType());
@@ -2193,14 +2193,14 @@ function addr_to_counts%(a: addr%): index_vec
 return rval;
 %}
-## Converts an :bro:type:`index_vec` to an :bro:type:`addr`.
+## Converts an :zeek:type:`index_vec` to an :zeek:type:`addr`.
 ##
 ## v: The vector containing host-order IP address representation,
 ## one element for IPv4 addresses, four elements for IPv6 addresses.
 ##
 ## Returns: An IP address.
 ##
-## .. bro:see:: addr_to_counts
+## .. zeek:see:: addr_to_counts
 function counts_to_addr%(v: index_vec%): addr
 %{
 if ( v->AsVector()->size() == 1 )
@@ -2223,11 +2223,11 @@ function counts_to_addr%(v: index_vec%): addr
 }
 %}
-## Converts an :bro:type:`enum` to an :bro:type:`int`.
+## Converts an :zeek:type:`enum` to an :zeek:type:`int`.
 ##
-## e: The :bro:type:`enum` to convert.
+## e: The :zeek:type:`enum` to convert.
 ##
-## Returns: The :bro:type:`int` value that corresponds to the :bro:type:`enum`.
+## Returns: The :zeek:type:`int` value that corresponds to the :zeek:type:`enum`.
 function enum_to_int%(e: any%): int
 %{
 if ( e->Type()->Tag() != TYPE_ENUM )
@@ -2239,13 +2239,13 @@ function enum_to_int%(e: any%): int
 return val_mgr->GetInt(e->AsEnum());
 %}
-## Converts a :bro:type:`string` to an :bro:type:`int`.
+## Converts a :zeek:type:`string` to an :zeek:type:`int`.
 ##
-## str: The :bro:type:`string` to convert.
+## str: The :zeek:type:`string` to convert.
 ##
-## Returns: The :bro:type:`string` *str* as :bro:type:`int`.
+## Returns: The :zeek:type:`string` *str* as :zeek:type:`int`.
 ##
-## .. bro:see:: to_addr to_port to_subnet
+## .. zeek:see:: to_addr to_port to_subnet
 function to_int%(str: string%): int
 %{
 const char* s = str->CheckString();
@@ -2264,11 +2264,11 @@ function to_int%(str: string%): int
 %}
-## Converts a (positive) :bro:type:`int` to a :bro:type:`count`.
+## Converts a (positive) :zeek:type:`int` to a :zeek:type:`count`.
 ##
-## n: The :bro:type:`int` to convert.
+## n: The :zeek:type:`int` to convert.
 ##
-## Returns: The :bro:type:`int` *n* as unsigned integer, or 0 if *n* < 0.
+## Returns: The :zeek:type:`int` *n* as unsigned integer, or 0 if *n* < 0.
 function int_to_count%(n: int%): count
 %{
 if ( n < 0 )
@@ -2279,13 +2279,13 @@ function int_to_count%(n: int%): count
 return val_mgr->GetCount(n);
 %}
-## Converts a :bro:type:`double` to a :bro:type:`count`.
+## Converts a :zeek:type:`double` to a :zeek:type:`count`.
 ##
-## d: The :bro:type:`double` to convert.
+## d: The :zeek:type:`double` to convert.
 ##
-## Returns: The :bro:type:`double` *d* as unsigned integer, or 0 if *d* < 0.0.
+## Returns: The :zeek:type:`double` *d* as unsigned integer, or 0 if *d* < 0.0.
 ##
-## .. bro:see:: double_to_time
+## .. zeek:see:: double_to_time
 function double_to_count%(d: double%): count
 %{
 if ( d < 0.0 )
@@ -2294,14 +2294,14 @@ function double_to_count%(d: double%): count
 return val_mgr->GetCount(bro_uint_t(rint(d)));
 %}
-## Converts a :bro:type:`string` to a :bro:type:`count`.
+## Converts a :zeek:type:`string` to a :zeek:type:`count`.
 ##
-## str: The :bro:type:`string` to convert.
+## str: The :zeek:type:`string` to convert.
 ##
-## Returns: The :bro:type:`string` *str* as unsigned integer, or 0 if *str* has
+## Returns: The :zeek:type:`string` *str* as unsigned integer, or 0 if *str* has
 ## an invalid format.
 ##
-## .. bro:see:: to_addr to_int to_port to_subnet
+## .. zeek:see:: to_addr to_int to_port to_subnet
 function to_count%(str: string%): count
 %{
 const char* s = str->CheckString();
@@ -2318,88 +2318,88 @@ function to_count%(str: string%): count
 return val_mgr->GetCount(u);
 %}
-## Converts an :bro:type:`interval` to a :bro:type:`double`.
+## Converts an :zeek:type:`interval` to a :zeek:type:`double`.
 ##
-## i: The :bro:type:`interval` to convert.
+## i: The :zeek:type:`interval` to convert.
 ##
-## Returns: The :bro:type:`interval` *i* as :bro:type:`double`.
+## Returns: The :zeek:type:`interval` *i* as :zeek:type:`double`.
 ##
-## .. bro:see:: double_to_interval
+## .. zeek:see:: double_to_interval
 function interval_to_double%(i: interval%): double
 %{
 return new Val(i, TYPE_DOUBLE);
 %}
-## Converts a :bro:type:`time` value to a :bro:type:`double`.
+## Converts a :zeek:type:`time` value to a :zeek:type:`double`.
 ##
-## t: The :bro:type:`time` to convert.
+## t: The :zeek:type:`time` to convert.
 ##
-## Returns: The :bro:type:`time` value *t* as :bro:type:`double`.
+## Returns: The :zeek:type:`time` value *t* as :zeek:type:`double`.
 ##
-## .. bro:see:: double_to_time
+## .. zeek:see:: double_to_time
 function time_to_double%(t: time%): double
 %{
 return new Val(t, TYPE_DOUBLE);
 %}
-## Converts a :bro:type:`double` value to a :bro:type:`time`.
+## Converts a :zeek:type:`double` value to a :zeek:type:`time`.
 ##
-## d: The :bro:type:`double` to convert.
+## d: The :zeek:type:`double` to convert.
 ##
-## Returns: The :bro:type:`double` value *d* as :bro:type:`time`.
+## Returns: The :zeek:type:`double` value *d* as :zeek:type:`time`.
 ##
-## .. bro:see:: time_to_double double_to_count
+## .. zeek:see:: time_to_double double_to_count
 function double_to_time%(d: double%): time
 %{
 return new Val(d, TYPE_TIME);
 %}
-## Converts a :bro:type:`double` to an :bro:type:`interval`.
+## Converts a :zeek:type:`double` to an :zeek:type:`interval`.
 ##
-## d: The :bro:type:`double` to convert.
+## d: The :zeek:type:`double` to convert.
 ##
-## Returns: The :bro:type:`double` *d* as :bro:type:`interval`.
+## Returns: The :zeek:type:`double` *d* as :zeek:type:`interval`.
 ##
-## .. bro:see:: interval_to_double
+## .. zeek:see:: interval_to_double
 function double_to_interval%(d: double%): interval
 %{
 return new Val(d, TYPE_INTERVAL);
 %}
-## Converts a :bro:type:`port` to a :bro:type:`count`.
+## Converts a :zeek:type:`port` to a :zeek:type:`count`.
 ##
-## p: The :bro:type:`port` to convert.
+## p: The :zeek:type:`port` to convert.
 ##
-## Returns: The :bro:type:`port` *p* as :bro:type:`count`.
+## Returns: The :zeek:type:`port` *p* as :zeek:type:`count`.
 ##
-## .. bro:see:: count_to_port
+## .. zeek:see:: count_to_port
 function port_to_count%(p: port%): count
 %{
 return val_mgr->GetCount(p->Port());
 %}
-## Converts a :bro:type:`count` and ``transport_proto`` to a :bro:type:`port`.
+## Converts a :zeek:type:`count` and ``transport_proto`` to a :zeek:type:`port`.
 ##
-## num: The :bro:type:`port` number.
+## num: The :zeek:type:`port` number.
 ##
 ## proto: The transport protocol.
 ##
-## Returns: The :bro:type:`count` *num* as :bro:type:`port`.
+## Returns: The :zeek:type:`count` *num* as :zeek:type:`port`.
 ##
-## .. bro:see:: port_to_count
+## .. zeek:see:: port_to_count
 function count_to_port%(num: count, proto: transport_proto%): port
 %{
 return val_mgr->GetPort(num, (TransportProto)proto->AsEnum());
 %}
-## Converts a :bro:type:`string` to an :bro:type:`addr`.
+## Converts a :zeek:type:`string` to an :zeek:type:`addr`.
 ##
-## ip: The :bro:type:`string` to convert.
+## ip: The :zeek:type:`string` to convert.
 ##
-## Returns: The :bro:type:`string` *ip* as :bro:type:`addr`, or the unspecified
+## Returns: The :zeek:type:`string` *ip* as :zeek:type:`addr`, or the unspecified
 ## address ``::`` if the input string does not parse correctly.
 ##
-## .. bro:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr
+## .. zeek:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr
 ## to_subnet
 function to_addr%(ip: string%): addr
 %{
@@ -2409,14 +2409,14 @@ function to_addr%(ip: string%): addr
 return ret;
 %}
-## Converts a :bro:type:`string` to a :bro:type:`subnet`.
+## Converts a :zeek:type:`string` to a :zeek:type:`subnet`.
 ##
 ## sn: The subnet to convert.
 ##
-## Returns: The *sn* string as a :bro:type:`subnet`, or the unspecified subnet
+## Returns: The *sn* string as a :zeek:type:`subnet`, or the unspecified subnet
 ## ``::/0`` if the input string does not parse correctly.
 ##
-## .. bro:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr
+## .. zeek:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr
 ## to_addr
 function to_subnet%(sn: string%): subnet
 %{
@@ -2426,49 +2426,49 @@ function to_subnet%(sn: string%): subnet
 return ret;
 %}
-## Converts a :bro:type:`addr` to a :bro:type:`subnet`.
+## Converts a :zeek:type:`addr` to a :zeek:type:`subnet`.
 ##
 ## a: The address to convert.
 ##
-## Returns: The address as a :bro:type:`subnet`.
+## Returns: The address as a :zeek:type:`subnet`.
 ##
-## .. bro:see:: to_subnet
+## .. zeek:see:: to_subnet
 function addr_to_subnet%(a: addr%): subnet
 %{
 int width = (a->AsAddr().GetFamily() == IPv4 ? 32 : 128);
 return new SubNetVal(a->AsAddr(), width);
 %}
-## Converts a :bro:type:`subnet` to an :bro:type:`addr` by
+## Converts a :zeek:type:`subnet` to an :zeek:type:`addr` by
 ## extracting the prefix.
 ##
 ## sn: The subnet to convert.
 ##
-## Returns: The subnet as an :bro:type:`addr`.
+## Returns: The subnet as an :zeek:type:`addr`.
 ##
-## .. bro:see:: to_subnet
+## .. zeek:see:: to_subnet
 function subnet_to_addr%(sn: subnet%): addr
 %{
 return new AddrVal(sn->Prefix());
 %}
-## Returns the width of a :bro:type:`subnet`.
+## Returns the width of a :zeek:type:`subnet`.
 ##
 ## sn: The subnet.
 ##
 ## Returns: The width of the subnet.
 ##
-## .. bro:see:: to_subnet
+## .. zeek:see:: to_subnet
 function subnet_width%(sn: subnet%): count
 %{
 return val_mgr->GetCount(sn->Width());
 %}
-## Converts a :bro:type:`string` to a :bro:type:`double`.
+## Converts a :zeek:type:`string` to a :zeek:type:`double`.
 ##
-## str: The :bro:type:`string` to convert.
+## str: The :zeek:type:`string` to convert.
 ##
-## Returns: The :bro:type:`string` *str* as double, or 0 if *str* has
+## Returns: The :zeek:type:`string` *str* as double, or 0 if *str* has
 ## an invalid format.
 ##
 function to_double%(str: string%): double
@@ -2487,13 +2487,13 @@ function to_double%(str: string%): double
 return new Val(d, TYPE_DOUBLE);
 %}
-## Converts a :bro:type:`count` to an :bro:type:`addr`.
+## Converts a :zeek:type:`count` to an :zeek:type:`addr`.
 ##
-## ip: The :bro:type:`count` to convert.
+## ip: The :zeek:type:`count` to convert.
 ##
-## Returns: The :bro:type:`count` *ip* as :bro:type:`addr`.
+## Returns: The :zeek:type:`count` *ip* as :zeek:type:`addr`.
 ##
-## .. bro:see:: raw_bytes_to_v4_addr to_addr to_subnet
+## .. zeek:see:: raw_bytes_to_v4_addr to_addr to_subnet
 function count_to_v4_addr%(ip: count%): addr
 %{
 if ( ip > 4294967295LU )
@@ -2505,15 +2505,15 @@ function count_to_v4_addr%(ip: count%): addr
 return new AddrVal(htonl(uint32(ip)));
 %}
-## Converts a :bro:type:`string` of bytes into an IPv4 address. In particular,
+## Converts a :zeek:type:`string` of bytes into an IPv4 address. In particular,
 ## this function interprets the first 4 bytes of the string as an IPv4 address
 ## in network order.
 ##
-## b: The raw bytes (:bro:type:`string`) to convert.
+## b: The raw bytes (:zeek:type:`string`) to convert.
 ##
-## Returns: The byte :bro:type:`string` *b* as :bro:type:`addr`.
+## Returns: The byte :zeek:type:`string` *b* as :zeek:type:`addr`.
 ##
-## .. bro:see:: raw_bytes_to_v4_addr to_addr to_subnet
+## .. zeek:see:: raw_bytes_to_v4_addr to_addr to_subnet
 function raw_bytes_to_v4_addr%(b: string%): addr
 %{
 uint32 a = 0;
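Review bot: The rewritten see-also at the end of the second hunk, `+## .. zeek:see:: raw_bytes_to_v4_addr to_addr to_subnet`, sits directly above `function raw_bytes_to_v4_addr%(b: string%): addr` and so cross-references the function to itself, whereas the sibling entry for count_to_v4_addr in the first hunk correctly points at raw_bytes_to_v4_addr. Since the line is already being touched for the role rename, fixing the target at the same time is cheap: `## .. zeek:see:: count_to_v4_addr to_addr to_subnet`. This presumably is a copy-paste carried over from the count_to_v4_addr block; the body of raw_bytes_to_v4_addr continues outside the hunk.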
@@ -2530,13 +2530,13 @@ function raw_bytes_to_v4_addr%(b: string%): addr
 return new AddrVal(htonl(a));
 %}
-## Converts a :bro:type:`string` to a :bro:type:`port`.
+## Converts a :zeek:type:`string` to a :zeek:type:`port`.
 ##
-## s: The :bro:type:`string` to convert.
+## s: The :zeek:type:`string` to convert.
 ##
-## Returns: A :bro:type:`port` converted from *s*.
+## Returns: A :zeek:type:`port` converted from *s*.
 ##
-## .. bro:see:: to_addr to_count to_int to_subnet
+## .. zeek:see:: to_addr to_count to_int to_subnet
 function to_port%(s: string%): port
 %{
 int port = 0;
@@ -2561,7 +2561,7 @@ function to_port%(s: string%): port
 return val_mgr->GetPort(port, TRANSPORT_UNKNOWN);
 %}
-## Converts a string of bytes (in network byte order) to a :bro:type:`double`.
+## Converts a string of bytes (in network byte order) to a :zeek:type:`double`.
 ##
 ## s: A string of bytes containing the binary representation of a double value.
 ##
@@ -2582,7 +2582,7 @@ function bytestring_to_double%(s: string%): double
 return new Val(ntohd(d), TYPE_DOUBLE);
 %}
-## Converts a string of bytes to a :bro:type:`count`.
+## Converts a string of bytes to a :zeek:type:`count`.
 ##
 ## s: A string of bytes containing the binary representation of the value.
 ##
@@ -2680,7 +2680,7 @@ function bytestring_to_count%(s: string, is_le: bool &default=F%): count
 ##
 ## Returns: The IP address corresponding to *s*.
 ##
-## .. bro:see:: addr_to_ptr_name to_addr
+## .. zeek:see:: addr_to_ptr_name to_addr
 function ptr_name_to_addr%(s: string%): addr
 %{
 if ( s->Len() != 72 )
@@ -2744,7 +2744,7 @@ function ptr_name_to_addr%(s: string%): addr
 ##
 ## Returns: The reverse pointer representation of *a*.
 ##
-## .. bro:see:: ptr_name_to_addr to_addr
+## .. zeek:see:: ptr_name_to_addr to_addr
 function addr_to_ptr_name%(a: addr%): string
 %{
 return new StringVal(a->AsAddr().PtrName().c_str());
@@ -2757,7 +2757,7 @@ function addr_to_ptr_name%(a: addr%): string
 ##
 ## Returns: The hexadecimal representation of *bytestring*.
 ##
-## .. bro:see:: hexdump hexstr_to_bytestring
+## .. zeek:see:: hexdump hexstr_to_bytestring
 function bytestring_to_hexstr%(bytestring: string%): string
 %{
 bro_uint_t len = bytestring->AsString()->Len();
@@ -2781,7 +2781,7 @@ function bytestring_to_hexstr%(bytestring: string%): string
 ##
 ## Returns: The binary representation of *hexstr*.
 ##
-## .. bro:see:: hexdump bytestring_to_hexstr
+## .. zeek:see:: hexdump bytestring_to_hexstr
 function hexstr_to_bytestring%(hexstr: string%): string
 %{
 bro_uint_t len = hexstr->AsString()->Len();
@@ -2826,7 +2826,7 @@ function hexstr_to_bytestring%(hexstr: string%): string
 ##
 ## Returns: The encoded version of *s*.
 ##
-## .. bro:see:: decode_base64
+## .. zeek:see:: decode_base64
 function encode_base64%(s: string, a: string &default=""%): string
 %{
 BroString* t = encode_base64(s->AsString(), a->AsString());
@@ -2849,7 +2849,7 @@ function encode_base64%(s: string, a: string &default=""%): string
 ##
 ## Returns: The encoded version of *s*.
 ##
-## .. bro:see:: encode_base64
+## .. zeek:see:: encode_base64
 function encode_base64_custom%(s: string, a: string%): string &deprecated
 %{
 BroString* t = encode_base64(s->AsString(), a->AsString());
@@ -2871,7 +2871,7 @@ function encode_base64_custom%(s: string, a: string%): string &deprecated
 ##
 ## Returns: The decoded version of *s*.
 ##
-## .. bro:see:: decode_base64_conn encode_base64
+## .. zeek:see:: decode_base64_conn encode_base64
 function decode_base64%(s: string, a: string &default=""%): string
 %{
 BroString* t = decode_base64(s->AsString(), a->AsString());
@@ -2897,7 +2897,7 @@ function decode_base64%(s: string, a: string &default=""%): string
 ##
 ## Returns: The decoded version of *s*.
 ##
-## .. bro:see:: decode_base64
+## .. zeek:see:: decode_base64
 function decode_base64_conn%(cid: conn_id, s: string, a: string &default=""%): string
 %{
 Connection* conn = sessions->FindConnection(cid);
@@ -2926,7 +2926,7 @@ function decode_base64_conn%(cid: conn_id, s: string, a: string &default=""%): s
 ##
 ## Returns: The decoded version of *s*.
 ##
-## .. bro:see:: decode_base64 decode_base64_conn
+## .. zeek:see:: decode_base64 decode_base64_conn
 function decode_base64_custom%(s: string, a: string%): string &deprecated
 %{
 BroString* t = decode_base64(s->AsString(), a->AsString());
@@ -2990,12 +2990,12 @@ function uuid_to_string%(uuid: string%): string
 ##
 ## Returns: The compiled pattern of the concatenation of *p1* and *p2*.
 ##
-## .. bro:see:: convert_for_pattern string_to_pattern
+## .. zeek:see:: convert_for_pattern string_to_pattern
 ##
 ## .. note::
 ##
-## This function must be called at Bro startup time, e.g., in the event
-## :bro:id:`bro_init`.
+## This function must be called at Zeek startup time, e.g., in the event
+## :zeek:id:`zeek_init`.
 function merge_pattern%(p1: pattern, p2: pattern%): pattern &deprecated
 %{
 RE_Matcher* re = new RE_Matcher();
@@ -3028,16 +3028,16 @@ char* to_pat_str(int sn, const char* ss)
 }
 %%}
-## Escapes a string so that it becomes a valid :bro:type:`pattern` and can be
-## used with the :bro:id:`string_to_pattern`. Any character from the set
+## Escapes a string so that it becomes a valid :zeek:type:`pattern` and can be
+## used with the :zeek:id:`string_to_pattern`. Any character from the set
 ## ``^$-:"\/|*+?.(){}[]`` is prefixed with a ``\``.
 ##
 ## s: The string to escape.
 ##
 ## Returns: An escaped version of *s* that has the structure of a valid
-## :bro:type:`pattern`.
+## :zeek:type:`pattern`.
 ##
-## .. bro:see:: merge_pattern string_to_pattern
+## .. zeek:see:: merge_pattern string_to_pattern
 ##
 function convert_for_pattern%(s: string%): string
 %{
@@ -3047,22 +3047,22 @@ function convert_for_pattern%(s: string%): string
 return ret;
 %}
-## Converts a :bro:type:`string` into a :bro:type:`pattern`.
+## Converts a :zeek:type:`string` into a :zeek:type:`pattern`.
 ##
 ## s: The string to convert.
 ##
 ## convert: If true, *s* is first passed through the function
-## :bro:id:`convert_for_pattern` to escape special characters of
+## :zeek:id:`convert_for_pattern` to escape special characters of
 ## patterns.
 ##
-## Returns: *s* as :bro:type:`pattern`.
+## Returns: *s* as :zeek:type:`pattern`.
 ##
-## .. bro:see:: convert_for_pattern merge_pattern
+## .. zeek:see:: convert_for_pattern merge_pattern
 ##
 ## .. note::
 ##
-## This function must be called at Bro startup time, e.g., in the event
-## :bro:id:`bro_init`.
+## This function must be called at Zeek startup time, e.g., in the event
+## :zeek:id:`zeek_init`.
 function string_to_pattern%(s: string, convert: bool%): pattern
 %{
 const char* ss = (const char*) (s->Bytes());
@@ -3147,7 +3147,7 @@ function strptime%(fmt: string, d: string%) : time
 ##
 ## Returns: The address *a* masked down to *top_bits_to_keep* bits.
 ##
-## .. bro:see:: remask_addr
+## .. zeek:see:: remask_addr
 function mask_addr%(a: addr, top_bits_to_keep: count%): subnet
 %{
 return new SubNetVal(a->AsAddr(), top_bits_to_keep);
@@ -3169,7 +3169,7 @@ function mask_addr%(a: addr, top_bits_to_keep: count%): subnet
 ##
 ## Returns: The address *a* masked down to *top_bits_to_keep* bits.
 ##
-## .. bro:see:: mask_addr
+## .. zeek:see:: mask_addr
 function remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%): addr
 %{
 IPAddr addr1(a1->AsAddr());
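Review bot: In the second hunk, the `## Returns:` line two lines above the rewritten `+## .. zeek:see:: mask_addr` describes the result in terms of *a* and *top_bits_to_keep*, but the function it documents is `remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%)`, so neither name exists in that signature; the same sentence appears verbatim under mask_addr in the first hunk, which suggests it was copied from there. Since the doc block is being edited for the role rename anyway, I would reword it to match the actual parameters, e.g. `## Returns: *a1* with its top *top_bits_from_a1* bits kept and the remaining low bits taken from *a2*.`, after confirming against the body, which is only partly visible here (`IPAddr addr1(a1->AsAddr());` is the last line and the rest of remask_addr lies outside the hunk).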
@@ -3179,37 +3179,37 @@ function remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%): addr
 return new AddrVal(addr1|addr2);
 %}
-## Checks whether a given :bro:type:`port` has TCP as transport protocol.
+## Checks whether a given :zeek:type:`port` has TCP as transport protocol.
 ##
-## p: The :bro:type:`port` to check.
+## p: The :zeek:type:`port` to check.
 ##
 ## Returns: True iff *p* is a TCP port.
 ##
-## .. bro:see:: is_udp_port is_icmp_port
+## .. zeek:see:: is_udp_port is_icmp_port
 function is_tcp_port%(p: port%): bool
 %{
 return val_mgr->GetBool(p->IsTCP());
 %}
-## Checks whether a given :bro:type:`port` has UDP as transport protocol.
+## Checks whether a given :zeek:type:`port` has UDP as transport protocol.
 ##
-## p: The :bro:type:`port` to check.
+## p: The :zeek:type:`port` to check.
 ##
 ## Returns: True iff *p* is a UDP port.
 ##
-## .. bro:see:: is_icmp_port is_tcp_port
+## .. zeek:see:: is_icmp_port is_tcp_port
 function is_udp_port%(p: port%): bool
 %{
 return val_mgr->GetBool(p->IsUDP());
 %}
-## Checks whether a given :bro:type:`port` has ICMP as transport protocol.
+## Checks whether a given :zeek:type:`port` has ICMP as transport protocol.
 ##
-## p: The :bro:type:`port` to check.
+## p: The :zeek:type:`port` to check.
 ##
 ## Returns: True iff *p* is an ICMP port.
 ##
-## .. bro:see:: is_tcp_port is_udp_port
+## .. zeek:see:: is_tcp_port is_udp_port
 function is_icmp_port%(p: port%): bool
 %{
 return val_mgr->GetBool(p->IsICMP());
@@ -3251,7 +3251,7 @@ EnumVal* map_conn_type(TransportProto tp)
 ##
 ## Returns: The transport protocol of the connection identified by *cid*.
 ##
-## .. bro:see:: get_port_transport_proto
+## .. zeek:see:: get_port_transport_proto
 ## get_orig_seq get_resp_seq
 function get_conn_transport_proto%(cid: conn_id%): transport_proto
 %{
@@ -3265,13 +3265,13 @@ function get_conn_transport_proto%(cid: conn_id%): transport_proto
 return map_conn_type(c->ConnTransport());
 %}
-## Extracts the transport protocol from a :bro:type:`port`.
+## Extracts the transport protocol from a :zeek:type:`port`.
 ##
 ## p: The port.
 ##
 ## Returns: The transport protocol of the port *p*.
 ##
-## .. bro:see:: get_conn_transport_proto
+## .. zeek:see:: get_conn_transport_proto
 ## get_orig_seq get_resp_seq
 function get_port_transport_proto%(p: port%): transport_proto
 %{
@@ -3284,7 +3284,7 @@ function get_port_transport_proto%(p: port%): transport_proto
 ##
 ## Returns: True if the connection identified by *c* exists.
 ##
-## .. bro:see:: lookup_connection
+## .. zeek:see:: lookup_connection
 function connection_exists%(c: conn_id%): bool
 %{
 if ( sessions->FindConnection(c) )
@@ -3293,15 +3293,15 @@ function connection_exists%(c: conn_id%): bool
 return val_mgr->GetBool(0);
 %}
-## Returns the :bro:type:`connection` record for a given connection identifier.
+## Returns the :zeek:type:`connection` record for a given connection identifier.
 ##
 ## cid: The connection ID.
 ##
-## Returns: The :bro:type:`connection` record for *cid*. If *cid* does not point
+## Returns: The :zeek:type:`connection` record for *cid*. If *cid* does not point
 ## to an existing connection, the function generates a run-time error
 ## and returns a dummy value.
 ##
-## .. bro:see:: connection_exists
+## .. zeek:see:: connection_exists
 function lookup_connection%(cid: conn_id%): connection
 %{
 Connection* conn = sessions->FindConnection(cid);
@@ -3361,7 +3361,7 @@ const char* conn_id_string(Val* c)
 ##
 ## Returns: True on success.
 ##
-## .. bro:see:: dump_packet get_current_packet send_current_packet
+## .. zeek:see:: dump_packet get_current_packet send_current_packet
 function dump_current_packet%(file_name: string%) : bool
 %{
 const Packet* pkt;
@@ -3392,7 +3392,7 @@ function dump_current_packet%(file_name: string%) : bool ## Returns: The currently processed packet, which is a record ## containing the timestamp, ``snaplen``, and packet data. ## -## .. bro:see:: dump_current_packet dump_packet send_current_packet +## .. zeek:see:: dump_current_packet dump_packet send_current_packet function get_current_packet%(%) : pcap_packet %{ const Packet* p; @@ -3422,10 +3422,10 @@ function get_current_packet%(%) : pcap_packet ## Function to get the raw headers of the currently processed packet. ## -## Returns: The :bro:type:`raw_pkt_hdr` record containing the Layer 2, 3 and +## Returns: The :zeek:type:`raw_pkt_hdr` record containing the Layer 2, 3 and ## 4 headers of the currently processed packet. ## -## .. bro:see:: raw_pkt_hdr get_current_packet +## .. zeek:see:: raw_pkt_hdr get_current_packet function get_current_packet_header%(%) : raw_pkt_hdr %{ const Packet* p; @@ -3448,7 +3448,7 @@ function get_current_packet_header%(%) : raw_pkt_hdr ## ## Returns: True on success ## -## .. bro:see:: get_current_packet dump_current_packet send_current_packet +## .. zeek:see:: get_current_packet dump_current_packet send_current_packet function dump_packet%(pkt: pcap_packet, file_name: string%) : bool %{ if ( addl_pkt_dumper && addl_pkt_dumper->Path() != file_name->CheckString()) @@ -3555,7 +3555,7 @@ private: ## ## Returns: The DNS name of *host*. ## -## .. bro:see:: lookup_hostname +## .. zeek:see:: lookup_hostname function lookup_addr%(host: addr%) : string %{ // FIXME: It should be easy to adapt the function to synchronous @@ -3584,7 +3584,7 @@ function lookup_addr%(host: addr%) : string ## ## Returns: The DNS TXT record associated with *host*. ## -## .. bro:see:: lookup_hostname +## .. zeek:see:: lookup_hostname function lookup_hostname_txt%(host: string%) : string %{ // FIXME: Is should be easy to adapt the function to synchronous 
@@ -3613,7 +3613,7 @@ function lookup_hostname_txt%(host: string%) : string ## ## Returns: A set of DNS A and AAAA records associated with *host*. ## -## .. bro:see:: lookup_addr +## .. zeek:see:: lookup_addr function lookup_hostname%(host: string%) : addr_set %{ // FIXME: Is should be easy to adapt the function to synchronous @@ -3945,7 +3945,7 @@ static bool mmdb_try_open_asn () ## ## Returns: A boolean indicating whether the db was successfully opened. ## -## .. bro:see:: lookup_asn +## .. zeek:see:: lookup_asn function mmdb_open_location_db%(f: string%) : bool %{ #ifdef USE_GEOIP @@ -3962,7 +3962,7 @@ function mmdb_open_location_db%(f: string%) : bool ## ## Returns: A boolean indicating whether the db was successfully opened. ## -## .. bro:see:: lookup_asn +## .. zeek:see:: lookup_asn function mmdb_open_asn_db%(f: string%) : bool %{ #ifdef USE_GEOIP @@ -3979,7 +3979,7 @@ function mmdb_open_asn_db%(f: string%) : bool ## ## Returns: A record with country, region, city, latitude, and longitude. ## -## .. bro:see:: lookup_asn +## .. zeek:see:: lookup_asn function lookup_location%(a: addr%) : geo_location %{ RecordVal* location = new RecordVal(geo_location); @@ -4064,7 +4064,7 @@ function lookup_location%(a: addr%) : geo_location ## ## Returns: The number of the ASN that contains *a*. ## -## .. bro:see:: lookup_location +## .. zeek:see:: lookup_location function lookup_asn%(a: addr%) : count %{ #ifdef USE_GEOIP @@ -4128,7 +4128,7 @@ function lookup_asn%(a: addr%) : count ## ## Returns: Distance in miles. ## -## .. bro:see:: haversine_distance_ip +## .. zeek:see:: haversine_distance_ip function haversine_distance%(lat1: double, long1: double, lat2: double, long2: double%): double %{ const double PI = 3.14159; 
@@ -4254,7 +4254,7 @@ function file_mode%(mode: count%): string ## Returns: True if the connection identified by *cid* exists and has analyzer ## *aid*. ## -## .. bro:see:: Analyzer::schedule_analyzer Analyzer::name +## .. zeek:see:: Analyzer::schedule_analyzer Analyzer::name function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &default=T%) : bool %{ Connection* c = sessions->FindConnection(cid); @@ -4289,7 +4289,7 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau ## .. note:: ## ## Bro will still generate connection-oriented events such as -## :bro:id:`connection_finished`. +## :zeek:id:`connection_finished`. function skip_further_processing%(cid: conn_id%): bool %{ Connection* c = sessions->FindConnection(cid); @@ -4311,15 +4311,15 @@ function skip_further_processing%(cid: conn_id%): bool ## Returns: False if *cid* does not point to an active connection, and true ## otherwise. ## -## .. bro:see:: skip_further_processing +## .. zeek:see:: skip_further_processing ## ## .. note:: ## ## This is independent of whether Bro processes the packets of this ## connection, which is controlled separately by -## :bro:id:`skip_further_processing`. +## :zeek:id:`skip_further_processing`. ## -## .. bro:see:: get_contents_file set_contents_file +## .. zeek:see:: get_contents_file set_contents_file function set_record_packets%(cid: conn_id, do_record: bool%): bool %{ Connection* c = sessions->FindConnection(cid); 
@@ -4357,13 +4357,13 @@ function set_inactivity_timeout%(cid: conn_id, t: interval%): interval # =========================================================================== ## Opens a file for writing. If a file with the same name already exists, this -## function overwrites it (as opposed to :bro:id:`open_for_append`). +## function overwrites it (as opposed to :zeek:id:`open_for_append`). ## ## f: The path to the file. ## -## Returns: A :bro:type:`file` handle for subsequent operations. +## Returns: A :zeek:type:`file` handle for subsequent operations. ## -## .. bro:see:: active_file open_for_append close write_file +## .. zeek:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all mkdir enable_raw_output ## rmdir unlink rename function open%(f: string%): file @@ -4377,13 +4377,13 @@ function open%(f: string%): file %} ## Opens a file for writing or appending. If a file with the same name already -## exists, this function appends to it (as opposed to :bro:id:`open`). +## exists, this function appends to it (as opposed to :zeek:id:`open`). ## ## f: The path to the file. ## -## Returns: A :bro:type:`file` handle for subsequent operations. +## Returns: A :zeek:type:`file` handle for subsequent operations. ## -## .. bro:see:: active_file open close write_file +## .. zeek:see:: active_file open close write_file ## get_file_name set_buf flush_all mkdir enable_raw_output ## rmdir unlink rename function open_for_append%(f: string%): file @@ -4393,11 +4393,11 @@ function open_for_append%(f: string%): file ## Closes an open file and flushes any buffered content. ## -## f: A :bro:type:`file` handle to an open file. +## f: A :zeek:type:`file` handle to an open file. ## ## Returns: True on success. ## -## .. bro:see:: active_file open open_for_append write_file +## .. zeek:see:: active_file open open_for_append write_file ## get_file_name set_buf flush_all mkdir enable_raw_output ## rmdir unlink rename function close%(f: file%): bool 
@@ -4407,13 +4407,13 @@ function close%(f: file%): bool ## Writes data to an open file. ## -## f: A :bro:type:`file` handle to an open file. +## f: A :zeek:type:`file` handle to an open file. ## ## data: The data to write to *f*. ## ## Returns: True on success. ## -## .. bro:see:: active_file open open_for_append close +## .. zeek:see:: active_file open open_for_append close ## get_file_name set_buf flush_all mkdir enable_raw_output ## rmdir unlink rename function write_file%(f: file, data: string%): bool @@ -4426,14 +4426,14 @@ function write_file%(f: file, data: string%): bool ## Alters the buffering behavior of a file. ## -## f: A :bro:type:`file` handle to an open file. +## f: A :zeek:type:`file` handle to an open file. ## ## buffered: When true, *f* is fully buffered, i.e., bytes are saved in a ## buffer until the block size has been reached. When ## false, *f* is line buffered, i.e., bytes are saved up until a ## newline occurs. ## -## .. bro:see:: active_file open open_for_append close +## .. zeek:see:: active_file open open_for_append close ## get_file_name write_file flush_all mkdir enable_raw_output ## rmdir unlink rename function set_buf%(f: file, buffered: bool%): any @@ -4446,7 +4446,7 @@ function set_buf%(f: file, buffered: bool%): any ## ## Returns: True on success. ## -## .. bro:see:: active_file open open_for_append close +## .. zeek:see:: active_file open open_for_append close ## get_file_name write_file set_buf mkdir enable_raw_output ## rmdir unlink rename function flush_all%(%): bool @@ -4461,7 +4461,7 @@ function flush_all%(%): bool ## Returns: True if the operation succeeds or if *f* already exists, ## and false if the file creation fails. ## -## .. bro:see:: active_file open_for_append close write_file +## .. zeek:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output ## rmdir unlink rename function mkdir%(f: string%): bool 
@@ -4493,7 +4493,7 @@ function mkdir%(f: string%): bool ## Returns: True if the operation succeeds, and false if the ## directory delete operation fails. ## -## .. bro:see:: active_file open_for_append close write_file +## .. zeek:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output ## mkdir unlink rename function rmdir%(d: string%): bool @@ -4517,7 +4517,7 @@ function rmdir%(d: string%): bool ## Returns: True if the operation succeeds and the file was deleted, ## and false if the deletion fails. ## -## .. bro:see:: active_file open_for_append close write_file +## .. zeek:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output ## mkdir rmdir rename function unlink%(f: string%): bool @@ -4542,7 +4542,7 @@ function unlink%(f: string%): bool ## ## Returns: True if the rename succeeds and false otherwise. ## -## .. bro:see:: active_file open_for_append close write_file +## .. zeek:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output ## mkdir rmdir unlink function rename%(src_f: string, dst_f: string%): bool @@ -4564,7 +4564,7 @@ function rename%(src_f: string, dst_f: string%): bool ## ## f: The file to check. ## -## Returns: True if *f* is an open :bro:type:`file`. +## Returns: True if *f* is an open :zeek:type:`file`. ## ## .. todo:: Rename to ``is_open``. function active_file%(f: file%): bool @@ -4578,7 +4578,7 @@ function active_file%(f: file%): bool ## ## Returns: The filename associated with *f*. ## -## .. bro:see:: open +## .. zeek:see:: open function get_file_name%(f: file%): string %{ if ( ! f ) 
@@ -4594,7 +4594,7 @@ function get_file_name%(f: file%): string ## Returns: Rotation statistics which include the original file name, the name ## after the rotation, and the time when *f* was opened/closed. ## -## .. bro:see:: rotate_file_by_name calc_next_rotate +## .. zeek:see:: rotate_file_by_name calc_next_rotate function rotate_file%(f: file%): rotate_info %{ RecordVal* info = f->Rotate(); @@ -4618,7 +4618,7 @@ function rotate_file%(f: file%): rotate_info ## Returns: Rotation statistics which include the original file name, the name ## after the rotation, and the time when *f* was opened/closed. ## -## .. bro:see:: rotate_file calc_next_rotate +## .. zeek:see:: rotate_file calc_next_rotate function rotate_file_by_name%(f: string%): rotate_info %{ RecordVal* info = new RecordVal(rotate_info); @@ -4672,7 +4672,7 @@ function rotate_file_by_name%(f: string%): rotate_info ## ## Returns: The duration until the next file rotation time. ## -## .. bro:see:: rotate_file rotate_file_by_name +## .. zeek:see:: rotate_file rotate_file_by_name function calc_next_rotate%(i: interval%) : interval %{ const char* base_time = log_rotate_base_time ? 
@@ -4697,16 +4697,16 @@ function file_size%(f: string%) : double return new Val(double(s.st_size), TYPE_DOUBLE); %} -## Disables sending :bro:id:`print_hook` events to remote peers for a given +## Disables sending :zeek:id:`print_hook` events to remote peers for a given ## file. In a ## distributed setup, communicating Bro instances generate the event -## :bro:id:`print_hook` for each print statement and send it to the remote +## :zeek:id:`print_hook` for each print statement and send it to the remote ## side. When disabled for a particular file, these events will not be ## propagated to other peers. ## -## f: The file to disable :bro:id:`print_hook` events for. +## f: The file to disable :zeek:id:`print_hook` events for. ## -## .. bro:see:: enable_raw_output +## .. zeek:see:: enable_raw_output function disable_print_hook%(f: file%): any %{ f->DisablePrintHook(); @@ -4714,11 +4714,11 @@ function disable_print_hook%(f: file%): any %} ## Prevents escaping of non-ASCII characters when writing to a file. -## This function is equivalent to :bro:attr:`&raw_output`. +## This function is equivalent to :zeek:attr:`&raw_output`. ## ## f: The file to disable raw output for. ## -## .. bro:see:: disable_print_hook +## .. zeek:see:: disable_print_hook function enable_raw_output%(f: file%): any %{ f->EnableRawOutput(); @@ -4745,7 +4745,7 @@ function enable_raw_output%(f: file%): any ## ## Returns: True (unconditionally). ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_net_filter ## uninstall_src_addr_filter @@ -4775,7 +4775,7 @@ function install_src_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : b ## ## Returns: True (unconditionally). ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## uninstall_src_addr_filter 
@@ -4799,7 +4799,7 @@ function install_src_net_filter%(snet: subnet, tcp_flags: count, prob: double%) ## ## Returns: True on success. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter @@ -4820,7 +4820,7 @@ function uninstall_src_addr_filter%(ip: addr%) : bool ## ## Returns: True on success. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter @@ -4850,7 +4850,7 @@ function uninstall_src_net_filter%(snet: subnet%) : bool ## ## Returns: True (unconditionally). ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter @@ -4880,7 +4880,7 @@ function install_dst_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : b ## ## Returns: True (unconditionally). ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter @@ -4904,7 +4904,7 @@ function install_dst_net_filter%(snet: subnet, tcp_flags: count, prob: double%) ## ## Returns: True on success. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter @@ -4925,7 +4925,7 @@ function uninstall_dst_addr_filter%(ip: addr%) : bool ## ## Returns: True on success. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter 
@@ -4953,7 +4953,7 @@ function enable_communication%(%): any &deprecated %{ if ( bro_start_network_time != 0.0 ) { - builtin_error("communication must be enabled in bro_init"); + builtin_error("communication must be enabled in zeek_init"); return 0; } @@ -4966,13 +4966,13 @@ function enable_communication%(%): any &deprecated return 0; %} -## Flushes in-memory state tagged with the :bro:attr:`&persistent` attribute +## Flushes in-memory state tagged with the :zeek:attr:`&persistent` attribute ## to disk. The function writes the state to the file ``.state/state.bst`` in ## the directory where Bro was started. ## ## Returns: True on success. ## -## .. bro:see:: rescan_state +## .. zeek:see:: rescan_state function checkpoint_state%(%) : bool %{ return val_mgr->GetBool(persistence_serializer->WriteState(true)); @@ -4980,11 +4980,11 @@ function checkpoint_state%(%) : bool ## Reads persistent state and populates the in-memory data structures ## accordingly. Persistent state is read from the ``.state`` directory. -## This function is the dual to :bro:id:`checkpoint_state`. +## This function is the dual to :zeek:id:`checkpoint_state`. ## ## Returns: True on success. ## -## .. bro:see:: checkpoint_state +## .. zeek:see:: checkpoint_state function rescan_state%(%) : bool %{ return val_mgr->GetBool(persistence_serializer->ReadAll(false, true)); @@ -4997,7 +4997,7 @@ function rescan_state%(%) : bool ## ## Returns: True if opening the target file succeeds. ## -## .. bro:see:: capture_state_updates +## .. zeek:see:: capture_state_updates function capture_events%(filename: string%) : bool %{ if ( ! event_serializer ) 
@@ -5009,14 +5009,14 @@ function capture_events%(filename: string%) : bool (const char*) filename->CheckString())); %} -## Writes state updates generated by :bro:attr:`&synchronized` variables to a +## Writes state updates generated by :zeek:attr:`&synchronized` variables to a ## file. ## ## filename: The name of the file which stores the state updates. ## ## Returns: True if opening the target file succeeds. ## -## .. bro:see:: capture_events +## .. zeek:see:: capture_events function capture_state_updates%(filename: string%) : bool %{ if ( ! state_serializer ) @@ -5049,7 +5049,7 @@ function capture_state_updates%(filename: string%) : bool ## ## Returns: A locally unique ID of the new peer. ## -## .. bro:see:: disconnect +## .. zeek:see:: disconnect ## listen ## request_remote_events ## request_remote_sync @@ -5068,11 +5068,11 @@ function connect%(ip: addr, zone_id: string, p: port, our_class: string, retry: ## Terminate the connection with a peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## Returns: True on success. ## -## .. bro:see:: connect listen +## .. zeek:see:: connect listen function disconnect%(p: event_peer%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); @@ -5082,13 +5082,13 @@ function disconnect%(p: event_peer%) : bool &deprecated ## Subscribes to all events from a remote peer whose names match a given ## pattern. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## handlers: The pattern describing the events to request from peer *p*. ## ## Returns: True on success. ## -## .. bro:see:: request_remote_sync +## .. zeek:see:: request_remote_sync ## request_remote_logs ## set_accept_state function request_remote_events%(p: event_peer, handlers: pattern%) : bool &deprecated 
@@ -5099,14 +5099,14 @@ function request_remote_events%(p: event_peer, handlers: pattern%) : bool &depre ## Requests synchronization of IDs with a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## auth: If true, the local instance considers its current state authoritative ## and sends it to *p* right after the handshake. ## ## Returns: True on success. ## -## .. bro:see:: request_remote_events +## .. zeek:see:: request_remote_events ## request_remote_logs ## set_accept_state function request_remote_sync%(p: event_peer, auth: bool%) : bool &deprecated @@ -5117,11 +5117,11 @@ function request_remote_sync%(p: event_peer, auth: bool%) : bool &deprecated ## Requests logs from a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## Returns: True on success. ## -## .. bro:see:: request_remote_events +## .. zeek:see:: request_remote_events ## request_remote_sync function request_remote_logs%(p: event_peer%) : bool &deprecated %{ @@ -5131,13 +5131,13 @@ function request_remote_logs%(p: event_peer%) : bool &deprecated ## Sets a boolean flag indicating whether Bro accepts state from a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## accept: True if Bro accepts state from peer *p*, or false otherwise. ## ## Returns: True on success. ## -## .. bro:see:: request_remote_events +## .. zeek:see:: request_remote_events ## request_remote_sync ## set_compression_level function set_accept_state%(p: event_peer, accept: bool%) : bool &deprecated 
@@ -5148,14 +5148,14 @@ function set_accept_state%(p: event_peer, accept: bool%) : bool &deprecated ## Sets the compression level of the session with a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## level: Allowed values are in the range *[0, 9]*, where 0 is the default and ## means no compression. ## ## Returns: True on success. ## -## .. bro:see:: set_accept_state +## .. zeek:see:: set_accept_state function set_compression_level%(p: event_peer, level: count%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); @@ -5181,7 +5181,7 @@ function set_compression_level%(p: event_peer, level: count%) : bool &deprecated ## ## Returns: True on success. ## -## .. bro:see:: connect disconnect +## .. zeek:see:: connect disconnect function listen%(ip: addr, p: port, ssl: bool, ipv6: bool, zone_id: string, retry_interval: interval%) : bool &deprecated %{ return val_mgr->GetBool(remote_serializer->Listen(ip->AsAddr(), p->Port(), ssl, ipv6, zone_id->CheckString(), retry_interval)); @@ -5197,11 +5197,11 @@ function is_remote_event%(%) : bool ## Sends all persistent state to a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## Returns: True on success. ## -## .. bro:see:: send_id send_ping send_current_packet send_capture_filter +## .. zeek:see:: send_id send_ping send_current_packet send_capture_filter function send_state%(p: event_peer%) : bool %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); 
@@ -5211,13 +5211,13 @@ function send_state%(p: event_peer%) : bool ## Sends a global identifier to a remote peer, which then might install it ## locally. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## id: The identifier to send. ## ## Returns: True on success. ## -## .. bro:see:: send_state send_ping send_current_packet send_capture_filter +## .. zeek:see:: send_state send_ping send_current_packet send_capture_filter function send_id%(p: event_peer, id: string%) : bool &deprecated %{ RemoteSerializer::PeerID pid = p->AsRecordVal()->Lookup(0)->AsCount(); @@ -5245,7 +5245,7 @@ function terminate_communication%(%) : bool &deprecated ## Signals a remote peer that the local Bro instance finished the initial ## handshake. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## Returns: True on success. function complete_handshake%(p: event_peer%) : bool &deprecated @@ -5255,16 +5255,16 @@ function complete_handshake%(p: event_peer%) : bool &deprecated %} ## Sends a ping event to a remote peer. In combination with an event handler -## for :bro:id:`remote_pong`, this function can be used to measure latency +## for :zeek:id:`remote_pong`, this function can be used to measure latency ## between two peers. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## -## seq: A sequence number (also included by :bro:id:`remote_pong`). +## seq: A sequence number (also included by :zeek:id:`remote_pong`). ## ## Returns: True if sending the ping succeeds. ## -## .. bro:see:: send_state send_id send_current_packet send_capture_filter +## .. zeek:see:: send_state send_id send_current_packet send_capture_filter function send_ping%(p: event_peer, seq: count%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); 
@@ -5273,11 +5273,11 @@ function send_ping%(p: event_peer, seq: count%) : bool &deprecated ## Sends the currently processed packet to a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## Returns: True if sending the packet succeeds. ## -## .. bro:see:: send_id send_state send_ping send_capture_filter +## .. zeek:see:: send_id send_state send_ping send_capture_filter ## dump_packet dump_current_packet get_current_packet function send_current_packet%(p: event_peer%) : bool &deprecated %{ @@ -5301,7 +5301,7 @@ function send_current_packet%(p: event_peer%) : bool &deprecated ## ## Returns: The ID of the peer who generated the last event. ## -## .. bro:see:: get_local_event_peer +## .. zeek:see:: get_local_event_peer function get_event_peer%(%) : event_peer &deprecated %{ SourceID src = mgr.CurrentSource(); @@ -5340,7 +5340,7 @@ function get_event_peer%(%) : event_peer &deprecated ## ## Returns: The peer ID of the local Bro instance. ## -## .. bro:see:: get_event_peer +## .. zeek:see:: get_event_peer function get_local_event_peer%(%) : event_peer &deprecated %{ RecordVal* p = mgr.GetLocalPeerVal(); @@ -5350,13 +5350,13 @@ function get_local_event_peer%(%) : event_peer &deprecated ## Sends a capture filter to a remote peer. ## -## p: The peer ID returned from :bro:id:`connect`. +## p: The peer ID returned from :zeek:id:`connect`. ## ## s: The capture filter. ## ## Returns: True if sending the packet succeeds. ## -## .. bro:see:: send_id send_state send_ping send_current_packet +## .. zeek:see:: send_id send_state send_ping send_current_packet function send_capture_filter%(p: event_peer, s: string%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); 
@@ -5367,7 +5367,7 @@ function send_capture_filter%(p: event_peer, s: string%) : bool &deprecated ## distributed trace processing with communication enabled ## (*pseudo-realtime* mode). ## -## .. bro:see:: continue_processing suspend_state_updates resume_state_updates +## .. zeek:see:: continue_processing suspend_state_updates resume_state_updates function suspend_processing%(%) : any %{ net_suspend_processing(); @@ -5376,16 +5376,16 @@ function suspend_processing%(%) : any ## Resumes Bro's packet processing. ## -## .. bro:see:: suspend_processing suspend_state_updates resume_state_updates +## .. zeek:see:: suspend_processing suspend_state_updates resume_state_updates function continue_processing%(%) : any %{ net_continue_processing(); return 0; %} -## Stops propagating :bro:attr:`&synchronized` accesses. +## Stops propagating :zeek:attr:`&synchronized` accesses. ## -## .. bro:see:: suspend_processing continue_processing resume_state_updates +## .. zeek:see:: suspend_processing continue_processing resume_state_updates function suspend_state_updates%(%) : any &deprecated %{ if ( remote_serializer ) @@ -5393,9 +5393,9 @@ function suspend_state_updates%(%) : any &deprecated return 0; %} -## Resumes propagating :bro:attr:`&synchronized` accesses. +## Resumes propagating :zeek:attr:`&synchronized` accesses. ## -## .. bro:see:: suspend_processing continue_processing suspend_state_updates +## .. zeek:see:: suspend_processing continue_processing suspend_state_updates function resume_state_updates%(%) : any &deprecated %{ if ( remote_serializer ) @@ -5442,7 +5442,7 @@ function match_signatures%(c: connection, pattern_type: int, s: string, ## ## width: The number of bits from the top that should remain intact. ## -## .. bro:see:: preserve_subnet anonymize_addr +## .. zeek:see:: preserve_subnet anonymize_addr ## ## .. todo:: Currently dysfunctional. function preserve_prefix%(a: addr, width: count%): any 
@@ -5468,7 +5468,7 @@ function preserve_prefix%(a: addr, width: count%): any
 ##
 ## a: The subnet to preserve.
 ##
-## .. bro:see:: preserve_prefix anonymize_addr
+## .. zeek:see:: preserve_prefix anonymize_addr
 ##
 ## .. todo:: Currently dysfunctional.
 function preserve_subnet%(a: subnet%): any
@@ -5504,7 +5504,7 @@ function preserve_subnet%(a: subnet%): any
 ##
 ## Returns: An anonymized version of *a*.
 ##
-## .. bro:see:: preserve_prefix preserve_subnet
+## .. zeek:see:: preserve_prefix preserve_subnet
 ##
 ## .. todo:: Currently dysfunctional.
 function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr
diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc
index 38ab4cd60d..ec69308790 100644
--- a/src/broker/Manager.cc
+++ b/src/broker/Manager.cc
@@ -138,7 +138,7 @@ Manager::Manager(bool arg_reading_pcaps)
 {
 bound_port = 0;
 reading_pcaps = arg_reading_pcaps;
- after_bro_init = false;
+ after_zeek_init = false;
 peer_count = 0;
 log_topic_func = nullptr;
 vector_of_data_type = nullptr;
@@ -772,7 +772,7 @@ RecordVal* Manager::MakeEvent(val_list* args, Frame* frame)
 bool Manager::Subscribe(const string& topic_prefix)
 {
 DBG_LOG(DBG_BROKER, "Subscribing to topic prefix %s", topic_prefix.c_str());
- bstate->subscriber.add_topic(topic_prefix, ! after_bro_init);
+ bstate->subscriber.add_topic(topic_prefix, ! after_zeek_init);
 return true;
 }
@@ -799,7 +799,7 @@ bool Manager::Unsubscribe(const string& topic_prefix)
 }
 DBG_LOG(DBG_BROKER, "Unsubscribing from topic prefix %s", topic_prefix.c_str());
- bstate->subscriber.remove_topic(topic_prefix, ! after_bro_init);
+ bstate->subscriber.remove_topic(topic_prefix, ! after_zeek_init);
 return true;
 }
@@ -918,8 +918,8 @@ void Manager::Process()
 {
 had_input = true;
- auto& topic = message.first;
- auto& msg = message.second;
+ auto& topic = broker::get_topic(message);
+ auto& msg = broker::get_data(message);
 try
 {
diff --git a/src/broker/Manager.h b/src/broker/Manager.h
index 87aba80058..a0520698da 100644
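Review bot: The new `auto& topic = broker::get_topic(message);` / `auto& msg = broker::get_data(message);` lines in Manager::Process() bind non-const references to whatever the two broker accessors return, so they only compile if both return lvalue references, and if those references alias into `message` they are valid only while `message` lives; the rest of Process(), including where `message` comes from and how long it is kept, lies outside the hunk. A one-line comment would make that contract explicit for the next maintainer: `// topic/msg are references into message (broker accessors); they must not outlive it`. If a later broker release returns these by value, the `auto&` fails at compile time rather than silently copying, which is the safer of the two outcomes and worth noting in that comment. The `after_bro_init` to `after_zeek_init` change in the other Manager.cc hunks is a pure rename and raises nothing.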
--- a/src/broker/Manager.h
+++ b/src/broker/Manager.h
@@ -66,8 +66,8 @@ public:
 */
 void InitPostScript();
- void BroInitDone()
- { after_bro_init = true; }
+ void ZeekInitDone()
+ { after_zeek_init = true; }
 /**
 * Shuts Broker down at termination.
@@ -380,7 +380,7 @@ private:
 uint16_t bound_port;
 bool reading_pcaps;
- bool after_bro_init;
+ bool after_zeek_init;
 int peer_count;
 Func* log_topic_func;
diff --git a/src/broker/data.bif b/src/broker/data.bif
index 2f6dc2cd77..53ce5d506c 100644
--- a/src/broker/data.bif
+++ b/src/broker/data.bif
@@ -7,7 +7,7 @@ module Broker;
-## Enumerates the possible types that :bro:see:`Broker::Data` may be in
+## Enumerates the possible types that :zeek:see:`Broker::Data` may be in
 ## terms of Bro data types.
 enum DataType %{
 NONE,
diff --git a/src/broker/messaging.bif b/src/broker/messaging.bif
index ec7696c752..807cefa3fc 100644
--- a/src/broker/messaging.bif
+++ b/src/broker/messaging.bif
@@ -74,7 +74,7 @@ module Broker;
 type Broker::Event: record;
 ## Create a data structure that may be used to send a remote event via
-## :bro:see:`Broker::publish`.
+## :zeek:see:`Broker::publish`.
 ##
 ## args: an event, followed by a list of argument values that may be used
 ## to call it.
@@ -93,7 +93,7 @@ function Broker::make_event%(...%): Broker::Event
 ## topic: a topic associated with the event message.
 ##
 ## args: Either the event arguments as already made by
-## :bro:see:`Broker::make_event` or the argument list to pass along
+## :zeek:see:`Broker::make_event` or the argument list to pass along
 ## to it.
 ##
 ## Returns: true if the message is sent.
@@ -172,7 +172,7 @@ type Cluster::Pool: record;
 ## script like "Intel::cluster_rr_key".
 ##
 ## args: Either the event arguments as already made by
-## :bro:see:`Broker::make_event` or the argument list to pass along
+## :zeek:see:`Broker::make_event` or the argument list to pass along
 ## to it.
 ##
 ## Returns: true if the message is sent.
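Review bot: The public method `BroInitDone()` is replaced by `ZeekInitDone()` in the first Manager.h hunk with no compatibility shim, whereas the same change set keeps `event bro_init%(%) &deprecated;` next to the new `zeek_init` in event.bif; any out-of-tree code that calls the old method stops compiling instead of getting a deprecation warning. If this header is part of the plugin-facing API (not determinable from the hunk), keep a deprecated forwarder beside the new method, `[[deprecated("use ZeekInitDone()")]] void BroInitDone() { ZeekInitDone(); }`, using the compiler's attribute spelling instead if the build's C++ standard predates `[[deprecated]]`. The enclosing class body starts and ends outside the hunk.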
@@ -215,7 +215,7 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool
 ## distribute keys among available nodes.
 ##
 ## args: Either the event arguments as already made by
-## :bro:see:`Broker::make_event` or the argument list to pass along
+## :zeek:see:`Broker::make_event` or the argument list to pass along
 ## to it.
 ##
 ## Returns: true if the message is sent.
diff --git a/src/const.bif b/src/const.bif
index 2d062d854a..9da5950259 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -1,6 +1,6 @@
 ##! Declaration of various scripting-layer constants that the Bro core uses
 ##! internally. Documentation and default values for the scripting-layer
-##! variables themselves are found in :doc:`/scripts/base/init-bare.bro`.
+##! variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.
 const ignore_keep_alive_rexmit: bool;
 const skip_http_data: bool;
@@ -22,5 +22,6 @@ const Tunnel::enable_gre: bool;
 const Tunnel::delay_teredo_confirmation: bool;
 const Tunnel::delay_gtp_confirmation: bool;
 const Tunnel::ip_tunnel_timeout: interval;
+const Tunnel::validate_vxlan_checksums: bool;
 const Threading::heartbeat_interval: interval;
diff --git a/src/event.bif b/src/event.bif
index 28ed7f6807..3505c686a5 100644
--- a/src/event.bif
+++ b/src/event.bif
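Review bot: `const Tunnel::validate_vxlan_checksums: bool;` is declared without any documentation or default; by this file's own header those belong in `init-bare.zeek`, and that file's change is not in this part of the diff, so I cannot confirm the constant is documented there. The name suggests it gates whether VXLAN-encapsulated traffic with a bad UDP checksum is still decapsulated and analyzed, so the chosen default changes what a sensor sees and should be stated explicitly in the init-bare.zeek doc comment. It is also worth confirming that the C++ side reads the new constant, since no such change appears in this chunk.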
@@ -24,42 +24,48 @@
 #
 # - Parameters
 #
-# - .. bro:see::
+# - .. zeek:see::
 #
 # - .. note::
 #
 # - .. todo::
-## Generated at Bro initialization time. The event engine generates this
+## Generated at Zeek initialization time. The event engine generates this
 ## event just before normal input processing begins. It can be used to execute
-## one-time initialization code at startup. At the time a handler runs, Bro will
+## one-time initialization code at startup. At the time a handler runs, Zeek will
 ## have executed any global initializations and statements.
 ##
-## .. bro:see:: bro_done
+## .. zeek:see:: zeek_done
 ##
 ## .. note::
 ##
-## When a ``bro_init`` handler executes, Bro has not yet seen any input
-## packets and therefore :bro:id:`network_time` is not initialized yet. An
-## artifact of that is that any timer installed in a ``bro_init`` handler
+## When a ``zeek_init`` handler executes, Zeek has not yet seen any input
+## packets and therefore :zeek:id:`network_time` is not initialized yet. An
+## artifact of that is that any timer installed in a ``zeek_init`` handler
 ## will fire immediately with the first packet. The standard way to work
 ## around that is to ignore the first time the timer fires and immediately
 ## reschedule.
 ##
-event bro_init%(%);
+event zeek_init%(%);
-## Generated at Bro termination time. The event engine generates this event when
-## Bro is about to terminate, either due to having exhausted reading its input
-## trace file(s), receiving a termination signal, or because Bro was run without
+## Deprecated synonym for :zeek:see:`zeek_init`.
+event bro_init%(%) &deprecated;
+
+## Generated at Zeek termination time. The event engine generates this event when
+## Zeek is about to terminate, either due to having exhausted reading its input
+## trace file(s), receiving a termination signal, or because Zeek was run without
 ## a network input source and has finished executing any global statements.
 ##
-## .. bro:see:: bro_init
+## .. zeek:see:: zeek_init
 ##
 ## .. note::
 ##
-## If Bro terminates due to an invocation of :bro:id:`exit`, then this event
+## If Zeek terminates due to an invocation of :zeek:id:`exit`, then this event
 ## is not generated.
-event bro_done%(%);
+event zeek_done%(%);
+
+## Deprecated synonym for :zeek:see:`zeek_done`.
+event bro_done%(%) &deprecated;
 ## Generated for every new connection. This event is raised with the first
 ## packet of a previously unknown connection. Bro uses a flow-based definition
@@ -68,7 +74,7 @@ event bro_done%(%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_rejected connection_reset connection_reused
@@ -98,12 +104,12 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
 ## Generated when a TCP connection timed out. This event is raised when
 ## no activity was seen for an interval of at least
-## :bro:id:`tcp_connection_linger`, and either one endpoint has already
+## :zeek:id:`tcp_connection_linger`, and either one endpoint has already
 ## closed the connection or one side never became active.
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_rejected connection_reset connection_reused
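Review bot: The comment above `event bro_init%(%) &deprecated;` says only "Deprecated synonym", which leaves a reader of event.bif unsure whether an existing `bro_init` handler still runs (routed to `zeek_init`) or has become a no-op that merely warns; the same applies to `bro_done` in this hunk and to `bro_script_loaded` in the `@@ -841,12 +868,15 @@` hunk further down. I would extend each comment along the lines of `## Deprecated synonym for :zeek:see:\`zeek_init\`. Handlers for it are still invoked as handlers of the new event, but a deprecation warning is emitted.`, with the wording confirmed against how the core actually maps the old names, since that mapping is not part of this diff. Script authors migrating a deployment need that one sentence to know whether their startup hooks keep firing.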
@@ -115,7 +121,7 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
 ##
 ## The precise semantics of this event can be unintuitive as it only
 ## covers a subset of cases where a connection times out. Often, handling
-## :bro:id:`connection_state_remove` is the better option. That one will be
+## :zeek:id:`connection_state_remove` is the better option. That one will be
 ## generated reliably when an interval of ``tcp_inactivity_timeout`` has
 ## passed without any activity seen (but also for all other ways a
 ## connection may terminate).
@@ -130,7 +136,7 @@ event connection_timeout%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_rejected connection_reset connection_reused
@@ -145,7 +151,7 @@ event connection_state_remove%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_rejected connection_reset connection_state_remove
@@ -159,7 +165,7 @@ event connection_reused%(c: connection%);
 ##
 ## c: The connection.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_rejected connection_reset connection_reused
@@ -178,7 +184,7 @@ event connection_status_update%(c: connection%);
 ##
 ## new_label: The new flow label that the endpoint is using.
 ##
-## .. bro:see:: connection_established new_connection
+## .. zeek:see:: connection_established new_connection
 event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%);
 ## Generated for a new connection received from the communication subsystem.
@@ -198,11 +204,11 @@ event connection_external%(c: connection, tag: string%);
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##
-## .. bro:see:: udp_contents udp_reply udp_request
+## .. zeek:see:: udp_contents udp_reply udp_request
 event udp_session_done%(u: connection%);
 ## Generated when a connection is seen that is marked as being expected.
-## The function :bro:id:`Analyzer::schedule_analyzer` tells Bro to expect a
+## The function :zeek:id:`Analyzer::schedule_analyzer` tells Bro to expect a
 ## particular connection to come up, and which analyzer to associate with it.
 ## Once the first packet of such a connection is indeed seen, this event is
 ## raised.
@@ -210,11 +216,11 @@ event udp_session_done%(u: connection%);
 ## c: The connection.
 ##
 ## a: The analyzer that was scheduled for the connection with the
-## :bro:id:`Analyzer::schedule_analyzer` call. When the event is raised, that
+## :zeek:id:`Analyzer::schedule_analyzer` call. When the event is raised, that
 ## analyzer will already have been activated to process the connection. The
 ## ``count`` is one of the ``ANALYZER_*`` constants, e.g., ``ANALYZER_HTTP``.
 ##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
 ## connection_established connection_external connection_finished
 ## connection_first_ACK connection_half_finished connection_partial_close
 ## connection_pending connection_rejected connection_reset connection_reused
@@ -233,11 +239,11 @@ event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
 ##
 ## p: Information from the header of the packet that triggered the event.
 ##
-## .. bro:see:: new_packet packet_contents
+## .. zeek:see:: new_packet packet_contents
 event raw_packet%(p: raw_pkt_hdr%);
 ## Generated for all packets that make it into Bro's connection processing. In
-## contrast to :bro:id:`raw_packet` this filters out some more packets that don't
+## contrast to :zeek:id:`raw_packet` this filters out some more packets that don't
 ## pass certain sanity checks.
 ##
 ## This is a very low-level and expensive event that should be avoided when at all
@@ -249,7 +255,7 @@ event raw_packet%(p: raw_pkt_hdr%);
 ##
 ## p: Information from the header of the packet that triggered the event.
 ##
-## .. bro:see:: tcp_packet packet_contents raw_packet
+## .. zeek:see:: tcp_packet packet_contents raw_packet
 event new_packet%(c: connection, p: pkt_hdr%);
 ## Generated for every IPv6 packet that contains extension headers.
@@ -260,7 +266,7 @@ event new_packet%(c: connection, p: pkt_hdr%);
 ##
 ## p: Information from the header of the packet that triggered the event.
 ##
-## .. bro:see:: new_packet tcp_packet packet_contents esp_packet
+## .. zeek:see:: new_packet tcp_packet packet_contents esp_packet
 event ipv6_ext_headers%(c: connection, p: pkt_hdr%);
 ## Generated for any packets using the IPv6 Encapsulating Security Payload (ESP)
@@ -268,35 +274,35 @@ event ipv6_ext_headers%(c: connection, p: pkt_hdr%);
 ##
 ## p: Information from the header of the packet that triggered the event.
 ##
-## .. bro:see:: new_packet tcp_packet ipv6_ext_headers
+## .. zeek:see:: new_packet tcp_packet ipv6_ext_headers
 event esp_packet%(p: pkt_hdr%);
 ## Generated for any packet using a Mobile IPv6 Mobility Header.
 ##
 ## p: Information from the header of the packet that triggered the event.
 ##
-## .. bro:see:: new_packet tcp_packet ipv6_ext_headers
+## .. zeek:see:: new_packet tcp_packet ipv6_ext_headers
 event mobile_ipv6_message%(p: pkt_hdr%);
 ## Generated for every packet that has a non-empty transport-layer payload.
 ## This is a very low-level and expensive event that should be avoided when
 ## at all possible. It's usually infeasible to handle when processing even
 ## medium volumes of traffic in real-time. It's even worse than
-## :bro:id:`new_packet`. That said, if you work from a trace and want to
+## :zeek:id:`new_packet`. That said, if you work from a trace and want to
 ## do some packet-level analysis, it may come in handy.
 ##
 ## c: The connection the packet is part of.
 ##
 ## contents: The raw transport-layer payload.
 ##
-## .. bro:see:: new_packet tcp_packet
+## .. zeek:see:: new_packet tcp_packet
 event packet_contents%(c: connection, contents: string%);
 ## Generated when Bro detects a TCP retransmission inconsistency. When
 ## reassembling a TCP stream, Bro buffers all payload until it sees the
 ## responder acking it. If during that time, the sender resends a chunk of
 ## payload but with different content than originally, this event will be
-## raised. In addition, if :bro:id:`tcp_max_old_segments` is larger than zero,
+## raised. In addition, if :zeek:id:`tcp_max_old_segments` is larger than zero,
 ## mismatches with that older still-buffered data will likewise trigger the event.
 ##
 ## c: The connection showing the inconsistency.
@@ -311,7 +317,7 @@ event packet_contents%(c: connection, contents: string%);
 ## ``A`` -> ACK; ``P`` -> PUSH. This string will not always be set,
 ## only if the information is available; it's "best effort".
 ##
-## .. bro:see:: tcp_rexmit tcp_contents
+## .. zeek:see:: tcp_rexmit tcp_contents
 event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%);
 ## Generated when Bro detects a gap in a reassembled TCP payload stream. This
@@ -352,14 +358,14 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 ## aid: A unique integer ID identifying the specific *instance* of the
 ## analyzer *atype* that is analyzing the connection ``c``. The ID can
 ## be used to reference the analyzer when using builtin functions like
-## :bro:id:`disable_analyzer`.
+## :zeek:id:`disable_analyzer`.
 ##
-## .. bro:see:: protocol_violation
+## .. zeek:see:: protocol_violation
 ##
 ## .. note::
 ##
 ## Bro's default scripts use this event to determine the ``service`` column
-## of :bro:type:`Conn::Info`: once confirmed, the protocol will be listed
+## of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed
 ## there (and thus in ``conn.log``).
 event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
@@ -380,16 +386,16 @@ event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
 ## aid: A unique integer ID identifying the specific *instance* of the
 ## analyzer *atype* that is analyzing the connection ``c``. The ID can
 ## be used to reference the analyzer when using builtin functions like
-## :bro:id:`disable_analyzer`.
+## :zeek:id:`disable_analyzer`.
 ##
 ## reason: TODO.
 ##
-## .. bro:see:: protocol_confirmation
+## .. zeek:see:: protocol_confirmation
 ##
 ## .. note::
 ##
 ## Bro's default scripts use this event to disable an analyzer via
-## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's
+## :zeek:id:`disable_analyzer` if it's parsing the wrong protocol. That's
 ## however a script-level decision and not done automatically by the event
 ## engine.
 event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
@@ -404,7 +410,7 @@ event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reaso
 ##
 ## rs: Statistics for the responder endpoint.
 ##
-## .. bro:see:: connection_state_remove
+## .. zeek:see:: connection_state_remove
 event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 ## Generated for unexpected activity related to a specific connection. When
@@ -421,7 +427,7 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 ##
 ## addl: Optional additional context further describing the situation.
 ##
-## .. bro:see:: flow_weird net_weird
+## .. zeek:see:: flow_weird net_weird file_weird
 ##
 ## .. note:: "Weird" activity is much more common in real-world network traffic
 ## than one would intuitively expect. While in principle, any protocol
@@ -444,7 +450,7 @@ event conn_weird%(name: string, c: connection, addl: string%);
 ##
 ## dst: The destination address corresponding to the activity.
 ##
-## .. bro:see:: conn_weird net_weird
+## .. zeek:see:: conn_weird net_weird file_weird
 ##
 ## .. note:: "Weird" activity is much more common in real-world network traffic
 ## than one would intuitively expect. While in principle, any protocol
@@ -462,7 +468,7 @@ event flow_weird%(name: string, src: addr, dst: addr%);
 ## scripts use this name in filtering policies that specify which
 ## "weirds" are worth reporting.
 ##
-## .. bro:see:: flow_weird
+## .. zeek:see:: flow_weird file_weird
 ##
 ## .. note:: "Weird" activity is much more common in real-world network traffic
 ## than one would intuitively expect. While in principle, any protocol
@@ -470,8 +476,29 @@ event flow_weird%(name: string, src: addr, dst: addr%);
 ## endpoint's implementation interprets an RFC quite liberally.
 event net_weird%(name: string%);
+## Generated for unexpected activity that is tied to a file.
+## When Bro's packet analysis encounters activity that
+## does not conform to a protocol's specification, it raises one of the
+## ``*_weird`` events to report that.
+##
+## name: A unique name for the specific type of "weird" situation. Bro's default
+## scripts use this name in filtering policies that specify which
+## "weirds" are worth reporting.
+##
+## f: The corresponding file.
+##
+## addl: Additional information related to the weird.
+##
+## .. zeek:see:: flow_weird net_weird conn_weird
+##
+## .. note:: "Weird" activity is much more common in real-world network traffic
+## than one would intuitively expect. While in principle, any protocol
+## violation could be an attack attempt, it's much more likely that an
+## endpoint's implementation interprets an RFC quite liberally.
+event file_weird%(name: string, f: fa_file, addl: string%);
+
 ## Generated regularly for the purpose of profiling Bro's processing. This event
-## is raised for every :bro:id:`load_sample_freq` packet. For these packets,
+## is raised for every :zeek:id:`load_sample_freq` packet. For these packets,
 ## Bro records script-level functions executed during their processing as well
 ## as further internal locations. By sampling the processing in this form, one
 ## can understand where Bro spends its time.
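Review bot: The description of the new `file_weird` event is copied from the network weird events — `## When Bro's packet analysis encounters activity that` / `## does not conform to a protocol's specification` — yet this event is keyed by an `fa_file`, so what is being violated is presumably a file-format or file-analysis expectation rather than a wire protocol, and the closing `.. note::` about "real-world network traffic" and RFC liberality reads oddly for files. I would change the opening to `## When Bro's file analysis encounters activity that does not conform to a file format's specification, it raises this event to report that.` and reword the note to cover malformed files, hedged since the file analyzers that raise it are not in this diff. Adding `file_weird` to the `zeek:see` lists of the other weird events in the preceding hunks is a consistent complement.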
@@ -507,7 +534,7 @@ event signature_match%(state: signature_state, msg: string, data: string%);
 ## used on a system. This is a protocol-independent event that is fed by
 ## different analyzers. For example, the HTTP analyzer reports user-agent and
 ## server software by raising this event, assuming it can parse it (if not,
-## :bro:id:`software_parse_error` will be generated instead).
+## :zeek:id:`software_parse_error` will be generated instead).
 ##
 ## c: The connection.
 ##
@@ -518,7 +545,7 @@ event signature_match%(state: signature_state, msg: string, data: string%);
 ## descr: The raw (unparsed) software identification string as extracted from
 ## the protocol.
 ##
-## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found
+## .. zeek:see:: software_parse_error software_unparsed_version_found OS_version_found
 event software_version_found%(c: connection, host: addr,
 s: software, descr: string%);
@@ -526,7 +553,7 @@ event software_version_found%(c: connection, host: addr,
 ## used on a system but cannot parse it. This is a protocol-independent event
 ## that is fed by different analyzers. For example, the HTTP analyzer reports
 ## user-agent and server software by raising this event if it cannot parse them
-## directly (if it can :bro:id:`software_version_found` will be generated
+## directly (if it can :zeek:id:`software_version_found` will be generated
 ## instead).
 ##
 ## c: The connection.
@@ -536,7 +563,7 @@ event software_version_found%(c: connection, host: addr,
 ## descr: The raw (unparsed) software identification string as extracted from
 ## the protocol.
 ##
-## .. bro:see:: software_version_found software_unparsed_version_found
+## .. zeek:see:: software_version_found software_unparsed_version_found
 ## OS_version_found
 event software_parse_error%(c: connection, host: addr, descr: string%);
@@ -544,7 +571,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
 ## used on a system. This is a protocol-independent event that is fed by
 ## different analyzers. For example, the HTTP analyzer reports user-agent and
 ## server software by raising this event. Different from
-## :bro:id:`software_version_found` and :bro:id:`software_parse_error`, this
+## :zeek:id:`software_version_found` and :zeek:id:`software_parse_error`, this
 ## event is always raised, independent of whether Bro can parse the version
 ## string.
 ##
@@ -554,13 +581,13 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
 ##
 ## str: The software identification string as extracted from the protocol.
 ##
-## .. bro:see:: software_parse_error software_version_found OS_version_found
+## .. zeek:see:: software_parse_error software_version_found OS_version_found
 event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 ## Generated when an operating system has been fingerprinted. Bro uses `p0f
 ## `__ to fingerprint endpoints passively,
 ## and it raises this event for each system identified. The p0f fingerprints are
-## defined by :bro:id:`passive_fingerprint_file`.
+## defined by :zeek:id:`passive_fingerprint_file`.
 ##
 ## c: The connection.
 ##
@@ -568,7 +595,7 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 ##
 ## OS: The OS version string.
 ##
-## .. bro:see:: passive_fingerprint_file software_parse_error
+## .. zeek:see:: passive_fingerprint_file software_parse_error
 ## software_version_found software_unparsed_version_found
 ## generate_OS_version_event
 event OS_version_found%(c: connection, host: addr, OS: OS_version%);
@@ -579,7 +606,7 @@ event OS_version_found%(c: connection, host: addr, OS: OS_version%);
 ##
 ## p: A record describing the peer.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error
 ## remote_connection_handshake_done remote_event_registered remote_log remote_pong
 ## remote_state_access_performed remote_state_inconsistency print_hook
 event remote_connection_established%(p: event_peer%);
@@ -590,7 +617,7 @@ event remote_connection_established%(p: event_peer%);
 ##
 ## p: A record describing the peer.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_error
+## .. zeek:see:: remote_capture_filter remote_connection_error
 ## remote_connection_established remote_connection_handshake_done
 ## remote_event_registered remote_log remote_pong remote_state_access_performed
 ## remote_state_inconsistency print_hook
@@ -602,7 +629,7 @@ event remote_connection_closed%(p: event_peer%);
 ##
 ## p: A record describing the peer.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error
 ## remote_connection_established remote_event_registered remote_log remote_pong
 ## remote_state_access_performed remote_state_inconsistency print_hook
 event remote_connection_handshake_done%(p: event_peer%);
@@ -615,7 +642,7 @@ event remote_connection_handshake_done%(p: event_peer%);
 ##
 ## name: TODO.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_closed
+## .. zeek:see:: remote_capture_filter remote_connection_closed
 ## remote_connection_error remote_connection_established
 ## remote_connection_handshake_done remote_log remote_pong
 ## remote_state_access_performed remote_state_inconsistency print_hook
@@ -629,7 +656,7 @@ event remote_event_registered%(p: event_peer, name: string%);
 ##
 ## reason: A textual description of the error.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_closed
+## .. zeek:see:: remote_capture_filter remote_connection_closed
 ## remote_connection_established remote_connection_handshake_done
 ## remote_event_registered remote_log remote_pong remote_state_access_performed
 ## remote_state_inconsistency print_hook
@@ -643,20 +670,20 @@ event remote_connection_error%(p: event_peer, reason: string%);
 ##
 ## filter: The filter string sent by the peer.
 ##
-## .. bro:see:: remote_connection_closed remote_connection_error
+## .. zeek:see:: remote_connection_closed remote_connection_error
 ## remote_connection_established remote_connection_handshake_done
 ## remote_event_registered remote_log remote_pong remote_state_access_performed
 ## remote_state_inconsistency print_hook
 event remote_capture_filter%(p: event_peer, filter: string%);
-## Generated after a call to :bro:id:`send_state` when all data has been
+## Generated after a call to :zeek:id:`send_state` when all data has been
 ## successfully sent to the remote side. While this event is
 ## intended primarily for use by Bro's communication framework, it can also
 ## trigger additional code if helpful.
 ##
 ## p: A record describing the remote peer.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_closed
+## .. zeek:see:: remote_capture_filter remote_connection_closed
 ## remote_connection_error remote_connection_established
 ## remote_connection_handshake_done remote_event_registered remote_log remote_pong
 ## remote_state_access_performed remote_state_inconsistency print_hook
@@ -665,7 +692,7 @@ event finished_send_state%(p: event_peer%);
 ## Generated if state synchronization detects an inconsistency. While this
 ## event is intended primarily for use by Bro's communication framework, it can
 ## also trigger additional code if helpful. This event is only raised if
-## :bro:id:`remote_check_sync_consistency` is false.
+## :zeek:id:`remote_check_sync_consistency` is false.
 ##
 ## operation: The textual description of the state operation performed.
 ##
@@ -678,7 +705,7 @@ event finished_send_state%(p: event_peer%);
 ## found before the operation was carried out. The difference between
 ## *real_old* and *expected_old* is the inconsistency being reported.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_closed
+## .. zeek:see:: remote_capture_filter remote_connection_closed
 ## remote_connection_error remote_connection_established
 ## remote_connection_handshake_done remote_event_registered remote_log remote_pong
 ## remote_state_access_performed print_hook remote_check_sync_consistency
@@ -689,17 +716,17 @@ event remote_state_inconsistency%(operation: string, id: string,
 ## intended primarily for use by Bro's communication framework, it can also
 ## trigger additional code if helpful.
 ##
-## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or
-## :bro:id:`REMOTE_LOG_ERROR`.
+## level: The log level, which is either :zeek:id:`REMOTE_LOG_INFO` or
+## :zeek:id:`REMOTE_LOG_ERROR`.
 ##
 ## src: The component of the communication system that logged the message.
-## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's
-## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or
-## :bro:id:`REMOTE_SRC_SCRIPT` (the script level).
+## Currently, this will be one of :zeek:id:`REMOTE_SRC_CHILD` (Bro's
+## child process), :zeek:id:`REMOTE_SRC_PARENT` (Bro's main process), or
+## :zeek:id:`REMOTE_SRC_SCRIPT` (the script level).
 ##
 ## msg: The message logged.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error
 ## remote_connection_established remote_connection_handshake_done
 ## remote_event_registered remote_pong remote_state_access_performed
 ## remote_state_inconsistency print_hook remote_log_peer
@@ -708,21 +735,21 @@ event remote_log%(level: count, src: count, msg: string%);
 ## Generated for communication log messages. While this event is
 ## intended primarily for use by Bro's communication framework, it can also
 ## trigger additional code if helpful. This event is equivalent to
-## :bro:see:`remote_log` except the message is with respect to a certain peer.
+## :zeek:see:`remote_log` except the message is with respect to a certain peer.
 ##
 ## p: A record describing the remote peer.
 ##
-## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or
-## :bro:id:`REMOTE_LOG_ERROR`.
+## level: The log level, which is either :zeek:id:`REMOTE_LOG_INFO` or
+## :zeek:id:`REMOTE_LOG_ERROR`.
 ##
 ## src: The component of the communication system that logged the message.
-## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's
-## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or
-## :bro:id:`REMOTE_SRC_SCRIPT` (the script level).
+## Currently, this will be one of :zeek:id:`REMOTE_SRC_CHILD` (Bro's
+## child process), :zeek:id:`REMOTE_SRC_PARENT` (Bro's main process), or
+## :zeek:id:`REMOTE_SRC_SCRIPT` (the script level).
 ##
 ## msg: The message logged.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error
 ## remote_connection_established remote_connection_handshake_done
 ## remote_event_registered remote_pong remote_state_access_performed
 ## remote_state_inconsistency print_hook remote_log
@@ -730,12 +757,12 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%);
 ## Generated when a remote peer has answered to our ping. This event is part of
 ## Bro's infrastructure for measuring communication latency. One can send a ping
-## by calling :bro:id:`send_ping` and when a corresponding reply is received,
+## by calling :zeek:id:`send_ping` and when a corresponding reply is received,
 ## this event will be raised.
 ##
 ## p: The peer sending us the pong.
 ##
-## seq: The sequence number passed to the original :bro:id:`send_ping` call.
+## seq: The sequence number passed to the original :zeek:id:`send_ping` call.
 ## The number is sent back by the peer in its response.
 ##
 ## d1: The time interval between sending the ping and receiving the pong. This
@@ -748,7 +775,7 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%);
 ## ping and when its parent process sent the pong. This is the
 ## processing latency at the peer.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error
 ## remote_connection_established remote_connection_handshake_done
 ## remote_event_registered remote_log remote_state_access_performed
 ## remote_state_inconsistency print_hook
@@ -762,27 +789,27 @@ event remote_pong%(p: event_peer, seq: count,
 ##
 ## v: The new value of the variable.
 ##
-## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
+## .. zeek:see:: remote_capture_filter remote_connection_closed remote_connection_error
 ## remote_connection_established remote_connection_handshake_done
 ## remote_event_registered remote_log remote_pong remote_state_inconsistency
 ## print_hook
 event remote_state_access_performed%(id: string, v: any%);
 ## Generated each time Bro's internal profiling log is updated. The file is
-## defined by :bro:id:`profiling_file`, and its update frequency by
-## :bro:id:`profiling_interval` and :bro:id:`expensive_profiling_multiple`.
+## defined by :zeek:id:`profiling_file`, and its update frequency by
+## :zeek:id:`profiling_interval` and :zeek:id:`expensive_profiling_multiple`.
 ##
 ## f: The profiling file.
 ##
 ## expensive: True if this event corresponds to heavier-weight profiling as
-## indicated by the :bro:id:`expensive_profiling_multiple` variable.
+## indicated by the :zeek:id:`expensive_profiling_multiple` variable.
 ##
-## .. bro:see:: profiling_interval expensive_profiling_multiple
+## .. zeek:see:: profiling_interval expensive_profiling_multiple
 event profiling_update%(f: file, expensive: bool%);
 ## Raised for informational messages reported via Bro's reporter framework. Such
 ## messages may be generated internally by the event engine and also by other
-## scripts calling :bro:id:`Reporter::info`.
+## scripts calling :zeek:id:`Reporter::info`.
 ##
 ## t: The time the message was passed to the reporter.
 ##
@@ -791,7 +818,7 @@ event profiling_update%(f: file, expensive: bool%);
 ## location: A (potentially empty) string describing a location associated with
 ## the message.
 ##
-## .. bro:see:: reporter_warning reporter_error Reporter::info Reporter::warning
+## .. zeek:see:: reporter_warning reporter_error Reporter::info Reporter::warning
 ## Reporter::error
 ##
 ## .. note:: Bro will not call reporter events recursively. If the handler of
@@ -801,7 +828,7 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler;
 ## Raised for warnings reported via Bro's reporter framework. Such messages may
 ## be generated internally by the event engine and also by other scripts calling
-## :bro:id:`Reporter::warning`.
+## :zeek:id:`Reporter::warning`.
 ##
 ## t: The time the warning was passed to the reporter.
 ##
@@ -810,7 +837,7 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler;
 ## location: A (potentially empty) string describing a location associated with
 ## the warning.
 ##
-## .. bro:see:: reporter_info reporter_error Reporter::info Reporter::warning
+## .. zeek:see:: reporter_info reporter_error Reporter::info Reporter::warning
 ## Reporter::error
 ##
 ## .. note:: Bro will not call reporter events recursively. If the handler of
@@ -820,7 +847,7 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
 ## Raised for errors reported via Bro's reporter framework. Such messages may
 ## be generated internally by the event engine and also by other scripts calling
-## :bro:id:`Reporter::error`.
+## :zeek:id:`Reporter::error`.
 ##
 ## t: The time the error was passed to the reporter.
 ##
@@ -829,7 +856,7 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler; ## location: A (potentially empty) string describing a location associated with ## the error. ## -## .. bro:see:: reporter_info reporter_warning Reporter::info Reporter::warning +## .. zeek:see:: reporter_info reporter_warning Reporter::info Reporter::warning ## Reporter::error ## ## .. note:: Bro will not call reporter events recursively. If the handler of @@ -841,12 +868,15 @@ event reporter_error%(t: time, msg: string, location: string%) &error_handler; ## ## path: The full path to the script loaded. ## -## level: The "nesting level": zero for a top-level Bro script and incremented +## level: The "nesting level": zero for a top-level Zeek script and incremented ## recursively for each ``@load``. -event bro_script_loaded%(path: string, level: count%); +event zeek_script_loaded%(path: string, level: count%); + +## Deprecated synonym for :zeek:see:`zeek_script_loaded`. +event bro_script_loaded%(path: string, level: count%) &deprecated; ## Generated each time Bro's script interpreter opens a file. This event is -## triggered only for files opened via :bro:id:`open`, and in particular not for +## triggered only for files opened via :zeek:id:`open`, and in particular not for ## normal log files as created by log writers. ## ## f: The opened file. @@ -860,7 +890,7 @@ event event_queue_flush_point%(%); ## belongs. All incoming data to the framework is buffered, and depends ## on a handler for this event to return a string value that uniquely ## identifies a file. Among all handlers of this event, the last one to -## call :bro:see:`set_file_handle` will "win". +## call :zeek:see:`set_file_handle` will "win". ## ## tag: The analyzer which is carrying the file data. ## 
@@ -868,15 +898,15 @@ event event_queue_flush_point%(%); ## ## is_orig: The direction the file data is flowing over the connection. ## -## .. bro:see:: set_file_handle +## .. zeek:see:: set_file_handle event get_file_handle%(tag: Analyzer::Tag, c: connection, is_orig: bool%); ## Indicates that an analysis of a new file has begun. The analysis can be -## augmented at this time via :bro:see:`Files::add_analyzer`. +## augmented at this time via :zeek:see:`Files::add_analyzer`. ## ## f: The file. ## -## .. bro:see:: file_over_new_connection file_timeout file_gap +## .. zeek:see:: file_over_new_connection file_timeout file_gap ## file_sniff file_state_remove event file_new%(f: fa_file%); @@ -889,16 +919,16 @@ event file_new%(f: fa_file%); ## ## is_orig: true if the originator of *c* is the one sending the file. ## -## .. bro:see:: file_new file_timeout file_gap file_sniff +## .. zeek:see:: file_new file_timeout file_gap file_sniff ## file_state_remove event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%); ## Provide all metadata that has been inferred about a particular file ## from inspection of the initial content that been seen at the beginning ## of the file. The analysis can be augmented at this time via -## :bro:see:`Files::add_analyzer`. The amount of data fed into the file +## :zeek:see:`Files::add_analyzer`. The amount of data fed into the file ## sniffing can be increased or decreased by changing either -## :bro:see:`default_file_bof_buffer_size` or the `bof_buffer_size` field +## :zeek:see:`default_file_bof_buffer_size` or the `bof_buffer_size` field ## in an `fa_file` record. The event will be raised even if content inspection ## has been unable to infer any metadata, in which case the fields in *meta* ## will be left all unset. 
@@ -907,7 +937,7 @@ event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%); ## ## meta: Metadata that's been discovered about the file. ## -## .. bro:see:: file_over_new_connection file_timeout file_gap +## .. zeek:see:: file_over_new_connection file_timeout file_gap ## file_state_remove event file_sniff%(f: fa_file, meta: fa_metadata%); @@ -916,7 +946,7 @@ event file_sniff%(f: fa_file, meta: fa_metadata%); ## ## f: The file. ## -## .. bro:see:: file_new file_over_new_connection file_gap +## .. zeek:see:: file_new file_over_new_connection file_gap ## file_sniff file_state_remove default_file_timeout_interval ## Files::set_timeout_interval event file_timeout%(f: fa_file%); @@ -929,12 +959,12 @@ event file_timeout%(f: fa_file%); ## ## len: The number of missing bytes. ## -## .. bro:see:: file_new file_over_new_connection file_timeout +## .. zeek:see:: file_new file_over_new_connection file_timeout ## file_sniff file_state_remove file_reassembly_overflow event file_gap%(f: fa_file, offset: count, len: count%); ## Indicates that the file had an overflow of the reassembly buffer. -## This is a specialization of the :bro:id:`file_gap` event. +## This is a specialization of the :zeek:id:`file_gap` event. ## ## f: The file. ## @@ -945,7 +975,7 @@ event file_gap%(f: fa_file, offset: count, len: count%); ## file data and get back under the reassembly buffer size limit. ## This value will also be represented as a gap. ## -## .. bro:see:: file_new file_over_new_connection file_timeout +## .. zeek:see:: file_new file_over_new_connection file_timeout ## file_sniff file_state_remove file_gap ## Files::enable_reassembler Files::reassembly_buffer_size ## Files::enable_reassembly Files::disable_reassembly 
@@ -956,7 +986,7 @@ event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%); ## ## f: The file. ## -## .. bro:see:: file_new file_over_new_connection file_timeout file_gap +## .. zeek:see:: file_new file_over_new_connection file_timeout file_gap ## file_sniff event file_state_remove%(f: fa_file%); @@ -967,7 +997,7 @@ event file_state_remove%(f: fa_file%); ## ## dm: A record describing the new resolver result (which matches the old one). ## -## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name ## dns_mapping_unverified event dns_mapping_valid%(dm: dns_mapping%); @@ -979,7 +1009,7 @@ event dns_mapping_valid%(dm: dns_mapping%); ## ## dm: A record describing the old resolver result. ## -## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name ## dns_mapping_valid event dns_mapping_unverified%(dm: dns_mapping%); @@ -990,7 +1020,7 @@ event dns_mapping_unverified%(dm: dns_mapping%); ## ## dm: A record describing the new resolver result. ## -## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified +## .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified ## dns_mapping_valid event dns_mapping_new_name%(dm: dns_mapping%); @@ -1002,7 +1032,7 @@ event dns_mapping_new_name%(dm: dns_mapping%); ## ## dm: A record describing the old resolver result. ## -## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified +## .. zeek:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified ## dns_mapping_valid event dns_mapping_lost_name%(dm: dns_mapping%); 
@@ -1019,7 +1049,7 @@ event dns_mapping_lost_name%(dm: dns_mapping%); ## new_addrs: Addresses that were not part of the returned set for the query ## described by *dm*, but now are. ## -## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## .. zeek:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified ## dns_mapping_valid event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%); diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 92c4356bda..641943909e 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -649,3 +649,9 @@ void File::FileEvent(EventHandlerPtr h, val_list* vl) analyzers.DrainModifications(); } } + +bool File::PermitWeird(const char* name, uint64 threshold, uint64 rate, + double duration) + { + return ::PermitWeird(weird_state, name, threshold, rate, duration); + } diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 1d4fb03789..0c4c313f06 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -13,6 +13,7 @@ #include "Tag.h" #include "AnalyzerSet.h" #include "BroString.h" +#include "WeirdState.h" namespace file_analysis { @@ -192,6 +193,13 @@ public: */ bool SetMime(const string& mime_type); + /** + * Whether to permit a weird to carry on through the full reporter/weird + * framework. + */ + bool PermitWeird(const char* name, uint64 threshold, uint64 rate, + double duration); + protected: friend class Manager; friend class FileReassembler; @@ -325,6 +333,8 @@ protected: BroString::CVec chunks; } bof_buffer; /**< Beginning of file buffer. */ + WeirdStateMap weird_state; + static int id_idx; static int parent_id_idx; static int source_idx; diff --git a/src/file_analysis/analyzer/extract/events.bif b/src/file_analysis/analyzer/extract/events.bif index d1dfe0c654..2324294b88 100644 --- a/src/file_analysis/analyzer/extract/events.bif +++ b/src/file_analysis/analyzer/extract/events.bif 
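Review bot: `WeirdStateMap weird_state;` is added to the protected member block in File.h without the trailing `/**< ... */` comment that the neighbouring `bof_buffer` field carries, and the `PermitWeird` comment above it names none of its four parameters. Suggest `WeirdStateMap weird_state; /**< State consulted by PermitWeird() for this file's weirds. */` plus `@param` lines for `name`, `threshold`, `rate` and `duration`; their exact semantics are defined by the `::PermitWeird` helper declared in WeirdState.h, which is outside this diff, so the wording should be checked against it. The File.cc wrapper is a one-line forward and needs nothing further.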
@@ -1,17 +1,17 @@ ## This event is generated when a file extraction analyzer is about ## to exceed the maximum permitted file size allowed by the -## *extract_limit* field of :bro:see:`Files::AnalyzerArgs`. +## *extract_limit* field of :zeek:see:`Files::AnalyzerArgs`. ## The analyzer is automatically removed from file *f*. ## ## f: The file. ## ## args: Arguments that identify a particular file extraction analyzer. ## This is only provided to be able to pass along to -## :bro:see:`FileExtract::set_limit`. +## :zeek:see:`FileExtract::set_limit`. ## ## limit: The limit, in bytes, the extracted file is about to breach. ## ## len: The length of the file chunk about to be written. ## -## .. bro:see:: Files::add_analyzer Files::ANALYZER_EXTRACT +## .. zeek:see:: Files::add_analyzer Files::ANALYZER_EXTRACT event file_extraction_limit%(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count%); diff --git a/src/file_analysis/analyzer/extract/functions.bif b/src/file_analysis/analyzer/extract/functions.bif index 18e9dde171..c91f0590bd 100644 --- a/src/file_analysis/analyzer/extract/functions.bif +++ b/src/file_analysis/analyzer/extract/functions.bif @@ -6,7 +6,7 @@ module FileExtract; #include "file_analysis/Manager.h" %%} -## :bro:see:`FileExtract::set_limit`. +## :zeek:see:`FileExtract::set_limit`. function FileExtract::__set_limit%(file_id: string, args: any, n: count%): bool %{ using BifType::Record::Files::AnalyzerArgs; diff --git a/src/file_analysis/analyzer/hash/events.bif b/src/file_analysis/analyzer/hash/events.bif index e03cbf359a..814c4741e6 100644 --- a/src/file_analysis/analyzer/hash/events.bif +++ b/src/file_analysis/analyzer/hash/events.bif @@ -7,6 +7,6 @@ ## ## hash: The result of the hashing. ## -## .. bro:see:: Files::add_analyzer Files::ANALYZER_MD5 +## .. zeek:see:: Files::add_analyzer Files::ANALYZER_MD5 ## Files::ANALYZER_SHA1 Files::ANALYZER_SHA256 event file_hash%(f: fa_file, kind: string, hash: string%); 
diff --git a/src/file_analysis/analyzer/pe/CMakeLists.txt b/src/file_analysis/analyzer/pe/CMakeLists.txt index 7fc89bfd51..5708f98e8f 100644 --- a/src/file_analysis/analyzer/pe/CMakeLists.txt +++ b/src/file_analysis/analyzer/pe/CMakeLists.txt @@ -6,5 +6,12 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} bro_plugin_begin(Bro PE) bro_plugin_cc(PE.cc Plugin.cc) bro_plugin_bif(events.bif) -bro_plugin_pac(pe.pac pe-file.pac pe-analyzer.pac) +bro_plugin_pac( + pe.pac + pe-analyzer.pac + pe-file-headers.pac + pe-file-idata.pac + pe-file.pac + pe-file-types.pac +) bro_plugin_end() diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc index 9db13291b0..070aff32dd 100644 --- a/src/file_analysis/analyzer/pe/PE.cc +++ b/src/file_analysis/analyzer/pe/PE.cc @@ -20,7 +20,8 @@ PE::~PE() bool PE::DeliverStream(const u_char* data, uint64 len) { if ( conn->is_done() ) - return true; + return false; + try { interp->NewData(data, data + len); @@ -30,7 +31,7 @@ bool PE::DeliverStream(const u_char* data, uint64 len) return false; } - return true; + return ! conn->is_done(); } bool PE::EndOfFile() diff --git a/src/file_analysis/analyzer/pe/events.bif b/src/file_analysis/analyzer/pe/events.bif index c804937c49..1d25936a65 100644 --- a/src/file_analysis/analyzer/pe/events.bif +++ b/src/file_analysis/analyzer/pe/events.bif @@ -6,7 +6,7 @@ ## ## h: The parsed DOS header information. ## -## .. bro:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header +## .. zeek:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); ## A :abbr:`PE (Portable Executable)` file DOS stub was parsed. 
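Review bot: The two changed return statements in `PE::DeliverStream` (`return false;` when the binpac connection is already done, and `return ! conn->is_done();` after feeding data) invert the previous meaning of the return value without a comment, so a reader has to cross-reference the new `mark_done()` call in pe-file-headers.pac to see that `false` is now the normal outcome once the headers are parsed. Suggest a comment above the first check, `// Once the headers are parsed (conn->is_done()) return false so no further data is delivered to this analyzer — TODO confirm against the Analyzer::DeliverStream contract`, since that contract is not part of this diff. The function's catch block and final return sit in the second hunk, so the whole body is only visible across both hunks.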
@@ -17,7 +17,7 @@ event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); ## ## code: The DOS stub ## -## .. bro:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header +## .. zeek:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header event pe_dos_code%(f: fa_file, code: string%); ## A :abbr:`PE (Portable Executable)` file file header was parsed. @@ -29,7 +29,7 @@ event pe_dos_code%(f: fa_file, code: string%); ## ## h: The parsed file header information. ## -## .. bro:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header +## .. zeek:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header event pe_file_header%(f: fa_file, h: PE::FileHeader%); ## A :abbr:`PE (Portable Executable)` file optional header was parsed. @@ -42,7 +42,7 @@ event pe_file_header%(f: fa_file, h: PE::FileHeader%); ## ## h: The parsed optional header information. ## -## .. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header +## .. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); ## A :abbr:`PE (Portable Executable)` file section header was parsed. @@ -53,5 +53,5 @@ event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); ## ## h: The parsed section header information. ## -## .. bro:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header +## .. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header event pe_section_header%(f: fa_file, h: PE::SectionHeader%); diff --git a/src/file_analysis/analyzer/pe/pe-file-headers.pac b/src/file_analysis/analyzer/pe/pe-file-headers.pac index f12d76e035..9eee6e03da 100644 --- a/src/file_analysis/analyzer/pe/pe-file-headers.pac +++ b/src/file_analysis/analyzer/pe/pe-file-headers.pac 
@@ -1,3 +1,8 @@ +# Do not try parsing if the DOS stub program seems larger than 4mb. +# DOS stub programs are not expected to be much more than on the order of +# hundreds of bytes even though the format allows a full 32-bit range. +let MAX_DOS_CODE_LENGTH = 4 * 1024 * 1024; + type Headers = record { dos_header : DOS_Header; dos_code : DOS_Code(dos_code_len); @@ -6,6 +11,9 @@ type Headers = record { } &let { dos_code_len: uint32 = dos_header.AddressOfNewExeHeader > 64 ? dos_header.AddressOfNewExeHeader - 64 : 0; length: uint64 = 64 + dos_code_len + pe_header.length + section_headers.length; + + # Do not care about parsing rest of the file so mark done now ... + proc: bool = $context.connection.mark_done(); }; # The DOS header gives us the offset of the NT headers @@ -28,7 +36,7 @@ type DOS_Header = record { OEMid : uint16; OEMinfo : uint16; Reserved2 : uint16[10]; - AddressOfNewExeHeader : uint32; + AddressOfNewExeHeader : uint32 &enforce(AddressOfNewExeHeader >= 64 && (AddressOfNewExeHeader - 64) < MAX_DOS_CODE_LENGTH); } &length=64; type DOS_Code(len: uint32) = record { diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index b5ec4f30c6..c49481c23a 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -160,11 +160,11 @@ bool file_analysis::OCSP::EndOfFile() if (!req) { - reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "openssl_ocsp_request_parse_error"); return false; } - ParseRequest(req, GetFile()->GetID().c_str()); + ParseRequest(req); OCSP_REQUEST_free(req); } else 
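Review bot: The new `&enforce` on `AddressOfNewExeHeader` makes the `> 64 ? ... - 64 : 0` conditional in `dos_code_len` redundant, because a header with a value below 64 is rejected before the `&let` runs; `dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64;` would state the invariant directly, and keeping the old guard is harmless but misleading. The comment on `MAX_DOS_CODE_LENGTH` gives the size rationale but not the failure mode: an `&enforce` violation is raised as a binpac exception, which the try/catch in `PE::DeliverStream` (PE.cc hunks in this diff) appears to turn into `return false`, so a one-line note such as `# A violation throws in binpac; PE::DeliverStream catches it and stops the analyzer.` would save the next reader a trip. The added `proc: bool = $context.connection.mark_done();` relies on `mark_done` being defined in pe-analyzer.pac, which is not part of this diff.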
@@ -173,12 +173,12 @@ bool file_analysis::OCSP::EndOfFile() if (!resp) { - reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "openssl_ocsp_response_parse_error"); return false; } OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership - ParseResponse(resp_val, GetFile()->GetID().c_str()); + ParseResponse(resp_val); Unref(resp_val); } @@ -412,7 +412,7 @@ static uint64 parse_request_version(OCSP_REQUEST* req) } #endif -void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) +void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req) { char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions memset(buf, 0, sizeof(buf)); @@ -453,7 +453,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) BIO_free(bio); } -void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) +void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) { OCSP_RESPONSE *resp = resp_val->GetResp(); //OCSP_RESPBYTES *resp_bytes = resp->responseBytes; @@ -532,7 +532,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) produced_at = OCSP_resp_get0_produced_at(basic_resp); #endif - vl->append(new Val(GetTimeFromAsn1(produced_at, fid, reporter), TYPE_TIME)); + vl->append(new Val(GetTimeFromAsn1(produced_at, GetFile(), reporter), TYPE_TIME)); // responses @@ -579,7 +579,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) // revocation time and reason if revoked if ( status == V_OCSP_CERTSTATUS_REVOKED ) { - rvl->append(new Val(GetTimeFromAsn1(revoke_time, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(revoke_time, GetFile(), reporter), TYPE_TIME)); if ( reason != OCSP_REVOKED_STATUS_NOSTATUS ) { 
@@ -596,12 +596,12 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) } if ( this_update ) - rvl->append(new Val(GetTimeFromAsn1(this_update, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(this_update, GetFile(), reporter), TYPE_TIME)); else rvl->append(new Val(0.0, TYPE_TIME)); if ( next_update ) - rvl->append(new Val(GetTimeFromAsn1(next_update, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(next_update, GetFile(), reporter), TYPE_TIME)); else rvl->append(new Val(0.0, TYPE_TIME)); diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index 75caf3120a..eb6499794c 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -29,8 +29,8 @@ protected: OCSP(RecordVal* args, File* file, bool request); private: - void ParseResponse(OCSP_RESPVal*, const char* fid = 0); - void ParseRequest(OCSP_REQUEST*, const char* fid = 0); + void ParseResponse(OCSP_RESPVal*); + void ParseRequest(OCSP_REQUEST*); void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; std::string ocsp_data; diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index e34bf58d82..38422897db 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc 
@@ -47,14 +47,14 @@ bool file_analysis::X509::EndOfFile() ::X509* ssl_cert = d2i_X509(NULL, &cert_char, cert_data.size()); if ( ! ssl_cert ) { - reporter->Weird(fmt("Could not parse X509 certificate (fuid %s)", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "x509_cert_parse_error"); return false; } X509Val* cert_val = new X509Val(ssl_cert); // cert_val takes ownership of ssl_cert // parse basic information into record. - RecordVal* cert_record = ParseCertificate(cert_val, GetFile()->GetID().c_str()); + RecordVal* cert_record = ParseCertificate(cert_val, GetFile()); // and send the record on to scriptland val_list* vl = new val_list(); @@ -86,7 +86,7 @@ bool file_analysis::X509::EndOfFile() return false; } -RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* fid) +RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f) { ::X509* ssl_cert = cert_val->GetCertificate(); @@ -133,8 +133,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* pX509Cert->Assign(3, new StringVal(len, buf)); BIO_free(bio); - pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid, reporter), TYPE_TIME)); - pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid, reporter), TYPE_TIME)); + pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter), TYPE_TIME)); + pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter), TYPE_TIME)); // we only read 255 bytes because byte 256 is always 0. // if the string is longer than 255, that will be our null-termination, 
@@ -236,7 +236,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) } else - reporter->Weird(fmt("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "x509_invalid_basic_constraint"); } void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) @@ -266,7 +266,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) GENERAL_NAMES *altname = (GENERAL_NAMES*)X509V3_EXT_d2i(ext); if ( ! altname ) { - reporter->Weird(fmt("Could not parse subject alternative names. fuid %s", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "x509_san_parse_error"); return; } @@ -286,7 +286,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) { if ( ASN1_STRING_type(gen->d.ia5) != V_ASN1_IA5STRING ) { - reporter->Weird(fmt("DNS-field does not contain an IA5String. fuid %s", GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "x509_san_non_string"); continue; } @@ -337,7 +337,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) else { - reporter->Weird(fmt("Weird IP address length %d in subject alternative name. fuid %s", gen->d.ip->length, GetFile()->GetID().c_str())); + reporter->Weird(GetFile(), "x509_san_ip_length", fmt("%d", gen->d.ip->length)); continue; } } diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 91a5a7a5a1..a3dc62e533 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h 
@@ -79,13 +79,13 @@ public: * * @param cert_val The certificate to converts. * - * @param fid A file ID associated with the certificate, if any + * @param f A file associated with the certificate, if any * (primarily for error reporting). * * @param Returns the new record value and passes ownership to * caller. */ - static RecordVal* ParseCertificate(X509Val* cert_val, const char* fid = 0); + static RecordVal* ParseCertificate(X509Val* cert_val, File* file = 0); static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return new X509(args, file); } diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index d59a383b78..b6c16fc1dc 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -20,9 +20,16 @@ X509Common::X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* ar { } -double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) +static void EmitWeird(const char* name, File* file, const char* addl = "") + { + if ( file ) + reporter->Weird(file, name, addl); + else + reporter->Weird(name); + } + +double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, File* f, Reporter* reporter) { - const char *fid = arg_fid ? arg_fid : ""; time_t lResult = 0; char lBuffer[26]; @@ -35,14 +42,14 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, { if ( remaining < 11 || remaining > 17 ) { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); + EmitWeird("x509_utc_length", f); return 0; } if ( pString[remaining-1] != 'Z' ) { // not valid according to RFC 2459 4.1.2.5.1 - reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); + EmitWeird("x509_utc_format", f); return 0; } 
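Review bot: The new declaration `static RecordVal* ParseCertificate(X509Val* cert_val, File* file = 0);` names the parameter `file`, while the doc comment directly above it was changed to `@param f` and the definition in X509.cc (hunk @@ -86 on the previous line) uses `File* f`. Renaming it in the header, `static RecordVal* ParseCertificate(X509Val* cert_val, File* f = 0);`, makes the three agree. The adjacent `@param Returns ...` line in the same comment is not a parameter and would read correctly as `@return The new record value; ownership passes to the caller.`.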
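Review bot: `GetTimeFromAsn1` still takes a `Reporter* reporter` parameter, but the new `EmitWeird` helper it now calls is a file-scope static function whose `reporter->Weird(...)` resolves to the file-scope `reporter`, so the reporter passed by callers no longer reaches any of the weirds emitted in this function (hunk @@ -35 here and @@ -71, -82, -115, -130 on the next line). Either drop the parameter from the declaration in X509Common.h and its callers in X509.cc and OCSP.cc, or thread it through: `static void EmitWeird(Reporter* r, const char* name, File* file, const char* addl = "")` with call sites such as `EmitWeird(reporter, "x509_utc_length", f);`. The `GetExtensionFromBIO` call site in the following line, `EmitWeird("x509_get_ext_from_bio", f, tmp)`, has no reporter parameter in scope and would keep using the global. The end of `GetTimeFromAsn1` lies outside these hunks.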
@@ -71,7 +78,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, if ( remaining < 12 || remaining > 23 ) { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); + EmitWeird("x509_gen_time_length", f); return 0; } @@ -82,7 +89,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, } else { - reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); + EmitWeird("x509_invalid_time_type", f); return 0; } @@ -115,7 +122,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, else { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); + EmitWeird("x509_time_add_char", f); return 0; } @@ -130,13 +137,13 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, { if ( remaining < 5 ) { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); + EmitWeird("x509_time_offset_underflow", f); return 0; } if ((*pString != '+') && (*pString != '-')) { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); + EmitWeird("x509_time_offset_type", f); return 0; } @@ -249,7 +256,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP } } - StringVal* ext_val = GetExtensionFromBIO(bio); + StringVal* ext_val = GetExtensionFromBIO(bio, GetFile()); if ( ! ext_val ) ext_val = new StringVal(0, ""); @@ -282,7 +289,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP ParseExtensionsSpecific(ex, global, ext_asn, oid); } -StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio) +StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f) { BIO_flush(bio); ERR_clear_error(); 
@@ -292,7 +299,7 @@ StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio) { char tmp[120]; ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp)); - reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp)); + EmitWeird("x509_get_ext_from_bio", f, tmp); BIO_free_all(bio); return 0; } diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h index a7015bc235..2f02357cca 100644 --- a/src/file_analysis/analyzer/x509/X509Common.h +++ b/src/file_analysis/analyzer/x509/X509Common.h @@ -25,11 +25,13 @@ public: * @param bio the OpenSSL BIO to read. It will be freed by the function, * including when an error occurs. * + * @param f an associated file, if any (used for error reporting). + * * @return The X509 extension value. */ - static StringVal* GetExtensionFromBIO(BIO* bio); + static StringVal* GetExtensionFromBIO(BIO* bio, File* f = 0); - static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter); + static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, Reporter* reporter); protected: X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file); diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index 68afe5340a..fd4f9fadfe 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -11,7 +11,7 @@ ## ## cert: The parsed certificate information. ## -## .. bro:see:: x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify ## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%); 
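Review bot: The changed declaration `static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, Reporter* reporter);` in X509Common.h still carries no doc comment, while `GetExtensionFromBIO` in the same hunk gained a `@param f` description for the identical new argument. A short comment stating that it converts an ASN1_TIME to a double, that `f` may be null and is only used to attribute weirds, and that 0 is returned on any parse failure (each weird branch in X509Common.cc ends in `return 0;`) would match the neighbouring declaration's style. The definition of `GetExtensionFromBIO` begins in the previous line and its remaining body is outside this hunk.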
@@ -25,7 +25,7 @@ event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certif ## ## ext: The parsed extension. ## -## .. bro:see:: x509_certificate x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify ## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_extension%(f: fa_file, ext: X509::Extension%); @@ -37,7 +37,7 @@ event x509_extension%(f: fa_file, ext: X509::Extension%); ## ## ext: The parsed basic constraints extension. ## -## .. bro:see:: x509_certificate x509_extension +## .. zeek:see:: x509_certificate x509_extension ## x509_ext_subject_alternative_name x509_parse x509_verify ## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); @@ -51,7 +51,7 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## ## ext: The parsed subject alternative name extension. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp ## x509_get_certificate_string event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%); @@ -76,7 +76,7 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati ## ## signature: signature part of the digitally_signed struct ## -## .. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints +## .. zeek:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints ## x509_parse x509_verify x509_ext_subject_alternative_name ## x509_get_certificate_string ssl_extension_signed_certificate_timestamp ## sct_verify ocsp_request ocsp_request_certificate ocsp_response_status 
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index e4e263fd35..40d4ec6da8 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -192,7 +192,7 @@ const EVP_MD* hash_to_evp(int hash) ## ## Returns: A X509::Certificate structure. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_verify ## x509_get_certificate_string function x509_parse%(cert: opaque of x509%): X509::Certificate @@ -213,7 +213,7 @@ function x509_parse%(cert: opaque of x509%): X509::Certificate ## ## Returns: X509 certificate as a string. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F%): string %{ @@ -249,7 +249,7 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F ## Returns: A record of type X509::Result containing the result code of the ## verify operation. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse ## x509_get_certificate_string x509_verify function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result 
@@ -536,7 +536,7 @@ x509_ocsp_cleanup: ## verify operation. In case of success also returns the full ## certificate chain. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse ## x509_get_certificate_string x509_ocsp_verify sct_verify function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result @@ -646,7 +646,7 @@ x509_verify_chainerror: ## ## Returns: T if the validation could be performed succesfully, F otherwhise. ## -## .. bro:see:: ssl_extension_signed_certificate_timestamp +## .. zeek:see:: ssl_extension_signed_certificate_timestamp ## x509_ocsp_ext_signed_certificate_timestamp ## x509_verify function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool @@ -876,7 +876,7 @@ StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int ha ## ## Returns: The hash as a string. ## -## .. bro:see:: x509_issuer_name_hash x509_spki_hash +## .. zeek:see:: x509_issuer_name_hash x509_spki_hash ## x509_verify sct_verify function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ @@ -894,7 +894,7 @@ function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string ## ## Returns: The hash as a string. ## -## .. bro:see:: x509_subject_name_hash x509_spki_hash +## .. zeek:see:: x509_subject_name_hash x509_spki_hash ## x509_verify sct_verify function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ 
@@ -912,7 +912,7 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string ## ## Returns: The hash as a string. ## -## .. bro:see:: x509_subject_name_hash x509_issuer_name_hash +## .. zeek:see:: x509_subject_name_hash x509_issuer_name_hash ## x509_verify sct_verify function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string %{ diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index f49208d238..564126b2bb 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif @@ -7,7 +7,7 @@ ## ## req: version: the version of the OCSP request. Typically 0 (Version 1). ## -## .. bro:see:: ocsp_request_certificate ocsp_response_status +## .. zeek:see:: ocsp_request_certificate ocsp_response_status ## ocsp_response_bytes ocsp_response_certificate ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_request%(f: fa_file, version: count%); @@ -27,7 +27,7 @@ event ocsp_request%(f: fa_file, version: count%); ## ## serialNumber: Serial number of the certificate for which the status is requested. ## -## .. bro:see:: ocsp_request ocsp_response_status +## .. zeek:see:: ocsp_request ocsp_response_status ## ocsp_response_bytes ocsp_response_certificate ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%); @@ -41,7 +41,7 @@ event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHas ## ## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). ## -## .. bro:see:: ocsp_request ocsp_request_certificate +## .. zeek:see:: ocsp_request ocsp_request_certificate ## ocsp_response_bytes ocsp_response_certificate ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_response_status%(f: fa_file, status: string%); 
@@ -68,7 +68,7 @@ event ocsp_response_status%(f: fa_file, status: string%); ## certs: Optional list of certificates that are sent with the OCSP response; these typically ## are needed to perform validation of the reply. ## -## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status ## ocsp_response_certificate ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%); @@ -96,7 +96,7 @@ event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: st ## ## nextUpdate: Time next response will be ready; 0 if not supploed. ## -## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status ## ocsp_response_bytes ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time%); @@ -111,7 +111,7 @@ event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHa ## global_resp: T if extension encountered in the global response (in ResponseData), ## F when encountered in a SingleResponse. ## -## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status ## ocsp_response_bytes ocsp_response_certificate ## x509_ocsp_ext_signed_certificate_timestamp event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%); diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index 81435bc3b5..f3086041b0 100644 
--- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif @@ -8,35 +8,35 @@ module Files; type AnalyzerArgs: record; -## :bro:see:`Files::set_timeout_interval`. +## :zeek:see:`Files::set_timeout_interval`. function Files::__set_timeout_interval%(file_id: string, t: interval%): bool %{ bool result = file_mgr->SetTimeoutInterval(file_id->CheckString(), t); return val_mgr->GetBool(result); %} -## :bro:see:`Files::enable_reassembly`. +## :zeek:see:`Files::enable_reassembly`. function Files::__enable_reassembly%(file_id: string%): bool %{ bool result = file_mgr->EnableReassembly(file_id->CheckString()); return val_mgr->GetBool(result); %} -## :bro:see:`Files::disable_reassembly`. +## :zeek:see:`Files::disable_reassembly`. function Files::__disable_reassembly%(file_id: string%): bool %{ bool result = file_mgr->DisableReassembly(file_id->CheckString()); return val_mgr->GetBool(result); %} -## :bro:see:`Files::set_reassembly_buffer_size`. +## :zeek:see:`Files::set_reassembly_buffer_size`. function Files::__set_reassembly_buffer%(file_id: string, max: count%): bool %{ bool result = file_mgr->SetReassemblyBuffer(file_id->CheckString(), max); return val_mgr->GetBool(result); %} -## :bro:see:`Files::add_analyzer`. +## :zeek:see:`Files::add_analyzer`. function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool %{ using BifType::Record::Files::AnalyzerArgs; @@ -47,7 +47,7 @@ function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): b return val_mgr->GetBool(result); %} -## :bro:see:`Files::remove_analyzer`. +## :zeek:see:`Files::remove_analyzer`. function Files::__remove_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool %{ using BifType::Record::Files::AnalyzerArgs; 
@@ -58,20 +58,20 @@ function Files::__remove_analyzer%(file_id: string, tag: Files::Tag, args: any%) return val_mgr->GetBool(result); %} -## :bro:see:`Files::stop`. +## :zeek:see:`Files::stop`. function Files::__stop%(file_id: string%): bool %{ bool result = file_mgr->IgnoreFile(file_id->CheckString()); return val_mgr->GetBool(result); %} -## :bro:see:`Files::analyzer_name`. +## :zeek:see:`Files::analyzer_name`. function Files::__analyzer_name%(tag: Files::Tag%) : string %{ return new StringVal(file_mgr->GetComponentName(tag)); %} -## :bro:see:`Files::file_exists`. +## :zeek:see:`Files::file_exists`. function Files::__file_exists%(fuid: string%): bool %{ if ( file_mgr->LookupFile(fuid->CheckString()) != nullptr ) @@ -80,7 +80,7 @@ function Files::__file_exists%(fuid: string%): bool return val_mgr->GetFalse(); %} -## :bro:see:`Files::lookup_file`. +## :zeek:see:`Files::lookup_file`. function Files::__lookup_file%(fuid: string%): fa_file %{ auto f = file_mgr->LookupFile(fuid->CheckString()); @@ -95,14 +95,14 @@ function Files::__lookup_file%(fuid: string%): fa_file module GLOBAL; -## For use within a :bro:see:`get_file_handle` handler to set a unique +## For use within a :zeek:see:`get_file_handle` handler to set a unique ## identifier to associate with the current input to the file analysis ## framework. Using an empty string for the handle signifies that the ## input will be ignored/discarded. ## ## handle: A string that uniquely identifies a file. ## -## .. bro:see:: get_file_handle +## .. zeek:see:: get_file_handle function set_file_handle%(handle: string%): any %{ auto bytes = reinterpret_cast(handle->Bytes()); diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 30eff2669d..5ea11cf4d8 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc 
@@ -82,6 +82,9 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f fail_on_invalid_lines = BifConst::InputAscii::fail_on_invalid_lines; fail_on_file_problem = BifConst::InputAscii::fail_on_file_problem; + path_prefix.assign((const char*) BifConst::InputAscii::path_prefix->Bytes(), + BifConst::InputAscii::path_prefix->Len()); + // Set per-filter configuration options. for ( ReaderInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ ) { @@ -137,18 +140,34 @@ bool Ascii::OpenFile() if ( file.is_open() ) return true; - file.open(Info().source); + // Handle path-prefixing. See similar logic in Binary::DoInit(). + fname = Info().source; + + if ( fname.front() != '/' && ! path_prefix.empty() ) + { + string path = path_prefix; + std::size_t last = path.find_last_not_of("/"); + + if ( last == string::npos ) // Nothing but slashes -- weird but ok... + path = "/"; + else + path.erase(last + 1); + + fname = path + "/" + fname; + } + + file.open(fname); if ( ! file.is_open() ) { - FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source), true); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", fname.c_str()), true); return ! fail_on_file_problem; } if ( ReadHeader(false) == false ) { - FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; problem reading file header", Info().source), true); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; problem reading file header", fname.c_str()), true); file.close(); return ! fail_on_file_problem; @@ -169,7 +188,7 @@ bool Ascii::ReadHeader(bool useCached) if ( ! GetLine(line) ) { FailWarn(fail_on_file_problem, Fmt("Could not read input data file %s; first line could not be read", - Info().source), true); + fname.c_str()), true); return false; } 
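Review bot: In the new path-prefix block of Ascii::OpenFile, `fname.front()` is evaluated before anything confirms `fname` is non-empty; `std::string::front()` on an empty string is undefined behaviour, and unlike Binary::DoInit (which rejects an empty `info.source` before its copy of this block) no such check is visible here. A guard such as `if ( ! fname.empty() && fname.front() != '/' && ! path_prefix.empty() )` avoids that, or hoist an empty-source check to the top of OpenFile with the same FailWarn treatment the open failure gets. The test also only distinguishes absolute from relative names: if `path_prefix` is meant to confine where readers look, a relative source containing `..` components still escapes it, so the ascii.bif/binary.bif documentation for the new constant should state whether it is a convenience default or a restriction. The same block is duplicated verbatim in Binary::DoInit (the `@@ -104,6 +107,20 @@` hunk of src/input/readers/binary/Binary.cc); a shared helper in util would keep the two copies from drifting. OpenFile's body ends outside this hunk.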
@@ -212,7 +231,7 @@ bool Ascii::ReadHeader(bool useCached) } FailWarn(fail_on_file_problem, Fmt("Did not find requested field %s in input data file %s.", - field->name, Info().source), true); + field->name, fname.c_str()), true); return false; } @@ -274,9 +293,9 @@ bool Ascii::DoUpdate() { // check if the file has changed struct stat sb; - if ( stat(Info().source, &sb) == -1 ) + if ( stat(fname.c_str(), &sb) == -1 ) { - FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source), true); + FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", fname.c_str()), true); file.close(); return ! fail_on_file_problem; diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 4fd236761e..91177519bc 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -66,6 +66,11 @@ private: time_t mtime; ino_t ino; + // The name using which we actually load the file -- compared + // to the input source name, this one may have a path_prefix + // attached to it. + string fname; + // map columns in the file to columns to send back to the manager vector columnMap; @@ -79,6 +84,7 @@ private: string unset_field; bool fail_on_invalid_lines; bool fail_on_file_problem; + string path_prefix; // this is an internal indicator in case the read is currently in a failed state // it's used to suppress duplicate error messages. diff --git a/src/input/readers/ascii/ascii.bif b/src/input/readers/ascii/ascii.bif index 80ff4611e7..0fe6ddb73d 100644 --- a/src/input/readers/ascii/ascii.bif +++ b/src/input/readers/ascii/ascii.bif @@ -7,3 +7,4 @@ const empty_field: string; const unset_field: string; const fail_on_invalid_lines: bool; const fail_on_file_problem: bool; +const path_prefix: string; diff --git a/src/input/readers/binary/Binary.cc b/src/input/readers/binary/Binary.cc index 5ae3cc7c15..9964cced1e 100644 --- a/src/input/readers/binary/Binary.cc +++ b/src/input/readers/binary/Binary.cc 
@@ -81,6 +81,9 @@ bool Binary::DoInit(const ReaderInfo& info, int num_fields, ino = 0; firstrun = true; + path_prefix.assign((const char*) BifConst::InputBinary::path_prefix->Bytes(), + BifConst::InputBinary::path_prefix->Len()); + if ( ! info.source || strlen(info.source) == 0 ) { Error("No source path provided"); @@ -104,6 +107,20 @@ bool Binary::DoInit(const ReaderInfo& info, int num_fields, // do initialization fname = info.source; + // Handle path-prefixing. See similar logic in Ascii::OpenFile(). + if ( fname.front() != '/' && ! path_prefix.empty() ) + { + string path = path_prefix; + std::size_t last = path.find_last_not_of("/"); + + if ( last == string::npos ) // Nothing but slashes -- weird but ok... + path = "/"; + else + path.erase(last + 1); + + fname = path + "/" + fname; + } + if ( ! OpenInput() ) return false; diff --git a/src/input/readers/binary/Binary.h b/src/input/readers/binary/Binary.h index 796640bfb4..414c748a73 100644 --- a/src/input/readers/binary/Binary.h +++ b/src/input/readers/binary/Binary.h @@ -42,6 +42,7 @@ private: // options set from the script-level. static streamsize chunk_size; + string path_prefix; }; } diff --git a/src/input/readers/binary/binary.bif b/src/input/readers/binary/binary.bif index 54e32ff453..6fdfcf3f0e 100644 --- a/src/input/readers/binary/binary.bif +++ b/src/input/readers/binary/binary.bif @@ -2,3 +2,4 @@ module InputBinary; const chunk_size: count; +const path_prefix: string; diff --git a/src/iosource/BPF_Program.cc b/src/iosource/BPF_Program.cc index 451a74bed3..ca5a6eef54 100644 --- a/src/iosource/BPF_Program.cc +++ b/src/iosource/BPF_Program.cc 
@@ -104,6 +104,17 @@ bool BPF_Program::Compile(int snaplen, int linktype, const char* filter,
 {
 FreeCode();
+ if ( linktype == DLT_NFLOG )
+ {
+ // No-op, NFLOG does not support BPF filters.
+ // Raising a warning might be good, but it would also be noisy
+ // since the default scripts will always attempt to compile
+ // and install a default filter
+ m_compiled = true;
+ m_matches_anything = true;
+ return true;
+ }
+
 #ifdef LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER
 char my_error[PCAP_ERRBUF_SIZE];
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 5b858e828e..3bb6e34e50 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -92,6 +92,14 @@ int Packet::GetLinkHeaderSize(int link_type)
 case DLT_IEEE802_11_RADIO: // 802.11 plus RadioTap
 return 59;
+ case DLT_NFLOG:
+ // Linux netlink NETLINK NFLOG socket log messages
+ // The actual header size is variable, but we return the minimum
+ // expected size here, which is 4 bytes for the main header plus at
+ // least 2 bytes each for the type and length values assoicated with
+ // the final TLV carrying the packet payload.
+ return 8;
+
 case DLT_RAW:
 return 0;
 }
@@ -395,6 +403,85 @@ void Packet::ProcessLayer2()
 break;
 }
+ case DLT_NFLOG:
+ {
+ // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
+
+ uint8 protocol = pdata[0];
+
+ if ( protocol == AF_INET )
+ l3_proto = L3_IPV4;
+ else if ( protocol == AF_INET6 )
+ l3_proto = L3_IPV6;
+ else
+ {
+ Weird("non_ip_in_nflog");
+ return;
+ }
+
+ uint8 version = pdata[1];
+
+ if ( version != 0 )
+ {
+ Weird("unknown_nflog_version");
+ return;
+ }
+
+ // Skip to TLVs.
+ pdata += 4;
+
+ uint16 tlv_len;
+ uint16 tlv_type;
+
+ while ( true )
+ {
+ if ( pdata + 4 >= end_of_data )
+ {
+ Weird("nflog_no_pcap_payload");
+ return;
+ }
+
+ // TLV Type and Length values are specified in host byte order
+ // (libpcap should have done any needed byteswapping already).
+
+ tlv_len = *(reinterpret_cast(pdata));
+ tlv_type = *(reinterpret_cast(pdata + 2));
+
+ auto constexpr nflog_type_payload = 9;
+
+ if ( tlv_type == nflog_type_payload )
+ {
+ // The raw packet payload follows this TLV.
+ pdata += 4;
+ break;
+ }
+ else
+ {
+ // The Length value includes the 4 octets for the Type and
+ // Length values, but TLVs are also implicitly padded to
+ // 32-bit alignments (that padding may not be included in
+ // the Length value).
+
+ if ( tlv_len < 4 )
+ {
+ Weird("nflog_bad_tlv_len");
+ return;
+ }
+ else
+ {
+ auto rem = tlv_len % 4;
+
+ if ( rem != 0 )
+ tlv_len += 4 - rem;
+ }
+
+ pdata += tlv_len;
+ }
+ }
+
+ break;
+ }
+
 default:
 {
 // Assume we're pointing at IP. Just figure out which version.
diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc
index 0a0633ece0..fb9954981c 100644
--- a/src/iosource/pcap/Source.cc
+++ b/src/iosource/pcap/Source.cc
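Review bot: The padding step `tlv_len += 4 - rem;` can wrap, because `tlv_len` is declared `uint16`: for a length of 65533, 65534 or 65535 the rounded-up value becomes 0, `pdata += tlv_len;` then makes no progress, and the `while ( true )` loop never terminates on that packet. Widening the declaration to `uint32 tlv_len;` removes the wrap, and a bounds check before the advance, `if ( tlv_len > static_cast<size_t>(end_of_data - pdata) ) { Weird("nflog_bad_tlv_len"); return; }`, also keeps `pdata` from being moved past `end_of_data`, which the `pdata + 4 >= end_of_data` test at the top of the loop only notices after the pointer is already out of range. The reads of `pdata[0]` and `pdata[1]` and the `pdata += 4` skip precede any length check in this hunk; if the caller does not already reject captures shorter than the 8 bytes GetLinkHeaderSize() reports for DLT_NFLOG, a check against `end_of_data` belongs at the start of the case. ProcessLayer2 begins and ends outside this hunk.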
@@ -247,10 +247,20 @@ bool PcapSource::SetFilter(int index) return false; } - if ( pcap_setfilter(pd, code->GetProgram()) < 0 ) + if ( LinkType() == DLT_NFLOG ) { - PcapError(); - return false; + // No-op, NFLOG does not support BPF filters. + // Raising a warning might be good, but it would also be noisy + // since the default scripts will always attempt to compile + // and install a default filter + } + else + { + if ( pcap_setfilter(pd, code->GetProgram()) < 0 ) + { + PcapError(); + return false; + } } #ifndef HAVE_LINUX diff --git a/src/iosource/pcap/pcap.bif b/src/iosource/pcap/pcap.bif index 1e7ca8a844..9e6e0238ba 100644 --- a/src/iosource/pcap/pcap.bif +++ b/src/iosource/pcap/pcap.bif @@ -12,7 +12,7 @@ const bufsize: count; ## ## Returns: True if *s* is valid and precompiles successfully. ## -## .. bro:see:: Pcap::install_pcap_filter +## .. zeek:see:: Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter ## uninstall_src_addr_filter @@ -51,14 +51,14 @@ function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool %} ## Installs a PCAP filter that has been precompiled with -## :bro:id:`Pcap::precompile_pcap_filter`. +## :zeek:id:`Pcap::precompile_pcap_filter`. ## ## id: The PCAP filter id of a precompiled filter. ## ## Returns: True if the filter associated with *id* has been installed ## successfully. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## install_src_addr_filter ## install_src_net_filter ## uninstall_src_addr_filter @@ -90,7 +90,7 @@ function Pcap::install_pcap_filter%(id: PcapFilterID%): bool ## ## Returns: A descriptive error message of the PCAP function that failed. ## -## .. bro:see:: Pcap::precompile_pcap_filter +## .. zeek:see:: Pcap::precompile_pcap_filter ## Pcap::install_pcap_filter ## install_src_addr_filter ## install_src_net_filter diff --git a/src/main.cc b/src/main.cc index 473f3a72e7..af29b1e7d7 100644 --- a/src/main.cc +++ b/src/main.cc 
@@ -55,7 +55,7 @@ extern "C" { #include "analyzer/Tag.h" #include "plugin/Manager.h" #include "file_analysis/Manager.h" -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" #include "iosource/Manager.h" #include "broker/Manager.h" @@ -91,7 +91,7 @@ input::Manager* input_mgr = 0; plugin::Manager* plugin_mgr = 0; analyzer::Manager* analyzer_mgr = 0; file_analysis::Manager* file_mgr = 0; -broxygen::Manager* broxygen_mgr = 0; +zeexygen::Manager* zeexygen_mgr = 0; iosource::Manager* iosource_mgr = 0; bro_broker::Manager* broker_mgr = 0; @@ -194,7 +194,7 @@ void usage(int code = 1) fprintf(stderr, " -T|--re-level | set 'RE_level' for rules\n"); fprintf(stderr, " -U|--status-file | Record process status in file\n"); fprintf(stderr, " -W|--watchdog | activate watchdog timer\n"); - fprintf(stderr, " -X|--broxygen | generate documentation based on config file\n"); + fprintf(stderr, " -X|--zeexygen | generate documentation based on config file\n"); #ifdef USE_PERFTOOLS_DEBUG fprintf(stderr, " -m|--mem-leaks | show leaks [perftools]\n"); @@ -214,7 +214,7 @@ void usage(int code = 1) fprintf(stderr, " $BRO_SEED_FILE | file to load seeds from (not set)\n"); fprintf(stderr, " $BRO_LOG_SUFFIX | ASCII log file extension (.%s)\n", logging::writer::Ascii::LogExt().c_str()); fprintf(stderr, " $BRO_PROFILER_FILE | Output file for script execution statistics (not set)\n"); - fprintf(stderr, " $BRO_DISABLE_BROXYGEN | Disable Broxygen documentation support (%s)\n", getenv("BRO_DISABLE_BROXYGEN") ? "set" : "not set"); + fprintf(stderr, " $BRO_DISABLE_BROXYGEN | Disable Zeexygen documentation support (%s)\n", getenv("BRO_DISABLE_BROXYGEN") ? "set" : "not set"); fprintf(stderr, "\n"); 
@@ -339,9 +339,9 @@ void terminate_bro() brofiler.WriteStats(); - EventHandlerPtr bro_done = internal_handler("bro_done"); - if ( bro_done ) - mgr.QueueEvent(bro_done, new val_list); + EventHandlerPtr zeek_done = internal_handler("zeek_done"); + if ( zeek_done ) + mgr.QueueEvent(zeek_done, new val_list); timer_mgr->Expire(); mgr.Drain(); @@ -370,7 +370,7 @@ void terminate_bro() plugin_mgr->FinishPlugins(); - delete broxygen_mgr; + delete zeexygen_mgr; delete timer_mgr; delete persistence_serializer; delete event_serializer; @@ -534,7 +534,7 @@ int main(int argc, char** argv) {"filter", required_argument, 0, 'f'}, {"help", no_argument, 0, 'h'}, {"iface", required_argument, 0, 'i'}, - {"broxygen", required_argument, 0, 'X'}, + {"zeexygen", required_argument, 0, 'X'}, {"prefix", required_argument, 0, 'p'}, {"readfile", required_argument, 0, 'r'}, {"rulefile", required_argument, 0, 's'}, @@ -586,7 +586,7 @@ int main(int argc, char** argv) if ( p ) add_to_name_list(p, ':', prefixes); - string broxygen_config; + string zeexygen_config; #ifdef USE_IDMEF string libidmef_dtd_path = "idmef-message.dtd"; @@ -739,7 +739,7 @@ int main(int argc, char** argv) break; case 'X': - broxygen_config = optarg; + zeexygen_config = optarg; break; #ifdef USE_PERFTOOLS_DEBUG @@ -821,13 +821,13 @@ int main(int argc, char** argv) timer_mgr = new PQ_TimerMgr(""); // timer_mgr = new CQ_TimerMgr(); - broxygen_mgr = new broxygen::Manager(broxygen_config, bro_argv[0]); + zeexygen_mgr = new zeexygen::Manager(zeexygen_config, bro_argv[0]); - add_essential_input_file("base/init-bare.bro"); - add_essential_input_file("base/init-frameworks-and-bifs.bro"); + add_essential_input_file("base/init-bare.zeek"); + add_essential_input_file("base/init-frameworks-and-bifs.zeek"); if ( ! bare_mode ) - add_input_file("base/init-default.bro"); + add_input_file("base/init-default.zeek"); plugin_mgr->SearchDynamicPlugins(bro_plugin_path()); 
@@ -872,7 +872,7 @@ int main(int argc, char** argv) plugin_mgr->InitPreScript(); analyzer_mgr->InitPreScript(); file_mgr->InitPreScript(); - broxygen_mgr->InitPreScript(); + zeexygen_mgr->InitPreScript(); bool missing_plugin = false; @@ -891,10 +891,6 @@ int main(int argc, char** argv) if ( events_file ) event_player = new EventPlayer(events_file); - // Must come after plugin activation (and also after hash - // initialization). - binpac::init(); - init_event_handlers(); md5_type = new OpaqueType("md5"); @@ -945,13 +941,24 @@ int main(int argc, char** argv) init_net_var(); init_builtin_funcs_subdirs(); + // Must come after plugin activation (and also after hash + // initialization). + binpac::FlowBuffer::Policy flowbuffer_policy; + flowbuffer_policy.max_capacity = global_scope()->Lookup( + "BinPAC::flowbuffer_capacity_max")->ID_Val()->AsCount(); + flowbuffer_policy.min_capacity = global_scope()->Lookup( + "BinPAC::flowbuffer_capacity_min")->ID_Val()->AsCount(); + flowbuffer_policy.contract_threshold = global_scope()->Lookup( + "BinPAC::flowbuffer_contract_threshold")->ID_Val()->AsCount(); + binpac::init(&flowbuffer_policy); + plugin_mgr->InitBifs(); if ( reporter->Errors() > 0 ) exit(1); plugin_mgr->InitPostScript(); - broxygen_mgr->InitPostScript(); + zeexygen_mgr->InitPostScript(); broker_mgr->InitPostScript(); if ( print_plugins ) @@ -981,7 +988,7 @@ int main(int argc, char** argv) } reporter->InitOptions(); - broxygen_mgr->GenerateDocs(); + zeexygen_mgr->GenerateDocs(); if ( user_pcap_filter ) { 
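Review bot: The three `global_scope()->Lookup("BinPAC::...")` calls in the relocated binpac::init block dereference their result directly through `->ID_Val()->AsCount()`; if any of those identifiers is not declared by the loaded scripts, Lookup presumably returns null and startup crashes there instead of reporting which constant is missing. A small checked helper that performs the lookup, calls `reporter->FatalError` with the identifier name when it fails, and otherwise returns `->ID_Val()->AsCount()` keeps the three assignments to one line each and turns the crash into a diagnostic. Whether `max_capacity` and the other policy fields are wide enough for a `count` value cannot be seen from this hunk. main's body continues outside the hunk.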
@@ -1129,9 +1136,9 @@ int main(int argc, char** argv) // we don't have any other source for it. net_update_time(current_time()); - EventHandlerPtr bro_init = internal_handler("bro_init"); - if ( bro_init ) //### this should be a function - mgr.QueueEvent(bro_init, new val_list); + EventHandlerPtr zeek_init = internal_handler("zeek_init"); + if ( zeek_init ) //### this should be a function + mgr.QueueEvent(zeek_init, new val_list); EventRegistry::string_list* dead_handlers = event_registry->UnusedHandlers(); @@ -1186,7 +1193,7 @@ int main(int argc, char** argv) val_list* vl = new val_list; vl->append(new StringVal(i->name.c_str())); vl->append(val_mgr->GetCount(i->include_level)); - mgr.QueueEvent(bro_script_loaded, vl); + mgr.QueueEvent(zeek_script_loaded, vl); } reporter->ReportViaEvents(true); @@ -1197,7 +1204,7 @@ int main(int argc, char** argv) if ( reporter->Errors() > 0 && ! getenv("ZEEK_ALLOW_INIT_ERRORS") ) reporter->FatalError("errors occurred while initializing"); - broker_mgr->BroInitDone(); + broker_mgr->ZeekInitDone(); analyzer_mgr->DumpDebug(); have_pending_timers = ! reading_traces && timer_mgr->Size() > 0; diff --git a/src/option.bif b/src/option.bif index 2156808763..849e6ccfb0 100644 --- a/src/option.bif +++ b/src/option.bif 
@@ -48,10 +48,10 @@ static bool call_option_handlers_and_set_value(StringVal* name, ID* i, Val* val, ## ## Returns: true on success, false when an error occurred. ## -## .. bro:see:: Option::set_change_handler Config::set_value +## .. zeek:see:: Option::set_change_handler Config::set_value ## -## .. note:: :bro:id:`Option::set` only works on one node and does not distribute -## new values across a cluster. The higher-level :bro:id:`Config::set_value` +## .. note:: :zeek:id:`Option::set` only works on one node and does not distribute +## new values across a cluster. The higher-level :zeek:id:`Config::set_value` ## supports clusterization and should typically be used instead of this ## lower-level function. function Option::set%(ID: string, val: any, location: string &default=""%): bool @@ -105,7 +105,7 @@ function Option::set%(ID: string, val: any, location: string &default=""%): bool %} ## Set a change handler for an option. The change handler will be -## called anytime :bro:id:`Option::set` is called for the option. +## called anytime :zeek:id:`Option::set` is called for the option. ## ## ID: The ID of the option for which change notifications are desired. ## @@ -127,7 +127,7 @@ function Option::set%(ID: string, val: any, location: string &default=""%): bool ## ## Returns: true when the change handler was set, false when an error occurred. ## -## .. bro:see:: Option::set +## .. zeek:see:: Option::set function Option::set_change_handler%(ID: string, on_change: any, priority: int &default=0%): bool %{ auto i = global_scope()->Lookup(ID->CheckString()); diff --git a/src/parse.y b/src/parse.y index db7e0f846f..0e363eb321 100644 --- a/src/parse.y +++ b/src/parse.y @@ -88,7 +88,7 @@ #include "Scope.h" #include "Reporter.h" #include "Brofiler.h" -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" #include #include 
@@ -1039,7 +1039,7 @@ type_decl: $$ = new TypeDecl($3, $1, $4, (in_record > 0)); if ( in_record > 0 && cur_decl_type_id ) - broxygen_mgr->RecordField(cur_decl_type_id, $$, ::filename); + zeexygen_mgr->RecordField(cur_decl_type_id, $$, ::filename); } ; @@ -1073,7 +1073,7 @@ decl: TOK_MODULE TOK_ID ';' { current_module = $2; - broxygen_mgr->ModuleUsage(::filename, current_module); + zeexygen_mgr->ModuleUsage(::filename, current_module); } | TOK_EXPORT '{' { is_export = true; } decl_list '}' @@ -1082,36 +1082,36 @@ decl: | TOK_GLOBAL def_global_id opt_type init_class opt_init opt_attr ';' { add_global($2, $3, $4, $5, $6, VAR_REGULAR); - broxygen_mgr->Identifier($2); + zeexygen_mgr->Identifier($2); } | TOK_OPTION def_global_id opt_type init_class opt_init opt_attr ';' { add_global($2, $3, $4, $5, $6, VAR_OPTION); - broxygen_mgr->Identifier($2); + zeexygen_mgr->Identifier($2); } | TOK_CONST def_global_id opt_type init_class opt_init opt_attr ';' { add_global($2, $3, $4, $5, $6, VAR_CONST); - broxygen_mgr->Identifier($2); + zeexygen_mgr->Identifier($2); } | TOK_REDEF global_id opt_type init_class opt_init opt_attr ';' { add_global($2, $3, $4, $5, $6, VAR_REDEF); - broxygen_mgr->Redef($2, ::filename); + zeexygen_mgr->Redef($2, ::filename); } | TOK_REDEF TOK_ENUM global_id TOK_ADD_TO '{' - { parser_redef_enum($3); broxygen_mgr->Redef($3, ::filename); } + { parser_redef_enum($3); zeexygen_mgr->Redef($3, ::filename); } enum_body '}' ';' { - // Broxygen already grabbed new enum IDs as the type created them. + // Zeexygen already grabbed new enum IDs as the type created them. } | TOK_REDEF TOK_RECORD global_id - { cur_decl_type_id = $3; broxygen_mgr->Redef($3, ::filename); } + { cur_decl_type_id = $3; zeexygen_mgr->Redef($3, ::filename); } TOK_ADD_TO '{' { ++in_record; } type_decl_list 
@@ -1127,12 +1127,12 @@ decl: } | TOK_TYPE global_id ':' - { cur_decl_type_id = $2; broxygen_mgr->StartType($2); } + { cur_decl_type_id = $2; zeexygen_mgr->StartType($2); } type opt_attr ';' { cur_decl_type_id = 0; add_type($2, $5, $6); - broxygen_mgr->Identifier($2); + zeexygen_mgr->Identifier($2); } | func_hdr func_body @@ -1167,10 +1167,19 @@ func_hdr: begin_func($2, current_module.c_str(), FUNC_FLAVOR_FUNCTION, 0, $3, $4); $$ = $3; - broxygen_mgr->Identifier($2); + zeexygen_mgr->Identifier($2); } | TOK_EVENT event_id func_params opt_attr { + // Gracefully handle the deprecation of bro_init, bro_done, + // and bro_script_loaded + if ( streq("bro_init", $2->Name()) ) + $2 = global_scope()->Lookup("zeek_init"); + else if ( streq("bro_done", $2->Name()) ) + $2 = global_scope()->Lookup("zeek_done"); + else if ( streq("bro_script_loaded", $2->Name()) ) + $2 = global_scope()->Lookup("zeek_script_loaded"); + begin_func($2, current_module.c_str(), FUNC_FLAVOR_EVENT, 0, $3, $4); $$ = $3; @@ -1592,7 +1601,7 @@ for_head: if ( loop_var ) { if ( loop_var->IsGlobal() ) - loop_var->Error("global used in for loop"); + loop_var->Error("global variable used in for loop"); } else 
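Review bot: In the TOK_EVENT alias block of func_hdr, `$2 = global_scope()->Lookup("zeek_init")` and the two sibling lookups overwrite the event ID with a pointer that is never checked; if the replacement event is not declared by the loaded scripts, begin_func on the following line receives a null ID. Assign through a temporary and keep the original ID when the lookup fails, e.g. `if ( ID* alias = global_scope()->Lookup("zeek_init") ) $2 = alias;`, or reject with an error naming the missing event. A table mapping the three deprecated names to their replacements would also avoid repeating the streq/Lookup pair three times. The func_hdr rule continues outside this hunk.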
@@ -1606,8 +1615,62 @@ for_head: } | TOK_FOR '(' '[' local_id_list ']' TOK_IN expr ')' - { $$ = new ForStmt($4, $7); } - ; + { + $$ = new ForStmt($4, $7); + } + | + TOK_FOR '(' TOK_ID ',' TOK_ID TOK_IN expr ')' + { + set_location(@1, @8); + const char* module = current_module.c_str(); + + // Check for previous definitions of key and + // value variables. + ID* key_var = lookup_ID($3, module); + ID* val_var = lookup_ID($5, module); + + // Validate previous definitions as needed. + if ( key_var ) + { + if ( key_var->IsGlobal() ) + key_var->Error("global variable used in for loop"); + } + else + key_var = install_ID($3, module, false, false); + + if ( val_var ) + { + if ( val_var->IsGlobal() ) + val_var->Error("global variable used in for loop"); + } + else + val_var = install_ID($5, module, false, false); + + id_list* loop_vars = new id_list; + loop_vars->append(key_var); + + $$ = new ForStmt(loop_vars, $7, val_var); + } + | + TOK_FOR '(' '[' local_id_list ']' ',' TOK_ID TOK_IN expr ')' + { + set_location(@1, @10); + const char* module = current_module.c_str(); + + // Validate value variable + ID* val_var = lookup_ID($7, module); + + if ( val_var ) + { + if ( val_var->IsGlobal() ) + val_var->Error("global variable used in for loop"); + } + else + val_var = install_ID($7, module, false, false); + + $$ = new ForStmt($4, $9, val_var); + } + ; local_id_list: local_id_list ',' local_id diff --git a/src/plugin/ComponentManager.h b/src/plugin/ComponentManager.h index 0069c77359..22bd2dd302 100644 --- a/src/plugin/ComponentManager.h +++ b/src/plugin/ComponentManager.h @@ -10,7 +10,7 @@ #include "Var.h" #include "Val.h" #include "Reporter.h" -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" namespace plugin { 
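Review bot: The two new for_head rules repeat the same lookup-validate-or-install sequence three times (for `$3`, `$5` and `$7`), and the existing single-variable rule above this hunk already carries a fourth copy; each repetition has its own `Error("global variable used in for loop")` string, so a change to that wording or to the install_ID arguments must be made in four places. A small static helper in the prologue that returns the validated or newly installed ID collapses each copy to one line; the rewritten lines are below. The call `$$ = new ForStmt(loop_vars, $7, val_var);` also leaves open who releases `loop_vars` and the TOK_ID strings — presumably ForStmt takes ownership as it does for `$4` in the bracketed form, but that is outside the hunk.
```yacc
// Prologue helper: returns the loop variable named `name`, installing a new
// local when no prior definition exists. A previously defined global is an
// error, as in the existing single-variable rule.
static ID* lookup_or_install_loop_var(const char* name, const char* module)
	{
	ID* id = lookup_ID(name, module);

	if ( ! id )
		return install_ID(name, module, false, false);

	if ( id->IsGlobal() )
		id->Error("global variable used in for loop");

	return id;
	}

// … unchanged: TOK_FOR '(' TOK_ID ',' TOK_ID TOK_IN expr ')' action header, set_location, module …
ID* key_var = lookup_or_install_loop_var($3, module);
ID* val_var = lookup_or_install_loop_var($5, module);
// … unchanged: loop_vars construction and ForStmt …

// … unchanged: TOK_FOR '(' '[' local_id_list ']' ',' TOK_ID TOK_IN expr ')' action header …
ID* val_var = lookup_or_install_loop_var($7, module);
```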
@@ -134,7 +134,7 @@ ComponentManager::ComponentManager(const string& arg_module, const string& tag_enum_type = new EnumType(module + "::" + local_id); ::ID* id = install_ID(local_id.c_str(), module.c_str(), true, true); add_type(id, tag_enum_type, 0); - broxygen_mgr->Identifier(id); + zeexygen_mgr->Identifier(id); } template diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 836520d03a..47f7ba1ed9 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -13,6 +13,7 @@ #include "../Reporter.h" #include "../Func.h" #include "../Event.h" +#include "../util.h" using namespace plugin; 
@@ -182,30 +183,44 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ add_to_bro_path(scripts); } - // First load {scripts}/__preload__.bro automatically. - string init = dir + "scripts/__preload__.bro"; + string init; - if ( is_file(init) ) + // First load {scripts}/__preload__.zeek automatically. + for (const string& ext : script_extensions) { - DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); - scripts_to_load.push_back(init); + init = dir + "scripts/__preload__" + ext; + + if ( is_file(init) ) + { + DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); + scripts_to_load.push_back(init); + break; + } } - // Load {bif,scripts}/__load__.bro automatically. - init = dir + "lib/bif/__load__.bro"; - - if ( is_file(init) ) + // Load {bif,scripts}/__load__.zeek automatically. + for (const string& ext : script_extensions) { - DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); - scripts_to_load.push_back(init); + init = dir + "lib/bif/__load__" + ext; + + if ( is_file(init) ) + { + DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); + scripts_to_load.push_back(init); + break; + } } - init = dir + "scripts/__load__.bro"; - - if ( is_file(init) ) + for (const string& ext : script_extensions) { - DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); - scripts_to_load.push_back(init); + init = dir + "scripts/__load__" + ext; + + if ( is_file(init) ) + { + DBG_LOG(DBG_PLUGINS, " Loading %s", init.c_str()); + scripts_to_load.push_back(init); + break; + } } // Load shared libraries. diff --git a/src/probabilistic/Topk.cc b/src/probabilistic/Topk.cc index e01b4e41b6..d3d3d6a132 100644 --- a/src/probabilistic/Topk.cc +++ b/src/probabilistic/Topk.cc @@ -78,6 +78,13 @@ TopkVal::~TopkVal() void TopkVal::Merge(const TopkVal* value, bool doPrune) { + if ( ! value->type ) + { + // Merge-from is empty. Nothing to do. + assert(value->numElements == 0); + return; + } + if ( type == 0 ) { assert(numElements == 0); 
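Review bot: The three `for (const string& ext : script_extensions)` loops in `ActivateDynamicPluginInternal` are identical apart from the path prefix, which invites the copies to diverge; a helper that returns the first existing candidate would collapse them to one call each. Also worth a comment or a debug log: when a plugin ships both `__load__.bro` and `__load__.zeek` (or both `__preload__` variants), the `break` means only the one whose extension comes first in `script_extensions` is loaded and the other is silently ignored, which can surprise a plugin author mid-rename. The enclosing function starts before and continues after the hunk.
```cpp
// Returns base + ext for the first ext in script_extensions that names an
// existing file, or an empty string when none does.
static string find_first_script(const string& base)
	{
	for ( const string& ext : script_extensions )
		{
		string candidate = base + ext;

		if ( is_file(candidate) )
			return candidate;
		}

	return string();
	}

// … in ActivateDynamicPluginInternal, one such block per location: …
init = find_first_script(dir + "scripts/__preload__");

if ( ! init.empty() )
	{
	DBG_LOG(DBG_PLUGINS, "  Loading %s", init.c_str());
	scripts_to_load.push_back(init);
	}
```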
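Review bot: The new early return in `TopkVal::Merge` backs the "merge-from is empty" claim only with `assert(value->numElements == 0)`, and `assert` is compiled out under `NDEBUG`, so in a release build a counter with a null `type` but a non-zero `numElements` is silently discarded rather than reported. If the reporter is reachable from this translation unit, an explicit `if ( value->numElements != 0 ) reporter->InternalWarning("TopkVal::Merge: untyped source with %u elements", value->numElements);` ahead of the `return` would keep the invariant visible in production; otherwise the comment should at least say that the check is debug-only. `Merge` continues beyond the hunk.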
diff --git a/src/probabilistic/bloom-filter.bif b/src/probabilistic/bloom-filter.bif index 468a6eeae2..284aebc745 100644 --- a/src/probabilistic/bloom-filter.bif +++ b/src/probabilistic/bloom-filter.bif @@ -22,14 +22,14 @@ module GLOBAL; ## rate of *fp*. ## ## name: A name that uniquely identifies and seeds the Bloom filter. If empty, -## the filter will use :bro:id:`global_hash_seed` if that's set, and +## the filter will use :zeek:id:`global_hash_seed` if that's set, and ## otherwise use a local seed tied to the current Bro process. Only ## filters with the same seed can be merged with -## :bro:id:`bloomfilter_merge`. +## :zeek:id:`bloomfilter_merge`. ## ## Returns: A Bloom filter handle. ## -## .. bro:see:: bloomfilter_basic_init2 bloomfilter_counting_init bloomfilter_add +## .. zeek:see:: bloomfilter_basic_init2 bloomfilter_counting_init bloomfilter_add ## bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed function bloomfilter_basic_init%(fp: double, capacity: count, name: string &default=""%): opaque of bloomfilter @@ -50,7 +50,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count, %} ## Creates a basic Bloom filter. This function serves as a low-level -## alternative to :bro:id:`bloomfilter_basic_init` where the user has full +## alternative to :zeek:id:`bloomfilter_basic_init` where the user has full ## control over the number of hash functions and cells in the underlying bit ## vector. ## 
@@ -59,14 +59,14 @@ function bloomfilter_basic_init%(fp: double, capacity: count, ## cells: The number of cells of the underlying bit vector. ## ## name: A name that uniquely identifies and seeds the Bloom filter. If empty, -## the filter will use :bro:id:`global_hash_seed` if that's set, and +## the filter will use :zeek:id:`global_hash_seed` if that's set, and ## otherwise use a local seed tied to the current Bro process. Only ## filters with the same seed can be merged with -## :bro:id:`bloomfilter_merge`. +## :zeek:id:`bloomfilter_merge`. ## ## Returns: A Bloom filter handle. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_counting_init bloomfilter_add +## .. zeek:see:: bloomfilter_basic_init bloomfilter_counting_init bloomfilter_add ## bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed function bloomfilter_basic_init2%(k: count, cells: count, name: string &default=""%): opaque of bloomfilter @@ -103,14 +103,14 @@ function bloomfilter_basic_init2%(k: count, cells: count, ## counter vector becomes a cell of size *w* bits. ## ## name: A name that uniquely identifies and seeds the Bloom filter. If empty, -## the filter will use :bro:id:`global_hash_seed` if that's set, and +## the filter will use :zeek:id:`global_hash_seed` if that's set, and ## otherwise use a local seed tied to the current Bro process. Only ## filters with the same seed can be merged with -## :bro:id:`bloomfilter_merge`. +## :zeek:id:`bloomfilter_merge`. ## ## Returns: A Bloom filter handle. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 bloomfilter_add +## .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 bloomfilter_add ## bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed function bloomfilter_counting_init%(k: count, cells: count, max: count, name: string &default=""%): opaque of bloomfilter 
@@ -139,7 +139,7 @@ function bloomfilter_counting_init%(k: count, cells: count, max: count, ## ## x: The element to add. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 +## .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 ## bloomfilter_counting_init bloomfilter_lookup bloomfilter_clear ## bloomfilter_merge function bloomfilter_add%(bf: opaque of bloomfilter, x: any%): any @@ -166,7 +166,7 @@ function bloomfilter_add%(bf: opaque of bloomfilter, x: any%): any ## ## Returns: the counter associated with *x* in *bf*. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 +## .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 ## bloomfilter_counting_init bloomfilter_add bloomfilter_clear ## bloomfilter_merge function bloomfilter_lookup%(bf: opaque of bloomfilter, x: any%): count @@ -191,7 +191,7 @@ function bloomfilter_lookup%(bf: opaque of bloomfilter, x: any%): count ## ## bf: The Bloom filter handle. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 +## .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 ## bloomfilter_counting_init bloomfilter_add bloomfilter_lookup ## bloomfilter_merge function bloomfilter_clear%(bf: opaque of bloomfilter%): any @@ -216,7 +216,7 @@ function bloomfilter_clear%(bf: opaque of bloomfilter%): any ## ## Returns: The union of *bf1* and *bf2*. ## -## .. bro:see:: bloomfilter_basic_init bloomfilter_basic_init2 +## .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 ## bloomfilter_counting_init bloomfilter_add bloomfilter_lookup ## bloomfilter_clear function bloomfilter_merge%(bf1: opaque of bloomfilter, diff --git a/src/probabilistic/cardinality-counter.bif b/src/probabilistic/cardinality-counter.bif index 4ba528bd3c..2fa7953c9e 100644 --- a/src/probabilistic/cardinality-counter.bif +++ b/src/probabilistic/cardinality-counter.bif 
@@ -17,7 +17,7 @@ module GLOBAL; ## ## Returns: a HLL cardinality handle. ## -## .. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add +## .. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add ## hll_cardinality_copy function hll_cardinality_init%(err: double, confidence: double%): opaque of cardinality %{ @@ -35,7 +35,7 @@ function hll_cardinality_init%(err: double, confidence: double%): opaque of card ## ## Returns: true on success. ## -## .. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into +## .. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into ## hll_cardinality_init hll_cardinality_copy function hll_cardinality_add%(handle: opaque of cardinality, elem: any%): bool %{ @@ -60,7 +60,7 @@ function hll_cardinality_add%(handle: opaque of cardinality, elem: any%): bool ## Merges a HLL cardinality counter into another. ## ## .. note:: The same restrictions as for Bloom filter merging apply, -## see :bro:id:`bloomfilter_merge`. +## see :zeek:id:`bloomfilter_merge`. ## ## handle1: the first HLL handle, which will contain the merged result. ## @@ -68,7 +68,7 @@ function hll_cardinality_add%(handle: opaque of cardinality, elem: any%): bool ## ## Returns: true on success. ## -## .. bro:see:: hll_cardinality_estimate hll_cardinality_add +## .. zeek:see:: hll_cardinality_estimate hll_cardinality_add ## hll_cardinality_init hll_cardinality_copy function hll_cardinality_merge_into%(handle1: opaque of cardinality, handle2: opaque of cardinality%): bool %{ @@ -103,7 +103,7 @@ function hll_cardinality_merge_into%(handle1: opaque of cardinality, handle2: op ## ## Returns: the cardinality estimate. Returns -1.0 if the counter is empty. ## -## .. bro:see:: hll_cardinality_merge_into hll_cardinality_add +## .. zeek:see:: hll_cardinality_merge_into hll_cardinality_add ## hll_cardinality_init hll_cardinality_copy function hll_cardinality_estimate%(handle: opaque of cardinality%): double %{ 
@@ -121,7 +121,7 @@ function hll_cardinality_estimate%(handle: opaque of cardinality%): double ## ## Returns: copy of handle. ## -## .. bro:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add +## .. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add ## hll_cardinality_init function hll_cardinality_copy%(handle: opaque of cardinality%): opaque of cardinality %{ diff --git a/src/probabilistic/top-k.bif b/src/probabilistic/top-k.bif index 8d2a8c0fd8..8691521f31 100644 --- a/src/probabilistic/top-k.bif +++ b/src/probabilistic/top-k.bif @@ -10,7 +10,7 @@ ## ## Returns: Opaque pointer to the data structure. ## -## .. bro:see:: topk_add topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_add topk_get_top topk_count topk_epsilon ## topk_size topk_sum topk_merge topk_merge_prune function topk_init%(size: count%): opaque of topk %{ @@ -28,7 +28,7 @@ function topk_init%(size: count%): opaque of topk ## ## value: observed value. ## -## .. bro:see:: topk_init topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_init topk_get_top topk_count topk_epsilon ## topk_size topk_sum topk_merge topk_merge_prune function topk_add%(handle: opaque of topk, value: any%): any %{ @@ -47,7 +47,7 @@ function topk_add%(handle: opaque of topk, value: any%): any ## ## Returns: vector of the first k elements. ## -## .. bro:see:: topk_init topk_add topk_count topk_epsilon +## .. zeek:see:: topk_init topk_add topk_count topk_epsilon ## topk_size topk_sum topk_merge topk_merge_prune function topk_get_top%(handle: opaque of topk, k: count%): any_vec %{ 
@@ -68,7 +68,7 @@ function topk_get_top%(handle: opaque of topk, k: count%): any_vec ## ## Returns: Overestimated number for how often the element has been encountered. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_epsilon +## .. zeek:see:: topk_init topk_add topk_get_top topk_epsilon ## topk_size topk_sum topk_merge topk_merge_prune function topk_count%(handle: opaque of topk, value: any%): count %{ @@ -79,7 +79,7 @@ function topk_count%(handle: opaque of topk, value: any%): count ## Get the maximal overestimation for count. ## -## .. note:: Same restrictions as for :bro:id:`topk_count` apply. +## .. note:: Same restrictions as for :zeek:id:`topk_count` apply. ## ## handle: the TopK handle. ## @@ -88,7 +88,7 @@ function topk_count%(handle: opaque of topk, value: any%): count ## Returns: Number which represents the maximal overestimation for the count of ## this element. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_count +## .. zeek:see:: topk_init topk_add topk_get_top topk_count ## topk_size topk_sum topk_merge topk_merge_prune function topk_epsilon%(handle: opaque of topk, value: any%): count %{ @@ -107,7 +107,7 @@ function topk_epsilon%(handle: opaque of topk, value: any%): count ## ## Returns: size given during initialization. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon ## topk_sum topk_merge topk_merge_prune function topk_size%(handle: opaque of topk%): count %{ 
@@ -120,14 +120,14 @@ function topk_size%(handle: opaque of topk%): count ## ## .. note:: This is equal to the number of all inserted objects if the data ## structure never has been pruned. Do not use after -## calling :bro:id:`topk_merge_prune` (will throw a warning message if used +## calling :zeek:id:`topk_merge_prune` (will throw a warning message if used ## afterwards). ## ## handle: the TopK handle. ## ## Returns: sum of all counts. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon ## topk_size topk_merge topk_merge_prune function topk_sum%(handle: opaque of topk%): count %{ @@ -145,7 +145,7 @@ function topk_sum%(handle: opaque of topk%): count ## .. note:: This does not remove any elements, the resulting data structure ## can be bigger than the maximum size given on initialization. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon ## topk_size topk_sum topk_merge_prune function topk_merge%(handle1: opaque of topk, handle2: opaque of topk%): any %{ 
@@ -164,14 +164,14 @@ function topk_merge%(handle1: opaque of topk, handle2: opaque of topk%): any ## data structure back to the size given on initialization. ## ## .. note:: Use with care and only when being aware of the restrictions this -## entails. Do not call :bro:id:`topk_size` or :bro:id:`topk_add` afterwards, +## entails. Do not call :zeek:id:`topk_size` or :zeek:id:`topk_add` afterwards, ## results will probably not be what you expect. ## ## handle1: the TopK handle in which the second TopK structure is merged. ## ## handle2: the TopK handle in which is merged into the first TopK structure. ## -## .. bro:see:: topk_init topk_add topk_get_top topk_count topk_epsilon +## .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon ## topk_size topk_sum topk_merge function topk_merge_prune%(handle1: opaque of topk, handle2: opaque of topk%): any %{ diff --git a/src/reporter.bif b/src/reporter.bif index 4a58e2728b..dd74b944d6 100644 --- a/src/reporter.bif +++ b/src/reporter.bif @@ -4,7 +4,7 @@ ##! If event handlers do exist, it's assumed they take care of determining ##! how/where to output the messages. ##! -##! See :doc:`/scripts/base/frameworks/reporter/main.bro` for a convenient +##! See :doc:`/scripts/base/frameworks/reporter/main.zeek` for a convenient ##! reporter message logging framework. module Reporter; @@ -19,7 +19,7 @@ module Reporter; ## ## Returns: Always true. ## -## .. bro:see:: reporter_info +## .. zeek:see:: reporter_info function Reporter::info%(msg: string%): bool %{ reporter->PushLocation(frame->GetCall()->GetLocationInfo()); @@ -34,7 +34,7 @@ function Reporter::info%(msg: string%): bool ## ## Returns: Always true. ## -## .. bro:see:: reporter_warning +## .. zeek:see:: reporter_warning function Reporter::warning%(msg: string%): bool %{ reporter->PushLocation(frame->GetCall()->GetLocationInfo()); 
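Review bot: In the new `Reporter::file_weird`, `f->AsRecordVal()->Lookup(0)` is dereferenced immediately via `->AsStringVal()`; record field lookups can return a null pointer for an unset field, so a defensive `if ( ! fuid ) return val_mgr->GetBool(0);` between the two statements would turn a malformed `fa_file` record into the documented `false` return instead of a crash (whether field 0 can actually be unset here I cannot tell from the hunk). The bare index `0` also deserves a comment naming the field it is assumed to be, e.g. `// field 0 of fa_file is the file id (fa_file$id) — confirm against init-bare`.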
@@ -50,7 +50,7 @@ function Reporter::warning%(msg: string%): bool ## ## Returns: Always true. ## -## .. bro:see:: reporter_error +## .. zeek:see:: reporter_error function Reporter::error%(msg: string%): bool %{ reporter->PushLocation(frame->GetCall()->GetLocationInfo()); @@ -127,6 +127,27 @@ function Reporter::conn_weird%(name: string, c: connection, addl: string &defaul return val_mgr->GetBool(1); %} +## Generates a "file" weird. +## +## name: the name of the weird. +## +## f: the file associated with the weird. +## +## addl: additional information to accompany the weird. +## +## Returns: true if the file was still valid, else false. +function Reporter::file_weird%(name: string, f: fa_file, addl: string &default=""%): bool + %{ + auto fuid = f->AsRecordVal()->Lookup(0)->AsStringVal(); + auto file = file_mgr->LookupFile(fuid->CheckString()); + + if ( ! file ) + return val_mgr->GetBool(0); + + reporter->Weird(file, name->CheckString(), addl->CheckString()); + return val_mgr->GetBool(1); + %} + ## Gets the weird sampling whitelist ## ## Returns: Current weird sampling whitelist diff --git a/src/scan.l b/src/scan.l index c2be426044..4da90394e7 100644 --- a/src/scan.l +++ b/src/scan.l @@ -29,7 +29,7 @@ #include "Traverse.h" #include "analyzer/Analyzer.h" -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" #include "plugin/Manager.h" @@ -77,6 +77,17 @@ static string find_relative_file(const string& filename, const string& ext) return find_file(filename, bro_path(), ext); } +static string find_relative_script_file(const string& filename) + { + if ( filename.empty() ) + return string(); + + if ( filename[0] == '.' ) + return find_script_file(filename, SafeDirname(::filename).result); + else + return find_script_file(filename, bro_path()); + } + static ino_t get_inode_num(FILE* f, const string& path) { struct stat b; 
@@ -141,7 +152,7 @@ D [0-9]+ HEX [0-9a-fA-F]+ IDCOMPONENT [A-Za-z_][A-Za-z_0-9]* ID {IDCOMPONENT}(::{IDCOMPONENT})* -IP6 ("["({HEX}:){7}{HEX}"]")|("["0x{HEX}({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*({D}"."){3}{D}"]") +IP6 ("["({HEX}:){7}{HEX}"]")|("["0x{HEX}({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}:){6}({D}"."){3}{D}"]")|("["({HEX}|:)*"::"({HEX}|:)*({D}"."){3}{D}"]") FILE [^ \t\n]+ PREFIX [^ \t\n]+ FLOAT (({D}*"."?{D})|({D}"."?{D}*))([eE][-+]?{D})? @@ -151,19 +162,19 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+)) %% ##!.* { - broxygen_mgr->SummaryComment(::filename, yytext + 3); + zeexygen_mgr->SummaryComment(::filename, yytext + 3); } ##<.* { string hint(cur_enum_type && last_id_tok ? make_full_var_name(current_module.c_str(), last_id_tok) : ""); - broxygen_mgr->PostComment(yytext + 3, hint); + zeexygen_mgr->PostComment(yytext + 3, hint); } ##.* { if ( yytext[2] != '#' ) - broxygen_mgr->PreComment(yytext + 2); + zeexygen_mgr->PreComment(yytext + 2); } #{OWS}@no-test.* return TOK_NO_TEST; @@ -363,14 +374,14 @@ when return TOK_WHEN; @load{WS}{FILE} { const char* new_file = skip_whitespace(yytext + 5); // Skip "@load". string loader = ::filename; // load_files may change ::filename, save copy - string loading = find_relative_file(new_file, "bro"); + string loading = find_relative_script_file(new_file); (void) load_files(new_file); - broxygen_mgr->ScriptDependency(loader, loading); + zeexygen_mgr->ScriptDependency(loader, loading); } @load-sigs{WS}{FILE} { const char* file = skip_whitespace(yytext + 10); - string path = find_relative_file(file, "sig"); + string path = find_relative_file(file, ".sig"); int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SIGNATURES, file, path), -1); switch ( rc ) { 
@@ -430,7 +441,7 @@ when return TOK_WHEN; @unload{WS}{FILE} { // Skip "@unload". const char* file = skip_whitespace(yytext + 7); - string path = find_relative_file(file, "bro"); + string path = find_relative_script_file(file); if ( path.empty() ) reporter->Error("failed find file associated with @unload %s", file); @@ -624,7 +635,7 @@ static bool already_scanned(const string& path) static int load_files(const char* orig_file) { - string file_path = find_relative_file(orig_file, "bro"); + string file_path = find_relative_script_file(orig_file); int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SCRIPT, orig_file, file_path), -1); if ( rc == 1 ) @@ -709,7 +720,7 @@ static int load_files(const char* orig_file) else file_stack.append(new FileInfo); - broxygen_mgr->Script(file_path); + zeexygen_mgr->Script(file_path); DBG_LOG(DBG_SCRIPTS, "Loading %s", file_path.c_str()); @@ -912,7 +923,7 @@ int yywrap() if ( ! did_builtin_init && file_stack.length() == 1 ) { // ### This is a gross hack - we know that the first file - // we parse is init-bare.bro, and after it it's safe to initialize + // we parse is init-bare.zeek, and after it it's safe to initialize // the built-ins. Furthermore, we want to initialize the // built-in's *right* after parsing bro.init, so that other // source files can use built-in's when initializing globals. @@ -950,7 +961,7 @@ int yywrap() // prefixed and flattened version of the loaded file in BROPATH. The // flattening involves taking the path in BROPATH in which the // scanned file lives and replacing '/' path separators with a '.' If - // the scanned file is "__load__.bro", that part of the flattened + // the scanned file is "__load__.zeek", that part of the flattened // file name is discarded. If the prefix is non-empty, it gets placed // in front of the flattened path, separated with another '.' std::list::iterator it; 
@@ -970,7 +981,7 @@ int yywrap() string canon = without_bropath_component(it->name); string flat = flatten_script_name(canon, prefixes[i]); - string path = find_relative_file(flat, "bro"); + string path = find_relative_script_file(flat); if ( ! path.empty() ) { diff --git a/src/stats.bif b/src/stats.bif index bb4d92586f..d31f66de4e 100644 --- a/src/stats.bif +++ b/src/stats.bif @@ -25,7 +25,7 @@ RecordType* ReporterStats; ## ## Returns: A record of packet statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -74,7 +74,7 @@ function get_net_stats%(%): NetStats ## ## Returns: A record with connection and packet statistics. ## -## .. bro:see:: get_dns_stats +## .. zeek:see:: get_dns_stats ## get_event_stats ## get_file_analysis_stats ## get_gap_stats @@ -125,7 +125,7 @@ function get_conn_stats%(%): ConnStats ## ## Returns: A record with process statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -182,7 +182,7 @@ function get_proc_stats%(%): ProcStats ## ## Returns: A record with event engine statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_file_analysis_stats ## get_gap_stats @@ -209,7 +209,7 @@ function get_event_stats%(%): EventStats ## ## Returns: A record with reassembler statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -238,7 +238,7 @@ function get_reassembler_stats%(%): ReassemblerStats ## ## Returns: A record with DNS lookup statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_event_stats ## get_file_analysis_stats ## get_gap_stats 
@@ -272,7 +272,7 @@ function get_dns_stats%(%): DNSStats ## ## Returns: A record with timer usage statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -300,7 +300,7 @@ function get_timer_stats%(%): TimerStats ## ## Returns: A record with file analysis statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_gap_stats @@ -328,7 +328,7 @@ function get_file_analysis_stats%(%): FileAnalysisStats ## ## Returns: A record with thread usage statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -354,7 +354,7 @@ function get_thread_stats%(%): ThreadStats ## ## Returns: A record with TCP gap statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -386,7 +386,7 @@ function get_gap_stats%(%): GapStats ## ## Returns: A record with matcher statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -423,7 +423,7 @@ function get_matcher_stats%(%): MatcherStats ## ## Returns: A record with Broker statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats @@ -459,7 +459,7 @@ function get_broker_stats%(%): BrokerStats ## ## Returns: A record with reporter statistics. ## -## .. bro:see:: get_conn_stats +## .. zeek:see:: get_conn_stats ## get_dns_stats ## get_event_stats ## get_file_analysis_stats diff --git a/src/strings.bif b/src/strings.bif index 7435f5cffb..ef584ee7af 100644 --- a/src/strings.bif +++ b/src/strings.bif 
@@ -55,7 +55,7 @@ function levenshtein_distance%(s1: string, s2: string%): count ## ## Returns: The concatenation of all (string) arguments. ## -## .. bro:see:: cat cat_sep cat_string_array cat_string_array_n +## .. zeek:see:: cat cat_sep cat_string_array cat_string_array_n ## fmt ## join_string_vec join_string_array function string_cat%(...%): string @@ -123,11 +123,11 @@ BroString* cat_string_array_n(TableVal* tbl, int start, int end) ## Concatenates all elements in an array of strings. ## -## a: The :bro:type:`string_array` (``table[count] of string``). +## a: The :zeek:type:`string_array` (``table[count] of string``). ## ## Returns: The concatenation of all elements in *a*. ## -## .. bro:see:: cat cat_sep string_cat cat_string_array_n +## .. zeek:see:: cat cat_sep string_cat cat_string_array_n ## fmt ## join_string_vec join_string_array function cat_string_array%(a: string_array%): string &deprecated @@ -138,7 +138,7 @@ function cat_string_array%(a: string_array%): string &deprecated ## Concatenates a specific range of elements in an array of strings. ## -## a: The :bro:type:`string_array` (``table[count] of string``). +## a: The :zeek:type:`string_array` (``table[count] of string``). ## ## start: The array index of the first element of the range. ## @@ -146,7 +146,7 @@ function cat_string_array%(a: string_array%): string &deprecated ## ## Returns: The concatenation of the range *[start, end]* in *a*. ## -## .. bro:see:: cat string_cat cat_string_array +## .. zeek:see:: cat string_cat cat_string_array ## fmt ## join_string_vec join_string_array function cat_string_array_n%(a: string_array, start: count, end: count%): string &deprecated 
@@ -160,12 +160,12 @@ function cat_string_array_n%(a: string_array, start: count, end: count%): string ## ## sep: The separator to place between each element. ## -## a: The :bro:type:`string_array` (``table[count] of string``). +## a: The :zeek:type:`string_array` (``table[count] of string``). ## ## Returns: The concatenation of all elements in *a*, with *sep* placed ## between each element. ## -## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n +## .. zeek:see:: cat cat_sep string_cat cat_string_array cat_string_array_n ## fmt ## join_string_vec function join_string_array%(sep: string, a: string_array%): string &deprecated @@ -196,12 +196,12 @@ function join_string_array%(sep: string, a: string_array%): string &deprecated ## ## sep: The separator to place between each element. ## -## vec: The :bro:type:`string_vec` (``vector of string``). +## vec: The :zeek:type:`string_vec` (``vector of string``). ## ## Returns: The concatenation of all elements in *vec*, with *sep* placed ## between each element. ## -## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n +## .. zeek:see:: cat cat_sep string_cat cat_string_array cat_string_array_n ## fmt ## join_string_array function join_string_vec%(vec: string_vec, sep: string%): string @@ -233,11 +233,11 @@ function join_string_vec%(vec: string_vec, sep: string%): string ## Sorts an array of strings. ## -## a: The :bro:type:`string_array` (``table[count] of string``). +## a: The :zeek:type:`string_array` (``table[count] of string``). ## ## Returns: A sorted copy of *a*. ## -## .. bro:see:: sort +## .. zeek:see:: sort function sort_string_array%(a: string_array%): string_array &deprecated %{ TableVal* tbl = a->AsTableVal(); 
@@ -278,7 +278,7 @@ function sort_string_array%(a: string_array%): string_array &deprecated ## Returns: An edited version of *arg_s* where *arg_edit_char* triggers the ## deletion of the last character. ## -## .. bro:see:: clean +## .. zeek:see:: clean ## to_string_literal ## escape_string ## strip @@ -558,7 +558,7 @@ Val* do_sub(StringVal* str_val, RE_Matcher* re, StringVal* repl, int do_all) ## Returns: An array of strings where each element corresponds to a substring ## in *str* separated by *re*. ## -## .. bro:see:: split1 split_all split_n str_split split_string1 split_string_all split_string_n str_split +## .. zeek:see:: split1 split_all split_n str_split split_string1 split_string_all split_string_n str_split ## ## .. note:: The returned table starts at index 1. Note that conceptually the ## return value is meant to be a vector and this might change in the @@ -578,7 +578,7 @@ function split%(str: string, re: pattern%): string_array &deprecated ## Returns: An array of strings where each element corresponds to a substring ## in *str* separated by *re*. ## -## .. bro:see:: split_string1 split_string_all split_string_n str_split +## .. zeek:see:: split_string1 split_string_all split_string_n str_split ## function split_string%(str: string, re: pattern%): string_vec %{ @@ -586,7 +586,7 @@ function split_string%(str: string, re: pattern%): string_vec %} ## Splits a string *once* into a two-element array of strings according to a -## pattern. This function is the same as :bro:id:`split`, but *str* is only +## pattern. This function is the same as :zeek:id:`split`, but *str* is only ## split once (if possible) at the earliest position and an array of two strings ## is returned. ## 
@@ -599,14 +599,14 @@ function split_string%(str: string, re: pattern%): string_vec ## second everything after *re*. An array of one string is returned ## when *s* cannot be split. ## -## .. bro:see:: split split_all split_n str_split split_string split_string_all split_string_n str_split +## .. zeek:see:: split split_all split_n str_split split_string split_string_all split_string_n str_split function split1%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 0, 1); %} ## Splits a string *once* into a two-element array of strings according to a -## pattern. This function is the same as :bro:id:`split_string`, but *str* is +## pattern. This function is the same as :zeek:id:`split_string`, but *str* is ## only split once (if possible) at the earliest position and an array of two ## strings is returned. ## @@ -619,14 +619,14 @@ function split1%(str: string, re: pattern%): string_array &deprecated ## second everything after *re*. An array of one string is returned ## when *s* cannot be split. ## -## .. bro:see:: split_string split_string_all split_string_n str_split +## .. zeek:see:: split_string split_string_all split_string_n str_split function split_string1%(str: string, re: pattern%): string_vec %{ return do_split_string(str, re, 0, 1); %} ## Splits a string into an array of strings according to a pattern. This -## function is the same as :bro:id:`split`, except that the separators are +## function is the same as :zeek:id:`split`, except that the separators are ## returned as well. For example, ``split_all("a-b--cd", /(\-)+/)`` returns ## ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do not match the ## pattern and even-indexed ones do. 
@@ -639,14 +639,14 @@ function split_string1%(str: string, re: pattern%): string_vec ## to a substring in *str* of the part not matching *re* (odd-indexed) ## and the part that matches *re* (even-indexed). ## -## .. bro:see:: split split1 split_n str_split split_string split_string1 split_string_n str_split +## .. zeek:see:: split split1 split_n str_split split_string split_string1 split_string_n str_split function split_all%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 1, 0); %} ## Splits a string into an array of strings according to a pattern. This -## function is the same as :bro:id:`split_string`, except that the separators +## function is the same as :zeek:id:`split_string`, except that the separators ## are returned as well. For example, ``split_string_all("a-b--cd", /(\-)+/)`` ## returns ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do match the ## pattern and even-indexed ones do not. @@ -659,15 +659,15 @@ function split_all%(str: string, re: pattern%): string_array &deprecated ## to a substring in *str* of the part not matching *re* (even-indexed) ## and the part that matches *re* (odd-indexed). ## -## .. bro:see:: split_string split_string1 split_string_n str_split +## .. zeek:see:: split_string split_string1 split_string_n str_split function split_string_all%(str: string, re: pattern%): string_vec %{ return do_split_string(str, re, 1, 0); %} ## Splits a string a given number of times into an array of strings according -## to a pattern. This function is similar to :bro:id:`split1` and -## :bro:id:`split_all`, but with customizable behavior with respect to +## to a pattern. This function is similar to :zeek:id:`split1` and +## :zeek:id:`split_all`, but with customizable behavior with respect to ## including separators in the result and the number of times to split. ## ## str: The string to split. 
@@ -675,7 +675,7 @@ function split_string_all%(str: string, re: pattern%): string_vec ## re: The pattern describing the element separator in *str*. ## ## incl_sep: A flag indicating whether to include the separator matches in the -## result (as in :bro:id:`split_all`). +## result (as in :zeek:id:`split_all`). ## ## max_num_sep: The number of times to split *str*. ## @@ -684,7 +684,7 @@ function split_string_all%(str: string, re: pattern%): string_vec ## not matching *re* (odd-indexed) and the part that matches *re* ## (even-indexed). ## -## .. bro:see:: split split1 split_all str_split split_string split_string1 split_string_all str_split +## .. zeek:see:: split split1 split_all str_split split_string split_string1 split_string_all str_split function split_n%(str: string, re: pattern, incl_sep: bool, max_num_sep: count%): string_array &deprecated %{ @@ -692,8 +692,8 @@ function split_n%(str: string, re: pattern, %} ## Splits a string a given number of times into an array of strings according -## to a pattern. This function is similar to :bro:id:`split_string1` and -## :bro:id:`split_string_all`, but with customizable behavior with respect to +## to a pattern. This function is similar to :zeek:id:`split_string1` and +## :zeek:id:`split_string_all`, but with customizable behavior with respect to ## including separators in the result and the number of times to split. ## ## str: The string to split. @@ -701,7 +701,7 @@ function split_n%(str: string, re: pattern, ## re: The pattern describing the element separator in *str*. ## ## incl_sep: A flag indicating whether to include the separator matches in the -## result (as in :bro:id:`split_string_all`). +## result (as in :zeek:id:`split_string_all`). ## ## max_num_sep: The number of times to split *str*. ## 
@@ -710,7 +710,7 @@ function split_n%(str: string, re: pattern, ## not matching *re* (even-indexed) and the part that matches *re* ## (odd-indexed). ## -## .. bro:see:: split_string split_string1 split_string_all str_split +## .. zeek:see:: split_string split_string1 split_string_all str_split function split_string_n%(str: string, re: pattern, incl_sep: bool, max_num_sep: count%): string_vec %{ @@ -729,7 +729,7 @@ function split_string_n%(str: string, re: pattern, ## Returns: A copy of *str* with the first occurence of *re* replaced with ## *repl*. ## -## .. bro:see:: gsub subst_string +## .. zeek:see:: gsub subst_string function sub%(str: string, re: pattern, repl: string%): string %{ return do_sub(str, re, repl, 0); @@ -746,7 +746,7 @@ function sub%(str: string, re: pattern, repl: string%): string ## ## Returns: A copy of *str* with all occurrences of *re* replaced with *repl*. ## -## .. bro:see:: sub subst_string +## .. zeek:see:: sub subst_string function gsub%(str: string, re: pattern, repl: string%): string %{ return do_sub(str, re, repl, 1); @@ -775,7 +775,7 @@ function strcmp%(s1: string, s2: string%): int ## Returns: The location of *little* in *big*, or 0 if *little* is not found in ## *big*. ## -## .. bro:see:: find_all find_last +## .. zeek:see:: find_all find_last function strstr%(big: string, little: string%): count %{ return val_mgr->GetCount( @@ -792,7 +792,7 @@ function strstr%(big: string, little: string%): count ## ## Returns: A copy of *s* where each occurrence of *from* is replaced with *to*. ## -## .. bro:see:: sub gsub +## .. zeek:see:: sub gsub function subst_string%(s: string, from: string, to: string%): string %{ const int little_len = from->Len(); 
@@ -843,7 +843,7 @@ function subst_string%(s: string, from: string, to: string%): string ## by ``isascii`` and ``isupper``) folded to lowercase ## (via ``tolower``). ## -## .. bro:see:: to_upper is_ascii +## .. zeek:see:: to_upper is_ascii function to_lower%(str: string%): string %{ const u_char* s = str->Bytes(); @@ -872,7 +872,7 @@ function to_lower%(str: string%): string ## by ``isascii`` and ``islower``) folded to uppercase ## (via ``toupper``). ## -## .. bro:see:: to_lower is_ascii +## .. zeek:see:: to_lower is_ascii function to_upper%(str: string%): string %{ const u_char* s = str->Bytes(); @@ -900,13 +900,13 @@ function to_upper%(str: string%): string ## ## If the string does not yet have a trailing NUL, one is added internally. ## -## In contrast to :bro:id:`escape_string`, this encoding is *not* fully reversible.` +## In contrast to :zeek:id:`escape_string`, this encoding is *not* fully reversible.` ## ## str: The string to escape. ## ## Returns: The escaped string. ## -## .. bro:see:: to_string_literal escape_string +## .. zeek:see:: to_string_literal escape_string function clean%(str: string%): string %{ char* s = str->AsString()->Render(); @@ -924,7 +924,7 @@ function clean%(str: string%): string ## ## Returns: The escaped string. ## -## .. bro:see:: clean escape_string +## .. zeek:see:: clean escape_string function to_string_literal%(str: string%): string %{ char* s = str->AsString()->Render(BroString::BRO_STRING_LITERAL); @@ -938,7 +938,7 @@ function to_string_literal%(str: string%): string ## Returns: False if any byte value of *str* is greater than 127, and true ## otherwise. ## -## .. bro:see:: to_upper to_lower +## .. zeek:see:: to_upper to_lower function is_ascii%(str: string%): bool %{ int n = str->Len(); 
@@ -957,13 +957,13 @@ function is_ascii%(str: string%): bool ## - values not in *[32, 126]* to ``\xXX`` ## - ``\`` to ``\\`` ## -## In contrast to :bro:id:`clean`, this encoding is fully reversible.` +## In contrast to :zeek:id:`clean`, this encoding is fully reversible.` ## ## str: The string to escape. ## ## Returns: The escaped string. ## -## .. bro:see:: clean to_string_literal +## .. zeek:see:: clean to_string_literal function escape_string%(s: string%): string %{ char* escstr = s->AsString()->Render(BroString::ESC_HEX | BroString::ESC_ESC); @@ -1022,7 +1022,7 @@ function str_smith_waterman%(s1: string, s2: string, params: sw_params%) : sw_su ## ## Returns: A vector of strings. ## -## .. bro:see:: split split1 split_all split_n +## .. zeek:see:: split split1 split_all split_n function str_split%(s: string, idx: index_vec%): string_vec %{ vector* idx_v = idx->AsVector(); @@ -1057,7 +1057,7 @@ function str_split%(s: string, idx: index_vec%): string_vec ## ## Returns: A copy of *str* with leading and trailing whitespace removed. ## -## .. bro:see:: sub gsub lstrip rstrip +## .. zeek:see:: sub gsub lstrip rstrip function strip%(str: string%): string %{ const u_char* s = str->Bytes(); @@ -1105,7 +1105,7 @@ static bool should_strip(u_char c, const BroString* strip_chars) ## Returns: A copy of *str* with the characters in *chars* removed from ## the beginning. ## -## .. bro:see:: sub gsub strip rstrip +## .. zeek:see:: sub gsub strip rstrip function lstrip%(str: string, chars: string &default=" \t\n\r\v\f"%): string %{ const u_char* s = str->Bytes(); @@ -1136,7 +1136,7 @@ function lstrip%(str: string, chars: string &default=" \t\n\r\v\f"%): string ## Returns: A copy of *str* with the characters in *chars* removed from ## the end. ## -## .. bro:see:: sub gsub strip lstrip +## .. zeek:see:: sub gsub strip lstrip function rstrip%(str: string, chars: string &default=" \t\n\r\v\f"%): string %{ const u_char* s = str->Bytes(); 
@@ -1180,14 +1180,58 @@ function string_fill%(len: int, source: string%): string
 ## Takes a string and escapes characters that would allow execution of
 ## commands at the shell level. Must be used before including strings in
-## :bro:id:`system` or similar calls.
+## :zeek:id:`system` or similar calls.
+##
+## source: The string to escape.
+##
+## Returns: A shell-escaped version of *source*. Specifically, this
+## backslash-escapes characters whose literal value is not otherwise
+## preserved by enclosure in double-quotes (dollar-sign, backquote,
+## backslash, and double-quote itself), and then encloses that
+## backslash-escaped string in double-quotes to ultimately preserve
+## the literal value of all input characters.
+##
+## .. zeek:see:: system safe_shell_quote
+function safe_shell_quote%(source: string%): string
+ %{
+ unsigned j = 0;
+ const u_char* src = source->Bytes();
+ unsigned n = source->Len();
+ byte_vec dst = new u_char[n * 2 + 1 + 2];
+ dst[j++] = '"';
+
+ for ( unsigned i = 0; i < n; ++i )
+ {
+ switch ( src[i] ) {
+ case '`': case '"': case '\\': case '$':
+ dst[j++] = '\\';
+ break;
+ default:
+ break;
+ }
+
+ dst[j++] = src[i];
+ }
+
+ dst[j++] = '"';
+ dst[j] = '\0';
+ return new StringVal(new BroString(1, dst, j));
+ %}
+
+## Takes a string and escapes characters that would allow execution of
+## commands at the shell level. Must be used before including strings in
+## :zeek:id:`system` or similar calls. This function is deprecated, use
+## :zeek:see:`safe_shell_quote` as a replacement. The difference is that
+## :zeek:see:`safe_shell_quote` automatically returns a value that is
+## wrapped in double-quotes, which is required to correctly and fully
+## escape any characters that might be interpreted by the shell.
 ##
 ## source: The string to escape.
 ##
 ## Returns: A shell-escaped version of *source*.
 ##
-## .. bro:see:: system
-function str_shell_escape%(source: string%): string
+## .. 
zeek:see:: system safe_shell_quote
+function str_shell_escape%(source: string%): string &deprecated
 %{
 unsigned j = 0;
 const u_char* src = source->Bytes();
@@ -1223,7 +1267,7 @@ function str_shell_escape%(source: string%): string
 ##
 ## Returns: The set of strings in *str* that match *re*, or the empty set.
 ##
-## .. bro:see: find_last strstr
+## .. zeek:see: find_last strstr
 function find_all%(str: string, re: pattern%) : string_set
 %{
 TableVal* a = new TableVal(string_set);
@@ -1257,7 +1301,7 @@ function find_all%(str: string, re: pattern%) : string_set
 ##
 ## Returns: The last string in *str* that matches *re*, or the empty string.
 ##
-## .. bro:see: find_all strstr
+## .. zeek:see: find_all strstr
 function find_last%(str: string, re: pattern%) : string
 %{
 const u_char* s = str->Bytes();
@@ -1281,7 +1325,7 @@ function find_last%(str: string, re: pattern%) : string
 ##
 ## Returns: The hex dump of the given string.
 ##
-## .. bro:see:: string_to_ascii_hex bytestring_to_hexstr
+## .. zeek:see:: string_to_ascii_hex bytestring_to_hexstr
 ##
 ## .. note:: Based on Netdude's hex editor code.
 ##
diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
index f495a76b62..73e9489dc5 100644
--- a/src/threading/formatters/JSON.cc
+++ b/src/threading/formatters/JSON.cc
@@ -77,17 +77,8 @@ bool JSON::Describe(ODesc* desc, Value* val, const string& name) const
 case TYPE_COUNT:
 case TYPE_COUNTER:
- {
- // JSON doesn't support unsigned 64bit ints.
- if ( val->val.uint_val >= INT64_MAX )
- {
- GetThread()->Error(GetThread()->Fmt("count value too large for JSON: %" PRIu64, val->val.uint_val));
- desc->AddRaw("null", 4);
- }
- else
- desc->Add(val->val.uint_val);
+ desc->Add(val->val.uint_val);
 break;
- }
 case TYPE_PORT:
 desc->Add(val->val.port_val.port);
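Review bot: The `Returns:` text for `safe_shell_quote` should state that the result is already a complete double-quoted shell word, so a caller splices it into the command verbatim and must not add quoting of its own, which would undo the escaping; it is also worth recording that an empty *source* yields `""`, which keeps an empty argument distinct from a missing one. A one-line comment on the allocation would spare the next reader the arithmetic: `// Worst case: every byte escaped (2n) plus two quotes and a NUL.` The four characters escaped (backquote, double-quote, backslash, dollar) are the ones POSIX gives special meaning inside double quotes, so the encoding looks complete for that context; what an embedded NUL byte does once the value reaches a C-string based call is outside this hunk and could be noted as a caveat. The deprecated `str_shell_escape` body that follows continues past the end of the hunk.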
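Review bot: With the `INT64_MAX` guard removed in `JSON::Describe`, a `count` above 2^63-1 is now written as a bare JSON number and the diagnostic that used to flag it is gone too, so a consumer that parses numbers into a signed 64-bit integer or an IEEE double now fails or loses precision silently instead of an error appearing in Zeek's reporter log. If `desc->Add(uint64_t)` is meant to emit the full decimal value — that cannot be checked from this hunk — the decision deserves a comment where the old one was, e.g. `// Emitted as a full unsigned 64-bit decimal; RFC 8259 permits this, but readers limited to int64 or double will not round-trip values above 2^53.` The same applies to the `TS_MILLIS` branch in the hunk at `@@ -149,16 +140,9 @@`, whose trimmed comment now says nothing about the range of `ts`.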
@@ -149,16 +140,9 @@ bool JSON::Describe(ODesc* desc, Value* val, const string& name) const
 else if ( timestamps == TS_MILLIS )
 {
- // ElasticSearch uses milliseconds for timestamps and json only
- // supports signed ints (uints can be too large).
+ // ElasticSearch uses milliseconds for timestamps
 uint64_t ts = (uint64_t) (val->val.double_val * 1000);
- if ( ts < INT64_MAX )
- desc->Add(ts);
- else
- {
- GetThread()->Error(GetThread()->Fmt("time value too large for JSON milliseconds: %" PRIu64, ts));
- desc->AddRaw("null", 4);
- }
+ desc->Add(ts);
 }
 break;
diff --git a/src/types.bif b/src/types.bif
index 145a8af89e..79f5780f52 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -141,7 +141,7 @@ enum createmode_t %{
 %}
 # Declare record types that we want to access from the event engine. These are
-# defined in init-bare.bro.
+# defined in init-bare.zeek.
 type info_t: record;
 type fattr_t: record;
 type sattr_t: record;
@@ -192,6 +192,7 @@ enum Type %{
 GTPv1,
 HTTP,
 GRE,
+ VXLAN,
 %}
 type EncapsulatingConn: record;
diff --git a/src/util.cc b/src/util.cc
index cce49a7f6d..0367700ffb 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -20,6 +20,7 @@
 #endif
 #include
+#include
 #include
 #include
 #include
@@ -1007,7 +1008,20 @@ string bro_prefixes()
 return rval;
 }
-const char* PACKAGE_LOADER = "__load__.bro";
+const array script_extensions = {".zeek", ".bro"};
+
+bool is_package_loader(const string& path)
+ {
+ string filename(std::move(SafeBasename(path).result));
+
+ for ( const string& ext : script_extensions )
+ {
+ if ( filename == "__load__" + ext )
+ return true;
+ }
+
+ return false;
+ }
 FILE* open_file(const string& path, const string& mode)
 {
@@ -1034,13 +1048,22 @@ static bool can_read(const string& path)
 FILE* open_package(string& path, const string& mode)
 {
 string arg_path = path;
- path.append("/").append(PACKAGE_LOADER);
+ path.append("/__load__");
- if ( can_read(path) )
- return open_file(path, mode);
+ for ( const string& ext : script_extensions )
+ {
+ string p = path + ext;
+ if ( can_read(p) )
+ {
+ path.append(ext);
+ return open_file(path, mode);
+ }
+ }
+ path.append(script_extensions[0]);
+ string package_loader = "__load__" + script_extensions[0];
 reporter->Error("Failed to open package '%s': missing '%s' file",
- arg_path.c_str(), PACKAGE_LOADER);
+ arg_path.c_str(), package_loader.c_str());
 return 0;
 }
@@ -1123,7 +1146,7 @@ string flatten_script_name(const string& name, const string& prefix)
 if ( ! rval.empty() )
 rval.append(".");
- if ( SafeBasename(name).result == PACKAGE_LOADER )
+ if ( is_package_loader(name) )
 rval.append(SafeDirname(name).result);
 else
 rval.append(name);
@@ -1221,7 +1244,7 @@ string without_bropath_component(const string& path)
 }
 static string find_file_in_path(const string& filename, const string& path,
- const string& opt_ext = "")
+ const vector& opt_ext)
 {
 if ( filename.empty() )
 return string();
@@ -1239,10 +1262,13 @@ static string find_file_in_path(const string& filename, const string& path,
 if ( ! opt_ext.empty() )
 {
- string with_ext = abs_path + '.' + opt_ext;
+ for ( const string& ext : opt_ext )
+ {
+ string with_ext = abs_path + ext;
- if ( can_read(with_ext) )
- return with_ext;
+ if ( can_read(with_ext) )
+ return with_ext;
+ }
 }
 if ( can_read(abs_path) )
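Review bot: When a package directory contains both `__load__.zeek` and `__load__.bro`, the loop in `open_package` opens the `.zeek` one and silently ignores the other, and `find_file_in_path` in the hunk at `@@ -1239,10 +1262,13 @@` resolves the same way by `opt_ext` order; a stale `.bro` loader left behind by a partial migration would therefore never run and nothing would say so. A comment makes the precedence explicit, `// First readable candidate wins, in script_extensions order (.zeek before .bro).`, and a reporter warning when more than one candidate is readable would surface the inconsistency. On the failure path `path` is still mutated to end in `/__load__.zeek` although nothing was opened; presumably that is for the caller's diagnostics, but the out-parameter contract is not documented on the function and should be.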
@@ -1257,9 +1283,13 @@ string find_file(const string& filename, const string& path_set,
 vector paths;
 tokenize_string(path_set, ":", &paths);
+ vector ext;
+ if ( ! opt_ext.empty() )
+ ext.push_back(opt_ext);
+
 for ( size_t n = 0; n < paths.size(); ++n )
 {
- string f = find_file_in_path(filename, paths[n], opt_ext);
+ string f = find_file_in_path(filename, paths[n], ext);
 if ( ! f.empty() )
 return f;
@@ -1268,6 +1298,40 @@ string find_file(const string& filename, const string& path_set,
 return string();
 }
+static bool ends_with(const std::string& s, const std::string& ending)
+ {
+ if ( ending.size() > s.size() )
+ return false;
+
+ return std::equal(ending.rbegin(), ending.rend(), s.rbegin());
+ }
+
+string find_script_file(const string& filename, const string& path_set)
+ {
+ vector paths;
+ tokenize_string(path_set, ":", &paths);
+
+ vector ext(script_extensions.begin(), script_extensions.end());
+
+ for ( size_t n = 0; n < paths.size(); ++n )
+ {
+ string f = find_file_in_path(filename, paths[n], ext);
+
+ if ( ! f.empty() )
+ return f;
+ }
+
+ if ( ends_with(filename, ".bro") )
+ {
+ // We were looking for a file explicitly ending in .bro and didn't
+ // find it, so fall back to one ending in .zeek, if it exists.
+ auto fallback = string(filename.data(), filename.size() - 4) + ".zeek";
+ return find_script_file(fallback, path_set);
+ }
+
+ return string();
+ }
+
 FILE* rotate_file(const char* name, RecordVal* rotate_info)
 {
 // Build file names.
diff --git a/src/util.h b/src/util.h
index 232275d9c9..b63b74a3f7 100644
--- a/src/util.h
+++ b/src/util.h
@@ -26,6 +26,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
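Review bot: The `.bro` → `.zeek` fallback in `find_script_file` is silent: a caller asking for `foo.bro` can get `foo.zeek` back with no log line, so an operator reading a load error cannot tell which file was actually used. A `DBG_LOG` line (the macro this commit uses elsewhere) or a reporter info message next to the recursive call would keep the substitution traceable; the recursion terminates because the fallback name ends in `.zeek`, which a short comment could state as well, e.g. `// Recurses once at most: the fallback no longer ends in ".bro".`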
@@ -248,16 +249,16 @@ static const SourceID SOURCE_BROKER = 0xffffffff;
 extern void pinpoint();
 extern int int_list_cmp(const void* v1, const void* v2);
-// Contains the name of the script file that gets read
-// when a package is loaded (i.e., "__load__.bro).
-extern const char* PACKAGE_LOADER;
-
 extern const std::string& bro_path();
 extern const char* bro_magic_path();
 extern const char* bro_plugin_path();
 extern const char* bro_plugin_activate();
 extern std::string bro_prefixes();
+extern const std::array script_extensions;
+
+bool is_package_loader(const std::string& path);
+
 extern void add_to_bro_path(const std::string& dir);
@@ -308,7 +309,7 @@ std::string implode_string_vector(const std::vector& v,
 /**
 * Flatten a script name by replacing '/' path separators with '.'.
- * @param file A path to a Bro script. If it is a __load__.bro, that part
+ * @param file A path to a Bro script. If it is a __load__.zeek, that part
 * is discarded when constructing the flattened the name.
 * @param prefix A string to prepend to the flattened script name.
 * @return The flattened script name.
@@ -341,6 +342,14 @@ std::string without_bropath_component(const std::string& path);
 std::string find_file(const std::string& filename, const std::string& path_set, const std::string& opt_ext = "");
+/**
+ * Locate a script file within a given search path.
+ * @param filename Name of a file to find.
+ * @param path_set Colon-delimited set of paths to search for the file.
+ * @return Path to the found file, or an empty string if not found.
+ */
+std::string find_script_file(const std::string& filename, const std::string& path_set);
+
 // Wrapper around fopen(3). Emits an error when failing to open.
 FILE* open_file(const std::string& path, const std::string& mode = "r");
diff --git a/src/broxygen/CMakeLists.txt b/src/zeexygen/CMakeLists.txt
similarity index 73%
rename from src/broxygen/CMakeLists.txt
rename to src/zeexygen/CMakeLists.txt
index f41cd68ff5..43060866a9 100644
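Review bot: The new doc comment for `find_script_file` in the hunk at `@@ -341,6 +342,14 @@` does not describe the behaviour the `util.cc` implementation actually has: the name is tried with each entry of `script_extensions` appended before the bare name, and a name ending in `.bro` that is not found is retried as `.zeek`. Both matter to callers and are the reason this function exists next to `find_file`, so the comment should say so, for instance `@note Tries filename with each script_extensions entry appended first; a "*.bro" that is not found is retried as "*.zeek".` The `__load__.zeek` wording in the `flatten_script_name` comment is now narrower than the code, which accepts any `script_extensions` suffix via `is_package_loader`.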
--- a/src/broxygen/CMakeLists.txt +++ b/src/zeexygen/CMakeLists.txt @@ -7,7 +7,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR} ) -set(broxygen_SRCS +set(zeexygen_SRCS Manager.cc Info.h PackageInfo.cc @@ -19,7 +19,7 @@ set(broxygen_SRCS utils.cc ) -bif_target(broxygen.bif) -bro_add_subdir_library(broxygen ${broxygen_SRCS}) +bif_target(zeexygen.bif) +bro_add_subdir_library(zeexygen ${zeexygen_SRCS}) -add_dependencies(bro_broxygen generate_outputs) +add_dependencies(bro_zeexygen generate_outputs) diff --git a/src/broxygen/Configuration.cc b/src/zeexygen/Configuration.cc similarity index 87% rename from src/broxygen/Configuration.cc rename to src/zeexygen/Configuration.cc index 4780e6ad99..7b1f5e35fd 100644 --- a/src/broxygen/Configuration.cc +++ b/src/zeexygen/Configuration.cc @@ -11,7 +11,7 @@ #include #include -using namespace broxygen; +using namespace zeexygen; using namespace std; static TargetFactory create_target_factory() @@ -37,7 +37,7 @@ Config::Config(const string& arg_file, const string& delim) ifstream f(file.c_str()); if ( ! f.is_open() ) - reporter->FatalError("failed to open Broxygen config file '%s': %s", + reporter->FatalError("failed to open Zeexygen config file '%s': %s", file.c_str(), strerror(errno)); string line; 
@@ -59,20 +59,20 @@ Config::Config(const string& arg_file, const string& delim) continue; if ( tokens.size() != 3 ) - reporter->FatalError("malformed Broxygen target in %s:%u: %s", + reporter->FatalError("malformed Zeexygen target in %s:%u: %s", file.c_str(), line_number, line.c_str()); Target* target = target_factory.Create(tokens[0], tokens[2], tokens[1]); if ( ! target ) - reporter->FatalError("unknown Broxygen target type: %s", + reporter->FatalError("unknown Zeexygen target type: %s", tokens[0].c_str()); targets.push_back(target); } if ( f.bad() ) - reporter->InternalError("error reading Broxygen config file '%s': %s", + reporter->InternalError("error reading Zeexygen config file '%s': %s", file.c_str(), strerror(errno)); } @@ -99,5 +99,5 @@ time_t Config::GetModificationTime() const if ( file.empty() ) return 0; - return broxygen::get_mtime(file); + return zeexygen::get_mtime(file); } diff --git a/src/broxygen/Configuration.h b/src/zeexygen/Configuration.h similarity index 80% rename from src/broxygen/Configuration.h rename to src/zeexygen/Configuration.h index d41deb2c71..a0da9761bc 100644 --- a/src/broxygen/Configuration.h +++ b/src/zeexygen/Configuration.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_CONFIGURATION_H -#define BROXYGEN_CONFIGURATION_H +#ifndef ZEEXYGEN_CONFIGURATION_H +#define ZEEXYGEN_CONFIGURATION_H #include "Info.h" #include "Target.h" @@ -9,7 +9,7 @@ #include #include -namespace broxygen { +namespace zeexygen { /** * Manages the generation of reStructuredText documents corresponding to 
@@ -22,8 +22,8 @@ class Config { public: /** - * Read a Broxygen configuration file, parsing all targets in it. - * @param file The file containing a list of Broxygen targets. If it's + * Read a Zeexygen configuration file, parsing all targets in it. + * @param file The file containing a list of Zeexygen targets. If it's * an empty string most methods are a no-op. * @param delim The delimiter between target fields. */ @@ -41,7 +41,7 @@ public: void FindDependencies(const std::vector& infos); /** - * Build each Broxygen target (i.e. write out the reST documents to disk). + * Build each Zeexygen target (i.e. write out the reST documents to disk). */ void GenerateDocs() const; @@ -58,6 +58,6 @@ private: TargetFactory target_factory; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/IdentifierInfo.cc b/src/zeexygen/IdentifierInfo.cc similarity index 97% rename from src/broxygen/IdentifierInfo.cc rename to src/zeexygen/IdentifierInfo.cc index afc0cf751a..ebb15373bf 100644 --- a/src/broxygen/IdentifierInfo.cc +++ b/src/zeexygen/IdentifierInfo.cc @@ -7,7 +7,7 @@ #include "Val.h" using namespace std; -using namespace broxygen; +using namespace zeexygen; IdentifierInfo::IdentifierInfo(ID* arg_id, ScriptInfo* script) : Info(), @@ -128,7 +128,7 @@ string IdentifierInfo::DoReStructuredText(bool roles_only) const { string s = comments[i]; - if ( broxygen::prettify_params(s) ) + if ( zeexygen::prettify_params(s) ) d.NL(); d.Add(s.c_str()); diff --git a/src/broxygen/IdentifierInfo.h b/src/zeexygen/IdentifierInfo.h similarity index 92% rename from src/broxygen/IdentifierInfo.h rename to src/zeexygen/IdentifierInfo.h index be7e721838..a930f67feb 100644 --- a/src/broxygen/IdentifierInfo.h +++ b/src/zeexygen/IdentifierInfo.h 
@@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_IDENTIFIERINFO_H -#define BROXYGEN_IDENTIFIERINFO_H +#ifndef ZEEXYGEN_IDENTIFIERINFO_H +#define ZEEXYGEN_IDENTIFIERINFO_H #include "Info.h" #include "ScriptInfo.h" @@ -14,7 +14,7 @@ #include #include -namespace broxygen { +namespace zeexygen { class ScriptInfo; @@ -42,7 +42,7 @@ public: * Add a comment associated with the identifier. If the identifier is a * record type and it's in the middle of parsing fields, the comment is * associated with the last field that was parsed. - * @param comment A string extracted from Broxygen-style comment. + * @param comment A string extracted from Zeexygen-style comment. */ void AddComment(const std::string& comment) { last_field_seen ? last_field_seen->comments.push_back(comment) @@ -102,13 +102,13 @@ public: std::string GetDeclaringScriptForField(const std::string& field) const; /** - * @return All Broxygen comments associated with the identifier. + * @return All Zeexygen comments associated with the identifier. */ std::vector GetComments() const; /** * @param field A record field name. - * @return All Broxygen comments associated with the record field. + * @return All Zeexygen comments associated with the record field. */ std::vector GetFieldComments(const std::string& field) const; @@ -118,7 +118,7 @@ public: struct Redefinition { std::string from_script; /**< Name of script doing the redef. */ std::string new_val_desc; /**< Description of new value bound to ID. */ - std::vector comments; /**< Broxygen comments on redef. */ + std::vector comments; /**< Zeexygen comments on redef. */ }; /** @@ -159,6 +159,6 @@ private: ScriptInfo* declaring_script; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/Info.h b/src/zeexygen/Info.h similarity index 89% rename from src/broxygen/Info.h rename to src/zeexygen/Info.h index 9df73f899f..46fba7b7b6 100644 --- a/src/broxygen/Info.h 
+++ b/src/zeexygen/Info.h @@ -1,15 +1,15 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_INFO_H -#define BROXYGEN_INFO_H +#ifndef ZEEXYGEN_INFO_H +#define ZEEXYGEN_INFO_H #include #include -namespace broxygen { +namespace zeexygen { /** - * Abstract base class for any thing that Broxygen can document. + * Abstract base class for any thing that Zeexygen can document. */ class Info { @@ -68,6 +68,6 @@ private: { } }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/Manager.cc b/src/zeexygen/Manager.cc similarity index 87% rename from src/broxygen/Manager.cc rename to src/zeexygen/Manager.cc index c54b05754e..d638705d8b 100644 --- a/src/broxygen/Manager.cc +++ b/src/zeexygen/Manager.cc @@ -7,7 +7,7 @@ #include #include -using namespace broxygen; +using namespace zeexygen; using namespace std; static void DbgAndWarn(const char* msg) @@ -19,7 +19,7 @@ static void DbgAndWarn(const char* msg) return; reporter->Warning("%s", msg); - DBG_LOG(DBG_BROXYGEN, "%s", msg); + DBG_LOG(DBG_ZEEXYGEN, "%s", msg); } static void WarnMissingScript(const char* type, const ID* id, @@ -28,7 +28,7 @@ static void WarnMissingScript(const char* type, const ID* id, if ( script == "" ) return; - DbgAndWarn(fmt("Can't generate Broxygen doumentation for %s %s, " + DbgAndWarn(fmt("Can't generate Zeexygen doumentation for %s %s, " "lookup of %s failed", type, id->Name(), script.c_str())); } 
@@ -83,7 +83,7 @@ Manager::Manager(const string& arg_config, const string& bro_command) // a PATH component that starts with a tilde (such as "~/bin"). A simple // workaround is to just run bro with a relative or absolute path. if ( path_to_bro.empty() || stat(path_to_bro.c_str(), &s) < 0 ) - reporter->InternalError("Broxygen can't get mtime of bro binary %s (try again by specifying the absolute or relative path to Bro): %s", + reporter->InternalError("Zeexygen can't get mtime of bro binary %s (try again by specifying the absolute or relative path to Bro): %s", path_to_bro.c_str(), strerror(errno)); bro_mtime = s.st_mtime; @@ -129,7 +129,7 @@ void Manager::Script(const string& path) if ( scripts.GetInfo(name) ) { - DbgAndWarn(fmt("Duplicate Broxygen script documentation: %s", + DbgAndWarn(fmt("Duplicate Zeexygen script documentation: %s", name.c_str())); return; } @@ -137,7 +137,7 @@ void Manager::Script(const string& path) ScriptInfo* info = new ScriptInfo(name, path); scripts.map[name] = info; all_info.push_back(info); - DBG_LOG(DBG_BROXYGEN, "Made ScriptInfo %s", name.c_str()); + DBG_LOG(DBG_ZEEXYGEN, "Made ScriptInfo %s", name.c_str()); if ( ! info->IsPkgLoader() ) return; @@ -146,7 +146,7 @@ void Manager::Script(const string& path) if ( packages.GetInfo(name) ) { - DbgAndWarn(fmt("Duplicate Broxygen package documentation: %s", + DbgAndWarn(fmt("Duplicate Zeexygen package documentation: %s", name.c_str())); return; } @@ -154,7 +154,7 @@ void Manager::Script(const string& path) PackageInfo* pkginfo = new PackageInfo(name); packages.map[name] = pkginfo; all_info.push_back(pkginfo); - DBG_LOG(DBG_BROXYGEN, "Made PackageInfo %s", name.c_str()); + DBG_LOG(DBG_ZEEXYGEN, "Made PackageInfo %s", name.c_str()); } void Manager::ScriptDependency(const string& path, const string& dep) 
@@ -164,7 +164,7 @@ void Manager::ScriptDependency(const string& path, const string& dep) if ( dep.empty() ) { - DbgAndWarn(fmt("Empty Broxygen script doc dependency: %s", + DbgAndWarn(fmt("Empty Zeexygen script doc dependency: %s", path.c_str())); return; } @@ -175,17 +175,17 @@ void Manager::ScriptDependency(const string& path, const string& dep) if ( ! script_info ) { - DbgAndWarn(fmt("Failed to add Broxygen script doc dependency %s " + DbgAndWarn(fmt("Failed to add Zeexygen script doc dependency %s " "for %s", depname.c_str(), name.c_str())); return; } script_info->AddDependency(depname); - DBG_LOG(DBG_BROXYGEN, "Added script dependency %s for %s", + DBG_LOG(DBG_ZEEXYGEN, "Added script dependency %s for %s", depname.c_str(), name.c_str()); for ( size_t i = 0; i < comment_buffer.size(); ++i ) - DbgAndWarn(fmt("Discarded extraneous Broxygen comment: %s", + DbgAndWarn(fmt("Discarded extraneous Zeexygen comment: %s", comment_buffer[i].c_str())); } @@ -199,13 +199,13 @@ void Manager::ModuleUsage(const string& path, const string& module) if ( ! script_info ) { - DbgAndWarn(fmt("Failed to add Broxygen module usage %s in %s", + DbgAndWarn(fmt("Failed to add Zeexygen module usage %s in %s", module.c_str(), name.c_str())); return; } script_info->AddModule(module); - DBG_LOG(DBG_BROXYGEN, "Added module usage %s in %s", + DBG_LOG(DBG_ZEEXYGEN, "Added module usage %s in %s", module.c_str(), name.c_str()); } @@ -246,7 +246,7 @@ void Manager::StartType(ID* id) if ( id->GetLocationInfo() == &no_location ) { - DbgAndWarn(fmt("Can't generate broxygen doumentation for %s, " + DbgAndWarn(fmt("Can't generate zeexygen doumentation for %s, " "no location available", id->Name())); return; } @@ -261,7 +261,7 @@ void Manager::StartType(ID* id) } incomplete_type = CreateIdentifierInfo(id, script_info); - DBG_LOG(DBG_BROXYGEN, "Made IdentifierInfo (incomplete) %s, in %s", + DBG_LOG(DBG_ZEEXYGEN, "Made IdentifierInfo (incomplete) %s, in %s", id->Name(), script.c_str()); } 
@@ -279,7 +279,7 @@ void Manager::Identifier(ID* id) { if ( incomplete_type->Name() == id->Name() ) { - DBG_LOG(DBG_BROXYGEN, "Finished document for type %s", id->Name()); + DBG_LOG(DBG_ZEEXYGEN, "Finished document for type %s", id->Name()); incomplete_type->CompletedTypeDecl(); incomplete_type = 0; return; @@ -309,7 +309,7 @@ void Manager::Identifier(ID* id) { // Internally-created identifier (e.g. file/proto analyzer enum tags). // Handled specially since they don't have a script location. - DBG_LOG(DBG_BROXYGEN, "Made internal IdentifierInfo %s", + DBG_LOG(DBG_ZEEXYGEN, "Made internal IdentifierInfo %s", id->Name()); CreateIdentifierInfo(id, 0); return; @@ -325,7 +325,7 @@ void Manager::Identifier(ID* id) } CreateIdentifierInfo(id, script_info); - DBG_LOG(DBG_BROXYGEN, "Made IdentifierInfo %s, in script %s", + DBG_LOG(DBG_ZEEXYGEN, "Made IdentifierInfo %s, in script %s", id->Name(), script.c_str()); } @@ -339,7 +339,7 @@ void Manager::RecordField(const ID* id, const TypeDecl* field, if ( ! idd ) { - DbgAndWarn(fmt("Can't generate broxygen doumentation for " + DbgAndWarn(fmt("Can't generate zeexygen doumentation for " "record field %s, unknown record: %s", field->id, id->Name())); return; @@ -348,7 +348,7 @@ void Manager::RecordField(const ID* id, const TypeDecl* field, string script = NormalizeScriptPath(path); idd->AddRecordField(field, script, comment_buffer); comment_buffer.clear(); - DBG_LOG(DBG_BROXYGEN, "Document record field %s, identifier %s, script %s", + DBG_LOG(DBG_ZEEXYGEN, "Document record field %s, identifier %s, script %s", field->id, id->Name(), script.c_str()); } @@ -365,7 +365,7 @@ void Manager::Redef(const ID* id, const string& path) if ( ! id_info ) { - DbgAndWarn(fmt("Can't generate broxygen doumentation for " + DbgAndWarn(fmt("Can't generate zeexygen doumentation for " "redef of %s, identifier lookup failed", id->Name())); return; 
@@ -384,7 +384,7 @@ void Manager::Redef(const ID* id, const string& path) script_info->AddRedef(id_info); comment_buffer.clear(); last_identifier_seen = id_info; - DBG_LOG(DBG_BROXYGEN, "Added redef of %s from %s", + DBG_LOG(DBG_ZEEXYGEN, "Added redef of %s from %s", id->Name(), from_script.c_str()); } @@ -421,7 +421,7 @@ void Manager::PostComment(const string& comment, const string& id_hint) if ( last_identifier_seen ) last_identifier_seen->AddComment(RemoveLeadingSpace(comment)); else - DbgAndWarn(fmt("Discarded unassociated Broxygen comment %s", + DbgAndWarn(fmt("Discarded unassociated Zeexygen comment %s", comment.c_str())); return; diff --git a/src/broxygen/Manager.h b/src/zeexygen/Manager.h similarity index 89% rename from src/broxygen/Manager.h rename to src/zeexygen/Manager.h index 7978adc180..5b2142e047 100644 --- a/src/broxygen/Manager.h +++ b/src/zeexygen/Manager.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_MANAGER_H -#define BROXYGEN_MANAGER_H +#ifndef ZEEXYGEN_MANAGER_H +#define ZEEXYGEN_MANAGER_H #include "Configuration.h" #include "Info.h" @@ -21,7 +21,7 @@ #include #include -namespace broxygen { +namespace zeexygen { /** * Map of info objects. Just a wrapper around std::map to improve code @@ -54,7 +54,7 @@ public: /** * Ctor. - * @param config Path to a Broxygen config file if documentation is to be + * @param config Path to a Zeexygen config file if documentation is to be * written to disk. * @param bro_command The command used to invoke the bro process. * It's used when checking for out-of-date targets. If the bro binary is @@ -80,7 +80,7 @@ public: void InitPostScript(); /** - * Builds all Broxygen targets specified by config file and write out + * Builds all Zeexygen targets specified by config file and write out * documentation to disk. */ void GenerateDocs() const; 
@@ -140,24 +140,24 @@ public: void Redef(const ID* id, const std::string& path); /** - * Register Broxygen script summary content. + * Register Zeexygen script summary content. * @param path Absolute path to a Bro script. - * @param comment Broxygen-style summary comment ("##!") to associate with + * @param comment Zeexygen-style summary comment ("##!") to associate with * script given by \a path. */ void SummaryComment(const std::string& path, const std::string& comment); /** - * Register a Broxygen comment ("##") for an upcoming identifier (i.e. + * Register a Zeexygen comment ("##") for an upcoming identifier (i.e. * this content is buffered and consumed by next identifier/field * declaration. - * @param comment Content of the Broxygen comment. + * @param comment Content of the Zeexygen comment. */ void PreComment(const std::string& comment); /** - * Register a Broxygen comment ("##<") for the last identifier seen. - * @param comment Content of the Broxygen comment. + * Register a Zeexygen comment ("##<") for the last identifier seen. + * @param comment Content of the Zeexygen comment. * @param identifier_hint Expected name of identifier with which to * associate \a comment. */ @@ -197,11 +197,11 @@ public: { return packages.GetInfo(name); } /** - * Check if a Broxygen target is up-to-date. - * @param target_file output file of a Broxygen target. + * Check if a Zeexygen target is up-to-date. + * @param target_file output file of a Zeexygen target. * @param dependencies all dependencies of the target. * @return true if modification time of \a target_file is newer than - * modification time of Bro binary, Broxygen config file, and all + * modification time of Bro binary, Zeexygen config file, and all * dependencies, else false. */ template 
@@ -241,7 +241,7 @@ bool Manager::IsUpToDate(const string& target_file, // Doesn't exist. return false; - reporter->InternalError("Broxygen failed to stat target file '%s': %s", + reporter->InternalError("Zeexygen failed to stat target file '%s': %s", target_file.c_str(), strerror(errno)); } @@ -258,8 +258,8 @@ bool Manager::IsUpToDate(const string& target_file, return true; } -} // namespace broxygen +} // namespace zeexygen -extern broxygen::Manager* broxygen_mgr; +extern zeexygen::Manager* zeexygen_mgr; #endif diff --git a/src/broxygen/PackageInfo.cc b/src/zeexygen/PackageInfo.cc similarity index 85% rename from src/broxygen/PackageInfo.cc rename to src/zeexygen/PackageInfo.cc index 1cbff5a07f..1fd607fd08 100644 --- a/src/broxygen/PackageInfo.cc +++ b/src/zeexygen/PackageInfo.cc @@ -9,7 +9,7 @@ #include using namespace std; -using namespace broxygen; +using namespace zeexygen; PackageInfo::PackageInfo(const string& arg_name) : Info(), @@ -23,7 +23,7 @@ PackageInfo::PackageInfo(const string& arg_name) ifstream f(readme_file.c_str()); if ( ! f.is_open() ) - reporter->InternalWarning("Broxygen failed to open '%s': %s", + reporter->InternalWarning("Zeexygen failed to open '%s': %s", readme_file.c_str(), strerror(errno)); string line; @@ -32,7 +32,7 @@ PackageInfo::PackageInfo(const string& arg_name) readme.push_back(line); if ( f.bad() ) - reporter->InternalWarning("Broxygen error reading '%s': %s", + reporter->InternalWarning("Zeexygen error reading '%s': %s", readme_file.c_str(), strerror(errno)); } @@ -54,5 +54,5 @@ time_t PackageInfo::DoGetModificationTime() const if ( readme_file.empty() ) return 0; - return broxygen::get_mtime(readme_file); + return zeexygen::get_mtime(readme_file); } diff --git a/src/broxygen/PackageInfo.h b/src/zeexygen/PackageInfo.h similarity index 89% rename from src/broxygen/PackageInfo.h rename to src/zeexygen/PackageInfo.h index 967bbe3443..977f31fece 100644 --- a/src/broxygen/PackageInfo.h +++ b/src/zeexygen/PackageInfo.h 
@@ -1,14 +1,14 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_PACKAGEINFO_H -#define BROXYGEN_PACKAGEINFO_H +#ifndef ZEEXYGEN_PACKAGEINFO_H +#define ZEEXYGEN_PACKAGEINFO_H #include "Info.h" #include #include -namespace broxygen { +namespace zeexygen { /** * Information about a Bro script package. @@ -45,6 +45,6 @@ private: std::vector readme; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/ReStructuredTextTable.cc b/src/zeexygen/ReStructuredTextTable.cc similarity index 98% rename from src/broxygen/ReStructuredTextTable.cc rename to src/zeexygen/ReStructuredTextTable.cc index 2cdb774224..c8306313e5 100644 --- a/src/broxygen/ReStructuredTextTable.cc +++ b/src/zeexygen/ReStructuredTextTable.cc @@ -5,7 +5,7 @@ #include using namespace std; -using namespace broxygen; +using namespace zeexygen; ReStructuredTextTable::ReStructuredTextTable(size_t arg_num_cols) : num_cols(arg_num_cols), rows(), longest_row_in_column() diff --git a/src/broxygen/ReStructuredTextTable.h b/src/zeexygen/ReStructuredTextTable.h similarity index 92% rename from src/broxygen/ReStructuredTextTable.h rename to src/zeexygen/ReStructuredTextTable.h index 34cc30c332..9a4059ca83 100644 --- a/src/broxygen/ReStructuredTextTable.h +++ b/src/zeexygen/ReStructuredTextTable.h @@ -1,12 +1,12 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_RESTTABLE_H -#define BROXYGEN_RESTTABLE_H +#ifndef ZEEXYGEN_RESTTABLE_H +#define ZEEXYGEN_RESTTABLE_H #include #include -namespace broxygen { +namespace zeexygen { /** * A reST table with arbitrary number of columns. @@ -48,6 +48,6 @@ private: std::vector longest_row_in_column; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/ScriptInfo.cc b/src/zeexygen/ScriptInfo.cc similarity index 82% rename from src/broxygen/ScriptInfo.cc rename to src/zeexygen/ScriptInfo.cc index a32d96cdd5..47769c615a 100644 
--- a/src/broxygen/ScriptInfo.cc +++ b/src/zeexygen/ScriptInfo.cc @@ -10,7 +10,7 @@ #include "Desc.h" using namespace std; -using namespace broxygen; +using namespace zeexygen; bool IdInfoComp::operator ()(const IdentifierInfo* lhs, const IdentifierInfo* rhs) const @@ -24,11 +24,11 @@ static vector summary_comment(const vector& cmnts) for ( size_t i = 0; i < cmnts.size(); ++i ) { - size_t end = broxygen::end_of_first_sentence(cmnts[i]); + size_t end = zeexygen::end_of_first_sentence(cmnts[i]); if ( end == string::npos ) { - if ( broxygen::is_all_whitespace(cmnts[i]) ) + if ( zeexygen::is_all_whitespace(cmnts[i]) ) break; rval.push_back(cmnts[i]); @@ -86,7 +86,7 @@ static string make_summary(const string& heading, char underline, char border, add_summary_rows(d, summary_comment((*it)->GetComments()), &table); } - return broxygen::make_heading(heading, underline) + table.AsString(border) + return zeexygen::make_heading(heading, underline) + table.AsString(border) + "\n"; } @@ -115,7 +115,7 @@ static string make_redef_summary(const string& heading, char underline, add_summary_rows(d, summary_comment(iit->comments), &table); } - return broxygen::make_heading(heading, underline) + table.AsString(border) + return zeexygen::make_heading(heading, underline) + table.AsString(border) + "\n"; } @@ -125,7 +125,7 @@ static string make_details(const string& heading, char underline, if ( id_list.empty() ) return ""; - string rval = broxygen::make_heading(heading, underline); + string rval = zeexygen::make_heading(heading, underline); for ( id_info_list::const_iterator it = id_list.begin(); it != id_list.end(); ++it ) @@ -143,7 +143,7 @@ static string make_redef_details(const string& heading, char underline, if ( id_set.empty() ) return ""; - string rval = broxygen::make_heading(heading, underline); + string rval = zeexygen::make_heading(heading, underline); for ( id_info_set::const_iterator it = id_set.begin(); it != id_set.end(); ++it ) 
@@ -158,7 +158,7 @@ static string make_redef_details(const string& heading, char underline, ScriptInfo::ScriptInfo(const string& arg_name, const string& arg_path) : Info(), name(arg_name), path(arg_path), - is_pkg_loader(SafeBasename(name).result == PACKAGE_LOADER), + is_pkg_loader(is_package_loader(name)), dependencies(), module_usages(), comments(), id_info(), redef_options(), constants(), state_vars(), types(), events(), hooks(), functions(), redefs() @@ -178,13 +178,13 @@ void ScriptInfo::DoInitPostScript() IdentifierInfo* info = it->second; ID* id = info->GetID(); - if ( ! broxygen::is_public_api(id) ) + if ( ! zeexygen::is_public_api(id) ) continue; if ( id->AsType() ) { types.push_back(info); - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a type", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a type", id->Name(), name.c_str()); continue; } @@ -193,17 +193,17 @@ void ScriptInfo::DoInitPostScript() { switch ( id->Type()->AsFuncType()->Flavor() ) { case FUNC_FLAVOR_HOOK: - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a hook", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a hook", id->Name(), name.c_str()); hooks.push_back(info); break; case FUNC_FLAVOR_EVENT: - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a event", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a event", id->Name(), name.c_str()); events.push_back(info); break; case FUNC_FLAVOR_FUNCTION: - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a function", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a function", id->Name(), name.c_str()); functions.push_back(info); break; 
@@ -219,13 +219,13 @@ void ScriptInfo::DoInitPostScript() { if ( id->FindAttr(ATTR_REDEF) ) { - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a redef_option", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a redef_option", id->Name(), name.c_str()); redef_options.push_back(info); } else { - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a constant", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a constant", id->Name(), name.c_str()); constants.push_back(info); } @@ -234,7 +234,7 @@ void ScriptInfo::DoInitPostScript() } else if ( id->IsOption() ) { - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as an runtime option", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as an runtime option", id->Name(), name.c_str()); options.push_back(info); @@ -246,19 +246,19 @@ void ScriptInfo::DoInitPostScript() // documentation. continue; - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a state variable", + DBG_LOG(DBG_ZEEXYGEN, "Filter id '%s' in '%s' as a state variable", id->Name(), name.c_str()); state_vars.push_back(info); } // The following enum types are automatically created internally in Bro, // so just manually associating them with scripts for now. - if ( name == "base/frameworks/input/main.bro" ) + if ( name == "base/frameworks/input/main.zeek" ) { auto id = global_scope()->Lookup("Input::Reader"); types.push_back(new IdentifierInfo(id, this)); } - else if ( name == "base/frameworks/logging/main.bro" ) + else if ( name == "base/frameworks/logging/main.zeek" ) { auto id = global_scope()->Lookup("Log::Writer"); types.push_back(new IdentifierInfo(id, this)); 
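Review bot: The two hard-coded script names in the last hunk now match only the `.zeek` spelling (`base/frameworks/input/main.zeek`, `base/frameworks/logging/main.zeek`), while elsewhere in this commit (the `script_extensions` loop in DoGetModificationTime) the extension is treated as variable. If `name` can still arrive with a `.bro` suffix during the transition, the internally-created `Input::Reader`/`Log::Writer` types would silently stop being associated with their scripts, with no warning emitted. Comparing on an extension-stripped name, or iterating `script_extensions` as the other hunk does, would keep the two consistent. DoInitPostScript continues outside the hunk.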
@@ -275,11 +275,11 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const string rval; rval += ":tocdepth: 3\n\n"; - rval += broxygen::make_heading(name, '='); + rval += zeexygen::make_heading(name, '='); for ( string_set::const_iterator it = module_usages.begin(); it != module_usages.end(); ++it ) - rval += ".. bro:namespace:: " + *it + "\n"; + rval += ".. zeek:namespace:: " + *it + "\n"; rval += "\n"; @@ -314,7 +314,7 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const if ( it != dependencies.begin() ) rval += ", "; - string path = find_file(*it, bro_path(), "bro"); + string path = find_script_file(*it, bro_path()); string doc = *it; if ( ! path.empty() && is_dir(path.c_str()) ) @@ -329,7 +329,7 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const //rval += fmt(":Source File: :download:`/scripts/%s`\n", name.c_str()); rval += "\n"; - rval += broxygen::make_heading("Summary", '~'); + rval += zeexygen::make_heading("Summary", '~'); rval += make_summary("Runtime Options", '#', '=', options); rval += make_summary("Redefinable Options", '#', '=', redef_options); rval += make_summary("Constants", '#', '=', constants); @@ -340,7 +340,7 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const rval += make_summary("Hooks", '#', '=', hooks); rval += make_summary("Functions", '#', '=', functions); rval += "\n"; - rval += broxygen::make_heading("Detailed Interface", '~'); + rval += zeexygen::make_heading("Detailed Interface", '~'); rval += make_details("Runtime Options", '#', options); rval += make_details("Redefinable Options", '#', redef_options); rval += make_details("Constants", '#', constants); 
@@ -356,20 +356,25 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const time_t ScriptInfo::DoGetModificationTime() const { - time_t most_recent = broxygen::get_mtime(path); + time_t most_recent = zeexygen::get_mtime(path); for ( string_set::const_iterator it = dependencies.begin(); it != dependencies.end(); ++it ) { - Info* info = broxygen_mgr->GetScriptInfo(*it); + Info* info = zeexygen_mgr->GetScriptInfo(*it); if ( ! info ) { - string pkg_name = *it + "/" + PACKAGE_LOADER; - info = broxygen_mgr->GetScriptInfo(pkg_name); + for (const string& ext : script_extensions) + { + string pkg_name = *it + "/__load__" + ext; + info = zeexygen_mgr->GetScriptInfo(pkg_name); + if ( info ) + break; + } if ( ! info ) - reporter->InternalWarning("Broxygen failed to get mtime of %s", + reporter->InternalWarning("Zeexygen failed to get mtime of %s", it->c_str()); continue; } diff --git a/src/broxygen/ScriptInfo.h b/src/zeexygen/ScriptInfo.h similarity index 92% rename from src/broxygen/ScriptInfo.h rename to src/zeexygen/ScriptInfo.h index d7328ef7c8..fb0f0c15ae 100644 --- a/src/broxygen/ScriptInfo.h +++ b/src/zeexygen/ScriptInfo.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_SCRIPTINFO_H -#define BROXYGEN_SCRIPTINFO_H +#ifndef ZEEXYGEN_SCRIPTINFO_H +#define ZEEXYGEN_SCRIPTINFO_H #include "Info.h" #include "IdentifierInfo.h" @@ -12,7 +12,7 @@ #include #include -namespace broxygen { +namespace zeexygen { class IdentifierInfo; @@ -39,7 +39,7 @@ public: ScriptInfo(const std::string& name, const std::string& path); /** - * Associate a Broxygen summary comment ("##!") with the script. + * Associate a Zeexygen summary comment ("##!") with the script. * @param comment String extracted from the comment. */ void AddComment(const std::string& comment) 
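Review bot: The new loop in DoGetModificationTime hard-codes the `"__load__"` stem, duplicating the package-loader naming that the `is_package_loader(...)` helper this commit introduces (see the ScriptInfo constructor hunk) already encapsulates; keeping the stem in one place would stop the two from drifting. The line `for (const string& ext : script_extensions)` also departs from the file's `for ( ... )` spacing used two lines above; `for ( const string& ext : script_extensions )` matches it. `script_extensions` presumably holds extensions with their leading dot, since it is concatenated straight after `__load__` — worth confirming, as a missing dot would make every lookup fail and surface only as the InternalWarning. The enclosing function continues outside the hunk.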
@@ -77,13 +77,13 @@ public: { redefs.insert(info); } /** - * @return Whether the script is a package loader (i.e. "__load__.bro"). + * @return Whether the script is a package loader (i.e. "__load__.zeek"). */ bool IsPkgLoader() const { return is_pkg_loader; } /** - * @return All the scripts Broxygen summary comments. + * @return All the scripts Zeexygen summary comments. */ std::vector GetComments() const; @@ -119,6 +119,6 @@ private: id_info_set redefs; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/Target.cc b/src/zeexygen/Target.cc similarity index 89% rename from src/broxygen/Target.cc rename to src/zeexygen/Target.cc index dba0d67d6c..406f6ffe4d 100644 --- a/src/broxygen/Target.cc +++ b/src/zeexygen/Target.cc @@ -16,7 +16,7 @@ #include using namespace std; -using namespace broxygen; +using namespace zeexygen; static void write_plugin_section_heading(FILE* f, const plugin::Plugin* p) { @@ -38,7 +38,7 @@ static void write_analyzer_component(FILE* f, const analyzer::Component* c) if ( atag->Lookup("Analyzer", tag.c_str()) < 0 ) reporter->InternalError("missing analyzer tag for %s", tag.c_str()); - fprintf(f, ":bro:enum:`Analyzer::%s`\n\n", tag.c_str()); + fprintf(f, ":zeek:enum:`Analyzer::%s`\n\n", tag.c_str()); } static void write_analyzer_component(FILE* f, const file_analysis::Component* c) @@ -49,7 +49,7 @@ static void write_analyzer_component(FILE* f, const file_analysis::Component* c) if ( atag->Lookup("Files", tag.c_str()) < 0 ) reporter->InternalError("missing analyzer tag for %s", tag.c_str()); - fprintf(f, ":bro:enum:`Files::%s`\n\n", tag.c_str()); + fprintf(f, ":zeek:enum:`Files::%s`\n\n", tag.c_str()); } static void write_plugin_components(FILE* f, const plugin::Plugin* p) 
@@ -123,13 +123,13 @@ static void write_plugin_bif_items(FILE* f, const plugin::Plugin* p, for ( it = bifitems.begin(); it != bifitems.end(); ++it ) { - broxygen::IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo( + zeexygen::IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo( it->GetID()); if ( doc ) fprintf(f, "%s\n\n", doc->ReStructuredText().c_str()); else - reporter->InternalWarning("Broxygen ID lookup failed: %s\n", + reporter->InternalWarning("Zeexygen ID lookup failed: %s\n", it->GetID().c_str()); } } @@ -138,10 +138,10 @@ static void WriteAnalyzerTagDefn(FILE* f, const string& module) { string tag_id = module + "::Tag"; - broxygen::IdentifierInfo* doc = broxygen_mgr->GetIdentifierInfo(tag_id); + zeexygen::IdentifierInfo* doc = zeexygen_mgr->GetIdentifierInfo(tag_id); if ( ! doc ) - reporter->InternalError("Broxygen failed analyzer tag lookup: %s", + reporter->InternalError("Zeexygen failed analyzer tag lookup: %s", tag_id.c_str()); fprintf(f, "%s\n", doc->ReStructuredText().c_str()); @@ -177,7 +177,7 @@ static vector filter_matches(const vector& from, Target* t) if ( t->MatchesPattern(d) ) { - DBG_LOG(DBG_BROXYGEN, "'%s' matched pattern for target '%s'", + DBG_LOG(DBG_ZEEXYGEN, "'%s' matched pattern for target '%s'", d->Name().c_str(), t->Name().c_str()); rval.push_back(d); } @@ -194,14 +194,14 @@ TargetFile::TargetFile(const string& arg_name) string dir = SafeDirname(name).result; if ( ! ensure_intermediate_dirs(dir.c_str()) ) - reporter->FatalError("Broxygen failed to make dir %s", + reporter->FatalError("Zeexygen failed to make dir %s", dir.c_str()); } f = fopen(name.c_str(), "w"); if ( ! f ) - reporter->FatalError("Broxygen failed to open '%s' for writing: %s", + reporter->FatalError("Zeexygen failed to open '%s' for writing: %s", name.c_str(), strerror(errno)); } 
@@ -210,7 +210,7 @@ TargetFile::~TargetFile() if ( f ) fclose(f); - DBG_LOG(DBG_BROXYGEN, "Wrote out-of-date target '%s'", name.c_str()); + DBG_LOG(DBG_ZEEXYGEN, "Wrote out-of-date target '%s'", name.c_str()); } @@ -245,11 +245,11 @@ void AnalyzerTarget::DoFindDependencies(const std::vector& infos) void AnalyzerTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), vector()) ) + if ( zeexygen_mgr->IsUpToDate(Name(), vector()) ) return; if ( Pattern() != "*" ) - reporter->InternalWarning("Broxygen only implements analyzer target" + reporter->InternalWarning("Zeexygen only implements analyzer target" " pattern '*'"); TargetFile file(Name()); @@ -313,7 +313,7 @@ void PackageTarget::DoFindDependencies(const vector& infos) pkg_deps = filter_matches(infos, this); if ( pkg_deps.empty() ) - reporter->FatalError("No match for Broxygen target '%s' pattern '%s'", + reporter->FatalError("No match for Zeexygen target '%s' pattern '%s'", Name().c_str(), Pattern().c_str()); for ( size_t i = 0; i < infos.size(); ++i ) @@ -329,7 +329,7 @@ void PackageTarget::DoFindDependencies(const vector& infos) pkg_deps[j]->Name().size())) continue; - DBG_LOG(DBG_BROXYGEN, "Script %s associated with package %s", + DBG_LOG(DBG_ZEEXYGEN, "Script %s associated with package %s", script->Name().c_str(), pkg_deps[j]->Name().c_str()); pkg_manifest[pkg_deps[j]].push_back(script); script_deps.push_back(script); @@ -339,8 +339,8 @@ void PackageTarget::DoFindDependencies(const vector& infos) void PackageTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), script_deps) && - broxygen_mgr->IsUpToDate(Name(), pkg_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), script_deps) && + zeexygen_mgr->IsUpToDate(Name(), pkg_deps) ) return; TargetFile file(Name()); 
@@ -382,13 +382,13 @@ void PackageIndexTarget::DoFindDependencies(const vector& infos) pkg_deps = filter_matches(infos, this); if ( pkg_deps.empty() ) - reporter->FatalError("No match for Broxygen target '%s' pattern '%s'", + reporter->FatalError("No match for Zeexygen target '%s' pattern '%s'", Name().c_str(), Pattern().c_str()); } void PackageIndexTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), pkg_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), pkg_deps) ) return; TargetFile file(Name()); @@ -402,7 +402,7 @@ void ScriptTarget::DoFindDependencies(const vector& infos) script_deps = filter_matches(infos, this); if ( script_deps.empty() ) - reporter->FatalError("No match for Broxygen target '%s' pattern '%s'", + reporter->FatalError("No match for Zeexygen target '%s' pattern '%s'", Name().c_str(), Pattern().c_str()); if ( ! IsDir() ) @@ -410,7 +410,7 @@ void ScriptTarget::DoFindDependencies(const vector& infos) for ( size_t i = 0; i < script_deps.size(); ++i ) { - if ( SafeBasename(script_deps[i]->Name()).result == PACKAGE_LOADER ) + if ( is_package_loader(script_deps[i]->Name()) ) { string pkg_dir = SafeDirname(script_deps[i]->Name()).result; string target_file = Name() + pkg_dir + "/index.rst"; @@ -483,7 +483,7 @@ void ScriptTarget::DoGenerate() const vector dep; dep.push_back(script_deps[i]); - if ( broxygen_mgr->IsUpToDate(target_filename, dep) ) + if ( zeexygen_mgr->IsUpToDate(target_filename, dep) ) continue; TargetFile file(target_filename); @@ -508,7 +508,7 @@ void ScriptTarget::DoGenerate() const reporter->Warning("Failed to unlink %s: %s", f.c_str(), strerror(errno)); - DBG_LOG(DBG_BROXYGEN, "Delete stale script file %s", f.c_str()); + DBG_LOG(DBG_ZEEXYGEN, "Delete stale script file %s", f.c_str()); } return; 
@@ -516,7 +516,7 @@ void ScriptTarget::DoGenerate() const // Target is a single file, all matching scripts get written there. - if ( broxygen_mgr->IsUpToDate(Name(), script_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), script_deps) ) return; TargetFile file(Name()); @@ -527,7 +527,7 @@ void ScriptTarget::DoGenerate() const void ScriptSummaryTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), script_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), script_deps) ) return; TargetFile file(Name()); @@ -552,7 +552,7 @@ void ScriptSummaryTarget::DoGenerate() const void ScriptIndexTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), script_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), script_deps) ) return; TargetFile file(Name()); @@ -577,13 +577,13 @@ void IdentifierTarget::DoFindDependencies(const vector& infos) id_deps = filter_matches(infos, this); if ( id_deps.empty() ) - reporter->FatalError("No match for Broxygen target '%s' pattern '%s'", + reporter->FatalError("No match for Zeexygen target '%s' pattern '%s'", Name().c_str(), Pattern().c_str()); } void IdentifierTarget::DoGenerate() const { - if ( broxygen_mgr->IsUpToDate(Name(), id_deps) ) + if ( zeexygen_mgr->IsUpToDate(Name(), id_deps) ) return; TargetFile file(Name()); diff --git a/src/broxygen/Target.h b/src/zeexygen/Target.h similarity index 95% rename from src/broxygen/Target.h rename to src/zeexygen/Target.h index 9a5a23107c..ef3c8b2e00 100644 --- a/src/broxygen/Target.h +++ b/src/zeexygen/Target.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_TARGET_H -#define BROXYGEN_TARGET_H +#ifndef ZEEXYGEN_TARGET_H +#define ZEEXYGEN_TARGET_H #include "Info.h" #include "PackageInfo.h" @@ -13,7 +13,7 @@ #include #include -namespace broxygen { +namespace zeexygen { /** * Helper class to create files in arbitrary file paths and automatically 
@@ -39,9 +39,9 @@ struct TargetFile { }; /** - * A Broxygen target abstract base class. A target is generally any portion of + * A Zeexygen target abstract base class. A target is generally any portion of * documentation that Bro can build. It's identified by a type (e.g. script, - * identifier, package), a pattern (e.g. "example.bro", "HTTP::Info"), and + * identifier, package), a pattern (e.g. "example.zeek", "HTTP::Info"), and * a path to an output file. */ class Target { @@ -125,7 +125,7 @@ public: /** * Register a new target type. - * @param type_name The target type name as it will appear in Broxygen + * @param type_name The target type name as it will appear in Zeexygen * config files. */ template @@ -136,7 +136,7 @@ public: /** * Instantiate a target. - * @param type_name The target type name as it appears in Broxygen config + * @param type_name The target type name as it appears in Zeexygen config * files. * @param name The output file name of the target. * @param pattern The dependency pattern of the target. @@ -384,6 +384,6 @@ private: std::vector id_deps; }; -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/utils.cc b/src/zeexygen/utils.cc similarity index 83% rename from src/broxygen/utils.cc rename to src/zeexygen/utils.cc index 93f822b846..5cf76c1af6 100644 --- a/src/broxygen/utils.cc +++ b/src/zeexygen/utils.cc @@ -7,10 +7,10 @@ #include #include -using namespace broxygen; +using namespace zeexygen; using namespace std; -bool broxygen::prettify_params(string& s) +bool zeexygen::prettify_params(string& s) { size_t identifier_start_pos = 0; bool in_identifier = false; 
@@ -76,29 +76,29 @@ bool broxygen::prettify_params(string& s) return false; } -bool broxygen::is_public_api(const ID* id) +bool zeexygen::is_public_api(const ID* id) { return (id->Scope() == SCOPE_GLOBAL) || (id->Scope() == SCOPE_MODULE && id->IsExport()); } -time_t broxygen::get_mtime(const string& filename) +time_t zeexygen::get_mtime(const string& filename) { struct stat s; if ( stat(filename.c_str(), &s) < 0 ) - reporter->InternalError("Broxygen failed to stat file '%s': %s", + reporter->InternalError("Zeexygen failed to stat file '%s': %s", filename.c_str(), strerror(errno)); return s.st_mtime; } -string broxygen::make_heading(const string& heading, char underline) +string zeexygen::make_heading(const string& heading, char underline) { return heading + "\n" + string(heading.size(), underline) + "\n"; } -size_t broxygen::end_of_first_sentence(const string& s) +size_t zeexygen::end_of_first_sentence(const string& s) { size_t rval = 0; @@ -119,7 +119,7 @@ size_t broxygen::end_of_first_sentence(const string& s) return rval; } -bool broxygen::is_all_whitespace(const string& s) +bool zeexygen::is_all_whitespace(const string& s) { for ( size_t i = 0; i < s.size(); ++i ) if ( ! isspace(s[i]) ) @@ -128,7 +128,7 @@ bool broxygen::is_all_whitespace(const string& s) return true; } -string broxygen::redef_indication(const string& from_script) +string zeexygen::redef_indication(const string& from_script) { return fmt("(present if :doc:`/scripts/%s` is loaded)", from_script.c_str()); diff --git a/src/broxygen/utils.h b/src/zeexygen/utils.h similarity index 88% rename from src/broxygen/utils.h rename to src/zeexygen/utils.h index 7e11019a3d..b9a99a71f7 100644 --- a/src/broxygen/utils.h +++ b/src/zeexygen/utils.h 
@@ -1,18 +1,18 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef BROXYGEN_UTILS_H -#define BROXYGEN_UTILS_H +#ifndef ZEEXYGEN_UTILS_H +#define ZEEXYGEN_UTILS_H #include "ID.h" #include -namespace broxygen { +namespace zeexygen { /** - * Transform content of a Broxygen comment which may contain function + * Transform content of a Zeexygen comment which may contain function * parameter or return value documentation to a prettier reST format. - * @param s Content from a Broxygen comment to transform. "id: ..." and + * @param s Content from a Zeexygen comment to transform. "id: ..." and * "Returns: ..." change to ":id: ..." and ":returns: ...". * @return Whether any content in \a s was transformed. */ @@ -62,6 +62,6 @@ bool is_all_whitespace(const std::string& s); */ std::string redef_indication(const std::string& from_script); -} // namespace broxygen +} // namespace zeexygen #endif diff --git a/src/broxygen/broxygen.bif b/src/zeexygen/zeexygen.bif similarity index 80% rename from src/broxygen/broxygen.bif rename to src/zeexygen/zeexygen.bif index d1b3028edc..f7ce04d292 100644 --- a/src/broxygen/broxygen.bif +++ b/src/zeexygen/zeexygen.bif @@ -3,7 +3,7 @@ ##! Functions for querying script, package, or variable documentation. %%{ -#include "broxygen/Manager.h" +#include "zeexygen/Manager.h" #include "util.h" static StringVal* comments_to_val(const vector& comments) @@ -12,7 +12,7 @@ static StringVal* comments_to_val(const vector& comments) } %%} -## Retrieve the Broxygen-style comments (``##``) associated with an identifier +## Retrieve the Zeexygen-style comments (``##``) associated with an identifier ## (e.g. a variable or type). ## ## name: a script-level identifier for which to retrieve comments. 
@@ -21,8 +21,8 @@ static StringVal* comments_to_val(const vector& comments) ## identifier, an empty string is returned. function get_identifier_comments%(name: string%): string %{ - using namespace broxygen; - IdentifierInfo* d = broxygen_mgr->GetIdentifierInfo(name->CheckString()); + using namespace zeexygen; + IdentifierInfo* d = zeexygen_mgr->GetIdentifierInfo(name->CheckString()); if ( ! d ) return val_mgr->GetEmptyString(); @@ -30,19 +30,19 @@ function get_identifier_comments%(name: string%): string return comments_to_val(d->GetComments()); %} -## Retrieve the Broxygen-style summary comments (``##!``) associated with +## Retrieve the Zeexygen-style summary comments (``##!``) associated with ## a Bro script. ## ## name: the name of a Bro script. It must be a relative path to where ## it is located within a particular component of BROPATH and use -## the same file name extension/suffix as the actual file (e.g. ".bro"). +## the same file name extension/suffix as the actual file (e.g. ".zeek"). ## ## Returns: summary comments associated with script with *name*. If ## *name* is not a known script, an empty string is returned. function get_script_comments%(name: string%): string %{ - using namespace broxygen; - ScriptInfo* d = broxygen_mgr->GetScriptInfo(name->CheckString()); + using namespace zeexygen; + ScriptInfo* d = zeexygen_mgr->GetScriptInfo(name->CheckString()); if ( ! d ) return val_mgr->GetEmptyString(); @@ -59,8 +59,8 @@ function get_script_comments%(name: string%): string ## package, an empty string is returned. function get_package_readme%(name: string%): string %{ - using namespace broxygen; - PackageInfo* d = broxygen_mgr->GetPackageInfo(name->CheckString()); + using namespace zeexygen; + PackageInfo* d = zeexygen_mgr->GetPackageInfo(name->CheckString()); if ( ! d ) return val_mgr->GetEmptyString(); 
@@ -68,7 +68,7 @@ function get_package_readme%(name: string%): string return comments_to_val(d->GetReadme()); %} -## Retrieve the Broxygen-style comments (``##``) associated with a record field. +## Retrieve the Zeexygen-style comments (``##``) associated with a record field. ## ## name: the name of a record type and a field within it formatted like ## a typical record field access: "$". @@ -78,7 +78,7 @@ function get_package_readme%(name: string%): string ## type, an empty string is returned. function get_record_field_comments%(name: string%): string %{ - using namespace broxygen; + using namespace zeexygen; string accessor = name->CheckString(); size_t i = accessor.find('$'); @@ -87,7 +87,7 @@ function get_record_field_comments%(name: string%): string string id = accessor.substr(0, i); - IdentifierInfo* d = broxygen_mgr->GetIdentifierInfo(id); + IdentifierInfo* d = zeexygen_mgr->GetIdentifierInfo(id); if ( ! d ) return val_mgr->GetEmptyString(); diff --git a/testing/btest/Baseline/bifs.global_sizes/out b/testing/btest/Baseline/bifs.global_sizes/out index 76c40b297a..fe0e737de0 100644 --- a/testing/btest/Baseline/bifs.global_sizes/out +++ b/testing/btest/Baseline/bifs.global_sizes/out @@ -1 +1 @@ -found bro_init +found zeek_init diff --git a/testing/btest/Baseline/bifs.safe_shell_quote/out b/testing/btest/Baseline/bifs.safe_shell_quote/out new file mode 100644 index 0000000000..33e291680c --- /dev/null +++ b/testing/btest/Baseline/bifs.safe_shell_quote/out @@ -0,0 +1,2 @@ +echo `pwd` ${TEST} > "my file"; echo -e "\n" +"echo \`pwd\` \${TEST} > \"my file\"; echo -e \"\\n\"" diff --git a/testing/btest/Baseline/bifs.to_double_from_string/error b/testing/btest/Baseline/bifs.to_double_from_string/error index d6c6c0c75b..ed0ae3a1f9 100644 --- a/testing/btest/Baseline/bifs.to_double_from_string/error +++ b/testing/btest/Baseline/bifs.to_double_from_string/error 
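Review bot: The new `bifs.safe_shell_quote/out` baseline pins escaping of the four characters that are special inside POSIX double quotes (backtick, `$`, `"`, `\`), which is the correct set, but the single fixture contains no embedded newline and no empty input, so the baseline does not pin how `safe_shell_quote` renders those cases and a regression there would pass this test. The test script that produces this output is not in the diff, so it cannot be seen here whether those inputs are exercised elsewhere; adding one expected line for each would make the contract visible in the baseline itself.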
@@ -1,2 +1,2 @@
-error in /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.bro, line 7 and /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.bro, line 15: bad conversion to double (to_double(d) and NotADouble)
-error in /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.bro, line 7 and /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.bro, line 16: bad conversion to double (to_double(d) and )
+error in /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.zeek, line 7 and /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.zeek, line 15: bad conversion to double (to_double(d) and NotADouble)
+error in /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.zeek, line 7 and /da/home/robin/bro/master/testing/btest/.tmp/bifs.to_double_from_string/to_double_from_string.zeek, line 16: bad conversion to double (to_double(d) and )
diff --git a/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log b/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log
index 9da1a8d3ba..ee45663170 100644
--- a/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log
+++ b/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log
@@ -6,5 +6,5 @@
 #open 2012-04-05-21-56-51
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
 #types time string addr port addr port string string bool string
-1333663011.602839 - - - - - unknown_protocol_135 - F bro
+1333663011.602839 - - - - - unknown_protocol - F bro
 #close 2012-04-05-21-56-51
diff --git a/testing/btest/Baseline/core.div-by-zero/out b/testing/btest/Baseline/core.div-by-zero/out
index dca1894e32..702d00c156 100644
--- a/testing/btest/Baseline/core.div-by-zero/out
+++ b/testing/btest/Baseline/core.div-by-zero/out
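Review bot: The new weird.log baseline drops the IP protocol number from the record entirely: the old name `unknown_protocol_135` carried it, the new name is the bare `unknown_protocol`, and the `addl` column on the same line is still `-`. For an analyst triaging weird.log that number is the only thing that says which unknown transport was seen, so if the core change (not in this diff) collapsed the per-protocol names on purpose, the number should be emitted in `addl`, giving a baseline line like `1333663011.602839 - - - - - unknown_protocol 135 F bro`. If the number was dropped unintentionally, the baseline is masking a regression rather than documenting a new format.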
@@ -1,5 +1,5 @@
-expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.bro, line 6: division by zero (a / b)
-expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.bro, line 11: division by zero (a / b)
-expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.bro, line 16: division by zero (a / b)
-expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.bro, line 21: modulo by zero (a % b)
-expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.bro, line 26: modulo by zero (a % b)
+expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.zeek, line 6: division by zero (a / b)
+expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.zeek, line 11: division by zero (a / b)
+expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.zeek, line 16: division by zero (a / b)
+expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.zeek, line 21: modulo by zero (a % b)
+expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.div-by-zero/div-by-zero.zeek, line 26: modulo by zero (a % b)
diff --git a/testing/btest/Baseline/core.expr-exception/reporter.log b/testing/btest/Baseline/core.expr-exception/reporter.log
index f546142dca..e2e1a4103f 100644
--- a/testing/btest/Baseline/core.expr-exception/reporter.log
+++ b/testing/btest/Baseline/core.expr-exception/reporter.log
@@ -6,13 +6,13 @@
 #open 2011-03-18-19-06-08
 #fields ts level message location
 #types time enum string string
-1300475168.783842 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10
-1300475168.915940 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10
-1300475168.916118 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10
-1300475168.918295 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10
-1300475168.952193 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10
-1300475168.952228 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10
-1300475168.954761 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10
-1300475168.962628 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10
-1300475169.780331 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10
+1300475168.783842 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10
+1300475168.915940 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10
+1300475168.916118 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10
+1300475168.918295 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10
+1300475168.952193 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10
+1300475168.952228 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10
+1300475168.954761 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10
+1300475168.962628 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10
+1300475169.780331 Reporter::ERROR field value missing (c$ftp) /da/home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.zeek, line 10
 #close 2011-03-18-19-06-13
diff --git a/testing/btest/Baseline/core.init-error/out b/testing/btest/Baseline/core.init-error/out
index 50aea70a75..3079bdfcbd 100644
--- a/testing/btest/Baseline/core.init-error/out
+++ b/testing/btest/Baseline/core.init-error/out
@@ -1,4 +1,4 @@
-expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/core.init-error/init-error.bro, line 15: no such index (v[10])
+expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/core.init-error/init-error.zeek, line 15: no such index (v[10])
 fatal error: errors occurred while initializing
 1st event
 2nd event
diff --git a/testing/btest/Baseline/core.load-explicit-bro-suffix-fallback/out b/testing/btest/Baseline/core.load-explicit-bro-suffix-fallback/out
new file mode 100644
index 0000000000..c67eefbfc1
--- /dev/null
+++ b/testing/btest/Baseline/core.load-explicit-bro-suffix-fallback/out
@@ -0,0 +1 @@
+loaded foo.zeek
diff --git a/testing/btest/Baseline/core.load-file-extension/bro_only b/testing/btest/Baseline/core.load-file-extension/bro_only
new file mode 100644
index 0000000000..bb2333014b
--- /dev/null
+++ b/testing/btest/Baseline/core.load-file-extension/bro_only
@@ -0,0 +1 @@
+Bro script loaded
diff --git a/testing/btest/Baseline/core.load-file-extension/bro_preferred b/testing/btest/Baseline/core.load-file-extension/bro_preferred
new file mode 100644
index 0000000000..bb2333014b
--- /dev/null
+++ b/testing/btest/Baseline/core.load-file-extension/bro_preferred
@@ -0,0 +1 @@
+Bro script loaded
diff --git a/testing/btest/Baseline/core.load-file-extension/bro_preferred_2 b/testing/btest/Baseline/core.load-file-extension/bro_preferred_2
new file mode 100644
index 0000000000..bb2333014b
--- /dev/null
+++ b/testing/btest/Baseline/core.load-file-extension/bro_preferred_2
@@ -0,0 +1 @@
+Bro script loaded
diff --git a/testing/btest/Baseline/core.load-file-extension/no_extension b/testing/btest/Baseline/core.load-file-extension/no_extension
new file mode 100644
index 0000000000..b9cfe8016f
--- /dev/null
+++ b/testing/btest/Baseline/core.load-file-extension/no_extension
@@ -0,0 +1 @@
+No file extension script loaded
diff --git a/testing/btest/Baseline/core.load-file-extension/xyz_preferred b/testing/btest/Baseline/core.load-file-extension/xyz_preferred
new file mode 100644
index 0000000000..8883b557a3
--- /dev/null
+++ b/testing/btest/Baseline/core.load-file-extension/xyz_preferred
@@ -0,0 +1 @@
+Non-standard file extension script loaded
diff --git a/testing/btest/Baseline/core.load-file-extension/zeek_only b/testing/btest/Baseline/core.load-file-extension/zeek_only
new file mode 100644
index 0000000000..129000059a
--- /dev/null
+++ b/testing/btest/Baseline/core.load-file-extension/zeek_only
@@ -0,0 +1 @@
+Zeek script loaded
diff --git a/testing/btest/Baseline/core.load-file-extension/zeek_preferred b/testing/btest/Baseline/core.load-file-extension/zeek_preferred
new file mode 100644
index 0000000000..129000059a
--- /dev/null
+++ b/testing/btest/Baseline/core.load-file-extension/zeek_preferred
@@ -0,0 +1 @@
+Zeek script loaded
diff --git a/testing/btest/Baseline/core.load-file-extension/zeek_script_preferred b/testing/btest/Baseline/core.load-file-extension/zeek_script_preferred
new file mode 100644
index 0000000000..129000059a
--- /dev/null
+++ b/testing/btest/Baseline/core.load-file-extension/zeek_script_preferred
@@ -0,0 +1 @@
+Zeek script loaded
diff --git a/testing/btest/Baseline/core.load-pkg/output b/testing/btest/Baseline/core.load-pkg/output
index 119b2f9a18..ab438bfe3b 100644
--- a/testing/btest/Baseline/core.load-pkg/output
+++ b/testing/btest/Baseline/core.load-pkg/output
@@ -1 +1,2 @@
-Foo loaded
+test.zeek loaded
+__load__.zeek loaded
diff --git a/testing/btest/Baseline/core.load-pkg/output2 b/testing/btest/Baseline/core.load-pkg/output2
new file mode 100644
index 0000000000..1021a36092
--- /dev/null
+++ b/testing/btest/Baseline/core.load-pkg/output2
@@ -0,0 +1,2 @@
+test.zeek loaded
+__load__.bro loaded
diff --git a/testing/btest/Baseline/core.load-prefixes/output b/testing/btest/Baseline/core.load-prefixes/output
index ea35b3a8c0..05e54cb3b9 100644
--- a/testing/btest/Baseline/core.load-prefixes/output
+++ b/testing/btest/Baseline/core.load-prefixes/output
@@ -1,4 +1,4 @@
-loaded lcl2.base.utils.site.bro
-loaded lcl.base.utils.site.bro
+loaded lcl2.base.utils.site.zeek
+loaded lcl.base.utils.site.zeek
 loaded lcl2.base.protocols.http.bro
-loaded lcl.base.protocols.http.bro
+loaded lcl.base.protocols.http.zeek
diff --git a/testing/btest/Baseline/core.load-unload/output2 b/testing/btest/Baseline/core.load-unload/output2
new file mode 100644
index 0000000000..bd327f15d4
--- /dev/null
+++ b/testing/btest/Baseline/core.load-unload/output2
@@ -0,0 +1 @@
+Loaded: dontloadme.bro
diff --git a/testing/btest/Baseline/core.nflog/http.log b/testing/btest/Baseline/core.nflog/http.log
new file mode 100644
index 0000000000..3f274f8cf9
--- /dev/null
+++ b/testing/btest/Baseline/core.nflog/http.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#open 2019-03-20-02-08-50
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+1470574779.148133 CHhAvVGS1DHFjwGM9 10.0.2.15 49762 93.184.216.34 80 1 GET www.example.net / - 1.1 curl/7.50.1 - 0 1270 200 OK - - (empty) - - - - - - F57zxQB092IOFcB15 - text/html
+#close 2019-03-20-02-08-50
diff --git a/testing/btest/Baseline/core.old_comm_usage/out b/testing/btest/Baseline/core.old_comm_usage/out
index 219a2f5620..cf4820d82e 100644
--- a/testing/btest/Baseline/core.old_comm_usage/out
+++ b/testing/btest/Baseline/core.old_comm_usage/out
@@ -1,2 +1,2 @@
-warning in /Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.bro, line 6: deprecated (terminate_communication)
+warning in /Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.zeek, line 6: deprecated (terminate_communication)
 fatal error: Detected old, deprecated communication system usages that will not work unless you explicitly take action to initizialize and set up the old comm. system. Set the 'old_comm_usage_is_ok' flag to bypass this error if you've taken such actions, but the suggested solution is to port scripts to use the new Broker API.
diff --git a/testing/btest/Baseline/core.option-errors-2/.stderr b/testing/btest/Baseline/core.option-errors-2/.stderr
index 90011d5c85..ef9fb3ae4e 100644
--- a/testing/btest/Baseline/core.option-errors-2/.stderr
+++ b/testing/btest/Baseline/core.option-errors-2/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-2/option-errors.bro, line 2: option variable must be initialized (testbool)
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-2/option-errors.zeek, line 2: option variable must be initialized (testbool)
diff --git a/testing/btest/Baseline/core.option-errors-3/.stderr b/testing/btest/Baseline/core.option-errors-3/.stderr
index ffe699c739..a3c52db614 100644
--- a/testing/btest/Baseline/core.option-errors-3/.stderr
+++ b/testing/btest/Baseline/core.option-errors-3/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-3/option-errors.bro, line 3: option is not a modifiable lvalue (testopt)
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-3/option-errors.zeek, line 3: option is not a modifiable lvalue (testopt)
diff --git a/testing/btest/Baseline/core.option-errors/.stderr b/testing/btest/Baseline/core.option-errors/.stderr
index 27a73e180d..3e5dc6c86c 100644
--- a/testing/btest/Baseline/core.option-errors/.stderr
+++ b/testing/btest/Baseline/core.option-errors/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors/option-errors.bro, line 4: no type given (testbool)
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors/option-errors.zeek, line 4: no type given (testbool)
diff --git a/testing/btest/Baseline/core.option-runtime-errors-10/.stderr b/testing/btest/Baseline/core.option-runtime-errors-10/.stderr
index 3b4cf422f5..6f385fbb29 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-10/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-10/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-10/option-runtime-errors.bro, line 7: ID 'A' is not an option (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-10/option-runtime-errors.zeek, line 7: ID 'A' is not an option (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-11/.stderr b/testing/btest/Baseline/core.option-runtime-errors-11/.stderr
index 8fd7de5d2e..b0f531df70 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-11/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-11/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-11/option-runtime-errors.bro, line 4: Option::on_change needs function argument; got 'count' for ID 'A' (Option::set_change_handler(A, A, (coerce 0 to int)))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-11/option-runtime-errors.zeek, line 4: Option::on_change needs function argument; got 'count' for ID 'A' (Option::set_change_handler(A, A, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-12/.stderr b/testing/btest/Baseline/core.option-runtime-errors-12/.stderr
index 635b287c6b..bd38eea092 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-12/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-12/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-12/option-runtime-errors.bro, line 7: Third argument of passed function has to be string in Option::on_change for ID 'A'; got 'count' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-12/option-runtime-errors.zeek, line 7: Third argument of passed function has to be string in Option::on_change for ID 'A'; got 'count' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-13/.stderr b/testing/btest/Baseline/core.option-runtime-errors-13/.stderr
index 7b58339d8b..738cfff6e5 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-13/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-13/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-13/option-runtime-errors.bro, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 4 (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-13/option-runtime-errors.zeek, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 4 (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-2/.stderr b/testing/btest/Baseline/core.option-runtime-errors-2/.stderr
index ad027f69db..25d102b9f7 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-2/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-2/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-2/option-runtime-errors.bro, line 3: Incompatible type for set of ID 'A': got 'string', need 'count' (Option::set(A, hi, ))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-2/option-runtime-errors.zeek, line 3: Incompatible type for set of ID 'A': got 'string', need 'count' (Option::set(A, hi, ))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-3/.stderr b/testing/btest/Baseline/core.option-runtime-errors-3/.stderr
index 2c98b170b7..d784841888 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-3/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-3/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-3/option-runtime-errors.bro, line 3: ID 'A' is not an option (Option::set(A, 6, ))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-3/option-runtime-errors.zeek, line 3: ID 'A' is not an option (Option::set(A, 6, ))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-4/.stderr b/testing/btest/Baseline/core.option-runtime-errors-4/.stderr
index a965ddd3ae..ec76dc4be4 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-4/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-4/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-4/option-runtime-errors.bro, line 7: Second argument of passed function has to be count in Option::on_change for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-4/option-runtime-errors.zeek, line 7: Second argument of passed function has to be count in Option::on_change for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-5/.stderr b/testing/btest/Baseline/core.option-runtime-errors-5/.stderr
index d931ff062a..4130f865d6 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-5/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-5/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-5/option-runtime-errors.bro, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 1 (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-5/option-runtime-errors.zeek, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 1 (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-6/.stderr b/testing/btest/Baseline/core.option-runtime-errors-6/.stderr
index 593c239155..ee01ccfb1f 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-6/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-6/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-6/option-runtime-errors.bro, line 7: Passed function needs to return type 'count' for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-6/option-runtime-errors.zeek, line 7: Passed function needs to return type 'count' for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-7/.stderr b/testing/btest/Baseline/core.option-runtime-errors-7/.stderr
index 57f7b5c21b..6d5f9f4595 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-7/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-7/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-7/option-runtime-errors.bro, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-7/option-runtime-errors.zeek, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-8/.stderr b/testing/btest/Baseline/core.option-runtime-errors-8/.stderr
index 2e7735f433..90cec05f47 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-8/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-8/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-8/option-runtime-errors.bro, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-8/option-runtime-errors.zeek, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-9/.stderr b/testing/btest/Baseline/core.option-runtime-errors-9/.stderr
index a95196eef7..f2ce6efd83 100644
--- a/testing/btest/Baseline/core.option-runtime-errors-9/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors-9/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-9/option-runtime-errors.bro, line 5: Could not find ID named 'A' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-9/option-runtime-errors.zeek, line 5: Could not find ID named 'A' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors/.stderr b/testing/btest/Baseline/core.option-runtime-errors/.stderr
index f3ad46d382..0d4da12312 100644
--- a/testing/btest/Baseline/core.option-runtime-errors/.stderr
+++ b/testing/btest/Baseline/core.option-runtime-errors/.stderr
@@ -1 +1 @@
-error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors/option-runtime-errors.bro, line 8: Could not find ID named 'B' (Option::set(B, 6, ))
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors/option-runtime-errors.zeek, line 8: Could not find ID named 'B' (Option::set(B, 6, ))
diff --git a/testing/btest/Baseline/core.pcap.filter-error/output b/testing/btest/Baseline/core.pcap.filter-error/output index 82804bb483..f52fdf7e0a 100644 --- a/testing/btest/Baseline/core.pcap.filter-error/output +++ b/testing/btest/Baseline/core.pcap.filter-error/output @@ -1,3 +1,3 @@ -fatal error in /home/robin/bro/master/scripts/base/frameworks/packet-filter/./main.bro, line 282: Bad pcap filter 'kaputt' +fatal error in /home/robin/bro/master/scripts/base/frameworks/packet-filter/./main.zeek, line 282: Bad pcap filter 'kaputt' ---- error, cannot compile BPF filter "kaputt, too" diff --git a/testing/btest/Baseline/core.plugins.hooks/output b/testing/btest/Baseline/core.plugins.hooks/output index 87f20f8512..2725e48507 100644 --- a/testing/btest/Baseline/core.plugins.hooks/output +++ b/testing/btest/Baseline/core.plugins.hooks/output 
@@ -188,7 +188,7 @@ 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) -> 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -> 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, ()) -> -0.000000 MetaHookPost CallFunction(bro_init, ()) -> +0.000000 MetaHookPost CallFunction(zeek_init, ()) -> 0.000000 MetaHookPost CallFunction(filter_change_tracking, ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> 0.000000 MetaHookPost CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> @@ -275,7 +275,7 @@ 0.000000 MetaHookPost LoadFile(./average) -> -1 0.000000 MetaHookPost LoadFile(./bloom-filter.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./bro.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./broxygen.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./zeexygen.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./cardinality-counter.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./const.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./consts) -> -1 
@@ -576,7 +576,7 @@ 0.000000 MetaHookPost LoadFile(base/utils/thresholds) -> -1 0.000000 MetaHookPost LoadFile(base/utils/time) -> -1 0.000000 MetaHookPost LoadFile(base/utils/urls) -> -1 -0.000000 MetaHookPost QueueEvent(bro_init()) -> false +0.000000 MetaHookPost QueueEvent(zeek_init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_BACKDOOR)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_INTERCONN)) @@ -768,7 +768,7 @@ 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugins, ()) -0.000000 MetaHookPre CallFunction(bro_init, ()) +0.000000 MetaHookPre CallFunction(zeek_init, ()) 0.000000 MetaHookPre CallFunction(filter_change_tracking, ()) 0.000000 MetaHookPre CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) 0.000000 MetaHookPre CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) 
@@ -855,7 +855,7 @@ 0.000000 MetaHookPre LoadFile(./average) 0.000000 MetaHookPre LoadFile(./bloom-filter.bif.bro) 0.000000 MetaHookPre LoadFile(./bro.bif.bro) -0.000000 MetaHookPre LoadFile(./broxygen.bif.bro) +0.000000 MetaHookPre LoadFile(./zeexygen.bif.bro) 0.000000 MetaHookPre LoadFile(./cardinality-counter.bif.bro) 0.000000 MetaHookPre LoadFile(./const.bif.bro) 0.000000 MetaHookPre LoadFile(./consts) @@ -1156,7 +1156,7 @@ 0.000000 MetaHookPre LoadFile(base/utils/thresholds) 0.000000 MetaHookPre LoadFile(base/utils/time) 0.000000 MetaHookPre LoadFile(base/utils/urls) -0.000000 MetaHookPre QueueEvent(bro_init()) +0.000000 MetaHookPre QueueEvent(zeek_init()) 0.000000 MetaHookPre QueueEvent(filter_change_tracking()) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_INTERCONN) 
@@ -1348,7 +1348,7 @@ 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals}) 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average}) 0.000000 | HookCallFunction SumStats::register_observe_plugins() -0.000000 | HookCallFunction bro_init() +0.000000 | HookCallFunction zeek_init() 0.000000 | HookCallFunction filter_change_tracking() 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) @@ -1435,7 +1435,7 @@ 0.000000 | HookLoadFile ./average.bro/bro 0.000000 | HookLoadFile ./bloom-filter.bif.bro/bro 0.000000 | HookLoadFile ./bro.bif.bro/bro -0.000000 | HookLoadFile ./broxygen.bif.bro/bro +0.000000 | HookLoadFile ./zeexygen.bif.bro/bro 0.000000 | HookLoadFile ./cardinality-counter.bif.bro/bro 0.000000 | HookLoadFile ./const.bif.bro/bro 0.000000 | HookLoadFile ./consts.bif.bro/bro @@ -1736,7 +1736,7 @@ 0.000000 | HookLoadFile base/utils/thresholds.bro/bro 0.000000 | HookLoadFile base/utils/time.bro/bro 0.000000 | HookLoadFile base/utils/urls.bro/bro -0.000000 | HookQueueEvent bro_init() +0.000000 | HookQueueEvent zeek_init() 0.000000 | HookQueueEvent filter_change_tracking() 1362692526.869344 MetaHookPost CallFunction(ChecksumOffloading::check, ()) -> 1362692526.869344 MetaHookPost CallFunction(filter_change_tracking, ()) -> 
@@ -2193,7 +2193,7 @@ 1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692527.080972 MetaHookPost CallFunction(Log::default_path_func, (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> 1362692527.080972 MetaHookPost CallFunction(Log::write, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, 
resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> -1362692527.080972 MetaHookPost CallFunction(bro_done, ()) -> +1362692527.080972 MetaHookPost CallFunction(zeek_done, ()) -> 1362692527.080972 MetaHookPost CallFunction(connection_state_remove, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(filter_change_tracking, ()) -> 1362692527.080972 MetaHookPost CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, 
duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 
@@ -2214,7 +2214,7 @@ 1362692527.080972 MetaHookPost DrainEvents() -> 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false -1362692527.080972 MetaHookPost QueueEvent(bro_done()) -> false +1362692527.080972 MetaHookPost QueueEvent(zeek_done()) -> false 1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 1362692527.080972 MetaHookPost QueueEvent(filter_change_tracking()) -> false 1362692527.080972 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, 
num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 
@@ -2227,7 +2227,7 @@ 1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692527.080972 MetaHookPre CallFunction(Log::default_path_func, (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) 1362692527.080972 MetaHookPre CallFunction(Log::write, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, 
resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -1362692527.080972 MetaHookPre CallFunction(bro_done, ()) +1362692527.080972 MetaHookPre CallFunction(zeek_done, ()) 1362692527.080972 MetaHookPre CallFunction(connection_state_remove, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(filter_change_tracking, ()) 1362692527.080972 MetaHookPre CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, 
addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 
@@ -2248,7 +2248,7 @@ 1362692527.080972 MetaHookPre DrainEvents() 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) -1362692527.080972 MetaHookPre QueueEvent(bro_done()) +1362692527.080972 MetaHookPre QueueEvent(zeek_done()) 1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre QueueEvent(filter_change_tracking()) 1362692527.080972 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, 
duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 
@@ -2262,7 +2262,7 @@ 1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692527.080972 | HookCallFunction Log::default_path_func(Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, 
local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) -1362692527.080972 | HookCallFunction bro_done() +1362692527.080972 | HookCallFunction zeek_done() 1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction filter_change_tracking() 1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, 
extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 
@@ -2283,7 +2283,7 @@ 1362692527.080972 | HookDrainEvents 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() -1362692527.080972 | HookQueueEvent bro_done() +1362692527.080972 | HookQueueEvent zeek_done() 1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookQueueEvent filter_change_tracking() 1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, 
uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log index e7f8f8714a..f14621c261 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-14 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 - -#close 2016-07-13-16-12-59 +#close 2019-03-12-03-25-14 diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output index 3da7f62f77..d8067da821 100644 
--- a/testing/btest/Baseline/core.print-bpf-filters/output +++ b/testing/btest/Baseline/core.print-bpf-filters/output @@ -3,28 +3,28 @@ #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-57 +#open 2019-03-12-03-25-12 #fields ts node filter init success #types time string string bool bool -1468426377.846975 bro ip or not ip T T -#close 2016-07-13-16-12-57 +1552361112.763592 bro ip or not ip T T +#close 2019-03-12-03-25-12 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-13 #fields ts node filter init success #types time string string bool bool -1468426378.362651 bro port 42 T T -#close 2016-07-13-16-12-58 +1552361113.442916 bro port 42 T T +#close 2019-03-12-03-25-13 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-14 #fields ts node filter init success #types time string string bool bool -1468426378.944945 bro (vlan) and (ip or not ip) T T -#close 2016-07-13-16-12-59 +1552361114.111534 bro (vlan) and (ip or not ip) T T +#close 2019-03-12-03-25-14 diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index 26a4b5fa85..d46c6b1f1f 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -21,6 +21,7 @@ 1 4011 2 443 1 445 +1 4789 1 502 1 5060 1 5072 @@ -54,8 +55,8 @@ 1 992 1 993 1 995 -61 and -60 or -61 port +62 and +61 or +62 port 42 tcp -19 udp +20 udp diff --git a/testing/btest/Baseline/core.reporter-error-in-handler/output b/testing/btest/Baseline/core.reporter-error-in-handler/output index ab5309b659..85014657a3 100644 --- a/testing/btest/Baseline/core.reporter-error-in-handler/output +++ b/testing/btest/Baseline/core.reporter-error-in-handler/output 
@@ -1,3 +1,3 @@ -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.bro, line 28: no such index (a[1]) -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.bro, line 22: no such index (a[2]) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.zeek, line 28: no such index (a[1]) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.zeek, line 22: no such index (a[2]) 1st error printed on script level diff --git a/testing/btest/Baseline/core.reporter-fmt-strings/output b/testing/btest/Baseline/core.reporter-fmt-strings/output index bbd76f3447..4e31478caa 100644 --- a/testing/btest/Baseline/core.reporter-fmt-strings/output +++ b/testing/btest/Baseline/core.reporter-fmt-strings/output @@ -1 +1 @@ -error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-fmt-strings/reporter-fmt-strings.bro, line 9: not an event (dont_interpret_this(%s)) +error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-fmt-strings/reporter-fmt-strings.zeek, line 9: not an event (dont_interpret_this(%s)) diff --git a/testing/btest/Baseline/core.reporter-parse-error/output b/testing/btest/Baseline/core.reporter-parse-error/output index 76535f75d1..4dd922fd24 100644 --- a/testing/btest/Baseline/core.reporter-parse-error/output +++ b/testing/btest/Baseline/core.reporter-parse-error/output @@ -1 +1 @@ -error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-parse-error/reporter-parse-error.bro, line 7: unknown identifier TESTFAILURE, at or near "TESTFAILURE" +error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-parse-error/reporter-parse-error.zeek, line 7: unknown identifier TESTFAILURE, at or near "TESTFAILURE" 
diff --git a/testing/btest/Baseline/core.reporter-runtime-error/output b/testing/btest/Baseline/core.reporter-runtime-error/output index 695e2e2f81..7e0ab11845 100644 --- a/testing/btest/Baseline/core.reporter-runtime-error/output +++ b/testing/btest/Baseline/core.reporter-runtime-error/output @@ -1,2 +1,2 @@ -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.bro, line 12: no such index (a[1]) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.zeek, line 12: no such index (a[1]) fatal error: failed to execute script statements at top-level scope diff --git a/testing/btest/Baseline/core.reporter-type-mismatch/output b/testing/btest/Baseline/core.reporter-type-mismatch/output index 23eefd13e8..d54e6e2b9b 100644 --- a/testing/btest/Baseline/core.reporter-type-mismatch/output +++ b/testing/btest/Baseline/core.reporter-type-mismatch/output 
@@ -1,3 +1,3 @@ -error in string and /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: arithmetic mixed with non-arithmetic (string and 42) -error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11 and string: type mismatch (42 and string) -error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: argument type mismatch in event invocation (foo(42)) +error in string and /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.zeek, line 11: arithmetic mixed with non-arithmetic (string and 42) +error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.zeek, line 11 and string: type mismatch (42 and string) +error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.zeek, line 11: argument type mismatch in event invocation (foo(42)) diff --git a/testing/btest/Baseline/core.reporter/logger-test.log b/testing/btest/Baseline/core.reporter/logger-test.log index 4ee0d03341..1dc58b65cd 100644 --- a/testing/btest/Baseline/core.reporter/logger-test.log +++ b/testing/btest/Baseline/core.reporter/logger-test.log 
@@ -1,6 +1,6 @@ -reporter_info|init test-info|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 8|0.000000 -reporter_warning|init test-warning|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 9|0.000000 -reporter_error|init test-error|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 10|0.000000 -reporter_info|done test-info|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 15|0.000000 -reporter_warning|done test-warning|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 16|0.000000 -reporter_error|done test-error|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 17|0.000000 +reporter_info|init test-info|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 8|0.000000 +reporter_warning|init test-warning|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 9|0.000000 +reporter_error|init test-error|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 10|0.000000 +reporter_info|done test-info|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 15|0.000000 +reporter_warning|done test-warning|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 16|0.000000 +reporter_error|done test-error|/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 17|0.000000 diff --git a/testing/btest/Baseline/core.reporter/output b/testing/btest/Baseline/core.reporter/output index 24a12f9679..12069545ba 100644 --- a/testing/btest/Baseline/core.reporter/output +++ b/testing/btest/Baseline/core.reporter/output 
@@ -1,9 +1,9 @@
-/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 52: pre test-info
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 53: pre test-warning
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 54: pre test-error
-/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 8: init test-info
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 9: init test-warning
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 10: init test-error
-/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 15: done test-info
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 16: done test-warning
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.bro, line 17: done test-error
+/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 52: pre test-info
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 53: pre test-warning
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 54: pre test-error
+/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 8: init test-info
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 9: init test-warning
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 10: init test-error
+/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 15: done test-info
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 16: done test-warning
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.reporter/reporter.zeek, line 17: done test-error
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
index 8da44df913..fbb4a71369 100644
--- a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
@@ -3,10 +3,10 @@
 #empty_field (empty)
 #unset_field -
 #path conn
-#open 2016-07-13-16-13-01
+#open 2019-04-19-18-10-57
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
 1395939406.175845 ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 -
-1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 -
+1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 5416642848 ShAdgfFa 13 688 12 24454 -
 1395939399.984671 CHhAvVGS1DHFjwGM9 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 -
-#close 2016-07-13-16-13-01
+#close 2019-04-19-18-10-57
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
index 31087d58cc..15de6047b6 100644
--- a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path files
-#open 2017-01-25-07-03-11
+#open 2019-04-17-20-41-29
 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
 #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
 1395939406.177079 FAb5m22Dhe2Zi95anf 192.168.56.101 192.168.56.1 ClEkJM2Vm5giqnMf4h FTP_DATA 0 DATA_EVENT text/plain - 0.000000 - F 270 - 0 0 F - - - - - - -
 1395939411.364462 FhI0ao2FNTjabdfSBd 192.168.56.101 192.168.56.1 C4J4Th3PJpwUYZZ6gc FTP_DATA 0 DATA_EVENT text/plain - 150.490904 - F 23822 - 5416642848 0 F - - - - - - -
-#close 2017-01-25-07-03-11
+#close 2019-04-17-20-41-29
diff --git a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log
index b33aec3366..e8d6102398 100644
--- a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log
+++ b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path conn
-#open 2016-07-13-16-13-02
+#open 2019-04-19-18-11-06
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
-1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafF 5 750 4 172 -
-#close 2016-07-13-16-13-02
+1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafgF 5 750 4 172 -
+#close 2019-04-19-18-11-07
diff --git a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log
index 43daf101a3..466f882257 100644
--- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log
+++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path conn
-#open 2018-01-12-21-43-34
+#open 2019-04-17-20-42-43
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
-1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADadtR 17 1250 22 28961 -
-#close 2018-01-12-21-43-34
+1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADaGdgtR 17 1250 22 28961 -
+#close 2019-04-17-20-42-43
diff --git a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log
index 22d4ec3ab9..e75d9487d0 100644
--- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log
+++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log
@@ -3,7 +3,7 @@
 #empty_field (empty)
 #unset_field -
 #path conn
-#open 2018-01-12-21-43-35
+#open 2019-04-17-20-42-44
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
 1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 -
@@ -40,4 +40,4 @@
 1300475168.859163 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 -
 1300475168.892936 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 -
 1300475168.895267 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 -
-#close 2018-01-12-21-43-35
+#close 2019-04-17-20-42-44
diff --git a/testing/btest/Baseline/core.tunnels.ayiya/http.log b/testing/btest/Baseline/core.tunnels.ayiya/http.log
index 22a553b50d..ee4a4d6d18 100644
--- a/testing/btest/Baseline/core.tunnels.ayiya/http.log
+++ b/testing/btest/Baseline/core.tunnels.ayiya/http.log
@@ -3,10 +3,10 @@
 #empty_field (empty)
 #unset_field -
 #path http
-#open 2016-07-13-16-13-04
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
-#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
-1257655301.652206 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - (empty) - - - - - - FYAtjT24MvCBUs5K5f - text/html
-1257655302.514424 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - (empty) - - - - - - - - -
-1257655303.603569 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - (empty) - - - - - - - - -
-#close 2016-07-13-16-13-04
+#open 2019-03-13-20-02-18
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+1257655301.652206 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) - 0 10102 200 OK - - (empty) - - - - - - FYAtjT24MvCBUs5K5f - text/html
+1257655302.514424 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) - 0 0 204 No Content - - (empty) - - - - - - - - -
+1257655303.603569 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) - 0 0 204 No Content - - (empty) - - - - - - - - -
+#close 2019-03-13-20-02-18
diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
index bb04405317..779a50d1ef 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path http
-#open 2016-07-13-16-13-06
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
-#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
-1333458850.340368 ClEkJM2Vm5giqnMf4h 10.131.17.170 51803 173.199.115.168 80 1 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296 1.1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - (empty) - - - - - - FHKKd91EMHBEK0hbdg - application/x-shockwave-flash
-1333458850.399501 ClEkJM2Vm5giqnMf4h 10.131.17.170 51803 173.199.115.168 80 2 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207 1.1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - (empty) - - - - - - Fu64Vqjy6nBop9nRd - application/x-shockwave-flash
-#close 2016-07-13-16-13-06
+#open 2019-03-13-20-03-31
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+1333458850.340368 ClEkJM2Vm5giqnMf4h 10.131.17.170 51803 173.199.115.168 80 1 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296 1.1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) - 0 31461 200 OK - - (empty) - - - - - - FHKKd91EMHBEK0hbdg - application/x-shockwave-flash
+1333458850.399501 ClEkJM2Vm5giqnMf4h 10.131.17.170 51803 173.199.115.168 80 2 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207 1.1 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) - 0 31461 200 OK - - (empty) - - - - - - Fu64Vqjy6nBop9nRd - application/x-shockwave-flash
+#close 2019-03-13-20-03-31
diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
index 4c598b386d..dfa705f258 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path conn
-#open 2016-07-13-16-13-10
+#open 2019-04-19-18-10-49
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
-1333458850.364667 ClEkJM2Vm5giqnMf4h 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - - 0 ShADadfF 27 3204 41 52594 CHhAvVGS1DHFjwGM9
+1333458850.364667 ClEkJM2Vm5giqnMf4h 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - - 5760 ShADadfgF 27 3204 41 52594 CHhAvVGS1DHFjwGM9
 1333458850.364667 CHhAvVGS1DHFjwGM9 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - - 0 Dd 27 4176 41 54070 -
-#close 2016-07-13-16-13-10
+#close 2019-04-19-18-10-49
diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
index 3bd0d4126f..1a3ab3ce90 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path http
-#open 2016-07-13-16-13-10
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
-#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
-1333458850.375568 ClEkJM2Vm5giqnMf4h 10.131.47.185 1923 79.101.110.141 80 1 GET o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com /videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1 http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf 1.1 Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11 0 56320 206 Partial Content - - (empty) - - - - - - FNJkBA1b8FSHt5N8jl - -
-#close 2016-07-13-16-13-10
+#open 2019-03-13-20-09-34
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+1333458850.375568 ClEkJM2Vm5giqnMf4h 10.131.47.185 1923 79.101.110.141 80 1 GET o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com /videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1 http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf 1.1 Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11 - 0 56320 206 Partial Content - - (empty) - - - - - - FNJkBA1b8FSHt5N8jl - -
+#close 2019-03-13-20-09-34
diff --git a/testing/btest/Baseline/core.tunnels.teredo/http.log b/testing/btest/Baseline/core.tunnels.teredo/http.log
index 3f8c43475f..ff361391cf 100644
--- a/testing/btest/Baseline/core.tunnels.teredo/http.log
+++ b/testing/btest/Baseline/core.tunnels.teredo/http.log
@@ -3,11 +3,11 @@
 #empty_field (empty)
 #unset_field -
 #path http
-#open 2016-07-13-16-13-14
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
-#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
-1210953057.917183 C3eiCBGOLw3VtHfOj 192.168.2.16 1578 75.126.203.78 80 1 POST download913.avast.com /cgi-bin/iavs4stats.cgi - 1.1 Syncer/4.80 (av_pro-1169;f) 589 0 204 - - (empty) - - - Fp32SIJztq0Szn5Qc - text/plain - - -
-1210953061.585996 CNnMIj2QSd84NKf7U3 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - (empty) - - - - - - FNFYdH11h5iQcoD3a2 - text/html
-1210953073.381474 CNnMIj2QSd84NKf7U3 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - (empty) - - - - - - FHD5nv1iSVFZVM0aH7 - text/html
-1210953074.674817 CpmdRlaUoJLN3uIRa 192.168.2.16 1580 67.228.110.120 80 1 GET www.wireshark.org / http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 11845 200 OK - - (empty) - - - - - - FS7lUf2cJFAVBCu6w6 - text/html
-#close 2016-07-13-16-13-14
+#open 2019-03-13-20-10-25
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+1210953057.917183 C3eiCBGOLw3VtHfOj 192.168.2.16 1578 75.126.203.78 80 1 POST download913.avast.com /cgi-bin/iavs4stats.cgi - 1.1 Syncer/4.80 (av_pro-1169;f) - 589 0 204 - - (empty) - - - Fp32SIJztq0Szn5Qc - text/plain - - -
+1210953061.585996 CNnMIj2QSd84NKf7U3 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 - 0 6640 200 OK - - (empty) - - - - - - FNFYdH11h5iQcoD3a2 - text/html
+1210953073.381474 CNnMIj2QSd84NKf7U3 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 - 0 25119 200 OK - - (empty) - - - - - - FHD5nv1iSVFZVM0aH7 - text/html
+1210953074.674817 CpmdRlaUoJLN3uIRa 192.168.2.16 1580 67.228.110.120 80 1 GET www.wireshark.org / http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 - 0 11845 200 OK - - (empty) - - - - - - FS7lUf2cJFAVBCu6w6 - text/html
+#close 2019-03-13-20-10-25
diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log
index e3fc5b79a1..8f7bbbf756 100644
--- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log
+++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path http
-#open 2016-07-13-16-13-14
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
-#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
-1340127577.361683 CP5puj4I8PtEU4qzYg 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - (empty) - - - - - - FWSTWv4EZLVlc2Zywi - text/html
-1340127577.379360 CP5puj4I8PtEU4qzYg 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - (empty) - - - - - - FGKV3B3jz083xhGO13 - text/html
-#close 2016-07-13-16-13-14
+#open 2019-03-13-19-35-20
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+1340127577.361683 CP5puj4I8PtEU4qzYg 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 - 0 6640 200 OK - - (empty) - - - - - - FWSTWv4EZLVlc2Zywi - text/html
+1340127577.379360 CP5puj4I8PtEU4qzYg 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 - 0 25119 200 OK - - (empty) - - - - - - FGKV3B3jz083xhGO13 - text/html
+#close 2019-03-13-19-35-20
diff --git a/testing/btest/Baseline/core.tunnels.vxlan/conn.log b/testing/btest/Baseline/core.tunnels.vxlan/conn.log
new file mode 100644
index 0000000000..3805f6d92f
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.vxlan/conn.log
@@ -0,0 +1,14 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2019-03-12-03-29-46
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1467818432.676047 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 udp vxlan 3.004434 424 0 S0 - - 0 D 4 536 0 0 -
+1467818432.675392 CHhAvVGS1DHFjwGM9 192.168.56.11 39924 192.168.56.12 4789 udp - - - - S0 - - 0 D 1 78 0 0 -
+1467818432.675732 ClEkJM2Vm5giqnMf4h 192.168.56.12 40908 192.168.56.11 4789 udp - - - - S0 - - 0 D 1 78 0 0 -
+1467818432.676385 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 udp vxlan 3.004278 424 0 S0 - - 0 D 4 536 0 0 -
+1467818432.676047 CtPZjS20MLrsMUOJi2 10.0.0.1 8 10.0.0.2 0 icmp - 3.004616 224 224 OTH - - 0 - 4 336 4 336 CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc
+#close 2019-03-12-03-29-46
diff --git a/testing/btest/Baseline/core.tunnels.vxlan/out b/testing/btest/Baseline/core.tunnels.vxlan/out
new file mode 100644
index 0000000000..a8da7f7cf6
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.vxlan/out
@@ -0,0 +1,8 @@
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12111, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=36913, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12341, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37030, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12507, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37208, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123
+vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12684, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123
+vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37295, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123
diff --git a/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log
new file mode 100644
index 0000000000..95f062bd67
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log
@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open 2019-03-12-03-29-46
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+1467818432.676047 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 Tunnel::VXLAN Tunnel::DISCOVER
+1467818432.676385 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 Tunnel::VXLAN Tunnel::DISCOVER
+1467818435.680663 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 Tunnel::VXLAN Tunnel::CLOSE
+1467818435.680663 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 Tunnel::VXLAN Tunnel::CLOSE
+#close 2019-03-12-03-29-46
diff --git a/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output b/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output
index 27a90d137c..3abe7bcfd0 100644
--- a/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output
+++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output
@@ -1,12 +1,12 @@
-expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 47: field value missing (myrecord$notset)
-expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 91: field value missing (myrecord$notset)
-expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 72: field value missing (myrecord$notset)
-expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 103: field value missing (myrecord$notset)
+expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.zeek, line 47: field value missing (myrecord$notset)
+expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.zeek, line 91: field value missing (myrecord$notset)
+expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.zeek, line 72: field value missing (myrecord$notset)
+expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.zeek, line 103: field value missing (myrecord$notset)
 received termination signal
 [f(F)]
 f() done, no exception, T
 [f(T)]
-[bro_init()]
+[zeek_init()]
 timeout g(), T
 timeout
 timeout g(), F
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 02e6855308..1976784e41 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,178 +3,181 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2018-06-08-16-37-15 +#open 2019-04-04-19-22-03 #fields name #types string -scripts/base/init-bare.bro - build/scripts/base/bif/const.bif.bro - build/scripts/base/bif/types.bif.bro - build/scripts/base/bif/bro.bif.bro - build/scripts/base/bif/stats.bif.bro - build/scripts/base/bif/reporter.bif.bro - build/scripts/base/bif/strings.bif.bro - build/scripts/base/bif/option.bif.bro - build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro - build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro - build/scripts/base/bif/event.bif.bro -scripts/base/init-frameworks-and-bifs.bro - scripts/base/frameworks/logging/__load__.bro - scripts/base/frameworks/logging/main.bro - build/scripts/base/bif/logging.bif.bro - scripts/base/frameworks/logging/postprocessors/__load__.bro - scripts/base/frameworks/logging/postprocessors/scp.bro - scripts/base/frameworks/logging/postprocessors/sftp.bro - scripts/base/frameworks/logging/writers/ascii.bro - scripts/base/frameworks/logging/writers/sqlite.bro - scripts/base/frameworks/logging/writers/none.bro - scripts/base/frameworks/broker/__load__.bro - scripts/base/frameworks/broker/main.bro - build/scripts/base/bif/comm.bif.bro - build/scripts/base/bif/messaging.bif.bro - scripts/base/frameworks/broker/store.bro - build/scripts/base/bif/data.bif.bro - build/scripts/base/bif/store.bif.bro - scripts/base/frameworks/broker/log.bro - scripts/base/frameworks/input/__load__.bro - scripts/base/frameworks/input/main.bro - build/scripts/base/bif/input.bif.bro - scripts/base/frameworks/input/readers/ascii.bro - scripts/base/frameworks/input/readers/raw.bro - scripts/base/frameworks/input/readers/benchmark.bro - scripts/base/frameworks/input/readers/binary.bro - scripts/base/frameworks/input/readers/config.bro - scripts/base/frameworks/input/readers/sqlite.bro - scripts/base/frameworks/analyzer/__load__.bro - scripts/base/frameworks/analyzer/main.bro - 
scripts/base/frameworks/packet-filter/utils.bro - build/scripts/base/bif/analyzer.bif.bro - scripts/base/frameworks/files/__load__.bro - scripts/base/frameworks/files/main.bro - build/scripts/base/bif/file_analysis.bif.bro - scripts/base/utils/site.bro - scripts/base/utils/patterns.bro - scripts/base/frameworks/files/magic/__load__.bro - build/scripts/base/bif/__load__.bro - build/scripts/base/bif/broxygen.bif.bro - build/scripts/base/bif/pcap.bif.bro - build/scripts/base/bif/bloom-filter.bif.bro - build/scripts/base/bif/cardinality-counter.bif.bro - build/scripts/base/bif/top-k.bif.bro - build/scripts/base/bif/plugins/__load__.bro - build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro - build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro - build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro - build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro - build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro - build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro - build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro - build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro - build/scripts/base/bif/plugins/Bro_File.events.bif.bro - build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro - build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro - build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro - build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro - build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro - 
build/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro - build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro - build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro - build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro - build/scripts/base/bif/plugins/Bro_Login.events.bif.bro - build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro - build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro - build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro - build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro - build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro - build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro - build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro - build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro - build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro - build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro - build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro - build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro - build/scripts/base/bif/plugins/Bro_RDP.types.bif.bro - build/scripts/base/bif/plugins/Bro_RFB.events.bif.bro - build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro - build/scripts/base/bif/plugins/Bro_SIP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro - 
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.types.bif.bro - build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSH.types.bif.bro - build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSL.types.bif.bro - 
build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro - build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro - build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro - build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro - build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro - build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro - build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro - build/scripts/base/bif/plugins/Bro_PE.events.bif.bro - build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro - build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro - build/scripts/base/bif/plugins/Bro_X509.events.bif.bro - build/scripts/base/bif/plugins/Bro_X509.types.bif.bro - build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro - build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro - build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro - build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro - build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro - build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro - build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro - build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro - build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro - build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro - build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro -scripts/policy/misc/loaded-scripts.bro - scripts/base/utils/paths.bro -#close 2018-06-08-16-37-15 +scripts/base/init-bare.zeek + build/scripts/base/bif/const.bif.zeek + build/scripts/base/bif/types.bif.zeek + 
build/scripts/base/bif/bro.bif.zeek + build/scripts/base/bif/stats.bif.zeek + build/scripts/base/bif/reporter.bif.zeek + build/scripts/base/bif/strings.bif.zeek + build/scripts/base/bif/option.bif.zeek + build/scripts/base/bif/plugins/Bro_SNMP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_KRB.types.bif.zeek + build/scripts/base/bif/event.bif.zeek +scripts/base/init-frameworks-and-bifs.zeek + scripts/base/frameworks/logging/__load__.zeek + scripts/base/frameworks/logging/main.zeek + build/scripts/base/bif/logging.bif.zeek + scripts/base/frameworks/logging/postprocessors/__load__.zeek + scripts/base/frameworks/logging/postprocessors/scp.zeek + scripts/base/frameworks/logging/postprocessors/sftp.zeek + scripts/base/frameworks/logging/writers/ascii.zeek + scripts/base/frameworks/logging/writers/sqlite.zeek + scripts/base/frameworks/logging/writers/none.zeek + scripts/base/frameworks/broker/__load__.zeek + scripts/base/frameworks/broker/main.zeek + build/scripts/base/bif/comm.bif.zeek + build/scripts/base/bif/messaging.bif.zeek + scripts/base/frameworks/broker/store.zeek + build/scripts/base/bif/data.bif.zeek + build/scripts/base/bif/store.bif.zeek + scripts/base/frameworks/broker/log.zeek + scripts/base/frameworks/input/__load__.zeek + scripts/base/frameworks/input/main.zeek + build/scripts/base/bif/input.bif.zeek + scripts/base/frameworks/input/readers/ascii.zeek + scripts/base/frameworks/input/readers/raw.zeek + scripts/base/frameworks/input/readers/benchmark.zeek + scripts/base/frameworks/input/readers/binary.zeek + scripts/base/frameworks/input/readers/config.zeek + scripts/base/frameworks/input/readers/sqlite.zeek + scripts/base/frameworks/analyzer/__load__.zeek + scripts/base/frameworks/analyzer/main.zeek + scripts/base/frameworks/packet-filter/utils.zeek + build/scripts/base/bif/analyzer.bif.zeek + scripts/base/frameworks/files/__load__.zeek + scripts/base/frameworks/files/main.zeek + build/scripts/base/bif/file_analysis.bif.zeek + 
scripts/base/utils/site.zeek + scripts/base/utils/patterns.zeek + scripts/base/frameworks/files/magic/__load__.zeek + build/scripts/base/bif/__load__.zeek + build/scripts/base/bif/zeexygen.bif.zeek + build/scripts/base/bif/pcap.bif.zeek + build/scripts/base/bif/bloom-filter.bif.zeek + build/scripts/base/bif/cardinality-counter.bif.zeek + build/scripts/base/bif/top-k.bif.zeek + build/scripts/base/bif/plugins/__load__.zeek + build/scripts/base/bif/plugins/Bro_ARP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.zeek + build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.zeek + build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.zeek + build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DHCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DHCP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_DNP3.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DNS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_File.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Finger.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.zeek + build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.zeek + build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.zeek + build/scripts/base/bif/plugins/Bro_HTTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_ICMP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Ident.events.bif.zeek + build/scripts/base/bif/plugins/Bro_IMAP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_InterConn.events.bif.zeek + build/scripts/base/bif/plugins/Bro_IRC.events.bif.zeek + 
build/scripts/base/bif/plugins/Bro_KRB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Login.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Login.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_MIME.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Modbus.events.bif.zeek + build/scripts/base/bif/plugins/Bro_MySQL.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NCP.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_NTLM.types.bif.zeek + build/scripts/base/bif/plugins/Bro_NTLM.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_POP3.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RDP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RDP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_RFB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RPC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SIP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SNMP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.zeek + 
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SMTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SSH.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SSH.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.events.bif.zeek + 
build/scripts/base/bif/plugins/Bro_SSL.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Syslog.events.bif.zeek + build/scripts/base/bif/plugins/Bro_TCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_TCP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_Teredo.events.bif.zeek + build/scripts/base/bif/plugins/Bro_UDP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.zeek + build/scripts/base/bif/plugins/Bro_XMPP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_FileHash.events.bif.zeek + build/scripts/base/bif/plugins/Bro_PE.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Unified2.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Unified2.types.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.events.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.types.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.zeek + build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.zeek + build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.zeek + build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.zeek + build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.zeek + build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.zeek + build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.zeek + build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.zeek + build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.zeek + build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.zeek +scripts/policy/misc/loaded-scripts.zeek + scripts/base/utils/paths.zeek +#close 2019-04-04-19-22-03 
diff --git a/testing/btest/Baseline/coverage.bare-mode-errors/errors b/testing/btest/Baseline/coverage.bare-mode-errors/errors
index e11a4ca00f..6595a63eb3 100644
--- a/testing/btest/Baseline/coverage.bare-mode-errors/errors
+++ b/testing/btest/Baseline/coverage.bare-mode-errors/errors
@@ -1,18 +1,18 @@
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 245: deprecated (dhcp_discover)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 248: deprecated (dhcp_offer)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 251: deprecated (dhcp_request)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 254: deprecated (dhcp_decline)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 257: deprecated (dhcp_ack)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 260: deprecated (dhcp_nak)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 263: deprecated (dhcp_release)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 266: deprecated (dhcp_inform)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.bro, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/testing/btest/../../scripts//broxygen/__load__.bro:10 "Use '@load base/protocols/smb' instead"
-warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 245: deprecated (dhcp_discover)
-warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 248: deprecated (dhcp_offer)
-warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 251: deprecated (dhcp_request)
-warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 254: deprecated (dhcp_decline)
-warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 257: deprecated (dhcp_ack)
-warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 260: deprecated (dhcp_nak)
-warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 263: deprecated (dhcp_release)
-warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.bro, line 266: deprecated (dhcp_inform)
-warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/smb/__load__.bro, line 1: deprecated script loaded from command line arguments "Use '@load base/protocols/smb' instead"
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 245: deprecated (dhcp_discover)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 248: deprecated (dhcp_offer)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 251: deprecated (dhcp_request)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 254: deprecated (dhcp_decline)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 257: deprecated (dhcp_ack)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 260: deprecated (dhcp_nak)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 263: deprecated (dhcp_release)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 266: deprecated (dhcp_inform)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/testing/btest/../../scripts//zeexygen/__load__.zeek:10 "Use '@load base/protocols/smb' instead"
+warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 245: deprecated (dhcp_discover)
+warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 248: deprecated (dhcp_offer)
+warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 251: deprecated (dhcp_request)
+warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 254: deprecated (dhcp_decline)
+warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 257: deprecated (dhcp_ack)
+warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 260: deprecated (dhcp_nak)
+warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 263: deprecated (dhcp_release)
+warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/dhcp/deprecated_events.zeek, line 266: deprecated (dhcp_inform)
+warning in /Users/jon/projects/bro/bro/testing/btest/../../scripts//policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from command line arguments "Use '@load base/protocols/smb' instead"
diff --git a/testing/btest/Baseline/coverage.coverage-blacklist/output b/testing/btest/Baseline/coverage.coverage-blacklist/output
index c54e4283b2..e27574face 100644
--- a/testing/btest/Baseline/coverage.coverage-blacklist/output
+++ b/testing/btest/Baseline/coverage.coverage-blacklist/output
@@ -1,5 +1,5 @@
-1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 13 print cover me;
-1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 17 print always executed;
-0 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 26 print also impossible, but included in code coverage analysis;
-1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 29 print success;
-1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.bro, line 5 print first;
+1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.zeek, line 13 print cover me;
+1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.zeek, line 17 print always executed;
+0 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.zeek, line 26 print also impossible, but included in code coverage analysis;
+1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.zeek, line 29 print success;
+1 /da/home/robin/bro/master/testing/btest/.tmp/coverage.coverage-blacklist/coverage-blacklist.zeek, line 5 print first;
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 1df4b007c1..7951d68e2b 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,372 +3,375 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2018-09-05-20-33-08 +#open 2019-04-16-17-02-20 #fields name #types string -scripts/base/init-bare.bro - build/scripts/base/bif/const.bif.bro - build/scripts/base/bif/types.bif.bro - build/scripts/base/bif/bro.bif.bro - build/scripts/base/bif/stats.bif.bro - build/scripts/base/bif/reporter.bif.bro - build/scripts/base/bif/strings.bif.bro - build/scripts/base/bif/option.bif.bro - build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro - build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro - build/scripts/base/bif/event.bif.bro -scripts/base/init-frameworks-and-bifs.bro - scripts/base/frameworks/logging/__load__.bro - scripts/base/frameworks/logging/main.bro - build/scripts/base/bif/logging.bif.bro - scripts/base/frameworks/logging/postprocessors/__load__.bro - scripts/base/frameworks/logging/postprocessors/scp.bro - scripts/base/frameworks/logging/postprocessors/sftp.bro - scripts/base/frameworks/logging/writers/ascii.bro - scripts/base/frameworks/logging/writers/sqlite.bro - scripts/base/frameworks/logging/writers/none.bro - scripts/base/frameworks/broker/__load__.bro - scripts/base/frameworks/broker/main.bro - build/scripts/base/bif/comm.bif.bro - build/scripts/base/bif/messaging.bif.bro - scripts/base/frameworks/broker/store.bro - build/scripts/base/bif/data.bif.bro - build/scripts/base/bif/store.bif.bro - scripts/base/frameworks/broker/log.bro - scripts/base/frameworks/input/__load__.bro - scripts/base/frameworks/input/main.bro - build/scripts/base/bif/input.bif.bro - scripts/base/frameworks/input/readers/ascii.bro - scripts/base/frameworks/input/readers/raw.bro - scripts/base/frameworks/input/readers/benchmark.bro - scripts/base/frameworks/input/readers/binary.bro - scripts/base/frameworks/input/readers/config.bro - scripts/base/frameworks/input/readers/sqlite.bro - scripts/base/frameworks/analyzer/__load__.bro - scripts/base/frameworks/analyzer/main.bro - 
scripts/base/frameworks/packet-filter/utils.bro - build/scripts/base/bif/analyzer.bif.bro - scripts/base/frameworks/files/__load__.bro - scripts/base/frameworks/files/main.bro - build/scripts/base/bif/file_analysis.bif.bro - scripts/base/utils/site.bro - scripts/base/utils/patterns.bro - scripts/base/frameworks/files/magic/__load__.bro - build/scripts/base/bif/__load__.bro - build/scripts/base/bif/broxygen.bif.bro - build/scripts/base/bif/pcap.bif.bro - build/scripts/base/bif/bloom-filter.bif.bro - build/scripts/base/bif/cardinality-counter.bif.bro - build/scripts/base/bif/top-k.bif.bro - build/scripts/base/bif/plugins/__load__.bro - build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro - build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro - build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro - build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro - build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro - build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro - build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro - build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro - build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro - build/scripts/base/bif/plugins/Bro_File.events.bif.bro - build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro - build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro - build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro - build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro - build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro - 
build/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro - build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro - build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro - build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro - build/scripts/base/bif/plugins/Bro_Login.events.bif.bro - build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro - build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro - build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro - build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro - build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro - build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro - build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro - build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro - build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro - build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro - build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro - build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro - build/scripts/base/bif/plugins/Bro_RDP.types.bif.bro - build/scripts/base/bif/plugins/Bro_RFB.events.bif.bro - build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro - build/scripts/base/bif/plugins/Bro_SIP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro - 
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.consts.bif.bro - build/scripts/base/bif/plugins/Bro_SMB.types.bif.bro - build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSH.types.bif.bro - build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSL.types.bif.bro - 
build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro - build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro - build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro - build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro - build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro - build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro - build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro - build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro - build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro - build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro - build/scripts/base/bif/plugins/Bro_PE.events.bif.bro - build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro - build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro - build/scripts/base/bif/plugins/Bro_X509.events.bif.bro - build/scripts/base/bif/plugins/Bro_X509.types.bif.bro - build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro - build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro - build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro - build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro - build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro - build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro - build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro - build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro - build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro - build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro - build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro -scripts/base/init-default.bro - scripts/base/utils/active-http.bro - scripts/base/utils/exec.bro - scripts/base/utils/addrs.bro - scripts/base/utils/conn-ids.bro - scripts/base/utils/dir.bro - 
scripts/base/frameworks/reporter/__load__.bro - scripts/base/frameworks/reporter/main.bro - scripts/base/utils/paths.bro - scripts/base/utils/directions-and-hosts.bro - scripts/base/utils/email.bro - scripts/base/utils/files.bro - scripts/base/utils/geoip-distance.bro - scripts/base/utils/hash_hrw.bro - scripts/base/utils/numbers.bro - scripts/base/utils/queue.bro - scripts/base/utils/strings.bro - scripts/base/utils/thresholds.bro - scripts/base/utils/time.bro - scripts/base/utils/urls.bro - scripts/base/frameworks/notice/__load__.bro - scripts/base/frameworks/notice/main.bro - scripts/base/frameworks/cluster/__load__.bro - scripts/base/frameworks/cluster/main.bro - scripts/base/frameworks/control/__load__.bro - scripts/base/frameworks/control/main.bro - scripts/base/frameworks/cluster/pools.bro - scripts/base/frameworks/notice/weird.bro - scripts/base/frameworks/notice/actions/drop.bro - scripts/base/frameworks/netcontrol/__load__.bro - scripts/base/frameworks/netcontrol/types.bro - scripts/base/frameworks/netcontrol/main.bro - scripts/base/frameworks/netcontrol/plugin.bro - scripts/base/frameworks/netcontrol/plugins/__load__.bro - scripts/base/frameworks/netcontrol/plugins/debug.bro - scripts/base/frameworks/netcontrol/plugins/openflow.bro - scripts/base/frameworks/openflow/__load__.bro - scripts/base/frameworks/openflow/consts.bro - scripts/base/frameworks/openflow/types.bro - scripts/base/frameworks/openflow/main.bro - scripts/base/frameworks/openflow/plugins/__load__.bro - scripts/base/frameworks/openflow/plugins/ryu.bro - scripts/base/utils/json.bro - scripts/base/frameworks/openflow/plugins/log.bro - scripts/base/frameworks/openflow/plugins/broker.bro - scripts/base/frameworks/openflow/non-cluster.bro - scripts/base/frameworks/netcontrol/plugins/packetfilter.bro - scripts/base/frameworks/netcontrol/plugins/broker.bro - scripts/base/frameworks/netcontrol/plugins/acld.bro - scripts/base/frameworks/netcontrol/drop.bro - 
scripts/base/frameworks/netcontrol/shunt.bro - scripts/base/frameworks/netcontrol/catch-and-release.bro - scripts/base/frameworks/netcontrol/non-cluster.bro - scripts/base/frameworks/notice/actions/email_admin.bro - scripts/base/frameworks/notice/actions/page.bro - scripts/base/frameworks/notice/actions/add-geodata.bro - scripts/base/frameworks/notice/actions/pp-alarms.bro - scripts/base/frameworks/dpd/__load__.bro - scripts/base/frameworks/dpd/main.bro - scripts/base/frameworks/signatures/__load__.bro - scripts/base/frameworks/signatures/main.bro - scripts/base/frameworks/packet-filter/__load__.bro - scripts/base/frameworks/packet-filter/main.bro - scripts/base/frameworks/packet-filter/netstats.bro - scripts/base/frameworks/software/__load__.bro - scripts/base/frameworks/software/main.bro - scripts/base/frameworks/intel/__load__.bro - scripts/base/frameworks/intel/main.bro - scripts/base/frameworks/intel/files.bro - scripts/base/frameworks/intel/input.bro - scripts/base/frameworks/config/__load__.bro - scripts/base/frameworks/config/main.bro - scripts/base/frameworks/config/input.bro - scripts/base/frameworks/config/weird.bro - scripts/base/frameworks/sumstats/__load__.bro - scripts/base/frameworks/sumstats/main.bro - scripts/base/frameworks/sumstats/plugins/__load__.bro - scripts/base/frameworks/sumstats/plugins/average.bro - scripts/base/frameworks/sumstats/plugins/hll_unique.bro - scripts/base/frameworks/sumstats/plugins/last.bro - scripts/base/frameworks/sumstats/plugins/max.bro - scripts/base/frameworks/sumstats/plugins/min.bro - scripts/base/frameworks/sumstats/plugins/sample.bro - scripts/base/frameworks/sumstats/plugins/std-dev.bro - scripts/base/frameworks/sumstats/plugins/variance.bro - scripts/base/frameworks/sumstats/plugins/sum.bro - scripts/base/frameworks/sumstats/plugins/topk.bro - scripts/base/frameworks/sumstats/plugins/unique.bro - scripts/base/frameworks/sumstats/non-cluster.bro - scripts/base/frameworks/tunnels/__load__.bro - 
scripts/base/frameworks/tunnels/main.bro - scripts/base/protocols/conn/__load__.bro - scripts/base/protocols/conn/main.bro - scripts/base/protocols/conn/contents.bro - scripts/base/protocols/conn/inactivity.bro - scripts/base/protocols/conn/polling.bro - scripts/base/protocols/conn/thresholds.bro - scripts/base/protocols/dce-rpc/__load__.bro - scripts/base/protocols/dce-rpc/consts.bro - scripts/base/protocols/dce-rpc/main.bro - scripts/base/protocols/dhcp/__load__.bro - scripts/base/protocols/dhcp/consts.bro - scripts/base/protocols/dhcp/main.bro - scripts/base/protocols/dnp3/__load__.bro - scripts/base/protocols/dnp3/main.bro - scripts/base/protocols/dnp3/consts.bro - scripts/base/protocols/dns/__load__.bro - scripts/base/protocols/dns/consts.bro - scripts/base/protocols/dns/main.bro - scripts/base/protocols/ftp/__load__.bro - scripts/base/protocols/ftp/utils-commands.bro - scripts/base/protocols/ftp/info.bro - scripts/base/protocols/ftp/main.bro - scripts/base/protocols/ftp/utils.bro - scripts/base/protocols/ftp/files.bro - scripts/base/protocols/ftp/gridftp.bro - scripts/base/protocols/ssl/__load__.bro - scripts/base/protocols/ssl/consts.bro - scripts/base/protocols/ssl/main.bro - scripts/base/protocols/ssl/mozilla-ca-list.bro - scripts/base/protocols/ssl/ct-list.bro - scripts/base/protocols/ssl/files.bro - scripts/base/files/x509/__load__.bro - scripts/base/files/x509/main.bro - scripts/base/files/hash/__load__.bro - scripts/base/files/hash/main.bro - scripts/base/protocols/http/__load__.bro - scripts/base/protocols/http/main.bro - scripts/base/protocols/http/entities.bro - scripts/base/protocols/http/utils.bro - scripts/base/protocols/http/files.bro - scripts/base/protocols/imap/__load__.bro - scripts/base/protocols/imap/main.bro - scripts/base/protocols/irc/__load__.bro - scripts/base/protocols/irc/main.bro - scripts/base/protocols/irc/dcc-send.bro - scripts/base/protocols/irc/files.bro - scripts/base/protocols/krb/__load__.bro - 
scripts/base/protocols/krb/main.bro - scripts/base/protocols/krb/consts.bro - scripts/base/protocols/krb/files.bro - scripts/base/protocols/modbus/__load__.bro - scripts/base/protocols/modbus/consts.bro - scripts/base/protocols/modbus/main.bro - scripts/base/protocols/mysql/__load__.bro - scripts/base/protocols/mysql/main.bro - scripts/base/protocols/mysql/consts.bro - scripts/base/protocols/ntlm/__load__.bro - scripts/base/protocols/ntlm/main.bro - scripts/base/protocols/pop3/__load__.bro - scripts/base/protocols/radius/__load__.bro - scripts/base/protocols/radius/main.bro - scripts/base/protocols/radius/consts.bro - scripts/base/protocols/rdp/__load__.bro - scripts/base/protocols/rdp/consts.bro - scripts/base/protocols/rdp/main.bro - scripts/base/protocols/rfb/__load__.bro - scripts/base/protocols/rfb/main.bro - scripts/base/protocols/sip/__load__.bro - scripts/base/protocols/sip/main.bro - scripts/base/protocols/snmp/__load__.bro - scripts/base/protocols/snmp/main.bro - scripts/base/protocols/smb/__load__.bro - scripts/base/protocols/smb/consts.bro - scripts/base/protocols/smb/const-dos-error.bro - scripts/base/protocols/smb/const-nt-status.bro - scripts/base/protocols/smb/main.bro - scripts/base/protocols/smb/smb1-main.bro - scripts/base/protocols/smb/smb2-main.bro - scripts/base/protocols/smb/files.bro - scripts/base/protocols/smtp/__load__.bro - scripts/base/protocols/smtp/main.bro - scripts/base/protocols/smtp/entities.bro - scripts/base/protocols/smtp/files.bro - scripts/base/protocols/socks/__load__.bro - scripts/base/protocols/socks/consts.bro - scripts/base/protocols/socks/main.bro - scripts/base/protocols/ssh/__load__.bro - scripts/base/protocols/ssh/main.bro - scripts/base/protocols/syslog/__load__.bro - scripts/base/protocols/syslog/consts.bro - scripts/base/protocols/syslog/main.bro - scripts/base/protocols/tunnels/__load__.bro - scripts/base/protocols/xmpp/__load__.bro - scripts/base/protocols/xmpp/main.bro - scripts/base/files/pe/__load__.bro - 
scripts/base/files/pe/consts.bro - scripts/base/files/pe/main.bro - scripts/base/files/extract/__load__.bro - scripts/base/files/extract/main.bro - scripts/base/files/unified2/__load__.bro - scripts/base/files/unified2/main.bro - scripts/base/misc/find-checksum-offloading.bro - scripts/base/misc/find-filtered-trace.bro - scripts/base/misc/version.bro -scripts/policy/misc/loaded-scripts.bro -#close 2018-09-05-20-33-08 +scripts/base/init-bare.zeek + build/scripts/base/bif/const.bif.zeek + build/scripts/base/bif/types.bif.zeek + build/scripts/base/bif/bro.bif.zeek + build/scripts/base/bif/stats.bif.zeek + build/scripts/base/bif/reporter.bif.zeek + build/scripts/base/bif/strings.bif.zeek + build/scripts/base/bif/option.bif.zeek + build/scripts/base/bif/plugins/Bro_SNMP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_KRB.types.bif.zeek + build/scripts/base/bif/event.bif.zeek +scripts/base/init-frameworks-and-bifs.zeek + scripts/base/frameworks/logging/__load__.zeek + scripts/base/frameworks/logging/main.zeek + build/scripts/base/bif/logging.bif.zeek + scripts/base/frameworks/logging/postprocessors/__load__.zeek + scripts/base/frameworks/logging/postprocessors/scp.zeek + scripts/base/frameworks/logging/postprocessors/sftp.zeek + scripts/base/frameworks/logging/writers/ascii.zeek + scripts/base/frameworks/logging/writers/sqlite.zeek + scripts/base/frameworks/logging/writers/none.zeek + scripts/base/frameworks/broker/__load__.zeek + scripts/base/frameworks/broker/main.zeek + build/scripts/base/bif/comm.bif.zeek + build/scripts/base/bif/messaging.bif.zeek + scripts/base/frameworks/broker/store.zeek + build/scripts/base/bif/data.bif.zeek + build/scripts/base/bif/store.bif.zeek + scripts/base/frameworks/broker/log.zeek + scripts/base/frameworks/input/__load__.zeek + scripts/base/frameworks/input/main.zeek + build/scripts/base/bif/input.bif.zeek + scripts/base/frameworks/input/readers/ascii.zeek + scripts/base/frameworks/input/readers/raw.zeek + 
scripts/base/frameworks/input/readers/benchmark.zeek + scripts/base/frameworks/input/readers/binary.zeek + scripts/base/frameworks/input/readers/config.zeek + scripts/base/frameworks/input/readers/sqlite.zeek + scripts/base/frameworks/analyzer/__load__.zeek + scripts/base/frameworks/analyzer/main.zeek + scripts/base/frameworks/packet-filter/utils.zeek + build/scripts/base/bif/analyzer.bif.zeek + scripts/base/frameworks/files/__load__.zeek + scripts/base/frameworks/files/main.zeek + build/scripts/base/bif/file_analysis.bif.zeek + scripts/base/utils/site.zeek + scripts/base/utils/patterns.zeek + scripts/base/frameworks/files/magic/__load__.zeek + build/scripts/base/bif/__load__.zeek + build/scripts/base/bif/zeexygen.bif.zeek + build/scripts/base/bif/pcap.bif.zeek + build/scripts/base/bif/bloom-filter.bif.zeek + build/scripts/base/bif/cardinality-counter.bif.zeek + build/scripts/base/bif/top-k.bif.zeek + build/scripts/base/bif/plugins/__load__.zeek + build/scripts/base/bif/plugins/Bro_ARP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.zeek + build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.zeek + build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.zeek + build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.zeek + build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DHCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DHCP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_DNP3.events.bif.zeek + build/scripts/base/bif/plugins/Bro_DNS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_File.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Finger.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.zeek + 
build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.zeek + build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.zeek + build/scripts/base/bif/plugins/Bro_HTTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_ICMP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Ident.events.bif.zeek + build/scripts/base/bif/plugins/Bro_IMAP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_InterConn.events.bif.zeek + build/scripts/base/bif/plugins/Bro_IRC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_KRB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Login.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Login.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_MIME.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Modbus.events.bif.zeek + build/scripts/base/bif/plugins/Bro_MySQL.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NCP.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_NTLM.types.bif.zeek + build/scripts/base/bif/plugins/Bro_NTLM.events.bif.zeek + build/scripts/base/bif/plugins/Bro_NTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_POP3.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RDP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RDP.types.bif.zeek + build/scripts/base/bif/plugins/Bro_RFB.events.bif.zeek + build/scripts/base/bif/plugins/Bro_RPC.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SIP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SNMP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.zeek + 
build/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.events.bif.zeek + 
build/scripts/base/bif/plugins/Bro_SMB.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_SMB.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SMTP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SSH.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SSH.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.types.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.events.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_SSL.consts.bif.zeek + build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Syslog.events.bif.zeek + build/scripts/base/bif/plugins/Bro_TCP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_TCP.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_Teredo.events.bif.zeek + build/scripts/base/bif/plugins/Bro_UDP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.zeek + build/scripts/base/bif/plugins/Bro_XMPP.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.zeek + build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_FileHash.events.bif.zeek + build/scripts/base/bif/plugins/Bro_PE.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Unified2.events.bif.zeek + build/scripts/base/bif/plugins/Bro_Unified2.types.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.events.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.types.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.functions.bif.zeek + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.zeek + build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.zeek + build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.zeek + build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.zeek + 
build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.zeek + build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.zeek + build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.zeek + build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.zeek + build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.zeek + build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.zeek +scripts/base/init-default.zeek + scripts/base/utils/active-http.zeek + scripts/base/utils/exec.zeek + scripts/base/utils/addrs.zeek + scripts/base/utils/conn-ids.zeek + scripts/base/utils/dir.zeek + scripts/base/frameworks/reporter/__load__.zeek + scripts/base/frameworks/reporter/main.zeek + scripts/base/utils/paths.zeek + scripts/base/utils/directions-and-hosts.zeek + scripts/base/utils/email.zeek + scripts/base/utils/files.zeek + scripts/base/utils/geoip-distance.zeek + scripts/base/utils/hash_hrw.zeek + scripts/base/utils/numbers.zeek + scripts/base/utils/queue.zeek + scripts/base/utils/strings.zeek + scripts/base/utils/thresholds.zeek + scripts/base/utils/time.zeek + scripts/base/utils/urls.zeek + scripts/base/frameworks/notice/__load__.zeek + scripts/base/frameworks/notice/main.zeek + scripts/base/frameworks/cluster/__load__.zeek + scripts/base/frameworks/cluster/main.zeek + scripts/base/frameworks/control/__load__.zeek + scripts/base/frameworks/control/main.zeek + scripts/base/frameworks/cluster/pools.zeek + scripts/base/frameworks/notice/weird.zeek + scripts/base/frameworks/notice/actions/drop.zeek + scripts/base/frameworks/netcontrol/__load__.zeek + scripts/base/frameworks/netcontrol/types.zeek + scripts/base/frameworks/netcontrol/main.zeek + scripts/base/frameworks/netcontrol/plugin.zeek + scripts/base/frameworks/netcontrol/plugins/__load__.zeek + scripts/base/frameworks/netcontrol/plugins/debug.zeek + scripts/base/frameworks/netcontrol/plugins/openflow.zeek + scripts/base/frameworks/openflow/__load__.zeek + scripts/base/frameworks/openflow/consts.zeek + 
scripts/base/frameworks/openflow/types.zeek + scripts/base/frameworks/openflow/main.zeek + scripts/base/frameworks/openflow/plugins/__load__.zeek + scripts/base/frameworks/openflow/plugins/ryu.zeek + scripts/base/utils/json.zeek + scripts/base/frameworks/openflow/plugins/log.zeek + scripts/base/frameworks/openflow/plugins/broker.zeek + scripts/base/frameworks/openflow/non-cluster.zeek + scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek + scripts/base/frameworks/netcontrol/plugins/broker.zeek + scripts/base/frameworks/netcontrol/plugins/acld.zeek + scripts/base/frameworks/netcontrol/drop.zeek + scripts/base/frameworks/netcontrol/shunt.zeek + scripts/base/frameworks/netcontrol/catch-and-release.zeek + scripts/base/frameworks/netcontrol/non-cluster.zeek + scripts/base/frameworks/notice/actions/email_admin.zeek + scripts/base/frameworks/notice/actions/page.zeek + scripts/base/frameworks/notice/actions/add-geodata.zeek + scripts/base/frameworks/notice/actions/pp-alarms.zeek + scripts/base/frameworks/dpd/__load__.zeek + scripts/base/frameworks/dpd/main.zeek + scripts/base/frameworks/signatures/__load__.zeek + scripts/base/frameworks/signatures/main.zeek + scripts/base/frameworks/packet-filter/__load__.zeek + scripts/base/frameworks/packet-filter/main.zeek + scripts/base/frameworks/packet-filter/netstats.zeek + scripts/base/frameworks/software/__load__.zeek + scripts/base/frameworks/software/main.zeek + scripts/base/frameworks/intel/__load__.zeek + scripts/base/frameworks/intel/main.zeek + scripts/base/frameworks/intel/files.zeek + scripts/base/frameworks/intel/input.zeek + scripts/base/frameworks/config/__load__.zeek + scripts/base/frameworks/config/main.zeek + scripts/base/frameworks/config/input.zeek + scripts/base/frameworks/config/weird.zeek + scripts/base/frameworks/sumstats/__load__.zeek + scripts/base/frameworks/sumstats/main.zeek + scripts/base/frameworks/sumstats/plugins/__load__.zeek + scripts/base/frameworks/sumstats/plugins/average.zeek + 
scripts/base/frameworks/sumstats/plugins/hll_unique.zeek + scripts/base/frameworks/sumstats/plugins/last.zeek + scripts/base/frameworks/sumstats/plugins/max.zeek + scripts/base/frameworks/sumstats/plugins/min.zeek + scripts/base/frameworks/sumstats/plugins/sample.zeek + scripts/base/frameworks/sumstats/plugins/std-dev.zeek + scripts/base/frameworks/sumstats/plugins/variance.zeek + scripts/base/frameworks/sumstats/plugins/sum.zeek + scripts/base/frameworks/sumstats/plugins/topk.zeek + scripts/base/frameworks/sumstats/plugins/unique.zeek + scripts/base/frameworks/sumstats/non-cluster.zeek + scripts/base/frameworks/tunnels/__load__.zeek + scripts/base/frameworks/tunnels/main.zeek + scripts/base/protocols/conn/__load__.zeek + scripts/base/protocols/conn/main.zeek + scripts/base/protocols/conn/contents.zeek + scripts/base/protocols/conn/inactivity.zeek + scripts/base/protocols/conn/polling.zeek + scripts/base/protocols/conn/thresholds.zeek + scripts/base/protocols/dce-rpc/__load__.zeek + scripts/base/protocols/dce-rpc/consts.zeek + scripts/base/protocols/dce-rpc/main.zeek + scripts/base/protocols/dhcp/__load__.zeek + scripts/base/protocols/dhcp/consts.zeek + scripts/base/protocols/dhcp/main.zeek + scripts/base/protocols/dnp3/__load__.zeek + scripts/base/protocols/dnp3/main.zeek + scripts/base/protocols/dnp3/consts.zeek + scripts/base/protocols/dns/__load__.zeek + scripts/base/protocols/dns/consts.zeek + scripts/base/protocols/dns/main.zeek + scripts/base/protocols/ftp/__load__.zeek + scripts/base/protocols/ftp/utils-commands.zeek + scripts/base/protocols/ftp/info.zeek + scripts/base/protocols/ftp/main.zeek + scripts/base/protocols/ftp/utils.zeek + scripts/base/protocols/ftp/files.zeek + scripts/base/protocols/ftp/gridftp.zeek + scripts/base/protocols/ssl/__load__.zeek + scripts/base/protocols/ssl/consts.zeek + scripts/base/protocols/ssl/main.zeek + scripts/base/protocols/ssl/mozilla-ca-list.zeek + scripts/base/protocols/ssl/ct-list.zeek + 
scripts/base/protocols/ssl/files.zeek + scripts/base/files/x509/__load__.zeek + scripts/base/files/x509/main.zeek + scripts/base/files/hash/__load__.zeek + scripts/base/files/hash/main.zeek + scripts/base/protocols/http/__load__.zeek + scripts/base/protocols/http/main.zeek + scripts/base/protocols/http/entities.zeek + scripts/base/protocols/http/utils.zeek + scripts/base/protocols/http/files.zeek + scripts/base/protocols/imap/__load__.zeek + scripts/base/protocols/imap/main.zeek + scripts/base/protocols/irc/__load__.zeek + scripts/base/protocols/irc/main.zeek + scripts/base/protocols/irc/dcc-send.zeek + scripts/base/protocols/irc/files.zeek + scripts/base/protocols/krb/__load__.zeek + scripts/base/protocols/krb/main.zeek + scripts/base/protocols/krb/consts.zeek + scripts/base/protocols/krb/files.zeek + scripts/base/protocols/modbus/__load__.zeek + scripts/base/protocols/modbus/consts.zeek + scripts/base/protocols/modbus/main.zeek + scripts/base/protocols/mysql/__load__.zeek + scripts/base/protocols/mysql/main.zeek + scripts/base/protocols/mysql/consts.zeek + scripts/base/protocols/ntlm/__load__.zeek + scripts/base/protocols/ntlm/main.zeek + scripts/base/protocols/pop3/__load__.zeek + scripts/base/protocols/radius/__load__.zeek + scripts/base/protocols/radius/main.zeek + scripts/base/protocols/radius/consts.zeek + scripts/base/protocols/rdp/__load__.zeek + scripts/base/protocols/rdp/consts.zeek + scripts/base/protocols/rdp/main.zeek + scripts/base/protocols/rfb/__load__.zeek + scripts/base/protocols/rfb/main.zeek + scripts/base/protocols/sip/__load__.zeek + scripts/base/protocols/sip/main.zeek + scripts/base/protocols/snmp/__load__.zeek + scripts/base/protocols/snmp/main.zeek + scripts/base/protocols/smb/__load__.zeek + scripts/base/protocols/smb/consts.zeek + scripts/base/protocols/smb/const-dos-error.zeek + scripts/base/protocols/smb/const-nt-status.zeek + scripts/base/protocols/smb/main.zeek + scripts/base/protocols/smb/smb1-main.zeek + 
scripts/base/protocols/smb/smb2-main.zeek + scripts/base/protocols/smb/files.zeek + scripts/base/protocols/smtp/__load__.zeek + scripts/base/protocols/smtp/main.zeek + scripts/base/protocols/smtp/entities.zeek + scripts/base/protocols/smtp/files.zeek + scripts/base/protocols/socks/__load__.zeek + scripts/base/protocols/socks/consts.zeek + scripts/base/protocols/socks/main.zeek + scripts/base/protocols/ssh/__load__.zeek + scripts/base/protocols/ssh/main.zeek + scripts/base/protocols/syslog/__load__.zeek + scripts/base/protocols/syslog/consts.zeek + scripts/base/protocols/syslog/main.zeek + scripts/base/protocols/tunnels/__load__.zeek + scripts/base/protocols/xmpp/__load__.zeek + scripts/base/protocols/xmpp/main.zeek + scripts/base/files/pe/__load__.zeek + scripts/base/files/pe/consts.zeek + scripts/base/files/pe/main.zeek + scripts/base/files/extract/__load__.zeek + scripts/base/files/extract/main.zeek + scripts/base/files/unified2/__load__.zeek + scripts/base/files/unified2/main.zeek + scripts/base/misc/find-checksum-offloading.zeek + scripts/base/misc/find-filtered-trace.zeek + scripts/base/misc/version.zeek +scripts/policy/misc/loaded-scripts.zeek +#close 2019-04-16-17-02-20 diff --git a/testing/btest/Baseline/coverage.init-default/missing_loads b/testing/btest/Baseline/coverage.init-default/missing_loads index 31966f11c1..893a603972 100644 --- a/testing/btest/Baseline/coverage.init-default/missing_loads +++ b/testing/btest/Baseline/coverage.init-default/missing_loads 
@@ -1,10 +1,10 @@
--./frameworks/cluster/nodes/logger.bro
--./frameworks/cluster/nodes/manager.bro
--./frameworks/cluster/nodes/proxy.bro
--./frameworks/cluster/nodes/worker.bro
--./frameworks/cluster/setup-connections.bro
--./frameworks/intel/cluster.bro
--./frameworks/netcontrol/cluster.bro
--./frameworks/openflow/cluster.bro
--./frameworks/packet-filter/cluster.bro
--./frameworks/sumstats/cluster.bro
+-./frameworks/cluster/nodes/logger.zeek
+-./frameworks/cluster/nodes/manager.zeek
+-./frameworks/cluster/nodes/proxy.zeek
+-./frameworks/cluster/nodes/worker.zeek
+-./frameworks/cluster/setup-connections.zeek
+-./frameworks/intel/cluster.zeek
+-./frameworks/netcontrol/cluster.zeek
+-./frameworks/openflow/cluster.zeek
+-./frameworks/packet-filter/cluster.zeek
+-./frameworks/sumstats/cluster.zeek
diff --git a/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr b/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr
deleted file mode 100644
index da6c357abf..0000000000
--- a/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr
+++ /dev/null
@@ -1,11 +0,0 @@
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 245: deprecated (dhcp_discover)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 248: deprecated (dhcp_offer)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 251: deprecated (dhcp_request)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 254: deprecated (dhcp_decline)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 257: deprecated (dhcp_ack)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 260: deprecated (dhcp_nak)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 263: deprecated (dhcp_release)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.bro, line 266: deprecated (dhcp_inform)
-warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.bro, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/scripts/broxygen/__load__.bro:10 "Use '@load base/protocols/smb' instead"
-error in /Users/jon/projects/bro/bro/scripts/policy/frameworks/control/controller.bro, line 22: The '' control command is unknown.
-, line 1: received termination signal
diff --git a/testing/btest/Baseline/doc.broxygen.example/example.rst b/testing/btest/Baseline/doc.broxygen.example/example.rst
deleted file mode 100644
index d729ab85ee..0000000000
--- a/testing/btest/Baseline/doc.broxygen.example/example.rst
+++ /dev/null
@@ -1,248 +0,0 @@ -:tocdepth: 3 - -broxygen/example.bro -==================== -.. bro:namespace:: BroxygenExample - -This is an example script that demonstrates Broxygen-style -documentation. It generally will make most sense when viewing -the script's raw source code and comparing to the HTML-rendered -version. - -Comments in the from ``##!`` are meant to summarize the script's -purpose. They are transferred directly in to the generated -`reStructuredText `_ -(reST) document associated with the script. - -.. tip:: You can embed directives and roles within ``##``-stylized comments. - -There's also a custom role to reference any identifier node in -the Bro Sphinx domain that's good for "see alsos", e.g. - -See also: :bro:see:`BroxygenExample::a_var`, -:bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` - -And a custom directive does the equivalent references: - -.. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info - -:Namespace: BroxygenExample -:Imports: :doc:`base/frameworks/notice `, :doc:`base/protocols/http `, :doc:`policy/frameworks/software/vulnerable.bro ` - -Summary -~~~~~~~ -Redefinable Options -################### -==================================================================================== ======================================================= -:bro:id:`BroxygenExample::an_option`: :bro:type:`set` :bro:attr:`&redef` Add documentation for "an_option" here. -:bro:id:`BroxygenExample::option_with_init`: :bro:type:`interval` :bro:attr:`&redef` Default initialization will be generated automatically. -==================================================================================== ======================================================= - -State Variables -############### -======================================================================== ======================================================================== -:bro:id:`BroxygenExample::a_var`: :bro:type:`bool` Put some documentation for "a_var" here. 
-:bro:id:`BroxygenExample::summary_test`: :bro:type:`string` The first sentence for a particular identifier's summary text ends here. -:bro:id:`BroxygenExample::var_without_explicit_type`: :bro:type:`string` Types are inferred, that information is self-documenting. -======================================================================== ======================================================================== - -Types -##### -================================================================================= =========================================================== -:bro:type:`BroxygenExample::ComplexRecord`: :bro:type:`record` :bro:attr:`&redef` General documentation for a type "ComplexRecord" goes here. -:bro:type:`BroxygenExample::Info`: :bro:type:`record` An example record to be used with a logging stream. -:bro:type:`BroxygenExample::SimpleEnum`: :bro:type:`enum` Documentation for the "SimpleEnum" type goes here. -:bro:type:`BroxygenExample::SimpleRecord`: :bro:type:`record` General documentation for a type "SimpleRecord" goes here. -================================================================================= =========================================================== - -Redefinitions -############# -============================================================= ==================================================================== -:bro:type:`BroxygenExample::SimpleEnum`: :bro:type:`enum` Document the "SimpleEnum" redef here with any special info regarding - the *redef* itself. -:bro:type:`BroxygenExample::SimpleRecord`: :bro:type:`record` Document the record extension *redef* itself here. 
-:bro:type:`Log::ID`: :bro:type:`enum` -:bro:type:`Notice::Type`: :bro:type:`enum` -============================================================= ==================================================================== - -Events -###### -====================================================== ========================== -:bro:id:`BroxygenExample::an_event`: :bro:type:`event` Summarize "an_event" here. -====================================================== ========================== - -Functions -######### -=========================================================== ======================================= -:bro:id:`BroxygenExample::a_function`: :bro:type:`function` Summarize purpose of "a_function" here. -=========================================================== ======================================= - - -Detailed Interface -~~~~~~~~~~~~~~~~~~ -Redefinable Options -################### -.. bro:id:: BroxygenExample::an_option - - :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`] - :Attributes: :bro:attr:`&redef` - :Default: ``{}`` - - Add documentation for "an_option" here. - The type/attribute information is all generated automatically. - -.. bro:id:: BroxygenExample::option_with_init - - :Type: :bro:type:`interval` - :Attributes: :bro:attr:`&redef` - :Default: ``10.0 msecs`` - - Default initialization will be generated automatically. - More docs can be added here. - -State Variables -############### -.. bro:id:: BroxygenExample::a_var - - :Type: :bro:type:`bool` - - Put some documentation for "a_var" here. Any global/non-const that - isn't a function/event/hook is classified as a "state variable" - in the generated docs. - -.. bro:id:: BroxygenExample::summary_test - - :Type: :bro:type:`string` - - The first sentence for a particular identifier's summary text ends here. - And this second sentence doesn't show in the short description provided - by the table of all identifiers declared by this script. - -.. 
bro:id:: BroxygenExample::var_without_explicit_type - - :Type: :bro:type:`string` - :Default: ``"this works"`` - - Types are inferred, that information is self-documenting. - -Types -##### -.. bro:type:: BroxygenExample::ComplexRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field3: :bro:type:`BroxygenExample::SimpleRecord` - Broxygen automatically tracks types - and cross-references are automatically - inserted in to generated docs. - - msg: :bro:type:`string` :bro:attr:`&default` = ``"blah"`` :bro:attr:`&optional` - Attributes are self-documenting. - :Attributes: :bro:attr:`&redef` - - General documentation for a type "ComplexRecord" goes here. - -.. bro:type:: BroxygenExample::Info - - :Type: :bro:type:`record` - - ts: :bro:type:`time` :bro:attr:`&log` - - uid: :bro:type:`string` :bro:attr:`&log` - - status: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional` - - An example record to be used with a logging stream. - Nothing special about it. If another script redefs this type - to add fields, the generated documentation will show all original - fields plus the extensions and the scripts which contributed to it - (provided they are also @load'ed). - -.. bro:type:: BroxygenExample::SimpleEnum - - :Type: :bro:type:`enum` - - .. bro:enum:: BroxygenExample::ONE BroxygenExample::SimpleEnum - - Documentation for particular enum values is added like this. - And can also span multiple lines. - - .. bro:enum:: BroxygenExample::TWO BroxygenExample::SimpleEnum - - Or this style is valid to document the preceding enum value. - - .. bro:enum:: BroxygenExample::THREE BroxygenExample::SimpleEnum - - .. bro:enum:: BroxygenExample::FOUR BroxygenExample::SimpleEnum - - And some documentation for "FOUR". - - .. bro:enum:: BroxygenExample::FIVE BroxygenExample::SimpleEnum - - Also "FIVE". - - Documentation for the "SimpleEnum" type goes here. - It can span multiple lines. - -.. 
bro:type:: BroxygenExample::SimpleRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field_ext: :bro:type:`string` :bro:attr:`&optional` - Document the extending field like this. - Or here, like this. - - General documentation for a type "SimpleRecord" goes here. - The way fields can be documented is similar to what's already seen - for enums. - -Events -###### -.. bro:id:: BroxygenExample::an_event - - :Type: :bro:type:`event` (name: :bro:type:`string`) - - Summarize "an_event" here. - Give more details about "an_event" here. - - BroxygenExample::a_function should not be confused as a parameter - in the generated docs, but it also doesn't generate a cross-reference - link. Use the see role instead: :bro:see:`BroxygenExample::a_function`. - - - :name: Describe the argument here. - -Functions -######### -.. bro:id:: BroxygenExample::a_function - - :Type: :bro:type:`function` (tag: :bro:type:`string`, msg: :bro:type:`string`) : :bro:type:`string` - - Summarize purpose of "a_function" here. - Give more details about "a_function" here. - Separating the documentation of the params/return values with - empty comments is optional, but improves readability of script. - - - :tag: Function arguments can be described - like this. - - - :msg: Another param. - - - :returns: Describe the return type here. - - diff --git a/testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst b/testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst deleted file mode 100644 index 06f196b73c..0000000000 --- a/testing/btest/Baseline/doc.broxygen.func-params/autogen-reST-func-params.rst +++ /dev/null 
@@ -1,30 +0,0 @@
-.. bro:id:: test_func_params_func
-
- :Type: :bro:type:`function` (i: :bro:type:`int`, j: :bro:type:`int`) : :bro:type:`string`
-
- This is a global function declaration.
-
-
- :i: First param.
-
- :j: Second param.
-
-
- :returns: A string.
-
-.. bro:type:: test_func_params_rec
-
- :Type: :bro:type:`record`
-
- field_func: :bro:type:`function` (i: :bro:type:`int`, j: :bro:type:`int`) : :bro:type:`string`
- This is a record field function.
-
-
- :i: First param.
-
- :j: Second param.
-
-
- :returns: A string.
-
-
diff --git a/testing/btest/Baseline/doc.broxygen.identifier/test.rst b/testing/btest/Baseline/doc.broxygen.identifier/test.rst
deleted file mode 100644
index 0c7c44581d..0000000000
--- a/testing/btest/Baseline/doc.broxygen.identifier/test.rst
+++ /dev/null
@@ -1,230 +0,0 @@ -.. bro:id:: BroxygenExample::Broxygen_One - - :Type: :bro:type:`Notice::Type` - - Any number of this type of comment - will document "Broxygen_One". - -.. bro:id:: BroxygenExample::Broxygen_Two - - :Type: :bro:type:`Notice::Type` - - Any number of this type of comment - will document "BROXYGEN_TWO". - -.. bro:id:: BroxygenExample::Broxygen_Three - - :Type: :bro:type:`Notice::Type` - - -.. bro:id:: BroxygenExample::Broxygen_Four - - :Type: :bro:type:`Notice::Type` - - Omitting comments is fine, and so is mixing ``##`` and ``##<``, but - it's probably best to use only one style consistently. - -.. bro:id:: BroxygenExample::LOG - - :Type: :bro:type:`Log::ID` - - -.. bro:type:: BroxygenExample::SimpleEnum - - :Type: :bro:type:`enum` - - .. bro:enum:: BroxygenExample::ONE BroxygenExample::SimpleEnum - - Documentation for particular enum values is added like this. - And can also span multiple lines. - - .. bro:enum:: BroxygenExample::TWO BroxygenExample::SimpleEnum - - Or this style is valid to document the preceding enum value. - - .. bro:enum:: BroxygenExample::THREE BroxygenExample::SimpleEnum - - .. bro:enum:: BroxygenExample::FOUR BroxygenExample::SimpleEnum - - And some documentation for "FOUR". - - .. bro:enum:: BroxygenExample::FIVE BroxygenExample::SimpleEnum - - Also "FIVE". - - Documentation for the "SimpleEnum" type goes here. - It can span multiple lines. - -.. bro:id:: BroxygenExample::ONE - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - Documentation for particular enum values is added like this. - And can also span multiple lines. - -.. bro:id:: BroxygenExample::TWO - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - Or this style is valid to document the preceding enum value. - -.. bro:id:: BroxygenExample::THREE - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - -.. bro:id:: BroxygenExample::FOUR - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - And some documentation for "FOUR". - -.. 
bro:id:: BroxygenExample::FIVE - - :Type: :bro:type:`BroxygenExample::SimpleEnum` - - Also "FIVE". - -.. bro:type:: BroxygenExample::SimpleRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field_ext: :bro:type:`string` :bro:attr:`&optional` - Document the extending field like this. - Or here, like this. - - General documentation for a type "SimpleRecord" goes here. - The way fields can be documented is similar to what's already seen - for enums. - -.. bro:type:: BroxygenExample::ComplexRecord - - :Type: :bro:type:`record` - - field1: :bro:type:`count` - Counts something. - - field2: :bro:type:`bool` - Toggles something. - - field3: :bro:type:`BroxygenExample::SimpleRecord` - Broxygen automatically tracks types - and cross-references are automatically - inserted in to generated docs. - - msg: :bro:type:`string` :bro:attr:`&default` = ``"blah"`` :bro:attr:`&optional` - Attributes are self-documenting. - :Attributes: :bro:attr:`&redef` - - General documentation for a type "ComplexRecord" goes here. - -.. bro:type:: BroxygenExample::Info - - :Type: :bro:type:`record` - - ts: :bro:type:`time` :bro:attr:`&log` - - uid: :bro:type:`string` :bro:attr:`&log` - - status: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional` - - An example record to be used with a logging stream. - Nothing special about it. If another script redefs this type - to add fields, the generated documentation will show all original - fields plus the extensions and the scripts which contributed to it - (provided they are also @load'ed). - -.. bro:id:: BroxygenExample::an_option - - :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`] - :Attributes: :bro:attr:`&redef` - :Default: ``{}`` - - Add documentation for "an_option" here. - The type/attribute information is all generated automatically. - -.. 
bro:id:: BroxygenExample::option_with_init - - :Type: :bro:type:`interval` - :Attributes: :bro:attr:`&redef` - :Default: ``10.0 msecs`` - - Default initialization will be generated automatically. - More docs can be added here. - -.. bro:id:: BroxygenExample::a_var - - :Type: :bro:type:`bool` - - Put some documentation for "a_var" here. Any global/non-const that - isn't a function/event/hook is classified as a "state variable" - in the generated docs. - -.. bro:id:: BroxygenExample::var_without_explicit_type - - :Type: :bro:type:`string` - :Default: ``"this works"`` - - Types are inferred, that information is self-documenting. - -.. bro:id:: BroxygenExample::summary_test - - :Type: :bro:type:`string` - - The first sentence for a particular identifier's summary text ends here. - And this second sentence doesn't show in the short description provided - by the table of all identifiers declared by this script. - -.. bro:id:: BroxygenExample::a_function - - :Type: :bro:type:`function` (tag: :bro:type:`string`, msg: :bro:type:`string`) : :bro:type:`string` - - Summarize purpose of "a_function" here. - Give more details about "a_function" here. - Separating the documentation of the params/return values with - empty comments is optional, but improves readability of script. - - - :tag: Function arguments can be described - like this. - - - :msg: Another param. - - - :returns: Describe the return type here. - -.. bro:id:: BroxygenExample::an_event - - :Type: :bro:type:`event` (name: :bro:type:`string`) - - Summarize "an_event" here. - Give more details about "an_event" here. - - BroxygenExample::a_function should not be confused as a parameter - in the generated docs, but it also doesn't generate a cross-reference - link. Use the see role instead: :bro:see:`BroxygenExample::a_function`. - - - :name: Describe the argument here. - -.. bro:id:: BroxygenExample::function_without_proto - - :Type: :bro:type:`function` (tag: :bro:type:`string`) : :bro:type:`string` - - -.. 
bro:type:: BroxygenExample::PrivateRecord
-
- :Type: :bro:type:`record`
-
- field1: :bro:type:`bool`
-
- field2: :bro:type:`count`
-
-
diff --git a/testing/btest/Baseline/doc.broxygen.package_index/test.rst b/testing/btest/Baseline/doc.broxygen.package_index/test.rst
deleted file mode 100644
index f551ab1cd3..0000000000
--- a/testing/btest/Baseline/doc.broxygen.package_index/test.rst
+++ /dev/null
@@ -1,7 +0,0 @@
-:doc:`broxygen `
-
- This package is loaded during the process which automatically generates
- reference documentation for all Bro scripts (i.e. "Broxygen"). Its only
- purpose is to provide an easy way to load all known Bro scripts plus any
- extra scripts needed or used by the documentation process.
-
diff --git a/testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst b/testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst
deleted file mode 100644
index 60d80f6b07..0000000000
--- a/testing/btest/Baseline/doc.broxygen.records/autogen-reST-records.rst
+++ /dev/null
@@ -1,28 +0,0 @@
-.. bro:type:: TestRecord1
-
- :Type: :bro:type:`record`
-
- field1: :bro:type:`bool`
-
- field2: :bro:type:`count`
-
-
-.. bro:type:: TestRecord2
-
- :Type: :bro:type:`record`
-
- A: :bro:type:`count`
- document ``A``
-
- B: :bro:type:`bool`
- document ``B``
-
- C: :bro:type:`TestRecord1`
- and now ``C``
- is a declared type
-
- D: :bro:type:`set` [:bro:type:`count`, :bro:type:`bool`]
- sets/tables should show the index types
-
- Here's the ways records and record fields can be documented.
-
diff --git a/testing/btest/Baseline/doc.broxygen.script_index/test.rst b/testing/btest/Baseline/doc.broxygen.script_index/test.rst
deleted file mode 100644
index dda280facf..0000000000
--- a/testing/btest/Baseline/doc.broxygen.script_index/test.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-.. toctree::
- :maxdepth: 1
-
- broxygen/__load__.bro
- broxygen/example.bro
diff --git a/testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst b/testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst deleted file mode 100644 index 3a26b8adc6..0000000000 --- a/testing/btest/Baseline/doc.broxygen.type-aliases/autogen-reST-type-aliases.rst +++ /dev/null @@ -1,44 +0,0 @@ -.. bro:type:: BroxygenTest::TypeAlias - - :Type: :bro:type:`bool` - - This is just an alias for a builtin type ``bool``. - -.. bro:type:: BroxygenTest::NotTypeAlias - - :Type: :bro:type:`bool` - - This type should get its own comments, not associated w/ TypeAlias. - -.. bro:type:: BroxygenTest::OtherTypeAlias - - :Type: :bro:type:`bool` - - This cross references ``bool`` in the description of its type - instead of ``TypeAlias`` just because it seems more useful -- - one doesn't have to click through the full type alias chain to - find out what the actual type is... - -.. bro:id:: BroxygenTest::a - - :Type: :bro:type:`BroxygenTest::TypeAlias` - - But this should reference a type of ``TypeAlias``. - -.. bro:id:: BroxygenTest::b - - :Type: :bro:type:`BroxygenTest::OtherTypeAlias` - - And this should reference a type of ``OtherTypeAlias``. - -.. bro:type:: BroxygenTest::MyRecord - - :Type: :bro:type:`record` - - f1: :bro:type:`BroxygenTest::TypeAlias` - - f2: :bro:type:`BroxygenTest::OtherTypeAlias` - - f3: :bro:type:`bool` - - diff --git a/testing/btest/Baseline/doc.manual.connection_record_01/.stdout b/testing/btest/Baseline/doc.manual.connection_record_01/.stdout deleted file mode 100644 index 7f134460e3..0000000000 --- a/testing/btest/Baseline/doc.manual.connection_record_01/.stdout +++ /dev/null 
@@ -1,5 +0,0 @@
-[id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={
-
-}, addl=, hot=0, history=ShADadFf, uid=UWkUyAuUGXf, tunnel=, conn=[ts=930613226.067666, uid=UWkUyAuUGXf, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={
-
-}], extract_orig=F, extract_resp=F]
diff --git a/testing/btest/Baseline/doc.manual.connection_record_02/.stdout b/testing/btest/Baseline/doc.manual.connection_record_02/.stdout
deleted file mode 100644
index 824dd03097..0000000000
--- a/testing/btest/Baseline/doc.manual.connection_record_02/.stdout
+++ /dev/null
@@ -1,9 +0,0 @@
-[id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={
-
-}, addl=, hot=0, history=ShADadFf, uid=UWkUyAuUGXf, tunnel=, conn=[ts=930613226.067666, uid=UWkUyAuUGXf, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={
-
-}], extract_orig=F, extract_resp=F, dns=, dns_state=[pending={
-
-}, finished_answers={
-34798
-}]]
diff --git a/testing/btest/Baseline/doc.manual.data_struct_record_01/.stdout b/testing/btest/Baseline/doc.manual.data_struct_record_01/.stdout
deleted file mode 100644
index 4e628b9ae7..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_record_01/.stdout
+++ /dev/null
@@ -1,6 +0,0 @@
-Service: dns(RFC1035)
- port: 53/tcp
- port: 53/udp
-Service: http(RFC2616)
- port: 80/tcp
- port: 8080/tcp
diff --git a/testing/btest/Baseline/doc.manual.data_struct_record_02/.stdout b/testing/btest/Baseline/doc.manual.data_struct_record_02/.stdout
deleted file mode 100644
index 0428764bea..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_record_02/.stdout
+++ /dev/null
@@ -1,7 +0,0 @@
-System: morlock
- Service: dns(RFC1035)
- port: 53/tcp
- port: 53/udp
- Service: http(RFC2616)
- port: 80/tcp
- port: 8080/tcp
diff --git a/testing/btest/Baseline/doc.manual.data_struct_set_declaration/.stdout b/testing/btest/Baseline/doc.manual.data_struct_set_declaration/.stdout
deleted file mode 100644
index d1aa16c7d3..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_set_declaration/.stdout
+++ /dev/null
@@ -1,8 +0,0 @@
-SSL Port: 993/tcp
-SSL Port: 22/tcp
-SSL Port: 587/tcp
-SSL Port: 443/tcp
-Non-SSL Port: 143/tcp
-Non-SSL Port: 25/tcp
-Non-SSL Port: 80/tcp
-Non-SSL Port: 23/tcp
diff --git a/testing/btest/Baseline/doc.manual.data_struct_table_complex/.stdout b/testing/btest/Baseline/doc.manual.data_struct_table_complex/.stdout
deleted file mode 100644
index e22f36a244..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_table_complex/.stdout
+++ /dev/null
@@ -1,4 +0,0 @@
-Kiru was released in 1968 by Toho studios, directed by Kihachi Okamoto and starring Tatsuya Nakadai
-Goyokin was released in 1969 by Fuji studios, directed by Hideo Gosha and starring Tatsuya Nakadai
-Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai
-Tasogare Seibei was released in 2002 by Eisei Gekijo studios, directed by Yoji Yamada and starring Hiroyuki Sanada
diff --git a/testing/btest/Baseline/doc.manual.data_struct_table_declaration/.stdout b/testing/btest/Baseline/doc.manual.data_struct_table_declaration/.stdout
deleted file mode 100644
index 19b1648904..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_table_declaration/.stdout
+++ /dev/null
@@ -1,4 +0,0 @@
-Service Name: IMAPS - Common Port: 993/tcp
-Service Name: HTTPS - Common Port: 443/tcp
-Service Name: SSH - Common Port: 22/tcp
-Service Name: SMTPS - Common Port: 587/tcp
diff --git a/testing/btest/Baseline/doc.manual.data_struct_vector/.stdout b/testing/btest/Baseline/doc.manual.data_struct_vector/.stdout
deleted file mode 100644
index 8348ce7198..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_vector/.stdout
+++ /dev/null
@@ -1,2 +0,0 @@
-[1, 2, 3, 4]
-[1, 2, 3, 4]
diff --git a/testing/btest/Baseline/doc.manual.data_struct_vector_declaration/.stdout b/testing/btest/Baseline/doc.manual.data_struct_vector_declaration/.stdout
deleted file mode 100644
index 48ce5d9c56..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_vector_declaration/.stdout
+++ /dev/null
@@ -1,4 +0,0 @@
-contents of v1: [1, 2, 3, 4]
-length of v1: 4
-contents of v1: [1, 2, 3, 4]
-length of v2: 4
diff --git a/testing/btest/Baseline/doc.manual.data_struct_vector_iter/.stdout b/testing/btest/Baseline/doc.manual.data_struct_vector_iter/.stdout
deleted file mode 100644
index 0326e6580e..0000000000
--- a/testing/btest/Baseline/doc.manual.data_struct_vector_iter/.stdout
+++ /dev/null
@@ -1,3 +0,0 @@
-1.2.0.0/18
-2.3.0.0/18
-3.4.0.0/18
diff --git a/testing/btest/Baseline/doc.manual.data_type_const/.stdout b/testing/btest/Baseline/doc.manual.data_type_const/.stdout
deleted file mode 100644
index 0e49670a83..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_const/.stdout
+++ /dev/null
@@ -1,4 +0,0 @@
-{
-[6666/tcp] = IRC,
-[80/tcp] = WWW
-}
diff --git a/testing/btest/Baseline/doc.manual.data_type_declaration/.stdout b/testing/btest/Baseline/doc.manual.data_type_declaration/.stdout
deleted file mode 100644
index a6f28b5e52..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_declaration/.stdout
+++ /dev/null
@@ -1 +0,0 @@
-A: 10, B: 10
diff --git a/testing/btest/Baseline/doc.manual.data_type_interval/.stdout b/testing/btest/Baseline/doc.manual.data_type_interval/.stdout
deleted file mode 100644
index 1cd5999711..0000000000
--- a/testing/btest/Baseline/doc.manual.data_type_interval/.stdout
+++ /dev/null
@@ -1,15 +0,0 @@ -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118 -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 - Time since last connection: 132.0 msecs 97.0 usecs -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 - Time since last connection: 177.0 usecs -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 - Time since last connection: 2.0 msecs 177.0 usecs -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 - Time since last connection: 33.0 msecs 898.0 usecs -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 - Time since last connection: 35.0 usecs -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 - Time since last connection: 2.0 msecs 532.0 usecs -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2 - Time since last connection: 7.0 msecs 866.0 usecs diff --git a/testing/btest/Baseline/doc.manual.data_type_local/.stdout b/testing/btest/Baseline/doc.manual.data_type_local/.stdout deleted file mode 100644 index e150c0b19d..0000000000 --- a/testing/btest/Baseline/doc.manual.data_type_local/.stdout +++ /dev/null @@ -1 +0,0 @@ -i + 2 = 12 diff --git a/testing/btest/Baseline/doc.manual.data_type_pattern_01/.stdout b/testing/btest/Baseline/doc.manual.data_type_pattern_01/.stdout deleted file mode 100644 index 11358a776e..0000000000 --- a/testing/btest/Baseline/doc.manual.data_type_pattern_01/.stdout +++ /dev/null @@ -1,3 +0,0 @@ -The - brown fox jumped over the - dog. diff --git a/testing/btest/Baseline/doc.manual.data_type_pattern_02/.stdout b/testing/btest/Baseline/doc.manual.data_type_pattern_02/.stdout deleted file mode 100644 index 808dc3d572..0000000000 --- a/testing/btest/Baseline/doc.manual.data_type_pattern_02/.stdout +++ /dev/null 
@@ -1,2 +0,0 @@ -equality and /^?(equal)$?/ are not equal -equality and /^?(equality)$?/ are equal diff --git a/testing/btest/Baseline/doc.manual.data_type_subnets/.stdout b/testing/btest/Baseline/doc.manual.data_type_subnets/.stdout deleted file mode 100644 index facaaabe64..0000000000 --- a/testing/btest/Baseline/doc.manual.data_type_subnets/.stdout +++ /dev/null @@ -1,4 +0,0 @@ -172.16.4.56 belongs to subnet 172.16.0.0/20 -172.16.47.254 belongs to subnet 172.16.32.0/20 -172.16.22.45 belongs to subnet 172.16.16.0/20 -172.16.1.1 belongs to subnet 172.16.0.0/20 diff --git a/testing/btest/Baseline/doc.manual.data_type_time/.stdout b/testing/btest/Baseline/doc.manual.data_type_time/.stdout deleted file mode 100644 index 149cb40e2a..0000000000 --- a/testing/btest/Baseline/doc.manual.data_type_time/.stdout +++ /dev/null @@ -1,8 +0,0 @@ -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118^J -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J -2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2^J diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_01/.stdout b/testing/btest/Baseline/doc.manual.framework_logging_factorial_01/.stdout deleted file mode 100644 index db47b283d0..0000000000 --- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_01/.stdout +++ /dev/null @@ -1,10 +0,0 @@ -1 -2 -6 -24 -120 -720 -5040 -40320 -362880 -3628800 
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_02/factor.log b/testing/btest/Baseline/doc.manual.framework_logging_factorial_02/factor.log
deleted file mode 100644
index c643116265..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_02/factor.log
+++ /dev/null
@@ -1,19 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path factor
-#open 2013-03-19-03-25-33
-#fields num factorial_num
-#types count count
-1 1
-2 2
-3 6
-4 24
-5 120
-6 720
-7 5040
-8 40320
-9 362880
-10 3628800
-#close 2013-03-19-03-25-33
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-mod5.log b/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-mod5.log
deleted file mode 100644
index 2a466484d6..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-mod5.log
+++ /dev/null
@@ -1,15 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path factor-mod5
-#open 2013-03-20-03-22-52
-#fields num factorial_num
-#types count count
-5 120
-6 720
-7 5040
-8 40320
-9 362880
-10 3628800
-#close 2013-03-20-03-22-52
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-non5.log b/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-non5.log
deleted file mode 100644
index 4430dcc8a4..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_03/factor-non5.log
+++ /dev/null
@@ -1,13 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path factor-non5
-#open 2013-03-20-03-22-52
-#fields num factorial_num
-#types count count
-1 1
-2 2
-3 6
-4 24
-#close 2013-03-20-03-22-52
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-mod5.log b/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-mod5.log
deleted file mode 100644
index 6b50ca55e7..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-mod5.log
+++ /dev/null
@@ -1,15 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path factor-mod5
-#open 2013-03-25-02-00-12
-#fields num factorial_num
-#types count count
-5 120
-6 720
-7 5040
-8 40320
-9 362880
-10 3628800
-#close 2013-03-25-02-00-12
diff --git a/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-non5.log b/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-non5.log
deleted file mode 100644
index d272ba48a9..0000000000
--- a/testing/btest/Baseline/doc.manual.framework_logging_factorial_04/factor-non5.log
+++ /dev/null
@@ -1,13 +0,0 @@
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path factor-non5
-#open 2013-03-25-02-00-12
-#fields num factorial_num
-#types count count
-1 1
-2 2
-3 6
-4 24
-#close 2013-03-25-02-00-12
diff --git a/testing/btest/Baseline/doc.manual.framework_notice_hook_01/.stdout b/testing/btest/Baseline/doc.manual.framework_notice_hook_01/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.framework_notice_hook_suppression_01/.stdout b/testing/btest/Baseline/doc.manual.framework_notice_hook_suppression_01/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.framework_notice_shortcuts_01/.stdout b/testing/btest/Baseline/doc.manual.framework_notice_shortcuts_01/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.framework_notice_shortcuts_02/.stdout b/testing/btest/Baseline/doc.manual.framework_notice_shortcuts_02/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/.stdout b/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/.stdout
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log
deleted file mode 100644
index 6eb08725f5..0000000000
--- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log
+++ /dev/null
@@ -1,43 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path conn -#open 2013-05-05-20-51-24 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents -#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] -1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 73 0 0 - -1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - 0 D 1 199 0 0 - -1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - 0 D 1 179 0 0 - -1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - 0 Dd 1 66 1 117 - -1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - 0 Dd 1 80 1 127 - -1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - 0 Dd 1 66 1 211 - -1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - 0 Dd 1 66 1 117 - -1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - 0 Dd 1 80 1 127 - -1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - 0 Dd 1 66 1 211 - -1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - 0 Dd 1 66 1 117 - -1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - 0 Dd 1 80 1 127 - -1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - 0 Dd 1 66 1 211 - -1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - 0 Dd 1 66 1 117 - -1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp 
dns 0.000317 52 99 SF - 0 Dd 1 80 1 127 - -1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - 0 Dd 1 66 1 211 - -1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - 0 Dd 1 64 1 159 - -1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - 0 Dd 1 64 1 226 - -1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 85 0 0 - -1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - 0 D 7 546 0 0 - -1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - 0 D 2 162 0 0 - -1300475171.677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - 0 D 2 122 0 0 - -1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - 0 D 2 162 0 0 - -1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - 0 D 2 122 0 0 - -1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - 0 D 1 78 0 0 - -1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - 0 ShADad 6 1450 4 950 - -1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - 0 DdA 2 567 1 402 - -1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - 0 ShADad 6 1498 4 950 - -1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - 0 ShADad 4 750 3 576 - -1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - 0 ShADad 6 1468 4 950 - -1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - 0 ShADad 6 1491 4 949 - -1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 
0.220961 1137 733 S1 - 0 ShADad 6 1457 4 949 - -1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - 0 h 0 0 1 48 - -1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - 0 ShADad 4 741 3 396 - -1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - 0 ShADad 6 1445 4 950 - -#close 2013-05-05-20-51-24 diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/http.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/http.log deleted file mode 100644 index 617c1f0e6e..0000000000 --- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/http.log +++ /dev/null 
@@ -1,23 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path http -#open 2013-05-05-21-12-40 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1300475168.784020 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.916018 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.916183 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.918358 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.952307 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org 
/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.952296 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.954820 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.962687 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.975934 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.976436 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.979264 GSxOnSLghOa 141.142.220.118 49998 
208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475169.014619 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475169.014593 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475169.014927 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -#close 2013-05-05-21-12-40 diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log deleted file mode 100644 index cc68286986..0000000000 --- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log +++ /dev/null 
@@ -1,15 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path conn -#open 2013-05-07-14-38-27 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents -#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] -1320329757.771503 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 tcp http 15.161537 2899 1127 S2 - 0 ShADadF 20 3719 19 1891 - -1320329757.771262 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 tcp http 15.161772 889 377 S2 - 0 ShADadF 8 1229 8 701 - -1320329757.761327 arKYeMETxOg 10.0.2.15 49283 192.150.187.43 80 tcp http 15.168898 459 189 S2 - 0 ShADadF 5 679 4 353 - -1320329757.458867 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 tcp http 15.471378 1824 751 S2 - 0 ShADadF 12 2324 13 1275 - -1320329757.761638 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 tcp http 15.168613 898 376 S2 - 0 ShADadF 8 1238 8 700 - -1320329757.771755 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 tcp http 15.161267 900 376 S2 - 0 ShADadF 8 1240 8 700 - -#close 2013-05-07-14-38-27 diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/http.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/http.log deleted file mode 100644 index 031a9ce2ce..0000000000 --- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/http.log +++ /dev/null 
@@ -1,26 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path http -#open 2013-05-07-14-38-27 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1320329757.460004 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 1 GET bro-ids.org / - Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.772457 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 2 GET bro-ids.org /css/pygments.css http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.874406 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 3 GET bro-ids.org /js/jquery.zrssfeed.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.775110 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 1 GET bro-ids.org /css/960.css http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.776072 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 1 GET bro-ids.org /js/jquery.cycle.all.min.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.776421 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 1 GET bro-ids.org /js/jquery.tweet.js 
http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.776240 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 1 GET bro-ids.org /js/jquery.fancybox-1.3.4.pack.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.775251 arKYeMETxOg 10.0.2.15 49283 192.150.187.43 80 1 GET bro-ids.org /css/bro-ids.css http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.975651 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 4 GET bro-ids.org /js/jquery.tableofcontents.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.979943 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 2 GET bro-ids.org /js/superfish.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.985656 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 2 GET bro-ids.org /js/hoverIntent.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.989904 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 2 GET bro-ids.org /js/general.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329757.991315 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 2 GET bro-ids.org /js/jquery.collapse.js http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) 
Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329758.172397 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 3 GET bro-ids.org /css/print.css http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329759.998388 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 4 GET bro-ids.org /documentation/index.html http://bro-ids.org/ Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329760.146412 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 5 GET bro-ids.org /js/breadcrumbs.js http://bro-ids.org/documentation/index.html Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -1320329762.971726 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 6 GET bro-ids.org /documentation/reporting-problems.html http://bro-ids.org/documentation/index.html Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2 0 0 304 Not Modified - - - (empty) - - - - - - -#close 2013-05-07-14-38-27 diff --git a/testing/btest/Baseline/doc.zeexygen.all_scripts/.stderr b/testing/btest/Baseline/doc.zeexygen.all_scripts/.stderr new file mode 100644 index 0000000000..177214239c --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.all_scripts/.stderr 
@@ -0,0 +1,11 @@
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 245: deprecated (dhcp_discover)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 248: deprecated (dhcp_offer)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 251: deprecated (dhcp_request)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 254: deprecated (dhcp_decline)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 257: deprecated (dhcp_ack)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 260: deprecated (dhcp_nak)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 263: deprecated (dhcp_release)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/dhcp/deprecated_events.zeek, line 266: deprecated (dhcp_inform)
+warning in /Users/jon/projects/bro/bro/scripts/policy/protocols/smb/__load__.zeek, line 1: deprecated script loaded from /Users/jon/projects/bro/bro/scripts/broxygen/__load__.zeek:10 "Use '@load base/protocols/smb' instead"
+error in /Users/jon/projects/bro/bro/scripts/policy/frameworks/control/controller.zeek, line 22: The '' control command is unknown.
+, line 1: received termination signal
diff --git a/testing/btest/Baseline/doc.broxygen.all_scripts/.stdout b/testing/btest/Baseline/doc.zeexygen.all_scripts/.stdout
similarity index 100%
rename from testing/btest/Baseline/doc.broxygen.all_scripts/.stdout
rename to testing/btest/Baseline/doc.zeexygen.all_scripts/.stdout
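Review bot: Every line of the new `.stderr` baseline embeds a developer-specific absolute path (`/Users/jon/projects/bro/bro/...`), so the test can only match on that one checkout unless the btest diff step canonifies paths before comparing; the test's diff setup is not in this hunk, so please confirm it strips or normalizes those prefixes, or regenerate the baseline with the canonifier applied. The smb warning also still points at `scripts/broxygen/__load__.zeek`, which looks like it was captured before the Broxygen-to-Zeexygen rename this commit performs, so the baseline may already be stale against the renamed tree. The trailing `, line 1: received termination signal` line with an empty location and the `The '' control command is unknown.` error read as artifacts of how the test drives the controller script rather than expected documentation output; if they are incidental, a short comment in the test explaining why they are baselined would help the next person who has to update it.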
diff --git a/testing/btest/Baseline/doc.broxygen.command_line/output b/testing/btest/Baseline/doc.zeexygen.command_line/output similarity index 100% rename from testing/btest/Baseline/doc.broxygen.command_line/output rename to testing/btest/Baseline/doc.zeexygen.command_line/output diff --git a/testing/btest/Baseline/doc.broxygen.comment_retrieval_bifs/out b/testing/btest/Baseline/doc.zeexygen.comment_retrieval_bifs/out similarity index 100% rename from testing/btest/Baseline/doc.broxygen.comment_retrieval_bifs/out rename to testing/btest/Baseline/doc.zeexygen.comment_retrieval_bifs/out diff --git a/testing/btest/Baseline/doc.broxygen.enums/autogen-reST-enums.rst b/testing/btest/Baseline/doc.zeexygen.enums/autogen-reST-enums.rst similarity index 51% rename from testing/btest/Baseline/doc.broxygen.enums/autogen-reST-enums.rst rename to testing/btest/Baseline/doc.zeexygen.enums/autogen-reST-enums.rst index c98d2792df..1cc82fbbe7 100644 --- a/testing/btest/Baseline/doc.broxygen.enums/autogen-reST-enums.rst +++ b/testing/btest/Baseline/doc.zeexygen.enums/autogen-reST-enums.rst @@ -1,47 +1,47 @@ -.. bro:type:: TestEnum1 +.. zeek:type:: TestEnum1 - :Type: :bro:type:`enum` + :Type: :zeek:type:`enum` - .. bro:enum:: ONE TestEnum1 + .. zeek:enum:: ONE TestEnum1 like this - .. bro:enum:: TWO TestEnum1 + .. zeek:enum:: TWO TestEnum1 or like this - .. bro:enum:: THREE TestEnum1 + .. zeek:enum:: THREE TestEnum1 multiple comments and even more comments - .. bro:enum:: FOUR TestEnum1 + .. zeek:enum:: FOUR TestEnum1 adding another value - .. bro:enum:: FIVE TestEnum1 + .. zeek:enum:: FIVE TestEnum1 adding another value There's tons of ways an enum can look... -.. bro:type:: TestEnum2 +.. zeek:type:: TestEnum2 - :Type: :bro:type:`enum` + :Type: :zeek:type:`enum` - .. bro:enum:: A TestEnum2 + .. zeek:enum:: A TestEnum2 like this - .. bro:enum:: B TestEnum2 + .. zeek:enum:: B TestEnum2 or like this - .. bro:enum:: C TestEnum2 + .. zeek:enum:: C TestEnum2 multiple comments 
@@ -50,10 +50,10 @@ The final comma is optional -.. bro:id:: TestEnumVal +.. zeek:id:: TestEnumVal - :Type: :bro:type:`TestEnum1` - :Attributes: :bro:attr:`&redef` + :Type: :zeek:type:`TestEnum1` + :Attributes: :zeek:attr:`&redef` :Default: ``ONE`` this should reference the TestEnum1 type and not a generic "enum" type diff --git a/testing/btest/Baseline/doc.zeexygen.example/example.rst b/testing/btest/Baseline/doc.zeexygen.example/example.rst new file mode 100644 index 0000000000..4ea8dfe0c3 --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.example/example.rst 
@@ -0,0 +1,248 @@ +:tocdepth: 3 + +zeexygen/example.zeek +===================== +.. zeek:namespace:: ZeexygenExample + +This is an example script that demonstrates Zeexygen-style +documentation. It generally will make most sense when viewing +the script's raw source code and comparing to the HTML-rendered +version. + +Comments in the from ``##!`` are meant to summarize the script's +purpose. They are transferred directly in to the generated +`reStructuredText `_ +(reST) document associated with the script. + +.. tip:: You can embed directives and roles within ``##``-stylized comments. + +There's also a custom role to reference any identifier node in +the Zeek Sphinx domain that's good for "see alsos", e.g. + +See also: :zeek:see:`ZeexygenExample::a_var`, +:zeek:see:`ZeexygenExample::ONE`, :zeek:see:`SSH::Info` + +And a custom directive does the equivalent references: + +.. zeek:see:: ZeexygenExample::a_var ZeexygenExample::ONE SSH::Info + +:Namespace: ZeexygenExample +:Imports: :doc:`base/frameworks/notice `, :doc:`base/protocols/http `, :doc:`policy/frameworks/software/vulnerable.zeek ` + +Summary +~~~~~~~ +Redefinable Options +################### +======================================================================================= ======================================================= +:zeek:id:`ZeexygenExample::an_option`: :zeek:type:`set` :zeek:attr:`&redef` Add documentation for "an_option" here. +:zeek:id:`ZeexygenExample::option_with_init`: :zeek:type:`interval` :zeek:attr:`&redef` Default initialization will be generated automatically. +======================================================================================= ======================================================= + +State Variables +############### +========================================================================== ======================================================================== +:zeek:id:`ZeexygenExample::a_var`: :zeek:type:`bool` Put some documentation for "a_var" here. 
+:zeek:id:`ZeexygenExample::summary_test`: :zeek:type:`string` The first sentence for a particular identifier's summary text ends here. +:zeek:id:`ZeexygenExample::var_without_explicit_type`: :zeek:type:`string` Types are inferred, that information is self-documenting. +========================================================================== ======================================================================== + +Types +##### +==================================================================================== =========================================================== +:zeek:type:`ZeexygenExample::ComplexRecord`: :zeek:type:`record` :zeek:attr:`&redef` General documentation for a type "ComplexRecord" goes here. +:zeek:type:`ZeexygenExample::Info`: :zeek:type:`record` An example record to be used with a logging stream. +:zeek:type:`ZeexygenExample::SimpleEnum`: :zeek:type:`enum` Documentation for the "SimpleEnum" type goes here. +:zeek:type:`ZeexygenExample::SimpleRecord`: :zeek:type:`record` General documentation for a type "SimpleRecord" goes here. +==================================================================================== =========================================================== + +Redefinitions +############# +=============================================================== ==================================================================== +:zeek:type:`Log::ID`: :zeek:type:`enum` +:zeek:type:`Notice::Type`: :zeek:type:`enum` +:zeek:type:`ZeexygenExample::SimpleEnum`: :zeek:type:`enum` Document the "SimpleEnum" redef here with any special info regarding + the *redef* itself. +:zeek:type:`ZeexygenExample::SimpleRecord`: :zeek:type:`record` Document the record extension *redef* itself here. 
+=============================================================== ==================================================================== + +Events +###### +======================================================== ========================== +:zeek:id:`ZeexygenExample::an_event`: :zeek:type:`event` Summarize "an_event" here. +======================================================== ========================== + +Functions +######### +============================================================= ======================================= +:zeek:id:`ZeexygenExample::a_function`: :zeek:type:`function` Summarize purpose of "a_function" here. +============================================================= ======================================= + + +Detailed Interface +~~~~~~~~~~~~~~~~~~ +Redefinable Options +################### +.. zeek:id:: ZeexygenExample::an_option + + :Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`addr`, :zeek:type:`string`] + :Attributes: :zeek:attr:`&redef` + :Default: ``{}`` + + Add documentation for "an_option" here. + The type/attribute information is all generated automatically. + +.. zeek:id:: ZeexygenExample::option_with_init + + :Type: :zeek:type:`interval` + :Attributes: :zeek:attr:`&redef` + :Default: ``10.0 msecs`` + + Default initialization will be generated automatically. + More docs can be added here. + +State Variables +############### +.. zeek:id:: ZeexygenExample::a_var + + :Type: :zeek:type:`bool` + + Put some documentation for "a_var" here. Any global/non-const that + isn't a function/event/hook is classified as a "state variable" + in the generated docs. + +.. zeek:id:: ZeexygenExample::summary_test + + :Type: :zeek:type:`string` + + The first sentence for a particular identifier's summary text ends here. + And this second sentence doesn't show in the short description provided + by the table of all identifiers declared by this script. + +.. 
zeek:id:: ZeexygenExample::var_without_explicit_type + + :Type: :zeek:type:`string` + :Default: ``"this works"`` + + Types are inferred, that information is self-documenting. + +Types +##### +.. zeek:type:: ZeexygenExample::ComplexRecord + + :Type: :zeek:type:`record` + + field1: :zeek:type:`count` + Counts something. + + field2: :zeek:type:`bool` + Toggles something. + + field3: :zeek:type:`ZeexygenExample::SimpleRecord` + Zeexygen automatically tracks types + and cross-references are automatically + inserted in to generated docs. + + msg: :zeek:type:`string` :zeek:attr:`&default` = ``"blah"`` :zeek:attr:`&optional` + Attributes are self-documenting. + :Attributes: :zeek:attr:`&redef` + + General documentation for a type "ComplexRecord" goes here. + +.. zeek:type:: ZeexygenExample::Info + + :Type: :zeek:type:`record` + + ts: :zeek:type:`time` :zeek:attr:`&log` + + uid: :zeek:type:`string` :zeek:attr:`&log` + + status: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional` + + An example record to be used with a logging stream. + Nothing special about it. If another script redefs this type + to add fields, the generated documentation will show all original + fields plus the extensions and the scripts which contributed to it + (provided they are also @load'ed). + +.. zeek:type:: ZeexygenExample::SimpleEnum + + :Type: :zeek:type:`enum` + + .. zeek:enum:: ZeexygenExample::ONE ZeexygenExample::SimpleEnum + + Documentation for particular enum values is added like this. + And can also span multiple lines. + + .. zeek:enum:: ZeexygenExample::TWO ZeexygenExample::SimpleEnum + + Or this style is valid to document the preceding enum value. + + .. zeek:enum:: ZeexygenExample::THREE ZeexygenExample::SimpleEnum + + .. zeek:enum:: ZeexygenExample::FOUR ZeexygenExample::SimpleEnum + + And some documentation for "FOUR". + + .. zeek:enum:: ZeexygenExample::FIVE ZeexygenExample::SimpleEnum + + Also "FIVE". + + Documentation for the "SimpleEnum" type goes here. 
+ It can span multiple lines. + +.. zeek:type:: ZeexygenExample::SimpleRecord + + :Type: :zeek:type:`record` + + field1: :zeek:type:`count` + Counts something. + + field2: :zeek:type:`bool` + Toggles something. + + field_ext: :zeek:type:`string` :zeek:attr:`&optional` + Document the extending field like this. + Or here, like this. + + General documentation for a type "SimpleRecord" goes here. + The way fields can be documented is similar to what's already seen + for enums. + +Events +###### +.. zeek:id:: ZeexygenExample::an_event + + :Type: :zeek:type:`event` (name: :zeek:type:`string`) + + Summarize "an_event" here. + Give more details about "an_event" here. + + ZeexygenExample::a_function should not be confused as a parameter + in the generated docs, but it also doesn't generate a cross-reference + link. Use the see role instead: :zeek:see:`ZeexygenExample::a_function`. + + + :name: Describe the argument here. + +Functions +######### +.. zeek:id:: ZeexygenExample::a_function + + :Type: :zeek:type:`function` (tag: :zeek:type:`string`, msg: :zeek:type:`string`) : :zeek:type:`string` + + Summarize purpose of "a_function" here. + Give more details about "a_function" here. + Separating the documentation of the params/return values with + empty comments is optional, but improves readability of script. + + + :tag: Function arguments can be described + like this. + + + :msg: Another param. + + + :returns: Describe the return type here. + + diff --git a/testing/btest/Baseline/doc.zeexygen.func-params/autogen-reST-func-params.rst b/testing/btest/Baseline/doc.zeexygen.func-params/autogen-reST-func-params.rst new file mode 100644 index 0000000000..cd0b7871d4 --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.func-params/autogen-reST-func-params.rst 
@@ -0,0 +1,30 @@ +.. zeek:id:: test_func_params_func + + :Type: :zeek:type:`function` (i: :zeek:type:`int`, j: :zeek:type:`int`) : :zeek:type:`string` + + This is a global function declaration. + + + :i: First param. + + :j: Second param. + + + :returns: A string. + +.. zeek:type:: test_func_params_rec + + :Type: :zeek:type:`record` + + field_func: :zeek:type:`function` (i: :zeek:type:`int`, j: :zeek:type:`int`) : :zeek:type:`string` + This is a record field function. + + + :i: First param. + + :j: Second param. + + + :returns: A string. + + diff --git a/testing/btest/Baseline/doc.zeexygen.identifier/test.rst b/testing/btest/Baseline/doc.zeexygen.identifier/test.rst new file mode 100644 index 0000000000..128e1c6a5f --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.identifier/test.rst 
@@ -0,0 +1,230 @@ +.. zeek:id:: ZeexygenExample::Zeexygen_One + + :Type: :zeek:type:`Notice::Type` + + Any number of this type of comment + will document "Zeexygen_One". + +.. zeek:id:: ZeexygenExample::Zeexygen_Two + + :Type: :zeek:type:`Notice::Type` + + Any number of this type of comment + will document "ZEEXYGEN_TWO". + +.. zeek:id:: ZeexygenExample::Zeexygen_Three + + :Type: :zeek:type:`Notice::Type` + + +.. zeek:id:: ZeexygenExample::Zeexygen_Four + + :Type: :zeek:type:`Notice::Type` + + Omitting comments is fine, and so is mixing ``##`` and ``##<``, but + it's probably best to use only one style consistently. + +.. zeek:id:: ZeexygenExample::LOG + + :Type: :zeek:type:`Log::ID` + + +.. zeek:type:: ZeexygenExample::SimpleEnum + + :Type: :zeek:type:`enum` + + .. zeek:enum:: ZeexygenExample::ONE ZeexygenExample::SimpleEnum + + Documentation for particular enum values is added like this. + And can also span multiple lines. + + .. zeek:enum:: ZeexygenExample::TWO ZeexygenExample::SimpleEnum + + Or this style is valid to document the preceding enum value. + + .. zeek:enum:: ZeexygenExample::THREE ZeexygenExample::SimpleEnum + + .. zeek:enum:: ZeexygenExample::FOUR ZeexygenExample::SimpleEnum + + And some documentation for "FOUR". + + .. zeek:enum:: ZeexygenExample::FIVE ZeexygenExample::SimpleEnum + + Also "FIVE". + + Documentation for the "SimpleEnum" type goes here. + It can span multiple lines. + +.. zeek:id:: ZeexygenExample::ONE + + :Type: :zeek:type:`ZeexygenExample::SimpleEnum` + + Documentation for particular enum values is added like this. + And can also span multiple lines. + +.. zeek:id:: ZeexygenExample::TWO + + :Type: :zeek:type:`ZeexygenExample::SimpleEnum` + + Or this style is valid to document the preceding enum value. + +.. zeek:id:: ZeexygenExample::THREE + + :Type: :zeek:type:`ZeexygenExample::SimpleEnum` + + +.. zeek:id:: ZeexygenExample::FOUR + + :Type: :zeek:type:`ZeexygenExample::SimpleEnum` + + And some documentation for "FOUR". + +.. 
zeek:id:: ZeexygenExample::FIVE + + :Type: :zeek:type:`ZeexygenExample::SimpleEnum` + + Also "FIVE". + +.. zeek:type:: ZeexygenExample::SimpleRecord + + :Type: :zeek:type:`record` + + field1: :zeek:type:`count` + Counts something. + + field2: :zeek:type:`bool` + Toggles something. + + field_ext: :zeek:type:`string` :zeek:attr:`&optional` + Document the extending field like this. + Or here, like this. + + General documentation for a type "SimpleRecord" goes here. + The way fields can be documented is similar to what's already seen + for enums. + +.. zeek:type:: ZeexygenExample::ComplexRecord + + :Type: :zeek:type:`record` + + field1: :zeek:type:`count` + Counts something. + + field2: :zeek:type:`bool` + Toggles something. + + field3: :zeek:type:`ZeexygenExample::SimpleRecord` + Zeexygen automatically tracks types + and cross-references are automatically + inserted in to generated docs. + + msg: :zeek:type:`string` :zeek:attr:`&default` = ``"blah"`` :zeek:attr:`&optional` + Attributes are self-documenting. + :Attributes: :zeek:attr:`&redef` + + General documentation for a type "ComplexRecord" goes here. + +.. zeek:type:: ZeexygenExample::Info + + :Type: :zeek:type:`record` + + ts: :zeek:type:`time` :zeek:attr:`&log` + + uid: :zeek:type:`string` :zeek:attr:`&log` + + status: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional` + + An example record to be used with a logging stream. + Nothing special about it. If another script redefs this type + to add fields, the generated documentation will show all original + fields plus the extensions and the scripts which contributed to it + (provided they are also @load'ed). + +.. zeek:id:: ZeexygenExample::an_option + + :Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`addr`, :zeek:type:`string`] + :Attributes: :zeek:attr:`&redef` + :Default: ``{}`` + + Add documentation for "an_option" here. + The type/attribute information is all generated automatically. + +.. 
zeek:id:: ZeexygenExample::option_with_init + + :Type: :zeek:type:`interval` + :Attributes: :zeek:attr:`&redef` + :Default: ``10.0 msecs`` + + Default initialization will be generated automatically. + More docs can be added here. + +.. zeek:id:: ZeexygenExample::a_var + + :Type: :zeek:type:`bool` + + Put some documentation for "a_var" here. Any global/non-const that + isn't a function/event/hook is classified as a "state variable" + in the generated docs. + +.. zeek:id:: ZeexygenExample::var_without_explicit_type + + :Type: :zeek:type:`string` + :Default: ``"this works"`` + + Types are inferred, that information is self-documenting. + +.. zeek:id:: ZeexygenExample::summary_test + + :Type: :zeek:type:`string` + + The first sentence for a particular identifier's summary text ends here. + And this second sentence doesn't show in the short description provided + by the table of all identifiers declared by this script. + +.. zeek:id:: ZeexygenExample::a_function + + :Type: :zeek:type:`function` (tag: :zeek:type:`string`, msg: :zeek:type:`string`) : :zeek:type:`string` + + Summarize purpose of "a_function" here. + Give more details about "a_function" here. + Separating the documentation of the params/return values with + empty comments is optional, but improves readability of script. + + + :tag: Function arguments can be described + like this. + + + :msg: Another param. + + + :returns: Describe the return type here. + +.. zeek:id:: ZeexygenExample::an_event + + :Type: :zeek:type:`event` (name: :zeek:type:`string`) + + Summarize "an_event" here. + Give more details about "an_event" here. + + ZeexygenExample::a_function should not be confused as a parameter + in the generated docs, but it also doesn't generate a cross-reference + link. Use the see role instead: :zeek:see:`ZeexygenExample::a_function`. + + + :name: Describe the argument here. + +.. 
zeek:id:: ZeexygenExample::function_without_proto + + :Type: :zeek:type:`function` (tag: :zeek:type:`string`) : :zeek:type:`string` + + +.. zeek:type:: ZeexygenExample::PrivateRecord + + :Type: :zeek:type:`record` + + field1: :zeek:type:`bool` + + field2: :zeek:type:`count` + + diff --git a/testing/btest/Baseline/doc.broxygen.package/test.rst b/testing/btest/Baseline/doc.zeexygen.package/test.rst similarity index 58% rename from testing/btest/Baseline/doc.broxygen.package/test.rst rename to testing/btest/Baseline/doc.zeexygen.package/test.rst index b96de2148b..345b2b6847 100644 --- a/testing/btest/Baseline/doc.broxygen.package/test.rst +++ b/testing/btest/Baseline/doc.zeexygen.package/test.rst @@ -1,19 +1,19 @@ :orphan: -Package: broxygen +Package: zeexygen ================= This package is loaded during the process which automatically generates -reference documentation for all Bro scripts (i.e. "Broxygen"). Its only -purpose is to provide an easy way to load all known Bro scripts plus any +reference documentation for all Zeek scripts (i.e. "Zeexygen"). Its only +purpose is to provide an easy way to load all known Zeek scripts plus any extra scripts needed or used by the documentation process. -:doc:`/scripts/broxygen/__load__.bro` +:doc:`/scripts/zeexygen/__load__.zeek` -:doc:`/scripts/broxygen/example.bro` +:doc:`/scripts/zeexygen/example.zeek` - This is an example script that demonstrates Broxygen-style + This is an example script that demonstrates Zeexygen-style documentation. It generally will make most sense when viewing the script's raw source code and comparing to the HTML-rendered version. 
@@ -26,12 +26,12 @@ extra scripts needed or used by the documentation process. .. tip:: You can embed directives and roles within ``##``-stylized comments. There's also a custom role to reference any identifier node in - the Bro Sphinx domain that's good for "see alsos", e.g. + the Zeek Sphinx domain that's good for "see alsos", e.g. - See also: :bro:see:`BroxygenExample::a_var`, - :bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` + See also: :zeek:see:`ZeexygenExample::a_var`, + :zeek:see:`ZeexygenExample::ONE`, :zeek:see:`SSH::Info` And a custom directive does the equivalent references: - .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info + .. zeek:see:: ZeexygenExample::a_var ZeexygenExample::ONE SSH::Info diff --git a/testing/btest/Baseline/doc.zeexygen.package_index/test.rst b/testing/btest/Baseline/doc.zeexygen.package_index/test.rst new file mode 100644 index 0000000000..4a854e9736 --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.package_index/test.rst @@ -0,0 +1,7 @@ +:doc:`zeexygen ` + + This package is loaded during the process which automatically generates + reference documentation for all Zeek scripts (i.e. "Zeexygen"). Its only + purpose is to provide an easy way to load all known Zeek scripts plus any + extra scripts needed or used by the documentation process. + diff --git a/testing/btest/Baseline/doc.zeexygen.records/autogen-reST-records.rst b/testing/btest/Baseline/doc.zeexygen.records/autogen-reST-records.rst new file mode 100644 index 0000000000..a9b671623a --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.records/autogen-reST-records.rst 
@@ -0,0 +1,28 @@ +.. zeek:type:: TestRecord1 + + :Type: :zeek:type:`record` + + field1: :zeek:type:`bool` + + field2: :zeek:type:`count` + + +.. zeek:type:: TestRecord2 + + :Type: :zeek:type:`record` + + A: :zeek:type:`count` + document ``A`` + + B: :zeek:type:`bool` + document ``B`` + + C: :zeek:type:`TestRecord1` + and now ``C`` + is a declared type + + D: :zeek:type:`set` [:zeek:type:`count`, :zeek:type:`bool`] + sets/tables should show the index types + + Here's the ways records and record fields can be documented. + diff --git a/testing/btest/Baseline/doc.zeexygen.script_index/test.rst b/testing/btest/Baseline/doc.zeexygen.script_index/test.rst new file mode 100644 index 0000000000..eab6c439b2 --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.script_index/test.rst @@ -0,0 +1,5 @@ +.. toctree:: + :maxdepth: 1 + + zeexygen/__load__.zeek + zeexygen/example.zeek diff --git a/testing/btest/Baseline/doc.broxygen.script_summary/test.rst b/testing/btest/Baseline/doc.zeexygen.script_summary/test.rst similarity index 64% rename from testing/btest/Baseline/doc.broxygen.script_summary/test.rst rename to testing/btest/Baseline/doc.zeexygen.script_summary/test.rst index 125a579c81..3dd189ca77 100644 --- a/testing/btest/Baseline/doc.broxygen.script_summary/test.rst +++ b/testing/btest/Baseline/doc.zeexygen.script_summary/test.rst @@ -1,5 +1,5 @@ -:doc:`/scripts/broxygen/example.bro` - This is an example script that demonstrates Broxygen-style +:doc:`/scripts/zeexygen/example.zeek` + This is an example script that demonstrates Zeexygen-style documentation. It generally will make most sense when viewing the script's raw source code and comparing to the HTML-rendered version. 
@@ -12,12 +12,12 @@ .. tip:: You can embed directives and roles within ``##``-stylized comments. There's also a custom role to reference any identifier node in - the Bro Sphinx domain that's good for "see alsos", e.g. + the Zeek Sphinx domain that's good for "see alsos", e.g. - See also: :bro:see:`BroxygenExample::a_var`, - :bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info` + See also: :zeek:see:`ZeexygenExample::a_var`, + :zeek:see:`ZeexygenExample::ONE`, :zeek:see:`SSH::Info` And a custom directive does the equivalent references: - .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info + .. zeek:see:: ZeexygenExample::a_var ZeexygenExample::ONE SSH::Info diff --git a/testing/btest/Baseline/doc.zeexygen.type-aliases/autogen-reST-type-aliases.rst b/testing/btest/Baseline/doc.zeexygen.type-aliases/autogen-reST-type-aliases.rst new file mode 100644 index 0000000000..7f60859a5a --- /dev/null +++ b/testing/btest/Baseline/doc.zeexygen.type-aliases/autogen-reST-type-aliases.rst 
@@ -0,0 +1,44 @@ +.. zeek:type:: ZeexygenTest::TypeAlias + + :Type: :zeek:type:`bool` + + This is just an alias for a builtin type ``bool``. + +.. zeek:type:: ZeexygenTest::NotTypeAlias + + :Type: :zeek:type:`bool` + + This type should get its own comments, not associated w/ TypeAlias. + +.. zeek:type:: ZeexygenTest::OtherTypeAlias + + :Type: :zeek:type:`bool` + + This cross references ``bool`` in the description of its type + instead of ``TypeAlias`` just because it seems more useful -- + one doesn't have to click through the full type alias chain to + find out what the actual type is... + +.. zeek:id:: ZeexygenTest::a + + :Type: :zeek:type:`ZeexygenTest::TypeAlias` + + But this should reference a type of ``TypeAlias``. + +.. zeek:id:: ZeexygenTest::b + + :Type: :zeek:type:`ZeexygenTest::OtherTypeAlias` + + And this should reference a type of ``OtherTypeAlias``. + +.. zeek:type:: ZeexygenTest::MyRecord + + :Type: :zeek:type:`record` + + f1: :zeek:type:`ZeexygenTest::TypeAlias` + + f2: :zeek:type:`ZeexygenTest::OtherTypeAlias` + + f3: :zeek:type:`bool` + + diff --git a/testing/btest/Baseline/doc.broxygen.vectors/autogen-reST-vectors.rst b/testing/btest/Baseline/doc.zeexygen.vectors/autogen-reST-vectors.rst similarity index 50% rename from testing/btest/Baseline/doc.broxygen.vectors/autogen-reST-vectors.rst rename to testing/btest/Baseline/doc.zeexygen.vectors/autogen-reST-vectors.rst index 37eabb9419..48b7204b60 100644 --- a/testing/btest/Baseline/doc.broxygen.vectors/autogen-reST-vectors.rst +++ b/testing/btest/Baseline/doc.zeexygen.vectors/autogen-reST-vectors.rst @@ -1,6 +1,6 @@ -.. bro:id:: test_vector0 +.. zeek:id:: test_vector0 - :Type: :bro:type:`vector` of :bro:type:`string` + :Type: :zeek:type:`vector` of :zeek:type:`string` :Default: :: 
@@ -9,9 +9,9 @@ Yield type is documented/cross-referenced for primitize types. -.. bro:id:: test_vector1 +.. zeek:id:: test_vector1 - :Type: :bro:type:`vector` of :bro:type:`TestRecord` + :Type: :zeek:type:`vector` of :zeek:type:`TestRecord` :Default: :: @@ -20,9 +20,9 @@ Yield type is documented/cross-referenced for composite types. -.. bro:id:: test_vector2 +.. zeek:id:: test_vector2 - :Type: :bro:type:`vector` of :bro:type:`vector` of :bro:type:`TestRecord` + :Type: :zeek:type:`vector` of :zeek:type:`vector` of :zeek:type:`TestRecord` :Default: ::
diff --git a/testing/btest/Baseline/language.at-deprecated/.stderr b/testing/btest/Baseline/language.at-deprecated/.stderr
index 4668f2d7bf..97dc7ea331 100644
--- a/testing/btest/Baseline/language.at-deprecated/.stderr
+++ b/testing/btest/Baseline/language.at-deprecated/.stderr
@@ -1,3 +1,3 @@
-warning in ./foo.bro, line 1: deprecated script loaded from command line arguments
-warning in ./bar.bro, line 1: deprecated script loaded from ./foo.bro:2 "Use '@load qux.bro' instead"
-warning in ./baz.bro, line 1: deprecated script loaded from ./foo.bro:3
+warning in ./foo.zeek, line 1: deprecated script loaded from command line arguments
+warning in ./bar.zeek, line 1: deprecated script loaded from ./foo.zeek:2 "Use '@load qux' instead"
+warning in ./baz.zeek, line 1: deprecated script loaded from ./foo.zeek:3
diff --git a/testing/btest/Baseline/language.at-filename/out b/testing/btest/Baseline/language.at-filename/out
index 12cfb152d9..23b37ef249 100644
--- a/testing/btest/Baseline/language.at-filename/out
+++ b/testing/btest/Baseline/language.at-filename/out
@@ -1 +1 @@
-at-filename.bro
+at-filename.zeek
diff --git a/testing/btest/Baseline/language.at-if-invalid/out b/testing/btest/Baseline/language.at-if-invalid/out
index 63b93a3cf8..0214a8d2f8 100644
--- a/testing/btest/Baseline/language.at-if-invalid/out
+++ b/testing/btest/Baseline/language.at-if-invalid/out
@@ -1,4 +1,4 @@
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.bro, line 28: referencing a local name in @if (xyz)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.bro, line 28: invalid expression in @if (F && foo(xyz))
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.bro, line 36: referencing a local name in @if (local_true_condition)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.bro, line 36: invalid expression in @if (T && TRUE_CONDITION && local_true_condition)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.zeek, line 28: referencing a local name in @if (xyz)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.zeek, line 28: invalid expression in @if (F && foo(xyz))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.zeek, line 36: referencing a local name in @if (local_true_condition)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-if-invalid/at-if-invalid.zeek, line 36: invalid expression in @if (T && TRUE_CONDITION && local_true_condition)
diff --git a/testing/btest/Baseline/language.attr-default-global-set-error/out b/testing/btest/Baseline/language.attr-default-global-set-error/out
index c784bb683b..6f3fd63d4f 100644
--- a/testing/btest/Baseline/language.attr-default-global-set-error/out
+++ b/testing/btest/Baseline/language.attr-default-global-set-error/out
@@ -1,2 +1,2 @@
-error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.attr-default-global-set-error/attr-default-global-set-error.bro, line 4: arithmetic mixed with non-arithmetic (set[string] and 0)
-error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.attr-default-global-set-error/attr-default-global-set-error.bro, line 4: &default value has inconsistent type (0 and set[string])
+error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.attr-default-global-set-error/attr-default-global-set-error.zeek, line 4: arithmetic mixed with non-arithmetic (set[string] and 0)
+error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.attr-default-global-set-error/attr-default-global-set-error.zeek, line 4: &default value has inconsistent type (0 and set[string])
diff --git a/testing/btest/Baseline/language.common-mistakes/1.out b/testing/btest/Baseline/language.common-mistakes/1.out
index 8070f84644..5371fc266f 100644
--- a/testing/btest/Baseline/language.common-mistakes/1.out
+++ b/testing/btest/Baseline/language.common-mistakes/1.out
@@ -1,4 +1,4 @@
-expression error in ./1.bro, line 9: field value missing (mr$f)
+expression error in ./1.zeek, line 9: field value missing (mr$f)
 bar start
 foo start
-other bro_init
+other zeek_init
diff --git a/testing/btest/Baseline/language.common-mistakes/2.out b/testing/btest/Baseline/language.common-mistakes/2.out
index dd62af107c..dbf4ed7ae6 100644
--- a/testing/btest/Baseline/language.common-mistakes/2.out
+++ b/testing/btest/Baseline/language.common-mistakes/2.out
@@ -1,2 +1,2 @@
-expression error in ./2.bro, line 7: no such index (t[nope])
+expression error in ./2.zeek, line 7: no such index (t[nope])
 in foo
diff --git a/testing/btest/Baseline/language.common-mistakes/3.out b/testing/btest/Baseline/language.common-mistakes/3.out
index d914d399a7..62cb349e7d 100644
--- a/testing/btest/Baseline/language.common-mistakes/3.out
+++ b/testing/btest/Baseline/language.common-mistakes/3.out
@@ -1,2 +1,2 @@
-expression error in ./3.bro, line 5: type-checking failed in vector append (v += ok)
+expression error in ./3.zeek, line 5: type-checking failed in vector append (v += ok)
 in foo
diff --git a/testing/btest/Baseline/language.const/invalid.stderr b/testing/btest/Baseline/language.const/invalid.stderr
index b08c472708..5b6e120f8e 100644
--- a/testing/btest/Baseline/language.const/invalid.stderr
+++ b/testing/btest/Baseline/language.const/invalid.stderr
@@ -1,13 +1,13 @@
-error in ./invalid.bro, line 15: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 16: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 17: const is not a modifiable lvalue (bar)
-error in ./invalid.bro, line 17: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 18: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 19: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 20: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 22: const is not a modifiable lvalue (foo)
-error in ./invalid.bro, line 25: const is not a modifiable lvalue (bar)
-error in ./invalid.bro, line 26: const is not a modifiable lvalue (baz)
-error in ./invalid.bro, line 27: const is not a modifiable lvalue (bar)
-error in ./invalid.bro, line 28: const is not a modifiable lvalue (baz)
-error in ./invalid.bro, line 33: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 15: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 16: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 17: const is not a modifiable lvalue (bar)
+error in ./invalid.zeek, line 17: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 18: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 19: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 20: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 22: const is not a modifiable lvalue (foo)
+error in ./invalid.zeek, line 25: const is not a modifiable lvalue (bar)
+error in ./invalid.zeek, line 26: const is not a modifiable lvalue (baz)
+error in ./invalid.zeek, line 27: const is not a modifiable lvalue (bar)
+error in ./invalid.zeek, line 28: const is not a modifiable lvalue (baz)
+error in ./invalid.zeek, line 33: const is not a modifiable lvalue (foo)
diff --git a/testing/btest/Baseline/language.deprecated/out b/testing/btest/Baseline/language.deprecated/out
index 5bdf87a62b..3126b1e78b 100644
--- a/testing/btest/Baseline/language.deprecated/out
+++ b/testing/btest/Baseline/language.deprecated/out
@@ -1,22 +1,22 @@
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 30: deprecated (ONE)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 31: deprecated (TWO)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 33: deprecated (GREEN)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 34: deprecated (BLUE)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 36: deprecated (blah)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 40: deprecated (my_event)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 41: deprecated (my_event)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 42: deprecated (my_hook)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 44: deprecated (my_record$b)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 45: deprecated (my_record$b)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 46: deprecated (my_record$b)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 48: deprecated (my_record?$b)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 49: deprecated (my_record$b)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 52: deprecated (my_record$b)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 55: deprecated (my_event)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 60: deprecated (my_hook)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 65: deprecated (blah)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 74: deprecated (dont_use_me)
-warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 79: deprecated (dont_use_me_either)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 30: deprecated (ONE)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 31: deprecated (TWO)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 33: deprecated (GREEN)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 34: deprecated (BLUE)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 36: deprecated (blah)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 40: deprecated (my_event)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 41: deprecated (my_event)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 42: deprecated (my_hook)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 44: deprecated (my_record$b)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 45: deprecated (my_record$b)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 46: deprecated (my_record$b)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 48: deprecated (my_record?$b)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 49: deprecated (my_record$b)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 52: deprecated (my_record$b)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 55: deprecated (my_event)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 60: deprecated (my_hook)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 65: deprecated (blah)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 74: deprecated (dont_use_me)
+warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.zeek, line 79: deprecated (dont_use_me_either)
 ZERO
 ONE
 TWO
diff --git a/testing/btest/Baseline/language.eof-parse-errors/output1 b/testing/btest/Baseline/language.eof-parse-errors/output1
index 47a1c328e3..0fd8331175 100644
--- a/testing/btest/Baseline/language.eof-parse-errors/output1
+++ b/testing/btest/Baseline/language.eof-parse-errors/output1
@@ -1 +1 @@
-error: syntax error, at end of file ./a.bro
+error: syntax error, at end of file ./a.zeek
diff --git a/testing/btest/Baseline/language.eof-parse-errors/output2 b/testing/btest/Baseline/language.eof-parse-errors/output2
index 6f382c2a12..b7a433b9b0 100644
--- a/testing/btest/Baseline/language.eof-parse-errors/output2
+++ b/testing/btest/Baseline/language.eof-parse-errors/output2
@@ -1 +1 @@
-error in ./b.bro, line 1: syntax error, at or near "module" or end of file ./a.bro
+error in ./b.zeek, line 1: syntax error, at or near "module" or end of file ./a.zeek
diff --git a/testing/btest/Baseline/language.event-local-var/out b/testing/btest/Baseline/language.event-local-var/out
index 2802c45d69..465a97d5cf 100644
--- a/testing/btest/Baseline/language.event-local-var/out
+++ b/testing/btest/Baseline/language.event-local-var/out
@@ -1 +1 @@
-error in /home/jgras/devel/bro/testing/btest/.tmp/language.event-local-var/event-local-var.bro, line 15: local identifier "v" cannot be used to reference an event, at or near ")"
+error in /home/jgras/devel/bro/testing/btest/.tmp/language.event-local-var/event-local-var.zeek, line 15: local identifier "v" cannot be used to reference an event, at or near ")"
diff --git a/testing/btest/Baseline/language.event/out b/testing/btest/Baseline/language.event/out
index 14fa9c1e8a..66f0ada96f 100644
--- a/testing/btest/Baseline/language.event/out
+++ b/testing/btest/Baseline/language.event/out
@@ -2,6 +2,6 @@ event statement
 event part1
 event part2
 assign event variable (6)
-schedule statement in bro_init
+schedule statement in zeek_init
 schedule statement in global
-schedule statement another in bro_init
+schedule statement another in zeek_init
diff --git a/testing/btest/Baseline/language.expire-expr-error/output b/testing/btest/Baseline/language.expire-expr-error/output
index dfa0bf64c3..5bc22b8202 100644
--- a/testing/btest/Baseline/language.expire-expr-error/output
+++ b/testing/btest/Baseline/language.expire-expr-error/output
@@ -1,2 +1,2 @@
-expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 8: no such index (x[kaputt])
+expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.zeek, line 8: no such index (x[kaputt])
 received termination signal
diff --git a/testing/btest/Baseline/language.expire-func-undef/output b/testing/btest/Baseline/language.expire-func-undef/output
index cf869bbe6b..fb783261be 100644
--- a/testing/btest/Baseline/language.expire-func-undef/output
+++ b/testing/btest/Baseline/language.expire-func-undef/output 
@@ -1,20 +1,20 @@
-1299470395.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299470405.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299473995.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299474005.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299477595.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299477605.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299481195.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299481205.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299484795.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299484805.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299488395.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299488405.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299491995.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299492005.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299495595.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299495605.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299499195.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299499205.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
-1299502795.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.bro, line 12: value used but not set (segfault::scan_summary)
+1299470395.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299470405.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299473995.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299474005.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299477595.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299477605.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299481195.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299481205.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299484795.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299484805.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299488395.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299488405.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299491995.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299492005.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299495595.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299495605.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299499195.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299499205.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
+1299502795.000000 expression error in /home/robin/bro/master/testing/btest/.tmp/language.expire-func-undef/expire-func-undef.zeek, line 12: value used but not set (segfault::scan_summary)
 orig: 10.0.0.2: peers: {\x0a\x0910.0.0.3\x0a}
diff --git a/testing/btest/Baseline/language.expire-type-error/out b/testing/btest/Baseline/language.expire-type-error/out
index c0987a6341..1050304b06 100644
--- a/testing/btest/Baseline/language.expire-type-error/out
+++ b/testing/btest/Baseline/language.expire-type-error/out
@@ -1 +1 @@
-error in /home/robin/bro/master/testing/btest/.tmp/language.expire-type-error/expire-type-error.bro, line 4: expiration interval has wrong type (kaputt)
+error in /home/robin/bro/master/testing/btest/.tmp/language.expire-type-error/expire-type-error.zeek, line 4: expiration interval has wrong type (kaputt)
diff --git a/testing/btest/Baseline/language.for/out b/testing/btest/Baseline/language.for/out
index dccc00ce3e..d7e75c46e1 100644
--- a/testing/btest/Baseline/language.for/out
+++ b/testing/btest/Baseline/language.for/out
@@ -1,3 +1,4 @@
 for loop (PASS)
 for loop with break (PASS)
 for loop with next (PASS)
+keys that are tuples (PASS)
diff --git a/testing/btest/Baseline/language.hook_calls/invalid.out b/testing/btest/Baseline/language.hook_calls/invalid.out
index 3412c1900e..fdfd719cd8 100644
--- a/testing/btest/Baseline/language.hook_calls/invalid.out
+++ b/testing/btest/Baseline/language.hook_calls/invalid.out
@@ -1,10 +1,10 @@
-error in ./invalid.bro, line 9: hook cannot be called directly, use hook operator (myhook)
-warning in ./invalid.bro, line 9: expression value ignored (myhook(3))
-error in ./invalid.bro, line 10: hook cannot be called directly, use hook operator (myhook)
-error in ./invalid.bro, line 11: hook cannot be called directly, use hook operator (myhook)
-error in ./invalid.bro, line 12: not a valid hook call expression (2 + 2)
-warning in ./invalid.bro, line 12: expression value ignored (2 + 2)
-error in ./invalid.bro, line 13: not a valid hook call expression (2 + 2)
-error in ./invalid.bro, line 15: hook cannot be called directly, use hook operator (h)
-warning in ./invalid.bro, line 15: expression value ignored (h(3))
-error in ./invalid.bro, line 16: hook cannot be called directly, use hook operator (h)
+error in ./invalid.zeek, line 9: hook cannot be called directly, use hook operator (myhook)
+warning in ./invalid.zeek, line 9: expression value ignored (myhook(3))
+error in ./invalid.zeek, line 10: hook cannot be called directly, use hook operator (myhook)
+error in ./invalid.zeek, line 11: hook cannot be called directly, use hook operator (myhook)
+error in ./invalid.zeek, line 12: not a valid hook call expression (2 + 2)
+warning in ./invalid.zeek, line 12: expression value ignored (2 + 2)
+error in ./invalid.zeek, line 13: not a valid hook call expression (2 + 2)
+error in ./invalid.zeek, line 15: hook cannot be called directly, use hook operator (h)
+warning in ./invalid.zeek, line 15: expression value ignored (h(3))
+error in ./invalid.zeek, line 16: hook cannot be called directly, use hook operator (h)
diff --git a/testing/btest/Baseline/language.index-assignment-invalid/out b/testing/btest/Baseline/language.index-assignment-invalid/out
index 3972a9f10e..a30ecf891f 100644
--- a/testing/btest/Baseline/language.index-assignment-invalid/out
+++ b/testing/btest/Baseline/language.index-assignment-invalid/out
@@ -1,5 +1,5 @@
-runtime error in /home/jon/pro/zeek/zeek/scripts/base/utils/queue.bro, line 152: vector index assignment failed for invalid type 'myrec', value: [a=T, b=hi, c=], expression: Queue::ret[Queue::j], call stack:
- #0 Queue::get_vector([initialized=T, vals={[2] = test,[6] = jkl;,[4] = asdf,[1] = goodbye,[5] = 3,[0] = hello,[3] = [a=T, b=hi, c=]}, settings=[max_len=], top=7, bottom=0, size=0], [hello, goodbye, test]) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:19
- #1 bar(55) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:27
- #2 foo(hi, 13) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.bro:39
- #3 bro_init()
+runtime error in /home/jon/pro/zeek/zeek/scripts/base/utils/queue.zeek, line 152: vector index assignment failed for invalid type 'myrec', value: [a=T, b=hi, c=], expression: Queue::ret[Queue::j], call stack:
+ #0 Queue::get_vector([initialized=T, vals={[2] = test,[6] = jkl;,[4] = asdf,[1] = goodbye,[5] = 3,[0] = hello,[3] = [a=T, b=hi, c=]}, settings=[max_len=], top=7, bottom=0, size=0], [hello, goodbye, test]) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.zeek:19
+ #1 bar(55) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.zeek:27
+ #2 foo(hi, 13) at /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.index-assignment-invalid/index-assignment-invalid.zeek:39
+ #3 zeek_init()
diff --git a/testing/btest/Baseline/language.init-in-anon-function/http.log b/testing/btest/Baseline/language.init-in-anon-function/http.log
index 343fa1b007..e9a1ff369a 100644
--- a/testing/btest/Baseline/language.init-in-anon-function/http.log
+++ b/testing/btest/Baseline/language.init-in-anon-function/http.log
@@ -3,21 +3,21 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-13-56 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1300475168.784020 CUM0KZ3MLUfNB0cl11 141.142.0.0 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ 1.1 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.916018 CwjjYJ2WqgTbAqiHl6 141.142.0.0 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.916183 C3eiCBGOLw3VtHfOj 141.142.0.0 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.918358 Ck51lg1bScffFj34Ri 141.142.0.0 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - 
-1300475168.952307 CtxTCR2Yer0FR1tIBg 141.142.0.0 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.952296 CykQaM33ztNt0csB9a 141.142.0.0 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.954820 CLNN1k2QMum1aexUK7 141.142.0.0 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.962687 CiyBAq1bBLNaTiTAc 141.142.0.0 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.975934 CwjjYJ2WqgTbAqiHl6 141.142.0.0 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.976436 C3eiCBGOLw3VtHfOj 141.142.0.0 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) 
Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.979264 Ck51lg1bScffFj34Ri 141.142.0.0 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475169.014619 CtxTCR2Yer0FR1tIBg 141.142.0.0 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475169.014593 CykQaM33ztNt0csB9a 141.142.0.0 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475169.014927 CLNN1k2QMum1aexUK7 141.142.0.0 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -#close 2016-07-13-16-13-57 +#open 2019-03-13-19-35-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string 
string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1300475168.784020 CUM0KZ3MLUfNB0cl11 141.142.0.0 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ 1.1 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.916018 CwjjYJ2WqgTbAqiHl6 141.142.0.0 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.916183 C3eiCBGOLw3VtHfOj 141.142.0.0 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.918358 Ck51lg1bScffFj34Ri 141.142.0.0 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.952307 CtxTCR2Yer0FR1tIBg 141.142.0.0 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.952296 CykQaM33ztNt0csB9a 141.142.0.0 49999 208.80.152.3 80 1 GET 
upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.954820 CLNN1k2QMum1aexUK7 141.142.0.0 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.962687 CiyBAq1bBLNaTiTAc 141.142.0.0 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.975934 CwjjYJ2WqgTbAqiHl6 141.142.0.0 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.976436 C3eiCBGOLw3VtHfOj 141.142.0.0 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.979264 Ck51lg1bScffFj34Ri 141.142.0.0 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 
Not Modified - - (empty) - - - - - - - - - +1300475169.014619 CtxTCR2Yer0FR1tIBg 141.142.0.0 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475169.014593 CykQaM33ztNt0csB9a 141.142.0.0 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475169.014927 CLNN1k2QMum1aexUK7 141.142.0.0 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +#close 2019-03-13-19-35-28 diff --git a/testing/btest/Baseline/language.invalid_index/out b/testing/btest/Baseline/language.invalid_index/out index 4ba0373e91..aa3784aa3e 100644 --- a/testing/btest/Baseline/language.invalid_index/out +++ b/testing/btest/Baseline/language.invalid_index/out 
@@ -1,5 +1,5 @@
-expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 10: no such index (foo[1])
-expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 16: no such index (foo2[1])
+expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.invalid_index/invalid_index.zeek, line 10: no such index (foo[1])
+expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.invalid_index/invalid_index.zeek, line 16: no such index (foo2[1])
 foo[0], 42
 foo2[0], 13
 done
diff --git a/testing/btest/Baseline/language.key-value-for/out b/testing/btest/Baseline/language.key-value-for/out
new file mode 100644
index 0000000000..43a5609374
--- /dev/null
+++ b/testing/btest/Baseline/language.key-value-for/out
@@ -0,0 +1,4 @@
+1, hello
+55, goodbye
+goodbye, world, 55
+hello, world, 1
diff --git a/testing/btest/Baseline/language.outer_param_binding/out b/testing/btest/Baseline/language.outer_param_binding/out
index 28ad03c85a..afdc4191cd 100644
--- a/testing/btest/Baseline/language.outer_param_binding/out
+++ b/testing/btest/Baseline/language.outer_param_binding/out
@@ -1,3 +1,3 @@
-error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.bro, line 16: referencing outer function IDs not supported (c)
-error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.bro, line 16: referencing outer function IDs not supported (d)
-error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.bro, line 17: referencing outer function IDs not supported (b)
+error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.zeek, line 16: referencing outer function IDs not supported (c)
+error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.zeek, line 16: referencing outer function IDs not supported (d)
+error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.zeek, line 17: referencing outer function IDs not supported (b)
diff --git a/testing/btest/Baseline/language.record-bad-ctor/out b/testing/btest/Baseline/language.record-bad-ctor/out
index d30d0ab9d3..e6ff4a8fd5 100644
--- a/testing/btest/Baseline/language.record-bad-ctor/out
+++ b/testing/btest/Baseline/language.record-bad-ctor/out
@@ -1,2 +1,2 @@
-error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 6: no type given (asdfasdf)
-expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: uninitialized list value ($ports=asdfasdf)
+error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.zeek, line 6: no type given (asdfasdf)
+expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.zeek, line 7: uninitialized list value ($ports=asdfasdf)
diff --git a/testing/btest/Baseline/language.record-bad-ctor2/out b/testing/btest/Baseline/language.record-bad-ctor2/out
index d5ce540dd8..12b0fe3959 100644
--- a/testing/btest/Baseline/language.record-bad-ctor2/out
+++ b/testing/btest/Baseline/language.record-bad-ctor2/out
@@ -1 +1 @@
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor2/record-bad-ctor2.bro, line 14: bad type in record constructor ([[$cmd=echo hi]] and [$cmd=echo hi])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor2/record-bad-ctor2.zeek, line 14: bad type in record constructor ([[$cmd=echo hi]] and [$cmd=echo hi])
diff --git a/testing/btest/Baseline/language.record-ceorce-orphan/out b/testing/btest/Baseline/language.record-ceorce-orphan/out
index 59df204af2..f848945979 100644
--- a/testing/btest/Baseline/language.record-ceorce-orphan/out
+++ b/testing/btest/Baseline/language.record-ceorce-orphan/out
@@ -1,2 +1,2 @@
-error in /home/robin/bro/master/testing/btest/.tmp/language.record-ceorce-orphan/record-ceorce-orphan.bro, line 19: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
-error in /home/robin/bro/master/testing/btest/.tmp/language.record-ceorce-orphan/record-ceorce-orphan.bro, line 21: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
+error in /home/robin/bro/master/testing/btest/.tmp/language.record-ceorce-orphan/record-ceorce-orphan.zeek, line 19: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
+error in /home/robin/bro/master/testing/btest/.tmp/language.record-ceorce-orphan/record-ceorce-orphan.zeek, line 21: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
diff --git a/testing/btest/Baseline/language.record-coerce-clash/out b/testing/btest/Baseline/language.record-coerce-clash/out
index 9ef4116c7e..cb45413c63 100644
--- a/testing/btest/Baseline/language.record-coerce-clash/out
+++ b/testing/btest/Baseline/language.record-coerce-clash/out
@@ -1 +1 @@
-error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/language.record-coerce-clash/record-coerce-clash.bro, line 13: type clash for field "cid" ((coerce [$cid=[$orig_h=1.2.3.4, $orig_p=0/tcp, $resp_h=0.0.0.0, $resp_p=wrong]] to myrec) and record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:string; })
+error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/language.record-coerce-clash/record-coerce-clash.zeek, line 13: type clash for field "cid" ((coerce [$cid=[$orig_h=1.2.3.4, $orig_p=0/tcp, $resp_h=0.0.0.0, $resp_p=wrong]] to myrec) and record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:string; })
diff --git a/testing/btest/Baseline/language.record-default-set-mismatch/out b/testing/btest/Baseline/language.record-default-set-mismatch/out
index c005138c0c..ba40f934f7 100644
--- a/testing/btest/Baseline/language.record-default-set-mismatch/out
+++ b/testing/btest/Baseline/language.record-default-set-mismatch/out
@@ -1 +1 @@
-error in /home/robin/bro/master/testing/btest/.tmp/language.record-default-set-mismatch/record-default-set-mismatch.bro, line 5: &default value has inconsistent type (&default=set(1, 2, 3))
+error in /home/robin/bro/master/testing/btest/.tmp/language.record-default-set-mismatch/record-default-set-mismatch.zeek, line 5: &default value has inconsistent type (&default=set(1, 2, 3))
diff --git a/testing/btest/Baseline/language.record-type-checking/out b/testing/btest/Baseline/language.record-type-checking/out
index ecd5d7b8bb..50b0db5d8c 100644
--- a/testing/btest/Baseline/language.record-type-checking/out
+++ b/testing/btest/Baseline/language.record-type-checking/out
@@ -1,11 +1,11 @@ -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 9 and count: type clash for field "a" ((coerce [$a=0] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 9: bad record initializer ((coerce [$a=0] to error)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 12 and count: type clash for field "a" ((coerce [$a=1] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 12: bad record initializer ((coerce (coerce [$a=1] to error) to error)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 18 and count: type clash for field "a" ((coerce [$a=2] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 22 and count: type clash for field "a" ((coerce [$a=3] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 22: bad record initializer ((coerce [$a=3] to error)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 27 and count: type clash for field "a" ((coerce [$a=1000] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 33 and count: type clash for field "a" ((coerce [$a=1001] to MyRec) and count) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 40 and count: type clash for field "a" ((coerce [$a=1002] to MyRec) and count) -error in 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 46 and count: type clash for field "a" ((coerce [$a=1003] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 9 and count: type clash for field "a" ((coerce [$a=0] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 9: bad record initializer ((coerce [$a=0] to error)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 12 and count: type clash for field "a" ((coerce [$a=1] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 12: bad record initializer ((coerce (coerce [$a=1] to error) to error)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 18 and count: type clash for field "a" ((coerce [$a=2] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 22 and count: type clash for field "a" ((coerce [$a=3] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 22: bad record initializer ((coerce [$a=3] to error)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 27 and count: type clash for field "a" ((coerce [$a=1000] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 33 and count: type clash for field "a" ((coerce [$a=1001] to MyRec) and count) +error in 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 40 and count: type clash for field "a" ((coerce [$a=1002] to MyRec) and count) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.zeek, line 46 and count: type clash for field "a" ((coerce [$a=1003] to MyRec) and count) diff --git a/testing/btest/Baseline/language.returnwhen/bro..stdout b/testing/btest/Baseline/language.returnwhen/bro..stdout index d213d7bd02..969b6715af 100644 --- a/testing/btest/Baseline/language.returnwhen/bro..stdout +++ b/testing/btest/Baseline/language.returnwhen/bro..stdout @@ -1,6 +1,6 @@ -dummy from async_func() from bro_init() -async_func() return result in bro_init(), flag in my_set -dummy from bro_init() when block +dummy from async_func() from zeek_init() +async_func() return result in zeek_init(), flag in my_set +dummy from zeek_init() when block hi! dummy from async_func() from do_another() async_func() return result in do_another(), flag in my_set diff --git a/testing/btest/Baseline/language.set-type-checking/out b/testing/btest/Baseline/language.set-type-checking/out index 0387146723..d27da6205a 100644 --- a/testing/btest/Baseline/language.set-type-checking/out +++ b/testing/btest/Baseline/language.set-type-checking/out 
@@ -1,24 +1,24 @@ -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 7: arithmetic mixed with non-arithmetic (port and 0) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 7 and port: type mismatch (0 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 7: inconsistent type in set constructor (set(0)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 10: arithmetic mixed with non-arithmetic (port and 1) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 10 and port: type mismatch (1 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 10: inconsistent type in set constructor (set(1)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 16: arithmetic mixed with non-arithmetic (port and 2) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 16 and port: type mismatch (2 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 16: inconsistent type in set constructor (set(2)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 7: arithmetic mixed with non-arithmetic (port and 0) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 7 and port: type mismatch (0 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 7: inconsistent type in set constructor 
(set(0)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 10: arithmetic mixed with non-arithmetic (port and 1) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 10 and port: type mismatch (1 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 10: inconsistent type in set constructor (set(1)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 16: arithmetic mixed with non-arithmetic (port and 2) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 16 and port: type mismatch (2 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 16: inconsistent type in set constructor (set(2)) error in port: arithmetic mixed with non-arithmetic (port and 3) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 20: initialization type mismatch in set (set(3) and 3) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 25: arithmetic mixed with non-arithmetic (port and 1000) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 25 and port: type mismatch (1000 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 25: inconsistent type in set constructor (set(1000)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 31: arithmetic mixed with non-arithmetic (port and 1001) -error in 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 31 and port: type mismatch (1001 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 31: inconsistent type in set constructor (set(1001)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 38: arithmetic mixed with non-arithmetic (port and 1002) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 38 and port: type mismatch (1002 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 38: inconsistent type in set constructor (set(1002)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 44: arithmetic mixed with non-arithmetic (port and 1003) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 44 and port: type mismatch (1003 and port) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 44: inconsistent type in set constructor (set(1003)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 44: type clash in assignment (lea = set(1003)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 20: initialization type mismatch in set (set(3) and 3) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 25: arithmetic mixed with non-arithmetic (port and 1000) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 25 and port: type mismatch (1000 and 
port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 25: inconsistent type in set constructor (set(1000)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 31: arithmetic mixed with non-arithmetic (port and 1001) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 31 and port: type mismatch (1001 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 31: inconsistent type in set constructor (set(1001)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 38: arithmetic mixed with non-arithmetic (port and 1002) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 38 and port: type mismatch (1002 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 38: inconsistent type in set constructor (set(1002)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 44: arithmetic mixed with non-arithmetic (port and 1003) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 44 and port: type mismatch (1003 and port) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 44: inconsistent type in set constructor (set(1003)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.zeek, line 44: type clash in assignment (lea = set(1003)) 
diff --git a/testing/btest/Baseline/language.subnet-errors/out b/testing/btest/Baseline/language.subnet-errors/out index 5d8e3d76da..97e999ef9b 100644 --- a/testing/btest/Baseline/language.subnet-errors/out +++ b/testing/btest/Baseline/language.subnet-errors/out @@ -1,5 +1,5 @@ -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.subnet-errors/subnet-errors.bro, line 9: bad IPv4 subnet prefix length: 33 (1.2.3.4 / i) -expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.subnet-errors/subnet-errors.bro, line 18: bad IPv6 subnet prefix length: 129 (:: / i) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.subnet-errors/subnet-errors.zeek, line 9: bad IPv4 subnet prefix length: 33 (1.2.3.4 / i) +expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.subnet-errors/subnet-errors.zeek, line 18: bad IPv6 subnet prefix length: 129 (:: / i) 1.2.3.4/32 ::/128 init last diff --git a/testing/btest/Baseline/language.switch-error-mixed/out b/testing/btest/Baseline/language.switch-error-mixed/out index 75fa1d84c2..679b34f6ef 100644 --- a/testing/btest/Baseline/language.switch-error-mixed/out +++ b/testing/btest/Baseline/language.switch-error-mixed/out @@ -1 +1 @@ -error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-error-mixed/switch-error-mixed.bro, line 6: cannot mix cases with expressions and types (switch (v) {case 42:{ return (42!)}case type count:{ return (Count!)}}) +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-error-mixed/switch-error-mixed.zeek, line 6: cannot mix cases with expressions and types (switch (v) {case 42:{ return (42!)}case type count:{ return (Count!)}}) diff --git a/testing/btest/Baseline/language.switch-incomplete/out b/testing/btest/Baseline/language.switch-incomplete/out index bfe4429956..4ce7d39a08 100644 --- a/testing/btest/Baseline/language.switch-incomplete/out +++ b/testing/btest/Baseline/language.switch-incomplete/out 
@@ -1 +1 @@
-error in /home/robin/bro/master/testing/btest/.tmp/language.switch-incomplete/switch-incomplete.bro, lines 7-8: case block must end in break/fallthrough/return statement (case 1:{ print 1})
+error in /home/robin/bro/master/testing/btest/.tmp/language.switch-incomplete/switch-incomplete.zeek, lines 7-8: case block must end in break/fallthrough/return statement (case 1:{ print 1})
diff --git a/testing/btest/Baseline/language.switch-types-error-duplicate/out b/testing/btest/Baseline/language.switch-types-error-duplicate/out
index e523b14550..0ab618bc16 100644
--- a/testing/btest/Baseline/language.switch-types-error-duplicate/out
+++ b/testing/btest/Baseline/language.switch-types-error-duplicate/out
@@ -1 +1 @@
-error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-duplicate/switch-types-error-duplicate.bro, lines 11-12: duplicate case label (case type bool, type count:{ return (Bool or address!)})
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-duplicate/switch-types-error-duplicate.zeek, lines 11-12: duplicate case label (case type bool, type count:{ return (Bool or address!)})
diff --git a/testing/btest/Baseline/language.switch-types-error-unsupported/out b/testing/btest/Baseline/language.switch-types-error-unsupported/out
index 133c8653f2..7932073710 100644
--- a/testing/btest/Baseline/language.switch-types-error-unsupported/out
+++ b/testing/btest/Baseline/language.switch-types-error-unsupported/out
@@ -1,3 +1,3 @@
-error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 9-10: cannot cast switch expression to case type (case type count:{ return (Count!)})
-error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)})
-error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)})
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.zeek, lines 9-10: cannot cast switch expression to case type (case type count:{ return (Count!)})
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.zeek, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)})
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.zeek, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)})
diff --git a/testing/btest/Baseline/language.table-type-checking/out b/testing/btest/Baseline/language.table-type-checking/out
index 488cb83ab2..a6307a6155 100644
--- a/testing/btest/Baseline/language.table-type-checking/out
+++ b/testing/btest/Baseline/language.table-type-checking/out
@@ -1,14 +1,14 @@ -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 7: type clash (port and zero) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 7: inconsistent types in table constructor (table(zero = 0)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 10: type clash (port and one) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 10: inconsistent types in table constructor (table(one = 1)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 17: type clash in assignment (gda = gda2) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 21 and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 4: index type doesn't match table (three and list of port) -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 21: type clash in table assignment (three = 3) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 26: type clash (port and thousand) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 26: inconsistent types in table constructor (table(thousand = 1000)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 32: type clash (port and thousand-one) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 32: inconsistent types in table 
constructor (table(thousand-one = 1001)) -error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 39: type clash (port and thousand-two) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 39: inconsistent types in table constructor (table(thousand-two = 1002)) -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 45: type clash in assignment (lea = table(thousand-three = 1003)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 7: type clash (port and zero) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 7: inconsistent types in table constructor (table(zero = 0)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 10: type clash (port and one) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 10: inconsistent types in table constructor (table(one = 1)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 17: type clash in assignment (gda = gda2) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 21 and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 4: index type doesn't match table (three and list of port) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 21: type clash in table assignment (three = 3) +error in port and 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 26: type clash (port and thousand) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 26: inconsistent types in table constructor (table(thousand = 1000)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 32: type clash (port and thousand-one) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 32: inconsistent types in table constructor (table(thousand-one = 1001)) +error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 39: type clash (port and thousand-two) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 39: inconsistent types in table constructor (table(thousand-two = 1002)) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.zeek, line 45: type clash in assignment (lea = table(thousand-three = 1003)) diff --git a/testing/btest/Baseline/language.ternary-record-mismatch/out b/testing/btest/Baseline/language.ternary-record-mismatch/out new file mode 100644 index 0000000000..91a3aa2e02 --- /dev/null +++ b/testing/btest/Baseline/language.ternary-record-mismatch/out @@ -0,0 +1 @@ +error in /Users/jon/pro/zeek/zeek/testing/btest/.tmp/language.ternary-record-mismatch/ternary-record-mismatch.zeek, lines 13-14: operands must be of the same type ((F) ? (coerce [$a=a string, $b=6] to MyRecord) : [$a=a different string, $b=7]) diff --git a/testing/btest/Baseline/language.type-cast-error-dynamic/output b/testing/btest/Baseline/language.type-cast-error-dynamic/output index 7c4ec0332f..dfac361f11 100644 
--- a/testing/btest/Baseline/language.type-cast-error-dynamic/output
+++ b/testing/btest/Baseline/language.type-cast-error-dynamic/output
@@ -1,4 +1,4 @@
-expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'count' to type 'string' (a as string)
-expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'record { a:addr; b:port; }' to type 'string' (a as string)
-expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'record { data:opaque of Broker::Data; }' to type 'string' (nil $data field) (a as string)
+expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.zeek, line 11: invalid cast of value with type 'count' to type 'string' (a as string)
+expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.zeek, line 11: invalid cast of value with type 'record { a:addr; b:port; }' to type 'string' (a as string)
+expression error in /home/jon/pro/zeek/zeek/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.zeek, line 11: invalid cast of value with type 'record { data:opaque of Broker::Data; }' to type 'string' (nil $data field) (a as string)
 data is string, F
diff --git a/testing/btest/Baseline/language.type-cast-error-static/output b/testing/btest/Baseline/language.type-cast-error-static/output
index a93e262f21..bd00361939 100644
--- a/testing/btest/Baseline/language.type-cast-error-static/output
+++ b/testing/btest/Baseline/language.type-cast-error-static/output
@@ -1,2 +1,2 @@
-error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.bro, line 14: cast not supported (string as count)
-error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.bro, line 15: cast not supported (string as X)
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.zeek, line 14: cast not supported (string as count)
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.zeek, line 15: cast not supported (string as X)
diff --git a/testing/btest/Baseline/language.type-type-error/.stderr b/testing/btest/Baseline/language.type-type-error/.stderr
index 95cb065ece..b0e0800c72 100644
--- a/testing/btest/Baseline/language.type-type-error/.stderr
+++ b/testing/btest/Baseline/language.type-type-error/.stderr
@@ -1 +1 @@
-error in /home/jsiwek/bro/testing/btest/.tmp/language.type-type-error/type-type-error.bro, line 13: not a record (r$a)
+error in /home/jsiwek/bro/testing/btest/.tmp/language.type-type-error/type-type-error.zeek, line 13: not a record (r$a)
diff --git a/testing/btest/Baseline/language.undefined-delete-field/output b/testing/btest/Baseline/language.undefined-delete-field/output
index bd0fb99289..99a71b1087 100644
--- a/testing/btest/Baseline/language.undefined-delete-field/output
+++ b/testing/btest/Baseline/language.undefined-delete-field/output
@@ -1,2 +1,2 @@
-error in /Users/johanna/bro/master/testing/btest/.tmp/language.undefined-delete-field/undefined-delete-field.bro, line 14: no such field in record (x$c)
+error in /Users/johanna/bro/master/testing/btest/.tmp/language.undefined-delete-field/undefined-delete-field.zeek, line 14: no such field in record (x$c)
 1
diff --git a/testing/btest/Baseline/language.uninitialized-local/out b/testing/btest/Baseline/language.uninitialized-local/out
index 24d45d3456..dd6867f524 100644
--- a/testing/btest/Baseline/language.uninitialized-local/out
+++ b/testing/btest/Baseline/language.uninitialized-local/out
@@ -1 +1 @@
-expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.uninitialized-local/uninitialized-local.bro, line 16: value used but not set (my_string)
+expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.uninitialized-local/uninitialized-local.zeek, line 16: value used but not set (my_string)
diff --git a/testing/btest/Baseline/language.uninitialized-local2/out b/testing/btest/Baseline/language.uninitialized-local2/out
index bba567878e..ba668f08ff 100644
--- a/testing/btest/Baseline/language.uninitialized-local2/out
+++ b/testing/btest/Baseline/language.uninitialized-local2/out
@@ -1,2 +1,2 @@
-expression error in /home/jon/projects/bro/bro/testing/btest/.tmp/language.uninitialized-local2/uninitialized-local2.bro, line 19: value used but not set (var_b)
+expression error in /home/jon/projects/bro/bro/testing/btest/.tmp/language.uninitialized-local2/uninitialized-local2.zeek, line 19: value used but not set (var_b)
 var_a is, baz
diff --git a/testing/btest/Baseline/language.vector-type-checking/out b/testing/btest/Baseline/language.vector-type-checking/out
index e96017082a..33be41836f 100644
--- a/testing/btest/Baseline/language.vector-type-checking/out
+++ b/testing/btest/Baseline/language.vector-type-checking/out
@@ -1,19 +1,19 @@
-error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 7: arithmetic mixed with non-arithmetic (count and zero)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 7 and count: type mismatch (zero and count)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 7: inconsistent types in vector constructor (vector(zero))
-error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 10: arithmetic mixed with non-arithmetic (count and one)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 10 and count: type mismatch (one and count)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 10: inconsistent types in vector constructor (vector(one))
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 17: type clash in assignment (gda = gda2)
-error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 21: arithmetic mixed with non-arithmetic (count and three)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 21: initialization type mismatch at index 0 (vector(three) and three)
-error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 26: arithmetic mixed with non-arithmetic (count and thousand)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 26 and count: type mismatch (thousand and count)
-error
in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 26: inconsistent types in vector constructor (vector(thousand))
-error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 32: arithmetic mixed with non-arithmetic (count and thousand-one)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 32 and count: type mismatch (thousand-one and count)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 32: inconsistent types in vector constructor (vector(thousand-one))
-error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 39: arithmetic mixed with non-arithmetic (count and thousand-two)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 39 and count: type mismatch (thousand-two and count)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 39: inconsistent types in vector constructor (vector(thousand-two))
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 45: type clash in assignment (lea = vector(thousand-three))
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 7: arithmetic mixed with non-arithmetic (count and zero)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 7 and count: type mismatch (zero and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 7: inconsistent types in vector constructor
(vector(zero))
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 10: arithmetic mixed with non-arithmetic (count and one)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 10 and count: type mismatch (one and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 10: inconsistent types in vector constructor (vector(one))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 17: type clash in assignment (gda = gda2)
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 21: arithmetic mixed with non-arithmetic (count and three)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 21: initialization type mismatch at index 0 (vector(three) and three)
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 26: arithmetic mixed with non-arithmetic (count and thousand)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 26 and count: type mismatch (thousand and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 26: inconsistent types in vector constructor (vector(thousand))
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 32: arithmetic mixed with non-arithmetic (count and thousand-one)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 32 and count: type mismatch
(thousand-one and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 32: inconsistent types in vector constructor (vector(thousand-one))
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 39: arithmetic mixed with non-arithmetic (count and thousand-two)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 39 and count: type mismatch (thousand-two and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 39: inconsistent types in vector constructor (vector(thousand-two))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.zeek, line 45: type clash in assignment (lea = vector(thousand-three))
diff --git a/testing/btest/Baseline/language.when-unitialized-rhs/out b/testing/btest/Baseline/language.when-unitialized-rhs/out
index 6698887be0..bad1bdbb78 100644
--- a/testing/btest/Baseline/language.when-unitialized-rhs/out
+++ b/testing/btest/Baseline/language.when-unitialized-rhs/out
@@ -1,5 +1,5 @@
-expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.bro, line 9: value used but not set (crashMe)
-expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.bro, line 14: value used but not set (x)
+expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.zeek, line 9: value used but not set (crashMe)
+expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.zeek, line 14: value used but not set (x)
 1
 2
 3
diff --git a/testing/btest/Baseline/language.wrong-delete-field/output b/testing/btest/Baseline/language.wrong-delete-field/output
index 1eefa1d2fe..1250f03c3d 100644
--- a/testing/btest/Baseline/language.wrong-delete-field/output
+++ b/testing/btest/Baseline/language.wrong-delete-field/output
@@ -1 +1 @@
-error in /da/home/robin/bro/master/testing/btest/.tmp/language.wrong-delete-field/wrong-delete-field.bro, line 10: illegal delete statement (delete x$a)
+error in /da/home/robin/bro/master/testing/btest/.tmp/language.wrong-delete-field/wrong-delete-field.zeek, line 10: illegal delete statement (delete x$a)
diff --git a/testing/btest/Baseline/language.zeek_init/out b/testing/btest/Baseline/language.zeek_init/out
new file mode 100644
index 0000000000..aa17ec8aa8
--- /dev/null
+++ b/testing/btest/Baseline/language.zeek_init/out
@@ -0,0 +1,8 @@
+zeek_init at priority 10!
+bro_init at priority 5!
+zeek_init at priority 0!
+bro_init at priority -10!
+zeek_done at priority 10!
+bro_done at priority 5!
+zeek_done at priority 0!
+bro_done at priority -10!
diff --git a/testing/btest/Baseline/language.zeek_script_loaded/out b/testing/btest/Baseline/language.zeek_script_loaded/out
new file mode 100644
index 0000000000..cddf509308
--- /dev/null
+++ b/testing/btest/Baseline/language.zeek_script_loaded/out
@@ -0,0 +1,4 @@
+zeek_script_loaded priority 10
+bro_script_loaded priority 5
+zeek_script_loaded priority 0
+bro_script_loaded priority -10
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index ecbb136298..aa27d73819 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -61,6 +61,7 @@
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) ->
+0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) ->
@@ -126,6 +127,7 @@
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) ->
+0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_AYIYA, {5072/udp})) ->
@@ -154,6 +156,7 @@
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) ->
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) ->
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) ->
+0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_VXLAN, {4789/udp})) ->
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) ->
 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) ->
 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) ->
@@ -173,15 +176,15 @@
 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) ->
 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) ->
 0.000000 MetaHookPost CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ?
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid, FTP::c{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::c?$ftp) return (FTP::describe(FTP::c$ftp))}return ()}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ?
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid, HTTP::c{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::c?$http) return (HTTP::build_url_http(HTTP::c$http))}return ()}}])) ->
 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) ->
-0.000000 MetaHookPost
CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: ,
SSL::f$info$x509$certificate$issuer))}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ?
SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) ->
 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=.,
ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
@@ -274,7 +277,7 @@
 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) ->
 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) ->
 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) ->
 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) ->
 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) ->
@@ -459,7 +462,7 @@
 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) ->
 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) ->
 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) ->
 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -488,6 +491,8 @@
 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (GridFTP::skip_data, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) ->
 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (HTTP::default_capture_password, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) ->
 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (HTTP::http_methods, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) ->
+0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (HTTP::max_files_orig, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) ->
+0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (HTTP::max_files_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID,
$old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) ->
 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (HTTP::proxy_headers, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) ->
 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Input::default_mode, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) ->
 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Input::default_reader, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) ->
@@ -557,7 +562,6 @@
 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, , ()) ->
 0.000000 MetaHookPost CallFunction(Unified2::mappings_initialized, , ()) ->
 0.000000 MetaHookPost CallFunction(Unified2::start_watching, , ()) -> 
-0.000000 MetaHookPost CallFunction(bro_init, , ()) ->
 0.000000 MetaHookPost CallFunction(current_time, , ()) ->
 0.000000 MetaHookPost CallFunction(filter_change_tracking, , ()) ->
 0.000000 MetaHookPost CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) -> 
@@ -569,292 +573,296 @@
 0.000000 MetaHookPost CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) ->
 0.000000 MetaHookPost CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) ->
 0.000000 MetaHookPost CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -> 
+0.000000 MetaHookPost CallFunction(zeek_init, , ()) ->
 0.000000 MetaHookPost DrainEvents() -> 
-0.000000 MetaHookPost LoadFile(0, ..<...>/main.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, ..<...>/plugin.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ARP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BackDoor.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConfigReader.config.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNS.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_File.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileEntropy.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileExtract.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileExtract.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileHash.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Finger.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GSSAPI.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GTPv1.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Gnutella.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ICMP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IMAP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IRC.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Ident.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_InterConn.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MIME.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.consts.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NoneWriter.none.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_PE.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_POP3.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RADIUS.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RFB.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RPC.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RawReader.raw.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SIP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.consts.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SOCKS.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SteppingStone.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Syslog.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Teredo.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Bro_XMPP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/acld.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/add-geodata.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/addrs.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/analyzer.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/ascii.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/average.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/benchmark.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/binary.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/bloom-filter.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/bro.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/broker.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/broxygen.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/cardinality-counter.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/catch-and-release.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/comm.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/config.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/const-dos-error.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/const-nt-status.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/const.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/consts.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/contents.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/ct-list.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/data.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/dcc-send.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/debug.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/drop.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/email_admin.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/entities.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/event.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/exec.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/file_analysis.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/files.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/gridftp.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/hll_unique.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/hooks.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/inactivity.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/info.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/input.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/input.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/last.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/log.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/logging.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, ..<...>/main.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, ..<...>/plugin.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ARP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BackDoor.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BitTorrent.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConfigReader.config.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.functions.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNP3.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNS.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.functions.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_File.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileEntropy.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileExtract.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileExtract.functions.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileHash.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Finger.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GSSAPI.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GTPv1.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Gnutella.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.functions.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ICMP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IMAP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IRC.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Ident.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_InterConn.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.functions.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MIME.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Modbus.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MySQL.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.consts.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NoneWriter.none.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_PE.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_POP3.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RADIUS.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RFB.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RPC.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RawReader.raw.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SIP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.consts.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.functions.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SOCKS.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.consts.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.functions.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SteppingStone.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Syslog.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.functions.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Teredo.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_UDP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_VXLAN.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.functions.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_XMPP.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/acld.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/add-geodata.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/addrs.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/analyzer.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/ascii.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/average.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/benchmark.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/binary.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/bloom-filter.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/bro.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/broker.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/cardinality-counter.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/catch-and-release.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/comm.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/config.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/const-dos-error.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/const-nt-status.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/const.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/consts.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/contents.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/ct-list.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/data.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/dcc-send.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/debug.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/drop.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/email_admin.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/entities.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/event.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/exec.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/file_analysis.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/files.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/gridftp.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/hll_unique.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/hooks.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/inactivity.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/info.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/input.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/input.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/last.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/log.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/logging.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/magic) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/main.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/max.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/messaging.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/min.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/mozilla-ca-list.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/netstats.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/non-cluster.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/none.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/openflow.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/option.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/packetfilter.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/page.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/patterns.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/pcap.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/plugin.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/main.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/max.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/messaging.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/min.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/mozilla-ca-list.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/netstats.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/non-cluster.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/none.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/openflow.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/option.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/packetfilter.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/page.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/patterns.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/pcap.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/plugin.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/plugins) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/polling.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/pools.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/polling.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/pools.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/postprocessors) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/pp-alarms.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/raw.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/reporter.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/ryu.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/sample.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/scp.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/sftp.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/shunt.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/site.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/smb1-main.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/smb2-main.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/sqlite.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/stats.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/std-dev.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/store.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/store.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/strings.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/sum.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/thresholds.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/top-k.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/topk.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/types.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/unique.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/utils-commands.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/utils.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/variance.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/weird.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, <...>/__load__.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, <...>/__preload__.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, <...>/hooks.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/Bro_KRB.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/Bro_SNMP.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/active-http.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/addrs.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/pp-alarms.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/raw.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/reporter.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/ryu.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/sample.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/scp.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/sftp.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/shunt.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/site.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/smb1-main.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/smb2-main.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/sqlite.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/stats.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/std-dev.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/store.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/store.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/strings.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/sum.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/thresholds.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/top-k.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/topk.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/types.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/unique.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/utils-commands.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/utils.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/variance.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/weird.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/zeexygen.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, <...>/__load__.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, <...>/__preload__.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, <...>/hooks.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/Bro_KRB.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/Bro_SNMP.types.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/active-http.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/addrs.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/analyzer) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/analyzer.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/analyzer.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/bif) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/bro.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/bro.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/broker) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/cluster) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/comm.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/comm.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/config) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/conn) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/conn-ids.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/const.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/conn-ids.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/const.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/control) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/data.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/data.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/dce-rpc) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/dhcp) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/dir.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/directions-and-hosts.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/dir.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/directions-and-hosts.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/dnp3) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/dns) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/dpd) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/email.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/event.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/exec.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/email.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/event.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/exec.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/extract) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/file_analysis.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/file_analysis.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/files) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/files.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/find-checksum-offloading.bro) -> -1
-0.000000 MetaHookPost LoadFile(0, base<...>/find-filtered-trace.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/files.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/find-checksum-offloading.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/find-filtered-trace.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, base<...>/ftp) -> -1 
-0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/hash) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/hash_hrw.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/hash_hrw.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/http) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/imap) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/init-default.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/init-frameworks-and-bifs.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/init-default.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/init-frameworks-and-bifs.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/input) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/irc) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/json.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/json.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/krb) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/logging) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/main.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/messaging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/main.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/messaging.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/modbus) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/mysql) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/netcontrol) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/notice) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/ntlm) -> -1 -0.000000 MetaHookPost 
LoadFile(0, base<...>/numbers.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/numbers.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/openflow) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/option.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/option.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/packet-filter) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/paths.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/patterns.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/paths.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/patterns.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/pe) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/plugins) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/pop3) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/queue.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/queue.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/radius) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/rdp) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/reporter) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/reporter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/reporter.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/rfb) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/signatures) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/sip) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/site.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/site.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/smb) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/smtp) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/snmp) -> -1 
@@ -862,21 +870,21 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/software) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/ssh) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/ssl) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/stats.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/store.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/strings.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/strings.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/stats.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/store.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/strings.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/strings.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/sumstats) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/syslog) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/thresholds.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/time.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/thresholds.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/time.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/tunnels) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/types.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/unified2) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/urls.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/utils.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/version.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/weird.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/urls.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/utils.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/version.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/weird.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/x509) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/xmpp) -> -1 0.000000 MetaHookPost LoadFile(1, 
.<...>/archive.sig) -> -1 @@ -891,8 +899,8 @@ 0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> 0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false -0.000000 MetaHookPost QueueEvent(bro_init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false +0.000000 MetaHookPost QueueEvent(zeek_init()) -> false 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_INTERCONN)) 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) @@ -956,6 +964,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) 
@@ -1021,6 +1030,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_AYIYA, {5072/udp})) @@ -1049,6 +1059,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_VXLAN, {4789/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 
@@ -1068,15 +1079,15 @@ 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid, FTP::c{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::c?$ftp) return (FTP::describe(FTP::c$ftp))}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid, HTTP::c{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::c?$http) return (HTTP::build_url_http(HTTP::c$http))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre 
CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , 
SSL::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? 
SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, 
ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) @@ -1169,7 +1180,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 
@@ -1354,7 +1365,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1383,6 +1394,8 @@ 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (GridFTP::skip_data, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (HTTP::default_capture_password, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (HTTP::http_methods, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (HTTP::max_files_orig, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (HTTP::max_files_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, 
$old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (HTTP::proxy_headers, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Input::default_mode, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Input::default_reader, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 
@@ -1452,7 +1465,6 @@ 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugins, , ()) 0.000000 MetaHookPre CallFunction(Unified2::mappings_initialized, , ()) 0.000000 MetaHookPre CallFunction(Unified2::start_watching, , ()) -0.000000 MetaHookPre CallFunction(bro_init, , ()) 0.000000 MetaHookPre CallFunction(current_time, , ()) 0.000000 MetaHookPre CallFunction(filter_change_tracking, , ()) 0.000000 MetaHookPre CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) 
@@ -1464,292 +1476,296 @@ 0.000000 MetaHookPre CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) 0.000000 MetaHookPre CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) +0.000000 MetaHookPre CallFunction(zeek_init, , ()) 0.000000 MetaHookPre DrainEvents() -0.000000 MetaHookPre LoadFile(0, ..<...>/main.bro) -0.000000 MetaHookPre LoadFile(0, ..<...>/plugin.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ARP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BackDoor.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConfigReader.config.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNS.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_File.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileEntropy.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileExtract.events.bif.bro) -0.000000 MetaHookPre 
LoadFile(0, .<...>/Bro_FileExtract.functions.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileHash.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Finger.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_GSSAPI.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_GTPv1.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Gnutella.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ICMP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IMAP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IRC.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Ident.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_InterConn.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.functions.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MIME.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.consts.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NoneWriter.none.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_PE.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, 
.<...>/Bro_POP3.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RADIUS.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RFB.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RPC.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RawReader.raw.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SIP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.consts.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -0.000000 MetaHookPre LoadFile(0, 
.<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SOCKS.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SteppingStone.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Syslog.events.bif.bro) -0.000000 MetaHookPre 
LoadFile(0, .<...>/Bro_TCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_TCP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Teredo.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/Bro_XMPP.events.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/acld.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/add-geodata.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/addrs.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/analyzer.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/ascii.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/average.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/benchmark.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/binary.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/bloom-filter.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/bro.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/broker.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/broxygen.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/cardinality-counter.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/catch-and-release.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/comm.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/config.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/const-dos-error.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/const-nt-status.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/const.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/consts.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/contents.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/ct-list.bro) -0.000000 MetaHookPre 
LoadFile(0, .<...>/data.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/dcc-send.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/debug.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/drop.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/email_admin.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/entities.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/event.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/exec.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/file_analysis.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/files.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/gridftp.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/hll_unique.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/hooks.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/inactivity.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/info.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/input.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/input.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/last.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/log.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/logging.bif.bro) +0.000000 MetaHookPre LoadFile(0, ..<...>/main.zeek) +0.000000 MetaHookPre LoadFile(0, ..<...>/plugin.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ARP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BackDoor.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BitTorrent.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConfigReader.config.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.functions.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.zeek) +0.000000 
MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNP3.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNS.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.functions.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_File.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileEntropy.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileExtract.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileExtract.functions.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileHash.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Finger.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_GSSAPI.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_GTPv1.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Gnutella.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.functions.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ICMP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IMAP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IRC.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Ident.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_InterConn.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.functions.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MIME.events.bif.zeek) +0.000000 
MetaHookPre LoadFile(0, .<...>/Bro_Modbus.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MySQL.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.consts.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NoneWriter.none.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_PE.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_POP3.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RADIUS.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RFB.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RPC.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RawReader.raw.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SIP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.consts.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.zeek) +0.000000 MetaHookPre LoadFile(0, 
.<...>/Bro_SMB.smb1_com_nt_create_andx.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, 
.<...>/Bro_SMTP.functions.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SOCKS.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.consts.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.functions.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SteppingStone.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Syslog.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_TCP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_TCP.functions.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Teredo.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_UDP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_VXLAN.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.functions.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_XMPP.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/acld.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/add-geodata.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/addrs.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/analyzer.bif.zeek) +0.000000 MetaHookPre 
LoadFile(0, .<...>/ascii.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/average.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/benchmark.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/binary.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/bloom-filter.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/bro.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/broker.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/cardinality-counter.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/catch-and-release.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/comm.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/config.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/const-dos-error.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/const-nt-status.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/const.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/consts.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/contents.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/ct-list.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/data.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/dcc-send.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/debug.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/drop.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/email_admin.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/entities.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/event.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/exec.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/file_analysis.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/files.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/gridftp.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/hll_unique.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/hooks.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/inactivity.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/info.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/input.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/input.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/last.zeek) +0.000000 MetaHookPre LoadFile(0, 
.<...>/log.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/logging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, .<...>/magic) -0.000000 MetaHookPre LoadFile(0, .<...>/main.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/max.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/messaging.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/min.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/mozilla-ca-list.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/netstats.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/non-cluster.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/none.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/openflow.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/option.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/packetfilter.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/page.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/patterns.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/pcap.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/plugin.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/main.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/max.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/messaging.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/min.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/mozilla-ca-list.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/netstats.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/non-cluster.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/none.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/openflow.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/option.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/packetfilter.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/page.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/patterns.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/pcap.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/plugin.zeek) 0.000000 MetaHookPre LoadFile(0, .<...>/plugins) -0.000000 MetaHookPre LoadFile(0, .<...>/polling.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/pools.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/polling.zeek) 
+0.000000 MetaHookPre LoadFile(0, .<...>/pools.zeek) 0.000000 MetaHookPre LoadFile(0, .<...>/postprocessors) -0.000000 MetaHookPre LoadFile(0, .<...>/pp-alarms.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/raw.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/reporter.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/ryu.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/sample.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/scp.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/sftp.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/shunt.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/site.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/smb1-main.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/smb2-main.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/sqlite.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/stats.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/std-dev.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/store.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/store.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/strings.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/sum.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/thresholds.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/top-k.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/topk.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/types.bif.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/types.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/unique.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/utils-commands.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/utils.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/variance.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/weird.bro) -0.000000 MetaHookPre LoadFile(0, <...>/__load__.bro) -0.000000 MetaHookPre LoadFile(0, <...>/__preload__.bro) -0.000000 MetaHookPre LoadFile(0, <...>/hooks.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/Bro_KRB.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/Bro_SNMP.types.bif.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/active-http.bro) -0.000000 MetaHookPre 
LoadFile(0, base<...>/addrs.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/pp-alarms.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/raw.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/reporter.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/ryu.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/sample.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/scp.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/sftp.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/shunt.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/site.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/smb1-main.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/smb2-main.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/sqlite.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/stats.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/std-dev.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/store.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/store.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/strings.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/sum.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/thresholds.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/top-k.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/topk.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/types.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/unique.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/utils-commands.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/utils.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/variance.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/weird.zeek) +0.000000 MetaHookPre LoadFile(0, .<...>/zeexygen.bif.zeek) +0.000000 MetaHookPre LoadFile(0, <...>/__load__.zeek) +0.000000 MetaHookPre LoadFile(0, <...>/__preload__.zeek) +0.000000 MetaHookPre LoadFile(0, <...>/hooks.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/Bro_KRB.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/Bro_SNMP.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/active-http.zeek) 
+0.000000 MetaHookPre LoadFile(0, base<...>/addrs.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/analyzer) -0.000000 MetaHookPre LoadFile(0, base<...>/analyzer.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/analyzer.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/bif) -0.000000 MetaHookPre LoadFile(0, base<...>/bro.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/bro.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/broker) 0.000000 MetaHookPre LoadFile(0, base<...>/cluster) -0.000000 MetaHookPre LoadFile(0, base<...>/comm.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/comm.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/config) 0.000000 MetaHookPre LoadFile(0, base<...>/conn) -0.000000 MetaHookPre LoadFile(0, base<...>/conn-ids.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/const.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/conn-ids.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/const.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/control) -0.000000 MetaHookPre LoadFile(0, base<...>/data.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/data.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/dce-rpc) 0.000000 MetaHookPre LoadFile(0, base<...>/dhcp) -0.000000 MetaHookPre LoadFile(0, base<...>/dir.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/directions-and-hosts.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/dir.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/directions-and-hosts.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/dnp3) 0.000000 MetaHookPre LoadFile(0, base<...>/dns) 0.000000 MetaHookPre LoadFile(0, base<...>/dpd) -0.000000 MetaHookPre LoadFile(0, base<...>/email.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/event.bif.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/exec.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/email.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/event.bif.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/exec.zeek) 0.000000 MetaHookPre LoadFile(0, 
base<...>/extract) -0.000000 MetaHookPre LoadFile(0, base<...>/file_analysis.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/file_analysis.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/files) -0.000000 MetaHookPre LoadFile(0, base<...>/files.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/find-checksum-offloading.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/find-filtered-trace.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/files.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/find-checksum-offloading.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/find-filtered-trace.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/ftp) -0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/hash) -0.000000 MetaHookPre LoadFile(0, base<...>/hash_hrw.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/hash_hrw.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/http) 0.000000 MetaHookPre LoadFile(0, base<...>/imap) -0.000000 MetaHookPre LoadFile(0, base<...>/init-default.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/init-frameworks-and-bifs.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/init-default.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/init-frameworks-and-bifs.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/input) -0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/intel) 0.000000 MetaHookPre LoadFile(0, base<...>/irc) -0.000000 MetaHookPre LoadFile(0, base<...>/json.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/json.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/krb) 0.000000 MetaHookPre LoadFile(0, base<...>/logging) -0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/main.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/messaging.bif.bro) +0.000000 MetaHookPre 
LoadFile(0, base<...>/logging.bif.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/main.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/messaging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/modbus) 0.000000 MetaHookPre LoadFile(0, base<...>/mysql) 0.000000 MetaHookPre LoadFile(0, base<...>/netcontrol) 0.000000 MetaHookPre LoadFile(0, base<...>/notice) 0.000000 MetaHookPre LoadFile(0, base<...>/ntlm) -0.000000 MetaHookPre LoadFile(0, base<...>/numbers.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/numbers.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/openflow) -0.000000 MetaHookPre LoadFile(0, base<...>/option.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/option.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/packet-filter) -0.000000 MetaHookPre LoadFile(0, base<...>/paths.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/patterns.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/paths.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/patterns.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/pe) 0.000000 MetaHookPre LoadFile(0, base<...>/plugins) 0.000000 MetaHookPre LoadFile(0, base<...>/pop3) -0.000000 MetaHookPre LoadFile(0, base<...>/queue.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/queue.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/radius) 0.000000 MetaHookPre LoadFile(0, base<...>/rdp) 0.000000 MetaHookPre LoadFile(0, base<...>/reporter) -0.000000 MetaHookPre LoadFile(0, base<...>/reporter.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/reporter.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/rfb) 0.000000 MetaHookPre LoadFile(0, base<...>/signatures) 0.000000 MetaHookPre LoadFile(0, base<...>/sip) -0.000000 MetaHookPre LoadFile(0, base<...>/site.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/site.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/smb) 0.000000 MetaHookPre LoadFile(0, base<...>/smtp) 0.000000 MetaHookPre LoadFile(0, base<...>/snmp) 
@@ -1757,21 +1773,21 @@
 0.000000 MetaHookPre LoadFile(0, base<...>/software)
 0.000000 MetaHookPre LoadFile(0, base<...>/ssh)
 0.000000 MetaHookPre LoadFile(0, base<...>/ssl)
-0.000000 MetaHookPre LoadFile(0, base<...>/stats.bif.bro)
-0.000000 MetaHookPre LoadFile(0, base<...>/store.bif.bro)
-0.000000 MetaHookPre LoadFile(0, base<...>/strings.bif.bro)
-0.000000 MetaHookPre LoadFile(0, base<...>/strings.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/stats.bif.zeek)
+0.000000 MetaHookPre LoadFile(0, base<...>/store.bif.zeek)
+0.000000 MetaHookPre LoadFile(0, base<...>/strings.bif.zeek)
+0.000000 MetaHookPre LoadFile(0, base<...>/strings.zeek)
 0.000000 MetaHookPre LoadFile(0, base<...>/sumstats)
 0.000000 MetaHookPre LoadFile(0, base<...>/syslog)
-0.000000 MetaHookPre LoadFile(0, base<...>/thresholds.bro)
-0.000000 MetaHookPre LoadFile(0, base<...>/time.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/thresholds.zeek)
+0.000000 MetaHookPre LoadFile(0, base<...>/time.zeek)
 0.000000 MetaHookPre LoadFile(0, base<...>/tunnels)
-0.000000 MetaHookPre LoadFile(0, base<...>/types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/types.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, base<...>/unified2)
-0.000000 MetaHookPre LoadFile(0, base<...>/urls.bro)
-0.000000 MetaHookPre LoadFile(0, base<...>/utils.bro)
-0.000000 MetaHookPre LoadFile(0, base<...>/version.bro)
-0.000000 MetaHookPre LoadFile(0, base<...>/weird.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/urls.zeek)
+0.000000 MetaHookPre LoadFile(0, base<...>/utils.zeek)
+0.000000 MetaHookPre LoadFile(0, base<...>/version.zeek)
+0.000000 MetaHookPre LoadFile(0, base<...>/weird.zeek)
 0.000000 MetaHookPre LoadFile(0, base<...>/x509)
 0.000000 MetaHookPre LoadFile(0, base<...>/xmpp)
 0.000000 MetaHookPre LoadFile(1, .<...>/archive.sig)
@@ -1786,8 +1802,8 @@
 0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)})
 0.000000 MetaHookPre LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, )
 0.000000 MetaHookPre QueueEvent(NetControl::init())
-0.000000 MetaHookPre QueueEvent(bro_init())
 0.000000 MetaHookPre QueueEvent(filter_change_tracking())
+0.000000 MetaHookPre QueueEvent(zeek_init())
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_INTERCONN)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
@@ -1851,6 +1867,7 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
@@ -1916,6 +1933,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
@@ -1944,6 +1962,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {5223<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Cluster::is_enabled()
 0.000000 | HookCallFunction Cluster::local_node_type()
@@ -1962,15 +1981,15 @@ 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-ca-cert) 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-user-cert) 0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec}) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid, FTP::c{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::c?$ftp) return (FTP::describe(FTP::c$ftp))}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? 
HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid, HTTP::c{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::c?$http) return (HTTP::build_url_http(HTTP::c$http))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, 
[get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]) -0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction 
Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? 
SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Log::__add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, 
postprocessor=, config={}])
 0.000000 | HookCallFunction Log::__add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])
@@ -2063,7 +2082,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2248,7 +2267,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2277,6 +2296,8 @@
 0.000000 | HookCallFunction Option::set_change_handler(GridFTP::skip_data, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(HTTP::default_capture_password, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(HTTP::http_methods, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(HTTP::max_files_orig, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(HTTP::max_files_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(HTTP::proxy_headers, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(Input::default_mode, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(Input::default_reader, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)
@@ -2346,7 +2367,6 @@
 0.000000 | HookCallFunction SumStats::register_observe_plugins()
 0.000000 | HookCallFunction Unified2::mappings_initialized()
 0.000000 | HookCallFunction Unified2::start_watching()
-0.000000 | HookCallFunction bro_init()
 0.000000 | HookCallFunction current_time()
 0.000000 | HookCallFunction filter_change_tracking()
 0.000000 | HookCallFunction getenv(BRO_DEFAULT_LISTEN_ADDRESS)
@@ -2358,301 +2378,305 @@ 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) +0.000000 | HookCallFunction zeek_init() 0.000000 | HookDrainEvents -0.000000 | HookLoadFile ..<...>/main.bro -0.000000 | HookLoadFile ..<...>/plugin.bro -0.000000 | HookLoadFile .<...>/Bro_ARP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_AsciiReader.ascii.bif.bro -0.000000 | HookLoadFile .<...>/Bro_AsciiWriter.ascii.bif.bro -0.000000 | HookLoadFile .<...>/Bro_BackDoor.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_BenchmarkReader.benchmark.bif.bro -0.000000 | HookLoadFile .<...>/Bro_BinaryReader.binary.bif.bro -0.000000 | HookLoadFile .<...>/Bro_BitTorrent.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_ConfigReader.config.bif.bro -0.000000 | HookLoadFile .<...>/Bro_ConnSize.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_ConnSize.functions.bif.bro -0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.consts.bif.bro -0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.types.bif.bro -0.000000 | HookLoadFile .<...>/Bro_DHCP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_DHCP.types.bif.bro -0.000000 | HookLoadFile .<...>/Bro_DNP3.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_DNS.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_FTP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_FTP.functions.bif.bro -0.000000 | HookLoadFile .<...>/Bro_File.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_FileEntropy.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_FileExtract.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_FileExtract.functions.bif.bro -0.000000 | HookLoadFile .<...>/Bro_FileHash.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_Finger.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_GSSAPI.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_GTPv1.events.bif.bro -0.000000 | 
HookLoadFile .<...>/Bro_Gnutella.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_HTTP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_HTTP.functions.bif.bro -0.000000 | HookLoadFile .<...>/Bro_ICMP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_IMAP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_IRC.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_Ident.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_InterConn.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_KRB.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_KRB.types.bif.bro -0.000000 | HookLoadFile .<...>/Bro_Login.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_Login.functions.bif.bro -0.000000 | HookLoadFile .<...>/Bro_MIME.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_Modbus.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_MySQL.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_NCP.consts.bif.bro -0.000000 | HookLoadFile .<...>/Bro_NCP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_NTLM.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_NTLM.types.bif.bro -0.000000 | HookLoadFile .<...>/Bro_NTP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_NetBIOS.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_NetBIOS.functions.bif.bro -0.000000 | HookLoadFile .<...>/Bro_NoneWriter.none.bif.bro -0.000000 | HookLoadFile .<...>/Bro_PE.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_POP3.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_RADIUS.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_RDP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_RDP.types.bif.bro -0.000000 | HookLoadFile .<...>/Bro_RFB.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_RPC.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_RawReader.raw.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SIP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.consts.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_check_directory.bif.bro -0.000000 | 
HookLoadFile .<...>/Bro_SMB.smb1_com_close.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_create_directory.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_echo.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_negotiate.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_query_information.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_read_andx.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_write_andx.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_close.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_create.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_negotiate.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_read.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_session_setup.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_set_info.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_write.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMB.types.bif.bro -0.000000 | HookLoadFile 
.<...>/Bro_SMTP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SMTP.functions.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SNMP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SNMP.types.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SOCKS.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SQLiteReader.sqlite.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SQLiteWriter.sqlite.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SSH.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SSH.types.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SSL.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SSL.functions.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SSL.types.bif.bro -0.000000 | HookLoadFile .<...>/Bro_SteppingStone.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_Syslog.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_TCP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_TCP.functions.bif.bro -0.000000 | HookLoadFile .<...>/Bro_Teredo.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_UDP.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_Unified2.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_Unified2.types.bif.bro -0.000000 | HookLoadFile .<...>/Bro_X509.events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_X509.functions.bif.bro -0.000000 | HookLoadFile .<...>/Bro_X509.ocsp_events.bif.bro -0.000000 | HookLoadFile .<...>/Bro_X509.types.bif.bro -0.000000 | HookLoadFile .<...>/Bro_XMPP.events.bif.bro -0.000000 | HookLoadFile .<...>/acld.bro -0.000000 | HookLoadFile .<...>/add-geodata.bro -0.000000 | HookLoadFile .<...>/addrs.bro -0.000000 | HookLoadFile .<...>/analyzer.bif.bro +0.000000 | HookLoadFile ..<...>/main.zeek +0.000000 | HookLoadFile ..<...>/plugin.zeek +0.000000 | HookLoadFile .<...>/Bro_ARP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_AsciiReader.ascii.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_AsciiWriter.ascii.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_BackDoor.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_BenchmarkReader.benchmark.bif.zeek 
+0.000000 | HookLoadFile .<...>/Bro_BinaryReader.binary.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_BitTorrent.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_ConfigReader.config.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_ConnSize.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_ConnSize.functions.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.consts.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.types.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_DHCP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_DHCP.types.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_DNP3.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_DNS.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_FTP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_FTP.functions.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_File.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_FileEntropy.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_FileExtract.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_FileExtract.functions.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_FileHash.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_Finger.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_GSSAPI.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_GTPv1.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_Gnutella.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_HTTP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_HTTP.functions.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_ICMP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_IMAP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_IRC.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_Ident.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_InterConn.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_KRB.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_KRB.types.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_Login.events.bif.zeek +0.000000 | HookLoadFile 
.<...>/Bro_Login.functions.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_MIME.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_Modbus.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_MySQL.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_NCP.consts.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_NCP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_NTLM.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_NTLM.types.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_NTP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_NetBIOS.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_NetBIOS.functions.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_NoneWriter.none.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_PE.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_POP3.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_RADIUS.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_RDP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_RDP.types.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_RFB.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_RPC.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_RawReader.raw.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SIP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.consts.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_check_directory.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_close.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_create_directory.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_echo.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_logoff_andx.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_negotiate.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_cancel.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_query_information.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_read_andx.bif.zeek 
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_write_andx.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_close.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_create.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_negotiate.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_read.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_session_setup.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_set_info.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_transform_header.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_connect.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_write.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMB.types.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMTP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SMTP.functions.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SNMP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SNMP.types.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SOCKS.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SQLiteReader.sqlite.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SQLiteWriter.sqlite.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SSH.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SSH.types.bif.zeek +0.000000 | 
HookLoadFile .<...>/Bro_SSL.consts.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SSL.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SSL.functions.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SSL.types.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_SteppingStone.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_Syslog.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_TCP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_TCP.functions.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_Teredo.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_UDP.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_Unified2.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_Unified2.types.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_VXLAN.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_X509.events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_X509.functions.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_X509.ocsp_events.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_X509.types.bif.zeek +0.000000 | HookLoadFile .<...>/Bro_XMPP.events.bif.zeek +0.000000 | HookLoadFile .<...>/acld.zeek +0.000000 | HookLoadFile .<...>/add-geodata.zeek +0.000000 | HookLoadFile .<...>/addrs.zeek +0.000000 | HookLoadFile .<...>/analyzer.bif.zeek 0.000000 | HookLoadFile .<...>/archive.sig -0.000000 | HookLoadFile .<...>/ascii.bro +0.000000 | HookLoadFile .<...>/ascii.zeek 0.000000 | HookLoadFile .<...>/audio.sig -0.000000 | HookLoadFile .<...>/average.bro -0.000000 | HookLoadFile .<...>/benchmark.bro -0.000000 | HookLoadFile .<...>/binary.bro -0.000000 | HookLoadFile .<...>/bloom-filter.bif.bro -0.000000 | HookLoadFile .<...>/bro.bif.bro -0.000000 | HookLoadFile .<...>/broker.bro -0.000000 | HookLoadFile .<...>/broxygen.bif.bro -0.000000 | HookLoadFile .<...>/cardinality-counter.bif.bro -0.000000 | HookLoadFile .<...>/catch-and-release.bro -0.000000 | HookLoadFile .<...>/comm.bif.bro -0.000000 | HookLoadFile .<...>/config.bro -0.000000 | HookLoadFile .<...>/const-dos-error.bro -0.000000 | HookLoadFile 
.<...>/const-nt-status.bro -0.000000 | HookLoadFile .<...>/const.bif.bro -0.000000 | HookLoadFile .<...>/consts.bro -0.000000 | HookLoadFile .<...>/contents.bro -0.000000 | HookLoadFile .<...>/ct-list.bro -0.000000 | HookLoadFile .<...>/data.bif.bro -0.000000 | HookLoadFile .<...>/dcc-send.bro -0.000000 | HookLoadFile .<...>/debug.bro +0.000000 | HookLoadFile .<...>/average.zeek +0.000000 | HookLoadFile .<...>/benchmark.zeek +0.000000 | HookLoadFile .<...>/binary.zeek +0.000000 | HookLoadFile .<...>/bloom-filter.bif.zeek +0.000000 | HookLoadFile .<...>/bro.bif.zeek +0.000000 | HookLoadFile .<...>/broker.zeek +0.000000 | HookLoadFile .<...>/cardinality-counter.bif.zeek +0.000000 | HookLoadFile .<...>/catch-and-release.zeek +0.000000 | HookLoadFile .<...>/comm.bif.zeek +0.000000 | HookLoadFile .<...>/config.zeek +0.000000 | HookLoadFile .<...>/const-dos-error.zeek +0.000000 | HookLoadFile .<...>/const-nt-status.zeek +0.000000 | HookLoadFile .<...>/const.bif.zeek +0.000000 | HookLoadFile .<...>/consts.zeek +0.000000 | HookLoadFile .<...>/contents.zeek +0.000000 | HookLoadFile .<...>/ct-list.zeek +0.000000 | HookLoadFile .<...>/data.bif.zeek +0.000000 | HookLoadFile .<...>/dcc-send.zeek +0.000000 | HookLoadFile .<...>/debug.zeek 0.000000 | HookLoadFile .<...>/dpd.sig -0.000000 | HookLoadFile .<...>/drop.bro -0.000000 | HookLoadFile .<...>/email_admin.bro -0.000000 | HookLoadFile .<...>/entities.bro -0.000000 | HookLoadFile .<...>/event.bif.bro -0.000000 | HookLoadFile .<...>/exec.bro -0.000000 | HookLoadFile .<...>/file_analysis.bif.bro -0.000000 | HookLoadFile .<...>/files.bro +0.000000 | HookLoadFile .<...>/drop.zeek +0.000000 | HookLoadFile .<...>/email_admin.zeek +0.000000 | HookLoadFile .<...>/entities.zeek +0.000000 | HookLoadFile .<...>/event.bif.zeek +0.000000 | HookLoadFile .<...>/exec.zeek +0.000000 | HookLoadFile .<...>/file_analysis.bif.zeek +0.000000 | HookLoadFile .<...>/files.zeek 0.000000 | HookLoadFile .<...>/font.sig 0.000000 | HookLoadFile 
.<...>/general.sig -0.000000 | HookLoadFile .<...>/gridftp.bro -0.000000 | HookLoadFile .<...>/hll_unique.bro -0.000000 | HookLoadFile .<...>/hooks.bif.bro +0.000000 | HookLoadFile .<...>/gridftp.zeek +0.000000 | HookLoadFile .<...>/hll_unique.zeek +0.000000 | HookLoadFile .<...>/hooks.bif.zeek 0.000000 | HookLoadFile .<...>/image.sig -0.000000 | HookLoadFile .<...>/inactivity.bro -0.000000 | HookLoadFile .<...>/info.bro -0.000000 | HookLoadFile .<...>/input.bif.bro -0.000000 | HookLoadFile .<...>/input.bro -0.000000 | HookLoadFile .<...>/last.bro +0.000000 | HookLoadFile .<...>/inactivity.zeek +0.000000 | HookLoadFile .<...>/info.zeek +0.000000 | HookLoadFile .<...>/input.bif.zeek +0.000000 | HookLoadFile .<...>/input.zeek +0.000000 | HookLoadFile .<...>/last.zeek 0.000000 | HookLoadFile .<...>/libmagic.sig -0.000000 | HookLoadFile .<...>/log.bro -0.000000 | HookLoadFile .<...>/logging.bif.bro +0.000000 | HookLoadFile .<...>/log.zeek +0.000000 | HookLoadFile .<...>/logging.bif.zeek 0.000000 | HookLoadFile .<...>/magic -0.000000 | HookLoadFile .<...>/main.bro -0.000000 | HookLoadFile .<...>/max.bro -0.000000 | HookLoadFile .<...>/messaging.bif.bro -0.000000 | HookLoadFile .<...>/min.bro -0.000000 | HookLoadFile .<...>/mozilla-ca-list.bro +0.000000 | HookLoadFile .<...>/main.zeek +0.000000 | HookLoadFile .<...>/max.zeek +0.000000 | HookLoadFile .<...>/messaging.bif.zeek +0.000000 | HookLoadFile .<...>/min.zeek +0.000000 | HookLoadFile .<...>/mozilla-ca-list.zeek 0.000000 | HookLoadFile .<...>/msoffice.sig -0.000000 | HookLoadFile .<...>/netstats.bro -0.000000 | HookLoadFile .<...>/non-cluster.bro -0.000000 | HookLoadFile .<...>/none.bro -0.000000 | HookLoadFile .<...>/openflow.bro -0.000000 | HookLoadFile .<...>/option.bif.bro -0.000000 | HookLoadFile .<...>/packetfilter.bro -0.000000 | HookLoadFile .<...>/page.bro -0.000000 | HookLoadFile .<...>/patterns.bro -0.000000 | HookLoadFile .<...>/pcap.bif.bro -0.000000 | HookLoadFile .<...>/plugin.bro +0.000000 | 
HookLoadFile .<...>/netstats.zeek +0.000000 | HookLoadFile .<...>/non-cluster.zeek +0.000000 | HookLoadFile .<...>/none.zeek +0.000000 | HookLoadFile .<...>/openflow.zeek +0.000000 | HookLoadFile .<...>/option.bif.zeek +0.000000 | HookLoadFile .<...>/packetfilter.zeek +0.000000 | HookLoadFile .<...>/page.zeek +0.000000 | HookLoadFile .<...>/patterns.zeek +0.000000 | HookLoadFile .<...>/pcap.bif.zeek +0.000000 | HookLoadFile .<...>/plugin.zeek 0.000000 | HookLoadFile .<...>/plugins -0.000000 | HookLoadFile .<...>/polling.bro -0.000000 | HookLoadFile .<...>/pools.bro +0.000000 | HookLoadFile .<...>/polling.zeek +0.000000 | HookLoadFile .<...>/pools.zeek 0.000000 | HookLoadFile .<...>/postprocessors -0.000000 | HookLoadFile .<...>/pp-alarms.bro -0.000000 | HookLoadFile .<...>/raw.bro -0.000000 | HookLoadFile .<...>/reporter.bif.bro -0.000000 | HookLoadFile .<...>/ryu.bro -0.000000 | HookLoadFile .<...>/sample.bro -0.000000 | HookLoadFile .<...>/scp.bro -0.000000 | HookLoadFile .<...>/sftp.bro -0.000000 | HookLoadFile .<...>/shunt.bro -0.000000 | HookLoadFile .<...>/site.bro -0.000000 | HookLoadFile .<...>/smb1-main.bro -0.000000 | HookLoadFile .<...>/smb2-main.bro -0.000000 | HookLoadFile .<...>/sqlite.bro -0.000000 | HookLoadFile .<...>/stats.bif.bro -0.000000 | HookLoadFile .<...>/std-dev.bro -0.000000 | HookLoadFile .<...>/store.bif.bro -0.000000 | HookLoadFile .<...>/store.bro -0.000000 | HookLoadFile .<...>/strings.bif.bro -0.000000 | HookLoadFile .<...>/sum.bro -0.000000 | HookLoadFile .<...>/thresholds.bro -0.000000 | HookLoadFile .<...>/top-k.bif.bro -0.000000 | HookLoadFile .<...>/topk.bro -0.000000 | HookLoadFile .<...>/types.bif.bro -0.000000 | HookLoadFile .<...>/types.bro -0.000000 | HookLoadFile .<...>/unique.bro -0.000000 | HookLoadFile .<...>/utils-commands.bro -0.000000 | HookLoadFile .<...>/utils.bro -0.000000 | HookLoadFile .<...>/variance.bro +0.000000 | HookLoadFile .<...>/pp-alarms.zeek +0.000000 | HookLoadFile .<...>/raw.zeek +0.000000 | 
HookLoadFile .<...>/reporter.bif.zeek +0.000000 | HookLoadFile .<...>/ryu.zeek +0.000000 | HookLoadFile .<...>/sample.zeek +0.000000 | HookLoadFile .<...>/scp.zeek +0.000000 | HookLoadFile .<...>/sftp.zeek +0.000000 | HookLoadFile .<...>/shunt.zeek +0.000000 | HookLoadFile .<...>/site.zeek +0.000000 | HookLoadFile .<...>/smb1-main.zeek +0.000000 | HookLoadFile .<...>/smb2-main.zeek +0.000000 | HookLoadFile .<...>/sqlite.zeek +0.000000 | HookLoadFile .<...>/stats.bif.zeek +0.000000 | HookLoadFile .<...>/std-dev.zeek +0.000000 | HookLoadFile .<...>/store.bif.zeek +0.000000 | HookLoadFile .<...>/store.zeek +0.000000 | HookLoadFile .<...>/strings.bif.zeek +0.000000 | HookLoadFile .<...>/sum.zeek +0.000000 | HookLoadFile .<...>/thresholds.zeek +0.000000 | HookLoadFile .<...>/top-k.bif.zeek +0.000000 | HookLoadFile .<...>/topk.zeek +0.000000 | HookLoadFile .<...>/types.bif.zeek +0.000000 | HookLoadFile .<...>/types.zeek +0.000000 | HookLoadFile .<...>/unique.zeek +0.000000 | HookLoadFile .<...>/utils-commands.zeek +0.000000 | HookLoadFile .<...>/utils.zeek +0.000000 | HookLoadFile .<...>/variance.zeek 0.000000 | HookLoadFile .<...>/video.sig -0.000000 | HookLoadFile .<...>/weird.bro -0.000000 | HookLoadFile <...>/__load__.bro -0.000000 | HookLoadFile <...>/__preload__.bro -0.000000 | HookLoadFile <...>/hooks.bro -0.000000 | HookLoadFile base<...>/Bro_KRB.types.bif.bro -0.000000 | HookLoadFile base<...>/Bro_SNMP.types.bif.bro -0.000000 | HookLoadFile base<...>/active-http.bro -0.000000 | HookLoadFile base<...>/addrs.bro +0.000000 | HookLoadFile .<...>/weird.zeek +0.000000 | HookLoadFile .<...>/zeexygen.bif.zeek +0.000000 | HookLoadFile <...>/__load__.zeek +0.000000 | HookLoadFile <...>/__preload__.zeek +0.000000 | HookLoadFile <...>/hooks.zeek +0.000000 | HookLoadFile base<...>/Bro_KRB.types.bif.zeek +0.000000 | HookLoadFile base<...>/Bro_SNMP.types.bif.zeek +0.000000 | HookLoadFile base<...>/active-http.zeek +0.000000 | HookLoadFile base<...>/addrs.zeek 0.000000 | 
HookLoadFile base<...>/analyzer -0.000000 | HookLoadFile base<...>/analyzer.bif.bro +0.000000 | HookLoadFile base<...>/analyzer.bif.zeek 0.000000 | HookLoadFile base<...>/bif -0.000000 | HookLoadFile base<...>/bro.bif.bro +0.000000 | HookLoadFile base<...>/bro.bif.zeek 0.000000 | HookLoadFile base<...>/broker 0.000000 | HookLoadFile base<...>/cluster -0.000000 | HookLoadFile base<...>/comm.bif.bro +0.000000 | HookLoadFile base<...>/comm.bif.zeek 0.000000 | HookLoadFile base<...>/config 0.000000 | HookLoadFile base<...>/conn -0.000000 | HookLoadFile base<...>/conn-ids.bro -0.000000 | HookLoadFile base<...>/const.bif.bro +0.000000 | HookLoadFile base<...>/conn-ids.zeek +0.000000 | HookLoadFile base<...>/const.bif.zeek 0.000000 | HookLoadFile base<...>/control -0.000000 | HookLoadFile base<...>/data.bif.bro +0.000000 | HookLoadFile base<...>/data.bif.zeek 0.000000 | HookLoadFile base<...>/dce-rpc 0.000000 | HookLoadFile base<...>/dhcp -0.000000 | HookLoadFile base<...>/dir.bro -0.000000 | HookLoadFile base<...>/directions-and-hosts.bro +0.000000 | HookLoadFile base<...>/dir.zeek +0.000000 | HookLoadFile base<...>/directions-and-hosts.zeek 0.000000 | HookLoadFile base<...>/dnp3 0.000000 | HookLoadFile base<...>/dns 0.000000 | HookLoadFile base<...>/dpd -0.000000 | HookLoadFile base<...>/email.bro -0.000000 | HookLoadFile base<...>/event.bif.bro -0.000000 | HookLoadFile base<...>/exec.bro +0.000000 | HookLoadFile base<...>/email.zeek +0.000000 | HookLoadFile base<...>/event.bif.zeek +0.000000 | HookLoadFile base<...>/exec.zeek 0.000000 | HookLoadFile base<...>/extract -0.000000 | HookLoadFile base<...>/file_analysis.bif.bro +0.000000 | HookLoadFile base<...>/file_analysis.bif.zeek 0.000000 | HookLoadFile base<...>/files -0.000000 | HookLoadFile base<...>/files.bro -0.000000 | HookLoadFile base<...>/find-checksum-offloading.bro -0.000000 | HookLoadFile base<...>/find-filtered-trace.bro +0.000000 | HookLoadFile base<...>/files.zeek +0.000000 | HookLoadFile 
base<...>/find-checksum-offloading.zeek +0.000000 | HookLoadFile base<...>/find-filtered-trace.zeek 0.000000 | HookLoadFile base<...>/ftp -0.000000 | HookLoadFile base<...>/geoip-distance.bro +0.000000 | HookLoadFile base<...>/geoip-distance.zeek 0.000000 | HookLoadFile base<...>/hash -0.000000 | HookLoadFile base<...>/hash_hrw.bro +0.000000 | HookLoadFile base<...>/hash_hrw.zeek 0.000000 | HookLoadFile base<...>/http 0.000000 | HookLoadFile base<...>/imap -0.000000 | HookLoadFile base<...>/init-default.bro -0.000000 | HookLoadFile base<...>/init-frameworks-and-bifs.bro +0.000000 | HookLoadFile base<...>/init-default.zeek +0.000000 | HookLoadFile base<...>/init-frameworks-and-bifs.zeek 0.000000 | HookLoadFile base<...>/input -0.000000 | HookLoadFile base<...>/input.bif.bro +0.000000 | HookLoadFile base<...>/input.bif.zeek 0.000000 | HookLoadFile base<...>/intel 0.000000 | HookLoadFile base<...>/irc -0.000000 | HookLoadFile base<...>/json.bro +0.000000 | HookLoadFile base<...>/json.zeek 0.000000 | HookLoadFile base<...>/krb 0.000000 | HookLoadFile base<...>/logging -0.000000 | HookLoadFile base<...>/logging.bif.bro -0.000000 | HookLoadFile base<...>/main.bro -0.000000 | HookLoadFile base<...>/messaging.bif.bro +0.000000 | HookLoadFile base<...>/logging.bif.zeek +0.000000 | HookLoadFile base<...>/main.zeek +0.000000 | HookLoadFile base<...>/messaging.bif.zeek 0.000000 | HookLoadFile base<...>/modbus 0.000000 | HookLoadFile base<...>/mysql 0.000000 | HookLoadFile base<...>/netcontrol 0.000000 | HookLoadFile base<...>/notice 0.000000 | HookLoadFile base<...>/ntlm -0.000000 | HookLoadFile base<...>/numbers.bro +0.000000 | HookLoadFile base<...>/numbers.zeek 0.000000 | HookLoadFile base<...>/openflow -0.000000 | HookLoadFile base<...>/option.bif.bro +0.000000 | HookLoadFile base<...>/option.bif.zeek 0.000000 | HookLoadFile base<...>/packet-filter -0.000000 | HookLoadFile base<...>/paths.bro -0.000000 | HookLoadFile base<...>/patterns.bro +0.000000 | HookLoadFile 
base<...>/paths.zeek +0.000000 | HookLoadFile base<...>/patterns.zeek 0.000000 | HookLoadFile base<...>/pe 0.000000 | HookLoadFile base<...>/plugins 0.000000 | HookLoadFile base<...>/pop3 -0.000000 | HookLoadFile base<...>/queue.bro +0.000000 | HookLoadFile base<...>/queue.zeek 0.000000 | HookLoadFile base<...>/radius 0.000000 | HookLoadFile base<...>/rdp 0.000000 | HookLoadFile base<...>/reporter -0.000000 | HookLoadFile base<...>/reporter.bif.bro +0.000000 | HookLoadFile base<...>/reporter.bif.zeek 0.000000 | HookLoadFile base<...>/rfb 0.000000 | HookLoadFile base<...>/signatures 0.000000 | HookLoadFile base<...>/sip -0.000000 | HookLoadFile base<...>/site.bro +0.000000 | HookLoadFile base<...>/site.zeek 0.000000 | HookLoadFile base<...>/smb 0.000000 | HookLoadFile base<...>/smtp 0.000000 | HookLoadFile base<...>/snmp 
@@ -2660,28 +2684,28 @@ 0.000000 | HookLoadFile base<...>/software 0.000000 | HookLoadFile base<...>/ssh 0.000000 | HookLoadFile base<...>/ssl -0.000000 | HookLoadFile base<...>/stats.bif.bro -0.000000 | HookLoadFile base<...>/store.bif.bro -0.000000 | HookLoadFile base<...>/strings.bif.bro -0.000000 | HookLoadFile base<...>/strings.bro +0.000000 | HookLoadFile base<...>/stats.bif.zeek +0.000000 | HookLoadFile base<...>/store.bif.zeek +0.000000 | HookLoadFile base<...>/strings.bif.zeek +0.000000 | HookLoadFile base<...>/strings.zeek 0.000000 | HookLoadFile base<...>/sumstats 0.000000 | HookLoadFile base<...>/syslog -0.000000 | HookLoadFile base<...>/thresholds.bro -0.000000 | HookLoadFile base<...>/time.bro +0.000000 | HookLoadFile base<...>/thresholds.zeek +0.000000 | HookLoadFile base<...>/time.zeek 0.000000 | HookLoadFile base<...>/tunnels -0.000000 | HookLoadFile base<...>/types.bif.bro +0.000000 | HookLoadFile base<...>/types.bif.zeek 0.000000 | HookLoadFile base<...>/unified2 -0.000000 | HookLoadFile base<...>/urls.bro -0.000000 | HookLoadFile base<...>/utils.bro -0.000000 | HookLoadFile base<...>/version.bro -0.000000 | HookLoadFile base<...>/weird.bro +0.000000 | HookLoadFile base<...>/urls.zeek +0.000000 | HookLoadFile base<...>/utils.zeek +0.000000 | HookLoadFile base<...>/version.zeek +0.000000 | HookLoadFile base<...>/weird.zeek 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() -0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() +0.000000 | HookQueueEvent zeek_init() 1362692526.869344 MetaHookPost BroObjDtor() -> 
1362692526.869344 MetaHookPost CallFunction(ChecksumOffloading::check, , ()) -> 1362692526.869344 MetaHookPost CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) -> 
@@ -2742,24 +2766,24 @@ 1362692526.939378 | HookDrainEvents 1362692526.939527 MetaHookPost CallFunction(Analyzer::__name, , (Analyzer::ANALYZER_HTTP)) -> 1362692526.939527 MetaHookPost CallFunction(Analyzer::name, , (Analyzer::ANALYZER_HTTP)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692526.939527 MetaHookPost CallFunction(HTTP::new_http_session, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, 
vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, 
username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, 
state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692526.939527 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692526.939527 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 1362692526.939527 MetaHookPost CallFunction(fmt, , (-%s, HTTP)) -> -1362692526.939527 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> 1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> -1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, 
socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> -1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> -1362692526.939527 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, 
current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> +1362692526.939527 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> 1362692526.939527 MetaHookPost CallFunction(http_request, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> 1362692526.939527 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692526.939527 MetaHookPost 
CallFunction(network_time, , ()) -> 
@@ -2774,30 +2798,30 @@ 1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false 1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> false 1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> false -1362692526.939527 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false +1362692526.939527 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false 1362692526.939527 MetaHookPost QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false 1362692526.939527 MetaHookPost QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, 
dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> false 1362692526.939527 MetaHookPost UpdateNetworkTime(1362692526.939527) -> 1362692526.939527 MetaHookPre CallFunction(Analyzer::__name, , (Analyzer::ANALYZER_HTTP)) 1362692526.939527 MetaHookPre CallFunction(Analyzer::name, , (Analyzer::ANALYZER_HTTP)) -1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre CallFunction(HTTP::new_http_session, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, 
l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre 
CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 
T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) 1362692526.939527 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 1362692526.939527 MetaHookPre CallFunction(fmt, , (-%s, HTTP)) -1362692526.939527 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_begin_entity, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) 1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, 
current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -1362692526.939527 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, 
orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) +1362692526.939527 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) 1362692526.939527 MetaHookPre CallFunction(http_request, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) 1362692526.939527 
MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692526.939527 MetaHookPre CallFunction(network_time, , ()) 
@@ -2812,31 +2836,31 @@ 1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) 1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) 1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -1362692526.939527 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, 
orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) +1362692526.939527 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) 1362692526.939527 MetaHookPre QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) 1362692526.939527 MetaHookPre QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) 1362692526.939527 MetaHookPre UpdateNetworkTime(1362692526.939527) 1362692526.939527 | HookUpdateNetworkTime 1362692526.939527 1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP) 1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP) -1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, 
num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, 
version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, 
request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) 1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 1362692526.939527 | HookCallFunction fmt(-%s, HTTP) -1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*) 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)) -1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive) -1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) -1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) +1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, 
syslog=], T, CONNECTION, Keep-Alive) +1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) +1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) 1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1) 1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692526.939527 | HookCallFunction network_time() 
@@ -2851,7 +2875,7 @@ 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)) 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive) 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) -1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, 
resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) +1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) 1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1) 1362692526.939527 | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, 
sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) 1362692527.008509 MetaHookPost DrainEvents() -> 
@@ -2862,142 +2886,142 @@ 1362692527.008509 | HookDrainEvents 1362692527.009512 MetaHookPost CallFunction(Files::__enable_reassembly, , (FakNcS1Jfe01uljb3)) -> 1362692527.009512 MetaHookPost CallFunction(Files::__set_reassembly_buffer, , (FakNcS1Jfe01uljb3, 524288)) -> -1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, 
resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) -> +1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, 
info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) -> 1362692527.009512 MetaHookPost 
CallFunction(HTTP::code_in_range, , (200, 100, 199)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, 
smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, 
snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009512 MetaHookPost CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, 
resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, 
total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692527.009512 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> +1362692527.009512 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost 
CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 
F, CONNECTION, Keep-Alive)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> 1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> 1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> -1362692527.009512 MetaHookPost CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> +1362692527.009512 MetaHookPost CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> 1362692527.009512 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009512 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009512 MetaHookPost CallFunction(split_string_all, , (HTTP, <...>/)) -> 1362692527.009512 MetaHookPost DrainEvents() -> -1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, 
resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> false -1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009512 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> false -1362692527.009512 MetaHookPost 
QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false +1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> false +1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, 
username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> false 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], 
irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> false 1362692527.009512 MetaHookPost UpdateNetworkTime(1362692527.009512) -> 1362692527.009512 MetaHookPre CallFunction(Files::__enable_reassembly, , (FakNcS1Jfe01uljb3)) 1362692527.009512 MetaHookPre CallFunction(Files::__set_reassembly_buffer, , (FakNcS1Jfe01uljb3, 524288)) -1362692527.009512 MetaHookPre CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, 
info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, 
smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) +1362692527.009512 MetaHookPre CallFunction(Files::enable_reassembly, , 
([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, 
seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, 
resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) 1362692527.009512 MetaHookPre CallFunction(HTTP::code_in_range, , (200, 100, 199)) -1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009512 MetaHookPre CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
+1362692527.009512 MetaHookPre CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692527.009512 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) +1362692527.009512 MetaHookPre 
CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 
F, ACCEPT-RANGES, bytes)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, 
sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) 1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) 1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -1362692527.009512 MetaHookPre CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) +1362692527.009512 MetaHookPre CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009512 MetaHookPre CallFunction(set_file_handle, , 
(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009512 MetaHookPre CallFunction(split_string_all, , (HTTP, <...>/)) 1362692527.009512 MetaHookPre DrainEvents() -1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 
(darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) +1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, 
conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, 
orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, 
resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, 
current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) 1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) 1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -1362692527.009512 MetaHookPre QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 
(darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) +1362692527.009512 MetaHookPre QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre UpdateNetworkTime(1362692527.009512) 1362692527.009512 | HookUpdateNetworkTime 1362692527.009512 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3) 1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 524288) -1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], 
orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, 
password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, 
filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288) +1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, 
resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, 
response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288) 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199) -1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, 
password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, 
current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) -1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, 
[id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) -1362692527.009512 | HookCallFunction 
http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 
2012 23:49:27 GMT) +1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, 
socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, 
trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)) 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8) -1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) +1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) 1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009512 | HookCallFunction 
split_string_all(HTTP, <...>/) 1362692527.009512 | HookDrainEvents -1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, 
resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, 
resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) +1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | 
HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) +1362692527.009512 | HookQueueEvent 
http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") +1362692527.009512 | 
HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)) 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8) -1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, 
current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) +1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) 1362692527.009721 MetaHookPost DrainEvents() -> 1362692527.009721 MetaHookPost UpdateNetworkTime(1362692527.009721) -> 1362692527.009721 MetaHookPre DrainEvents() 
@@ -3010,7 +3034,7 @@ 1362692527.009765 MetaHookPre UpdateNetworkTime(1362692527.009765) 1362692527.009765 | HookUpdateNetworkTime 1362692527.009765 1362692527.009765 | HookDrainEvents -1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::code_in_range, , (200, 100, 199)) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 
@@ -3030,16 +3054,16 @@ 1362692527.009775 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost DrainEvents() -> 1362692527.009775 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}) -> -1362692527.009775 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) -> +1362692527.009775 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 30, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), 
status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) -> 1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, ) -> true -1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) -> true +1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 30, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), 
version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) -> true 1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> false 1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> false 1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false 1362692527.009775 MetaHookPost UpdateNetworkTime(1362692527.009775) -> -1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) +1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(HTTP::code_in_range, , (200, 100, 199)) 1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, 
resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -3059,9 +3083,9 @@ 1362692527.009775 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre DrainEvents() 1362692527.009775 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}) -1362692527.009775 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) +1362692527.009775 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 30, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), status_code (count), 
status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) 1362692527.009775 MetaHookPre LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, ) -1362692527.009775 MetaHookPre LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) +1362692527.009775 MetaHookPre LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 30, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin 
(string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) 1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -3069,7 +3093,7 @@ 1362692527.009775 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre UpdateNetworkTime(1362692527.009775) 1362692527.009775 | HookUpdateNetworkTime 1362692527.009775 -1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) +1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], 
orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199) 1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 
@@ -3089,7 +3113,7 @@ 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookDrainEvents 1362692527.009775 | HookLogInit files 1/1 {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)} -1362692527.009775 | HookLogInit http 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])} +1362692527.009775 | HookLogInit http 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids 
(vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])} 1362692527.009775 | HookLogWrite files [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts=192.150.187.43, rx_hosts=141.142.228.5, conn_uids=CHhAvVGS1DHFjwGM9, source=HTTP, depth=0, analyzers=, mime_type=text/plain, filename=, duration=0.000263, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, extracted=, extracted_cutoff=, extracted_size=] 1362692527.009775 | HookLogWrite http [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, trans_depth=1, method=GET, host=bro.org, uri=<...>/plain] 1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 
@@ -3130,7 +3154,6 @@ 1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> 1362692527.080972 MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> -1362692527.080972 MetaHookPost CallFunction(bro_done, , ()) -> 1362692527.080972 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.080972 MetaHookPost CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 
@@ -3145,14 +3168,15 @@ 1362692527.080972 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.080972 MetaHookPost CallFunction(sub_bytes, , (HTTP, 0, 1)) -> 1362692527.080972 MetaHookPost CallFunction(to_lower, , (HTTP)) -> +1362692527.080972 MetaHookPost CallFunction(zeek_done, , ()) -> 1362692527.080972 MetaHookPost DrainEvents() -> 1362692527.080972 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) -> 1362692527.080972 MetaHookPost LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) -> true 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false -1362692527.080972 MetaHookPost QueueEvent(bro_done()) -> false 1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, 
syslog=])) -> false 1362692527.080972 MetaHookPost QueueEvent(filter_change_tracking()) -> false 1362692527.080972 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692527.080972 MetaHookPost QueueEvent(zeek_done()) -> false 1362692527.080972 MetaHookPost UpdateNetworkTime(1362692527.080972) -> 1362692527.080972 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) 1362692527.080972 MetaHookPre CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) 
@@ -3163,7 +3187,6 @@ 1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) 1362692527.080972 MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -1362692527.080972 MetaHookPre CallFunction(bro_done, , ()) 1362692527.080972 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.080972 MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(filter_change_tracking, , ()) 
@@ -3178,14 +3201,15 @@ 1362692527.080972 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.080972 MetaHookPre CallFunction(sub_bytes, , (HTTP, 0, 1)) 1362692527.080972 MetaHookPre CallFunction(to_lower, , (HTTP)) +1362692527.080972 MetaHookPre CallFunction(zeek_done, , ()) 1362692527.080972 MetaHookPre DrainEvents() 1362692527.080972 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) 1362692527.080972 MetaHookPre LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) -1362692527.080972 MetaHookPre QueueEvent(bro_done()) 1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre 
QueueEvent(filter_change_tracking()) 1362692527.080972 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre QueueEvent(zeek_done()) 1362692527.080972 MetaHookPre UpdateNetworkTime(1362692527.080972) 1362692527.080972 | HookUpdateNetworkTime 1362692527.080972 1362692527.080972 | HookCallFunction ChecksumOffloading::check() 
@@ -3197,7 +3221,6 @@ 1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) -1362692527.080972 | HookCallFunction bro_done() 1362692527.080972 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) 1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction filter_change_tracking() 
@@ -3212,11 +3235,12 @@ 1362692527.080972 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1) 1362692527.080972 | HookCallFunction to_lower(HTTP) +1362692527.080972 | HookCallFunction zeek_done() 1362692527.080972 | HookDrainEvents 1362692527.080972 | HookLogInit conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])} 1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=] 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() -1362692527.080972 | HookQueueEvent bro_done() 1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookQueueEvent filter_change_tracking() 1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, 
current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookQueueEvent zeek_done() diff --git a/testing/btest/Baseline/plugins.reporter-hook/output b/testing/btest/Baseline/plugins.reporter-hook/output index 8f706ec644..36418d2405 100644 --- a/testing/btest/Baseline/plugins.reporter-hook/output +++ b/testing/btest/Baseline/plugins.reporter-hook/output @@ -1,10 +1,10 @@ - | Hook Some Info <...>/reporter-hook.bro, line 16 - | Hook error An Error <...>/reporter-hook.bro, line 18 - | Hook error An Error that does not show up in the log <...>/reporter-hook.bro, line 19 - | Hook expression error field value missing (b$a) <...>/reporter-hook.bro, line 23 - | Hook warning A warning <...>/reporter-hook.bro, line 17 -<...>/reporter-hook.bro, line 16: Some Info -error in <...>/reporter-hook.bro, line 18: An Error -error in <...>/reporter-hook.bro, line 19: An Error that does not show up in the log -expression error in <...>/reporter-hook.bro, line 23: field value missing (b$a) -warning in <...>/reporter-hook.bro, line 17: A warning + | Hook Some Info <...>/reporter-hook.zeek, line 16 + | Hook error An Error <...>/reporter-hook.zeek, line 18 + | Hook error An Error that does not show up in the log <...>/reporter-hook.zeek, line 19 + | Hook expression error field value missing (b$a) <...>/reporter-hook.zeek, line 23 + | Hook warning A warning <...>/reporter-hook.zeek, line 17 +<...>/reporter-hook.zeek, line 16: Some Info +error in <...>/reporter-hook.zeek, line 18: An Error +error in <...>/reporter-hook.zeek, line 19: An Error that does not show up in the log +expression error in <...>/reporter-hook.zeek, line 23: field value missing (b$a) +warning in <...>/reporter-hook.zeek, line 17: A warning 
diff --git a/testing/btest/Baseline/plugins.reporter-hook/reporter.log b/testing/btest/Baseline/plugins.reporter-hook/reporter.log index bce2fb909f..fc5a79bc86 100644 --- a/testing/btest/Baseline/plugins.reporter-hook/reporter.log +++ b/testing/btest/Baseline/plugins.reporter-hook/reporter.log @@ -6,8 +6,8 @@ #open 2017-07-26-17-58-52 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Some Info /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 16 -0.000000 Reporter::WARNING A warning /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 17 -0.000000 Reporter::ERROR An Error /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 18 -0.000000 Reporter::ERROR field value missing (b$a) /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 23 +0.000000 Reporter::INFO Some Info /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.zeek, line 16 +0.000000 Reporter::WARNING A warning /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.zeek, line 17 +0.000000 Reporter::ERROR An Error /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.zeek, line 18 +0.000000 Reporter::ERROR field value missing (b$a) /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.zeek, line 23 #close 2017-07-26-17-58-52 diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output index 90cf6f42bf..729887b44d 100644 --- a/testing/btest/Baseline/plugins.writer/output +++ b/testing/btest/Baseline/plugins.writer/output 
@@ -10,13 +10,13 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0.0) [conn] 1340213226.561757|CmES5u32sYpV7JYN|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- [conn] 1340213290.981995|CP5puj4I8PtEU4qzYg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- [files] 1340213020.732547|FBtZ7y1ppK8iIeY622|60.190.189.214|10.0.0.55|ClEkJM2Vm5giqnMf4h|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-|-|- -[http] 1340213019.013158|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- -[http] 1340213019.013426|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- -[http] 1340213019.580162|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|3|GET|www.osnews.com|/images/icons/9.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- -[http] 1340213020.155861|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|4|GET|www.osnews.com|/images/icons/26.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|1368|200|OK|-|-||-|-|-|-|-|-|FBtZ7y1ppK8iIeY622|-|image/gif -[http] 1340213020.732963|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- -[http] 
1340213021.300269|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- -[http] 1340213021.861584|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- -[packet_filter] 1515793460.485950|bro|ip or not ip|T|T +[http] 1340213019.013158|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- +[http] 1340213019.013426|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- +[http] 1340213019.580162|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|3|GET|www.osnews.com|/images/icons/9.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- +[http] 1340213020.155861|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|4|GET|www.osnews.com|/images/icons/26.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|1368|200|OK|-|-||-|-|-|-|-|-|FBtZ7y1ppK8iIeY622|-|image/gif +[http] 1340213020.732963|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not 
Modified|-|-||-|-|-|-|-|-|-|-|- +[http] 1340213021.300269|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- +[http] 1340213021.861584|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- +[packet_filter] 1552509148.042714|bro|ip or not ip|T|T [socks] 1340213015.276495|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688 [tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-2/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-2/output new file mode 100644 index 0000000000..9fa63b93c3 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-2/output @@ -0,0 +1,3 @@ +[ip=127.0.3.1, tag=just] +[ip=127.0.3.2, tag=some] +[ip=127.0.3.3, tag=value] diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-3/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-3/output new file mode 100644 index 0000000000..a5d17c8e71 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix-3/output @@ -0,0 +1 @@ +file_hash, md5, ad8f8274b0e9fedb79093b1d1b6d6d73 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix/output new file mode 100644 index 0000000000..cb63569a66 
--- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-prefix/output @@ -0,0 +1,5 @@ +{ +[127.0.3.2] = some, +[127.0.3.3] = value, +[127.0.3.1] = just +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-2/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-2/output new file mode 100644 index 0000000000..6384276457 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-2/output @@ -0,0 +1,3 @@ +[ip=127.0.4.1, tag=just] +[ip=127.0.4.2, tag=some] +[ip=127.0.4.3, tag=value] diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-3/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-3/output new file mode 100644 index 0000000000..884334bf29 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source-3/output @@ -0,0 +1 @@ +file_hash, md5, cacc0ee959be71cbe287c5554b4e83b0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source/output new file mode 100644 index 0000000000..ebcacaef18 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.absolute-source/output @@ -0,0 +1,5 @@ +{ +[127.0.4.1] = just, +[127.0.4.2] = some, +[127.0.4.3] = value +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-2/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-2/output new file mode 100644 index 0000000000..4ad0a8a25d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-2/output @@ -0,0 +1,3 @@ +[ip=127.0.0.1, tag=just] +[ip=127.0.0.2, tag=some] +[ip=127.0.0.3, tag=value] 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-3/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-3/output new file mode 100644 index 0000000000..afb64f34cc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths-3/output @@ -0,0 +1 @@ +file_hash, md5, f78b90a215f8decb59cf672df57ab134 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths/output new file mode 100644 index 0000000000..3b186de28f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.no-paths/output @@ -0,0 +1,5 @@ +{ +[127.0.0.2] = some, +[127.0.0.1] = just, +[127.0.0.3] = value +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-2/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-2/output new file mode 100644 index 0000000000..709ed78cb8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-2/output @@ -0,0 +1,3 @@ +[ip=127.0.1.1, tag=just] +[ip=127.0.1.2, tag=some] +[ip=127.0.1.3, tag=value] diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-3/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-3/output new file mode 100644 index 0000000000..8a10f2127b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix-3/output @@ -0,0 +1 @@ +file_hash, md5, 6a87477e9c8e269ac9cc0cb70464ea1f diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix/output b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix/output new file mode 100644 index 0000000000..c2e80a8281 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.path-prefix.relative-prefix/output @@ -0,0 +1,5 @@ +{ +[127.0.1.1] = just, +[127.0.1.2] = some, +[127.0.1.3] = value +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/broproc.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/broproc.intel.log new file mode 100644 index 0000000000..dfe45974c1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/broproc.intel.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path intel +#open 2019-03-24-20-29-18 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc +#types time string addr port addr port string enum enum string set[enum] set[string] string string string +1553459358.205227 - - - - - 1.2.3.42 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +#close 2019-03-24-20-29-18 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-absolute-prefixes/output b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-absolute-prefixes/output new file mode 100644 index 0000000000..c9b56b9a7d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-absolute-prefixes/output @@ -0,0 +1,3 @@ +127.0.2.1 Intel::ADDR +127.0.2.2 Intel::ADDR +127.0.2.3 Intel::ADDR diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-relative-prefixes/output b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-relative-prefixes/output new file mode 100644 index 0000000000..2022340d06 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-intel-relative-prefixes/output @@ -0,0 +1,3 @@ +127.0.1.1 Intel::ADDR +127.0.1.2 Intel::ADDR +127.0.1.3 Intel::ADDR 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-prefix/output b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-prefix/output new file mode 100644 index 0000000000..ff5c709f0d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.input-prefix/output @@ -0,0 +1,3 @@ +127.0.0.1 Intel::ADDR +127.0.0.2 Intel::ADDR +127.0.0.3 Intel::ADDR diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.no-paths/output b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.no-paths/output new file mode 100644 index 0000000000..ff5c709f0d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.path-prefix.no-paths/output @@ -0,0 +1,3 @@ +127.0.0.1 Intel::ADDR +127.0.0.2 Intel::ADDR +127.0.0.3 Intel::ADDR diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output index 03dcf582e9..c6dec0f9aa 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output @@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path reporter -#open 2018-02-27-17-25-30 +#open 2019-03-24-20-20-10 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 547-548 +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/zeek/scripts/base/frameworks/intel/./main.zeek, lines 563-564 0.000000 Reporter::INFO received termination signal (empty) -#close 2018-02-27-17-25-30 +#close 2019-03-24-20-20-10 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log index 5cdb4f1779..bfb1dc107a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-15-13 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1315799856.264750 CHhAvVGS1DHFjwGM9 10.0.1.104 64216 193.40.5.162 80 1 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - 1.1 Wget/1.12 (darwin10.8.0) 0 346 404 Not Found - - (empty) - - - - - - FGNm7b3eXjhJLfvOWl - text/html -#close 2016-07-13-16-15-13 +#open 2019-03-13-19-36-10 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1315799856.264750 CHhAvVGS1DHFjwGM9 10.0.1.104 64216 193.40.5.162 80 1 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - 1.1 Wget/1.12 (darwin10.8.0) - 0 346 404 Not Found - - (empty) - - - - - - FGNm7b3eXjhJLfvOWl - text/html +#close 
2019-03-13-19-36-10 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log index f4b240d619..a58380f26c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log @@ -1,2 +1,2 @@ -1535139819.649067 Reporter::INFO qux /home/jon/projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-cluster-error/field-extension-cluster-error.bro, line XX -1535139821.906059 bah manager-1 0.000000 Reporter::INFO qux /home/jon/projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-cluster-error/field-extension-cluster-error.bro, line XX +1535139819.649067 Reporter::INFO qux /home/jon/projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-cluster-error/field-extension-cluster-error.zeek, line XX +1535139821.906059 bah manager-1 0.000000 Reporter::INFO qux /home/jon/projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-cluster-error/field-extension-cluster-error.zeek, line XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster/manager-1.http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster/manager-1.http.log index 1d1e9c5637..290cb64967 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster/manager-1.http.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster/manager-1.http.log 
@@ -3,21 +3,21 @@ #empty_field (empty) #unset_field - #path http -#open 2016-09-22-22-00-07 -#fields _write_ts _stream _system_name ts uid id_orig_h id_orig_p id_resp_h id_resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string string time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1474581606.495669 http worker-1 1474581606.435795 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ 1.1 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.627575 http worker-1 1474581606.567793 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.628102 http worker-1 1474581606.567958 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.630935 http worker-1 1474581606.570133 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org 
/wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.664441 http worker-1 1474581606.604082 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.664505 http worker-1 1474581606.604071 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.666635 http worker-1 1474581606.606595 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.674440 http worker-1 1474581606.614462 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.688069 http worker-1 1474581606.627709 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ 1.0 
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.688573 http worker-1 1474581606.628211 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.691698 http worker-1 1474581606.631039 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.726568 http worker-1 1474581606.666394 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.726713 http worker-1 1474581606.666368 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1474581606.726840 http worker-1 1474581606.666702 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png 
http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -#close 2016-09-22-22-00-12 +#open 2019-03-13-19-36-14 +#fields _write_ts _stream _system_name ts uid id_orig_h id_orig_p id_resp_h id_resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string string time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1552505774.404160 http worker-1 1552505774.344286 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ 1.1 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.536066 http worker-1 1552505774.476284 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.536593 http worker-1 1552505774.476449 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - 
+1552505774.539426 http worker-1 1552505774.478624 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.572932 http worker-1 1552505774.512573 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.572996 http worker-1 1552505774.512562 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.575126 http worker-1 1552505774.515086 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.582931 http worker-1 1552505774.522953 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.596560 http worker-1 1552505774.536200 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 
80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.597064 http worker-1 1552505774.536702 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.600189 http worker-1 1552505774.539530 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.635059 http worker-1 1552505774.574885 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.635204 http worker-1 1552505774.574859 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1552505774.635331 http worker-1 1552505774.575193 CLNN1k2QMum1aexUK7 141.142.220.118 50001 
208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +#close 2019-03-13-19-36-19 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-table/.stderr b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-table/.stderr index ff76d4ea54..5efd4bac43 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-table/.stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-table/.stderr @@ -1,2 +1,2 @@ -error in /testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-table/field-extension-table.bro, line 9: &log applied to a type that cannot be logged (&log) -error in /testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-table/field-extension-table.bro, line 18: syntax error, at or near "{" +error in /testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-table/field-extension-table.zeek, line 9: &log applied to a type that cannot be logged (&log) +error in /testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-table/field-extension-table.zeek, line 18: syntax error, at or near "{" diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select index 9465afa854..8b2f3258c0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select 
@@ -1,14 +1,14 @@ -1300475168.78402|CUM0KZ3MLUfNB0cl11|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|1.1|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475168.91602|CwjjYJ2WqgTbAqiHl6|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475168.91618|C3eiCBGOLw3VtHfOj|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475168.91836|Ck51lg1bScffFj34Ri|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475168.9523|CykQaM33ztNt0csB9a|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475168.95231|CtxTCR2Yer0FR1tIBg|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not 
Modified|||(empty)||||||||| -1300475168.95482|CLNN1k2QMum1aexUK7|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475168.96269|CiyBAq1bBLNaTiTAc|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475168.97593|CwjjYJ2WqgTbAqiHl6|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475168.97644|C3eiCBGOLw3VtHfOj|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475168.97926|Ck51lg1bScffFj34Ri|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475169.01459|CykQaM33ztNt0csB9a|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux 
x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475169.01462|CtxTCR2Yer0FR1tIBg|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| -1300475169.01493|CLNN1k2QMum1aexUK7|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||(empty)||||||||| +1300475168.78402|CUM0KZ3MLUfNB0cl11|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|1.1|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475168.91602|CwjjYJ2WqgTbAqiHl6|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475168.91618|C3eiCBGOLw3VtHfOj|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| 
+1300475168.91836|Ck51lg1bScffFj34Ri|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475168.9523|CykQaM33ztNt0csB9a|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475168.95231|CtxTCR2Yer0FR1tIBg|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475168.95482|CLNN1k2QMum1aexUK7|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475168.96269|CiyBAq1bBLNaTiTAc|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475168.97593|CwjjYJ2WqgTbAqiHl6|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not 
Modified|||(empty)||||||||| +1300475168.97644|C3eiCBGOLw3VtHfOj|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475168.97926|Ck51lg1bScffFj34Ri|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475169.01459|CykQaM33ztNt0csB9a|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475169.01462|CtxTCR2Yer0FR1tIBg|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| +1300475169.01493|CLNN1k2QMum1aexUK7|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|1.0|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15||0|0|304|Not Modified|||(empty)||||||||| 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log index ea61a9ed06..7885bfc74f 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log 
@@ -3,21 +3,21 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-15-30 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1300475168.784020 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ 1.1 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.916018 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.916183 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.918358 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - 
- - - - - - -1300475168.952307 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.952296 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.954820 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.962687 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.975934 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.976436 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; 
Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475168.979264 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475169.014619 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475169.014593 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -1300475169.014927 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - -#close 2016-07-13-16-15-30 +#open 2019-03-13-19-36-13 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types 
time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1300475168.784020 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ 1.1 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.916018 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.916183 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.918358 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.952307 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - 
+1300475168.952296 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.954820 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.962687 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.975934 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.976436 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475168.979264 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 
(X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475169.014619 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475169.014593 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +1300475169.014927 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - +#close 2019-03-13-19-36-13 diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log index 9a673f80e2..614a90a0f7 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log 
@@ -3,13 +3,13 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-15-38 +#open 2019-04-17-21-00-04 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1254722767.492060 CHhAvVGS1DHFjwGM9 10.10.1.4 56166 10.10.1.1 53 udp dns 0.034025 34 100 SF - - 0 Dd 1 62 1 128 - 1254722776.690444 C4J4Th3PJpwUYZZ6gc 10.10.1.20 138 10.10.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 - 1254722767.529046 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 tcp - 0.346950 0 0 S1 - - 0 Sh 1 48 1 48 - 1437831776.764391 CtPZjS20MLrsMUOJi2 192.168.133.100 49285 66.196.121.26 5050 tcp - 0.343008 41 0 OTH - - 0 Da 1 93 1 52 - -1437831787.856895 CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 tcp - 0.048043 162 154 S1 - - 154 ShDA 3 192 1 60 - +1437831787.856895 CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 tcp - 0.048043 162 154 S1 - - 154 ShDgA 3 192 1 60 - 1437831798.533765 CmES5u32sYpV7JYN 192.168.133.100 49336 74.125.71.189 443 tcp - - - - OTH - - 0 A 1 52 0 0 - -#close 2016-07-13-16-15-38 +#close 2019-04-17-21-00-04 diff --git a/testing/btest/Baseline/scripts.base.frameworks.reporter.disable-stderr/reporter.log b/testing/btest/Baseline/scripts.base.frameworks.reporter.disable-stderr/reporter.log index 144c094b2f..744f050046 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.reporter.disable-stderr/reporter.log +++ b/testing/btest/Baseline/scripts.base.frameworks.reporter.disable-stderr/reporter.log 
@@ -6,5 +6,5 @@ #open 2012-08-10-20-09-16 #fields ts level message location #types time enum string string -0.000000 Reporter::ERROR no such index (test[3]) /da/home/robin/bro/master/testing/btest/.tmp/scripts.base.frameworks.reporter.disable-stderr/disable-stderr.bro, line 12 +0.000000 Reporter::ERROR no such index (test[3]) /da/home/robin/bro/master/testing/btest/.tmp/scripts.base.frameworks.reporter.disable-stderr/disable-stderr.zeek, line 12 #close 2012-08-10-20-09-16 diff --git a/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/.stderr b/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/.stderr index ed161b2409..b01cfa1e84 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/.stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/.stderr @@ -1 +1 @@ -expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.reporter.stderr/stderr.bro, line 9: no such index (test[3]) +expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.reporter.stderr/stderr.zeek, line 9: no such index (test[3]) diff --git a/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/reporter.log b/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/reporter.log index 391cf77a00..705bb357fa 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/reporter.log +++ b/testing/btest/Baseline/scripts.base.frameworks.reporter.stderr/reporter.log @@ -6,5 +6,5 @@ #open 2013-01-18-18-29-30 #fields ts level message location #types time enum string string -0.000000 Reporter::ERROR no such index (test[3]) /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.reporter.stderr/stderr.bro, line 9 +0.000000 Reporter::ERROR no such index (test[3]) /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.reporter.stderr/stderr.zeek, line 9 #close 2013-01-18-18-29-30 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output index 6f59b224b3..a9715483b1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output 
@@ -1,38 +1,33 @@ -success on: Flash/10,2,153,1 -success on: Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4 -success on: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) -success on: %E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64) -success on: Java1.2.2-JDeveloper -success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown -success on: iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9 -success on: ProFTPD 1.2.5rc1 Server (Debian) -success on: Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64) -success on: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5 -success on: Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00 -success on: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) -success on: Apple Mail (2.1084) -success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2 -success on: Apache/1.3.19 (Unix) -success on: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko success on: Wget/1.11.4 (Red Hat modified) success on: \xe6\xbc\xab\xe7\x94\xbb\xe4\xba\xba 2.6.2 rv:1.2 (iPhone; iOS 10.3.2; en_US) success on: wu-2.6.2(1) success on: QQ%E9%82%AE%E7%AE%B1/5.3.2.8 CFNetwork/811.5.4 Darwin/16.6.0 success on: The Bat! (3.0.1 RC3) Professional +success on: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5 success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7 +success on: Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00 success on: The Bat! 
(v2.00.9) Personal success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) +success on: %E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64) +success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown +success on: A/8.1.0/Google/Pixel#2/walleye/unknown/QCX3/l10660929675510745862/-/104360422/-/google/3606/3607/- success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1) +success on: Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4 success on: wu-2.4.2-academ[BETA-18-VR14](1) success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02) success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2) +success on: A/8.0.0/Google/Pixel#XL/marlin/unknown/QCX3/l8100358318783302904/-/1456904160/-/google/662107/662098/- +success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2 +success on: Apache/1.3.19 (Unix) success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 success on: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063 +success on: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) success on: Total Commander success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) success on: libwww-perl/5.820 success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 success on: Java/1.6.0_13 
+success on: A/9/Google/Pixel#2/walleye/unknown/QCX3/l17463753539612639959/-/2406658516/-/google/724998/724992/- success on: Python-urllib/3.1 success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00 success on: CacheFlyServe v26b @@ -41,7 +36,11 @@ success on: OpenSSH_5.2 success on: (vsFTPd 2.0.5) success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3) +success on: Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64) success on: Apache +success on: Flash/10,2,153,1 +success on: A/9/Google/Pixel#2/walleye/unknown/QCX3/l9335055540778241916/-/1576068601/-/google/63672/63666/00:BOOT.XF.1.2.2.c1-00036-M8998LZB-2+01:TZ.BF.4.0.6-00152+03:RPM.BF.1.7-00128+11:MPSS.AT.2.0.c4.5-00253-8998_GEN_PACK-1.172723.1.178350.2+12:ADSP.HT.3.0-00372-CB8998-1+14:VIDEO.VE.4.4-00033+15:SLPI.HB.2.0.c3-00016-M8998AZL-1 +success on: Java1.2.2-JDeveloper success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5 success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18 
@@ -51,5 +50,11 @@ success on: OpenSSH_4.4 success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731 success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54 success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01 +success on: iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9 +success on: ProFTPD 1.2.5rc1 Server (Debian) +success on: Apple Mail (2.1084) +success on: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) +success on: A/9/Google/Pixel#2#XL/taimen/unknown/QCX3/l2640039522761750592/-/1061307257/-/google/1199700/1199701/- success on: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15 success on: Wget/1.9+cvs-stable (Red Hat modified) +success on: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko diff --git a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 index c2f791ba82..2f84ca097a 100644 --- a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 +++ b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 @@ -1 +1 @@ -1389719059.311687 warning in /Users/jsiwek/Projects/bro/bro/scripts/base/misc/find-filtered-trace.bro, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired. +1389719059.311687 warning in /Users/jsiwek/Projects/bro/bro/scripts/base/misc/find-filtered-trace.zeek, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired. 
diff --git a/testing/btest/Baseline/scripts.base.misc.version/.stderr b/testing/btest/Baseline/scripts.base.misc.version/.stderr index bfae6163df..28da0b203a 100644 --- a/testing/btest/Baseline/scripts.base.misc.version/.stderr +++ b/testing/btest/Baseline/scripts.base.misc.version/.stderr @@ -1,4 +1,4 @@ -error in /home/robin/bro/master/scripts/base/misc/version.bro, line 54: Version string 1 cannot be parsed -error in /home/robin/bro/master/scripts/base/misc/version.bro, line 54: Version string 12.5 cannot be parsed -error in /home/robin/bro/master/scripts/base/misc/version.bro, line 54: Version string 1.12-beta-drunk cannot be parsed -error in /home/robin/bro/master/scripts/base/misc/version.bro, line 54: Version string JustARandomString cannot be parsed +error in /home/robin/bro/master/scripts/base/misc/version.zeek, line 54: Version string 1 cannot be parsed +error in /home/robin/bro/master/scripts/base/misc/version.zeek, line 54: Version string 12.5 cannot be parsed +error in /home/robin/bro/master/scripts/base/misc/version.zeek, line 54: Version string 1.12-beta-drunk cannot be parsed +error in /home/robin/bro/master/scripts/base/misc/version.zeek, line 54: Version string JustARandomString cannot be parsed diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log index 8990518008..2559f88db2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-16-15 +#open 2019-04-17-21-00-49 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1464385864.999633 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 tcp ftp 600.931043 41420 159830 S1 - - 233 ShAdDa 4139 206914 4178 326799 - -#close 2016-07-13-16-16-15 +1464385864.999633 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 tcp ftp 600.931043 41420 159830 S1 - - 233 ShAdDaGg 4139 206914 4178 326799 - +#close 2019-04-17-21-00-50 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log index 4516886e52..8a2d00a6c7 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/ftp.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path ftp -#open 2016-07-13-16-16-15 +#open 2019-04-17-21-00-48 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid #types time string addr port addr port string string string string string count count string bool addr addr port string 1464385865.669674 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 anonymous anonymous@ PASV - - - 227 Entering Passive Mode (205,167,25,101,243,251). T 10.3.22.91 205.167.25.101 62459 - 
@@ -1381,4 +1381,4 @@ 1464386464.737901 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 anonymous anonymous@ RETR ftp://10.167.25.101/./pub/data/1993/722024-99999-1993.gz - 30171 226 Transfer complete - - - - - 1464386465.294490 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 anonymous anonymous@ PASV - - - 227 Entering Passive Mode (205,167,25,101,251,88). T 10.3.22.91 205.167.25.101 64344 - 1464386465.471708 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 anonymous anonymous@ RETR ftp://10.167.25.101/./pub/data/1994/722024-99999-1994.gz - 29736 226 Transfer complete - - - - - -#close 2016-07-13-16-16-15 +#close 2019-04-17-21-00-50 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log b/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log index 20467e0627..c6019881d0 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-19 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1237440095.634312 CHhAvVGS1DHFjwGM9 192.168.3.103 54102 128.146.216.51 80 1 POST www.osu.edu / - 1.1 curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3 2001 60731 200 OK 100 Continue (empty) - - - F7Wq2D1IW7Cp2nfZMa - text/plain FFhC1T3ieHHQqVBLpc - text/html -#close 2016-07-13-16-16-19 +#open 2019-03-13-19-36-28 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1237440095.634312 CHhAvVGS1DHFjwGM9 192.168.3.103 54102 128.146.216.51 80 1 POST www.osu.edu / - 1.1 curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3 - 2001 60731 200 OK 100 Continue (empty) - - - F7Wq2D1IW7Cp2nfZMa - text/plain FFhC1T3ieHHQqVBLpc - text/html +#close 2019-03-13-19-36-28 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/http.log b/testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/http.log index a1e96de25e..6e880fd573 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2017-08-04-00-45-31 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1501770877.501001 CHhAvVGS1DHFjwGM9 192.168.0.5 50798 54.148.114.85 80 1 GET sandbox.kaazing.net /echo?.kl=Y - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 0 101 Web Socket Protocol Handshake 101 Web Socket Protocol Handshake (empty) - - - - - - - - - -#close 2017-08-04-00-45-31 +#open 2019-03-13-19-36-28 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1501770877.501001 CHhAvVGS1DHFjwGM9 192.168.0.5 50798 54.148.114.85 80 1 GET sandbox.kaazing.net /echo?.kl=Y - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 http://kaazing.org 0 0 101 Web Socket Protocol Handshake 101 Web Socket Protocol Handshake (empty) - - - - - - - - - +#close 2019-03-13-19-36-28 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/http.log b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/http.log index 5ff9ffc319..8f9d9fa96f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2018-05-08-20-04-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1523627611.747988 CHhAvVGS1DHFjwGM9 127.0.0.1 58128 127.0.0.1 80 1 GET localhost / - 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 0 33 206 ok - - (empty) - - - - - - FE5OS23mJkGTBhF8ig - text/plain -#close 2018-05-08-20-04-17 +#open 2019-03-13-19-36-28 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1523627611.747988 CHhAvVGS1DHFjwGM9 127.0.0.1 58128 127.0.0.1 80 1 GET localhost / - 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 - 0 33 206 ok - - (empty) - - - - - - FE5OS23mJkGTBhF8ig - text/plain +#close 2019-03-13-19-36-28 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.fake-content-length/http.log b/testing/btest/Baseline/scripts.base.protocols.http.fake-content-length/http.log index aa9c61af96..8785072bae 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.http.fake-content-length/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.fake-content-length/http.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2018-05-08-20-10-35 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1523631796.315381 CHhAvVGS1DHFjwGM9 127.0.0.1 58176 127.0.0.1 80 1 GET localhost / - 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 0 14 200 ok - - (empty) - - - - - - FCcRXl1oyxVr6ipJA8 - text/plain -#close 2018-05-08-20-10-35 +#open 2019-03-13-19-36-28 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1523631796.315381 CHhAvVGS1DHFjwGM9 127.0.0.1 58176 127.0.0.1 80 1 GET localhost / - 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 - 0 14 200 ok - - (empty) - - - - - - FCcRXl1oyxVr6ipJA8 - text/plain +#close 2019-03-13-19-36-28 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log index bb5eff7bb7..8091416b0e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1452204358.910557 CHhAvVGS1DHFjwGM9 192.168.122.130 49157 202.7.177.41 80 1 - - - - 1.1 - 0 14 200 OK - - (empty) - - - - - - FGec0Miu9FfcsYUT4 - text/plain -#close 2016-07-13-16-16-20 +#open 2019-03-13-19-36-28 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1452204358.910557 CHhAvVGS1DHFjwGM9 192.168.122.130 49157 202.7.177.41 80 1 - - - - 1.1 - - 0 14 200 OK - - (empty) - - - - - - FGec0Miu9FfcsYUT4 - text/plain +#close 2019-03-13-19-36-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/http.log index 4980974be2..c90700bd51 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/http.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/http.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-21 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1443732977.728092 CHhAvVGS1DHFjwGM9 ::1 52522 ::1 80 1 CONNECT secure.newegg.com secure.newegg.com:443 - 1.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0 0 0 200 Connection Established - - (empty) - - PROXY-CONNECTION -> keep-alive - - - - - - -#close 2016-07-13-16-16-21 +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1443732977.728092 CHhAvVGS1DHFjwGM9 ::1 52522 ::1 80 1 CONNECT secure.newegg.com secure.newegg.com:443 - 1.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0 - 0 0 200 Connection Established - - (empty) - - PROXY-CONNECTION -> keep-alive - - - - - - +#close 2019-03-13-19-36-29 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log index 8bd8c2aef3..dfbd02b9ce 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-21 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1078232252.284420 CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 1 CONNECT - mailin03.sul.t-online.de:25 / - 1.0 - 0 0 200 Connection established - - (empty) - - - - - - - - - -#close 2016-07-13-16-16-21 +#open 2019-03-13-20-27-17 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1078232252.284420 CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 1 CONNECT - mailin03.sul.t-online.de:25 / - 1.0 - - 0 0 200 Connection established - - (empty) - - - - - - - - - +#close 2019-03-13-20-27-17 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-filename/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-filename/http.log index f75b84b9c2..05ed50b11e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-filename/http.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-filename/http.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-22 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1445000735.104954 CHhAvVGS1DHFjwGM9 10.1.9.63 63526 54.175.222.246 80 1 GET httpbin.org /response-headers?Content-Type=application/octet-stream; charset=UTF-8&Content-Disposition=attachment; filename="test.json" - 1.1 curl/7.45.0 0 191 200 OK - - (empty) - - - - - - FygKthZCYFLgVzwY8 test.json text/json -#close 2016-07-13-16-16-22 +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1445000735.104954 CHhAvVGS1DHFjwGM9 10.1.9.63 63526 54.175.222.246 80 1 GET httpbin.org /response-headers?Content-Type=application/octet-stream; charset=UTF-8&Content-Disposition=attachment; filename="test.json" - 1.1 curl/7.45.0 - 0 191 200 OK - - (empty) - - - - - - FygKthZCYFLgVzwY8 test.json text/json +#close 2019-03-13-19-36-29 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log index 07aa430c4d..d1a34f1b71 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log 
@@ -3,56 +3,56 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-23 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1354328870.191989 CHhAvVGS1DHFjwGM9 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - 1.1 - 0 962 405 Method Not Allowed - - (empty) - - - - - - FKgccv1sOsIPuN3b73 - text/html -1354328874.237327 ClEkJM2Vm5giqnMf4h 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com (empty) - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FWUdF12OgqGLhf3NPl - text/html -1354328874.299063 C4J4Th3PJpwUYZZ6gc 128.2.6.136 46564 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FrYoRN2EwpZyXbyvF8 - text/html -1354328874.342591 CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FJPouz1lbXUsa4Ef1 - text/html -1354328874.364020 CUM0KZ3MLUfNB0cl11 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - 1.1 - 0 43911 200 OK - - (empty) - - - - - - FbONWS332vB7QP1sDi - text/html -1354328878.470424 CmES5u32sYpV7JYN 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - 1.1 - 0 43983 200 OK - - (empty) - - - - - - Fw8xGD2taqNAOVvI88 - text/html -1354328882.575456 CP5puj4I8PtEU4qzYg 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - 1.0 - 0 1207 403 Forbidden - - (empty) - - - - - - FdEQPY3H4Z608y5yq1 - text/html -1354328882.928027 C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 1 - - - - 1.0 - 0 925 
400 Bad Request - - (empty) - - - - - - FcNjaW3kDUju84cG3 - text/html -1354328882.968948 C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - Fe8v8c49yLvORp3zva - text/html -1354328882.990373 CwjjYJ2WqgTbAqiHl6 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - 1.1 - 0 43913 200 OK - - (empty) - - - - - - FAbDo7c8yz5wducYb - text/html -1354328887.114613 C0LAHyvtKSQHyJxIl 128.2.6.136 46572 173.194.75.103 80 1 - - - - 1.1 - 0 961 405 Method Not Allowed - - (empty) - - - - - - F7zifu3d5nGrdGffO4 - text/html -1354328891.161077 CFLRIC3zaTU1loLGxh 128.2.6.136 46573 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FNf9mc2b0BWWP1UxWe - text/html -1354328891.204740 C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FG2K813sKEZvZ2TNY4 - text/html -1354328891.245592 Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FOOeqs4Vg0Zs3rcVYi - text/html -1354328891.287655 C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - F2wfYn1yFdeOeHFYA8 - text/html -1354328891.309065 CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - 0 963 405 Method Not Allowed - - (empty) - - - - - - F1d9bG11AdUoYIAPna - text/html -1354328895.355012 C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - F73Xpt400aDAjp1tOj - text/html -1354328895.416133 CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FANgwp2fEJblWfGtqk - text/html -1354328895.459490 CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FUelQv4zC3B2JEWwQ6 - text/html -1354328895.480865 
CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - 0 963 405 Method Not Allowed - - (empty) - - - - - - FodlEg40uUijFetJb9 - text/html -1354328899.526682 C1Xkzz2MaGtLrc1Tla 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - 0 925 400 Bad Request - - (empty) - - - - - - FgQlB81dSyLHN5T8Q4 - text/html -1354328903.572533 CqlVyW1YwZ15RhTBc4 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FW2UCD2e0jxAndsTK3 - text/html -1354328903.634196 CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FKANAL2sLvMgJdaEKa - text/html -1354328903.676395 CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FNRuYy4eahAmiehFvd - text/html -1354328903.697693 CGLPPc35OzDQij1XX8 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - 0 925 400 Bad Request - - (empty) - - - - - - FAVGIL2N6x9nLyfGHh - text/html -1354328907.743696 CiyBAq1bBLNaTiTAc 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - 0 960 405 Method Not Allowed - - (empty) - - - - - - FKbiICMAvCsO6CFjk - text/html -1354328911.790590 CFSwNi4CNGxcuffo49 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FD5riIpYe5BLR0aok - text/html -1354328911.853464 Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FUzHwP1gT2UJYnUpUi - text/html -1354328911.897044 CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FfLe59279TLFl2hHKc - text/html -1354328911.918511 CPhDKt12KQPUVbQz06 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - 0 960 405 Method Not Allowed - - (empty) - - - - - - FQrvtP3qpKeKPxn5Gf - text/html -1354328915.964678 
CAnFrb2Cvxr5T7quOc 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - 0 961 405 Method Not Allowed - - (empty) - - - - - - Fs5qiV3XoBOExKLdi4 - text/html -1354328920.010458 C8rquZ3DjgNW06JGLl 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FpkucFbcGcM4CNkZf - text/html -1354328920.072101 CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FBu6A04t7ZjbY0dCi8 - text/html -1354328920.114526 CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - Fk7Se84fbLvbZEfBCd - text/html -1354328920.136714 CNdne23ox8SQTgPoy3 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - 0 961 405 Method Not Allowed - - (empty) - - - - - - FNb8ZY2Zvw0MpF1qU4 - text/html -1354328924.183211 CeGt004UBsXLoZSeCg 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - 1.0 - 0 934 411 Length Required - - (empty) - - - - - - Fo23U03XCMamm7QQWe - text/html -1354328924.224567 CTrywc2ra7tcWn2af 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - 1.0 - 0 934 411 Length Required - - (empty) - - - - - - FqyVeZqSV8Tz7hfT1 - text/html -1354328924.287402 CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - Ft15j5I9xSpfcA7Fh - text/html -1354328924.328257 CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FyF5ac1kxwCDvXZKz7 - text/html -1354328924.350343 Cgc67J2CpHIVN7HAw4 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - 1.0 - 0 934 411 Length Required - - (empty) - - - - - - FuGiTK15gnR7f8Uti2 - text/html -1354328924.391728 CgwPkWkJfuBIJsNi4 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - 1.0 - 0 934 411 Length Required - - (empty) - - - - - - F93zuy2MGUDDPwg0xl - text/html -1354328924.433150 
CImWJ03GsvPvA0P67i 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - 1.0 - 0 934 411 Length Required - - (empty) - - - - - - FRJvy31aqXlFemaBfc - text/html -1354328924.496732 CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - Fcnnrf1A8AgOFzLHM - text/html -1354328924.537671 CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FI3I73110YtFWCuaG3 - text/html -1354328924.559704 CWhRtK3eXodviHmbo7 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - 0 0 200 OK - - (empty) - - - - - - - - - -1354328928.625437 CqVUM4vyqCacqFiud 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - 0 0 200 OK - - (empty) - - - - - - - - - -1354328932.692706 CudMuD3jKHCaCU5CE 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - 1.0 - 0 0 400 Bad Request - - (empty) - - - - - - - - - -1354328932.754657 CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FaVAsywxxOtGAzel8 - text/html -1354328932.796568 CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 1 - - - - 1.0 - 0 925 400 Bad Request - - (empty) - - - - - - FmzgEKnyfPnyZqmh - text/html -#close 2016-07-13-16-16-23 +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1354328870.191989 CHhAvVGS1DHFjwGM9 128.2.6.136 46562 173.194.75.103 80 1 
OPTIONS www.google.com * - 1.1 - - 0 962 405 Method Not Allowed - - (empty) - - - - - - FKgccv1sOsIPuN3b73 - text/html +1354328874.237327 ClEkJM2Vm5giqnMf4h 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com (empty) - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FWUdF12OgqGLhf3NPl - text/html +1354328874.299063 C4J4Th3PJpwUYZZ6gc 128.2.6.136 46564 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FrYoRN2EwpZyXbyvF8 - text/html +1354328874.342591 CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FJPouz1lbXUsa4Ef1 - text/html +1354328874.364020 CUM0KZ3MLUfNB0cl11 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43911 200 OK - - (empty) - - - - - - FbONWS332vB7QP1sDi - text/html +1354328878.470424 CmES5u32sYpV7JYN 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43983 200 OK - - (empty) - - - - - - Fw8xGD2taqNAOVvI88 - text/html +1354328882.575456 CP5puj4I8PtEU4qzYg 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - 1.0 - - 0 1207 403 Forbidden - - (empty) - - - - - - FdEQPY3H4Z608y5yq1 - text/html +1354328882.928027 C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FcNjaW3kDUju84cG3 - text/html +1354328882.968948 C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fe8v8c49yLvORp3zva - text/html +1354328882.990373 CwjjYJ2WqgTbAqiHl6 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - 1.1 - - 0 43913 200 OK - - (empty) - - - - - - FAbDo7c8yz5wducYb - text/html +1354328887.114613 C0LAHyvtKSQHyJxIl 128.2.6.136 46572 173.194.75.103 80 1 - - - - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - F7zifu3d5nGrdGffO4 - text/html +1354328891.161077 CFLRIC3zaTU1loLGxh 128.2.6.136 46573 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - 
(empty) - - - - - - FNf9mc2b0BWWP1UxWe - text/html +1354328891.204740 C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FG2K813sKEZvZ2TNY4 - text/html +1354328891.245592 Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FOOeqs4Vg0Zs3rcVYi - text/html +1354328891.287655 C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F2wfYn1yFdeOeHFYA8 - text/html +1354328891.309065 CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - - 0 963 405 Method Not Allowed - - (empty) - - - - - - F1d9bG11AdUoYIAPna - text/html +1354328895.355012 C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - F73Xpt400aDAjp1tOj - text/html +1354328895.416133 CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FANgwp2fEJblWfGtqk - text/html +1354328895.459490 CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FUelQv4zC3B2JEWwQ6 - text/html +1354328895.480865 CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - 1.1 - - 0 963 405 Method Not Allowed - - (empty) - - - - - - FodlEg40uUijFetJb9 - text/html +1354328899.526682 C1Xkzz2MaGtLrc1Tla 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - - 0 925 400 Bad Request - - (empty) - - - - - - FgQlB81dSyLHN5T8Q4 - text/html +1354328903.572533 CqlVyW1YwZ15RhTBc4 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FW2UCD2e0jxAndsTK3 - text/html +1354328903.634196 CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - 
- - - FKANAL2sLvMgJdaEKa - text/html +1354328903.676395 CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FNRuYy4eahAmiehFvd - text/html +1354328903.697693 CGLPPc35OzDQij1XX8 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - 1.1 - - 0 925 400 Bad Request - - (empty) - - - - - - FAVGIL2N6x9nLyfGHh - text/html +1354328907.743696 CiyBAq1bBLNaTiTAc 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - - 0 960 405 Method Not Allowed - - (empty) - - - - - - FKbiICMAvCsO6CFjk - text/html +1354328911.790590 CFSwNi4CNGxcuffo49 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FD5riIpYe5BLR0aok - text/html +1354328911.853464 Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FUzHwP1gT2UJYnUpUi - text/html +1354328911.897044 CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FfLe59279TLFl2hHKc - text/html +1354328911.918511 CPhDKt12KQPUVbQz06 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - 1.1 - - 0 960 405 Method Not Allowed - - (empty) - - - - - - FQrvtP3qpKeKPxn5Gf - text/html +1354328915.964678 CAnFrb2Cvxr5T7quOc 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - Fs5qiV3XoBOExKLdi4 - text/html +1354328920.010458 C8rquZ3DjgNW06JGLl 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FpkucFbcGcM4CNkZf - text/html +1354328920.072101 CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FBu6A04t7ZjbY0dCi8 - text/html +1354328920.114526 CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - 
- - Fk7Se84fbLvbZEfBCd - text/html +1354328920.136714 CNdne23ox8SQTgPoy3 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - 1.1 - - 0 961 405 Method Not Allowed - - (empty) - - - - - - FNb8ZY2Zvw0MpF1qU4 - text/html +1354328924.183211 CeGt004UBsXLoZSeCg 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - Fo23U03XCMamm7QQWe - text/html +1354328924.224567 CTrywc2ra7tcWn2af 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FqyVeZqSV8Tz7hfT1 - text/html +1354328924.287402 CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Ft15j5I9xSpfcA7Fh - text/html +1354328924.328257 CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FyF5ac1kxwCDvXZKz7 - text/html +1354328924.350343 Cgc67J2CpHIVN7HAw4 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FuGiTK15gnR7f8Uti2 - text/html +1354328924.391728 CgwPkWkJfuBIJsNi4 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - F93zuy2MGUDDPwg0xl - text/html +1354328924.433150 CImWJ03GsvPvA0P67i 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - 1.0 - - 0 934 411 Length Required - - (empty) - - - - - - FRJvy31aqXlFemaBfc - text/html +1354328924.496732 CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - Fcnnrf1A8AgOFzLHM - text/html +1354328924.537671 CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FI3I73110YtFWCuaG3 - text/html +1354328924.559704 CWhRtK3eXodviHmbo7 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - - 0 0 200 OK - - (empty) - - - - - - 
- - - +1354328928.625437 CqVUM4vyqCacqFiud 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - 1.1 - - 0 0 200 OK - - (empty) - - - - - - - - - +1354328932.692706 CudMuD3jKHCaCU5CE 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - 1.0 - - 0 0 400 Bad Request - - (empty) - - - - - - - - - +1354328932.754657 CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FaVAsywxxOtGAzel8 - text/html +1354328932.796568 CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 1 - - - - 1.0 - - 0 925 400 Bad Request - - (empty) - - - - - - FmzgEKnyfPnyZqmh - text/html +#close 2019-03-13-19-36-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log index 57f03e8ee0..dd1802a5ed 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log 
@@ -3,12 +3,12 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-24 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1258577884.844956 CHhAvVGS1DHFjwGM9 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - (empty) - - - - - - Fa7DPI2ItmEOoVqyYj - text/plain -1258577884.960135 CHhAvVGS1DHFjwGM9 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - (empty) - - - - - - FnBh5P1KP0SnMzl3Qj - text/plain -1258577885.317160 CHhAvVGS1DHFjwGM9 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - (empty) - - - - - - F2TV5w2Kwn3G7doSk5 - image/gif -1258577885.349639 CHhAvVGS1DHFjwGM9 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - (empty) - - - - - - F4kk4T3Unyqtkczzue - image/png -1258577885.394612 
CHhAvVGS1DHFjwGM9 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - (empty) - - - - - - FcB26G4nL7jRheOyA8 - image/png -#close 2016-07-13-16-16-24 +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1258577884.844956 CHhAvVGS1DHFjwGM9 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 0 2675 200 OK - - (empty) - - - - - - Fa7DPI2ItmEOoVqyYj - text/plain +1258577884.960135 CHhAvVGS1DHFjwGM9 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 0 21421 200 OK - - (empty) - - - - - - FnBh5P1KP0SnMzl3Qj - text/plain +1258577885.317160 CHhAvVGS1DHFjwGM9 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 0 94 200 OK - - (empty) - - - - - - F2TV5w2Kwn3G7doSk5 - image/gif +1258577885.349639 CHhAvVGS1DHFjwGM9 192.168.1.104 
1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 0 2349 200 OK - - (empty) - - - - - - F4kk4T3Unyqtkczzue - image/png +1258577885.394612 CHhAvVGS1DHFjwGM9 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 0 27579 200 OK - - (empty) - - - - - - FcB26G4nL7jRheOyA8 - image/png +#close 2019-03-13-19-36-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.missing-zlib-header/http.log b/testing/btest/Baseline/scripts.base.protocols.http.missing-zlib-header/http.log index a3379232e8..9f74d7a0d6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.missing-zlib-header/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.missing-zlib-header/http.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-24 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1232039472.314927 CHhAvVGS1DHFjwGM9 237.244.174.255 1905 79.218.110.244 80 1 GET ads1.msn.com /library/dap.js http://zone.msn.com/en/root/default.htm 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727) 0 13249 200 OK - - (empty) - - - - - - FBcNS3RwceOxW15xg - text/plain -1232039472.446194 CHhAvVGS1DHFjwGM9 237.244.174.255 1905 79.218.110.244 80 2 GET ads1.msn.com /library/dap.js http://zone.msn.com/en/root/default.htm 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727) 0 13249 200 OK - - (empty) - - - - - - FDWU85N0DpedJPh93 - text/plain -#close 2016-07-13-16-16-24 +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1232039472.314927 
CHhAvVGS1DHFjwGM9 237.244.174.255 1905 79.218.110.244 80 1 GET ads1.msn.com /library/dap.js http://zone.msn.com/en/root/default.htm 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727) - 0 13249 200 OK - - (empty) - - - - - - FBcNS3RwceOxW15xg - text/plain +1232039472.446194 CHhAvVGS1DHFjwGM9 237.244.174.255 1905 79.218.110.244 80 2 GET ads1.msn.com /library/dap.js http://zone.msn.com/en/root/default.htm 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727) - 0 13249 200 OK - - (empty) - - - - - - FDWU85N0DpedJPh93 - text/plain +#close 2019-03-13-19-36-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log index 1cf735374e..d4d218b736 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-25 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1369159408.455878 CHhAvVGS1DHFjwGM9 141.142.228.5 57262 54.243.88.146 80 1 POST httpbin.org /post - 1.1 curl/7.30.0 370 465 200 OK - - (empty) - - - F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg - - FjeopJ2lRk9U1CNNb5 - text/json -#close 2016-07-13-16-16-25 +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1369159408.455878 CHhAvVGS1DHFjwGM9 141.142.228.5 57262 54.243.88.146 80 1 POST httpbin.org /post - 1.1 curl/7.30.0 - 370 465 200 OK - - (empty) - - - F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg - - FjeopJ2lRk9U1CNNb5 - text/json +#close 2019-03-13-19-36-29 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limit-ignored.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limit-ignored.log new file mode 100644 index 0000000000..3afeb77a1f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limit-ignored.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2019-03-13-20-30-39 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1369159408.455878 CHhAvVGS1DHFjwGM9 141.142.228.5 57262 54.243.88.146 80 1 POST httpbin.org /post - 1.1 curl/7.30.0 - 370 465 200 OK - - (empty) - - - F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg - - FjeopJ2lRk9U1CNNb5 - text/json +#close 2019-03-13-20-30-39 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limited.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limited.log new file mode 100644 index 0000000000..eab9c7af32 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http-limited.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2019-03-13-20-29-04 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1369159408.455878 CHhAvVGS1DHFjwGM9 141.142.228.5 57262 54.243.88.146 80 1 POST httpbin.org /post - 1.1 curl/7.30.0 - 370 465 200 OK - - (empty) - - - F2yGNX2vGXLxfZeD12 - - FjeopJ2lRk9U1CNNb5 - text/json +#close 2019-03-13-20-29-04 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http.log new file mode 100644 index 0000000000..d4d218b736 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/http.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1369159408.455878 CHhAvVGS1DHFjwGM9 141.142.228.5 57262 54.243.88.146 80 1 POST httpbin.org /post - 1.1 curl/7.30.0 - 370 465 200 OK - - (empty) - - - F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg - - FjeopJ2lRk9U1CNNb5 - text/json +#close 2019-03-13-19-36-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limit-ignored b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limit-ignored new file mode 100644 index 0000000000..a73a00eeca --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limit-ignored @@ -0,0 +1,2 @@ +max_files reached +max_files reached diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limited b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limited new file mode 100644 index 0000000000..a73a00eeca --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-file-limit/out-limited @@ -0,0 +1,2 @@ +max_files reached +max_files reached diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log index 44ecea3402..4fe4329b9c 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/http.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-26 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1362692526.939527 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 1 GET bro.org (empty) - 1.1 - 0 4705 200 OK - - (empty) - - - - - - FakNcS1Jfe01uljb3 - text/plain -#close 2016-07-13-16-16-26 +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1362692526.939527 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 1 GET bro.org (empty) - 1.1 - - 0 4705 200 OK - - (empty) - - - - - - FakNcS1Jfe01uljb3 - text/plain +#close 2019-03-13-19-36-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log b/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log index 768f6131a9..22cf4fde98 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.no-version/http.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-16-27 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1036020209.801685 CHhAvVGS1DHFjwGM9 131.243.1.23 1035 131.243.1.10 80 1 GET - /cgi-bin/formmail.pl?email=f2@aol.com&subject=www-nrg.ee/cgi-bin/formmail.pl&recipient=unknownz@buy2save.com&msg=w00t - - - 0 0 - - - - (empty) - - - - - - - - - -#close 2016-07-13-16-16-27 +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1036020209.801685 CHhAvVGS1DHFjwGM9 131.243.1.23 1035 131.243.1.10 80 1 GET - /cgi-bin/formmail.pl?email=f2@aol.com&subject=www-nrg.ee/cgi-bin/formmail.pl&recipient=unknownz@buy2save.com&msg=w00t - - - - 0 0 - - - - (empty) - - - - - - - - - +#close 2019-03-13-19-36-29 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log index 8b2f960d80..19cde01f60 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path http -#open 2017-07-28-05-03-01 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 1 GET icir.org /% - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - Fp16kg2g0K5oCDByh2 - text/html -1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 1 GET icir.org /%5 - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - FAjakt4YvddFQlySjk - text/html -#close 2017-07-28-05-03-01 +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 1 GET icir.org /% - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 - 0 300 400 Bad Request - - 
(empty) - - - - - - Fp16kg2g0K5oCDByh2 - text/html +1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 1 GET icir.org /%5 - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 - 0 300 400 Bad Request - - (empty) - - - - - - FAjakt4YvddFQlySjk - text/html +#close 2019-03-13-19-36-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.x-gzip/http.log b/testing/btest/Baseline/scripts.base.protocols.http.x-gzip/http.log index c90eb3315a..34e5cdd16c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.x-gzip/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.x-gzip/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2018-05-08-19-59-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1473086764.095192 CHhAvVGS1DHFjwGM9 127.0.0.1 54890 127.0.0.1 80 1 GET localhost / - 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.6.0 0 19 200 ok - - (empty) - - - - - - FLWf9w4QphGhQ5XQRa - text/plain -#close 2018-05-08-19-59-11 +#open 2019-03-13-19-36-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1473086764.095192 CHhAvVGS1DHFjwGM9 127.0.0.1 54890 127.0.0.1 80 1 GET localhost / - 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.6.0 - 0 19 200 ok - - (empty) - - - - - - FLWf9w4QphGhQ5XQRa - text/plain +#close 2019-03-13-19-36-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log b/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log index dbdf6b2bef..964ae1dede 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-16-30 +#open 2019-04-02-01-01-40 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1093521678.945447 CHhAvVGS1DHFjwGM9 10.0.0.57 2387 10.0.0.3 502 tcp - 0.000493 0 0 SF - - 0 FafA 2 80 2 80 - @@ -13,6 +13,6 @@ 1093522946.554059 CUM0KZ3MLUfNB0cl11 10.0.0.57 2585 10.0.0.8 502 tcp - 76.561880 926 0 SF - - 0 ShADafF 8 1254 7 288 - 1093523065.562221 CmES5u32sYpV7JYN 10.0.0.8 502 10.0.0.57 4446 tcp - 155.114237 128 0 SF - - 0 ShADaFf 16 776 15 608 - 1153491879.610371 CP5puj4I8PtEU4qzYg 192.168.66.235 2582 166.161.16.230 502 tcp - 2.905078 0 0 S0 - - 0 S 2 96 0 0 - -1153491888.530306 C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 tcp modbus 85.560847 1692 1278 S1 - - 0 ShADad 167 8380 181 8522 - +1153491888.530306 C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 tcp - 85.560847 1692 1278 S1 - - 0 ShADad 167 8380 181 8522 - 1342774499.588269 C3eiCBGOLw3VtHfOj 10.1.1.234 51411 10.10.5.85 502 tcp modbus 2100.811351 237936 4121200 S2 - - 0 ShADdaF 39659 2300216 20100 5166412 - -#close 2016-07-13-16-16-33 +#close 2019-04-02-01-01-42 diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log deleted file mode 100644 index 00c668fb27..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log +++ /dev/null 
@@ -1,13 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path weird -#open 2016-07-13-16-16-39 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1153491909.414066 - - - - - truncated_IP - F bro -1153491912.529443 CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 binpac exception: out_of_bound: WriteSingleRegisterRequest: 4 > 0 - F bro -1153491920.661039 CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 TCP_ack_underflow_or_misorder - F bro -1153491929.715910 CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 TCP_seq_underflow_or_misorder - F bro -#close 2016-07-13-16-16-39 diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log b/testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log deleted file mode 100644 index 800b9ec4eb..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path weird -#open 2018-08-30-14-12-39 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1445502056.228889 CHhAvVGS1DHFjwGM9 192.168.2.166 1987 192.168.88.95 502 binpac exception: out_of_bound: ReadWriteMultipleRegistersRequest:write_register_values: 16932 > 191 - F bro -#close 2018-08-30-14-12-39 diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log new file mode 100644 index 0000000000..7704087a53 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/files.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path files +#open 2019-02-14-15-17-09 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count +1549644186.691869 FG403EpKSkh5CwCre 169.254.128.15 169.254.128.18 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile 0.000000 - F 16 16 0 0 F - - - - - - - +1549644186.699376 FLCGB5TxPTWKKeQf4 169.254.128.18 169.254.128.15 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile2 0.000000 - T 7000 - 0 0 F - - - - - - - +#close 2019-02-14-15-17-09 diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log new file mode 100644 index 0000000000..197ad14bca --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-write/smb_files.log 
@@ -0,0 +1,16 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smb_files +#open 2019-02-14-15-17-09 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid action path name size prev_name times.modified times.accessed times.created times.changed +#types time string addr port addr port string enum string string count string time time time time +1549644186.686127 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile 16 - 1549643138.282481 1549643183.156000 1549643138.280000 1549643138.282481 +1549644186.686127 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_READ - pythonfile 16 - 1549643138.282481 1549643183.156000 1549643138.280000 1549643138.282481 +1549644186.686127 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FG403EpKSkh5CwCre SMB::FILE_READ - pythonfile 16 - 1549643138.282481 1549643183.156000 1549643138.280000 1549643138.282481 +1549644186.692584 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - pythonfile2 0 - 1549644186.688000 1549644186.688000 1549644186.688000 1549644186.688000 +1549644186.692584 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_WRITE - pythonfile2 0 - 1549644186.688000 1549644186.688000 1549644186.688000 1549644186.688000 +1549644186.692584 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 FLCGB5TxPTWKKeQf4 SMB::FILE_WRITE - pythonfile2 0 - 1549644186.688000 1549644186.688000 1549644186.688000 1549644186.688000 +1549644187.702245 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 - SMB::FILE_OPEN - 0 - 1549644186.688000 1549644187.700000 1549644186.688000 1549644186.688000 +#close 2019-02-14-15-17-09 diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-write-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-write-response/.stdout new file mode 100644 index 0000000000..87e558461b --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-write-response/.stdout @@ -0,0 +1,2 @@ +smb2_write_response 169.254.128.18 -> 169.254.128.15:445, length: 7000 +[credit_charge=1, status=0, command=9, credits=1, flags=1, message_id=1238, process_id=65279, tree_id=1394175098, session_id=1008934080, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00] diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout new file mode 100644 index 0000000000..155317d262 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/.stdout 
@@ -0,0 +1,44 @@ +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=v\x17k\x19V\xed,\x9cZ\xcf\x00\xa3\x0c\x04\x85\xbc, nonce=:\xaa\x96\x8f\x18\xaea\xe6\xe7o\x1f\x00\x00\x00\x00\x00, orig_msg_size=146, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xec\xbf\xd2v\x00\xd6["R\xf6?\xc8\xf95\xd6\xe7, nonce=]\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=136, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x9ah^\xb0y\xca\xcc\xc00\xb7\x0f\x0e.6\xd8l, nonce=\x91yv\x16z\xfa\x18V<\xd4\xbd\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa4\x8a\xcf\xab\xe3\x97\x1fy\xb1??\x12\xed\x01U\xa8, nonce=^\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xafq\xe0B3?a(J\xa9\x94\xd7\x98\x83\xeb\xca, nonce=\xe9of$\xde\s\xa4\x9e\x96\x8e\x00\x00\x00\x00\x00, orig_msg_size=121, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc3w\x8c\xc7\x9e\xe9\x98@:\x13\xa2\x1d\xcfz\xaa\xcb, nonce=_\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=720, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x18\x8d9\xce\xa4\xb1\xe3\xf6@\xaf\xf5\xd0\xb1V\x98R, nonce=\xc0\xbdfU\x16\xdb\xb4\xb4\x99P\x7f\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x9c\xd4:\x8b\xbe\xecS\xe4\x013\x18t\x7fb\x90\xaf, nonce=`\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=92, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 
[signature=T\x80\xd9\x08\xf7>\xe9\xde8;\xa0\x89\x9a\x0f}[, nonce=\x11\xde\xf2n\x84P\x0b,+\x1f\xce\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xcfX\xd9\x1f\xa4\x11\x06\xbd\x89\xa7blz5[\xa3, nonce=a\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=80, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x8f\xa7u\xda\x0c\xe8f=)o\x13\xa8\xab\xa8"\xf6, nonce=Eq!\xd9D\xdc1B\x01J\x80\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=8l\xb2\xecl\xa8\x1f~e\xf4\xbfB\x08\x0e\x83\x0f, nonce=b\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=100, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=+\xed\xaf_\xdc\x12\xc4\xb1\x0f\xfa\xf2\xc2\xdfs\xe5w, nonce=\xff\xbe\xf8\xe1\xce~2\xf3\xd0\x1d5\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc6d~\xf8\xd2\xffs\xc9/\xad\x17jz\x008\xd1, nonce=c\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xc6F\x1b\x19\x07\xa7\xf0\xc9E\xbd\xd2a\xdb\xb6\x1b\xc8, nonce=G\x10mh\x09\xb5\x1b\xed\x9d\x03\x0f\x00\x00\x00\x00\x00, orig_msg_size=158, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x0e\xf8\xbb\xfbB'\x83\x9b\xa3\x98\xa5K\xa4,pO, nonce=d\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=73, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa6\xdc\x0e\x9c\x06\xd2V\xf5\xf5za\xd3[\xfb\xde|, nonce=\xa2\x15\x19\xce~\xee 
\x16\x15\x9a\xe8\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xfc\xfbM9\xa6\xfb\xb8\xcc"\xd8\xc3S\xbcX#\x16, nonce=e\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xbe\x85\xe3\xdeX\xda\x89\x87\x8e\xd6\x0aq\x7f\xf7\xff\xb5, nonce=\x9a\xae\x1f\x88M\x09W#\x18\x1a\x9d\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x83ime\x91/8f\x13\x9f\x16Qa\xd3\x00\x8a, nonce=f\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x91\x8d[\x18\x9d*\x97\xc2\x0bK\xdb\x94dbB\xae, nonce=\x97\x9f\xd7\xc4,?u\xf1\xcf\x1f\x0f\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=R\x96KU\x95\xfc\x05\x17\xe5\xbd\xed\x16\x12}\x8e\x81, nonce=g\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xf4RBG}\xd0i\x0f\xcbdP\xe7n\xd9\xc0W, nonce="\xda\xcdU@;<\x09\x0a\x14\xa0\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=t\xb9p\xb1\xec\xbfm%\xfc\x8d\x0e\xacR\xe1/J, nonce=h\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x98\xbc\xb1|\x9d,EK%\x9b\x0d\xec\xcdF\xde\xcb, nonce=\xd8\xa5V:\xeaQM:\xe9V\xca\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 
10.160.65.202:445 [signature=\xf2\x8f\xc9U\x8c)\x12\xb8\xcc<\xb9\xa6Ni\xe9\xcf, nonce=i\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=UY\x80\xef\xe4Jw,\xb95E!\xa1I\x9fM, nonce=\xf0\xe60Q\xc4\x15\xaf\xab\x8a)\xe9\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=y-8dk\x8dKH\xf3\xdd\xb3\xbf%n\xfa3, nonce=j\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=176, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x0by\xe8l\x11\xdbm\x90K\xcc\x11wd\xdb\xd8\xe6, nonce=\xd2V"\xa9C\xac0\x15\xf2Pe\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xef%\xd6\x89\x095\xba\xc8P\xd2\x85\xb0\x00\xd2\x07?, nonce=k\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xdeR\xf3J\xde\x13n5\x86P]\x13\xb8\x02|\xcd, nonce=u\x81\xc63\x06\x1f\xda\xd1\x03\xaa!\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=_\xaarMl\x89l$\x7f\xe9\xfb\x11E\xa6\xb5F, nonce=l\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xee\x9aE\xbc%\xe9\xee\xc0)\x1f\x85\x86\xf5\xb16\xaa, nonce=\x9f_\xed\xaa\xd53\xd4y\xe3\xbc\xdb\x00\x00\x00\x00\x00, orig_msg_size=105, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=N\x9d.\xf1\x01\xe0\xa82\xa4\x8dg\x8ek\xbb\x9d., nonce=m\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, 
orig_msg_size=176, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x098_IU\x1d\xc1\x14?\xebwC\x1aje\xbc, nonce=\xf51\xbb\x95\xc6\x98B\xf9\x82\xab\x8a\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xa6!\x0c\xe0\xe35\xfd\x0e\x82\xd3\x0a\xfbE\xaa\x85\x06, nonce=n\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=m\x98z\x98Hq\x12L\x85v\x17\xec\xa4\xb7A\x95, nonce=\x04\xa7}z\xb4&\xf7B\xaa\x983\x00\x00\x00\x00\x00, orig_msg_size=128, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xd8\xcf>8!\xcfZ6\x04@\x9f\x86a\xfe\xee\xda, nonce=o\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=152, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=9\x00\xe0\x00\xb8%\xddH\xbf\xa9M\xf1\xed\x0c\xf0\xa5, nonce=I\xf8\x1a_\xf1\x1e0\xca\x0a\x8eU\x00\x00\x00\x00\x00, orig_msg_size=98, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=E|\xeb$V\xf4p,\xa8c\xe6\x1d\xd1a\xb2\xfb, nonce=p\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=350, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\xd2U\xd6\xcf!\x94f\xf8&`J\xd4I(\xa7\x0e, nonce=\x06\x1e\x18+ C\xa1P\xb7\x86f\x00\x00\x00\x00\x00, orig_msg_size=98, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=4\xb6\xb2|\x02$\x8bF\xf0\x16\x97\xc3s\xd7(F, nonce=q\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=73, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 
[signature=1\x9d\xe63DL\x16\xc2\x8bt\x15\xe8\xb4\xf2\xfa\x90, nonce=}\x09FCI\xf9\x09&\x8aEf\x00\x00\x00\x00\x00, orig_msg_size=88, flags=1, session_id=79167320227901] +smb2_transform_header 10.160.64.139 -> 10.160.65.202:445 [signature=\x82\xef\x1e_\xee{\xc2\xack\x05\xbe\x82\x93<\x18\xe7, nonce=r\xf5\xc4\xfcx\xdd\x8e~\x00\x00\x00\x00\x00\x00\x00\x00, orig_msg_size=124, flags=1, session_id=79167320227901] diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log new file mode 100644 index 0000000000..7f4bc10f49 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb3/smb_mapping.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path smb_mapping +#open 2019-02-21-09-15-32 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p path service native_file_system share_type +#types time string addr port addr port string string string string +1495015336.544229 CHhAvVGS1DHFjwGM9 10.160.64.139 38166 10.160.65.202 445 \\\\WS2016\\encrypted - - DISK +1495015336.569009 CHhAvVGS1DHFjwGM9 10.160.64.139 38166 10.160.65.202 445 \\\\10.160.65.202\\IPC$ - - PIPE +#close 2019-02-21-09-15-32 diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb311/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb311/.stdout new file mode 100644 index 0000000000..9245b4307a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb311/.stdout 
@@ -0,0 +1 @@ +smb2_negotiate_response 192.168.100.168 -> 10.160.67.244:445 [dialect_revision=785, security_mode=3, server_guid=[persistent=5167561042355431755, volatile=7583560952700542861], system_time=1547145849.626981, server_start_time=1540586308.948775, negotiate_context_count=2, negotiate_context_values=[[context_type=1, data_length=38, preauth_info=[hash_alg_count=1, salt_length=32, hash_alg=[1], salt=\x17\xa3\x95(\x0d\x0dt\xecZ\xe5\x0e\x1a\xef\x85\x07]U\x99\x86B\xd0\xeb\xc8\x08\xe0\x0a\xad\x01p\x9a/\xb7], encryption_info=, compression_info=, netname=], [context_type=2, data_length=4, preauth_info=, encryption_info=[cipher_count=1, ciphers=[1]], compression_info=, netname=]]] diff --git a/testing/btest/Baseline/doc.manual.data_type_const_simple/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-no-dtls/.stdout similarity index 100% rename from testing/btest/Baseline/doc.manual.data_type_const_simple/.stdout rename to testing/btest/Baseline/scripts.base.protocols.ssl.dtls-no-dtls/.stdout diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout index d5ab2cf618..7347ea650f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout @@ -33,9 +33,9 @@ signature_algorithm, 192.168.6.240, 139.162.123.134 sha256, ecdsa sha384, ecdsa sha512, ecdsa -unknown-8, unknown-4 -unknown-8, unknown-5 -unknown-8, unknown-6 +Intrinsic, rsa_pss_sha256 +Intrinsic, rsa_pss_sha384 +Intrinsic, rsa_pss_sha512 sha256, rsa sha384, rsa sha512, rsa @@ -66,9 +66,9 @@ signature_algorithm, 192.168.6.240, 139.162.123.134 sha256, ecdsa sha384, ecdsa sha512, ecdsa -unknown-8, unknown-4 -unknown-8, unknown-5 -unknown-8, unknown-6 +Intrinsic, rsa_pss_sha256 +Intrinsic, rsa_pss_sha384 +Intrinsic, rsa_pss_sha512 sha256, rsa sha384, rsa sha512, rsa 
diff --git a/testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log b/testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log new file mode 100644 index 0000000000..2a1faf440e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path syslog +#open 2019-03-15-01-41-39 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto facility severity message +#types time string addr port addr port enum string string string +1552584410.781231 CHhAvVGS1DHFjwGM9 192.168.2.118 60786 192.168.2.21 514 udp UNSPECIFIED UNSPECIFIED This is not really a syslog message #173538 1552584410.781186 +#close 2019-03-15-01-41-39 diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.removal/broproc.intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.removal/broproc.intel.log new file mode 100644 index 0000000000..d43abf187b --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.removal/broproc.intel.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path intel +#open 2019-03-24-21-15-06 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc +#types time string addr port addr port string enum enum string set[enum] set[string] string string string +1553462106.131323 - - - - - 10.0.0.2 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +#close 2019-03-24-21-15-06 diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log new file mode 100644 index 0000000000..fd1dd4749b --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path intel +#open 2019-03-25-23-33-09 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc +#types time string addr port addr port string enum enum string set[enum] set[string] string string string +1549644186.691869 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 pythonfile Intel::FILE_NAME SMB::IN_FILE_NAME bro Intel::FILE_NAME source1 FG403EpKSkh5CwCre - pythonfile +#close 2019-03-25-23-33-09 diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log index b4be2cc92f..44e1435514 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log @@ -1,4 +1,4 @@ - 0.000000 bro_init + 0.000000 zeek_init 0.000000 NetControl::init 0.000000 filter_change_tracking 1254722767.492060 ChecksumOffloading::check @@ -226,5 +226,5 @@ 1437831800.217854 connection_state_remove 1437831800.217854 connection_pending 1437831800.217854 connection_state_remove -1437831800.217854 bro_done +1437831800.217854 zeek_done 1437831800.217854 ChecksumOffloading::check diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index 0492d87770..9182b8f999 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log @@ -1,4 +1,4 @@ - 0.000000 bro_init + 0.000000 zeek_init 0.000000 NetControl::init 0.000000 filter_change_tracking 1254722767.492060 ChecksumOffloading::check 
@@ -13,41 +13,41 @@ [3] len: count = 34 1254722767.492060 dns_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, 
history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] [2] query: string = mail.patriots.in [3] qtype: count = 1 [4] qclass: count = 1 1254722767.492060 protocol_confirmation - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, 
resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] atype: enum = Analyzer::ANALYZER_DNS [2] aid: count = 3 1254722767.492060 dns_end - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0aDNS\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, 
saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0aDNS\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] 1254722767.526085 dns_message - [0] c: 
connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, 
history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F], pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [3] len: count = 100 1254722767.526085 dns_CNAME_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, 
orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=, pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [2] ans: dns_answer = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs] [3] name: 
string = patriots.in 1254722767.526085 dns_A_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, 
query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=, pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [2] ans: dns_answer = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs] [3] a: addr = 74.53.140.153 1254722767.526085 dns_end - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=, pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] 1254722767.529046 new_connection 
@@ -489,7 +489,7 @@ 1437831776.764391 ChecksumOffloading::check 1437831776.764391 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=[pending_query=, pending_queries=, pending_replies=], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831776.764391 connection_state_remove [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=25, 
num_bytes_ip=1546, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576953, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 
@@ -1072,5 +1072,5 @@ 1437831800.217854 connection_state_remove [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], 
cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=] -1437831800.217854 bro_done +1437831800.217854 zeek_done 1437831800.217854 ChecksumOffloading::check diff --git a/testing/btest/Baseline/scripts.policy.protocols.http.header-names/http.log b/testing/btest/Baseline/scripts.policy.protocols.http.header-names/http.log index 3a1b33244a..8a949b95be 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.http.header-names/http.log +++ b/testing/btest/Baseline/scripts.policy.protocols.http.header-names/http.log 
@@ -3,21 +3,21 @@ #empty_field (empty) #unset_field - #path http -#open 2016-07-13-16-17-27 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types client_header_names server_header_names -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1300475168.784020 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ 1.1 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,VIA,X-VARNISH,LAST-MODIFIED,ETAG,VARY,CONNECTION -1300475168.916018 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475168.916183 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org 
/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475168.918358 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475168.952307 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475168.952296 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 
304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475168.954820 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475168.962687 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,EXPIRES,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475168.975934 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL 
DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475168.976436 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475168.979264 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475169.014619 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475169.014593 CykQaM33ztNt0csB9a 141.142.220.118 49999 
208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -1300475169.014927 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION -#close 2016-07-13-16-17-27 +#open 2019-03-13-19-36-39 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types client_header_names server_header_names +#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1300475168.784020 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org 
/skins-1.5/monobook/main.css http://www.wikipedia.org/ 1.1 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,VIA,X-VARNISH,LAST-MODIFIED,ETAG,VARY,CONNECTION +1300475168.916018 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475168.916183 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475168.918358 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - 
HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475168.952307 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475168.952296 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475168.954820 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL 
DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475168.962687 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,EXPIRES,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475168.975934 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475168.976436 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475168.979264 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org 
/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475169.014619 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475169.014593 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +1300475169.014927 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ 1.0 Mozilla/5.0 (X11; U; Linux 
x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 - 0 0 304 Not Modified - - (empty) - - - - - - - - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION +#close 2019-03-13-19-36-39 diff --git a/testing/btest/Traces/nflog-http.pcap b/testing/btest/Traces/nflog-http.pcap new file mode 100644 index 0000000000..5feae68cc2 Binary files /dev/null and b/testing/btest/Traces/nflog-http.pcap differ diff --git a/testing/btest/Traces/smb/smb2readwrite.pcap b/testing/btest/Traces/smb/smb2readwrite.pcap new file mode 100644 index 0000000000..723dd58c25 Binary files /dev/null and b/testing/btest/Traces/smb/smb2readwrite.pcap differ diff --git a/testing/btest/Traces/smb/smb3.pcap b/testing/btest/Traces/smb/smb3.pcap new file mode 100644 index 0000000000..3c1800ea19 Binary files /dev/null and b/testing/btest/Traces/smb/smb3.pcap differ diff --git a/testing/btest/Traces/smb/smb311.pcap b/testing/btest/Traces/smb/smb311.pcap new file mode 100644 index 0000000000..b6f4521676 Binary files /dev/null and b/testing/btest/Traces/smb/smb311.pcap differ diff --git a/testing/btest/Traces/syslog-missing-pri.trace b/testing/btest/Traces/syslog-missing-pri.trace new file mode 100755 index 0000000000..625ecddf74 Binary files /dev/null and b/testing/btest/Traces/syslog-missing-pri.trace differ diff --git a/testing/btest/Traces/tunnels/vxlan.pcap b/testing/btest/Traces/tunnels/vxlan.pcap new file mode 100644 index 0000000000..76c91f7feb Binary files /dev/null and b/testing/btest/Traces/tunnels/vxlan.pcap differ diff --git a/testing/btest/bifs/addr_count_conversion.bro b/testing/btest/bifs/addr_count_conversion.zeek similarity index 100% rename from testing/btest/bifs/addr_count_conversion.bro rename to testing/btest/bifs/addr_count_conversion.zeek 
diff --git a/testing/btest/bifs/addr_to_ptr_name.bro b/testing/btest/bifs/addr_to_ptr_name.zeek similarity index 100% rename from testing/btest/bifs/addr_to_ptr_name.bro rename to testing/btest/bifs/addr_to_ptr_name.zeek diff --git a/testing/btest/bifs/addr_version.bro b/testing/btest/bifs/addr_version.zeek similarity index 100% rename from testing/btest/bifs/addr_version.bro rename to testing/btest/bifs/addr_version.zeek diff --git a/testing/btest/bifs/all_set.bro b/testing/btest/bifs/all_set.zeek similarity index 92% rename from testing/btest/bifs/all_set.bro rename to testing/btest/bifs/all_set.zeek index 56f7b6e7f2..86a56ed9fa 100644 --- a/testing/btest/bifs/all_set.bro +++ b/testing/btest/bifs/all_set.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = vector( T, F, T ); print all_set(a); diff --git a/testing/btest/bifs/analyzer_name.bro b/testing/btest/bifs/analyzer_name.zeek similarity index 88% rename from testing/btest/bifs/analyzer_name.bro rename to testing/btest/bifs/analyzer_name.zeek index 266d1c159f..b763aabe08 100644 --- a/testing/btest/bifs/analyzer_name.bro +++ b/testing/btest/bifs/analyzer_name.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = Analyzer::ANALYZER_PIA_TCP; print Analyzer::name(a); diff --git a/testing/btest/bifs/any_set.bro b/testing/btest/bifs/any_set.zeek similarity index 92% rename from testing/btest/bifs/any_set.bro rename to testing/btest/bifs/any_set.zeek index b3e9e3c711..e19a467206 100644 --- a/testing/btest/bifs/any_set.bro +++ b/testing/btest/bifs/any_set.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = vector( F, T, F ); print any_set(a); 
diff --git a/testing/btest/bifs/bloomfilter-seed.bro b/testing/btest/bifs/bloomfilter-seed.zeek similarity index 98% rename from testing/btest/bifs/bloomfilter-seed.bro rename to testing/btest/bifs/bloomfilter-seed.zeek index 436638e2af..24531de915 100644 --- a/testing/btest/bifs/bloomfilter-seed.bro +++ b/testing/btest/bifs/bloomfilter-seed.zeek @@ -34,7 +34,7 @@ function test_bloom_filter() } -event bro_init() +event zeek_init() { test_bloom_filter(); } diff --git a/testing/btest/bifs/bloomfilter.bro b/testing/btest/bifs/bloomfilter.zeek similarity index 99% rename from testing/btest/bifs/bloomfilter.bro rename to testing/btest/bifs/bloomfilter.zeek index c0ccc2a552..dbad5acf5a 100644 --- a/testing/btest/bifs/bloomfilter.bro +++ b/testing/btest/bifs/bloomfilter.zeek @@ -88,7 +88,7 @@ function test_counting_bloom_filter() print bloomfilter_lookup(bf_merged, "baz"); } -event bro_init() +event zeek_init() { test_basic_bloom_filter(); test_counting_bloom_filter(); diff --git a/testing/btest/bifs/bro_version.bro b/testing/btest/bifs/bro_version.zeek similarity index 83% rename from testing/btest/bifs/bro_version.bro rename to testing/btest/bifs/bro_version.zeek index 35975559a5..f4de22e09d 100644 --- a/testing/btest/bifs/bro_version.bro +++ b/testing/btest/bifs/bro_version.zeek @@ -1,7 +1,7 @@ # # @TEST-EXEC: bro -b %INPUT -event bro_init() +event zeek_init() { local a = bro_version(); if ( |a| == 0 ) diff --git a/testing/btest/bifs/bytestring_to_count.bro b/testing/btest/bifs/bytestring_to_count.zeek similarity index 99% rename from testing/btest/bifs/bytestring_to_count.bro rename to testing/btest/bifs/bytestring_to_count.zeek index db50929cb7..5d15bde38b 100644 --- a/testing/btest/bifs/bytestring_to_count.bro +++ b/testing/btest/bifs/bytestring_to_count.zeek @@ -3,7 +3,7 @@ # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { # unsupported byte lengths 
diff --git a/testing/btest/bifs/bytestring_to_double.bro b/testing/btest/bifs/bytestring_to_double.zeek similarity index 98% rename from testing/btest/bifs/bytestring_to_double.bro rename to testing/btest/bifs/bytestring_to_double.zeek index 78820b207c..6ebcbe503b 100644 --- a/testing/btest/bifs/bytestring_to_double.bro +++ b/testing/btest/bifs/bytestring_to_double.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local s1 = "\x43\x26\x4f\xa0\x71\x30\x80\x00"; # 3.14e15 local s2 = "\xc3\x26\x4f\xa0\x71\x30\x80\x00"; #-3.14e15 diff --git a/testing/btest/bifs/bytestring_to_hexstr.bro b/testing/btest/bifs/bytestring_to_hexstr.zeek similarity index 90% rename from testing/btest/bifs/bytestring_to_hexstr.bro rename to testing/btest/bifs/bytestring_to_hexstr.zeek index 4087047f40..0b3e8154ab 100644 --- a/testing/btest/bifs/bytestring_to_hexstr.bro +++ b/testing/btest/bifs/bytestring_to_hexstr.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print bytestring_to_hexstr("04"); print bytestring_to_hexstr(""); diff --git a/testing/btest/bifs/capture_state_updates.bro b/testing/btest/bifs/capture_state_updates.zeek similarity index 88% rename from testing/btest/bifs/capture_state_updates.bro rename to testing/btest/bifs/capture_state_updates.zeek index 6a44e0f86f..17d015a661 100644 --- a/testing/btest/bifs/capture_state_updates.bro +++ b/testing/btest/bifs/capture_state_updates.zeek @@ -3,7 +3,7 @@ # @TEST-EXEC: btest-diff out # @TEST-EXEC: test -f testfile -event bro_init() +event zeek_init() { print capture_state_updates("testfile"); } diff --git a/testing/btest/bifs/cat.bro b/testing/btest/bifs/cat.zeek similarity index 94% rename from testing/btest/bifs/cat.bro rename to testing/btest/bifs/cat.zeek index e923d5d066..5e811f147e 100644 --- a/testing/btest/bifs/cat.bro +++ b/testing/btest/bifs/cat.zeek 
@@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "foo"; local b = 3; diff --git a/testing/btest/bifs/cat_string_array.bro b/testing/btest/bifs/cat_string_array.zeek similarity index 93% rename from testing/btest/bifs/cat_string_array.bro rename to testing/btest/bifs/cat_string_array.zeek index e799f4b282..f9aa3f266d 100644 --- a/testing/btest/bifs/cat_string_array.bro +++ b/testing/btest/bifs/cat_string_array.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a: string_array = { [0] = "this", [1] = "is", [2] = "a", [3] = "test" diff --git a/testing/btest/bifs/check_subnet.bro b/testing/btest/bifs/check_subnet.zeek similarity index 97% rename from testing/btest/bifs/check_subnet.bro rename to testing/btest/bifs/check_subnet.zeek index b725cae73c..d476be1bc8 100644 --- a/testing/btest/bifs/check_subnet.bro +++ b/testing/btest/bifs/check_subnet.zeek @@ -30,7 +30,7 @@ function check_member(s: subnet) } -event bro_init() +event zeek_init() { check_member(10.2.0.2/32); check_member(10.2.0.2/31); diff --git a/testing/btest/bifs/checkpoint_state.bro b/testing/btest/bifs/checkpoint_state.zeek similarity index 88% rename from testing/btest/bifs/checkpoint_state.bro rename to testing/btest/bifs/checkpoint_state.zeek index 7a46516ba0..e9eeeccb75 100644 --- a/testing/btest/bifs/checkpoint_state.bro +++ b/testing/btest/bifs/checkpoint_state.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: test -f .state/state.bst -event bro_init() +event zeek_init() { local a = checkpoint_state(); if ( a != T ) diff --git a/testing/btest/bifs/clear_table.bro b/testing/btest/bifs/clear_table.zeek similarity index 91% rename from testing/btest/bifs/clear_table.bro rename to testing/btest/bifs/clear_table.zeek index 9485eba1f5..a6c2e67341 100644 --- a/testing/btest/bifs/clear_table.bro +++ b/testing/btest/bifs/clear_table.zeek 
@@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT > out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local mytable: table[string] of string = { ["key1"] = "val1" }; diff --git a/testing/btest/bifs/convert_for_pattern.bro b/testing/btest/bifs/convert_for_pattern.zeek similarity index 90% rename from testing/btest/bifs/convert_for_pattern.bro rename to testing/btest/bifs/convert_for_pattern.zeek index b99b010f97..1828284f37 100644 --- a/testing/btest/bifs/convert_for_pattern.bro +++ b/testing/btest/bifs/convert_for_pattern.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { print convert_for_pattern("foo"); print convert_for_pattern(""); diff --git a/testing/btest/bifs/count_to_addr.bro b/testing/btest/bifs/count_to_addr.zeek similarity index 95% rename from testing/btest/bifs/count_to_addr.bro rename to testing/btest/bifs/count_to_addr.zeek index 993a701bc8..4abbaf8d1e 100644 --- a/testing/btest/bifs/count_to_addr.bro +++ b/testing/btest/bifs/count_to_addr.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "1"; print count_to_v4_addr(to_count(a)); diff --git a/testing/btest/bifs/create_file.bro b/testing/btest/bifs/create_file.zeek similarity index 98% rename from testing/btest/bifs/create_file.bro rename to testing/btest/bifs/create_file.zeek index af2cfb4979..db7d38d087 100644 --- a/testing/btest/bifs/create_file.bro +++ b/testing/btest/bifs/create_file.zeek @@ -5,7 +5,7 @@ # @TEST-EXEC: btest-diff testfile2 # @TEST-EXEC: test -f testdir/testfile4 -event bro_init() +event zeek_init() { # Test that creating a file works as expected local a = open("testfile"); 
diff --git a/testing/btest/bifs/current_analyzer.bro b/testing/btest/bifs/current_analyzer.zeek similarity index 88% rename from testing/btest/bifs/current_analyzer.bro rename to testing/btest/bifs/current_analyzer.zeek index e221d7aed0..8678907320 100644 --- a/testing/btest/bifs/current_analyzer.bro +++ b/testing/btest/bifs/current_analyzer.zeek @@ -1,7 +1,7 @@ # # @TEST-EXEC: bro -b %INPUT -event bro_init() +event zeek_init() { local a = current_analyzer(); if ( a != 0 ) diff --git a/testing/btest/bifs/current_time.bro b/testing/btest/bifs/current_time.zeek similarity index 85% rename from testing/btest/bifs/current_time.bro rename to testing/btest/bifs/current_time.zeek index 9d4899aa06..4d2712ae98 100644 --- a/testing/btest/bifs/current_time.bro +++ b/testing/btest/bifs/current_time.zeek @@ -1,7 +1,7 @@ # # @TEST-EXEC: bro -b %INPUT -event bro_init() +event zeek_init() { local a = current_time(); if ( a <= double_to_time(0) ) diff --git a/testing/btest/bifs/decode_base64.bro b/testing/btest/bifs/decode_base64.zeek similarity index 100% rename from testing/btest/bifs/decode_base64.bro rename to testing/btest/bifs/decode_base64.zeek diff --git a/testing/btest/bifs/decode_base64_conn.bro b/testing/btest/bifs/decode_base64_conn.zeek similarity index 100% rename from testing/btest/bifs/decode_base64_conn.bro rename to testing/btest/bifs/decode_base64_conn.zeek diff --git a/testing/btest/bifs/directory_operations.bro b/testing/btest/bifs/directory_operations.zeek similarity index 96% rename from testing/btest/bifs/directory_operations.bro rename to testing/btest/bifs/directory_operations.zeek index 9db34511b2..0a5a8b0413 100644 --- a/testing/btest/bifs/directory_operations.bro +++ b/testing/btest/bifs/directory_operations.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { # Test succesful operations... print mkdir("testdir"); 
diff --git a/testing/btest/bifs/dump_current_packet.bro b/testing/btest/bifs/dump_current_packet.zeek similarity index 100% rename from testing/btest/bifs/dump_current_packet.bro rename to testing/btest/bifs/dump_current_packet.zeek diff --git a/testing/btest/bifs/edit.bro b/testing/btest/bifs/edit.zeek similarity index 86% rename from testing/btest/bifs/edit.bro rename to testing/btest/bifs/edit.zeek index 346c0bdbf7..ba6ebdef38 100644 --- a/testing/btest/bifs/edit.bro +++ b/testing/btest/bifs/edit.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "hello there"; diff --git a/testing/btest/bifs/enable_raw_output.test b/testing/btest/bifs/enable_raw_output.test index ebaff36c8f..14bd2110ee 100644 --- a/testing/btest/bifs/enable_raw_output.test +++ b/testing/btest/bifs/enable_raw_output.test @@ -6,7 +6,7 @@ # @TEST-EXEC: btest-diff output # @TEST-EXEC: cmp myfile hookfile -event bro_init() +event zeek_init() { local myfile: file; myfile = open("myfile"); diff --git a/testing/btest/bifs/encode_base64.bro b/testing/btest/bifs/encode_base64.zeek similarity index 100% rename from testing/btest/bifs/encode_base64.bro rename to testing/btest/bifs/encode_base64.zeek diff --git a/testing/btest/bifs/entropy_test.bro b/testing/btest/bifs/entropy_test.zeek similarity index 96% rename from testing/btest/bifs/entropy_test.bro rename to testing/btest/bifs/entropy_test.zeek index 2a2dd422d1..11effd1159 100644 --- a/testing/btest/bifs/entropy_test.bro +++ b/testing/btest/bifs/entropy_test.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out -event bro_init() +event zeek_init() { local a = "dh3Hie02uh^s#Sdf9L3frd243h$d78r2G4cM6*Q05d(7rh46f!0|4-f"; local handle = entropy_test_init(); 
diff --git a/testing/btest/bifs/enum_to_int.bro b/testing/btest/bifs/enum_to_int.zeek
similarity index 95%
rename from testing/btest/bifs/enum_to_int.bro
rename to testing/btest/bifs/enum_to_int.zeek
index 3d577d2920..b48c925c8f 100644
--- a/testing/btest/bifs/enum_to_int.bro
+++ b/testing/btest/bifs/enum_to_int.zeek
@@ -16,7 +16,7 @@ export {
 };
 }
-event bro_init()
+event zeek_init()
 {
diff --git a/testing/btest/bifs/escape_string.bro b/testing/btest/bifs/escape_string.zeek
similarity index 94%
rename from testing/btest/bifs/escape_string.bro
rename to testing/btest/bifs/escape_string.zeek
index fd796497be..4ae79a869a 100644
--- a/testing/btest/bifs/escape_string.bro
+++ b/testing/btest/bifs/escape_string.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "Test \0string";
diff --git a/testing/btest/bifs/exit.bro b/testing/btest/bifs/exit.zeek
similarity index 86%
rename from testing/btest/bifs/exit.bro
rename to testing/btest/bifs/exit.zeek
index b942a5e81c..03ea13efd3 100644
--- a/testing/btest/bifs/exit.bro
+++ b/testing/btest/bifs/exit.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out || test $? -eq 7
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 print "hello";
 exit(7);
diff --git a/testing/btest/bifs/file_mode.bro b/testing/btest/bifs/file_mode.zeek
similarity index 96%
rename from testing/btest/bifs/file_mode.bro
rename to testing/btest/bifs/file_mode.zeek
index 62bee05c6c..de43439080 100644
--- a/testing/btest/bifs/file_mode.bro
+++ b/testing/btest/bifs/file_mode.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = 420; # octal: 0644
 print file_mode(a);
diff --git a/testing/btest/bifs/filter_subnet_table.bro b/testing/btest/bifs/filter_subnet_table.zeek
similarity index 98%
rename from testing/btest/bifs/filter_subnet_table.bro
rename to testing/btest/bifs/filter_subnet_table.zeek
index 7659096a71..79829bc252 100644
--- a/testing/btest/bifs/filter_subnet_table.bro
+++ b/testing/btest/bifs/filter_subnet_table.zeek
@@ -32,7 +32,7 @@ global testb: table[subnet] of string = {
 };
-event bro_init()
+event zeek_init()
 {
 local c = filter_subnet_table(10.2.0.2/32, testa);
 print c;
diff --git a/testing/btest/bifs/find_all.bro b/testing/btest/bifs/find_all.zeek
similarity index 93%
rename from testing/btest/bifs/find_all.bro
rename to testing/btest/bifs/find_all.zeek
index 4fe451a9d4..cb7e7b35d0 100644
--- a/testing/btest/bifs/find_all.bro
+++ b/testing/btest/bifs/find_all.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "this is a test";
 local pat = /hi|es/;
diff --git a/testing/btest/bifs/find_entropy.bro b/testing/btest/bifs/find_entropy.zeek
similarity index 93%
rename from testing/btest/bifs/find_entropy.bro
rename to testing/btest/bifs/find_entropy.zeek
index 2eb24fe118..771a6221f7 100644
--- a/testing/btest/bifs/find_entropy.bro
+++ b/testing/btest/bifs/find_entropy.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "dh3Hie02uh^s#Sdf9L3frd243h$d78r2G4cM6*Q05d(7rh46f!0|4-f";
 local b = "0011000aaabbbbcccc000011111000000000aaaabbbbcccc0000000";
diff --git a/testing/btest/bifs/find_last.bro b/testing/btest/bifs/find_last.zeek
similarity index 93%
rename from testing/btest/bifs/find_last.bro
rename to testing/btest/bifs/find_last.zeek
index 00ae2a874d..0eab201464 100644
--- a/testing/btest/bifs/find_last.bro
+++ b/testing/btest/bifs/find_last.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "this is a test";
 local pat = /hi|es/;
diff --git a/testing/btest/bifs/fmt.bro b/testing/btest/bifs/fmt.zeek
similarity index 99%
rename from testing/btest/bifs/fmt.bro
rename to testing/btest/bifs/fmt.zeek
index 7fc4dc38d7..979dbafe67 100644
--- a/testing/btest/bifs/fmt.bro
+++ b/testing/btest/bifs/fmt.zeek
@@ -4,7 +4,7 @@ type color: enum { Red, Blue };
-event bro_init()
+event zeek_init()
 {
 local a = Blue;
 local b = vector( 1, 2, 3);
diff --git a/testing/btest/bifs/fmt_ftp_port.bro b/testing/btest/bifs/fmt_ftp_port.zeek
similarity index 91%
rename from testing/btest/bifs/fmt_ftp_port.bro
rename to testing/btest/bifs/fmt_ftp_port.zeek
index 6a7b4d20c7..b265c0ad67 100644
--- a/testing/btest/bifs/fmt_ftp_port.bro
+++ b/testing/btest/bifs/fmt_ftp_port.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = 192.168.0.2;
 local b = 257/tcp;
diff --git a/testing/btest/bifs/get_current_packet_header.bro b/testing/btest/bifs/get_current_packet_header.zeek
similarity index 100%
rename from testing/btest/bifs/get_current_packet_header.bro
rename to testing/btest/bifs/get_current_packet_header.zeek
diff --git a/testing/btest/bifs/get_matcher_stats.bro b/testing/btest/bifs/get_matcher_stats.zeek
similarity index 94%
rename from testing/btest/bifs/get_matcher_stats.bro
rename to testing/btest/bifs/get_matcher_stats.zeek
index eeaa8cb86a..76d019caca 100644
--- a/testing/btest/bifs/get_matcher_stats.bro
+++ b/testing/btest/bifs/get_matcher_stats.zeek
@@ -10,7 +10,7 @@ signature my_ftp_client {
 }
 @TEST-END-FILE
-event bro_init()
+event zeek_init()
 {
 local a = get_matcher_stats();
 if ( a$matchers == 0 )
diff --git a/testing/btest/bifs/get_port_transport_proto.bro b/testing/btest/bifs/get_port_transport_proto.zeek
similarity index 93%
rename from testing/btest/bifs/get_port_transport_proto.bro
rename to testing/btest/bifs/get_port_transport_proto.zeek
index ae3c496d88..18dfdd4974 100644
--- a/testing/btest/bifs/get_port_transport_proto.bro
+++ b/testing/btest/bifs/get_port_transport_proto.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = 123/tcp;
 local b = 123/udp;
diff --git a/testing/btest/bifs/gethostname.bro b/testing/btest/bifs/gethostname.zeek
similarity index 83%
rename from testing/btest/bifs/gethostname.bro
rename to testing/btest/bifs/gethostname.zeek
index 1d760525cb..b30407190d 100644
--- a/testing/btest/bifs/gethostname.bro
+++ b/testing/btest/bifs/gethostname.zeek
@@ -1,7 +1,7 @@
 #
 # @TEST-EXEC: bro -b %INPUT
-event bro_init()
+event zeek_init()
 {
 local a = gethostname();
 if ( |a| == 0 )
diff --git a/testing/btest/bifs/getpid.bro b/testing/btest/bifs/getpid.zeek
similarity index 82%
rename from testing/btest/bifs/getpid.bro
rename to testing/btest/bifs/getpid.zeek
index 1852b1287e..a7348d4743 100644
--- a/testing/btest/bifs/getpid.bro
+++ b/testing/btest/bifs/getpid.zeek
@@ -1,7 +1,7 @@
 #
 # @TEST-EXEC: bro -b %INPUT
-event bro_init()
+event zeek_init()
 {
 local a = getpid();
 if ( a == 0 )
diff --git a/testing/btest/bifs/getsetenv.bro b/testing/btest/bifs/getsetenv.zeek
similarity index 95%
rename from testing/btest/bifs/getsetenv.bro
rename to testing/btest/bifs/getsetenv.zeek
index d217a14ea9..24fecb7800 100644
--- a/testing/btest/bifs/getsetenv.bro
+++ b/testing/btest/bifs/getsetenv.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: TESTBRO=testvalue bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = getenv("NOTDEFINED");
 local b = getenv("TESTBRO");
diff --git a/testing/btest/bifs/global_ids.bro b/testing/btest/bifs/global_ids.zeek
similarity index 82%
rename from testing/btest/bifs/global_ids.bro
rename to testing/btest/bifs/global_ids.zeek
index 2dcb6e844d..8875065b3b 100644
--- a/testing/btest/bifs/global_ids.bro
+++ b/testing/btest/bifs/global_ids.zeek
@@ -2,13 +2,13 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = global_ids();
 for ( i in a )
 {
 # the table is quite large, so just print one item we expect
- if ( i == "bro_init" )
+ if ( i == "zeek_init" )
 print a[i]$type_name;
 }
diff --git a/testing/btest/bifs/global_sizes.bro b/testing/btest/bifs/global_sizes.zeek
similarity index 72%
rename from testing/btest/bifs/global_sizes.bro
rename to testing/btest/bifs/global_sizes.zeek
index 4b0805172c..5705ae5e95 100644
--- a/testing/btest/bifs/global_sizes.bro
+++ b/testing/btest/bifs/global_sizes.zeek
@@ -2,14 +2,14 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = global_sizes();
 for ( i in a )
 {
 # the table is quite large, so just look for one item we expect
- if ( i == "bro_init" )
- print "found bro_init";
+ if ( i == "zeek_init" )
+ print "found zeek_init";
 }
diff --git a/testing/btest/bifs/haversine_distance.bro b/testing/btest/bifs/haversine_distance.zeek
similarity index 97%
rename from testing/btest/bifs/haversine_distance.bro
rename to testing/btest/bifs/haversine_distance.zeek
index b0a87a2c2d..0d2e7891c0 100644
--- a/testing/btest/bifs/haversine_distance.bro
+++ b/testing/btest/bifs/haversine_distance.zeek
@@ -7,7 +7,7 @@ function test(la1: double, lo1: double, la2: double, lo2: double)
 print fmt("%.4e", haversine_distance(la1, lo1, la2, lo2));
 }
-event bro_init()
+event zeek_init()
 {
 # Test two arbitrary locations.
 test(37.866798, -122.253601, 48.25, 11.65);
diff --git a/testing/btest/bifs/hexdump.bro b/testing/btest/bifs/hexdump.zeek
similarity index 88%
rename from testing/btest/bifs/hexdump.bro
rename to testing/btest/bifs/hexdump.zeek
index 1c86ce0db8..10e1855a19 100644
--- a/testing/btest/bifs/hexdump.bro
+++ b/testing/btest/bifs/hexdump.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "abc\xffdefghijklmnopqrstuvwxyz";
diff --git a/testing/btest/bifs/hexstr_to_bytestring.bro b/testing/btest/bifs/hexstr_to_bytestring.zeek
similarity index 93%
rename from testing/btest/bifs/hexstr_to_bytestring.bro
rename to testing/btest/bifs/hexstr_to_bytestring.zeek
index f0815a6269..0d41ca00a1 100644
--- a/testing/btest/bifs/hexstr_to_bytestring.bro
+++ b/testing/btest/bifs/hexstr_to_bytestring.zeek
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff .stderr
-event bro_init()
+event zeek_init()
 {
 print hexstr_to_bytestring("3034");
 print hexstr_to_bytestring("");
diff --git a/testing/btest/bifs/hll_cardinality.bro b/testing/btest/bifs/hll_cardinality.zeek
similarity index 99%
rename from testing/btest/bifs/hll_cardinality.bro
rename to testing/btest/bifs/hll_cardinality.zeek
index d1b0807416..6bb9c83708 100644
--- a/testing/btest/bifs/hll_cardinality.bro
+++ b/testing/btest/bifs/hll_cardinality.zeek
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff .stderr
-event bro_init()
+event zeek_init()
 {
 local c1 = hll_cardinality_init(0.01, 0.95);
 local c2 = hll_cardinality_init(0.01, 0.95);
diff --git a/testing/btest/bifs/hll_large_estimate.bro b/testing/btest/bifs/hll_large_estimate.zeek
similarity index 97%
rename from testing/btest/bifs/hll_large_estimate.bro
rename to testing/btest/bifs/hll_large_estimate.zeek
index b17b50678d..520b9633e3 100644
--- a/testing/btest/bifs/hll_large_estimate.bro
+++ b/testing/btest/bifs/hll_large_estimate.zeek
@@ -6,7 +6,7 @@
 # @TEST-EXEC: head -n1 out2 >> out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local cp: opaque of cardinality = hll_cardinality_init(0.1, 1.0);
 local base: count = 2130706432; # 127.0.0.0
diff --git a/testing/btest/bifs/identify_data.bro b/testing/btest/bifs/identify_data.zeek
similarity index 94%
rename from testing/btest/bifs/identify_data.bro
rename to testing/btest/bifs/identify_data.zeek
index 048c409553..283c50fc86 100644
--- a/testing/btest/bifs/identify_data.bro
+++ b/testing/btest/bifs/identify_data.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT | sed 's/; charset=.*//g' >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 # plain text
 local a = "This is a test";
diff --git a/testing/btest/bifs/install_src_addr_filter.test b/testing/btest/bifs/install_src_addr_filter.test
index 5b387832de..0ee0c85c43 100644
--- a/testing/btest/bifs/install_src_addr_filter.test
+++ b/testing/btest/bifs/install_src_addr_filter.test
@@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT >output
 # @TEST-EXEC: btest-diff output
-event bro_init()
+event zeek_init()
 {
 install_src_addr_filter(141.142.220.118, TH_SYN, 100.0);
 }
diff --git a/testing/btest/bifs/is_ascii.bro b/testing/btest/bifs/is_ascii.zeek
similarity index 90%
rename from testing/btest/bifs/is_ascii.bro
rename to testing/btest/bifs/is_ascii.zeek
index fa2d39d2d8..7930dafa58 100644
--- a/testing/btest/bifs/is_ascii.bro
+++ b/testing/btest/bifs/is_ascii.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "this is a test\xfe";
 local b = "this is a test\x7f";
diff --git a/testing/btest/bifs/is_local_interface.bro b/testing/btest/bifs/is_local_interface.zeek
similarity index 92%
rename from testing/btest/bifs/is_local_interface.bro
rename to testing/btest/bifs/is_local_interface.zeek
index ac21b04bd3..8667babb85 100644
--- a/testing/btest/bifs/is_local_interface.bro
+++ b/testing/btest/bifs/is_local_interface.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 print is_local_interface(127.0.0.1);
 print is_local_interface(1.2.3.4);
diff --git a/testing/btest/bifs/is_port.bro b/testing/btest/bifs/is_port.zeek
similarity index 95%
rename from testing/btest/bifs/is_port.bro
rename to testing/btest/bifs/is_port.zeek
index 2fe4964913..709c142070 100644
--- a/testing/btest/bifs/is_port.bro
+++ b/testing/btest/bifs/is_port.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = 123/tcp;
 local b = 123/udp;
diff --git a/testing/btest/bifs/join_string.bro b/testing/btest/bifs/join_string.zeek
similarity index 97%
rename from testing/btest/bifs/join_string.bro
rename to testing/btest/bifs/join_string.zeek
index 0b2d94029a..1ea1afa5c2 100644
--- a/testing/btest/bifs/join_string.bro
+++ b/testing/btest/bifs/join_string.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a: string_array = { [1] = "this", [2] = "is", [3] = "a", [4] = "test"
diff --git a/testing/btest/bifs/levenshtein_distance.bro b/testing/btest/bifs/levenshtein_distance.zeek
similarity index 97%
rename from testing/btest/bifs/levenshtein_distance.bro
rename to testing/btest/bifs/levenshtein_distance.zeek
index 86d5e386f4..b877a68a22 100644
--- a/testing/btest/bifs/levenshtein_distance.bro
+++ b/testing/btest/bifs/levenshtein_distance.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "this is a string";
 local b = "this is a tring";
diff --git a/testing/btest/bifs/lookup_ID.bro b/testing/btest/bifs/lookup_ID.zeek
similarity index 77%
rename from testing/btest/bifs/lookup_ID.bro
rename to testing/btest/bifs/lookup_ID.zeek
index e263c192da..1d11d1a8cb 100644
--- a/testing/btest/bifs/lookup_ID.bro
+++ b/testing/btest/bifs/lookup_ID.zeek
@@ -4,7 +4,7 @@
 global a = "bro test";
-event bro_init()
+event zeek_init()
 {
 local b = "local value";
@@ -12,5 +12,5 @@ event bro_init()
 print lookup_ID("");
 print lookup_ID("xyz");
 print lookup_ID("b");
- print type_name( lookup_ID("bro_init") );
+ print type_name( lookup_ID("zeek_init") );
 }
diff --git a/testing/btest/bifs/lowerupper.bro b/testing/btest/bifs/lowerupper.zeek
similarity index 88%
rename from testing/btest/bifs/lowerupper.bro
rename to testing/btest/bifs/lowerupper.zeek
index 77e6b1c9d1..2cb04bfdaa 100644
--- a/testing/btest/bifs/lowerupper.bro
+++ b/testing/btest/bifs/lowerupper.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "this is a Test";
diff --git a/testing/btest/bifs/lstrip.bro b/testing/btest/bifs/lstrip.zeek
similarity index 95%
rename from testing/btest/bifs/lstrip.bro
rename to testing/btest/bifs/lstrip.zeek
index f382b06e23..850ec90d3f 100644
--- a/testing/btest/bifs/lstrip.bro
+++ b/testing/btest/bifs/lstrip.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local link_test = "https://www.zeek.org";
 local one_side = "abcdcab";
diff --git a/testing/btest/bifs/mask_addr.bro b/testing/btest/bifs/mask_addr.zeek
similarity index 100%
rename from testing/btest/bifs/mask_addr.bro
rename to testing/btest/bifs/mask_addr.zeek
diff --git a/testing/btest/bifs/matching_subnets.bro b/testing/btest/bifs/matching_subnets.zeek
similarity index 96%
rename from testing/btest/bifs/matching_subnets.bro
rename to testing/btest/bifs/matching_subnets.zeek
index 87effed19f..3d38d32182 100644
--- a/testing/btest/bifs/matching_subnets.bro
+++ b/testing/btest/bifs/matching_subnets.zeek
@@ -16,7 +16,7 @@ global testt: set[subnet] = {
 [2607:f8b0:4007:807::200e]/128
 };
-event bro_init()
+event zeek_init()
 {
 print testt;
 local c = matching_subnets(10.2.0.2/32, testt);
diff --git a/testing/btest/bifs/math.bro b/testing/btest/bifs/math.zeek
similarity index 93%
rename from testing/btest/bifs/math.bro
rename to testing/btest/bifs/math.zeek
index 84ace8620c..288838ffc1 100644
--- a/testing/btest/bifs/math.bro
+++ b/testing/btest/bifs/math.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = 3.14;
 local b = 2.71;
diff --git a/testing/btest/bifs/merge_pattern.bro b/testing/btest/bifs/merge_pattern.zeek
similarity index 92%
rename from testing/btest/bifs/merge_pattern.bro
rename to testing/btest/bifs/merge_pattern.zeek
index de4a3afd6a..2d99137b56 100644
--- a/testing/btest/bifs/merge_pattern.bro
+++ b/testing/btest/bifs/merge_pattern.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = /foo/;
 local b = /b[a-z]+/;
diff --git a/testing/btest/bifs/net_stats_trace.test b/testing/btest/bifs/net_stats_trace.test
index cd9ee52a27..1cc1ba5567 100644
--- a/testing/btest/bifs/net_stats_trace.test
+++ b/testing/btest/bifs/net_stats_trace.test
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -r $TRACES/wikipedia.trace >output %INPUT
 # @TEST-EXEC: btest-diff output
-event bro_done()
+event zeek_done()
 {
 print get_net_stats();
 }
diff --git a/testing/btest/bifs/netbios-functions.bro b/testing/btest/bifs/netbios-functions.zeek
similarity index 95%
rename from testing/btest/bifs/netbios-functions.bro
rename to testing/btest/bifs/netbios-functions.zeek
index 9b075e8729..8e65f1d5ec 100644
--- a/testing/btest/bifs/netbios-functions.bro
+++ b/testing/btest/bifs/netbios-functions.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local names_to_decode = set(
 "ejfdebfeebfacacacacacacacacacaaa", # ISATAP
diff --git a/testing/btest/bifs/order.bro b/testing/btest/bifs/order.zeek
similarity index 98%
rename from testing/btest/bifs/order.bro
rename to testing/btest/bifs/order.zeek
index cb4b050686..34c8e8c101 100644
--- a/testing/btest/bifs/order.bro
+++ b/testing/btest/bifs/order.zeek
@@ -20,7 +20,7 @@ function myfunc2(a: double, b: double): int
 return 1;
 }
-event bro_init()
+event zeek_init()
 {
 # Tests without supplying a comparison function
diff --git a/testing/btest/bifs/parse_ftp.bro b/testing/btest/bifs/parse_ftp.zeek
similarity index 95%
rename from testing/btest/bifs/parse_ftp.bro
rename to testing/btest/bifs/parse_ftp.zeek
index a8993fa6e0..1e982def27 100644
--- a/testing/btest/bifs/parse_ftp.bro
+++ b/testing/btest/bifs/parse_ftp.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 print parse_ftp_port("192,168,0,2,1,1");
diff --git a/testing/btest/bifs/piped_exec.bro b/testing/btest/bifs/piped_exec.zeek
similarity index 100%
rename from testing/btest/bifs/piped_exec.bro
rename to testing/btest/bifs/piped_exec.zeek
diff --git a/testing/btest/bifs/ptr_name_to_addr.bro b/testing/btest/bifs/ptr_name_to_addr.zeek
similarity index 100%
rename from testing/btest/bifs/ptr_name_to_addr.bro
rename to testing/btest/bifs/ptr_name_to_addr.zeek
diff --git a/testing/btest/bifs/rand.bro b/testing/btest/bifs/rand.zeek
similarity index 95%
rename from testing/btest/bifs/rand.bro
rename to testing/btest/bifs/rand.zeek
index caf3f16031..591f0bf035 100644
--- a/testing/btest/bifs/rand.bro
+++ b/testing/btest/bifs/rand.zeek
@@ -6,7 +6,7 @@ const do_seed = T &redef;
-event bro_init()
+event zeek_init()
 {
 local a = rand(1000);
 local b = rand(1000);
diff --git a/testing/btest/bifs/raw_bytes_to_v4_addr.bro b/testing/btest/bifs/raw_bytes_to_v4_addr.zeek
similarity index 88%
rename from testing/btest/bifs/raw_bytes_to_v4_addr.bro
rename to testing/btest/bifs/raw_bytes_to_v4_addr.zeek
index bd685216ef..9ac266a0bd 100644
--- a/testing/btest/bifs/raw_bytes_to_v4_addr.bro
+++ b/testing/btest/bifs/raw_bytes_to_v4_addr.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 print raw_bytes_to_v4_addr("ABCD");
 print raw_bytes_to_v4_addr("ABC");
diff --git a/testing/btest/bifs/reading_traces.bro b/testing/btest/bifs/reading_traces.zeek
similarity index 90%
rename from testing/btest/bifs/reading_traces.bro
rename to testing/btest/bifs/reading_traces.zeek
index 46ad04c25f..e6fa21999e 100644
--- a/testing/btest/bifs/reading_traces.bro
+++ b/testing/btest/bifs/reading_traces.zeek
@@ -4,7 +4,7 @@
 # @TEST-EXEC: bro -r $TRACES/web.trace %INPUT >out2
 # @TEST-EXEC: btest-diff out2
-event bro_init()
+event zeek_init()
 {
 print reading_traces();
 }
diff --git a/testing/btest/bifs/record_type_to_vector.bro b/testing/btest/bifs/record_type_to_vector.zeek
similarity index 90%
rename from testing/btest/bifs/record_type_to_vector.bro
rename to testing/btest/bifs/record_type_to_vector.zeek
index 9795ce886b..e5e79a4f49 100644
--- a/testing/btest/bifs/record_type_to_vector.bro
+++ b/testing/btest/bifs/record_type_to_vector.zeek
@@ -7,7 +7,7 @@ type myrecord: record {
 str1: string;
 };
-event bro_init()
+event zeek_init()
 {
 print record_type_to_vector("myrecord");
 }
diff --git a/testing/btest/bifs/records_fields.bro b/testing/btest/bifs/records_fields.zeek
similarity index 97%
rename from testing/btest/bifs/records_fields.bro
rename to testing/btest/bifs/records_fields.zeek
index 88df239b57..a130a63267 100644
--- a/testing/btest/bifs/records_fields.bro
+++ b/testing/btest/bifs/records_fields.zeek
@@ -24,7 +24,7 @@ type r: record {
 type mystring: string;
-event bro_init()
+event zeek_init()
 {
 local x: r = [$a=42, $d="Bar", $e=tt];
 print x;
diff --git a/testing/btest/bifs/remask_addr.bro b/testing/btest/bifs/remask_addr.zeek
similarity index 100%
rename from testing/btest/bifs/remask_addr.bro
rename to testing/btest/bifs/remask_addr.zeek
diff --git a/testing/btest/bifs/resize.bro b/testing/btest/bifs/resize.zeek
similarity index 93%
rename from testing/btest/bifs/resize.bro
rename to testing/btest/bifs/resize.zeek
index f4067f31c7..97c3b8c20b 100644
--- a/testing/btest/bifs/resize.bro
+++ b/testing/btest/bifs/resize.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = vector( 5, 3, 8 );
diff --git a/testing/btest/bifs/reverse.bro b/testing/btest/bifs/reverse.zeek
similarity index 96%
rename from testing/btest/bifs/reverse.bro
rename to testing/btest/bifs/reverse.zeek
index bbb386bb80..b6831ef3a7 100644
--- a/testing/btest/bifs/reverse.bro
+++ b/testing/btest/bifs/reverse.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local s1 = "hello world!";
 local s2 = "rise to vote sir";
diff --git a/testing/btest/bifs/rotate_file.bro b/testing/btest/bifs/rotate_file.zeek
similarity index 93%
rename from testing/btest/bifs/rotate_file.bro
rename to testing/btest/bifs/rotate_file.zeek
index a6109ff677..a7c3bf3971 100644
--- a/testing/btest/bifs/rotate_file.bro
+++ b/testing/btest/bifs/rotate_file.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = open("testfile");
 write_file(a, "this is a test\n");
diff --git a/testing/btest/bifs/rotate_file_by_name.bro b/testing/btest/bifs/rotate_file_by_name.zeek
similarity index 94%
rename from testing/btest/bifs/rotate_file_by_name.bro
rename to testing/btest/bifs/rotate_file_by_name.zeek
index f647edefe2..b02d4011be 100644
--- a/testing/btest/bifs/rotate_file_by_name.bro
+++ b/testing/btest/bifs/rotate_file_by_name.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = open("testfile");
 write_file(a, "this is a test\n");
diff --git a/testing/btest/bifs/rstrip.bro b/testing/btest/bifs/rstrip.zeek
similarity index 96%
rename from testing/btest/bifs/rstrip.bro
rename to testing/btest/bifs/rstrip.zeek
index a0695b8107..f99ebd5f8d 100644
--- a/testing/btest/bifs/rstrip.bro
+++ b/testing/btest/bifs/rstrip.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local link_test = "https://www.zeek.org";
 local one_side = "abcdcab";
diff --git a/testing/btest/bifs/safe_shell_quote.zeek b/testing/btest/bifs/safe_shell_quote.zeek
new file mode 100644
index 0000000000..9f43fe4089
--- /dev/null
+++ b/testing/btest/bifs/safe_shell_quote.zeek
@@ -0,0 +1,12 @@
+#
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+ {
+ local a = "echo `pwd` ${TEST} > \"my file\"; echo -e \"\\n\"";
+ print a;
+
+ local b = safe_shell_quote(a);
+ print b;
+ }
diff --git a/testing/btest/bifs/same_object.bro b/testing/btest/bifs/same_object.zeek
similarity index 93%
rename from testing/btest/bifs/same_object.bro
rename to testing/btest/bifs/same_object.zeek
index dddfd80d3d..8e38912f58 100644
--- a/testing/btest/bifs/same_object.bro
+++ b/testing/btest/bifs/same_object.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "This is a test";
 local b: string;
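Review bot: The new safe_shell_quote test only snapshots whatever the function currently prints, so a regression that leaves a shell metacharacter unquoted would still pass once the baseline is regenerated, and the input string never contains a single-quote character, which is the case most likely to break a quoting routine if the implementation wraps its argument in single quotes (the implementation is not visible here). Consider adding a second input such as `local c = "it's a 'test'";` followed by `print safe_shell_quote(c);` so the baseline covers that edge. A stronger check would round-trip the quoted value through `system()` with a `printf '%s'` into a file that btest-diff compares against the original, which proves the string survives a shell unchanged rather than merely pinning its current form; the sibling str_shell_escape test further down has the same limitation.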
diff --git a/testing/btest/bifs/sort.bro b/testing/btest/bifs/sort.zeek
similarity index 98%
rename from testing/btest/bifs/sort.bro
rename to testing/btest/bifs/sort.zeek
index 2ddb44b8be..2f3789c8a9 100644
--- a/testing/btest/bifs/sort.bro
+++ b/testing/btest/bifs/sort.zeek
@@ -20,7 +20,7 @@ function myfunc2(a: double, b: double): int
 return 1;
 }
-event bro_init()
+event zeek_init()
 {
 # Tests without supplying a comparison function
diff --git a/testing/btest/bifs/sort_string_array.bro b/testing/btest/bifs/sort_string_array.zeek
similarity index 93%
rename from testing/btest/bifs/sort_string_array.bro
rename to testing/btest/bifs/sort_string_array.zeek
index 1916f93d0c..3d3949d89b 100644
--- a/testing/btest/bifs/sort_string_array.bro
+++ b/testing/btest/bifs/sort_string_array.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a: string_array = { [1] = "this", [2] = "is", [3] = "a", [4] = "test"
diff --git a/testing/btest/bifs/split.bro b/testing/btest/bifs/split.zeek
similarity index 98%
rename from testing/btest/bifs/split.bro
rename to testing/btest/bifs/split.zeek
index b117844645..2485c3af1f 100644
--- a/testing/btest/bifs/split.bro
+++ b/testing/btest/bifs/split.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "this is a test";
 local pat = /hi|es/;
diff --git a/testing/btest/bifs/split_string.bro b/testing/btest/bifs/split_string.zeek
similarity index 98%
rename from testing/btest/bifs/split_string.bro
rename to testing/btest/bifs/split_string.zeek
index e4d32b7f73..2f67921a04 100644
--- a/testing/btest/bifs/split_string.bro
+++ b/testing/btest/bifs/split_string.zeek
@@ -8,7 +8,7 @@ function print_string_vector(v: string_vec)
 print v[i];
 }
-event bro_init()
+event zeek_init()
 {
 local a = "this is a test";
 local pat = /hi|es/;
diff --git a/testing/btest/bifs/str_shell_escape.bro b/testing/btest/bifs/str_shell_escape.zeek
similarity index 91%
rename from testing/btest/bifs/str_shell_escape.bro
rename to testing/btest/bifs/str_shell_escape.zeek
index e631458bc1..9079ef3953 100644
--- a/testing/btest/bifs/str_shell_escape.bro
+++ b/testing/btest/bifs/str_shell_escape.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "echo ${TEST} > \"my file\"";
diff --git a/testing/btest/bifs/strcmp.bro b/testing/btest/bifs/strcmp.zeek
similarity index 91%
rename from testing/btest/bifs/strcmp.bro
rename to testing/btest/bifs/strcmp.zeek
index 92d0430f1d..6893656e69 100644
--- a/testing/btest/bifs/strcmp.bro
+++ b/testing/btest/bifs/strcmp.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "this";
 local b = "testing";
diff --git a/testing/btest/bifs/strftime.bro b/testing/btest/bifs/strftime.zeek
similarity index 94%
rename from testing/btest/bifs/strftime.bro
rename to testing/btest/bifs/strftime.zeek
index 3d9e388c90..8a9f42d8b3 100644
--- a/testing/btest/bifs/strftime.bro
+++ b/testing/btest/bifs/strftime.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local f1 = "%Y-%m-%d %H:%M:%S";
 local f2 = "%H%M%S %Y%m%d";
diff --git a/testing/btest/bifs/string_fill.bro b/testing/btest/bifs/string_fill.zeek
similarity index 93%
rename from testing/btest/bifs/string_fill.bro
rename to testing/btest/bifs/string_fill.zeek
index 0968215cc0..81a447ed47 100644
--- a/testing/btest/bifs/string_fill.bro
+++ b/testing/btest/bifs/string_fill.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "test ";
diff --git a/testing/btest/bifs/string_to_pattern.bro b/testing/btest/bifs/string_to_pattern.zeek
similarity index 94%
rename from testing/btest/bifs/string_to_pattern.bro
rename to testing/btest/bifs/string_to_pattern.zeek
index 4bd04bbcea..089cc3c557 100644
--- a/testing/btest/bifs/string_to_pattern.bro
+++ b/testing/btest/bifs/string_to_pattern.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 print string_to_pattern("foo", F);
 print string_to_pattern("", F);
diff --git a/testing/btest/bifs/strip.bro b/testing/btest/bifs/strip.zeek
similarity index 94%
rename from testing/btest/bifs/strip.bro
rename to testing/btest/bifs/strip.zeek
index e508f20e3d..ae80811a30 100644
--- a/testing/btest/bifs/strip.bro
+++ b/testing/btest/bifs/strip.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = " this is a test ";
 local b = "";
diff --git a/testing/btest/bifs/strptime.bro b/testing/btest/bifs/strptime.zeek
similarity index 89%
rename from testing/btest/bifs/strptime.bro
rename to testing/btest/bifs/strptime.zeek
index 215299b300..c8f57b1dfc 100644
--- a/testing/btest/bifs/strptime.bro
+++ b/testing/btest/bifs/strptime.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out 2>&1
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 print strptime("%Y-%m-%d", "2012-10-19");
 print strptime("%m", "1980-10-24");
diff --git a/testing/btest/bifs/strstr.bro b/testing/btest/bifs/strstr.zeek
similarity index 90%
rename from testing/btest/bifs/strstr.bro
rename to testing/btest/bifs/strstr.zeek
index 40cd8aa5fd..75a362375a 100644
--- a/testing/btest/bifs/strstr.bro
+++ b/testing/btest/bifs/strstr.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "this is a test";
 local b = "his";
diff --git a/testing/btest/bifs/sub.bro b/testing/btest/bifs/sub.zeek
similarity index 90%
rename from testing/btest/bifs/sub.bro
rename to testing/btest/bifs/sub.zeek
index 773530ac74..f83113ad19 100644
--- a/testing/btest/bifs/sub.bro
+++ b/testing/btest/bifs/sub.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "this is a test";
 local pat = /is|ss/;
diff --git a/testing/btest/bifs/subnet_to_addr.bro b/testing/btest/bifs/subnet_to_addr.zeek
similarity index 100%
rename from testing/btest/bifs/subnet_to_addr.bro
rename to testing/btest/bifs/subnet_to_addr.zeek
diff --git a/testing/btest/bifs/subnet_version.bro b/testing/btest/bifs/subnet_version.zeek
similarity index 100%
rename from testing/btest/bifs/subnet_version.bro
rename to testing/btest/bifs/subnet_version.zeek
diff --git a/testing/btest/bifs/subst_string.bro b/testing/btest/bifs/subst_string.zeek
similarity index 90%
rename from testing/btest/bifs/subst_string.bro
rename to testing/btest/bifs/subst_string.zeek
index 6ebed72321..186ca7f921 100644
--- a/testing/btest/bifs/subst_string.bro
+++ b/testing/btest/bifs/subst_string.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "this is another test";
 local b = "is";
diff --git a/testing/btest/bifs/system.bro b/testing/btest/bifs/system.zeek
similarity index 88%
rename from testing/btest/bifs/system.bro
rename to testing/btest/bifs/system.zeek
index bd27fc3db5..e488601ee5 100644
--- a/testing/btest/bifs/system.bro
+++ b/testing/btest/bifs/system.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = system("echo thistest > out");
 if ( a != 0 )
diff --git a/testing/btest/bifs/system_env.bro b/testing/btest/bifs/system_env.zeek
similarity index 96%
rename from testing/btest/bifs/system_env.bro
rename to testing/btest/bifs/system_env.zeek
index cfe4e7dd2a..beece2e2c6 100644
--- a/testing/btest/bifs/system_env.bro
+++ b/testing/btest/bifs/system_env.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT
 # @TEST-EXEC: btest-diff testfile
-event bro_init()
+event zeek_init()
 {
 local vars: table[string] of string = { ["TESTBRO"] = "helloworld" };
diff --git a/testing/btest/bifs/to_addr.bro b/testing/btest/bifs/to_addr.zeek
similarity index 100%
rename from testing/btest/bifs/to_addr.bro
rename to testing/btest/bifs/to_addr.zeek
diff --git a/testing/btest/bifs/to_count.bro b/testing/btest/bifs/to_count.zeek
similarity index 97%
rename from testing/btest/bifs/to_count.bro
rename to testing/btest/bifs/to_count.zeek
index 8de8c5c674..dc87fe94b9 100644
--- a/testing/btest/bifs/to_count.bro
+++ b/testing/btest/bifs/to_count.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a: int = -2;
 print int_to_count(a);
diff --git a/testing/btest/bifs/to_double.bro b/testing/btest/bifs/to_double.zeek
similarity index 95%
rename from testing/btest/bifs/to_double.bro
rename to testing/btest/bifs/to_double.zeek
index b6fb9917a7..b2d2d65f4d 100644
--- a/testing/btest/bifs/to_double.bro
+++ b/testing/btest/bifs/to_double.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = 1 usec;
 print interval_to_double(a);
diff --git a/testing/btest/bifs/to_double_from_string.bro b/testing/btest/bifs/to_double_from_string.zeek
similarity index 100%
rename from testing/btest/bifs/to_double_from_string.bro
rename to testing/btest/bifs/to_double_from_string.zeek
diff --git a/testing/btest/bifs/to_int.bro b/testing/btest/bifs/to_int.zeek
similarity index 90%
rename from testing/btest/bifs/to_int.bro
rename to testing/btest/bifs/to_int.zeek
index e65a555cc4..fe7d530835 100644
--- a/testing/btest/bifs/to_int.bro
+++ b/testing/btest/bifs/to_int.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 print to_int("1");
 print to_int("-1");
diff --git a/testing/btest/bifs/to_interval.bro b/testing/btest/bifs/to_interval.zeek
similarity index 90%
rename from testing/btest/bifs/to_interval.bro
rename to testing/btest/bifs/to_interval.zeek
index 71d73fed62..b877cedacc 100644
--- a/testing/btest/bifs/to_interval.bro
+++ b/testing/btest/bifs/to_interval.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = 1234563.14;
 print double_to_interval(a);
diff --git a/testing/btest/bifs/to_port.bro b/testing/btest/bifs/to_port.zeek
similarity index 96%
rename from testing/btest/bifs/to_port.bro
rename to testing/btest/bifs/to_port.zeek
index b2289b8a21..9c53de7297 100644
--- a/testing/btest/bifs/to_port.bro
+++ b/testing/btest/bifs/to_port.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 print to_port("123/tcp");
 print to_port("123/udp");
diff --git a/testing/btest/bifs/to_subnet.bro b/testing/btest/bifs/to_subnet.zeek
similarity index 100%
rename from testing/btest/bifs/to_subnet.bro
rename to testing/btest/bifs/to_subnet.zeek
diff --git a/testing/btest/bifs/to_time.bro b/testing/btest/bifs/to_time.zeek
similarity index 90%
rename from testing/btest/bifs/to_time.bro
rename to testing/btest/bifs/to_time.zeek
index d5a81b0934..b286d92ea4 100644
--- a/testing/btest/bifs/to_time.bro
+++ b/testing/btest/bifs/to_time.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = 1234563.14;
 print double_to_time(a);
diff --git a/testing/btest/bifs/topk.bro b/testing/btest/bifs/topk.zeek
similarity index 99%
rename from testing/btest/bifs/topk.bro
rename to testing/btest/bifs/topk.zeek
index 1e650335a7..06246da4ac 100644
--- a/testing/btest/bifs/topk.bro
+++ b/testing/btest/bifs/topk.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff .stderr
-event bro_init()
+event zeek_init()
 {
 local k1 = topk_init(2);
diff --git a/testing/btest/bifs/type_name.bro b/testing/btest/bifs/type_name.zeek
similarity index 97%
rename from testing/btest/bifs/type_name.bro
rename to testing/btest/bifs/type_name.zeek
index f331fe6aa9..6f9f9c6f32 100644
--- a/testing/btest/bifs/type_name.bro
+++ b/testing/btest/bifs/type_name.zeek
@@ -9,7 +9,7 @@ type myrecord: record {
 s: string;
 };
-event bro_init()
+event zeek_init()
 {
 local a = "foo";
 local b = 3;
@@ -69,5 +69,5 @@ event bro_init()
 print type_name(y); # result is "file of string" which is a bit odd;
 # we should remove the (apparently unused) type argument
 # from files.
-print type_name(bro_init);
+print type_name(zeek_init);
 }
diff --git a/testing/btest/bifs/unique_id-pools.bro b/testing/btest/bifs/unique_id-pools.zeek
similarity index 87%
rename from testing/btest/bifs/unique_id-pools.bro
rename to testing/btest/bifs/unique_id-pools.zeek
index abdc4b22ba..ba31485dc3 100644
--- a/testing/btest/bifs/unique_id-pools.bro
+++ b/testing/btest/bifs/unique_id-pools.zeek
@@ -3,7 +3,7 @@
 # @TEST-EXEC: bro order_base | sort >out.2
 # @TEST-EXEC: cmp out.1 out.2
-@TEST-START-FILE order_rand.bro
+@TEST-START-FILE order_rand.zeek
 print unique_id("A-");
 print unique_id_from(5, "E-");
@@ -14,7 +14,7 @@ print unique_id_from(5, "F-");
 @TEST-END-FILE
-@TEST-START-FILE order_base.bro
+@TEST-START-FILE order_base.zeek
 print unique_id("A-");
 print unique_id("B-");
diff --git a/testing/btest/bifs/unique_id-rnd.bro b/testing/btest/bifs/unique_id-rnd.zeek
similarity index 100%
rename from testing/btest/bifs/unique_id-rnd.bro
rename to testing/btest/bifs/unique_id-rnd.zeek
diff --git a/testing/btest/bifs/unique_id.bro b/testing/btest/bifs/unique_id.zeek
similarity index 100%
rename from testing/btest/bifs/unique_id.bro
rename to testing/btest/bifs/unique_id.zeek
diff --git a/testing/btest/bifs/uuid_to_string.bro b/testing/btest/bifs/uuid_to_string.zeek
similarity index 89%
rename from testing/btest/bifs/uuid_to_string.bro
rename to testing/btest/bifs/uuid_to_string.zeek
index dc84f349fa..2df9d2f0f0 100644
--- a/testing/btest/bifs/uuid_to_string.bro
+++ b/testing/btest/bifs/uuid_to_string.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local a = "\xfe\x80abcdefg0123456";
 print uuid_to_string(a);
diff --git a/testing/btest/bifs/val_size.bro b/testing/btest/bifs/val_size.zeek
similarity index 92%
rename from testing/btest/bifs/val_size.bro
rename to testing/btest/bifs/val_size.zeek
index 57b512b776..8757bde285 100644
--- a/testing/btest/bifs/val_size.bro
+++ b/testing/btest/bifs/val_size.zeek
@@ -1,7 +1,7 @@
 #
 # @TEST-EXEC: bro -b %INPUT
-event bro_init()
+event zeek_init()
 {
 local a = T;
 local b = 12;
diff --git a/testing/btest/bifs/x509_verify.bro b/testing/btest/bifs/x509_verify.zeek
similarity index 100%
rename from testing/btest/bifs/x509_verify.bro
rename to testing/btest/bifs/x509_verify.zeek
diff --git a/testing/btest/broker/connect-on-retry.bro b/testing/btest/broker/connect-on-retry.zeek
similarity index 90%
rename from testing/btest/broker/connect-on-retry.bro
rename to testing/btest/broker/connect-on-retry.zeek
index 56e479b7ea..ac5caffb69 100644
--- a/testing/btest/broker/connect-on-retry.bro
+++ b/testing/btest/broker/connect-on-retry.zeek
@@ -1,13 +1,13 @@
 # @TEST-PORT: BROKER_PORT
 #
-# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out"
 #
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
 # Using btest's environment settings for connect/listen retry of 1sec.
 redef exit_only_after_terminate = T;
@@ -16,7 +16,7 @@ global event_count = 0;
 global ping: event(msg: string, c: count);
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::auto_publish("bro/event/my_topic", ping);
@@ -49,7 +49,7 @@ event pong(msg: string, n: count)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
 redef exit_only_after_terminate = T;
@@ -65,7 +65,7 @@ event delayed_listen()
 Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 }
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::auto_publish("bro/event/my_topic", pong);
diff --git a/testing/btest/broker/disconnect.bro b/testing/btest/broker/disconnect.zeek
similarity index 80%
rename from testing/btest/broker/disconnect.bro
rename to testing/btest/broker/disconnect.zeek
index 08d80f0441..7b4d2f7540 100644
--- a/testing/btest/broker/disconnect.bro
+++ b/testing/btest/broker/disconnect.zeek
@@ -1,18 +1,18 @@
 # @TEST-PORT: BROKER_PORT
-# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out"
 # @TEST-EXEC: $SCRIPTS/wait-for-pid $(cat recv/.pid) 45 || (btest-bg-wait -k 1 && false)
-# @TEST-EXEC: btest-bg-run recv2 "bro -B broker -b ../recv.bro >recv2.out"
+# @TEST-EXEC: btest-bg-run recv2 "bro -B broker -b ../recv.zeek >recv2.out"
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff send/send.out
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff recv2/recv2.out
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
 redef exit_only_after_terminate = T;
@@ -24,7 +24,7 @@ event my_event(i: count)
 print "sender got event", i;
 }
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe(test_topic);
 Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
@@ -48,7 +48,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
 redef exit_only_after_terminate = T;
@@ -60,7 +60,7 @@ event my_event(i: count)
 terminate();
 }
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe(test_topic);
 Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
diff --git a/testing/btest/broker/error.bro b/testing/btest/broker/error.zeek
similarity index 85%
rename from testing/btest/broker/error.bro
rename to testing/btest/broker/error.zeek
index aa413ea2ac..e6b902e6bb 100644
--- a/testing/btest/broker/error.bro
+++ b/testing/btest/broker/error.zeek
@@ -1,8 +1,8 @@
-# @TEST-EXEC: bro -B main-loop,broker -b send.bro >send.out
+# @TEST-EXEC: bro -B main-loop,broker -b send.zeek >send.out
 # @TEST-EXEC: btest-diff send.out
 #
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
 redef exit_only_after_terminate = T;
@@ -27,7 +27,7 @@ event Broker::error(code: Broker::ErrorCode, msg: string)
 print "error", code, msg;
 }
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
diff --git a/testing/btest/broker/remote_event.bro b/testing/btest/broker/remote_event.zeek
similarity index 90%
rename from testing/btest/broker/remote_event.bro
rename to testing/btest/broker/remote_event.zeek
index a9e22ec25f..b160506f8f 100644
--- a/testing/btest/broker/remote_event.bro
+++ b/testing/btest/broker/remote_event.zeek
@@ -1,13 +1,13 @@
 # @TEST-PORT: BROKER_PORT
 #
-# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out"
 #
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
 redef exit_only_after_terminate = T;
@@ -15,7 +15,7 @@ global event_count = 0;
 global ping: event(msg: string, c: count);
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
@@ -53,7 +53,7 @@ event pong(msg: string, n: count)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
 redef exit_only_after_terminate = T;
@@ -64,7 +64,7 @@ global auto_handler: event(msg: string, c: count);
 global pong: event(msg: string, c: count);
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
diff --git a/testing/btest/broker/remote_event_any.bro b/testing/btest/broker/remote_event_any.zeek
similarity index 91%
rename from testing/btest/broker/remote_event_any.bro
rename to testing/btest/broker/remote_event_any.zeek
index b45e5017ef..b4df830195 100644
--- a/testing/btest/broker/remote_event_any.bro
+++ b/testing/btest/broker/remote_event_any.zeek
@@ -1,13 +1,13 @@
 # @TEST-PORT: BROKER_PORT
 #
-# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out"
 #
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
 redef exit_only_after_terminate = T;
@@ -15,7 +15,7 @@ global event_count = 0;
 global ping: event(msg: string, c: any);
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
@@ -56,7 +56,7 @@ event pong(msg: string, n: any)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
 redef exit_only_after_terminate = T;
@@ -67,7 +67,7 @@ global auto_handler: event(msg: string, c: count);
 global pong: event(msg: string, c: any);
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
diff --git a/testing/btest/broker/remote_event_auto.bro b/testing/btest/broker/remote_event_auto.zeek
similarity index 90%
rename from testing/btest/broker/remote_event_auto.bro
rename to testing/btest/broker/remote_event_auto.zeek
index 04570b9e6d..dde153d2ad 100644
--- a/testing/btest/broker/remote_event_auto.bro
+++ b/testing/btest/broker/remote_event_auto.zeek
@@ -1,13 +1,13 @@
 # @TEST-PORT: BROKER_PORT
 #
-# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b ../send.zeek >send.out"
 #
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
 redef exit_only_after_terminate = T;
@@ -15,7 +15,7 @@ global event_count = 0;
 global ping: event(msg: string, c: count);
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::auto_publish("bro/event/my_topic", ping);
@@ -48,7 +48,7 @@ event pong(msg: string, n: count)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
 redef exit_only_after_terminate = T;
@@ -59,7 +59,7 @@ global auto_handler: event(msg: string, c: count);
 global pong: event(msg: string, c: count);
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::auto_publish("bro/event/my_topic", pong);
diff --git a/testing/btest/broker/remote_event_ssl_auth.bro b/testing/btest/broker/remote_event_ssl_auth.zeek
similarity index 97%
rename from testing/btest/broker/remote_event_ssl_auth.bro
rename to testing/btest/broker/remote_event_ssl_auth.zeek
index 2422638416..3e80a98b1e 100644
--- a/testing/btest/broker/remote_event_ssl_auth.bro
+++ b/testing/btest/broker/remote_event_ssl_auth.zeek
@@ -1,7 +1,7 @@
 # @TEST-PORT: BROKER_PORT
 #
-# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out"
 #
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
@@ -162,7 +162,7 @@ vq+Zqu15QV9T4BVWKHv0
 -----END CERTIFICATE-----
 @TEST-END-FILE
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
 redef exit_only_after_terminate = T;
@@ -174,7 +174,7 @@ global event_count = 0;
 global ping: event(msg: string, c: count);
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
@@ -210,7 +210,7 @@ event pong(msg: string, n: count)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
 redef exit_only_after_terminate = T;
@@ -225,7 +225,7 @@ global auto_handler: event(msg: string, c: count);
 global pong: event(msg: string, c: count);
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
diff --git a/testing/btest/broker/remote_event_vector_any.bro b/testing/btest/broker/remote_event_vector_any.zeek
similarity index 86%
rename from testing/btest/broker/remote_event_vector_any.bro
rename to testing/btest/broker/remote_event_vector_any.zeek
index 6f03d97c56..93f667791d 100644
--- a/testing/btest/broker/remote_event_vector_any.bro
+++ b/testing/btest/broker/remote_event_vector_any.zeek
@@ -1,12 +1,12 @@
 # @TEST-PORT: BROKER_PORT
 #
-# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out"
 #
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
 redef exit_only_after_terminate = T;
@@ -20,7 +20,7 @@ type myrec: record {
 global bar: event(x: any);
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("test");
 Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
@@ -41,7 +41,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
 redef exit_only_after_terminate = T;
@@ -91,7 +91,7 @@ event bar(x: any)
 process(x);
 }
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("test");
 Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
diff --git a/testing/btest/broker/remote_id.bro b/testing/btest/broker/remote_id.zeek
similarity index 80%
rename from testing/btest/broker/remote_id.bro
rename to testing/btest/broker/remote_id.zeek
index 62cddb9f25..a41675e5e8 100644
--- a/testing/btest/broker/remote_id.bro
+++ b/testing/btest/broker/remote_id.zeek
@@ -1,16 +1,16 @@
 # @TEST-PORT: BROKER_PORT
 #
-# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro test_var=newval >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek test_var=newval >send.out"
 #
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
 const test_var = "init" &redef;
-event bro_init()
+event zeek_init()
 {
 Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
 }
@@ -29,7 +29,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
 const test_var = "init" &redef;
@@ -44,7 +44,7 @@ event check_var()
 }
 }
-event bro_init()
+event zeek_init()
 {
 print "intial val", test_var;
 Broker::subscribe("bro/ids");
diff --git a/testing/btest/broker/remote_log.bro b/testing/btest/broker/remote_log.zeek
similarity index 79%
rename from testing/btest/broker/remote_log.bro
rename to testing/btest/broker/remote_log.zeek
index dae89d42b2..2ab5d71343 100644
--- a/testing/btest/broker/remote_log.bro
+++ b/testing/btest/broker/remote_log.zeek
@@ -1,7 +1,7 @@
 # @TEST-PORT: BROKER_PORT
-# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out"
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
@@ -9,7 +9,7 @@
 # @TEST-EXEC: btest-diff send/send.out
 # @TEST-EXEC: btest-diff send/test.log
-@TEST-START-FILE common.bro
+@TEST-START-FILE common.zeek
 redef exit_only_after_terminate = T;
@@ -25,7 +25,7 @@ export {
 };
 }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 {
 Log::create_stream(Test::LOG, [$columns=Test::Info]);
 }
@@ -37,12 +37,12 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
-@load ./common.bro
+@load ./common
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/");
 Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
@@ -55,13 +55,13 @@ event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string)
 @TEST-END-FILE
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
-@load ./common.bro
+@load ./common
-event bro_init()
+event zeek_init()
 {
 Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
 }
diff --git a/testing/btest/broker/remote_log_late_join.bro b/testing/btest/broker/remote_log_late_join.zeek
similarity index 82%
rename from testing/btest/broker/remote_log_late_join.bro
rename to testing/btest/broker/remote_log_late_join.zeek
index aea7846996..c199c19dcf 100644
--- a/testing/btest/broker/remote_log_late_join.bro
+++ b/testing/btest/broker/remote_log_late_join.zeek
@@ -1,7 +1,7 @@
 # @TEST-PORT: BROKER_PORT
-# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b ../send.zeek >send.out"
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
@@ -9,7 +9,7 @@
 # @TEST-EXEC: btest-diff send/send.out
 # @TEST-EXEC: btest-diff send/test.log
-@TEST-START-FILE common.bro
+@TEST-START-FILE common.zeek
 redef exit_only_after_terminate = T;
@@ -25,7 +25,7 @@ export {
 };
 }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 {
 Log::create_stream(Test::LOG, [$columns=Test::Info]);
 }
@@ -37,12 +37,12 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
-@load ./common.bro
+@load ./common
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/");
 Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
@@ -55,11 +55,11 @@ event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string)
 @TEST-END-FILE
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
-@load ./common.bro
+@load ./common
 event doconnect()
 {
@@ -68,7 +68,7 @@ event doconnect()
 global n = 0;
-event bro_init()
+event zeek_init()
 {
 schedule 2secs { doconnect() };
 Log::write(Test::LOG, [$msg = "ping", $num = n]);
diff --git a/testing/btest/broker/remote_log_types.bro b/testing/btest/broker/remote_log_types.zeek
similarity index 87%
rename from testing/btest/broker/remote_log_types.bro
rename to testing/btest/broker/remote_log_types.zeek
index 8bbc66eaa2..153c1c27b3 100644
--- a/testing/btest/broker/remote_log_types.bro
+++ b/testing/btest/broker/remote_log_types.zeek
@@ -1,7 +1,7 @@
 # @TEST-PORT: BROKER_PORT
-# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b ../send.zeek >send.out"
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
@@ -12,7 +12,7 @@
 # @TEST-EXEC: cat recv/test.log | grep -v '#close' | grep -v '#open' >recv/test.log.filtered
 # @TEST-EXEC: diff -u send/test.log.filtered recv/test.log.filtered
-@TEST-START-FILE common.bro
+@TEST-START-FILE common.zeek
 redef exit_only_after_terminate = T;
@@ -47,18 +47,18 @@ export {
 }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 {
 Log::create_stream(Test::LOG, [$columns=Test::Info]);
 }
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
-@load ./common.bro
+@load ./common
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/");
 Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
@@ -71,13 +71,13 @@ event quit_receiver()
 @TEST-END-FILE
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
-@load ./common.bro
+@load ./common
-event bro_init()
+event zeek_init()
 {
 Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
 }
diff --git a/testing/btest/broker/ssl_auth_failure.bro b/testing/btest/broker/ssl_auth_failure.zeek
similarity index 96%
rename from testing/btest/broker/ssl_auth_failure.bro
rename to testing/btest/broker/ssl_auth_failure.zeek
index bc90d86298..737a8deccc 100644
--- a/testing/btest/broker/ssl_auth_failure.bro
+++ b/testing/btest/broker/ssl_auth_failure.zeek
@@ -1,7 +1,7 @@
 # @TEST-PORT: BROKER_PORT
 #
-# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.zeek >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.zeek >send.out"
 #
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
@@ -86,7 +86,7 @@ BTdqMbieumB/zL97iK5baHUFEJ4VRtLQhh/SOXgew/BF8ccpilI=
 -----END RSA PRIVATE KEY-----
 @TEST-END-FILE
-@TEST-START-FILE send.bro
+@TEST-START-FILE send.zeek
 redef exit_only_after_terminate = T;
@@ -103,7 +103,7 @@ event do_terminate()
 terminate();
 }
-event bro_init()
+event zeek_init()
 {
 Broker::subscribe("bro/event/my_topic");
 Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
@@ -130,7 +130,7 @@ event Broker::error(code: Broker::ErrorCode, msg: string)
 @TEST-END-FILE
-@TEST-START-FILE recv.bro
+@TEST-START-FILE recv.zeek
 redef exit_only_after_terminate = T;
@@ -145,7 +145,7 @@ event do_terminate()
 terminate();
 }
-event bro_init()
+event zeek_init()
 {
 Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 schedule 10secs { do_terminate() };
diff --git a/testing/btest/broker/store/clone.bro b/testing/btest/broker/store/clone.zeek
similarity index 95%
rename from testing/btest/broker/store/clone.bro
rename to testing/btest/broker/store/clone.zeek
index 5620303410..2d68380ba1 100644
--- a/testing/btest/broker/store/clone.bro
+++ b/testing/btest/broker/store/clone.zeek
@@ -1,13 +1,13 @@
 # @TEST-PORT: BROKER_PORT
 #
-# @TEST-EXEC: btest-bg-run clone "bro -B broker -b ../clone-main.bro >clone.out"
-# @TEST-EXEC: btest-bg-run master "bro -B broker -b ../master-main.bro >master.out"
+# @TEST-EXEC: btest-bg-run clone "bro -B broker -b ../clone-main.zeek >clone.out"
+# @TEST-EXEC: btest-bg-run master "bro -B broker -b ../master-main.zeek >master.out"
 #
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff clone/clone.out
 # @TEST-EXEC: btest-diff master/master.out
-@TEST-START-FILE master-main.bro
+@TEST-START-FILE master-main.zeek
 redef exit_only_after_terminate = T;
 global query_timeout = 1sec;
@@ -48,7 +48,7 @@ event inserted()
 schedule 6secs { done() };
 }
-event bro_init()
+event zeek_init()
 {
 Broker::auto_publish("bro/events", done);
 Broker::subscribe("bro/");
@@ -75,7 +75,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 @TEST-END-FILE
-@TEST-START-FILE clone-main.bro
+@TEST-START-FILE clone-main.zeek
 redef exit_only_after_terminate = T;
@@ -129,7 +129,7 @@ event lookup(stage: count)
 schedule 4sec { done() };
 }
-event bro_init()
+event zeek_init()
 {
 Broker::auto_publish("bro/events", inserted);
 Broker::subscribe("bro/");
diff --git a/testing/btest/broker/store/local.bro b/testing/btest/broker/store/local.zeek
similarity index 97%
rename from testing/btest/broker/store/local.bro
rename to testing/btest/broker/store/local.zeek
index b352df93f2..1846d8c2c3 100644
--- a/testing/btest/broker/store/local.bro
+++ b/testing/btest/broker/store/local.zeek
@@ -13,7 +13,7 @@ event done()
 terminate();
 }
-event bro_init()
+event zeek_init()
 {
 h = Broker::create_master("master");
 Broker::put(h, "one", "110");
diff --git a/testing/btest/broker/store/ops.bro b/testing/btest/broker/store/ops.zeek
similarity index 99%
rename from testing/btest/broker/store/ops.bro
rename to testing/btest/broker/store/ops.zeek
index 070a0f2ed3..4e89f365bf 100644
--- a/testing/btest/broker/store/ops.bro
+++ b/testing/btest/broker/store/ops.zeek
@@ -83,7 +83,7 @@ event pk1()
 schedule 1sec { pk2() };
 }
-event bro_init()
+event zeek_init()
 {
 h = Broker::create_master("master");
 Broker::put(h, "one", "110");
diff --git a/testing/btest/broker/store/record.bro b/testing/btest/broker/store/record.zeek
similarity index 98%
rename from testing/btest/broker/store/record.bro
rename to testing/btest/broker/store/record.zeek
index ab862012a6..62ee4735ba 100644
--- a/testing/btest/broker/store/record.bro
+++ b/testing/btest/broker/store/record.zeek
@@ -8,7 +8,7 @@ type R: record {
 c: count;
 };
-event bro_init()
+event zeek_init()
 {
 local cr = Broker::record_create(3);
 print Broker::record_size(cr);
diff --git a/testing/btest/broker/store/set.bro b/testing/btest/broker/store/set.zeek
similarity index 98%
rename from testing/btest/broker/store/set.bro
rename to testing/btest/broker/store/set.zeek
index 056b46e221..c2524cec6a 100644
--- a/testing/btest/broker/store/set.bro
+++ b/testing/btest/broker/store/set.zeek
@@ -3,7 +3,7 @@
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out
-event bro_init()
+event zeek_init()
 {
 local cs = Broker::set_create();
diff --git a/testing/btest/broker/store/sqlite.bro b/testing/btest/broker/store/sqlite.zeek
similarity index 98%
rename from testing/btest/broker/store/sqlite.bro
rename to testing/btest/broker/store/sqlite.zeek
index fbce1a693a..8adde597f5 100644
--- a/testing/btest/broker/store/sqlite.bro
+++ b/testing/btest/broker/store/sqlite.zeek
@@ -27,7 +27,7 @@ event done()
 terminate();
 }
-event bro_init()
+event zeek_init()
 {
 h = Broker::create_master("master", Broker::SQLITE);
diff --git a/testing/btest/broker/store/table.bro b/testing/btest/broker/store/table.zeek
similarity index 98%
rename from testing/btest/broker/store/table.bro
rename to testing/btest/broker/store/table.zeek
index 11bd00028b..6fdf7615a6 100644
--- a/testing/btest/broker/store/table.bro
+++ b/testing/btest/broker/store/table.zeek
@@ -3,7 +3,7 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out -event bro_init() +event zeek_init() { local ct = Broker::table_create(); diff --git a/testing/btest/broker/store/type-conversion.bro b/testing/btest/broker/store/type-conversion.zeek similarity index 99% rename from testing/btest/broker/store/type-conversion.bro rename to testing/btest/broker/store/type-conversion.zeek index c92c1ea4c9..fa9e16d587 100644 --- a/testing/btest/broker/store/type-conversion.bro +++ b/testing/btest/broker/store/type-conversion.zeek @@ -11,7 +11,7 @@ type R2: record { r1: R1; }; -event bro_init() +event zeek_init() { ### Print every broker data type print Broker::data_type(Broker::data(T)); diff --git a/testing/btest/broker/store/vector.bro b/testing/btest/broker/store/vector.zeek similarity index 98% rename from testing/btest/broker/store/vector.bro rename to testing/btest/broker/store/vector.zeek index 7edc4ba050..7c44640334 100644 --- a/testing/btest/broker/store/vector.bro +++ b/testing/btest/broker/store/vector.zeek @@ -3,7 +3,7 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out -event bro_init() +event zeek_init() { local cv = Broker::vector_create(); print Broker::vector_size(cv); diff --git a/testing/btest/broker/unpeer.bro b/testing/btest/broker/unpeer.zeek similarity index 87% rename from testing/btest/broker/unpeer.bro rename to testing/btest/broker/unpeer.zeek index b591815955..b03d53925e 100644 --- a/testing/btest/broker/unpeer.bro +++ b/testing/btest/broker/unpeer.zeek @@ -1,7 +1,7 @@ # @TEST-PORT: BROKER_PORT # -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.zeek >send.out" # # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out 
@@ -12,7 +12,7 @@ # @TEST-EXEC: btest-diff recv/broker.filtered.log # @TEST-EXEC: btest-diff send/broker.filtered.log -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; @@ -34,7 +34,7 @@ event unpeer(endpoint: Broker::EndpointInfo) schedule 4secs { do_terminate() }; } -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::auto_publish("bro/event/my_topic", print_something); @@ -51,7 +51,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; @@ -65,7 +65,7 @@ event print_something(i: int) print "Something receiver", i; } -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); diff --git a/testing/btest/core/bits_per_uid.bro b/testing/btest/core/bits_per_uid.zeek similarity index 100% rename from testing/btest/core/bits_per_uid.bro rename to testing/btest/core/bits_per_uid.zeek diff --git a/testing/btest/core/cisco-fabric-path.bro b/testing/btest/core/cisco-fabric-path.zeek similarity index 100% rename from testing/btest/core/cisco-fabric-path.bro rename to testing/btest/core/cisco-fabric-path.zeek diff --git a/testing/btest/core/conn-size-threshold.bro b/testing/btest/core/conn-size-threshold.zeek similarity index 100% rename from testing/btest/core/conn-size-threshold.bro rename to testing/btest/core/conn-size-threshold.zeek diff --git a/testing/btest/core/conn-uid.bro b/testing/btest/core/conn-uid.zeek similarity index 100% rename from testing/btest/core/conn-uid.bro rename to testing/btest/core/conn-uid.zeek diff --git a/testing/btest/core/connection_flip_roles.bro b/testing/btest/core/connection_flip_roles.zeek similarity index 100% rename from testing/btest/core/connection_flip_roles.bro rename to testing/btest/core/connection_flip_roles.zeek 
diff --git a/testing/btest/core/discarder.bro b/testing/btest/core/discarder.zeek similarity index 84% rename from testing/btest/core/discarder.bro rename to testing/btest/core/discarder.zeek index 9e8f5e7a2f..454d5a0de1 100644 --- a/testing/btest/core/discarder.bro +++ b/testing/btest/core/discarder.zeek @@ -1,12 +1,12 @@ -# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-ip.bro >output -# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-tcp.bro >>output -# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-udp.bro >>output -# @TEST-EXEC: bro -b -C -r $TRACES/icmp/icmp-destunreach-udp.pcap discarder-icmp.bro >>output +# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-ip.zeek >output +# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-tcp.zeek >>output +# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-udp.zeek >>output +# @TEST-EXEC: bro -b -C -r $TRACES/icmp/icmp-destunreach-udp.pcap discarder-icmp.zeek >>output # @TEST-EXEC: btest-diff output -@TEST-START-FILE discarder-ip.bro +@TEST-START-FILE discarder-ip.zeek -event bro_init() +event zeek_init() { print "################ IP Discarder ################"; } @@ -26,9 +26,9 @@ event new_packet(c: connection, p: pkt_hdr) @TEST-END-FILE -@TEST-START-FILE discarder-tcp.bro +@TEST-START-FILE discarder-tcp.zeek -event bro_init() +event zeek_init() { print "################ TCP Discarder ################"; } @@ -48,9 +48,9 @@ event new_packet(c: connection, p: pkt_hdr) @TEST-END-FILE -@TEST-START-FILE discarder-udp.bro +@TEST-START-FILE discarder-udp.zeek -event bro_init() +event zeek_init() { print "################ UDP Discarder ################"; } @@ -70,9 +70,9 @@ event new_packet(c: connection, p: pkt_hdr) @TEST-END-FILE -@TEST-START-FILE discarder-icmp.bro +@TEST-START-FILE discarder-icmp.zeek -event bro_init() +event zeek_init() { print "################ ICMP Discarder ################"; } 
diff --git a/testing/btest/core/div-by-zero.bro b/testing/btest/core/div-by-zero.zeek similarity index 96% rename from testing/btest/core/div-by-zero.bro rename to testing/btest/core/div-by-zero.zeek index d1221638d6..da06569c2f 100644 --- a/testing/btest/core/div-by-zero.bro +++ b/testing/btest/core/div-by-zero.zeek @@ -26,7 +26,7 @@ event mod_count(a: count, b: count) print a % b; } -event bro_init() +event zeek_init() { event div_int(10, 0); event div_count(10, 0); diff --git a/testing/btest/core/dns-init.bro b/testing/btest/core/dns-init.zeek similarity index 100% rename from testing/btest/core/dns-init.bro rename to testing/btest/core/dns-init.zeek diff --git a/testing/btest/core/embedded-null.bro b/testing/btest/core/embedded-null.zeek similarity index 86% rename from testing/btest/core/embedded-null.bro rename to testing/btest/core/embedded-null.zeek index 95a4c965a9..c85da21541 100644 --- a/testing/btest/core/embedded-null.bro +++ b/testing/btest/core/embedded-null.zeek @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -b %INPUT 2>&1 # @TEST-EXEC: btest-diff .stdout -event bro_init() +event zeek_init() { local a = "hi\x00there"; unique_id(a); diff --git a/testing/btest/core/enum-redef-exists.bro b/testing/btest/core/enum-redef-exists.zeek similarity index 100% rename from testing/btest/core/enum-redef-exists.bro rename to testing/btest/core/enum-redef-exists.zeek diff --git a/testing/btest/core/erspan.bro b/testing/btest/core/erspan.zeek similarity index 100% rename from testing/btest/core/erspan.bro rename to testing/btest/core/erspan.zeek diff --git a/testing/btest/core/erspanII.bro b/testing/btest/core/erspanII.zeek similarity index 100% rename from testing/btest/core/erspanII.bro rename to testing/btest/core/erspanII.zeek diff --git a/testing/btest/core/erspanIII.bro b/testing/btest/core/erspanIII.zeek similarity index 100% rename from testing/btest/core/erspanIII.bro rename to testing/btest/core/erspanIII.zeek 
diff --git a/testing/btest/core/ether-addrs.bro b/testing/btest/core/ether-addrs.zeek similarity index 100% rename from testing/btest/core/ether-addrs.bro rename to testing/btest/core/ether-addrs.zeek diff --git a/testing/btest/core/event-arg-reuse.bro b/testing/btest/core/event-arg-reuse.zeek similarity index 94% rename from testing/btest/core/event-arg-reuse.bro rename to testing/btest/core/event-arg-reuse.zeek index ba8e0f0677..3ad5f82cab 100644 --- a/testing/btest/core/event-arg-reuse.bro +++ b/testing/btest/core/event-arg-reuse.zeek @@ -14,7 +14,7 @@ event f(a: int) &priority=-5 print "f2", a; } -event bro_init() +event zeek_init() { event f(1); } diff --git a/testing/btest/core/expr-exception.bro b/testing/btest/core/expr-exception.zeek similarity index 100% rename from testing/btest/core/expr-exception.bro rename to testing/btest/core/expr-exception.zeek diff --git a/testing/btest/core/fake_dns.bro b/testing/btest/core/fake_dns.zeek similarity index 97% rename from testing/btest/core/fake_dns.bro rename to testing/btest/core/fake_dns.zeek index f4d8c46777..f5cd4d2067 100644 --- a/testing/btest/core/fake_dns.bro +++ b/testing/btest/core/fake_dns.zeek @@ -19,7 +19,7 @@ function check_terminate() terminate(); } -event bro_init() +event zeek_init() { print addrs; diff --git a/testing/btest/core/file-caching-serialization.test b/testing/btest/core/file-caching-serialization.test index 7ff1d8be8d..c6edeb55c2 100644 --- a/testing/btest/core/file-caching-serialization.test +++ b/testing/btest/core/file-caching-serialization.test @@ -42,7 +42,7 @@ event file_opened(f: file) print f, "opened"; } -event bro_init() +event zeek_init() { for ( i in iterations ) write_to_file(iterations[i]); diff --git a/testing/btest/core/global_opaque_val.bro b/testing/btest/core/global_opaque_val.zeek similarity index 92% rename from testing/btest/core/global_opaque_val.bro rename to testing/btest/core/global_opaque_val.zeek index 84087d8295..0232271ced 100644 
--- a/testing/btest/core/global_opaque_val.bro +++ b/testing/btest/core/global_opaque_val.zeek @@ -3,7 +3,7 @@ global test = md5_hash_init(); -event bro_init() +event zeek_init() { md5_hash_update(test, "one"); md5_hash_update(test, "two"); diff --git a/testing/btest/core/history-flip.bro b/testing/btest/core/history-flip.zeek similarity index 100% rename from testing/btest/core/history-flip.bro rename to testing/btest/core/history-flip.zeek diff --git a/testing/btest/core/icmp/icmp_sent.bro b/testing/btest/core/icmp/icmp_sent.zeek similarity index 100% rename from testing/btest/core/icmp/icmp_sent.bro rename to testing/btest/core/icmp/icmp_sent.zeek diff --git a/testing/btest/core/init-error.bro b/testing/btest/core/init-error.zeek similarity index 78% rename from testing/btest/core/init-error.bro rename to testing/btest/core/init-error.zeek index c415ca16b1..858fad4eb1 100644 --- a/testing/btest/core/init-error.bro +++ b/testing/btest/core/init-error.zeek @@ -3,19 +3,19 @@ # @TEST-EXEC-FAIL: unset ZEEK_ALLOW_INIT_ERRORS && bro -b %INPUT >out 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out -event bro_init() &priority=10 +event zeek_init() &priority=10 { print "1st event"; } -event bro_init() &priority=10 +event zeek_init() &priority=10 { print "2nd event"; local v = vector(1, 2, 3); print v[10]; } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { print "3rd event"; } diff --git a/testing/btest/core/ip-broken-header.bro b/testing/btest/core/ip-broken-header.zeek similarity index 87% rename from testing/btest/core/ip-broken-header.bro rename to testing/btest/core/ip-broken-header.zeek index 426e7a7bc0..a539628829 100644 --- a/testing/btest/core/ip-broken-header.bro +++ b/testing/btest/core/ip-broken-header.zeek 
@@ -4,4 +4,4 @@ # @TEST-EXEC: gunzip -c $TRACES/trunc/mpls-6in6-broken.pcap.gz | bro -C -b -r - %INPUT # @TEST-EXEC: btest-diff weird.log -@load base/frameworks/notice/weird.bro +@load base/frameworks/notice/weird diff --git a/testing/btest/core/leaks/basic-cluster.bro b/testing/btest/core/leaks/basic-cluster.zeek similarity index 97% rename from testing/btest/core/leaks/basic-cluster.bro rename to testing/btest/core/leaks/basic-cluster.zeek index fa73fb9a96..e186b7aa43 100644 --- a/testing/btest/core/leaks/basic-cluster.bro +++ b/testing/btest/core/leaks/basic-cluster.zeek @@ -12,7 +12,7 @@ # @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro -m %INPUT # @TEST-EXEC: btest-bg-wait 60 -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], @@ -24,7 +24,7 @@ redef Log::default_rotation_interval = 0secs; global n = 0; -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE)]; SumStats::create([$name="test", @@ -48,7 +48,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) global ready_for_data: event(); -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, ready_for_data); } diff --git a/testing/btest/core/leaks/bloomfilter.bro b/testing/btest/core/leaks/bloomfilter.zeek similarity index 100% rename from testing/btest/core/leaks/bloomfilter.bro rename to testing/btest/core/leaks/bloomfilter.zeek 
diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.zeek similarity index 92% rename from testing/btest/core/leaks/broker/clone_store.bro rename to testing/btest/core/leaks/broker/clone_store.zeek index 68235c7bab..a1f1256551 100644 --- a/testing/btest/core/leaks/broker/clone_store.bro +++ b/testing/btest/core/leaks/broker/clone_store.zeek @@ -2,13 +2,13 @@ # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro >clone.out" -# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro >master.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.zeek >clone.out" +# @TEST-EXEC: btest-bg-run master "bro -b ../master.zeek >master.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out -@TEST-START-FILE master.bro +@TEST-START-FILE master.zeek redef exit_only_after_terminate = T; global query_timeout = 1sec; @@ -49,7 +49,7 @@ event inserted() schedule 2secs { done() }; } -event bro_init() +event zeek_init() { Broker::auto_publish("bro/events", done); Broker::subscribe("bro/"); @@ -76,7 +76,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE clone.bro +@TEST-START-FILE clone.zeek redef exit_only_after_terminate = T; @@ -127,7 +127,7 @@ event done() terminate(); } -event bro_init() +event zeek_init() { Broker::auto_publish("bro/events", inserted); Broker::subscribe("bro/"); diff --git a/testing/btest/core/leaks/broker/data.bro b/testing/btest/core/leaks/broker/data.zeek similarity index 100% rename from testing/btest/core/leaks/broker/data.bro rename to testing/btest/core/leaks/broker/data.zeek 
diff --git a/testing/btest/core/leaks/broker/master_store.bro b/testing/btest/core/leaks/broker/master_store.zeek similarity index 99% rename from testing/btest/core/leaks/broker/master_store.bro rename to testing/btest/core/leaks/broker/master_store.zeek index 583f80413b..08919bb461 100644 --- a/testing/btest/core/leaks/broker/master_store.bro +++ b/testing/btest/core/leaks/broker/master_store.zeek @@ -85,7 +85,7 @@ event pk1() schedule 1sec { pk2() }; } -event bro_init() +event zeek_init() { h = Broker::create_master("master"); Broker::put(h, "one", "110"); diff --git a/testing/btest/core/leaks/broker/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test index 5000bd98d7..9983f7871d 100644 --- a/testing/btest/core/leaks/broker/remote_event.test +++ b/testing/btest/core/leaks/broker/remote_event.test @@ -2,21 +2,21 @@ # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro >recv.out" -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro >send.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.zeek >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek redef exit_only_after_terminate = T; global event_handler: event(msg: string, c: count); global auto_event_handler: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/"); Broker::auto_publish("bro/event/my_topic", auto_event_handler); 
@@ -43,14 +43,14 @@ event event_handler(msg: string, n: count) @TEST-END-FILE -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek redef exit_only_after_terminate = T; global event_handler: event(msg: string, c: count); global auto_event_handler: event(msg: string, c: count); -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/my_topic"); Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")), 1secs); diff --git a/testing/btest/core/leaks/broker/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test index 12abc1a313..21d387b15f 100644 --- a/testing/btest/core/leaks/broker/remote_log.test +++ b/testing/btest/core/leaks/broker/remote_log.test @@ -2,8 +2,8 @@ # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro >recv.out" -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro >send.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.zeek >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out @@ -11,7 +11,7 @@ # @TEST-EXEC: btest-diff send/send.out # @TEST-EXEC: btest-diff send/test.log -@TEST-START-FILE common.bro +@TEST-START-FILE common.zeek redef exit_only_after_terminate = T; @@ -27,7 +27,7 @@ export { }; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(Test::LOG, [$columns=Test::Info]); } @@ -39,11 +39,11 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek -@load ./common.bro +@load ./common -event bro_init() +event zeek_init() { Broker::subscribe("bro/"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); 
@@ -56,11 +56,11 @@ event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string) @TEST-END-FILE -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek -@load ./common.bro +@load ./common -event bro_init() +event zeek_init() { Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT"))); } diff --git a/testing/btest/core/leaks/dns-nsec3.bro b/testing/btest/core/leaks/dns-nsec3.zeek similarity index 100% rename from testing/btest/core/leaks/dns-nsec3.bro rename to testing/btest/core/leaks/dns-nsec3.zeek diff --git a/testing/btest/core/leaks/dns-txt.bro b/testing/btest/core/leaks/dns-txt.zeek similarity index 100% rename from testing/btest/core/leaks/dns-txt.bro rename to testing/btest/core/leaks/dns-txt.zeek diff --git a/testing/btest/core/leaks/dns.bro b/testing/btest/core/leaks/dns.zeek similarity index 100% rename from testing/btest/core/leaks/dns.bro rename to testing/btest/core/leaks/dns.zeek diff --git a/testing/btest/core/leaks/dtls.bro b/testing/btest/core/leaks/dtls.zeek similarity index 100% rename from testing/btest/core/leaks/dtls.bro rename to testing/btest/core/leaks/dtls.zeek diff --git a/testing/btest/core/leaks/exec.test b/testing/btest/core/leaks/exec.test index 4cc8240012..ec4eb0d75f 100644 --- a/testing/btest/core/leaks/exec.test +++ b/testing/btest/core/leaks/exec.test @@ -4,10 +4,10 @@ # # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b ../exectest.bro +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b ../exectest.zeek # @TEST-EXEC: btest-bg-wait 60 -@TEST-START-FILE exectest.bro +@TEST-START-FILE exectest.zeek @load base/utils/exec redef exit_only_after_terminate = T; @@ -31,7 +31,7 @@ function test_cmd(label: string, cmd: Exec::Command) } } -event bro_init() +event zeek_init() { test_cmd("test1", [$cmd="bash ../somescript.sh", $read_files=set("out1", "out2")]); 
diff --git a/testing/btest/core/leaks/file-analysis-http-get.bro b/testing/btest/core/leaks/file-analysis-http-get.zeek similarity index 95% rename from testing/btest/core/leaks/file-analysis-http-get.bro rename to testing/btest/core/leaks/file-analysis-http-get.zeek index 29aa6535a3..960a510137 100644 --- a/testing/btest/core/leaks/file-analysis-http-get.bro +++ b/testing/btest/core/leaks/file-analysis-http-get.zeek @@ -4,7 +4,7 @@ # # @TEST-GROUP: leaks # -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT # @TEST-EXEC: btest-bg-wait 60 redef test_file_analysis_source = "HTTP"; diff --git a/testing/btest/core/leaks/hll_cluster.bro b/testing/btest/core/leaks/hll_cluster.zeek similarity index 97% rename from testing/btest/core/leaks/hll_cluster.bro rename to testing/btest/core/leaks/hll_cluster.zeek index e565778fbc..40f964ad3a 100644 --- a/testing/btest/core/leaks/hll_cluster.bro +++ b/testing/btest/core/leaks/hll_cluster.zeek @@ -17,7 +17,7 @@ # @TEST-EXEC: btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff worker-2/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], @@ -31,7 +31,7 @@ global hll_data: event(data: opaque of cardinality); @if ( Cluster::local_node_type() == Cluster::WORKER ) -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::manager_topic, hll_data); } 
@@ -94,7 +94,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) global result_count = 0; global hll: opaque of cardinality; -event bro_init() +event zeek_init() { hll = hll_cardinality_init(0.01, 0.95); } diff --git a/testing/btest/core/leaks/hook.bro b/testing/btest/core/leaks/hook.zeek similarity index 100% rename from testing/btest/core/leaks/hook.bro rename to testing/btest/core/leaks/hook.zeek diff --git a/testing/btest/core/leaks/http-connect.bro b/testing/btest/core/leaks/http-connect.zeek similarity index 100% rename from testing/btest/core/leaks/http-connect.bro rename to testing/btest/core/leaks/http-connect.zeek diff --git a/testing/btest/core/leaks/input-basic.bro b/testing/btest/core/leaks/input-basic.zeek similarity index 98% rename from testing/btest/core/leaks/input-basic.bro rename to testing/btest/core/leaks/input-basic.zeek index 2f2ecf802d..177cbc5e26 100644 --- a/testing/btest/core/leaks/input-basic.bro +++ b/testing/btest/core/leaks/input-basic.zeek @@ -50,7 +50,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/core/leaks/input-errors.bro b/testing/btest/core/leaks/input-errors.zeek similarity index 99% rename from testing/btest/core/leaks/input-errors.bro rename to testing/btest/core/leaks/input-errors.zeek index 589579779f..93a143c8d5 100644 --- a/testing/btest/core/leaks/input-errors.bro +++ b/testing/btest/core/leaks/input-errors.zeek @@ -152,7 +152,7 @@ event kill_me() terminate(); } -event bro_init() +event zeek_init() { outfile = open("out"); Input::add_event([$source="input.log", $name="file", $fields=FileVal, $ev=line_file, $want_record=T]); 
diff --git a/testing/btest/core/leaks/input-missing-enum.bro b/testing/btest/core/leaks/input-missing-enum.zeek similarity index 97% rename from testing/btest/core/leaks/input-missing-enum.bro rename to testing/btest/core/leaks/input-missing-enum.zeek index 9037e15ed0..5f931a35f3 100644 --- a/testing/btest/core/leaks/input-missing-enum.bro +++ b/testing/btest/core/leaks/input-missing-enum.zeek @@ -26,7 +26,7 @@ type Val: record { global etable: table[int] of Log::ID = table(); -event bro_init() +event zeek_init() { # first read in the old stuff into the table... Input::add_table([$source="../input.log", $name="enum", $idx=Idx, $val=Val, $destination=etable, $want_record=F]); diff --git a/testing/btest/core/leaks/input-optional-event.bro b/testing/btest/core/leaks/input-optional-event.zeek similarity index 98% rename from testing/btest/core/leaks/input-optional-event.bro rename to testing/btest/core/leaks/input-optional-event.zeek index ca141e1c4e..df8d591769 100644 --- a/testing/btest/core/leaks/input-optional-event.bro +++ b/testing/btest/core/leaks/input-optional-event.zeek @@ -50,7 +50,7 @@ event servers(desc: Input::EventDescription, tpe: Input::Event, item: Val) print outfile, item; } -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/core/leaks/input-optional-table.bro b/testing/btest/core/leaks/input-optional-table.zeek similarity index 98% rename from testing/btest/core/leaks/input-optional-table.bro rename to testing/btest/core/leaks/input-optional-table.zeek index 95871b1516..f3e4c05fb4 100644 --- a/testing/btest/core/leaks/input-optional-table.bro +++ b/testing/btest/core/leaks/input-optional-table.zeek @@ -50,7 +50,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... 
diff --git a/testing/btest/core/leaks/input-raw.bro b/testing/btest/core/leaks/input-raw.zeek similarity index 98% rename from testing/btest/core/leaks/input-raw.bro rename to testing/btest/core/leaks/input-raw.zeek index 608ea25030..39ab13adfd 100644 --- a/testing/btest/core/leaks/input-raw.bro +++ b/testing/btest/core/leaks/input-raw.zeek @@ -63,7 +63,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/core/leaks/input-reread.bro b/testing/btest/core/leaks/input-reread.zeek similarity index 99% rename from testing/btest/core/leaks/input-reread.bro rename to testing/btest/core/leaks/input-reread.zeek index 8b6295c15d..c15a91a6aa 100644 --- a/testing/btest/core/leaks/input-reread.bro +++ b/testing/btest/core/leaks/input-reread.zeek @@ -118,7 +118,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print outfile, right; } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/core/leaks/input-sqlite.bro b/testing/btest/core/leaks/input-sqlite.zeek similarity index 99% rename from testing/btest/core/leaks/input-sqlite.bro rename to testing/btest/core/leaks/input-sqlite.zeek index ae1df163c8..d278a00533 100644 --- a/testing/btest/core/leaks/input-sqlite.bro +++ b/testing/btest/core/leaks/input-sqlite.zeek @@ -87,7 +87,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, r: Conn::Inf print outfile, |r$tunnel_parents|; # to make sure I got empty right } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["query"] = "select * from conn;", 
diff --git a/testing/btest/core/leaks/input-with-remove.bro b/testing/btest/core/leaks/input-with-remove.zeek similarity index 98% rename from testing/btest/core/leaks/input-with-remove.bro rename to testing/btest/core/leaks/input-with-remove.zeek index ba58d7b2f6..59e3f28c0a 100644 --- a/testing/btest/core/leaks/input-with-remove.bro +++ b/testing/btest/core/leaks/input-with-remove.zeek @@ -52,7 +52,7 @@ event do_term() { terminate(); } -event bro_init() { +event zeek_init() { schedule 1sec { do() }; diff --git a/testing/btest/core/leaks/kv-iteration.zeek b/testing/btest/core/leaks/kv-iteration.zeek new file mode 100644 index 0000000000..5c7a9f1f62 --- /dev/null +++ b/testing/btest/core/leaks/kv-iteration.zeek @@ -0,0 +1,22 @@ +# @TEST-GROUP: leaks +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: btest-bg-wait 60 + +event new_connection(c: connection) + { + local t: table[count] of string = table(); + t[1] = "hello"; + t[55] = "goodbye"; + + for (key, value in t) + print key, value; + + local tkk: table[string, string] of count = table(); + tkk["hello", "world"] = 1; + tkk["goodbye", "world"] = 55; + + for ([k1, k2], val in tkk) + print k1, k2, val; + } diff --git a/testing/btest/core/leaks/pattern.bro b/testing/btest/core/leaks/pattern.zeek similarity index 100% rename from testing/btest/core/leaks/pattern.bro rename to testing/btest/core/leaks/pattern.zeek diff --git a/testing/btest/core/leaks/returnwhen.bro b/testing/btest/core/leaks/returnwhen.zeek similarity index 88% rename from testing/btest/core/leaks/returnwhen.bro rename to testing/btest/core/leaks/returnwhen.zeek index f5160ef250..1220a3c371 100644 --- a/testing/btest/core/leaks/returnwhen.bro +++ b/testing/btest/core/leaks/returnwhen.zeek @@ -63,7 +63,7 @@ event do_another() } } -event bro_init() +event zeek_init() { local local_dummy = dummyfunc; 
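Review bot: The new file kv-iteration.zeek has no comment saying what it exercises; its header only says how it is run, and the printed values are never compared, so a reader may assume a missing btest-diff. A one-line header after the `@TEST-EXEC` lines, such as `# Exercises key/value table iteration (single-index and multi-index keys) under the heap checker; output is intentionally not diffed.`, would make the intent explicit. Discarding the output is consistent with the other leak tests in this change that use only btest-bg-wait, so the test itself appears fine as written.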
@@ -71,10 +71,10 @@ event bro_init() schedule 1sec { set_flag() }; - when ( local result = async_func("from bro_init()") ) + when ( local result = async_func("from zeek_init()") ) { - print "async_func() return result in bro_init()", result; - print local_dummy("from bro_init() when block"); + print "async_func() return result in zeek_init()", result; + print local_dummy("from zeek_init() when block"); print anon("hi"); if ( result == "timeout" ) terminate(); schedule 10msec { do_another() }; diff --git a/testing/btest/core/leaks/set.bro b/testing/btest/core/leaks/set.zeek similarity index 100% rename from testing/btest/core/leaks/set.bro rename to testing/btest/core/leaks/set.zeek diff --git a/testing/btest/core/leaks/snmp.test b/testing/btest/core/leaks/snmp.test index 4f212d2699..43112eb9bf 100644 --- a/testing/btest/core/leaks/snmp.test +++ b/testing/btest/core/leaks/snmp.test @@ -4,7 +4,7 @@ # # @TEST-GROUP: leaks # -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/snmp/snmpv1_get.pcap -r $TRACES/snmp/snmpv1_get_short.pcap -r $TRACES/snmp/snmpv1_set.pcap -r $TRACES/snmp/snmpv1_trap.pcap -r $TRACES/snmp/snmpv2_get_bulk.pcap -r $TRACES/snmp/snmpv2_get_next.pcap -r $TRACES/snmp/snmpv2_get.pcap -r $TRACES/snmp/snmpv3_get_next.pcap $SCRIPTS/snmp-test.bro %INPUT +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/snmp/snmpv1_get.pcap -r $TRACES/snmp/snmpv1_get_short.pcap -r $TRACES/snmp/snmpv1_set.pcap -r $TRACES/snmp/snmpv1_trap.pcap -r $TRACES/snmp/snmpv2_get_bulk.pcap -r $TRACES/snmp/snmpv2_get_next.pcap -r $TRACES/snmp/snmpv2_get.pcap -r $TRACES/snmp/snmpv3_get_next.pcap $SCRIPTS/snmp-test.zeek %INPUT # @TEST-EXEC: btest-bg-wait 60 @load base/protocols/snmp 
diff --git a/testing/btest/core/leaks/stats.bro b/testing/btest/core/leaks/stats.zeek similarity index 92% rename from testing/btest/core/leaks/stats.bro rename to testing/btest/core/leaks/stats.zeek index a3459fdc93..7df104be95 100644 --- a/testing/btest/core/leaks/stats.bro +++ b/testing/btest/core/leaks/stats.zeek @@ -7,7 +7,7 @@ # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/wikipedia.trace %INPUT # @TEST-EXEC: btest-bg-wait 60 -@load policy/misc/stats.bro +@load policy/misc/stats event load_sample(samples: load_sample_info, CPU: interval, dmem: int) { diff --git a/testing/btest/core/leaks/string-indexing.bro b/testing/btest/core/leaks/string-indexing.zeek similarity index 100% rename from testing/btest/core/leaks/string-indexing.bro rename to testing/btest/core/leaks/string-indexing.zeek diff --git a/testing/btest/core/leaks/switch-statement.bro b/testing/btest/core/leaks/switch-statement.zeek similarity index 100% rename from testing/btest/core/leaks/switch-statement.bro rename to testing/btest/core/leaks/switch-statement.zeek diff --git a/testing/btest/core/leaks/teredo.bro b/testing/btest/core/leaks/teredo.zeek similarity index 100% rename from testing/btest/core/leaks/teredo.bro rename to testing/btest/core/leaks/teredo.zeek diff --git a/testing/btest/core/leaks/test-all.bro b/testing/btest/core/leaks/test-all.zeek similarity index 100% rename from testing/btest/core/leaks/test-all.bro rename to testing/btest/core/leaks/test-all.zeek diff --git a/testing/btest/core/leaks/while.bro b/testing/btest/core/leaks/while.zeek similarity index 100% rename from testing/btest/core/leaks/while.bro rename to testing/btest/core/leaks/while.zeek diff --git a/testing/btest/core/leaks/x509_ocsp_verify.bro b/testing/btest/core/leaks/x509_ocsp_verify.zeek similarity index 100% rename from testing/btest/core/leaks/x509_ocsp_verify.bro rename to testing/btest/core/leaks/x509_ocsp_verify.zeek 
diff --git a/testing/btest/core/leaks/x509_verify.bro b/testing/btest/core/leaks/x509_verify.zeek similarity index 100% rename from testing/btest/core/leaks/x509_verify.bro rename to testing/btest/core/leaks/x509_verify.zeek diff --git a/testing/btest/core/load-duplicates.bro b/testing/btest/core/load-duplicates.zeek similarity index 80% rename from testing/btest/core/load-duplicates.bro rename to testing/btest/core/load-duplicates.zeek index 8c86fbc272..9b3810d40d 100644 --- a/testing/btest/core/load-duplicates.bro +++ b/testing/btest/core/load-duplicates.zeek @@ -3,12 +3,13 @@ # @TEST-EXEC: mkdir -p foo/bar # @TEST-EXEC: echo "@load bar/test" >loader.bro # @TEST-EXEC: cp %INPUT foo/bar/test.bro +# @TEST-EXEC: cp %INPUT foo/bar/test2.bro +# # @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader bar/test # @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader bar/test.bro # @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader foo/bar/test # @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader foo/bar/test.bro # @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader `pwd`/foo/bar/test.bro +# @TEST-EXEC-FAIL: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader bar/test2 -type Test: enum { - TEST, -}; +global pi = 3.14; diff --git a/testing/btest/core/load-explicit-bro-suffix-fallback.zeek b/testing/btest/core/load-explicit-bro-suffix-fallback.zeek new file mode 100644 index 0000000000..689be5bc03 --- /dev/null +++ b/testing/btest/core/load-explicit-bro-suffix-fallback.zeek @@ -0,0 +1,12 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +# We don't have a foo.bro, but we'll accept foo.zeek. +@load foo.bro + +@TEST-START-FILE foo.zeek +event zeek_init() + { + print "loaded foo.zeek"; + } +@TEST-END-FILE diff --git a/testing/btest/core/load-file-extension.zeek b/testing/btest/core/load-file-extension.zeek new file mode 100644 index 0000000000..1b5520c873 
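Review bot: The new `@TEST-EXEC-FAIL: ... loader bar/test2` line in load-duplicates.zeek carries no explanation of why that invocation must fail, and the expected failure is not obvious from the test itself. It appears the intent is that test.bro and test2.bro are byte-identical copies of %INPUT that both define `global pi`, so loading `bar/test2` next to the `bar/test` pulled in by loader.bro is a redefinition error rather than a de-duplicated load — please confirm. A one-line comment above it would make that intent durable: `# test2.bro is a copy of test.bro, so loading both must fail on the duplicate 'pi' definition`. It is also worth a short comment that the helper files deliberately keep the `.bro` suffix even though the test file itself was renamed to `.zeek`, since a later cleanup pass could otherwise "fix" them.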
--- /dev/null
+++ b/testing/btest/core/load-file-extension.zeek
@@ -0,0 +1,89 @@ +# Test loading scripts with different file extensions. +# +# Test that either ".zeek" or ".bro" can be loaded without specifying extension +# @TEST-EXEC: cp x/foo.bro . +# @TEST-EXEC: bro -b load_foo > bro_only +# @TEST-EXEC: btest-diff bro_only +# @TEST-EXEC: rm foo.bro +# +# @TEST-EXEC: cp x/foo.zeek . +# @TEST-EXEC: bro -b load_foo > zeek_only +# @TEST-EXEC: btest-diff zeek_only +# @TEST-EXEC: rm foo.zeek +# +# Test that ".zeek" is the preferred file extension, unless ".bro" is specified +# @TEST-EXEC: cp x/foo.* . +# @TEST-EXEC: cp x2/foo . +# @TEST-EXEC: bro -b load_foo > zeek_preferred +# @TEST-EXEC: btest-diff zeek_preferred +# +# @TEST-EXEC: bro -b load_foo_bro > bro_preferred +# @TEST-EXEC: btest-diff bro_preferred +# @TEST-EXEC: rm foo* +# +# Test that ".bro" is preferred over a script with no file extension (when +# there is no ".zeek" script) +# @TEST-EXEC: cp x/foo.bro . +# @TEST-EXEC: cp x2/foo . +# @TEST-EXEC: bro -b load_foo > bro_preferred_2 +# @TEST-EXEC: btest-diff bro_preferred_2 +# @TEST-EXEC: rm foo* +# +# Test that a script with no file extension can be loaded +# @TEST-EXEC: cp x2/foo . +# @TEST-EXEC: bro -b load_foo > no_extension +# @TEST-EXEC: btest-diff no_extension +# @TEST-EXEC: rm foo +# +# Test that a ".zeek" script is preferred over a script package of same name +# @TEST-EXEC: cp -r x/foo* . +# @TEST-EXEC: bro -b load_foo > zeek_script_preferred +# @TEST-EXEC: btest-diff zeek_script_preferred +# @TEST-EXEC: rm -r foo* +# +# Test that unrecognized file extensions can be loaded explicitly +# @TEST-EXEC: cp x/foo.* . +# @TEST-EXEC: bro -b load_foo_xyz > xyz_preferred +# @TEST-EXEC: btest-diff xyz_preferred +# @TEST-EXEC: rm foo.* +# +# @TEST-EXEC: cp x/foo.xyz . 
+# @TEST-EXEC-FAIL: bro -b load_foo +# @TEST-EXEC: rm foo.xyz + +@TEST-START-FILE load_foo +@load foo +@TEST-END-FILE + +@TEST-START-FILE load_foo_bro +@load foo.bro +@TEST-END-FILE + +@TEST-START-FILE load_foo_xyz +@load foo.xyz +@TEST-END-FILE + + +@TEST-START-FILE x/foo.bro +print "Bro script loaded"; +@TEST-END-FILE + +@TEST-START-FILE x/foo.zeek +print "Zeek script loaded"; +@TEST-END-FILE + +@TEST-START-FILE x/foo.xyz +print "Non-standard file extension script loaded"; +@TEST-END-FILE + +@TEST-START-FILE x/foo/__load__.zeek +@load ./main +@TEST-END-FILE + +@TEST-START-FILE x/foo/main.zeek +print "Script package loaded"; +@TEST-END-FILE + +@TEST-START-FILE x2/foo +print "No file extension script loaded"; +@TEST-END-FILE diff --git a/testing/btest/core/load-pkg.bro b/testing/btest/core/load-pkg.bro deleted file mode 100644 index e6671e038d..0000000000 --- a/testing/btest/core/load-pkg.bro +++ /dev/null @@ -1,10 +0,0 @@ -# @TEST-EXEC: bro -b foo >output -# @TEST-EXEC: btest-diff output - -@TEST-START-FILE foo/__load__.bro -@load ./test.bro -@TEST-END-FILE - -@TEST-START-FILE foo/test.bro -print "Foo loaded"; -@TEST-END-FILE diff --git a/testing/btest/core/load-pkg.zeek b/testing/btest/core/load-pkg.zeek new file mode 100644 index 0000000000..8c861f7982 --- /dev/null +++ b/testing/btest/core/load-pkg.zeek 
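Review bot: The trailing `cp x/foo.xyz .` / `@TEST-EXEC-FAIL: bro -b load_foo` pair in load-file-extension.zeek is the only step in the file without a heading comment, so a reader has to infer that it checks an unrecognized extension is not found by an extension-less `@load`. The surrounding steps all carry a "Test that ..." line; keeping that pattern here, e.g. `# Test that an unrecognized file extension is not picked up by an extension-less @load`, would make the 89-line file consistent. Note also that `rm foo*` and `rm -r foo*` are used interchangeably across the cleanup steps; using `rm -r foo*` only where the `foo/` package directory was copied (as is done) is correct, but a brief comment on that step would prevent someone "normalizing" them.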
@@ -0,0 +1,28 @@ +# Test that package loading works when a package loader script is present. +# +# Test that ".zeek" is loaded when there is also a ".bro" +# @TEST-EXEC: bro -b foo >output +# @TEST-EXEC: btest-diff output +# +# Test that ".bro" is loaded when there is no ".zeek" +# @TEST-EXEC: rm foo/__load__.zeek +# @TEST-EXEC: bro -b foo >output2 +# @TEST-EXEC: btest-diff output2 +# +# Test that package cannot be loaded when no package loader script exists. +# @TEST-EXEC: rm foo/__load__.bro +# @TEST-EXEC-FAIL: bro -b foo + +@TEST-START-FILE foo/__load__.bro +@load ./test +print "__load__.bro loaded"; +@TEST-END-FILE + +@TEST-START-FILE foo/__load__.zeek +@load ./test +print "__load__.zeek loaded"; +@TEST-END-FILE + +@TEST-START-FILE foo/test.zeek +print "test.zeek loaded"; +@TEST-END-FILE diff --git a/testing/btest/core/load-prefixes.bro b/testing/btest/core/load-prefixes.bro deleted file mode 100644 index 1dfc3ac5dd..0000000000 --- a/testing/btest/core/load-prefixes.bro +++ /dev/null @@ -1,25 +0,0 @@ -# A test of prefix-based @load'ing - -# @TEST-EXEC: bro addprefixes >output -# @TEST-EXEC: btest-diff output - -@TEST-START-FILE addprefixes.bro -@prefixes += lcl -@prefixes += lcl2 -@TEST-END-FILE - -@TEST-START-FILE lcl.base.utils.site.bro -print "loaded lcl.base.utils.site.bro"; -@TEST-END-FILE - -@TEST-START-FILE lcl2.base.utils.site.bro -print "loaded lcl2.base.utils.site.bro"; -@TEST-END-FILE - -@TEST-START-FILE lcl.base.protocols.http.bro -print "loaded lcl.base.protocols.http.bro"; -@TEST-END-FILE - -@TEST-START-FILE lcl2.base.protocols.http.bro -print "loaded lcl2.base.protocols.http.bro"; -@TEST-END-FILE diff --git a/testing/btest/core/load-prefixes.zeek b/testing/btest/core/load-prefixes.zeek new file mode 100644 index 0000000000..c91f278a65 --- /dev/null +++ b/testing/btest/core/load-prefixes.zeek 
@@ -0,0 +1,29 @@ +# A test of prefix-based @load'ing + +# @TEST-EXEC: bro addprefixes >output +# @TEST-EXEC: btest-diff output + +@TEST-START-FILE addprefixes.zeek +@prefixes += lcl +@prefixes += lcl2 +@TEST-END-FILE + +# Since base/utils/site.zeek is a script, only a script with the original file +# extension can be loaded here. +@TEST-START-FILE lcl.base.utils.site.zeek +print "loaded lcl.base.utils.site.zeek"; +@TEST-END-FILE + +@TEST-START-FILE lcl2.base.utils.site.zeek +print "loaded lcl2.base.utils.site.zeek"; +@TEST-END-FILE + +# For a script package like base/protocols/http/, either of the recognized +# file extensions can be loaded here. +@TEST-START-FILE lcl.base.protocols.http.zeek +print "loaded lcl.base.protocols.http.zeek"; +@TEST-END-FILE + +@TEST-START-FILE lcl2.base.protocols.http.bro +print "loaded lcl2.base.protocols.http.bro"; +@TEST-END-FILE diff --git a/testing/btest/core/load-relative.bro b/testing/btest/core/load-relative.zeek similarity index 74% rename from testing/btest/core/load-relative.bro rename to testing/btest/core/load-relative.zeek index 3bd082cf8a..439563c201 100644 --- a/testing/btest/core/load-relative.bro +++ b/testing/btest/core/load-relative.zeek @@ -3,16 +3,16 @@ # @TEST-EXEC: bro -b foo/foo >output # @TEST-EXEC: btest-diff output -@TEST-START-FILE foo/foo.bro +@TEST-START-FILE foo/foo.zeek @load ./bar @load ../baz print "foo loaded"; @TEST-END-FILE -@TEST-START-FILE foo/bar.bro +@TEST-START-FILE foo/bar.zeek print "bar loaded"; @TEST-END-FILE -@TEST-START-FILE baz.bro +@TEST-START-FILE baz.zeek print "baz loaded"; @TEST-END-FILE diff --git a/testing/btest/core/load-unload.bro b/testing/btest/core/load-unload.bro deleted file mode 100644 index 6525a8e8ea..0000000000 --- a/testing/btest/core/load-unload.bro +++ /dev/null 
@@ -1,11 +0,0 @@ -# This tests the @unload directive -# -# @TEST-EXEC: bro -b %INPUT misc/loaded-scripts dontloadmebro > output -# @TEST-EXEC: btest-diff output -# @TEST-EXEC: grep -q dontloadmebro loaded_scripts.log && exit 1 || exit 0 - -@unload dontloadmebro - -@TEST-START-FILE dontloadmebro.bro -print "FAIL"; -@TEST-END-FILE diff --git a/testing/btest/core/load-unload.zeek b/testing/btest/core/load-unload.zeek new file mode 100644 index 0000000000..6b2614a50c --- /dev/null +++ b/testing/btest/core/load-unload.zeek @@ -0,0 +1,32 @@ +# This tests the @unload directive +# +# Test that @unload works with ".bro" when there is no ".zeek" script +# @TEST-EXEC: bro -b unloadbro misc/loaded-scripts dontloadmebro > output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: grep dontloadmebro loaded_scripts.log && exit 1 || exit 0 +# +# Test that @unload looks for ".zeek" first (assuming no file extension is +# specified in the @unload) +# @TEST-EXEC: bro -b unload misc/loaded-scripts dontloadme.zeek dontloadme.bro > output2 +# @TEST-EXEC: btest-diff output2 +# @TEST-EXEC: grep dontloadme.bro loaded_scripts.log + +@TEST-START-FILE unloadbro.bro +@unload dontloadmebro +@TEST-END-FILE + +@TEST-START-FILE dontloadmebro.bro +print "Loaded: dontloadmebro.bro"; +@TEST-END-FILE + +@TEST-START-FILE unload.zeek +@unload dontloadme +@TEST-END-FILE + +@TEST-START-FILE dontloadme.zeek +print "Loaded: dontloadme.zeek"; +@TEST-END-FILE + +@TEST-START-FILE dontloadme.bro +print "Loaded: dontloadme.bro"; +@TEST-END-FILE diff --git a/testing/btest/core/mpls-in-vlan.bro b/testing/btest/core/mpls-in-vlan.zeek similarity index 100% rename from testing/btest/core/mpls-in-vlan.bro rename to testing/btest/core/mpls-in-vlan.zeek diff --git a/testing/btest/core/nflog.zeek b/testing/btest/core/nflog.zeek new file mode 100644 index 0000000000..39186bbbea --- /dev/null +++ b/testing/btest/core/nflog.zeek 
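Review bot: The two `grep` checks in the new load-unload.zeek drop the `-q` that the deleted load-unload.bro had and treat the script name as a regex, so a match prints into the test's stdout and `dontloadme.bro` would also match e.g. `dontloadme-bro`. Fixed-string, quiet matching keeps the intent and is tighter: `# @TEST-EXEC: ! grep -qF dontloadmebro loaded_scripts.log` for the negative check and `# @TEST-EXEC: grep -qF dontloadme.bro loaded_scripts.log` for the positive one. If the `&& exit 1 || exit 0` form is preferred for readability, it still benefits from `-qF`.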
@@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -C -r $TRACES/nflog-http.pcap %INPUT +# @TEST-EXEC: btest-diff http.log + +@load base/protocols/http diff --git a/testing/btest/core/nop.bro b/testing/btest/core/nop.zeek similarity index 100% rename from testing/btest/core/nop.bro rename to testing/btest/core/nop.zeek diff --git a/testing/btest/core/old_comm_usage.bro b/testing/btest/core/old_comm_usage.zeek similarity index 89% rename from testing/btest/core/old_comm_usage.bro rename to testing/btest/core/old_comm_usage.zeek index 0e9ae2f1f6..8f4e3854aa 100644 --- a/testing/btest/core/old_comm_usage.bro +++ b/testing/btest/core/old_comm_usage.zeek @@ -1,7 +1,7 @@ # @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out -event bro_init() +event zeek_init() { terminate_communication(); } diff --git a/testing/btest/core/option-errors.bro b/testing/btest/core/option-errors.zeek similarity index 100% rename from testing/btest/core/option-errors.bro rename to testing/btest/core/option-errors.zeek diff --git a/testing/btest/core/option-priorities.bro b/testing/btest/core/option-priorities.zeek similarity index 97% rename from testing/btest/core/option-priorities.bro rename to testing/btest/core/option-priorities.zeek index fd352a5459..088d82ea9f 100644 --- a/testing/btest/core/option-priorities.bro +++ b/testing/btest/core/option-priorities.zeek @@ -16,7 +16,7 @@ function option_changed_two(ID: string, new_value: bool, location: string): bool return T; } -event bro_init() +event zeek_init() { print "Old value", testbool; Option::set_change_handler("testbool", option_changed); diff --git a/testing/btest/core/option-redef.bro b/testing/btest/core/option-redef.zeek similarity index 93% rename from testing/btest/core/option-redef.bro rename to testing/btest/core/option-redef.zeek index 3d67a9a755..30d381306a 100644 --- a/testing/btest/core/option-redef.bro +++ b/testing/btest/core/option-redef.zeek 
@@ -9,7 +9,7 @@ redef testopt = 6; option anotheropt = 6; redef anotheropt = 7; -event bro_init() { +event zeek_init() { print testopt; print anotheropt; } diff --git a/testing/btest/core/option-runtime-errors.bro b/testing/btest/core/option-runtime-errors.zeek similarity index 100% rename from testing/btest/core/option-runtime-errors.bro rename to testing/btest/core/option-runtime-errors.zeek diff --git a/testing/btest/core/pcap/dumper.bro b/testing/btest/core/pcap/dumper.zeek similarity index 100% rename from testing/btest/core/pcap/dumper.bro rename to testing/btest/core/pcap/dumper.zeek diff --git a/testing/btest/core/pcap/dynamic-filter.bro b/testing/btest/core/pcap/dynamic-filter.zeek similarity index 96% rename from testing/btest/core/pcap/dynamic-filter.bro rename to testing/btest/core/pcap/dynamic-filter.zeek index c1b48155c1..caebaf0558 100644 --- a/testing/btest/core/pcap/dynamic-filter.bro +++ b/testing/btest/core/pcap/dynamic-filter.zeek @@ -21,7 +21,7 @@ event new_packet(c: connection, p: pkt_hdr) print "error 4"; } -event bro_init() +event zeek_init() { if ( ! Pcap::precompile_pcap_filter(A, "port 80") ) print "error 1"; diff --git a/testing/btest/core/pcap/filter-error.bro b/testing/btest/core/pcap/filter-error.zeek similarity index 96% rename from testing/btest/core/pcap/filter-error.bro rename to testing/btest/core/pcap/filter-error.zeek index 10270ed53f..b83b8879a0 100644 --- a/testing/btest/core/pcap/filter-error.bro +++ b/testing/btest/core/pcap/filter-error.zeek @@ -7,7 +7,7 @@ redef enum PcapFilterID += { A }; -event bro_init() +event zeek_init() { if ( ! Pcap::precompile_pcap_filter(A, "kaputt, too") ) print "error", Pcap::error(); diff --git a/testing/btest/core/pcap/input-error.bro b/testing/btest/core/pcap/input-error.zeek similarity index 95% rename from testing/btest/core/pcap/input-error.bro rename to testing/btest/core/pcap/input-error.zeek index 44788b3391..5e469e08e8 100644 --- a/testing/btest/core/pcap/input-error.bro 
+++ b/testing/btest/core/pcap/input-error.zeek @@ -5,7 +5,7 @@ redef enum PcapFilterID += { A }; -event bro_init() +event zeek_init() { if ( ! Pcap::precompile_pcap_filter(A, "kaputt, too") ) print "error", Pcap::error(); diff --git a/testing/btest/core/pcap/pseudo-realtime.bro b/testing/btest/core/pcap/pseudo-realtime.zeek similarity index 97% rename from testing/btest/core/pcap/pseudo-realtime.bro rename to testing/btest/core/pcap/pseudo-realtime.zeek index 625706f321..c51b5cc32b 100644 --- a/testing/btest/core/pcap/pseudo-realtime.bro +++ b/testing/btest/core/pcap/pseudo-realtime.zeek @@ -31,7 +31,7 @@ event new_packet(c: connection, p: pkt_hdr) # print fmt("num=%d agg_delta_network=%.1f agg_delta_real=%.1f", cnt, an, ac); } -event bro_done() +event zeek_done() { local d = (an - ac); if ( d < 0 secs) diff --git a/testing/btest/core/pcap/read-trace-with-filter.bro b/testing/btest/core/pcap/read-trace-with-filter.zeek similarity index 100% rename from testing/btest/core/pcap/read-trace-with-filter.bro rename to testing/btest/core/pcap/read-trace-with-filter.zeek diff --git a/testing/btest/core/pppoe-over-qinq.bro b/testing/btest/core/pppoe-over-qinq.zeek similarity index 100% rename from testing/btest/core/pppoe-over-qinq.bro rename to testing/btest/core/pppoe-over-qinq.zeek diff --git a/testing/btest/core/print-bpf-filters.bro b/testing/btest/core/print-bpf-filters.zeek similarity index 100% rename from testing/btest/core/print-bpf-filters.bro rename to testing/btest/core/print-bpf-filters.zeek diff --git a/testing/btest/core/q-in-q.bro b/testing/btest/core/q-in-q.zeek similarity index 100% rename from testing/btest/core/q-in-q.bro rename to testing/btest/core/q-in-q.zeek diff --git a/testing/btest/core/radiotap.bro b/testing/btest/core/radiotap.zeek similarity index 100% rename from testing/btest/core/radiotap.bro rename to testing/btest/core/radiotap.zeek 
diff --git a/testing/btest/core/raw_packet.bro b/testing/btest/core/raw_packet.zeek similarity index 100% rename from testing/btest/core/raw_packet.bro rename to testing/btest/core/raw_packet.zeek diff --git a/testing/btest/core/reassembly.bro b/testing/btest/core/reassembly.zeek similarity index 97% rename from testing/btest/core/reassembly.bro rename to testing/btest/core/reassembly.zeek index 30cfaa727e..53489008de 100644 --- a/testing/btest/core/reassembly.bro +++ b/testing/btest/core/reassembly.zeek @@ -5,7 +5,7 @@ # @TEST-EXEC: bro -C -r $TRACES/tcp/reassembly.pcap %INPUT >>output # @TEST-EXEC: btest-diff output -event bro_init() +event zeek_init() { print "----------------------"; } diff --git a/testing/btest/core/recursive-event.bro b/testing/btest/core/recursive-event.zeek similarity index 97% rename from testing/btest/core/recursive-event.bro rename to testing/btest/core/recursive-event.zeek index 245e994cd6..63cb05eb6f 100644 --- a/testing/btest/core/recursive-event.bro +++ b/testing/btest/core/recursive-event.zeek @@ -26,7 +26,7 @@ event test() event test(); } -event bro_init() +event zeek_init() { event test(); } diff --git a/testing/btest/core/reporter-error-in-handler.bro b/testing/btest/core/reporter-error-in-handler.zeek similarity index 97% rename from testing/btest/core/reporter-error-in-handler.bro rename to testing/btest/core/reporter-error-in-handler.zeek index c4a21d5902..fc0517ab2a 100644 --- a/testing/btest/core/reporter-error-in-handler.bro +++ b/testing/btest/core/reporter-error-in-handler.zeek @@ -23,7 +23,7 @@ event reporter_error(t: time, msg: string, location: string) } } -event bro_init() +event zeek_init() { print a[1]; } diff --git a/testing/btest/core/reporter-fmt-strings.bro b/testing/btest/core/reporter-fmt-strings.zeek similarity index 94% rename from testing/btest/core/reporter-fmt-strings.bro rename to testing/btest/core/reporter-fmt-strings.zeek index 0e0be77844..09c03cf721 100644 
--- a/testing/btest/core/reporter-fmt-strings.bro +++ b/testing/btest/core/reporter-fmt-strings.zeek @@ -4,7 +4,7 @@ # @TEST-EXEC-FAIL: bro %INPUT >output 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output -event bro_init() +event zeek_init() { event dont_interpret_this("%s"); } diff --git a/testing/btest/core/reporter-parse-error.bro b/testing/btest/core/reporter-parse-error.zeek similarity index 89% rename from testing/btest/core/reporter-parse-error.bro rename to testing/btest/core/reporter-parse-error.zeek index 25f33e2785..d57917ff26 100644 --- a/testing/btest/core/reporter-parse-error.bro +++ b/testing/btest/core/reporter-parse-error.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC-FAIL: bro %INPUT >output 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output -event bro_init() +event zeek_init() { print TESTFAILURE; } diff --git a/testing/btest/core/reporter-runtime-error.bro b/testing/btest/core/reporter-runtime-error.zeek similarity index 91% rename from testing/btest/core/reporter-runtime-error.bro rename to testing/btest/core/reporter-runtime-error.zeek index f8dd8c504c..9caeddb258 100644 --- a/testing/btest/core/reporter-runtime-error.bro +++ b/testing/btest/core/reporter-runtime-error.zeek @@ -4,7 +4,7 @@ global a: table[count] of count; -event bro_init() +event zeek_init() { print a[2]; } diff --git a/testing/btest/core/reporter-shutdown-order-errors.bro b/testing/btest/core/reporter-shutdown-order-errors.zeek similarity index 100% rename from testing/btest/core/reporter-shutdown-order-errors.bro rename to testing/btest/core/reporter-shutdown-order-errors.zeek diff --git a/testing/btest/core/reporter-type-mismatch.bro b/testing/btest/core/reporter-type-mismatch.zeek similarity index 91% rename from testing/btest/core/reporter-type-mismatch.bro rename to testing/btest/core/reporter-type-mismatch.zeek index 0faa9b85e2..1a375ea84b 100644 --- a/testing/btest/core/reporter-type-mismatch.bro 
+++ b/testing/btest/core/reporter-type-mismatch.zeek @@ -6,7 +6,7 @@ event foo(a: string) { } -event bro_init() +event zeek_init() { event foo(42); } diff --git a/testing/btest/core/reporter-weird-sampling-disable.bro b/testing/btest/core/reporter-weird-sampling-disable.zeek similarity index 100% rename from testing/btest/core/reporter-weird-sampling-disable.bro rename to testing/btest/core/reporter-weird-sampling-disable.zeek diff --git a/testing/btest/core/reporter-weird-sampling.bro b/testing/btest/core/reporter-weird-sampling.zeek similarity index 100% rename from testing/btest/core/reporter-weird-sampling.bro rename to testing/btest/core/reporter-weird-sampling.zeek diff --git a/testing/btest/core/reporter.bro b/testing/btest/core/reporter.zeek similarity index 97% rename from testing/btest/core/reporter.bro rename to testing/btest/core/reporter.zeek index aa660ef495..bc79ca73d8 100644 --- a/testing/btest/core/reporter.bro +++ b/testing/btest/core/reporter.zeek @@ -3,14 +3,14 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff logger-test.log -event bro_init() +event zeek_init() { Reporter::info("init test-info"); Reporter::warning("init test-warning"); Reporter::error("init test-error"); } -event bro_done() +event zeek_done() { Reporter::info("done test-info"); Reporter::warning("done test-warning"); diff --git a/testing/btest/core/tcp/fin-retransmit.bro b/testing/btest/core/tcp/fin-retransmit.zeek similarity index 100% rename from testing/btest/core/tcp/fin-retransmit.bro rename to testing/btest/core/tcp/fin-retransmit.zeek diff --git a/testing/btest/core/tcp/large-file-reassembly.bro b/testing/btest/core/tcp/large-file-reassembly.zeek similarity index 100% rename from testing/btest/core/tcp/large-file-reassembly.bro rename to testing/btest/core/tcp/large-file-reassembly.zeek 
diff --git a/testing/btest/core/tcp/miss-end-data.bro b/testing/btest/core/tcp/miss-end-data.zeek
similarity index 100%
rename from testing/btest/core/tcp/miss-end-data.bro
rename to testing/btest/core/tcp/miss-end-data.zeek
diff --git a/testing/btest/core/tcp/missing-syn.bro b/testing/btest/core/tcp/missing-syn.zeek
similarity index 100%
rename from testing/btest/core/tcp/missing-syn.bro
rename to testing/btest/core/tcp/missing-syn.zeek
diff --git a/testing/btest/core/tcp/quantum-insert.bro b/testing/btest/core/tcp/quantum-insert.zeek
similarity index 100%
rename from testing/btest/core/tcp/quantum-insert.bro
rename to testing/btest/core/tcp/quantum-insert.zeek
diff --git a/testing/btest/core/tcp/rst-after-syn.bro b/testing/btest/core/tcp/rst-after-syn.zeek
similarity index 100%
rename from testing/btest/core/tcp/rst-after-syn.bro
rename to testing/btest/core/tcp/rst-after-syn.zeek
diff --git a/testing/btest/core/tcp/rxmit-history.bro b/testing/btest/core/tcp/rxmit-history.zeek
similarity index 100%
rename from testing/btest/core/tcp/rxmit-history.bro
rename to testing/btest/core/tcp/rxmit-history.zeek
diff --git a/testing/btest/core/tcp/truncated-header.bro b/testing/btest/core/tcp/truncated-header.zeek
similarity index 100%
rename from testing/btest/core/tcp/truncated-header.bro
rename to testing/btest/core/tcp/truncated-header.zeek
diff --git a/testing/btest/core/tunnels/false-teredo.bro b/testing/btest/core/tunnels/false-teredo.zeek
similarity index 100%
rename from testing/btest/core/tunnels/false-teredo.bro
rename to testing/btest/core/tunnels/false-teredo.zeek
diff --git a/testing/btest/core/tunnels/ip-in-ip-version.bro b/testing/btest/core/tunnels/ip-in-ip-version.zeek
similarity index 100%
rename from testing/btest/core/tunnels/ip-in-ip-version.bro
rename to testing/btest/core/tunnels/ip-in-ip-version.zeek
diff --git a/testing/btest/core/tunnels/teredo.bro b/testing/btest/core/tunnels/teredo.zeek similarity index 100% rename from testing/btest/core/tunnels/teredo.bro rename to testing/btest/core/tunnels/teredo.zeek diff --git a/testing/btest/core/tunnels/vxlan.zeek b/testing/btest/core/tunnels/vxlan.zeek new file mode 100644 index 0000000000..50a7b1a24a --- /dev/null +++ b/testing/btest/core/tunnels/vxlan.zeek @@ -0,0 +1,9 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/vxlan.pcap %INPUT >out +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log + +event vxlan_packet(c: connection, inner: pkt_hdr, vni: count) + { + print "vxlan_packet", c$id, inner, vni; + } diff --git a/testing/btest/core/vector-assignment.bro b/testing/btest/core/vector-assignment.zeek similarity index 94% rename from testing/btest/core/vector-assignment.bro rename to testing/btest/core/vector-assignment.zeek index d1f02c124f..9c5cc4e0f6 100644 --- a/testing/btest/core/vector-assignment.bro +++ b/testing/btest/core/vector-assignment.zeek @@ -13,7 +13,7 @@ function set_me(val: any) { print a; } -event bro_init() { +event zeek_init() { local b: vector of count = {1, 2, 3}; set_me(b); } diff --git a/testing/btest/core/vlan-mpls.bro b/testing/btest/core/vlan-mpls.zeek similarity index 100% rename from testing/btest/core/vlan-mpls.bro rename to testing/btest/core/vlan-mpls.zeek diff --git a/testing/btest/core/when-interpreter-exceptions.bro b/testing/btest/core/when-interpreter-exceptions.zeek similarity index 96% rename from testing/btest/core/when-interpreter-exceptions.bro rename to testing/btest/core/when-interpreter-exceptions.zeek index f259a46bda..41f2374c2f 100644 --- a/testing/btest/core/when-interpreter-exceptions.bro +++ b/testing/btest/core/when-interpreter-exceptions.zeek 
@@ -79,9 +79,9 @@ function g(do_exception: bool): bool return F; } -event bro_init() +event zeek_init() { - local cmd = Exec::Command($cmd="echo 'bro_init()'"); + local cmd = Exec::Command($cmd="echo 'zeek_init()'"); local stall = Exec::Command($cmd="sleep 30"); when ( local result = Exec::run(cmd) ) diff --git a/testing/btest/core/wlanmon.bro b/testing/btest/core/wlanmon.zeek similarity index 100% rename from testing/btest/core/wlanmon.bro rename to testing/btest/core/wlanmon.zeek diff --git a/testing/btest/core/x509-generalizedtime.bro b/testing/btest/core/x509-generalizedtime.zeek similarity index 100% rename from testing/btest/core/x509-generalizedtime.bro rename to testing/btest/core/x509-generalizedtime.zeek diff --git a/testing/btest/coverage/bare-load-baseline.test b/testing/btest/coverage/bare-load-baseline.test index e518e703fb..98ce72e4b8 100644 --- a/testing/btest/coverage/bare-load-baseline.test +++ b/testing/btest/coverage/bare-load-baseline.test @@ -1,6 +1,6 @@ # This test is meant to cover whether the set of scripts that get loaded by # default in bare mode matches a baseline of known defaults. The baseline -# should only need updating if something new is @load'd from init-bare.bro +# should only need updating if something new is @load'd from init-bare.zeek # (or from an @load'd descendent of it). # # As the output has absolute paths in it, we need to remove the common diff --git a/testing/btest/coverage/bare-mode-errors.test b/testing/btest/coverage/bare-mode-errors.test index 2310b66b4b..6f5e6983f6 100644 --- a/testing/btest/coverage/bare-mode-errors.test +++ b/testing/btest/coverage/bare-mode-errors.test 
@@ -5,5 +5,5 @@ # when writing a new bro scripts. # # @TEST-EXEC: test -d $DIST/scripts -# @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.bro`; do bro -b --parse-only $script >>errors 2>&1; done +# @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.zeek`; do bro -b --parse-only $script >>errors 2>&1; done # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-sort" btest-diff errors diff --git a/testing/btest/coverage/broxygen.sh b/testing/btest/coverage/broxygen.sh index 13bf24bce3..4dd12f27fe 100644 --- a/testing/btest/coverage/broxygen.sh +++ b/testing/btest/coverage/broxygen.sh @@ -1,12 +1,12 @@ -# This check piggy-backs on the test-all-policy.bro test, assuming that every +# This check piggy-backs on the test-all-policy.zeek test, assuming that every # loadable script is referenced there. The only additional check here is -# that the broxygen package should even load scripts that are commented -# out in test-all-policy.bro because the broxygen package is only loaded -# when generated documentation and will terminate has soon as bro_init -# is handled, even if a script will e.g. put Bro into listen mode or otherwise +# that the zeexygen package should even load scripts that are commented +# out in test-all-policy.zeek because the zeexygen package is only loaded +# when generated documentation and will terminate has soon as zeek_init +# is handled, even if a script will e.g. put Zeek into listen mode or otherwise # cause it to not terminate after scripts are parsed. -# @TEST-EXEC: bash %INPUT $DIST/scripts/test-all-policy.bro $DIST/scripts/broxygen/__load__.bro +# @TEST-EXEC: bash %INPUT $DIST/scripts/test-all-policy.zeek $DIST/scripts/zeexygen/__load__.zeek error_count=0 
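Review bot: The rewritten `@TEST-EXEC` line in bare-mode-errors.test still iterates `for script in \`find ... -name \*\.zeek\``, which word-splits the find output and would break on any script path containing whitespace; the extension swap was the opportunity to fix that. A single `find` invocation avoids the loop entirely: `# @TEST-EXEC: find $DIST/scripts/ -name '*.zeek' -exec bro -b --parse-only {} \; >>errors 2>&1`. The behaviour (every script parsed, all output appended to `errors`) is unchanged.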
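Review bot: The header comment of broxygen.sh was renamed but not proofread: "when generated documentation and will terminate has soon as zeek_init is handled" should read "when generating documentation and will terminate as soon as zeek_init is handled". Since the rename pass touched every one of these lines, fixing the wording in the same commit would have been free. The file is also still named broxygen.sh after the Broxygen→Zeexygen rename, which may be intentional but is worth a note in the commit description.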
@@ -22,10 +22,10 @@ if [ $# -ne 2 ]; then
 fi
 all_loads=$(egrep "#[[:space:]]*@load.*" $1 | sed 's/#[[:space:]]*@load[[:space:]]*//g')
-broxygen_loads=$(egrep "@load.*" $2 | sed 's/@load[[:space:]]*//g')
+zeexygen_loads=$(egrep "@load.*" $2 | sed 's/@load[[:space:]]*//g')
 for f in $all_loads; do
- echo "$broxygen_loads" | grep -q $f || error_msg "$f not loaded in broxygen/__load__.bro"
+ echo "$zeexygen_loads" | grep -q $f || error_msg "$f not loaded in zeexygen/__load__.zeek"
 done
 if [ $error_count -gt 0 ]; then
diff --git a/testing/btest/coverage/coverage-blacklist.bro b/testing/btest/coverage/coverage-blacklist.zeek
similarity index 100%
rename from testing/btest/coverage/coverage-blacklist.bro
rename to testing/btest/coverage/coverage-blacklist.zeek
diff --git a/testing/btest/coverage/find-bro-logs.test b/testing/btest/coverage/find-bro-logs.test
index e7bcf0578f..ee0e45262b 100644
--- a/testing/btest/coverage/find-bro-logs.test
+++ b/testing/btest/coverage/find-bro-logs.test
@@ -28,7 +28,7 @@ def find_scripts():
 for r, d, f in os.walk(scriptdir):
 for fname in f:
- if fname.endswith(".bro"):
+ if fname.endswith(".zeek") or fname.endswith(".bro"):
 scripts.append(os.path.join(r, fname))
 return scripts
diff --git a/testing/btest/coverage/init-default.test b/testing/btest/coverage/init-default.test
index 537b5ca77d..edc0012ef1 100644
--- a/testing/btest/coverage/init-default.test
+++ b/testing/btest/coverage/init-default.test
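Review bot: The rewritten `echo "$zeexygen_loads" | grep -q $f || error_msg ...` line still passes `$f` unquoted and as a regular expression, so a `.` in a script path matches any character and a shorter path is satisfied by any longer line that contains it; a script genuinely missing from zeexygen/__load__.zeek can therefore go unreported. As the line is being touched anyway, `grep -qF -- "$f" <<<"$zeexygen_loads" || error_msg "$f not loaded in zeexygen/__load__.zeek"` makes it a fixed-string match, and `-x` could be added if both lists are known to hold identical whole-line paths. The two `egrep` invocations above it also expand `$1` and `$2` unquoted, which only works while the paths contain no whitespace.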
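Review bot: The new condition accepts both `.zeek` and `.bro` here, while the `find` patterns in bare-mode-errors.test, init-default.test and test-all-policy.test on this page now match only `*.zeek`; a `.bro` file left behind under scripts/ would still be scanned for logs by this test but would no longer be parse-checked or load-checked by the others, so the two policies should agree (either drop `.bro` here too, or keep it in the others for the transition). As a matter of style the check reads more naturally as `if fname.endswith((".zeek", ".bro")):`, since `str.endswith` accepts a tuple of suffixes. find_scripts begins before the hunk.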
@@ -1,19 +1,19 @@ -# Makes sure that all base/* scripts are loaded by default via init-default.bro; -# and that all scripts loaded there in there actually exist. +# Makes sure that all base/* scripts are loaded by default via +# init-default.zeek; and that all scripts loaded there actually exist. # # This test will fail if a new bro script is added under the scripts/base/ -# directory and it is not also added as an @load in base/init-default.bro. +# directory and it is not also added as an @load in base/init-default.zeek. # In some cases, a script in base is loaded based on the bro configuration # (e.g. cluster operation), and in such cases, the missing_loads baseline # can be adjusted to tolerate that. #@TEST-EXEC: test -d $DIST/scripts/base -#@TEST-EXEC: test -e $DIST/scripts/base/init-default.bro -#@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.bro' ) | sort >"all scripts found" +#@TEST-EXEC: test -e $DIST/scripts/base/init-default.zeek +#@TEST-EXEC: ( cd $DIST/scripts/base && find . 
-name '*.zeek' ) | sort >"all scripts found" #@TEST-EXEC: bro misc/loaded-scripts #@TEST-EXEC: (test -L $BUILD && basename $(readlink $BUILD) || basename $BUILD) >buildprefix -#@TEST-EXEC: cat loaded_scripts.log | egrep -v "/build/scripts/|$(cat buildprefix)/scripts/|/loaded-scripts.bro|#" | sed 's#/./#/#g' >loaded_scripts.log.tmp +#@TEST-EXEC: cat loaded_scripts.log | egrep -v "/build/scripts/|$(cat buildprefix)/scripts/|/loaded-scripts.zeek|#" | sed 's#/./#/#g' >loaded_scripts.log.tmp #@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix -#@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed "s#`cat prefix`#./#g" | sort >init-default.bro -#@TEST-EXEC: diff -u "all scripts found" init-default.bro | egrep "^-[^-]" > missing_loads +#@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed "s#`cat prefix`#./#g" | sort >init-default.zeek +#@TEST-EXEC: diff -u "all scripts found" init-default.zeek | egrep "^-[^-]" > missing_loads #@TEST-EXEC: btest-diff missing_loads diff --git a/testing/btest/coverage/sphinx-broxygen-docs.sh b/testing/btest/coverage/sphinx-broxygen-docs.sh index ab194cb027..d508a8361f 100644 --- a/testing/btest/coverage/sphinx-broxygen-docs.sh +++ b/testing/btest/coverage/sphinx-broxygen-docs.sh @@ -1,11 +1,11 @@ -# This script checks whether the reST docs generated by broxygen are stale. +# This script checks whether the reST docs generated by zeexygen are stale. # If this test fails when testing the master branch, then simply run: # -# testing/scripts/gen-broxygen-docs.sh +# testing/scripts/gen-zeexygen-docs.sh # # and then commit the changes. # -# @TEST-EXEC: bash $SCRIPTS/gen-broxygen-docs.sh ./doc +# @TEST-EXEC: bash $SCRIPTS/gen-zeexygen-docs.sh ./doc # @TEST-EXEC: bash %INPUT if [ -n "$TRAVIS_PULL_REQUEST" ]; then 
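Review bot: The changed `#@TEST-EXEC: cat loaded_scripts.log | egrep -v ...` line keeps a useless `cat` that `egrep -v ... loaded_scripts.log` would replace, and the rewritten `sed "s#\`cat prefix\`#./#g"` line interpolates the computed prefix into a sed pattern unescaped, so a build prefix containing `#` or a regex metacharacter would silently change the substitution and the resulting diff. Both are pre-existing, but these lines are rewritten here and again in test-all-policy.test, so this is a cheap moment to tidy them.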
@@ -33,7 +33,7 @@ function check_diff echo "If this fails in the master branch or when merging to master," 1>&2 echo "re-run the following command:" 1>&2 echo "" 1>&2 - echo " $SCRIPTS/gen-broxygen-docs.sh" 1>&2 + echo " $SCRIPTS/gen-zeexygen-docs.sh" 1>&2 echo "" 1>&2 echo "Then commit/push the changes in the zeek-docs repo" 1>&2 echo "(the doc/ directory in the zeek repo)." 1>&2 diff --git a/testing/btest/coverage/test-all-policy.test b/testing/btest/coverage/test-all-policy.test index 3a545a02af..61e4297f83 100644 --- a/testing/btest/coverage/test-all-policy.test +++ b/testing/btest/coverage/test-all-policy.test @@ -1,12 +1,12 @@ # Makes sure that all policy/* scripts are loaded in -# scripts/test-all-policy.bro and that all scripts loaded there actually exist. +# scripts/test-all-policy.zeek and that all scripts loaded there actually exist. # # This test will fail if new bro scripts are added to the scripts/policy/ -# directory. Correcting that just involves updating scripts/test-all-policy.bro -# to @load the new bro scripts. +# directory. Correcting that just involves updating +# scripts/test-all-policy.zeek to @load the new bro scripts. -@TEST-EXEC: test -e $DIST/scripts/test-all-policy.bro +@TEST-EXEC: test -e $DIST/scripts/test-all-policy.zeek @TEST-EXEC: test -d $DIST/scripts -@TEST-EXEC: ( cd $DIST/scripts/policy && find . -name '*.bro' ) | sort >"all scripts found" -@TEST-EXEC: cat $DIST/scripts/test-all-policy.bro | grep '@load' | sed 'sm^\( *# *\)\{0,\}@load *m./mg' | sort >test-all-policy.bro -@TEST-EXEC: diff -u "all scripts found" test-all-policy.bro 1>&2 +@TEST-EXEC: ( cd $DIST/scripts/policy && find . -name '*.zeek' ) | sort >"all scripts found" +@TEST-EXEC: cat $DIST/scripts/test-all-policy.zeek | grep '@load' | sed 'sm^\( *# *\)\{0,\}@load *m./mg' | sort >test-all-policy.zeek +@TEST-EXEC: diff -u "all scripts found" test-all-policy.zeek 1>&2 
diff --git a/testing/btest/doc/broxygen/all_scripts.test b/testing/btest/doc/broxygen/all_scripts.test deleted file mode 100644 index 238ba3a4f3..0000000000 --- a/testing/btest/doc/broxygen/all_scripts.test +++ /dev/null @@ -1,14 +0,0 @@ -# This test is mostly just checking that there's no errors that result -# from loading all scripts and generated docs for each. - -# This must be serialized with communication tests because it does load -# listen.bro in order to document it. - -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/ Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff .stdout -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr - -@TEST-START-FILE broxygen.config -script * scripts/ -@TEST-END-FILE diff --git a/testing/btest/doc/broxygen/example.bro b/testing/btest/doc/broxygen/example.bro deleted file mode 100644 index 22a6fc7418..0000000000 --- a/testing/btest/doc/broxygen/example.bro +++ /dev/null @@ -1,8 +0,0 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config %INPUT -# @TEST-EXEC: btest-diff example.rst - -@TEST-START-FILE broxygen.config -script broxygen/example.bro example.rst -@TEST-END-FILE - -@load broxygen/example.bro diff --git a/testing/btest/doc/broxygen/identifier.bro b/testing/btest/doc/broxygen/identifier.bro deleted file mode 100644 index ae49d812a0..0000000000 --- a/testing/btest/doc/broxygen/identifier.bro +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff test.rst - -@TEST-START-FILE broxygen.config -identifier BroxygenExample::* test.rst -@TEST-END-FILE - -@load broxygen diff --git a/testing/btest/doc/broxygen/package.bro b/testing/btest/doc/broxygen/package.bro deleted file mode 100644 index 6a9957804a..0000000000 
--- a/testing/btest/doc/broxygen/package.bro +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff test.rst - -@TEST-START-FILE broxygen.config -package broxygen test.rst -@TEST-END-FILE - -@load broxygen diff --git a/testing/btest/doc/broxygen/package_index.bro b/testing/btest/doc/broxygen/package_index.bro deleted file mode 100644 index 49c367aa48..0000000000 --- a/testing/btest/doc/broxygen/package_index.bro +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff test.rst - -@TEST-START-FILE broxygen.config -package_index broxygen test.rst -@TEST-END-FILE - -@load broxygen diff --git a/testing/btest/doc/broxygen/script_index.bro b/testing/btest/doc/broxygen/script_index.bro deleted file mode 100644 index ab257ad35d..0000000000 --- a/testing/btest/doc/broxygen/script_index.bro +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff test.rst - -@TEST-START-FILE broxygen.config -script_index broxygen/* test.rst -@TEST-END-FILE - -@load broxygen diff --git a/testing/btest/doc/broxygen/script_summary.bro b/testing/btest/doc/broxygen/script_summary.bro deleted file mode 100644 index a517a08072..0000000000 --- a/testing/btest/doc/broxygen/script_summary.bro +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-PORT: BROKER_PORT -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT Broker::default_port=$BROKER_PORT -# @TEST-EXEC: btest-diff test.rst - -@TEST-START-FILE broxygen.config -script_summary broxygen/example.bro test.rst -@TEST-END-FILE - -@load broxygen 
diff --git a/testing/btest/doc/record-add.bro b/testing/btest/doc/record-add.zeek similarity index 100% rename from testing/btest/doc/record-add.bro rename to testing/btest/doc/record-add.zeek diff --git a/testing/btest/doc/record-attr-check.bro b/testing/btest/doc/record-attr-check.zeek similarity index 100% rename from testing/btest/doc/record-attr-check.bro rename to testing/btest/doc/record-attr-check.zeek diff --git a/testing/btest/doc/broxygen/command_line.bro b/testing/btest/doc/zeexygen/command_line.zeek similarity index 100% rename from testing/btest/doc/broxygen/command_line.bro rename to testing/btest/doc/zeexygen/command_line.zeek diff --git a/testing/btest/doc/broxygen/comment_retrieval_bifs.bro b/testing/btest/doc/zeexygen/comment_retrieval_bifs.zeek similarity index 100% rename from testing/btest/doc/broxygen/comment_retrieval_bifs.bro rename to testing/btest/doc/zeexygen/comment_retrieval_bifs.zeek diff --git a/testing/btest/doc/broxygen/enums.bro b/testing/btest/doc/zeexygen/enums.zeek similarity index 89% rename from testing/btest/doc/broxygen/enums.bro rename to testing/btest/doc/zeexygen/enums.zeek index 8fbdb11ab6..a385a36a6c 100644 --- a/testing/btest/doc/broxygen/enums.bro +++ b/testing/btest/doc/zeexygen/enums.zeek @@ -1,7 +1,7 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-enums.rst -@TEST-START-FILE broxygen.config +@TEST-START-FILE zeexygen.config identifier TestEnum* autogen-reST-enums.rst @TEST-END-FILE diff --git a/testing/btest/doc/zeexygen/example.zeek b/testing/btest/doc/zeexygen/example.zeek new file mode 100644 index 0000000000..53179dac39 --- /dev/null +++ b/testing/btest/doc/zeexygen/example.zeek 
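Review bot: The changed `# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT` line renames the config file but keeps unsetting `BRO_DISABLE_BROXYGEN`; if this commit also renamed that environment variable in the core (it renames the `--broxygen` option and other Broxygen usages per CHANGES), the unset becomes a no-op and the documentation generation these tests depend on would stay disabled. If the variable was deliberately left unchanged, a short comment saying so would spare the next reader the same question. The same line appears in example.zeek, func-params.zeek, identifier.zeek, package.zeek, package_index.zeek, records.zeek, script_index.zeek, script_summary.zeek, type-aliases.zeek and vectors.zeek.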
@@ -0,0 +1,8 @@
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X zeexygen.config %INPUT
+# @TEST-EXEC: btest-diff example.rst
+
+@TEST-START-FILE zeexygen.config
+script zeexygen/example.zeek example.rst
+@TEST-END-FILE
+
+@load zeexygen/example
diff --git a/testing/btest/doc/broxygen/func-params.bro b/testing/btest/doc/zeexygen/func-params.zeek
similarity index 83%
rename from testing/btest/doc/broxygen/func-params.bro
rename to testing/btest/doc/zeexygen/func-params.zeek
index e53ca475f1..5facba3e05 100644
--- a/testing/btest/doc/broxygen/func-params.bro
+++ b/testing/btest/doc/zeexygen/func-params.zeek
@@ -1,7 +1,7 @@
-# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT
 # @TEST-EXEC: btest-diff autogen-reST-func-params.rst
-@TEST-START-FILE broxygen.config
+@TEST-START-FILE zeexygen.config
 identifier test_func_params* autogen-reST-func-params.rst
 @TEST-END-FILE
diff --git a/testing/btest/doc/zeexygen/identifier.zeek b/testing/btest/doc/zeexygen/identifier.zeek
new file mode 100644
index 0000000000..38a4f274ad
--- /dev/null
+++ b/testing/btest/doc/zeexygen/identifier.zeek
@@ -0,0 +1,9 @@
+# @TEST-PORT: BROKER_PORT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT Broker::default_port=$BROKER_PORT
+# @TEST-EXEC: btest-diff test.rst
+
+@TEST-START-FILE zeexygen.config
+identifier ZeexygenExample::* test.rst
+@TEST-END-FILE
+
+@load zeexygen
diff --git a/testing/btest/doc/zeexygen/package.zeek b/testing/btest/doc/zeexygen/package.zeek
new file mode 100644
index 0000000000..7038b5b50a
--- /dev/null
+++ b/testing/btest/doc/zeexygen/package.zeek
@@ -0,0 +1,9 @@
+# @TEST-PORT: BROKER_PORT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT Broker::default_port=$BROKER_PORT
+# @TEST-EXEC: btest-diff test.rst
+
+@TEST-START-FILE zeexygen.config
+package zeexygen test.rst
+@TEST-END-FILE
+
+@load zeexygen
diff --git a/testing/btest/doc/zeexygen/package_index.zeek b/testing/btest/doc/zeexygen/package_index.zeek new file mode 100644 index 0000000000..3a0c92ca71 --- /dev/null +++ b/testing/btest/doc/zeexygen/package_index.zeek @@ -0,0 +1,9 @@ +# @TEST-PORT: BROKER_PORT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT Broker::default_port=$BROKER_PORT +# @TEST-EXEC: btest-diff test.rst + +@TEST-START-FILE zeexygen.config +package_index zeexygen test.rst +@TEST-END-FILE + +@load zeexygen diff --git a/testing/btest/doc/broxygen/records.bro b/testing/btest/doc/zeexygen/records.zeek similarity index 84% rename from testing/btest/doc/broxygen/records.bro rename to testing/btest/doc/zeexygen/records.zeek index fbaa957a9f..0c1f668df9 100644 --- a/testing/btest/doc/broxygen/records.bro +++ b/testing/btest/doc/zeexygen/records.zeek @@ -1,7 +1,7 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-records.rst -@TEST-START-FILE broxygen.config +@TEST-START-FILE zeexygen.config identifier TestRecord* autogen-reST-records.rst @TEST-END-FILE diff --git a/testing/btest/doc/zeexygen/script_index.zeek b/testing/btest/doc/zeexygen/script_index.zeek new file mode 100644 index 0000000000..f92513d632 --- /dev/null +++ b/testing/btest/doc/zeexygen/script_index.zeek @@ -0,0 +1,9 @@ +# @TEST-PORT: BROKER_PORT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT Broker::default_port=$BROKER_PORT +# @TEST-EXEC: btest-diff test.rst + +@TEST-START-FILE zeexygen.config +script_index zeexygen/* test.rst +@TEST-END-FILE + +@load zeexygen diff --git a/testing/btest/doc/zeexygen/script_summary.zeek b/testing/btest/doc/zeexygen/script_summary.zeek new file mode 100644 index 0000000000..9378417f08 --- /dev/null +++ b/testing/btest/doc/zeexygen/script_summary.zeek 
@@ -0,0 +1,9 @@ +# @TEST-PORT: BROKER_PORT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT Broker::default_port=$BROKER_PORT +# @TEST-EXEC: btest-diff test.rst + +@TEST-START-FILE zeexygen.config +script_summary zeexygen/example.zeek test.rst +@TEST-END-FILE + +@load zeexygen diff --git a/testing/btest/doc/broxygen/type-aliases.bro b/testing/btest/doc/zeexygen/type-aliases.zeek similarity index 81% rename from testing/btest/doc/broxygen/type-aliases.bro rename to testing/btest/doc/zeexygen/type-aliases.zeek index 0971327c2b..40a6e24417 100644 --- a/testing/btest/doc/broxygen/type-aliases.bro +++ b/testing/btest/doc/zeexygen/type-aliases.zeek @@ -1,11 +1,11 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-type-aliases.rst -@TEST-START-FILE broxygen.config -identifier BroxygenTest::* autogen-reST-type-aliases.rst +@TEST-START-FILE zeexygen.config +identifier ZeexygenTest::* autogen-reST-type-aliases.rst @TEST-END-FILE -module BroxygenTest; +module ZeexygenTest; export { ## This is just an alias for a builtin type ``bool``. diff --git a/testing/btest/doc/broxygen/vectors.bro b/testing/btest/doc/zeexygen/vectors.zeek similarity index 83% rename from testing/btest/doc/broxygen/vectors.bro rename to testing/btest/doc/zeexygen/vectors.zeek index 7c18225357..8a16a58149 100644 --- a/testing/btest/doc/broxygen/vectors.bro +++ b/testing/btest/doc/zeexygen/vectors.zeek @@ -1,7 +1,7 @@ -# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X zeexygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-vectors.rst -@TEST-START-FILE broxygen.config +@TEST-START-FILE zeexygen.config identifier test_vector* autogen-reST-vectors.rst @TEST-END-FILE 
diff --git a/testing/btest/language/addr.bro b/testing/btest/language/addr.zeek
similarity index 96%
rename from testing/btest/language/addr.bro
rename to testing/btest/language/addr.zeek
index dd7e5e1dff..8829c20da2 100644
--- a/testing/btest/language/addr.bro
+++ b/testing/btest/language/addr.zeek
@@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool)
 }
-event bro_init()
+event zeek_init()
 {
 # IPv4 addresses
 local a1: addr = 0.0.0.0;
@@ -31,6 +31,7 @@ event bro_init()
 local b6: addr = [aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222];
 local b7: addr = [AAAA:BBBB:CCCC:DDDD:EEEE:FFFF:1111:2222];
 local b8 = [a::b];
+ local b9 = [2001:db8:0:0:0:FFFF:192.168.0.5];
 test_case( "IPv6 address inequality", b1 != b2 );
 test_case( "IPv6 address equality", b1 == b5 );
diff --git a/testing/btest/language/any.bro b/testing/btest/language/any.zeek
similarity index 97%
rename from testing/btest/language/any.bro
rename to testing/btest/language/any.zeek
index fca23f6db8..32daa36903 100644
--- a/testing/btest/language/any.bro
+++ b/testing/btest/language/any.zeek
@@ -11,7 +11,7 @@ function anyarg(arg1: any, arg1type: string)
 test_case( arg1type, type_name(arg1) == arg1type );
 }
-event bro_init()
+event zeek_init()
 {
 local any1: any = 5;
 local any2: any = "bar";
diff --git a/testing/btest/language/at-deprecated.bro b/testing/btest/language/at-deprecated.zeek
similarity index 63%
rename from testing/btest/language/at-deprecated.bro
rename to testing/btest/language/at-deprecated.zeek
index dd0f746658..271a918e5e 100644
--- a/testing/btest/language/at-deprecated.bro
+++ b/testing/btest/language/at-deprecated.zeek
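Review bot: The added `local b9 = [2001:db8:0:0:0:FFFF:192.168.0.5];` is only assigned, so within the hunk this regression test for the hybrid IPv6-IPv4 literal fix (CHANGES 2.6-249) shows that the literal parses but not that it parses to the right value. Unless b9 is used further down in the event body, which continues outside the hunk, an assertion such as `test_case( "IPv6 hybrid address equality", b9 == [2001:db8::ffff:192.168.0.5] );` would pin the parsed value against the zero-compressed spelling that already parsed before the fix.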
@@ -1,16 +1,16 @@ # @TEST-EXEC: bro -b foo # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr -@TEST-START-FILE foo.bro +@TEST-START-FILE foo.zeek @deprecated @load bar @load baz @TEST-END-FILE -@TEST-START-FILE bar.bro -@deprecated "Use '@load qux.bro' instead" +@TEST-START-FILE bar.zeek +@deprecated "Use '@load qux' instead" @TEST-END-FILE -@TEST-START-FILE baz.bro +@TEST-START-FILE baz.zeek @deprecated @TEST-END-FILE diff --git a/testing/btest/language/at-dir.bro b/testing/btest/language/at-dir.zeek similarity index 75% rename from testing/btest/language/at-dir.bro rename to testing/btest/language/at-dir.zeek index b826e3a5da..a366285a5b 100644 --- a/testing/btest/language/at-dir.bro +++ b/testing/btest/language/at-dir.zeek @@ -1,10 +1,10 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out -# @TEST-EXEC: bro -b ./pathtest.bro >out2 +# @TEST-EXEC: bro -b ./pathtest.zeek >out2 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out2 print @DIR; -@TEST-START-FILE pathtest.bro +@TEST-START-FILE pathtest.zeek print @DIR; @TEST-END-FILE diff --git a/testing/btest/language/at-filename.bro b/testing/btest/language/at-filename.zeek similarity index 100% rename from testing/btest/language/at-filename.bro rename to testing/btest/language/at-filename.zeek diff --git a/testing/btest/language/at-if-event.bro b/testing/btest/language/at-if-event.zeek similarity index 84% rename from testing/btest/language/at-if-event.bro rename to testing/btest/language/at-if-event.zeek index 0dd9815908..2ac757810d 100644 --- a/testing/btest/language/at-if-event.bro +++ b/testing/btest/language/at-if-event.zeek @@ -12,7 +12,7 @@ lalala } @if ( 1==1 ) -event bro_init() +event zeek_init() @else lalala @endif @@ -24,7 +24,7 @@ lalala @if ( 1==0 ) lalala @else -event bro_init() +event zeek_init() @endif { print "3"; 
@@ -32,7 +32,7 @@ event bro_init() @if ( 1==1 ) @if ( 1==1 ) -event bro_init() +event zeek_init() @endif @else lalala @@ -42,7 +42,7 @@ lalala } @if ( 1==1 ) -event bro_init() &priority=10 +event zeek_init() &priority=10 @else lalala @endif diff --git a/testing/btest/language/at-if-invalid.bro b/testing/btest/language/at-if-invalid.zeek similarity index 96% rename from testing/btest/language/at-if-invalid.bro rename to testing/btest/language/at-if-invalid.zeek index 1be2b94304..e2e5e2c699 100644 --- a/testing/btest/language/at-if-invalid.bro +++ b/testing/btest/language/at-if-invalid.zeek @@ -6,7 +6,7 @@ function foo(c: count): bool global TRUE_CONDITION = T; -event bro_init() +event zeek_init() { local xyz = 0; local local_true_condition = T; diff --git a/testing/btest/language/at-if.bro b/testing/btest/language/at-if.zeek similarity index 97% rename from testing/btest/language/at-if.bro rename to testing/btest/language/at-if.zeek index dddf9a22a5..1aba7b9ded 100644 --- a/testing/btest/language/at-if.bro +++ b/testing/btest/language/at-if.zeek @@ -11,7 +11,7 @@ function foo(c: count): bool global TRUE_CONDITION = T; -event bro_init() +event zeek_init() { local xyz = 0; diff --git a/testing/btest/language/at-ifdef.bro b/testing/btest/language/at-ifdef.zeek similarity index 97% rename from testing/btest/language/at-ifdef.bro rename to testing/btest/language/at-ifdef.zeek index e7bb961833..ebc59f7056 100644 --- a/testing/btest/language/at-ifdef.bro +++ b/testing/btest/language/at-ifdef.zeek @@ -8,7 +8,7 @@ function test_case(msg: string, expect: bool) global thisisdefined = 123; -event bro_init() +event zeek_init() { local xyz = 0; diff --git a/testing/btest/language/at-ifndef.bro b/testing/btest/language/at-ifndef.zeek similarity index 97% rename from testing/btest/language/at-ifndef.bro rename to testing/btest/language/at-ifndef.zeek index 8bff0c456b..6e4df4dd86 100644 --- a/testing/btest/language/at-ifndef.bro +++ b/testing/btest/language/at-ifndef.zeek 
@@ -8,7 +8,7 @@ function test_case(msg: string, expect: bool) global thisisdefined = 123; -event bro_init() +event zeek_init() { local xyz = 0; diff --git a/testing/btest/language/at-load.bro b/testing/btest/language/at-load.zeek similarity index 98% rename from testing/btest/language/at-load.bro rename to testing/btest/language/at-load.zeek index 7427cd639a..ae14eba436 100644 --- a/testing/btest/language/at-load.bro +++ b/testing/btest/language/at-load.zeek @@ -5,7 +5,7 @@ @load secondtestfile -event bro_init() +event zeek_init() { test_case( "function", T ); test_case( "global variable", num == 123 ); diff --git a/testing/btest/language/attr-default-coercion.bro b/testing/btest/language/attr-default-coercion.zeek similarity index 95% rename from testing/btest/language/attr-default-coercion.bro rename to testing/btest/language/attr-default-coercion.zeek index 14590d0033..8304169cfb 100644 --- a/testing/btest/language/attr-default-coercion.bro +++ b/testing/btest/language/attr-default-coercion.zeek @@ -16,7 +16,7 @@ function foo(i: int &default = 237, d: double &default = 101) print i, d; } -event bro_init() +event zeek_init() { print t["nope"]; print r; diff --git a/testing/btest/language/attr-default-global-set-error.bro b/testing/btest/language/attr-default-global-set-error.zeek similarity index 100% rename from testing/btest/language/attr-default-global-set-error.bro rename to testing/btest/language/attr-default-global-set-error.zeek diff --git a/testing/btest/language/bool.bro b/testing/btest/language/bool.zeek similarity index 97% rename from testing/btest/language/bool.bro rename to testing/btest/language/bool.zeek index 8a1404459c..be54a442d9 100644 --- a/testing/btest/language/bool.bro +++ b/testing/btest/language/bool.zeek @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local b1: bool = T; local b2: bool = F; 
diff --git a/testing/btest/language/common-mistakes.bro b/testing/btest/language/common-mistakes.zeek similarity index 75% rename from testing/btest/language/common-mistakes.bro rename to testing/btest/language/common-mistakes.zeek index 361aae0ff4..4e9e017fda 100644 --- a/testing/btest/language/common-mistakes.bro +++ b/testing/btest/language/common-mistakes.zeek @@ -2,16 +2,16 @@ # handled internally by way of throwing an exception to unwind out # of the current event handler body. -# @TEST-EXEC: bro -b 1.bro >1.out 2>&1 +# @TEST-EXEC: bro -b 1.zeek >1.out 2>&1 # @TEST-EXEC: btest-diff 1.out -# @TEST-EXEC: bro -b 2.bro >2.out 2>&1 +# @TEST-EXEC: bro -b 2.zeek >2.out 2>&1 # @TEST-EXEC: btest-diff 2.out -# @TEST-EXEC: bro -b 3.bro >3.out 2>&1 +# @TEST-EXEC: bro -b 3.zeek >3.out 2>&1 # @TEST-EXEC: btest-diff 3.out -@TEST-START-FILE 1.bro +@TEST-START-FILE 1.zeek type myrec: record { f: string &optional; }; @@ -33,21 +33,21 @@ function bar() print "bar done"; } -event bro_init() +event zeek_init() { bar(); # Unreachable - print "bro_init done"; + print "zeek_init done"; } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { # Reachable - print "other bro_init"; + print "other zeek_init"; } @TEST-END-FILE -@TEST-START-FILE 2.bro +@TEST-START-FILE 2.zeek function foo() { print "in foo"; @@ -65,16 +65,16 @@ function foo() print "foo done"; } -event bro_init() +event zeek_init() { foo(); # Unreachable - print "bro_init done"; + print "zeek_init done"; } @TEST-END-FILE -@TEST-START-FILE 3.bro +@TEST-START-FILE 3.zeek function foo(v: vector of any) { print "in foo"; @@ -84,12 +84,12 @@ function foo(v: vector of any) print "foo done"; } -event bro_init() +event zeek_init() { local v: vector of count; v += 1; foo(v); # Unreachable - print "bro_init done", v; + print "zeek_init done", v; } @TEST-END-FILE 
diff --git a/testing/btest/language/conditional-expression.bro b/testing/btest/language/conditional-expression.zeek similarity index 98% rename from testing/btest/language/conditional-expression.bro rename to testing/btest/language/conditional-expression.zeek index ea0acf009f..4938b87b4d 100644 --- a/testing/btest/language/conditional-expression.bro +++ b/testing/btest/language/conditional-expression.zeek @@ -21,7 +21,7 @@ function f2(): bool } -event bro_init() +event zeek_init() { local a: count; local b: count; diff --git a/testing/btest/language/const.bro b/testing/btest/language/const.zeek similarity index 81% rename from testing/btest/language/const.bro rename to testing/btest/language/const.zeek index ee938e8d45..6d7b3fe527 100644 --- a/testing/btest/language/const.bro +++ b/testing/btest/language/const.zeek @@ -1,12 +1,12 @@ -# @TEST-EXEC: bro -b valid.bro 2>valid.stderr 1>valid.stdout +# @TEST-EXEC: bro -b valid.zeek 2>valid.stderr 1>valid.stdout # @TEST-EXEC: btest-diff valid.stderr # @TEST-EXEC: btest-diff valid.stdout -# @TEST-EXEC-FAIL: bro -b invalid.bro 2>invalid.stderr 1>invalid.stdout +# @TEST-EXEC-FAIL: bro -b invalid.zeek 2>invalid.stderr 1>invalid.stdout # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff invalid.stderr # @TEST-EXEC: btest-diff invalid.stdout -@TEST-START-FILE valid.bro +@TEST-START-FILE valid.zeek # First some simple code that should be valid and error-free. function f(c: count) @@ -21,7 +21,7 @@ redef foo = 10; const bar = 9; -event bro_init() +event zeek_init() { const baz = 7; local i = foo; @@ -40,7 +40,7 @@ event bro_init() @TEST-END-FILE -@TEST-START-FILE invalid.bro +@TEST-START-FILE invalid.zeek # Now some const assignments that should generate errors at parse-time. const foo = 0 &redef; @@ -48,7 +48,7 @@ redef foo = 10; const bar = 9; -event bro_init() +event zeek_init() { const baz = 7; local s = 0; 
diff --git a/testing/btest/language/container-ctor-scope.bro b/testing/btest/language/container-ctor-scope.zeek similarity index 100% rename from testing/btest/language/container-ctor-scope.bro rename to testing/btest/language/container-ctor-scope.zeek diff --git a/testing/btest/language/copy.bro b/testing/btest/language/copy.zeek similarity index 96% rename from testing/btest/language/copy.bro rename to testing/btest/language/copy.zeek index 3ddbc15e23..e3d6b80d5b 100644 --- a/testing/btest/language/copy.bro +++ b/testing/btest/language/copy.zeek @@ -8,7 +8,7 @@ function test_case(msg: string, expect: bool) -event bro_init() +event zeek_init() { # "b" is not a copy of "a" local a: set[string] = set("this", "test"); diff --git a/testing/btest/language/count.bro b/testing/btest/language/count.zeek similarity index 99% rename from testing/btest/language/count.bro rename to testing/btest/language/count.zeek index 39a3786dfb..6e5dca8bc2 100644 --- a/testing/btest/language/count.bro +++ b/testing/btest/language/count.zeek @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local c1: count = 0; local c2: count = 5; diff --git a/testing/btest/language/cross-product-init.bro b/testing/btest/language/cross-product-init.zeek similarity index 100% rename from testing/btest/language/cross-product-init.bro rename to testing/btest/language/cross-product-init.zeek diff --git a/testing/btest/language/default-params.bro b/testing/btest/language/default-params.zeek similarity index 100% rename from testing/btest/language/default-params.bro rename to testing/btest/language/default-params.zeek diff --git a/testing/btest/language/delete-field-set.bro b/testing/btest/language/delete-field-set.zeek similarity index 100% rename from testing/btest/language/delete-field-set.bro rename to testing/btest/language/delete-field-set.zeek 
diff --git a/testing/btest/language/delete-field.bro b/testing/btest/language/delete-field.zeek similarity index 100% rename from testing/btest/language/delete-field.bro rename to testing/btest/language/delete-field.zeek diff --git a/testing/btest/language/deprecated.bro b/testing/btest/language/deprecated.zeek similarity index 98% rename from testing/btest/language/deprecated.bro rename to testing/btest/language/deprecated.zeek index ec9c3c9e1e..9ac6996145 100644 --- a/testing/btest/language/deprecated.bro +++ b/testing/btest/language/deprecated.zeek @@ -24,7 +24,7 @@ type my_other_enum: enum { TWO = 2 &deprecated }; -event bro_init() +event zeek_init() { print ZERO; print ONE; diff --git a/testing/btest/language/double.bro b/testing/btest/language/double.zeek similarity index 99% rename from testing/btest/language/double.bro rename to testing/btest/language/double.zeek index f85b216828..f1338ca16d 100644 --- a/testing/btest/language/double.bro +++ b/testing/btest/language/double.zeek @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local d1: double = 3; local d2: double = +3; diff --git a/testing/btest/language/enum-desc.bro b/testing/btest/language/enum-desc.zeek similarity index 100% rename from testing/btest/language/enum-desc.bro rename to testing/btest/language/enum-desc.zeek diff --git a/testing/btest/language/enum-scope.bro b/testing/btest/language/enum-scope.zeek similarity index 100% rename from testing/btest/language/enum-scope.bro rename to testing/btest/language/enum-scope.zeek diff --git a/testing/btest/language/enum.bro b/testing/btest/language/enum.zeek similarity index 97% rename from testing/btest/language/enum.bro rename to testing/btest/language/enum.zeek index 6de7d345da..c4aa2d71a1 100644 --- a/testing/btest/language/enum.bro +++ b/testing/btest/language/enum.zeek 
@@ -14,7 +14,7 @@ type color: enum { Red, White, Blue, }; type city: enum { Rome, Paris }; -event bro_init() +event zeek_init() { local e1: color = Blue; local e2: color = White; diff --git a/testing/btest/language/eof-parse-errors.bro b/testing/btest/language/eof-parse-errors.bro deleted file mode 100644 index a2c6edc66d..0000000000 --- a/testing/btest/language/eof-parse-errors.bro +++ /dev/null @@ -1,21 +0,0 @@ -# @TEST-EXEC-FAIL: bro -b a.bro >output1 2>&1 -# @TEST-EXEC-FAIL: bro -b a.bro b.bro >output2 2>&1 -# @TEST-EXEC: btest-diff output1 -# @TEST-EXEC: btest-diff output2 - -@TEST-START-FILE a.bro -module A; - -event bro_init() - { - print "a"; -@TEST-END-FILE - -@TEST-START-FILE b.bro -module B; - -event bro_init() - { - print "b"; - } -@TEST-END-FILE diff --git a/testing/btest/language/eof-parse-errors.zeek b/testing/btest/language/eof-parse-errors.zeek new file mode 100644 index 0000000000..3b6ba8faf5 --- /dev/null +++ b/testing/btest/language/eof-parse-errors.zeek @@ -0,0 +1,21 @@ +# @TEST-EXEC-FAIL: bro -b a.zeek >output1 2>&1 +# @TEST-EXEC-FAIL: bro -b a.zeek b.zeek >output2 2>&1 +# @TEST-EXEC: btest-diff output1 +# @TEST-EXEC: btest-diff output2 + +@TEST-START-FILE a.zeek +module A; + +event zeek_init() + { + print "a"; +@TEST-END-FILE + +@TEST-START-FILE b.zeek +module B; + +event zeek_init() + { + print "b"; + } +@TEST-END-FILE diff --git a/testing/btest/language/event-local-var.bro b/testing/btest/language/event-local-var.zeek similarity index 94% rename from testing/btest/language/event-local-var.bro rename to testing/btest/language/event-local-var.zeek index d4dd9d19a5..337cd37bac 100644 --- a/testing/btest/language/event-local-var.bro +++ b/testing/btest/language/event-local-var.zeek @@ -7,7 +7,7 @@ event e1(num: count) print fmt("event 1: %s", num); } -event bro_init() +event zeek_init() { # Test assigning a local event variable to an event local v: event(num: count); 
diff --git a/testing/btest/language/event.bro b/testing/btest/language/event.zeek similarity index 89% rename from testing/btest/language/event.bro rename to testing/btest/language/event.zeek index d4eef24731..664bff49ef 100644 --- a/testing/btest/language/event.bro +++ b/testing/btest/language/event.zeek @@ -32,14 +32,14 @@ event e3(test: string) global e5: event(num: count); -event bro_init() +event zeek_init() { # Test calling an event with "event" statement event e1(); # Test calling an event with "schedule" statement - schedule 1 sec { e2("in bro_init") }; - schedule 3 sec { e2("another in bro_init") }; + schedule 1 sec { e2("in zeek_init") }; + schedule 3 sec { e2("another in zeek_init") }; # Test calling an event that has two separate definitions event e3("foo"); diff --git a/testing/btest/language/expire-expr-error.bro b/testing/btest/language/expire-expr-error.zeek similarity index 93% rename from testing/btest/language/expire-expr-error.bro rename to testing/btest/language/expire-expr-error.zeek index 7c9a3aa318..b2ac4d7c55 100644 --- a/testing/btest/language/expire-expr-error.bro +++ b/testing/btest/language/expire-expr-error.zeek @@ -20,7 +20,7 @@ event do_it() } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { data[0] = "some data"; schedule 1sec { do_it() }; diff --git a/testing/btest/language/expire-func-undef.bro b/testing/btest/language/expire-func-undef.zeek similarity index 97% rename from testing/btest/language/expire-func-undef.bro rename to testing/btest/language/expire-func-undef.zeek index eb864d2390..2da735a9be 100644 --- a/testing/btest/language/expire-func-undef.bro +++ b/testing/btest/language/expire-func-undef.zeek @@ -29,7 +29,7 @@ event new_connection(c: connection) } -event bro_done() +event zeek_done() { for (o in distinct_peers) 
diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.zeek similarity index 95% rename from testing/btest/language/expire-redef.bro rename to testing/btest/language/expire-redef.zeek index 5cbb00f313..552e26cce0 100644 --- a/testing/btest/language/expire-redef.bro +++ b/testing/btest/language/expire-redef.zeek @@ -30,7 +30,7 @@ function expired(tbl: table[int] of string, idx: int): interval return 0sec; } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { data[0] = "some data"; schedule 4sec { do_it() }; diff --git a/testing/btest/language/expire-type-error.bro b/testing/btest/language/expire-type-error.zeek similarity index 100% rename from testing/btest/language/expire-type-error.bro rename to testing/btest/language/expire-type-error.zeek diff --git a/testing/btest/language/expire_func.test b/testing/btest/language/expire_func.test index 653a4d9a86..c66a901a4f 100644 --- a/testing/btest/language/expire_func.test +++ b/testing/btest/language/expire_func.test @@ -9,7 +9,7 @@ function inform_me(s: set[string], idx: string): interval global s: set[string] &create_expire=1secs &expire_func=inform_me; -event bro_init() +event zeek_init() { add s["i"]; add s["am"]; diff --git a/testing/btest/language/expire_func_mod.bro b/testing/btest/language/expire_func_mod.zeek similarity index 97% rename from testing/btest/language/expire_func_mod.bro rename to testing/btest/language/expire_func_mod.zeek index 4790a9650e..8b14dad74c 100644 --- a/testing/btest/language/expire_func_mod.bro +++ b/testing/btest/language/expire_func_mod.zeek @@ -33,7 +33,7 @@ function table_expire_func(t: table[string] of count, s: string): interval return 0 secs; } -event bro_init() +event zeek_init() { local s="ashish"; t[s] = 1 ; diff --git a/testing/btest/language/expire_subnet.test b/testing/btest/language/expire_subnet.test index 12d5e56b5a..f0bf388ad0 100644 --- a/testing/btest/language/expire_subnet.test 
+++ b/testing/btest/language/expire_subnet.test @@ -55,7 +55,7 @@ function execute_test() ### Events ### -event bro_init() +event zeek_init() { step = 0; diff --git a/testing/btest/language/file.bro b/testing/btest/language/file.zeek similarity index 93% rename from testing/btest/language/file.bro rename to testing/btest/language/file.zeek index 47430b6813..80d10a4d1f 100644 --- a/testing/btest/language/file.bro +++ b/testing/btest/language/file.zeek @@ -3,7 +3,7 @@ # @TEST-EXEC: btest-diff out2 -event bro_init() +event zeek_init() { local f1: file = open( "out1" ); print f1, 20; diff --git a/testing/btest/language/for.bro b/testing/btest/language/for.zeek similarity index 65% rename from testing/btest/language/for.bro rename to testing/btest/language/for.zeek index eb99a2705d..acf9612927 100644 --- a/testing/btest/language/for.bro +++ b/testing/btest/language/for.zeek @@ -8,12 +8,12 @@ function test_case(msg: string, expect: bool) -event bro_init() +event zeek_init() { local vv: vector of string = vector( "a", "b", "c" ); local ct: count = 0; - # Test a "for" loop without "break" or "next" + # Test a "for" loop without "break" or "next" ct = 0; for ( i in vv ) ++ct; @@ -40,5 +40,18 @@ event bro_init() test_case("Error: this should not happen", F); } test_case("for loop with next", ct == 3 ); -} + # Test keys that are tuples + + local t: table[count, count] of string = table(); + t[1, 2] = "hi"; + + local s1: string = ""; + + for ( [i, j] in t ) + s1 = fmt("%d %d %s", i, j, t[i,j]); + + test_case("keys that are tuples", s1 == "1 2 hi"); + + # Tests for key value for loop are in key-value-for.bro +} diff --git a/testing/btest/language/func-assignment.bro b/testing/btest/language/func-assignment.zeek similarity index 97% rename from testing/btest/language/func-assignment.bro rename to testing/btest/language/func-assignment.zeek index 576d7f3270..724eac38ae 100644 --- a/testing/btest/language/func-assignment.bro +++ b/testing/btest/language/func-assignment.zeek 
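Review bot: The comment appended at the end of zeek_init in for.zeek points at `key-value-for.bro`, but the file this same commit adds is `testing/btest/language/key-value-for.zeek`, so the cross-reference is stale on arrival; change it to `# Tests for key value for loop are in key-value-for.zeek`. The earlier hunk in this file appears to touch the `# Test a "for" loop without "break" or "next"` comment with a whitespace-only change, which could be dropped to keep the rename commit free of incidental edits. The enclosing zeek_init body begins outside the second hunk.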
@@ -16,7 +16,7 @@ type sample_function: record { f: function(str: string): string; }; -event bro_init() +event zeek_init() { local test_sf: sample_function; test_sf$s = "Brogrammers, like bowties, are cool."; diff --git a/testing/btest/language/function.bro b/testing/btest/language/function.zeek similarity index 98% rename from testing/btest/language/function.bro rename to testing/btest/language/function.zeek index ab60c4fa62..db2ac675b0 100644 --- a/testing/btest/language/function.bro +++ b/testing/btest/language/function.zeek @@ -45,7 +45,7 @@ function f7(test: string): bool return F; } -event bro_init() +event zeek_init() { f1(); f2(); diff --git a/testing/btest/language/hook.bro b/testing/btest/language/hook.zeek similarity index 99% rename from testing/btest/language/hook.bro rename to testing/btest/language/hook.zeek index 3edfd9556c..c14e153577 100644 --- a/testing/btest/language/hook.bro +++ b/testing/btest/language/hook.zeek @@ -91,7 +91,7 @@ function printMe(s: string): bool return T; } -event bro_init() +event zeek_init() { print hook myhook([$a=1156, $b="hello world"]); diff --git a/testing/btest/language/hook_calls.bro b/testing/btest/language/hook_calls.zeek similarity index 87% rename from testing/btest/language/hook_calls.bro rename to testing/btest/language/hook_calls.zeek index 41ef6f52ae..d465510a34 100644 --- a/testing/btest/language/hook_calls.bro +++ b/testing/btest/language/hook_calls.zeek @@ -1,11 +1,11 @@ -# @TEST-EXEC: bro -b valid.bro >valid.out +# @TEST-EXEC: bro -b valid.zeek >valid.out # @TEST-EXEC: btest-diff valid.out -# @TEST-EXEC-FAIL: bro -b invalid.bro > invalid.out 2>&1 +# @TEST-EXEC-FAIL: bro -b invalid.zeek > invalid.out 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff invalid.out # hook functions must be called using the "hook" keyword as an operator... -@TEST-START-FILE valid.bro +@TEST-START-FILE valid.zeek hook myhook(i: count) { print "myhook()", i; 
@@ -33,7 +33,7 @@ global t: table[count] of hook(i: count) = { [0] = myhook, }; -event bro_init() +event zeek_init() { hook myhook(3); print hook myhook(3); @@ -59,14 +59,14 @@ event bro_init() @TEST-END-FILE -@TEST-START-FILE invalid.bro +@TEST-START-FILE invalid.zeek hook myhook(i: count) { print "myhook()", i; if ( i == 0 ) break; } -event bro_init() +event zeek_init() { myhook(3); print myhook(3); diff --git a/testing/btest/language/if.bro b/testing/btest/language/if.zeek similarity index 99% rename from testing/btest/language/if.bro rename to testing/btest/language/if.zeek index 785030a012..9f3be4dd1b 100644 --- a/testing/btest/language/if.bro +++ b/testing/btest/language/if.zeek @@ -8,7 +8,7 @@ function test_case(msg: string, expect: bool) -event bro_init() +event zeek_init() { # Test "if" without "else" diff --git a/testing/btest/language/index-assignment-invalid.bro b/testing/btest/language/index-assignment-invalid.zeek similarity index 97% rename from testing/btest/language/index-assignment-invalid.bro rename to testing/btest/language/index-assignment-invalid.zeek index 68458eb149..662b73ff91 100644 --- a/testing/btest/language/index-assignment-invalid.bro +++ b/testing/btest/language/index-assignment-invalid.zeek @@ -27,7 +27,7 @@ function foo(s: string, c: count) bar(c + 42); } -event bro_init() +event zeek_init() { Queue::put(q, "hello"); Queue::put(q, "goodbye"); diff --git a/testing/btest/language/init-in-anon-function.bro b/testing/btest/language/init-in-anon-function.zeek similarity index 96% rename from testing/btest/language/init-in-anon-function.bro rename to testing/btest/language/init-in-anon-function.zeek index 45f5f09f09..4da70dd2f4 100644 --- a/testing/btest/language/init-in-anon-function.bro +++ b/testing/btest/language/init-in-anon-function.zeek @@ -3,7 +3,7 @@ module Foo; -event bro_init() { +event zeek_init() { Log::remove_default_filter(HTTP::LOG); 
diff --git a/testing/btest/language/int.bro b/testing/btest/language/int.zeek similarity index 99% rename from testing/btest/language/int.bro rename to testing/btest/language/int.zeek index f511d82bbb..d4314c8367 100644 --- a/testing/btest/language/int.bro +++ b/testing/btest/language/int.zeek @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local i1: int = 3; local i2: int = +3; diff --git a/testing/btest/language/interval.bro b/testing/btest/language/interval.zeek similarity index 94% rename from testing/btest/language/interval.bro rename to testing/btest/language/interval.zeek index c567d0af02..c8b975e637 100644 --- a/testing/btest/language/interval.bro +++ b/testing/btest/language/interval.zeek @@ -12,7 +12,7 @@ function approx_equal(x: double, y: double): bool return |(x - y)/x| < 1e-6 ? T : F; } -event bro_init() +event zeek_init() { # Constants without space and no letter "s" @@ -70,9 +70,9 @@ event bro_init() test_case( "compare different time units", in13 >= in35 ); test_case( "add different time units", in13 + in14 == 4min ); test_case( "subtract different time units", in24 - in23 == 0sec ); - test_case( "absolute value", |in25| == 2hr ); - test_case( "absolute value", |in36| == 2.5day ); - test_case( "absolute value", |5sec - 9sec| == 4sec ); + test_case( "absolute value", |in25| == 2.0*3600 ); + test_case( "absolute value", |in36| == 2.5*86400 ); + test_case( "absolute value", |5sec - 9sec| == 4.0 ); in34 += 2hr; test_case( "assignment operator", in34 == 122min ); in34 -= 2hr; diff --git a/testing/btest/language/invalid_index.bro b/testing/btest/language/invalid_index.zeek similarity index 86% rename from testing/btest/language/invalid_index.bro rename to testing/btest/language/invalid_index.zeek index 23fdb50d06..399865ba23 100644 --- a/testing/btest/language/invalid_index.bro +++ b/testing/btest/language/invalid_index.zeek 
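Review bot: The three rewritten absolute-value checks in interval.zeek now compare `|in25|`, `|in36|` and `|5sec - 9sec|` against double expressions with `==`, while this file already defines `approx_equal(x: double, y: double)` for precisely that kind of comparison, as the first hunk's context shows. For consistency with the file and to avoid relying on exact floating-point equality, write them as `test_case( "absolute value", approx_equal(|in25|, 2.0*3600) );` and likewise for the other two lines. Nothing in the diff records why the interval literals were replaced by seconds; a one-line comment above the checks such as `# |interval| evaluates to a double in seconds, so compare against seconds` would keep the intent readable. The enclosing zeek_init body starts and ends outside the hunk.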
@@ -4,19 +4,19 @@ global foo: vector of count = { 42 }; global foo2: table[count] of count = { [0] = 13 }; -event bro_init() +event zeek_init() { print "foo[0]", foo[0]; print "foo[1]", foo[1]; } -event bro_init() +event zeek_init() { print "foo2[0]", foo2[0]; print "foo2[1]", foo2[1]; } -event bro_done() +event zeek_done() { print "done"; } diff --git a/testing/btest/language/ipv6-literals.bro b/testing/btest/language/ipv6-literals.zeek similarity index 100% rename from testing/btest/language/ipv6-literals.bro rename to testing/btest/language/ipv6-literals.zeek diff --git a/testing/btest/language/key-value-for.zeek b/testing/btest/language/key-value-for.zeek new file mode 100644 index 0000000000..396c1d0bab --- /dev/null +++ b/testing/btest/language/key-value-for.zeek @@ -0,0 +1,22 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + + +event zeek_init() + { + # Test single keys + + local t: table[count] of string = table(); + t[1] = "hello"; + t[55] = "goodbye"; + for (key, value in t) + print key, value; + + # Test multiple keys + + local tkk: table[string, string] of count = table(); + tkk["hello", "world"] = 1; + tkk["goodbye", "world"] = 55; + for ([k1, k2], val in tkk) + print k1, k2, val; + } diff --git a/testing/btest/language/module.bro b/testing/btest/language/module.zeek similarity index 98% rename from testing/btest/language/module.bro rename to testing/btest/language/module.zeek index 3278697a8d..7f2512741f 100644 --- a/testing/btest/language/module.bro +++ b/testing/btest/language/module.zeek @@ -30,7 +30,7 @@ event testevent(msg: string) # In this source file, we try to access each exported object from the module -event bro_init() +event zeek_init() { thisisatest::test_case( "function", T ); thisisatest::test_case( "global variable", thisisatest::num == 123 ); 
diff --git a/testing/btest/language/named-record-ctors.bro b/testing/btest/language/named-record-ctors.zeek similarity index 100% rename from testing/btest/language/named-record-ctors.bro rename to testing/btest/language/named-record-ctors.zeek diff --git a/testing/btest/language/named-set-ctors.bro b/testing/btest/language/named-set-ctors.zeek similarity index 100% rename from testing/btest/language/named-set-ctors.bro rename to testing/btest/language/named-set-ctors.zeek diff --git a/testing/btest/language/named-table-ctors.bro b/testing/btest/language/named-table-ctors.zeek similarity index 97% rename from testing/btest/language/named-table-ctors.bro rename to testing/btest/language/named-table-ctors.zeek index 1fad56e30f..45d0974832 100644 --- a/testing/btest/language/named-table-ctors.bro +++ b/testing/btest/language/named-table-ctors.zeek @@ -17,7 +17,7 @@ global mytablecomp: FooTableComp = FooTableComp(["test", 1] = "test1", ["cool", 2] = "cool2"); global mytabley: FooTableY = FooTableY(["one"] = 1, ["two"] = 2, ["three"] = 3) &default=0; -event bro_init() +event zeek_init() { print mytable; print mytablerec; diff --git a/testing/btest/language/named-vector-ctors.bro b/testing/btest/language/named-vector-ctors.zeek similarity index 100% rename from testing/btest/language/named-vector-ctors.bro rename to testing/btest/language/named-vector-ctors.zeek diff --git a/testing/btest/language/nested-sets.bro b/testing/btest/language/nested-sets.zeek similarity index 100% rename from testing/btest/language/nested-sets.bro rename to testing/btest/language/nested-sets.zeek diff --git a/testing/btest/language/next-test.bro b/testing/btest/language/next-test.zeek similarity index 97% rename from testing/btest/language/next-test.bro rename to testing/btest/language/next-test.zeek index d46ad187c4..83523dd59b 100644 --- a/testing/btest/language/next-test.bro +++ b/testing/btest/language/next-test.zeek 
@@ -4,7 +4,7 @@ # This script tests "next" being called during the last iteration of a # for loop -event bro_done() +event zeek_done() { local number_set: set[count]; diff --git a/testing/btest/language/no-module.bro b/testing/btest/language/no-module.zeek similarity index 97% rename from testing/btest/language/no-module.bro rename to testing/btest/language/no-module.zeek index fff55d3854..4d1372f10c 100644 --- a/testing/btest/language/no-module.bro +++ b/testing/btest/language/no-module.zeek @@ -23,7 +23,7 @@ event testevent(msg: string) # In this script, we try to access each object defined in the other script -event bro_init() +event zeek_init() { test_case( "function", T ); test_case( "global variable", num == 123 ); diff --git a/testing/btest/language/null-statement.bro b/testing/btest/language/null-statement.zeek similarity index 96% rename from testing/btest/language/null-statement.bro rename to testing/btest/language/null-statement.zeek index 20c70f4876..69861ce96e 100644 --- a/testing/btest/language/null-statement.bro +++ b/testing/btest/language/null-statement.zeek @@ -7,7 +7,7 @@ function f1(test: string) ; # null statement in function } -event bro_init() +event zeek_init() { local s1: set[string] = set( "this", "test" ); diff --git a/testing/btest/language/outer_param_binding.bro b/testing/btest/language/outer_param_binding.zeek similarity index 95% rename from testing/btest/language/outer_param_binding.bro rename to testing/btest/language/outer_param_binding.zeek index fb37fd4712..a197cb87fb 100644 --- a/testing/btest/language/outer_param_binding.bro +++ b/testing/btest/language/outer_param_binding.zeek @@ -21,7 +21,7 @@ function bar(b: string, c: string) print f$x("2"); } -event bro_init() +event zeek_init() { bar("1", "20"); } 
diff --git a/testing/btest/language/pattern.bro b/testing/btest/language/pattern.zeek similarity index 99% rename from testing/btest/language/pattern.bro rename to testing/btest/language/pattern.zeek index e427b70e80..ae9cb15bf7 100644 --- a/testing/btest/language/pattern.bro +++ b/testing/btest/language/pattern.zeek @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local p1: pattern = /foo|bar/; local p2: pattern = /oob/; diff --git a/testing/btest/language/port.bro b/testing/btest/language/port.zeek similarity index 98% rename from testing/btest/language/port.bro rename to testing/btest/language/port.zeek index a9c7fd33e7..81d7704c14 100644 --- a/testing/btest/language/port.bro +++ b/testing/btest/language/port.zeek @@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool) } -event bro_init() +event zeek_init() { local p1: port = 1/icmp; local p2: port = 2/udp; diff --git a/testing/btest/language/precedence.bro b/testing/btest/language/precedence.zeek similarity index 99% rename from testing/btest/language/precedence.bro rename to testing/btest/language/precedence.zeek index 27fc1e024a..9d74c67262 100644 --- a/testing/btest/language/precedence.bro +++ b/testing/btest/language/precedence.zeek @@ -9,7 +9,7 @@ function test_case(msg: string, expect: bool) # This is an incomplete set of tests to demonstrate the order of precedence # of bro script operators -event bro_init() +event zeek_init() { local n1: int; local n2: int; diff --git a/testing/btest/language/raw_output_attr.test b/testing/btest/language/raw_output_attr.test index 8bcd479fbf..3af94dc727 100644 --- a/testing/btest/language/raw_output_attr.test +++ b/testing/btest/language/raw_output_attr.test @@ -8,7 +8,7 @@ # first check local variable of file type w/ &raw_output -event bro_init() +event zeek_init() { local myfile: file; myfile = open("myfile"); 
diff --git a/testing/btest/language/rec-comp-init.bro b/testing/btest/language/rec-comp-init.zeek similarity index 100% rename from testing/btest/language/rec-comp-init.bro rename to testing/btest/language/rec-comp-init.zeek diff --git a/testing/btest/language/rec-nested-opt.bro b/testing/btest/language/rec-nested-opt.zeek similarity index 100% rename from testing/btest/language/rec-nested-opt.bro rename to testing/btest/language/rec-nested-opt.zeek diff --git a/testing/btest/language/rec-of-tbl.bro b/testing/btest/language/rec-of-tbl.zeek similarity index 100% rename from testing/btest/language/rec-of-tbl.bro rename to testing/btest/language/rec-of-tbl.zeek diff --git a/testing/btest/language/rec-table-default.bro b/testing/btest/language/rec-table-default.zeek similarity index 100% rename from testing/btest/language/rec-table-default.bro rename to testing/btest/language/rec-table-default.zeek diff --git a/testing/btest/language/record-bad-ctor.bro b/testing/btest/language/record-bad-ctor.zeek similarity index 100% rename from testing/btest/language/record-bad-ctor.bro rename to testing/btest/language/record-bad-ctor.zeek diff --git a/testing/btest/language/record-bad-ctor2.bro b/testing/btest/language/record-bad-ctor2.zeek similarity index 100% rename from testing/btest/language/record-bad-ctor2.bro rename to testing/btest/language/record-bad-ctor2.zeek diff --git a/testing/btest/language/record-ceorce-orphan.bro b/testing/btest/language/record-ceorce-orphan.zeek similarity index 96% rename from testing/btest/language/record-ceorce-orphan.bro rename to testing/btest/language/record-ceorce-orphan.zeek index 126b99d5ff..d72f447a12 100644 --- a/testing/btest/language/record-ceorce-orphan.bro +++ b/testing/btest/language/record-ceorce-orphan.zeek 
@@ -12,7 +12,7 @@ function myfunc(rec: myrec) print rec; } -event bro_init() +event zeek_init() { # Orhpaned fields in a record coercion reflect a programming error, like a typo, so should # be reported at parse-time to prevent unexpected run-time behavior. diff --git a/testing/btest/language/record-coerce-clash.bro b/testing/btest/language/record-coerce-clash.zeek similarity index 95% rename from testing/btest/language/record-coerce-clash.bro rename to testing/btest/language/record-coerce-clash.zeek index a0bd6f21ad..5dab9ded8a 100644 --- a/testing/btest/language/record-coerce-clash.bro +++ b/testing/btest/language/record-coerce-clash.zeek @@ -7,7 +7,7 @@ type myrec: record { cid: conn_id; }; -event bro_init() +event zeek_init() { local mr: myrec; mr = [$cid = [$orig_h=1.2.3.4,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=wrong]]; diff --git a/testing/btest/language/record-default-coercion.bro b/testing/btest/language/record-default-coercion.zeek similarity index 100% rename from testing/btest/language/record-default-coercion.bro rename to testing/btest/language/record-default-coercion.zeek diff --git a/testing/btest/language/record-default-set-mismatch.bro b/testing/btest/language/record-default-set-mismatch.zeek similarity index 100% rename from testing/btest/language/record-default-set-mismatch.bro rename to testing/btest/language/record-default-set-mismatch.zeek diff --git a/testing/btest/language/record-extension.bro b/testing/btest/language/record-extension.zeek similarity index 100% rename from testing/btest/language/record-extension.bro rename to testing/btest/language/record-extension.zeek diff --git a/testing/btest/language/record-function-recursion.bro b/testing/btest/language/record-function-recursion.zeek similarity index 93% rename from testing/btest/language/record-function-recursion.bro rename to testing/btest/language/record-function-recursion.zeek index 90832bfa69..d6a1587962 100644 --- a/testing/btest/language/record-function-recursion.bro 
+++ b/testing/btest/language/record-function-recursion.zeek @@ -13,7 +13,7 @@ redef record Outer += { inner: Inner &optional; }; -event bro_init() { +event zeek_init() { local o = Outer(); print o; print type_name(o); diff --git a/testing/btest/language/record-index-complex-fields.bro b/testing/btest/language/record-index-complex-fields.zeek similarity index 100% rename from testing/btest/language/record-index-complex-fields.bro rename to testing/btest/language/record-index-complex-fields.zeek diff --git a/testing/btest/language/record-recursive-coercion.bro b/testing/btest/language/record-recursive-coercion.zeek similarity index 97% rename from testing/btest/language/record-recursive-coercion.bro rename to testing/btest/language/record-recursive-coercion.zeek index 0eb24a70d9..4d17c0dee3 100644 --- a/testing/btest/language/record-recursive-coercion.bro +++ b/testing/btest/language/record-recursive-coercion.zeek @@ -32,7 +32,7 @@ function foo_func(fc: FooContainer) print fc; } -event bro_init() +event zeek_init() { for ( sw in matched_software ) print matched_software[sw]$version; diff --git a/testing/btest/language/record-redef-after-init.bro b/testing/btest/language/record-redef-after-init.zeek similarity index 100% rename from testing/btest/language/record-redef-after-init.bro rename to testing/btest/language/record-redef-after-init.zeek diff --git a/testing/btest/language/record-ref-assign.bro b/testing/btest/language/record-ref-assign.zeek similarity index 100% rename from testing/btest/language/record-ref-assign.bro rename to testing/btest/language/record-ref-assign.zeek diff --git a/testing/btest/language/record-type-checking.bro b/testing/btest/language/record-type-checking.zeek similarity index 91% rename from testing/btest/language/record-type-checking.bro rename to testing/btest/language/record-type-checking.zeek index d58937d577..5e50a4d8bc 100644 --- a/testing/btest/language/record-type-checking.bro 
+++ b/testing/btest/language/record-type-checking.zeek @@ -13,7 +13,7 @@ global gren: MyRec = MyRec($a = 1); # type clash in init # global, type deduction, anon ctor global grda = [$a = 2]; # fine -event bro_init() +event zeek_init() { grda = MyRec($a = 2); # type clash in assignment } @@ -22,26 +22,26 @@ event bro_init() global grea: MyRec = [$a = 3]; # type clash # local, type deduction, named ctor -event bro_init() +event zeek_init() { local lrdn = MyRec($a = 1000); # type clash } # local, type explicit, named ctor -event bro_init() +event zeek_init() { local lren: MyRec = MyRec($a = 1001); # type clash } # local, type deduction, anon ctor -event bro_init() +event zeek_init() { local lrda = [$a = 1002]; # fine lrda = MyRec($a = 1002); # type clash } # local, type explicit, anon ctor -event bro_init() +event zeek_init() { local lrea: MyRec = [$a = 1003]; # type clash } diff --git a/testing/btest/language/redef-same-prefixtable-idx.bro b/testing/btest/language/redef-same-prefixtable-idx.zeek similarity index 95% rename from testing/btest/language/redef-same-prefixtable-idx.bro rename to testing/btest/language/redef-same-prefixtable-idx.zeek index 13cf27cc0f..e0e16060f4 100644 --- a/testing/btest/language/redef-same-prefixtable-idx.bro +++ b/testing/btest/language/redef-same-prefixtable-idx.zeek @@ -10,7 +10,7 @@ redef my_table[3.0.0.0/8] = 2.0.0.0/8; # redef my_table += { [3.0.0.0/8] = 1.0.0.0/8 }; # redef my_table += { [3.0.0.0/8] = 2.0.0.0/8 }; -event bro_init() +event zeek_init() { print my_table; print my_table[3.0.0.0/8]; diff --git a/testing/btest/language/redef-vector.bro b/testing/btest/language/redef-vector.zeek similarity index 100% rename from testing/btest/language/redef-vector.bro rename to testing/btest/language/redef-vector.zeek 
diff --git a/testing/btest/language/returnwhen.bro b/testing/btest/language/returnwhen.zeek similarity index 87% rename from testing/btest/language/returnwhen.bro rename to testing/btest/language/returnwhen.zeek index 593841eb7e..c3d5f17661 100644 --- a/testing/btest/language/returnwhen.bro +++ b/testing/btest/language/returnwhen.zeek @@ -58,7 +58,7 @@ event do_another() } } -event bro_init() +event zeek_init() { local local_dummy = dummyfunc; @@ -66,10 +66,10 @@ event bro_init() schedule 1sec { set_flag() }; - when ( local result = async_func("from bro_init()") ) + when ( local result = async_func("from zeek_init()") ) { - print "async_func() return result in bro_init()", result; - print local_dummy("from bro_init() when block"); + print "async_func() return result in zeek_init()", result; + print local_dummy("from zeek_init() when block"); print anon("hi"); if ( result == "timeout" ) terminate(); schedule 10msec { do_another() }; diff --git a/testing/btest/language/set-opt-record-index.bro b/testing/btest/language/set-opt-record-index.zeek similarity index 98% rename from testing/btest/language/set-opt-record-index.bro rename to testing/btest/language/set-opt-record-index.zeek index d42de8b041..f22c144595 100644 --- a/testing/btest/language/set-opt-record-index.bro +++ b/testing/btest/language/set-opt-record-index.zeek @@ -8,7 +8,7 @@ type FOO: record { b: count &optional; }; -event bro_init() +event zeek_init() { local set_of_foo: set[FOO] = set(); diff --git a/testing/btest/language/set-type-checking.bro b/testing/btest/language/set-type-checking.zeek similarity index 91% rename from testing/btest/language/set-type-checking.bro rename to testing/btest/language/set-type-checking.zeek index 3c82a29730..3518b8a02d 100644 --- a/testing/btest/language/set-type-checking.bro +++ b/testing/btest/language/set-type-checking.zeek 
@@ -11,7 +11,7 @@ global gen: MySet = MySet(1); # type clash in init # global, type deduction, anon ctor global gda = set(2); # fine -event bro_init() +event zeek_init() { gda = MySet(2); # type clash in assignment } @@ -20,26 +20,26 @@ event bro_init() global gea: MySet = set(3); # type clash # local, type deduction, named ctor -event bro_init() +event zeek_init() { local ldn = MySet(1000); # type clash } # local, type explicit, named ctor -event bro_init() +event zeek_init() { local len: MySet = MySet(1001); # type clash } # local, type deduction, anon ctor -event bro_init() +event zeek_init() { local lda = set(1002); # fine lda = MySet(1002); # type clash } # local, type explicit, anon ctor -event bro_init() +event zeek_init() { local lea: MySet = set(1003); # type clash } @@ -53,7 +53,7 @@ type MyRecord: record { global set_of_records: set[MyRecord]; -event bro_init() +event zeek_init() { # Set ctor w/ anonymous record ctor should coerce. set_of_records = set([$user="testuser", $host="testhost", $path="testpath"]); diff --git a/testing/btest/language/set.bro b/testing/btest/language/set.zeek similarity index 99% rename from testing/btest/language/set.bro rename to testing/btest/language/set.zeek index 56cd649b49..53cf400795 100644 --- a/testing/btest/language/set.bro +++ b/testing/btest/language/set.zeek @@ -13,7 +13,7 @@ global sg2: set[port, string, bool] = { [10/udp, "curly", F], [11/udp, "braces", T] }; global sg3 = { "more", "curly", "braces" }; -event bro_init() +event zeek_init() { local s1: set[string] = set( "test", "example" ); local s2: set[string] = set(); diff --git a/testing/btest/language/short-circuit.bro b/testing/btest/language/short-circuit.zeek similarity index 98% rename from testing/btest/language/short-circuit.bro rename to testing/btest/language/short-circuit.zeek index 598ac8da35..70928f6441 100644 --- a/testing/btest/language/short-circuit.bro +++ b/testing/btest/language/short-circuit.zeek 
@@ -21,7 +21,7 @@ function f_func(): bool
 }
-event bro_init()
+event zeek_init()
 {
 local res: bool;
diff --git a/testing/btest/language/sizeof.bro b/testing/btest/language/sizeof.zeek
similarity index 100%
rename from testing/btest/language/sizeof.bro
rename to testing/btest/language/sizeof.zeek
diff --git a/testing/btest/language/smith-waterman-test.bro b/testing/btest/language/smith-waterman-test.zeek
similarity index 100%
rename from testing/btest/language/smith-waterman-test.bro
rename to testing/btest/language/smith-waterman-test.zeek
diff --git a/testing/btest/language/string-indexing.bro b/testing/btest/language/string-indexing.zeek
similarity index 100%
rename from testing/btest/language/string-indexing.bro
rename to testing/btest/language/string-indexing.zeek
diff --git a/testing/btest/language/string.bro b/testing/btest/language/string.zeek
similarity index 99%
rename from testing/btest/language/string.bro
rename to testing/btest/language/string.zeek
index abaa556b26..936ac3e493 100644
--- a/testing/btest/language/string.bro
+++ b/testing/btest/language/string.zeek
@@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool)
 }
-event bro_init()
+event zeek_init()
 {
 local s1: string = "a\ty"; # tab
 local s2: string = "a\nb"; # newline
diff --git a/testing/btest/language/strings.bro b/testing/btest/language/strings.zeek
similarity index 98%
rename from testing/btest/language/strings.bro
rename to testing/btest/language/strings.zeek
index f601797978..992fb2c5b3 100644
--- a/testing/btest/language/strings.bro
+++ b/testing/btest/language/strings.zeek
@@ -4,7 +4,7 @@
 # Demo policy for string functions
 #
-event bro_init()
+event zeek_init()
 {
 local s1: string = "broisaveryneatids";
diff --git a/testing/btest/language/subnet-errors.bro b/testing/btest/language/subnet-errors.zeek
similarity index 81%
rename from testing/btest/language/subnet-errors.bro
rename to testing/btest/language/subnet-errors.zeek
index fa98dcec48..499a6fb552 100644
--- a/testing/btest/language/subnet-errors.bro
+++ b/testing/btest/language/subnet-errors.zeek
@@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -b %INPUT >out 2>&1
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
-event bro_init()
+event zeek_init()
 {
 local i = 32;
 print 1.2.3.4/i;
@@ -10,7 +10,7 @@ event bro_init()
 print "init 1";
 }
-event bro_init()
+event zeek_init()
 {
 local i = 128;
 print [::]/i;
@@ -19,7 +19,7 @@ event bro_init()
 print "init 1";
 }
-event bro_init() &priority=-10
+event zeek_init() &priority=-10
 {
 print "init last";
 }
diff --git a/testing/btest/language/subnet.bro b/testing/btest/language/subnet.zeek
similarity index 99%
rename from testing/btest/language/subnet.bro
rename to testing/btest/language/subnet.zeek
index b3b50e085f..32cf11701e 100644
--- a/testing/btest/language/subnet.bro
+++ b/testing/btest/language/subnet.zeek
@@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool)
 }
-event bro_init()
+event zeek_init()
 {
 # IPv4 addr
 local a1: addr = 192.1.2.3;
diff --git a/testing/btest/language/switch-error-mixed.bro b/testing/btest/language/switch-error-mixed.zeek
similarity index 100%
rename from testing/btest/language/switch-error-mixed.bro
rename to testing/btest/language/switch-error-mixed.zeek
diff --git a/testing/btest/language/switch-incomplete.bro b/testing/btest/language/switch-incomplete.zeek
similarity index 92%
rename from testing/btest/language/switch-incomplete.bro
rename to testing/btest/language/switch-incomplete.zeek
index 7ee800b274..dedf529ccb 100644
--- a/testing/btest/language/switch-incomplete.bro
+++ b/testing/btest/language/switch-incomplete.zeek
@@ -1,7 +1,7 @@
 # @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
-event bro_init()
+event zeek_init()
 {
 switch ( 1 ) {
 case 1:
diff --git a/testing/btest/language/switch-statement.bro b/testing/btest/language/switch-statement.zeek
similarity index 99%
rename from testing/btest/language/switch-statement.bro
rename to testing/btest/language/switch-statement.zeek
index 152b14f87d..1035cb4b2e 100644
--- a/testing/btest/language/switch-statement.bro
+++ b/testing/btest/language/switch-statement.zeek
@@ -219,7 +219,7 @@ function test_switch(actual: string, expect: string)
 print fmt("%s != %s", actual, expect);
 }
-event bro_init()
+event zeek_init()
 {
 test_switch( switch_bool(T) , "true" );
 test_switch( switch_bool(F) , "false" );
diff --git a/testing/btest/language/switch-types-error-duplicate.bro b/testing/btest/language/switch-types-error-duplicate.zeek
similarity index 100%
rename from testing/btest/language/switch-types-error-duplicate.bro
rename to testing/btest/language/switch-types-error-duplicate.zeek
diff --git a/testing/btest/language/switch-types-error-unsupported.bro b/testing/btest/language/switch-types-error-unsupported.zeek
similarity index 100%
rename from testing/btest/language/switch-types-error-unsupported.bro
rename to testing/btest/language/switch-types-error-unsupported.zeek
diff --git a/testing/btest/language/switch-types-vars.bro b/testing/btest/language/switch-types-vars.zeek
similarity index 97%
rename from testing/btest/language/switch-types-vars.bro
rename to testing/btest/language/switch-types-vars.zeek
index 1b0ca5591b..3e33e1c17f 100644
--- a/testing/btest/language/switch-types-vars.bro
+++ b/testing/btest/language/switch-types-vars.zeek
@@ -36,7 +36,7 @@ function switch_one(v: any)
 }
 }
-event bro_init()
+event zeek_init()
 {
 switch_one("My StrIng");
 switch_one(42);
diff --git a/testing/btest/language/switch-types.bro b/testing/btest/language/switch-types.zeek
similarity index 97%
rename from testing/btest/language/switch-types.bro
rename to testing/btest/language/switch-types.zeek
index 468ba93922..2ebddea6f0 100644
--- a/testing/btest/language/switch-types.bro
+++ b/testing/btest/language/switch-types.zeek
@@ -30,7 +30,7 @@ function switch_one_no_default(v: any): string
 }
-event bro_init()
+event zeek_init()
 {
 print switch_one("string");
 print switch_one(42);
diff --git a/testing/btest/language/table-default-record.bro b/testing/btest/language/table-default-record.zeek
similarity index 100%
rename from testing/btest/language/table-default-record.bro
rename to testing/btest/language/table-default-record.zeek
diff --git a/testing/btest/language/table-init-attrs.bro b/testing/btest/language/table-init-attrs.zeek
similarity index 99%
rename from testing/btest/language/table-init-attrs.bro
rename to testing/btest/language/table-init-attrs.zeek
index 76d98b9fed..9d3403642a 100644
--- a/testing/btest/language/table-init-attrs.bro
+++ b/testing/btest/language/table-init-attrs.zeek
@@ -51,7 +51,7 @@ global inception_table2: table[count] of table[count] of string = {
 [0] = table([13] = "bar") &default="forty-two",
 } &default=table() &default="we need to go deeper";
-event bro_init()
+event zeek_init()
 {
 print "my_set_ctor_init";
 print my_set_ctor_init;
diff --git a/testing/btest/language/table-init-container-ctors.bro b/testing/btest/language/table-init-container-ctors.zeek
similarity index 100%
rename from testing/btest/language/table-init-container-ctors.bro
rename to testing/btest/language/table-init-container-ctors.zeek
diff --git a/testing/btest/language/table-init-record-idx.bro b/testing/btest/language/table-init-record-idx.zeek
similarity index 100%
rename from testing/btest/language/table-init-record-idx.bro
rename to testing/btest/language/table-init-record-idx.zeek
diff --git a/testing/btest/language/table-init.bro b/testing/btest/language/table-init.zeek
similarity index 95%
rename from testing/btest/language/table-init.bro
rename to testing/btest/language/table-init.zeek
index 7419a50879..cc94589974 100644
--- a/testing/btest/language/table-init.bro
+++ b/testing/btest/language/table-init.zeek
@@ -6,7 +6,7 @@ global global_table: table[count] of string = {
 [2] = "two"
 } &default = "global table default";
-event bro_init()
+event zeek_init()
 {
 local local_table: table[count] of string = {
 [3] = "three",
diff --git a/testing/btest/language/table-redef.bro b/testing/btest/language/table-redef.zeek
similarity index 100%
rename from testing/btest/language/table-redef.bro
rename to testing/btest/language/table-redef.zeek
diff --git a/testing/btest/language/table-type-checking.bro b/testing/btest/language/table-type-checking.zeek
similarity index 92%
rename from testing/btest/language/table-type-checking.bro
rename to testing/btest/language/table-type-checking.zeek
index f579a83d37..639a2d021d 100644
--- a/testing/btest/language/table-type-checking.bro
+++ b/testing/btest/language/table-type-checking.zeek
@@ -12,7 +12,7 @@ global gen: MyTable = MyTable(["one"] = 1); # type clash in init
 # global, type deduction, anon ctor
 global gda = table(["two"] = 2); # fine
 global gda2 = MyTable([2/tcp] = 2); # fine
-event bro_init()
+event zeek_init()
 {
 gda = gda2; # type clash
 }
@@ -21,26 +21,26 @@ event bro_init()
 global gea: MyTable = table(["three"] = 3); # type clash
 # local, type deduction, named ctor
-event bro_init()
+event zeek_init()
 {
 local ldn = MyTable(["thousand"] = 1000); # type clash
 }
 # local, type explicit, named ctor
-event bro_init()
+event zeek_init()
 {
 local len: MyTable = MyTable(["thousand-one"] = 1001); # type clash
 }
 # local, type deduction, anon ctor
-event bro_init()
+event zeek_init()
 {
 local lda = table(["thousand-two"] = 1002); # fine
 lda = MyTable(["thousand-two"] = 1002); # type clash
 }
 # local, type explicit, anon ctor
-event bro_init()
+event zeek_init()
 {
 local lea: MyTable = table(["thousand-three"] = 1003); # type clash
 }
diff --git a/testing/btest/language/table.bro b/testing/btest/language/table.zeek
similarity index 99%
rename from testing/btest/language/table.bro
rename to testing/btest/language/table.zeek
index 3c8e8db280..98f7daa8e3 100644
--- a/testing/btest/language/table.bro
+++ b/testing/btest/language/table.zeek
@@ -10,7 +10,7 @@ function test_case(msg: string, expect: bool)
 # type is not explicitly specified
 global tg1 = { [1] = "type", [2] = "inference", [3] = "test" };
-event bro_init()
+event zeek_init()
 {
 local t1: table[count] of string = table( [5] = "test", [0] = "example" );
 local t2: table[count] of string = table();
diff --git a/testing/btest/language/ternary-record-mismatch.zeek b/testing/btest/language/ternary-record-mismatch.zeek
new file mode 100644
index 0000000000..3c0c4ab95e
--- /dev/null
+++ b/testing/btest/language/ternary-record-mismatch.zeek
@@ -0,0 +1,16 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath" btest-diff out
+
+type MyRecord: record {
+ a: string;
+ b: count;
+ c: bool &default = T;
+};
+
+event zeek_init()
+ {
+ local rec: MyRecord = record($a = "a string", $b = 6);
+ local rec2: MyRecord = (F) ? MyRecord($a = "a string", $b = 6) :
+ record($a = "a different string", $b = 7);
+ rec2$c = F;
+ }
diff --git a/testing/btest/language/time.bro b/testing/btest/language/time.zeek
similarity index 90%
rename from testing/btest/language/time.bro
rename to testing/btest/language/time.zeek
index 3310c3a3f7..e8b71219ca 100644
--- a/testing/btest/language/time.bro
+++ b/testing/btest/language/time.zeek
@@ -7,7 +7,7 @@ function test_case(msg: string, expect: bool)
 }
-event bro_init()
+event zeek_init()
 {
 local t1: time = current_time();
 local t2: time = t1 + 3 sec;
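Review bot: The new ternary-record-mismatch.zeek is an @TEST-EXEC-FAIL test but nothing in the file says which construct is expected to be rejected, so a reader cannot tell whether the intended failure is the ternary mixing a `MyRecord(...)` branch with an anonymous `record(...)` branch, or the later `rec2$c = F`. A one-line comment above `local rec2` stating the expected diagnostic would pin that down, e.g. `# Branches of the ternary have different record types; assigning the result to a MyRecord is expected to fail.` (adjust if the intended error is something else). `local rec` is assigned and never used; if it only exists to show the plain `record(...)` form compiles on its own, say so, otherwise drop it. The quoted `TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath"` also differs from the unquoted form the sibling tests in this diff use; either is fine but the file should follow one convention.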
@@ -27,7 +27,7 @@ event bro_init()
 test_case( "inequality", t1 != t3 );
 test_case( "equality", t1 == t4 );
 test_case( "subtract time", t2 - t1 == 3sec);
- test_case( "size operator", |t5| == t5 );
+ test_case( "size operator", |t5| == 1234567890.0 );
 }
diff --git a/testing/btest/language/timeout.bro b/testing/btest/language/timeout.zeek
similarity index 93%
rename from testing/btest/language/timeout.bro
rename to testing/btest/language/timeout.zeek
index 632ab18b5f..47906b35fb 100644
--- a/testing/btest/language/timeout.bro
+++ b/testing/btest/language/timeout.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: btest-diff out
-event bro_init()
+event zeek_init()
 {
 local h1: addr = 1.2.3.4;
diff --git a/testing/btest/language/type-cast-any.bro b/testing/btest/language/type-cast-any.zeek
similarity index 98%
rename from testing/btest/language/type-cast-any.bro
rename to testing/btest/language/type-cast-any.zeek
index ddd4ea2dbe..ad18a28646 100644
--- a/testing/btest/language/type-cast-any.bro
+++ b/testing/btest/language/type-cast-any.zeek
@@ -27,7 +27,7 @@ function cast_to_X(a: any, b: X)
 print a, P, P is X, fmt("%s==%s => %s", b, P, Cmp);
 }
-event bro_init()
+event zeek_init()
 {
 local x: X;
 x = [$a = 1.2.3.4, $b=1947/tcp];
diff --git a/testing/btest/language/type-cast-error-dynamic.bro b/testing/btest/language/type-cast-error-dynamic.zeek
similarity index 88%
rename from testing/btest/language/type-cast-error-dynamic.bro
rename to testing/btest/language/type-cast-error-dynamic.zeek
index c18548b0c4..21f51bc8d8 100644
--- a/testing/btest/language/type-cast-error-dynamic.bro
+++ b/testing/btest/language/type-cast-error-dynamic.zeek
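Review bot: The time.zeek hunk replaces `|t5| == t5` with a bare literal `|t5| == 1234567890.0`, and the value's relationship to `t5` is not visible here because `t5` is initialised earlier in zeek_init(), outside the hunk. As written the assertion silently depends on two far-apart literals staying equal, so a short comment on the changed line would help the next person who touches either, e.g. `# |t| on a time yields its double value; keep in sync with t5's initialiser above`. This is also a behavioural change to the test rather than part of the bro_init→zeek_init rename, so it may deserve a mention in the commit message if it is not already there.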
@@ -11,19 +11,19 @@ function cast_to_string(a: any)
 print a as string;
 }
-event bro_init()
+event zeek_init()
 {
 cast_to_string(42);
 }
-event bro_init()
+event zeek_init()
 {
 local x: X;
 x = [$a = 1.2.3.4, $b=1947/tcp];
 cast_to_string(x);
 }
-event bro_init()
+event zeek_init()
 {
 print "data is string", Broker::Data() is string;
 cast_to_string(Broker::Data());
diff --git a/testing/btest/language/type-cast-error-static.bro b/testing/btest/language/type-cast-error-static.zeek
similarity index 93%
rename from testing/btest/language/type-cast-error-static.bro
rename to testing/btest/language/type-cast-error-static.zeek
index 3533fef3cb..3d1afbe095 100644
--- a/testing/btest/language/type-cast-error-static.bro
+++ b/testing/btest/language/type-cast-error-static.zeek
@@ -6,7 +6,7 @@ type X: record {
 b: port;
 };
-event bro_init()
+event zeek_init()
 {
 local x: X;
 x = [$a = 1.2.3.4, $b=1947/tcp];
diff --git a/testing/btest/language/type-cast-same.bro b/testing/btest/language/type-cast-same.zeek
similarity index 94%
rename from testing/btest/language/type-cast-same.bro
rename to testing/btest/language/type-cast-same.zeek
index 93c3b633fa..58e98bb0c0 100644
--- a/testing/btest/language/type-cast-same.bro
+++ b/testing/btest/language/type-cast-same.zeek
@@ -6,7 +6,7 @@ type X: record {
 b: port;
 };
-event bro_init()
+event zeek_init()
 {
 local x: X;
 x = [$a = 1.2.3.4, $b=1947/tcp];
diff --git a/testing/btest/language/type-check-any.bro b/testing/btest/language/type-check-any.zeek
similarity index 94%
rename from testing/btest/language/type-check-any.bro
rename to testing/btest/language/type-check-any.zeek
index 5d882c8997..1b681a3420 100644
--- a/testing/btest/language/type-check-any.bro
+++ b/testing/btest/language/type-check-any.zeek
@@ -11,7 +11,7 @@ function check(a: any)
 print a, a is string, a is count, a is X;
 }
-event bro_init()
+event zeek_init()
 {
 local x: X;
 x = [$a = 1.2.3.4, $b=1947/tcp];
diff --git a/testing/btest/language/type-check-vector.bro b/testing/btest/language/type-check-vector.zeek
similarity index 94%
rename from testing/btest/language/type-check-vector.bro
rename to testing/btest/language/type-check-vector.zeek
index 461fb312fb..b92c654fb6 100644
--- a/testing/btest/language/type-check-vector.bro
+++ b/testing/btest/language/type-check-vector.zeek
@@ -9,7 +9,7 @@ function check(a: any)
 print a as myvec;
 }
-event bro_init()
+event zeek_init()
 {
 local v = myvec("one", "two", 3);
 check(v);
diff --git a/testing/btest/language/type-type-error.bro b/testing/btest/language/type-type-error.zeek
similarity index 95%
rename from testing/btest/language/type-type-error.bro
rename to testing/btest/language/type-type-error.zeek
index 047e4b34ef..2f3e3913ef 100644
--- a/testing/btest/language/type-type-error.bro
+++ b/testing/btest/language/type-type-error.zeek
@@ -5,7 +5,7 @@ type r: record {
 a: string;
 };
-event bro_init()
+event zeek_init()
 {
 # This should generate a parse error indicating that the type identifier
 # is incorrectly used in an expression expecting a real value and not
diff --git a/testing/btest/language/undefined-delete-field.bro b/testing/btest/language/undefined-delete-field.zeek
similarity index 93%
rename from testing/btest/language/undefined-delete-field.bro
rename to testing/btest/language/undefined-delete-field.zeek
index 8271f016fe..a45e093527 100644
--- a/testing/btest/language/undefined-delete-field.bro
+++ b/testing/btest/language/undefined-delete-field.zeek
@@ -7,7 +7,7 @@ type MyRecordType: record
 b: count;
 };
-event bro_init()
+event zeek_init()
 {
 local x = MyRecordType($a=1, $b=2);
diff --git a/testing/btest/language/uninitialized-local.bro b/testing/btest/language/uninitialized-local.zeek
similarity index 96%
rename from testing/btest/language/uninitialized-local.bro
rename to testing/btest/language/uninitialized-local.zeek
index ae486ebf1f..ec4a6e61de 100644
--- a/testing/btest/language/uninitialized-local.bro
+++ b/testing/btest/language/uninitialized-local.zeek
@@ -16,7 +16,7 @@ event testit()
 my_vector[0] = my_string;
 }
-event bro_init()
+event zeek_init()
 {
 event testit();
 }
diff --git a/testing/btest/language/uninitialized-local2.bro b/testing/btest/language/uninitialized-local2.zeek
similarity index 95%
rename from testing/btest/language/uninitialized-local2.bro
rename to testing/btest/language/uninitialized-local2.zeek
index f11a5fda10..ed4045a1a3 100644
--- a/testing/btest/language/uninitialized-local2.bro
+++ b/testing/btest/language/uninitialized-local2.zeek
@@ -19,7 +19,7 @@ event test()
 print "var_b is", var_b;
 }
-event bro_init()
+event zeek_init()
 {
 event test();
 }
diff --git a/testing/btest/language/vector-any-append.bro b/testing/btest/language/vector-any-append.zeek
similarity index 93%
rename from testing/btest/language/vector-any-append.bro
rename to testing/btest/language/vector-any-append.zeek
index 816627fbf1..d501af6b15 100644
--- a/testing/btest/language/vector-any-append.bro
+++ b/testing/btest/language/vector-any-append.zeek
@@ -11,7 +11,7 @@ function append(v: vector of any)
 v += |v|;
 }
-event bro_init()
+event zeek_init()
 {
 local v: vector of count;
 assign(v);
diff --git a/testing/btest/language/vector-coerce-expr.bro b/testing/btest/language/vector-coerce-expr.zeek
similarity index 100%
rename from testing/btest/language/vector-coerce-expr.bro
rename to testing/btest/language/vector-coerce-expr.zeek
diff --git a/testing/btest/language/vector-in-operator.bro b/testing/btest/language/vector-in-operator.zeek
similarity index 100%
rename from testing/btest/language/vector-in-operator.bro
rename to testing/btest/language/vector-in-operator.zeek
diff --git a/testing/btest/language/vector-list-init-records.bro b/testing/btest/language/vector-list-init-records.zeek
similarity index 100%
rename from testing/btest/language/vector-list-init-records.bro
rename to testing/btest/language/vector-list-init-records.zeek
diff --git a/testing/btest/language/vector-type-checking.bro b/testing/btest/language/vector-type-checking.zeek
similarity index 91%
rename from testing/btest/language/vector-type-checking.bro
rename to testing/btest/language/vector-type-checking.zeek
index b4c75118d1..c0003503a4 100644
--- a/testing/btest/language/vector-type-checking.bro
+++ b/testing/btest/language/vector-type-checking.zeek
@@ -12,7 +12,7 @@ global gen: MyVec = MyVec("one"); # type clash in init
 # global, type deduction, anon ctor
 global gda = vector("two"); # fine
 global gda2 = MyVec(2); # fine
-event bro_init()
+event zeek_init()
 {
 gda = gda2; # type clash
 }
@@ -21,26 +21,26 @@ event bro_init()
 global gea: MyVec = vector("three"); # type clash
 # local, type deduction, named ctor
-event bro_init()
+event zeek_init()
 {
 local ldn = MyVec("thousand"); # type clash
 }
 # local, type explicit, named ctor
-event bro_init()
+event zeek_init()
 {
 local len: MyVec = MyVec("thousand-one"); # type clash
 }
 # local, type deduction, anon ctor
-event bro_init()
+event zeek_init()
 {
 local lda = vector("thousand-two"); # fine
 lda = MyVec("thousand-two"); # type clash
 }
 # local, type explicit, anon ctor
-event bro_init()
+event zeek_init()
 {
 local lea: MyVec = vector("thousand-three"); # type clash
 }
diff --git a/testing/btest/language/vector-unspecified.bro b/testing/btest/language/vector-unspecified.zeek
similarity index 100%
rename from testing/btest/language/vector-unspecified.bro
rename to testing/btest/language/vector-unspecified.zeek
diff --git a/testing/btest/language/vector.bro b/testing/btest/language/vector.zeek
similarity index 99%
rename from testing/btest/language/vector.bro
rename to testing/btest/language/vector.zeek
index 0eafd6c60c..36ff7c0267 100644
--- a/testing/btest/language/vector.bro
+++ b/testing/btest/language/vector.zeek
@@ -10,7 +10,7 @@ function test_case(msg: string, expect: bool)
 # Note: only global vectors can be initialized with curly braces
 global vg1: vector of string = { "curly", "braces" };
-event bro_init()
+event zeek_init()
 {
 local v1: vector of string = vector( "test", "example" );
 local v2: vector of string = vector();
diff --git a/testing/btest/language/when-unitialized-rhs.bro b/testing/btest/language/when-unitialized-rhs.zeek
similarity index 97%
rename from testing/btest/language/when-unitialized-rhs.bro
rename to testing/btest/language/when-unitialized-rhs.zeek
index 21b94c6e02..196834c2ae 100644
--- a/testing/btest/language/when-unitialized-rhs.bro
+++ b/testing/btest/language/when-unitialized-rhs.zeek
@@ -4,7 +4,7 @@ global crashMe: function(): string;
 global x: int;
-event bro_init()
+event zeek_init()
 {
 when( local result = crashMe() )
 {
diff --git a/testing/btest/language/when.bro b/testing/btest/language/when.zeek
similarity index 96%
rename from testing/btest/language/when.bro
rename to testing/btest/language/when.zeek
index a2bad6a620..36914ce993 100644
--- a/testing/btest/language/when.bro
+++ b/testing/btest/language/when.zeek
@@ -5,7 +5,7 @@
 redef exit_only_after_terminate = T;
-event bro_init()
+event zeek_init()
 {
 local h: addr = 127.0.0.1;
diff --git a/testing/btest/language/while.bro b/testing/btest/language/while.zeek
similarity index 97%
rename from testing/btest/language/while.bro
rename to testing/btest/language/while.zeek
index 6828b00b41..d6588589f7 100644
--- a/testing/btest/language/while.bro
+++ b/testing/btest/language/while.zeek
@@ -67,7 +67,7 @@ function test_return(): vector of string
 return rval;
 }
-event bro_init()
+event zeek_init()
 {
 test_noop();
 test_it();
diff --git a/testing/btest/language/wrong-delete-field.bro b/testing/btest/language/wrong-delete-field.zeek
similarity index 100%
rename from testing/btest/language/wrong-delete-field.bro
rename to testing/btest/language/wrong-delete-field.zeek
diff --git a/testing/btest/language/wrong-record-extension.bro b/testing/btest/language/wrong-record-extension.zeek
similarity index 100%
rename from testing/btest/language/wrong-record-extension.bro
rename to testing/btest/language/wrong-record-extension.zeek
diff --git a/testing/btest/language/zeek_init.zeek b/testing/btest/language/zeek_init.zeek
new file mode 100644
index 0000000000..27f82d626c
--- /dev/null
+++ b/testing/btest/language/zeek_init.zeek
@@ -0,0 +1,44 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+
+event zeek_init() &priority=10
+ {
+ print "zeek_init at priority 10!";
+ }
+
+event bro_init() &priority=5
+ {
+ print "bro_init at priority 5!";
+ }
+
+event zeek_init() &priority=0
+ {
+ print "zeek_init at priority 0!";
+ }
+
+event bro_init() &priority=-10
+ {
+ print "bro_init at priority -10!";
+ }
+
+
+event zeek_done() &priority=10
+ {
+ print "zeek_done at priority 10!";
+ }
+
+event bro_done() &priority=5
+ {
+ print "bro_done at priority 5!";
+ }
+
+event zeek_done() &priority=0
+ {
+ print "zeek_done at priority 0!";
+ }
+
+event bro_done() &priority=-10
+ {
+ print "bro_done at priority -10!";
+ }
diff --git a/testing/btest/language/zeek_script_loaded.zeek b/testing/btest/language/zeek_script_loaded.zeek
new file mode 100644
index 0000000000..41f43409e6
--- /dev/null
+++ b/testing/btest/language/zeek_script_loaded.zeek
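Review bot: The new zeek_init.zeek only captures stdout (`bro -b %INPUT >out`) and diffs `out`, so if the legacy bro_init/bro_done handlers are meant to produce a deprecation diagnostic on stderr, this test never checks that it appears; the same applies to the zeek_script_loaded.zeek file added in the next hunk. Adding `# @TEST-EXEC: btest-diff .stderr` (or `2>&1` on the run line, if the message text is stable enough to baseline) would pin that behaviour alongside the ordering. A one-line header comment would also help, since the interleaved priorities are the whole point of the test, e.g. `# Legacy bro_* and new zeek_* handlers must all fire, ordered by &priority across both names.`.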
@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_script_loaded(path: string, level: count) &priority=10
+ {
+ if ( /zeek_script_loaded.zeek/ in path )
+ print "zeek_script_loaded priority 10";
+ }
+
+event bro_script_loaded(path: string, level: count) &priority=5
+ {
+ if ( /zeek_script_loaded.zeek/ in path )
+ print "bro_script_loaded priority 5";
+ }
+
+event zeek_script_loaded(path: string, level: count) &priority=0
+ {
+ if ( /zeek_script_loaded.zeek/ in path )
+ print "zeek_script_loaded priority 0";
+ }
+
+event bro_script_loaded(path: string, level: count) &priority=-10
+ {
+ if ( /zeek_script_loaded.zeek/ in path )
+ print "bro_script_loaded priority -10";
+ }
diff --git a/testing/btest/plugins/bifs-and-scripts-install.sh b/testing/btest/plugins/bifs-and-scripts-install.sh
index 60c754f8ff..f3a60d20b7 100644
--- a/testing/btest/plugins/bifs-and-scripts-install.sh
+++ b/testing/btest/plugins/bifs-and-scripts-install.sh
@@ -4,29 +4,29 @@ # @TEST-EXEC: make # @TEST-EXEC: make install # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd`/test-install bro -NN Demo::Foo >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd`/test-install bro demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd`/test-install bro Demo/Foo -r $TRACES/empty.trace >>output # @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output -mkdir -p scripts/demo/foo/base/ +mkdir -p scripts/Demo/Foo/base/ -cat >scripts/__load__.bro <scripts/__load__.zeek <scripts/demo/foo/__load__.bro <scripts/Demo/Foo/__load__.zeek <scripts/demo/foo/manually.bro <scripts/Demo/Foo/manually.zeek <scripts/demo/foo/base/at-startup.bro <scripts/Demo/Foo/base/at-startup.zeek <activate.bro <activate.zeek <>output # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -r $TRACES/empty.trace >>output # @TEST-EXEC: echo === >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro Demo/Foo -r $TRACES/empty.trace >>output # @TEST-EXEC: echo =-= >>output # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b -r $TRACES/empty.trace >>output # @TEST-EXEC: echo =-= >>output -# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -b demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -b Demo/Foo -r $TRACES/empty.trace >>output # @TEST-EXEC: echo === >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b ./activate.bro -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b ./activate.zeek -r $TRACES/empty.trace >>output # @TEST-EXEC: echo === >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b ./activate.bro demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b ./activate.zeek Demo/Foo -r $TRACES/empty.trace >>output # @TEST-EXEC: echo === >>output -# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b Demo::Foo demo/foo -r $TRACES/empty.trace >>output +# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -b Demo::Foo Demo/Foo -r $TRACES/empty.trace >>output # 
@TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output -mkdir -p scripts/demo/foo/base/ +mkdir -p scripts/Demo/Foo/base/ -cat >scripts/__load__.bro <scripts/__load__.zeek <scripts/demo/foo/__load__.bro <scripts/Demo/Foo/__load__.zeek <scripts/demo/foo/manually.bro <scripts/Demo/Foo/manually.zeek <scripts/demo/foo/base/at-startup.bro <scripts/Demo/Foo/base/at-startup.zeek <activate.bro <activate.zeek <out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out redef test_print_file_data_events = T; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.zeek similarity index 96% rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.zeek index cba82bbfab..8b61eb45d3 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.zeek @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT 2>&1 # @TEST-EXEC: btest-diff .stdout -event bro_init() +event zeek_init() { print "This should fail but not crash"; print Files::lookup_file("asdf"); diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.zeek similarity index 90% rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.bro rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.zeek index 9b6d11ce0d..df4573e418 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/register_mime_type.zeek 
@@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT
 # @TEST-EXEC: btest-diff files.log
-event bro_init()
+event zeek_init()
 {
 Files::register_for_mime_type(Files::ANALYZER_MD5, "text/plain");
 };
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.zeek
similarity index 94%
rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro
rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.zeek
index a3704618bd..2c6f0a3d07 100644
--- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro
+++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.zeek
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out
+# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >get.out
 # @TEST-EXEC: btest-diff get.out
 redef test_file_analysis_source = "HTTP";
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.zeek
similarity index 92%
rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.bro
rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.zeek
index c9eac4c31d..c44b1ec66b 100644
--- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.bro
+++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.zeek
@@ -1,4 +1,4 @@
-# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT
+# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.zeek %INPUT
 # @TEST-EXEC: btest-bg-wait 8
 # @TEST-EXEC: btest-diff bro/.stdout
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.zeek
similarity index 86%
rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro
rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.zeek
index dd40c69684..cfd2e0c67b 100644
--- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro
+++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.zeek
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out
+# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >get.out
 # @TEST-EXEC: btest-diff get.out
 # @TEST-EXEC: test ! -s Cx92a0ym5R8-file
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro b/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro
rename to testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.zeek
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro b/testing/btest/scripts/base/frameworks/file-analysis/byteranges.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/file-analysis/byteranges.bro
rename to testing/btest/scripts/base/frameworks/file-analysis/byteranges.zeek
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/ftp.bro b/testing/btest/scripts/base/frameworks/file-analysis/ftp.zeek
similarity index 91%
rename from testing/btest/scripts/base/frameworks/file-analysis/ftp.bro
rename to testing/btest/scripts/base/frameworks/file-analysis/ftp.zeek
index 2c2da188fe..a25fde74e5 100644
--- a/testing/btest/scripts/base/frameworks/file-analysis/ftp.bro
+++ b/testing/btest/scripts/base/frameworks/file-analysis/ftp.zeek
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff thefile diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/get.zeek similarity index 84% rename from testing/btest/scripts/base/frameworks/file-analysis/http/get.bro rename to testing/btest/scripts/base/frameworks/file-analysis/http/get.zeek index f7f4a0395b..d90e08e08b 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/get.zeek @@ -1,5 +1,5 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT c=1 >get.out -# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT c=2 >get-gzip.out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT c=1 >get.out +# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.zeek %INPUT c=2 >get-gzip.out # @TEST-EXEC: btest-diff get.out # @TEST-EXEC: btest-diff get-gzip.out # @TEST-EXEC: btest-diff 1-file diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.zeek similarity index 92% rename from testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro rename to testing/btest/scripts/base/frameworks/file-analysis/http/multipart.zeek index 57fe2348c2..400b787b52 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.zeek 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/multipart.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/http/multipart.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff 1-file # @TEST-EXEC: btest-diff 2-file diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.zeek similarity index 87% rename from testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro rename to testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.zeek index 93443f0ca8..bb5ef7f800 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.zeek @@ -1,14 +1,14 @@ -# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.bro %INPUT >a.out +# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >a.out # @TEST-EXEC: btest-diff a.out # @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >a.size # @TEST-EXEC: btest-diff a.size -# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT >b.out +# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >b.out # @TEST-EXEC: btest-diff b.out # @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >b.size # @TEST-EXEC: btest-diff b.size -# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.bro %INPUT >c.out +# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >c.out # @TEST-EXEC: btest-diff c.out # @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >c.size # @TEST-EXEC: btest-diff c.size 
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.zeek similarity index 90% rename from testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro rename to testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.zeek index 36743a8bad..cdd69b84a9 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff 1-file # @TEST-EXEC: btest-diff 2-file diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/post.zeek similarity index 92% rename from testing/btest/scripts/base/frameworks/file-analysis/http/post.bro rename to testing/btest/scripts/base/frameworks/file-analysis/http/post.zeek index 79ac1cb5c1..75efb27781 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/post.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff 1-file # @TEST-EXEC: btest-diff 2-file 
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.zeek similarity index 96% rename from testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro rename to testing/btest/scripts/base/frameworks/file-analysis/input/basic.zeek index 053341c840..9bafa0ca1e 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: btest-bg-run bro bro -b $SCRIPTS/file-analysis-test.bro %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b $SCRIPTS/file-analysis-test.zeek %INPUT # @TEST-EXEC: btest-bg-wait 8 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: diff -q bro/FK8WqY1Q9U1rVxnDge-file input.log @@ -18,7 +18,7 @@ redef test_get_file_name = function(f: fa_file): string T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 @TEST-END-FILE -event bro_init() +event zeek_init() { local source: string = "../input.log"; Input::add_analysis([$source=source, $reader=Input::READER_BINARY, diff --git a/testing/btest/scripts/base/frameworks/file-analysis/irc.bro b/testing/btest/scripts/base/frameworks/file-analysis/irc.zeek similarity index 92% rename from testing/btest/scripts/base/frameworks/file-analysis/irc.bro rename to testing/btest/scripts/base/frameworks/file-analysis/irc.zeek index 9fd8e06613..a1fd1e36d5 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/irc.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/irc.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff thefile 
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/logging.bro b/testing/btest/scripts/base/frameworks/file-analysis/logging.zeek similarity index 92% rename from testing/btest/scripts/base/frameworks/file-analysis/logging.bro rename to testing/btest/scripts/base/frameworks/file-analysis/logging.zeek index 1d1f5fd721..597f8a26bb 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/logging.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/logging.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT # @TEST-EXEC: btest-diff files.log redef test_file_analysis_source = "HTTP"; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/smtp.bro b/testing/btest/scripts/base/frameworks/file-analysis/smtp.zeek similarity index 95% rename from testing/btest/scripts/base/frameworks/file-analysis/smtp.bro rename to testing/btest/scripts/base/frameworks/file-analysis/smtp.zeek index 79b929c4cd..9edec8abc1 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/smtp.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/smtp.zeek @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/smtp.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: bro -r $TRACES/smtp.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff thefile0 # @TEST-EXEC: btest-diff thefile1 diff --git a/testing/btest/scripts/base/frameworks/input/basic.bro b/testing/btest/scripts/base/frameworks/input/basic.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/basic.bro rename to testing/btest/scripts/base/frameworks/input/basic.zeek index 356b87d70b..02c3b4ff79 100644 --- a/testing/btest/scripts/base/frameworks/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/basic.zeek 
@@ -47,7 +47,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/bignumber.bro b/testing/btest/scripts/base/frameworks/input/bignumber.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/bignumber.bro rename to testing/btest/scripts/base/frameworks/input/bignumber.zeek index 15d711b1c4..b5b9d3fcae 100644 --- a/testing/btest/scripts/base/frameworks/input/bignumber.bro +++ b/testing/btest/scripts/base/frameworks/input/bignumber.zeek @@ -26,7 +26,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/binary.bro b/testing/btest/scripts/base/frameworks/input/binary.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/binary.bro rename to testing/btest/scripts/base/frameworks/input/binary.zeek index 11701fbd8a..072db53e11 100644 --- a/testing/btest/scripts/base/frameworks/input/binary.bro +++ b/testing/btest/scripts/base/frameworks/input/binary.zeek @@ -45,7 +45,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, a: string, b } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/config/basic.bro b/testing/btest/scripts/base/frameworks/input/config/basic.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/config/basic.bro rename to testing/btest/scripts/base/frameworks/input/config/basic.zeek index c8d68fc822..a0a7df017f 100644 --- a/testing/btest/scripts/base/frameworks/input/config/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/config/basic.zeek 
@@ -67,7 +67,7 @@ event Input::end_of_data(name: string, source:string) terminate(); } -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); diff --git a/testing/btest/scripts/base/frameworks/input/config/errors.bro b/testing/btest/scripts/base/frameworks/input/config/errors.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/config/errors.bro rename to testing/btest/scripts/base/frameworks/input/config/errors.zeek index 4f398956dc..262b4ff36d 100644 --- a/testing/btest/scripts/base/frameworks/input/config/errors.bro +++ b/testing/btest/scripts/base/frameworks/input/config/errors.zeek @@ -58,7 +58,7 @@ event Input::end_of_data(name: string, source:string) terminate(); } -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); diff --git a/testing/btest/scripts/base/frameworks/input/config/spaces.bro b/testing/btest/scripts/base/frameworks/input/config/spaces.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/config/spaces.bro rename to testing/btest/scripts/base/frameworks/input/config/spaces.zeek index 90afa20b13..00bc64888e 100644 --- a/testing/btest/scripts/base/frameworks/input/config/spaces.bro +++ b/testing/btest/scripts/base/frameworks/input/config/spaces.zeek @@ -51,7 +51,7 @@ event Input::end_of_data(name: string, source:string) terminate(); } -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); 
diff --git a/testing/btest/scripts/base/frameworks/input/default.bro b/testing/btest/scripts/base/frameworks/input/default.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/default.bro rename to testing/btest/scripts/base/frameworks/input/default.zeek index c5b0e2f967..3c9880696d 100644 --- a/testing/btest/scripts/base/frameworks/input/default.bro +++ b/testing/btest/scripts/base/frameworks/input/default.zeek @@ -33,7 +33,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, val: Val) print outfile, val; } -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_event([$source="../input.log", $name="input", $fields=Val, $ev=line, $want_record=T]); diff --git a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro rename to testing/btest/scripts/base/frameworks/input/empty-values-hashing.zeek index b46c299c2c..b43044b963 100644 --- a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro +++ b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.zeek @@ -52,7 +52,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print outfile, right; } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/scripts/base/frameworks/input/emptyvals.bro b/testing/btest/scripts/base/frameworks/input/emptyvals.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/emptyvals.bro rename to testing/btest/scripts/base/frameworks/input/emptyvals.zeek index 57e79dd977..6e45f56e8d 100644 --- a/testing/btest/scripts/base/frameworks/input/emptyvals.bro +++ b/testing/btest/scripts/base/frameworks/input/emptyvals.zeek 
@@ -29,7 +29,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/errors.bro b/testing/btest/scripts/base/frameworks/input/errors.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/errors.bro rename to testing/btest/scripts/base/frameworks/input/errors.zeek index 0d0376694a..296c43f450 100644 --- a/testing/btest/scripts/base/frameworks/input/errors.bro +++ b/testing/btest/scripts/base/frameworks/input/errors.zeek @@ -148,7 +148,7 @@ event kill_me() terminate(); } -event bro_init() +event zeek_init() { outfile = open("out"); Input::add_event([$source="input.log", $name="file", $fields=FileVal, $ev=line_file, $want_record=T]); diff --git a/testing/btest/scripts/base/frameworks/input/event.bro b/testing/btest/scripts/base/frameworks/input/event.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/event.bro rename to testing/btest/scripts/base/frameworks/input/event.zeek index 6b6a391939..1ac4e38af5 100644 --- a/testing/btest/scripts/base/frameworks/input/event.bro +++ b/testing/btest/scripts/base/frameworks/input/event.zeek @@ -35,7 +35,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, i: int, b: b print outfile, b; } -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_event([$source="../input.log", $name="input", $fields=Val, $ev=line, $want_record=F]); diff --git a/testing/btest/scripts/base/frameworks/input/invalid-lines.bro b/testing/btest/scripts/base/frameworks/input/invalid-lines.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/invalid-lines.bro rename to testing/btest/scripts/base/frameworks/input/invalid-lines.zeek index 83be1efd09..2a2e2b1e63 100644 --- a/testing/btest/scripts/base/frameworks/input/invalid-lines.bro 
+++ b/testing/btest/scripts/base/frameworks/input/invalid-lines.zeek @@ -50,7 +50,7 @@ type Val: record { global servers: table[int] of Val = table(); global servers2: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro b/testing/btest/scripts/base/frameworks/input/invalidnumbers.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/invalidnumbers.bro rename to testing/btest/scripts/base/frameworks/input/invalidnumbers.zeek index f2fefaa5d0..4acaa63ee6 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidnumbers.zeek @@ -30,7 +30,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/invalidset.bro b/testing/btest/scripts/base/frameworks/input/invalidset.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/invalidset.bro rename to testing/btest/scripts/base/frameworks/input/invalidset.zeek index 932060424e..d1ca5e3262 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidset.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidset.zeek @@ -45,7 +45,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, v: Val) print outfile, "Event", v; } -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... 
diff --git a/testing/btest/scripts/base/frameworks/input/invalidtext.bro b/testing/btest/scripts/base/frameworks/input/invalidtext.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/invalidtext.bro rename to testing/btest/scripts/base/frameworks/input/invalidtext.zeek index 3f5b590dec..3a30da30c8 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidtext.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidtext.zeek @@ -46,7 +46,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, v: Val) print outfile, "Event", v; } -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/missing-enum.bro b/testing/btest/scripts/base/frameworks/input/missing-enum.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/missing-enum.bro rename to testing/btest/scripts/base/frameworks/input/missing-enum.zeek index 0d37aae453..abdc608447 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-enum.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-enum.zeek @@ -22,7 +22,7 @@ type Val: record { global etable: table[int] of Log::ID = table(); -event bro_init() +event zeek_init() { # first read in the old stuff into the table... Input::add_table([$source="../input.log", $name="enum", $idx=Idx, $val=Val, $destination=etable, $want_record=F]); diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/missing-file-initially.bro rename to testing/btest/scripts/base/frameworks/input/missing-file-initially.zeek index 7c9f51994c..0fed78d120 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro 
+++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.zeek @@ -50,7 +50,7 @@ event line2(description: Input::EventDescription, tpe: Input::Event, v: Val) } -event bro_init() +event zeek_init() { Input::add_event([$source="../does-not-exist.dat", $name="input", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line, $want_record=T]); Input::add_event([$source="../does-not-exist.dat", $name="inputstream", $reader=Input::READER_ASCII, $mode=Input::STREAM, $fields=Val, $ev=line, $want_record=T]); diff --git a/testing/btest/scripts/base/frameworks/input/missing-file.bro b/testing/btest/scripts/base/frameworks/input/missing-file.zeek similarity index 96% rename from testing/btest/scripts/base/frameworks/input/missing-file.bro rename to testing/btest/scripts/base/frameworks/input/missing-file.zeek index 2ec3bb937f..90fbeb175e 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file.zeek @@ -19,7 +19,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, i: int, b: b { } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro rename to testing/btest/scripts/base/frameworks/input/onecolumn-norecord.zeek index c38c4efd85..723227a1c3 100644 --- a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro +++ b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.zeek @@ -28,7 +28,7 @@ type Val: record { global servers: table[int] of bool = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, $want_record=F]); 
diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-record.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/onecolumn-record.bro rename to testing/btest/scripts/base/frameworks/input/onecolumn-record.zeek index 3ee82983ff..33da194d84 100644 --- a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro +++ b/testing/btest/scripts/base/frameworks/input/onecolumn-record.zeek @@ -28,7 +28,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$name="input", $source="../input.log", $idx=Idx, $val=Val, $destination=servers]); diff --git a/testing/btest/scripts/base/frameworks/input/optional.bro b/testing/btest/scripts/base/frameworks/input/optional.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/optional.bro rename to testing/btest/scripts/base/frameworks/input/optional.zeek index 56c261999d..9b9d569ffe 100644 --- a/testing/btest/scripts/base/frameworks/input/optional.bro +++ b/testing/btest/scripts/base/frameworks/input/optional.zeek @@ -35,7 +35,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.zeek b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.zeek new file mode 100644 index 0000000000..784be4ca06 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-prefix.zeek 
@@ -0,0 +1,54 @@ +# These tests set the InputAscii::path_prefix / InputBinary::path_prefix +# variables to verify that an absolute path prefix gets added correctly +# to relative/path-less input sources. +# +# @TEST-EXEC: cat %INPUT | sed "s|@path_prefix@|$PWD/subdir|" >input.bro +# @TEST-EXEC: mkdir -p subdir +# +# Note, in the following we'd ideally use %DIR to express the +# additional path, but there's currently a problem in btest with using +# %DIR after TEST-START-NEXT. +# +# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/input/path-prefix bro -b input.bro >output +# @TEST-EXEC: btest-diff output + +@TEST-START-FILE subdir/input.data +#fields ip tag +127.0.3.1 just +127.0.3.2 some +127.0.3.3 value +@TEST-END-FILE + +@load path-prefix-common-table.zeek +redef InputAscii::path_prefix = "@path_prefix@"; + +event zeek_init() + { + Input::add_table([$source="input.data", $name="input", $idx=Idx, $val=Val, + $destination=destination, $want_record=F]); + } + +# @TEST-START-NEXT +# +# The same test, but using event streams for input. + +@load path-prefix-common-event.zeek +redef InputAscii::path_prefix = "@path_prefix@"; + +event zeek_init() + { + Input::add_event([$source="input.data", $name="input", + $fields=Val, $ev=inputev]); + } + +# @TEST-START-NEXT +# +# The same test again, but using file analysis w/ binary readers. + +@load path-prefix-common-analysis.zeek +redef InputBinary::path_prefix = "@path_prefix@"; + +event zeek_init() + { + Input::add_analysis([$source="input.data", $name="input"]); + } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.zeek b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.zeek new file mode 100644 index 0000000000..747c3d46dd --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/absolute-source.zeek 
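Review bot: The generated script in absolute-prefix.zeek is written to `input.bro` and run as `bro -b input.bro` in the @TEST-EXEC lines, while this same commit renames every other test script to `.zeek`; `>input.zeek` and `bro -b input.zeek` would keep the new file consistent with the rename. The `cat %INPUT | sed "s|@path_prefix@|$PWD/subdir|"` line also interpolates the unescaped working directory into a sed replacement, so a checkout path containing `|`, `&` or a backslash would break or corrupt the substitution rather than fail clearly; the `cat` is redundant as well (`sed "…" <%INPUT >input.zeek` reads the file directly). The same pattern appears in absolute-source.zeek in the next hunk, which should get the same treatment.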
@@ -0,0 +1,48 @@ +# These tests set the InputAscii::path_prefix / InputBinary::path_prefix +# variables to verify that setting these prefixes has no effect when +# an input file uses an absolute-path source. +# +# @TEST-EXEC: cat %INPUT | sed "s|@path_prefix@|$PWD|" >input.bro +# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/input/path-prefix bro -b input.bro >output +# @TEST-EXEC: btest-diff output + +@TEST-START-FILE input.data +#fields ip tag +127.0.4.1 just +127.0.4.2 some +127.0.4.3 value +@TEST-END-FILE + +@load path-prefix-common-table.zeek +redef InputAscii::path_prefix = "/this/does/not/exist"; + +event zeek_init() + { + Input::add_table([$source="@path_prefix@/input.data", $name="input", $idx=Idx, $val=Val, + $destination=destination, $want_record=F]); + } + +# @TEST-START-NEXT +# +# The same test, but using event streams for input. + +@load path-prefix-common-event.zeek +redef InputAscii::path_prefix = "/this/does/not/exist"; + +event zeek_init() + { + Input::add_event([$source="@path_prefix@/input.data", $name="input", + $fields=Val, $ev=inputev]); + } + +# @TEST-START-NEXT +# +# The same test again, but using file analysis w/ binary readers. + +@load path-prefix-common-analysis.zeek +redef InputBinary::path_prefix = "/this/does/not/exist"; + +event zeek_init() + { + Input::add_analysis([$source="@path_prefix@/input.data", $name="input"]); + } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.zeek b/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.zeek new file mode 100644 index 0000000000..02a6e7e104 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/no-paths.zeek 
@@ -0,0 +1,43 @@ +# These tests verify that when setting neither InputAscii::path_prefix +# nor InputBinary::path_prefix, Zeek correctly locates local input files. +# +# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/input/path-prefix bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +@TEST-START-FILE input.data +#fields ip tag +127.0.0.1 just +127.0.0.2 some +127.0.0.3 value +@TEST-END-FILE + +@load path-prefix-common-table.zeek + +event zeek_init() + { + Input::add_table([$source="input.data", $name="input", $idx=Idx, $val=Val, + $destination=destination, $want_record=F]); + } + +# @TEST-START-NEXT +# +# The same test, but using event streams for input. + +@load path-prefix-common-event.zeek + +event zeek_init() + { + Input::add_event([$source="input.data", $name="input", + $fields=Val, $ev=inputev]); + } + +# @TEST-START-NEXT +# +# The same test again, but using file analysis w/ binary readers. + +@load path-prefix-common-analysis.zeek + +event zeek_init() + { + Input::add_analysis([$source="input.data", $name="input"]); + } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.zeek b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.zeek new file mode 100644 index 0000000000..9e57c9e6ba --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-analysis.zeek @@ -0,0 +1,16 @@ +# @TEST-IGNORE +# +# This file contains code used by the file analysis path-prefix tests. + +redef exit_only_after_terminate = T; + +event file_new(f: fa_file) + { + Files::add_analyzer(f, Files::ANALYZER_MD5); + } + +event file_hash(f: fa_file, kind: string, hash: string) + { + print "file_hash", kind, hash; + terminate(); + } 
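Review bot: In path-prefix-common-analysis.zeek the only exit path is the `terminate()` inside `file_hash`, and `exit_only_after_terminate` is redefined to T, so if the binary reader fails to locate `input.data` the test hangs until the harness times out instead of producing a diff failure. The table and event helpers in this commit terminate from `Input::end_of_data`; if that event also fires for analysis streams, adding `event Input::end_of_data(name: string, source: string) { terminate(); }` here would make a missing file fail fast, otherwise some bounded fallback is worth considering. A short comment stating that termination is expected to come from `file_hash` after the MD5 analyzer reports would also help the next reader.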
diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.zeek b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.zeek new file mode 100644 index 0000000000..e023f5f24b --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-event.zeek @@ -0,0 +1,21 @@ +# @TEST-IGNORE +# +# This file contains code used by the event-driven path-prefix tests. + +redef exit_only_after_terminate = T; + +type Val: record { + ip: addr; + tag: string; +}; + +event inputev(description: Input::EventDescription, + t: Input::Event, data: Val) + { + print data; + } + +event Input::end_of_data(name: string, source: string) + { + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.zeek b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.zeek new file mode 100644 index 0000000000..836b746202 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/path-prefix-common-table.zeek @@ -0,0 +1,21 @@ +# @TEST-IGNORE +# +# This file contains code used by the table-driven path-prefix tests. + +redef exit_only_after_terminate = T; + +type Idx: record { + ip: addr; +}; + +type Val: record { + tag: string; +}; + +global destination: table[addr] of string = table(); + +event Input::end_of_data(name: string, source: string) + { + print destination; + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.zeek b/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.zeek new file mode 100644 index 0000000000..2f24131b6f --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/path-prefix/relative-prefix.zeek 
@@ -0,0 +1,48 @@ +# This test sets the InputAscii::path_prefix / InputBinary::path_prefix +# variables to verify that a relative path prefix applies correctly +# from the current working directory. +# +# @TEST-EXEC: mkdir -p alternative +# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/input/path-prefix bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +@TEST-START-FILE alternative/input.data +#fields ip tag +127.0.1.1 just +127.0.1.2 some +127.0.1.3 value +@TEST-END-FILE + +@load path-prefix-common-table.zeek +redef InputAscii::path_prefix = "alternative"; + +event zeek_init() + { + Input::add_table([$source="input.data", $name="input", $idx=Idx, $val=Val, + $destination=destination, $want_record=F]); + } + +# @TEST-START-NEXT +# +# The same test, but using event streams for input. + +@load path-prefix-common-event.zeek +redef InputAscii::path_prefix = "alternative"; + +event zeek_init() + { + Input::add_event([$source="input.data", $name="input", + $fields=Val, $ev=inputev]); + } + +# @TEST-START-NEXT +# +# The same test again, but using file analysis w/ binary readers. + +@load path-prefix-common-analysis.zeek +redef InputBinary::path_prefix = "alternative"; + +event zeek_init() + { + Input::add_analysis([$source="input.data", $name="input"]); + } diff --git a/testing/btest/scripts/base/frameworks/input/port-embedded.bro b/testing/btest/scripts/base/frameworks/input/port-embedded.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/port-embedded.bro rename to testing/btest/scripts/base/frameworks/input/port-embedded.zeek index 8aab733069..32feb47c34 100644 --- a/testing/btest/scripts/base/frameworks/input/port-embedded.bro +++ b/testing/btest/scripts/base/frameworks/input/port-embedded.zeek 
@@ -32,7 +32,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print left, right; } -event bro_init() +event zeek_init() { Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $ev=line, $destination=servers]); } diff --git a/testing/btest/scripts/base/frameworks/input/port.bro b/testing/btest/scripts/base/frameworks/input/port.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/port.bro rename to testing/btest/scripts/base/frameworks/input/port.zeek index 48571c5ecd..d0bb823b74 100644 --- a/testing/btest/scripts/base/frameworks/input/port.bro +++ b/testing/btest/scripts/base/frameworks/input/port.zeek @@ -27,7 +27,7 @@ type Val: record { global servers: table[addr] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=servers]); diff --git a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro b/testing/btest/scripts/base/frameworks/input/predicate-stream.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/predicate-stream.bro rename to testing/btest/scripts/base/frameworks/input/predicate-stream.zeek index aac44fb8ee..f8e7f8fdf3 100644 --- a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro +++ b/testing/btest/scripts/base/frameworks/input/predicate-stream.zeek @@ -64,7 +64,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r terminate(); } -event bro_init() +event zeek_init() { outfile = open("../out"); ct = 0; diff --git a/testing/btest/scripts/base/frameworks/input/predicate.bro b/testing/btest/scripts/base/frameworks/input/predicate.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/predicate.bro rename to testing/btest/scripts/base/frameworks/input/predicate.zeek index 9946e72211..171e1d42de 100644 
--- a/testing/btest/scripts/base/frameworks/input/predicate.bro +++ b/testing/btest/scripts/base/frameworks/input/predicate.zeek @@ -34,7 +34,7 @@ type Val: record { global servers: table[int] of bool = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro b/testing/btest/scripts/base/frameworks/input/predicatemodify.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/predicatemodify.bro rename to testing/btest/scripts/base/frameworks/input/predicatemodify.zeek index 13ed38d6ba..80e8c6aac8 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodify.zeek @@ -31,7 +31,7 @@ type Val: record { global servers: table[int, string] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro rename to testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.zeek index 2c6b58ff2d..53708b4fdd 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.zeek @@ -75,7 +75,7 @@ global servers: table[int, string] of Val = table(); global outfile: file; global try: count; -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); 
diff --git a/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro b/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro rename to testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.zeek index ae756431cd..6d4147ad06 100644 --- a/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro +++ b/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.zeek @@ -35,7 +35,7 @@ type Val: record { global servers: table[addr] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/raw/basic.bro b/testing/btest/scripts/base/frameworks/input/raw/basic.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/raw/basic.bro rename to testing/btest/scripts/base/frameworks/input/raw/basic.zeek index 377e34aca7..cb9e0269ea 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/basic.zeek @@ -38,7 +38,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/raw/execute.bro b/testing/btest/scripts/base/frameworks/input/raw/execute.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/raw/execute.bro rename to testing/btest/scripts/base/frameworks/input/raw/execute.zeek index 783b974c0f..018b62d75b 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/execute.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/execute.zeek 
@@ -32,7 +32,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) terminate(); } -event bro_init() +event zeek_init() { outfile = open("../out.tmp"); Input::add_event([$source="wc -l ../input.log |", $reader=Input::READER_RAW, $name="input", $fields=Val, $ev=line, $want_record=F]); diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro b/testing/btest/scripts/base/frameworks/input/raw/executestdin.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/raw/executestdin.bro rename to testing/btest/scripts/base/frameworks/input/raw/executestdin.zeek index b78dd4e0e3..1c24c3ab8a 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/executestdin.zeek @@ -72,7 +72,7 @@ function more_input(name_prefix: string) $config=config_strings]); } -event bro_init() +event zeek_init() { outfile = open("../out"); ++total_processes; diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro b/testing/btest/scripts/base/frameworks/input/raw/executestream.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/raw/executestream.bro rename to testing/btest/scripts/base/frameworks/input/raw/executestream.zeek index 240761ee03..ded6588269 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/executestream.zeek @@ -56,7 +56,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/scripts/base/frameworks/input/raw/long.bro b/testing/btest/scripts/base/frameworks/input/raw/long.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/raw/long.bro rename to testing/btest/scripts/base/frameworks/input/raw/long.zeek index 266021ae28..40f84c8597 100644 
--- a/testing/btest/scripts/base/frameworks/input/raw/long.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/long.zeek @@ -29,7 +29,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/raw/offset.bro b/testing/btest/scripts/base/frameworks/input/raw/offset.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/raw/offset.bro rename to testing/btest/scripts/base/frameworks/input/raw/offset.zeek index f37fb9c28a..0fdb6d65e9 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/offset.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/offset.zeek @@ -33,7 +33,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro b/testing/btest/scripts/base/frameworks/input/raw/rereadraw.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro rename to testing/btest/scripts/base/frameworks/input/raw/rereadraw.zeek index f3dfb11ea5..ae977b4b2d 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/rereadraw.zeek @@ -38,7 +38,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro b/testing/btest/scripts/base/frameworks/input/raw/stderr.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/raw/stderr.bro rename to testing/btest/scripts/base/frameworks/input/raw/stderr.zeek index 8ff4cc7f1b..b62b135e43 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro 
+++ b/testing/btest/scripts/base/frameworks/input/raw/stderr.zeek @@ -54,7 +54,7 @@ event InputRaw::process_finished(name: string, source:string, exit_code:count, s terminate(); } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["read_stderr"] = "1" diff --git a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro b/testing/btest/scripts/base/frameworks/input/raw/streamraw.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/raw/streamraw.bro rename to testing/btest/scripts/base/frameworks/input/raw/streamraw.zeek index 331db7eeb8..923428717f 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/streamraw.zeek @@ -56,7 +56,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) } } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/scripts/base/frameworks/input/repeat.bro b/testing/btest/scripts/base/frameworks/input/repeat.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/repeat.bro rename to testing/btest/scripts/base/frameworks/input/repeat.zeek index 5093e30351..86245ef9f0 100644 --- a/testing/btest/scripts/base/frameworks/input/repeat.bro +++ b/testing/btest/scripts/base/frameworks/input/repeat.zeek @@ -31,7 +31,7 @@ global destination: table[int] of bool = table(); const one_to_32: vector of count = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32}; -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/reread.bro rename to testing/btest/scripts/base/frameworks/input/reread.zeek index 53cb2a91a8..e34ae0a5ae 100644 
--- a/testing/btest/scripts/base/frameworks/input/reread.bro +++ b/testing/btest/scripts/base/frameworks/input/reread.zeek @@ -103,7 +103,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print outfile, right; } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/scripts/base/frameworks/input/set.bro b/testing/btest/scripts/base/frameworks/input/set.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/set.bro rename to testing/btest/scripts/base/frameworks/input/set.zeek index d79e9ae17a..52c0b8feef 100644 --- a/testing/btest/scripts/base/frameworks/input/set.bro +++ b/testing/btest/scripts/base/frameworks/input/set.zeek @@ -27,7 +27,7 @@ type Idx: record { global servers: set[addr] = set(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/setseparator.bro b/testing/btest/scripts/base/frameworks/input/setseparator.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/input/setseparator.bro rename to testing/btest/scripts/base/frameworks/input/setseparator.zeek index 39a785236a..3e052c4b44 100644 --- a/testing/btest/scripts/base/frameworks/input/setseparator.bro +++ b/testing/btest/scripts/base/frameworks/input/setseparator.zeek @@ -27,7 +27,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/setspecialcases.bro b/testing/btest/scripts/base/frameworks/input/setspecialcases.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/setspecialcases.bro rename to testing/btest/scripts/base/frameworks/input/setspecialcases.zeek index 40a708f772..801a3229c5 100644 
--- a/testing/btest/scripts/base/frameworks/input/setspecialcases.bro +++ b/testing/btest/scripts/base/frameworks/input/setspecialcases.zeek @@ -31,7 +31,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro b/testing/btest/scripts/base/frameworks/input/sqlite/basic.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/sqlite/basic.bro rename to testing/btest/scripts/base/frameworks/input/sqlite/basic.zeek index eb1411970b..fdb946e02c 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/sqlite/basic.zeek @@ -86,7 +86,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, r: Conn::Inf print outfile, |r$tunnel_parents|; # to make sure I got empty right } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["query"] = "select * from conn;", diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/error.bro b/testing/btest/scripts/base/frameworks/input/sqlite/error.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/sqlite/error.bro rename to testing/btest/scripts/base/frameworks/input/sqlite/error.zeek index 08938e6df5..7a46160dc0 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/error.bro +++ b/testing/btest/scripts/base/frameworks/input/sqlite/error.zeek @@ -79,7 +79,7 @@ event term_me() terminate(); } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["query"] = "select * from ssh;", 
diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/port.bro b/testing/btest/scripts/base/frameworks/input/sqlite/port.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/sqlite/port.bro rename to testing/btest/scripts/base/frameworks/input/sqlite/port.zeek index 6fc18139fe..ddf4a844bb 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/port.bro +++ b/testing/btest/scripts/base/frameworks/input/sqlite/port.zeek @@ -35,7 +35,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, p: port) print outfile, p; } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["query"] = "select port as p, proto from port;", diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/types.bro b/testing/btest/scripts/base/frameworks/input/sqlite/types.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/sqlite/types.bro rename to testing/btest/scripts/base/frameworks/input/sqlite/types.zeek index 42f8717c12..894db886b5 100644 --- a/testing/btest/scripts/base/frameworks/input/sqlite/types.bro +++ b/testing/btest/scripts/base/frameworks/input/sqlite/types.zeek @@ -73,7 +73,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, p: SSH::Log) print outfile, |p$vs|; } -event bro_init() +event zeek_init() { local config_strings: table[string] of string = { ["query"] = "select * from ssh;", diff --git a/testing/btest/scripts/base/frameworks/input/stream.bro b/testing/btest/scripts/base/frameworks/input/stream.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/stream.bro rename to testing/btest/scripts/base/frameworks/input/stream.zeek index 8ed498f074..20f1b682fa 100644 --- a/testing/btest/scripts/base/frameworks/input/stream.bro +++ b/testing/btest/scripts/base/frameworks/input/stream.zeek 
@@ -80,7 +80,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r } } -event bro_init() +event zeek_init() { outfile = open("../out"); try = 0; diff --git a/testing/btest/scripts/base/frameworks/input/subrecord-event.bro b/testing/btest/scripts/base/frameworks/input/subrecord-event.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/subrecord-event.bro rename to testing/btest/scripts/base/frameworks/input/subrecord-event.zeek index ec1cc37efc..fdcef27d68 100644 --- a/testing/btest/scripts/base/frameworks/input/subrecord-event.bro +++ b/testing/btest/scripts/base/frameworks/input/subrecord-event.zeek @@ -64,7 +64,7 @@ event line(description: Input::EventDescription, tpe: Input::Event, value: Val) } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/subrecord.bro b/testing/btest/scripts/base/frameworks/input/subrecord.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/subrecord.bro rename to testing/btest/scripts/base/frameworks/input/subrecord.zeek index 0f960c6d3c..797768a7a7 100644 --- a/testing/btest/scripts/base/frameworks/input/subrecord.bro +++ b/testing/btest/scripts/base/frameworks/input/subrecord.zeek @@ -51,7 +51,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/tableevent.bro b/testing/btest/scripts/base/frameworks/input/tableevent.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/tableevent.bro rename to testing/btest/scripts/base/frameworks/input/tableevent.zeek index 760b19d24f..370265508d 100644 --- a/testing/btest/scripts/base/frameworks/input/tableevent.bro +++ b/testing/btest/scripts/base/frameworks/input/tableevent.zeek 
@@ -47,7 +47,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r } } -event bro_init() +event zeek_init() { try = 0; outfile = open("../out"); diff --git a/testing/btest/scripts/base/frameworks/input/twotables.bro b/testing/btest/scripts/base/frameworks/input/twotables.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/input/twotables.bro rename to testing/btest/scripts/base/frameworks/input/twotables.zeek index 5b6d833da3..12d5394a54 100644 --- a/testing/btest/scripts/base/frameworks/input/twotables.bro +++ b/testing/btest/scripts/base/frameworks/input/twotables.zeek @@ -81,7 +81,7 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r # print event_out, right; } -event bro_init() +event zeek_init() { event_out = open ("../event.out"); pred1_out = open ("../pred1.out"); diff --git a/testing/btest/scripts/base/frameworks/input/unsupported_types.bro b/testing/btest/scripts/base/frameworks/input/unsupported_types.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/unsupported_types.bro rename to testing/btest/scripts/base/frameworks/input/unsupported_types.zeek index beedc0a633..3090cf10c9 100644 --- a/testing/btest/scripts/base/frameworks/input/unsupported_types.bro +++ b/testing/btest/scripts/base/frameworks/input/unsupported_types.zeek @@ -45,7 +45,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/input/windows.bro b/testing/btest/scripts/base/frameworks/input/windows.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/input/windows.bro rename to testing/btest/scripts/base/frameworks/input/windows.zeek index 275f5e0713..8addf0c6ad 100644 --- a/testing/btest/scripts/base/frameworks/input/windows.bro 
+++ b/testing/btest/scripts/base/frameworks/input/windows.zeek @@ -7,11 +7,11 @@ redef exit_only_after_terminate = T; @TEST-START-FILE input.log -#separator \x09 -#path ssh -#fields b i e c p sn a d t iv s sc ss se vc ve ns -#types bool int enum count port subnet addr double time interval string table table table vector vector string -T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 +#separator \x09 +#path ssh +#fields b i e c p sn a d t iv s sc ss se vc ve ns +#types bool int enum count port subnet addr double time interval string table table table vector vector string +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 @TEST-END-FILE @load base/protocols/ssh @@ -47,7 +47,7 @@ type Val: record { global servers: table[int] of Val = table(); -event bro_init() +event zeek_init() { outfile = open("../out"); # first read in the old stuff into the table... diff --git a/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro b/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro rename to testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.zeek index b81cac9bac..98fc45c29d 100644 --- a/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro +++ b/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.zeek 
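Review bot: In the `@@ -7,11 +7,11 @@` hunk of windows.zeek the five removed and five added lines of the embedded `input.log` block are textually identical, so the only change is whitespace or line endings. Given the test's name and the `#separator \x09` header, if this test exists to exercise CRLF (or tab) handling in the ASCII reader, normalising those bytes as part of the rename would silently remove what the test checks while the baseline still passes. Worth confirming with `git diff --ignore-space-at-eol` or `cat -A` that the intended bytes survive, and if they matter, guarding them with a comment above the block such as `# Line endings in this block are part of the test; do not normalise.`.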
@@ -13,7 +13,7 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-2/.stdout # @TEST-EXEC: btest-diff manager-1/intel.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro b/testing/btest/scripts/base/frameworks/intel/cluster-transparency.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro rename to testing/btest/scripts/base/frameworks/intel/cluster-transparency.zeek index 5362886cd7..ecec5a0831 100644 --- a/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro +++ b/testing/btest/scripts/base/frameworks/intel/cluster-transparency.zeek @@ -11,7 +11,7 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-2/.stdout # @TEST-EXEC: btest-diff manager-1/intel.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/intel/expire-item.bro b/testing/btest/scripts/base/frameworks/intel/expire-item.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/intel/expire-item.bro rename to testing/btest/scripts/base/frameworks/intel/expire-item.zeek index 08d80714bc..a3a45cd1c0 100644 --- a/testing/btest/scripts/base/frameworks/intel/expire-item.bro +++ b/testing/btest/scripts/base/frameworks/intel/expire-item.zeek 
@@ -61,7 +61,7 @@ hook Intel::item_expired(indicator: string, indicator_type: Intel::Type, print fmt("Expired: %s", indicator); } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { schedule 1.5sec { do_it() }; } diff --git a/testing/btest/scripts/base/frameworks/intel/filter-item.zeek b/testing/btest/scripts/base/frameworks/intel/filter-item.zeek new file mode 100644 index 0000000000..81353ce7fc --- /dev/null +++ b/testing/btest/scripts/base/frameworks/intel/filter-item.zeek @@ -0,0 +1,43 @@ + +# @TEST-EXEC: btest-bg-run broproc bro %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff broproc/intel.log + +@TEST-START-FILE intel.dat +#fields indicator indicator_type meta.source meta.desc meta.url +1.2.3.42 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1234 +10.0.0.1 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1234 +@TEST-END-FILE + +redef exit_only_after_terminate = T; +redef Site::local_nets += { 10.0.0.0/8 }; +redef Intel::read_files += { "../intel.dat" }; +redef enum Intel::Where += { SOMEWHERE }; + +hook Intel::filter_item(item: Intel::Item) + { + if ( item$indicator_type == Intel::ADDR && + Site::is_local_addr(to_addr(item$indicator)) ) + break; + } + +event do_it() + { + Intel::seen([$host=10.0.0.1, + $where=SOMEWHERE]); + Intel::seen([$host=1.2.3.42, + $where=SOMEWHERE]); + } + +global log_lines = 0; +event Intel::log_intel(rec: Intel::Info) + { + ++log_lines; + if ( log_lines == 1 ) + terminate(); + } + +event zeek_init() &priority=-10 + { + schedule 1sec { do_it() }; + } diff --git a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro b/testing/btest/scripts/base/frameworks/intel/input-and-match.zeek similarity index 96% rename from testing/btest/scripts/base/frameworks/intel/input-and-match.bro rename to testing/btest/scripts/base/frameworks/intel/input-and-match.zeek index 8f74117201..bea8abfd88 100644 
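Review bot: The `Intel::filter_item` hook in the new filter-item.zeek carries no comment on the expected outcome: 10.0.0.1 lies inside the `Site::local_nets` redef and is dropped, so only 1.2.3.42 should reach the store and intel.log, which is why `log_lines == 1` is the termination condition. Because `terminate()` fires on the first log line, a non-functional filter is caught only through the baseline diff (10.0.0.1 is reported first by `do_it()`), so that reasoning deserves to be written down, e.g. `# 10.0.0.1 is local and must be filtered out; only 1.2.3.42 is expected to log.` above the hook. The file also opens with a stray blank added line before the first `@TEST-EXEC`.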
--- a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro +++ b/testing/btest/scripts/base/frameworks/intel/input-and-match.zeek @@ -32,7 +32,7 @@ event Intel::log_intel(rec: Intel::Info) terminate(); } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { schedule 1sec { do_it() }; } diff --git a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro b/testing/btest/scripts/base/frameworks/intel/match-subnet.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/intel/match-subnet.bro rename to testing/btest/scripts/base/frameworks/intel/match-subnet.zeek index 8e3fe74116..9c46dd7c93 100644 --- a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro +++ b/testing/btest/scripts/base/frameworks/intel/match-subnet.zeek @@ -29,7 +29,7 @@ event do_it() $where=SOMEWHERE]); } -event bro_init() &priority=-10 +event zeek_init() &priority=-10 { schedule 1sec { do_it() }; } diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.zeek b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.zeek new file mode 100644 index 0000000000..e637ebb3c5 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-absolute-prefixes.zeek 
@@ -0,0 +1,23 @@
+# This test verifies that an absolute Intel::path_prefix overrides any
+# set for the Input framework. We still want the Intel framework to
+# "break out" of any file system location specified for the input
+# framework, e.g. when their paths live side-by-side (/foo/bar/input,
+# /foo/bar/intel).
+#
+# @TEST-EXEC: mkdir -p intel
+# @TEST-EXEC: cat %INPUT | sed "s|@path_prefix@|$PWD/intel|" >input.bro
+# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/intel/path-prefix bro -b input.bro >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE intel/test.data
+#fields indicator indicator_type meta.source
+127.0.2.1 Intel::ADDR this btest
+127.0.2.2 Intel::ADDR this btest
+127.0.2.3 Intel::ADDR this btest
+@TEST-END-FILE
+
+@load path-prefix-common.zeek
+
+redef Intel::read_files += { "test.data" };
+redef InputAscii::path_prefix = "/this/does/not/exist";
+redef Intel::path_prefix = "@path_prefix@";
diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.zeek b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.zeek
new file mode 100644
index 0000000000..1e7050aee9
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-intel-relative-prefixes.zeek
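Review bot: `cat %INPUT | sed "s|@path_prefix@|$PWD/intel|" >input.bro` produces a `.bro` script in the same commit that renames every test to `.zeek`; `sed "s|@path_prefix@|$PWD/intel|" %INPUT >input.zeek` with `bro -b input.zeek` on the following line keeps the naming consistent and drops the useless cat. Note also that `$PWD` is substituted unescaped into the sed replacement, so a checkout path containing `|`, `&` or `\` would corrupt the generated script; unlikely under btest, but worth a comment such as `# assumes the test directory path contains no sed-special characters (| & \)`.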
@@ -0,0 +1,20 @@
+# This test verifies that combining Input::path_prefix and
+# Intel::path_prefix works as intended: the intel path gets
+# prepended first, then the input framework one.
+#
+# @TEST-EXEC: mkdir -p input/intel
+# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/intel/path-prefix bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE input/intel/test.data
+#fields indicator indicator_type meta.source
+127.0.1.1 Intel::ADDR this btest
+127.0.1.2 Intel::ADDR this btest
+127.0.1.3 Intel::ADDR this btest
+@TEST-END-FILE
+
+@load path-prefix-common.zeek
+
+redef Intel::read_files += { "test.data" };
+redef InputAscii::path_prefix = "input";
+redef Intel::path_prefix = "intel";
diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.zeek b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.zeek
new file mode 100644
index 0000000000..2e602752f1
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/input-prefix.zeek
@@ -0,0 +1,20 @@
+# This test verifies that specifying an Input::path_prefix
+# also affects the Intel framework since it relies on the
+# former for loading data. (Note that this also tests the
+# Input::REREAD ingestion mode.)
+#
+# @TEST-EXEC: mkdir -p alternative
+# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/intel/path-prefix bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE alternative/test.data
+#fields indicator indicator_type meta.source
+127.0.0.1 Intel::ADDR this btest
+127.0.0.2 Intel::ADDR this btest
+127.0.0.3 Intel::ADDR this btest
+@TEST-END-FILE
+
+@load path-prefix-common.zeek
+
+redef Intel::read_files += { "test.data" };
+redef InputAscii::path_prefix = "alternative";
diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.zeek b/testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.zeek
new file mode 100644
index 0000000000..7d02a0ac6a
--- /dev/null
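Review bot: The header comment of input-prefix.zeek claims the test "also tests the Input::REREAD ingestion mode", yet nothing in the file selects a reader mode; the mode presumably comes from how the intel framework registers `Intel::read_files` streams, which a reader cannot see here. Make the indirection explicit so the claim does not look stale when the test is edited: `# (The intel framework registers read_files in Input::REREAD mode, so that path is exercised as well.)`.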
+++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/no-paths.zeek
@@ -0,0 +1,16 @@
+# This test verifies that when setting neither InputAscii::path_prefix
+# nor Intel::path_prefix, Zeek correctly locates local intel files.
+#
+# @TEST-EXEC: BROPATH=$BROPATH:$TEST_BASE/scripts/base/frameworks/intel/path-prefix bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@TEST-START-FILE test.data
+#fields indicator indicator_type meta.source
+127.0.0.1 Intel::ADDR this btest
+127.0.0.2 Intel::ADDR this btest
+127.0.0.3 Intel::ADDR this btest
+@TEST-END-FILE
+
+@load path-prefix-common.zeek
+
+redef Intel::read_files += { "test.data" };
diff --git a/testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.zeek b/testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.zeek
new file mode 100644
index 0000000000..75e67b8a7c
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/path-prefix/path-prefix-common.zeek
@@ -0,0 +1,19 @@
+# @TEST-IGNORE
+#
+# This file contains code used by the intel framework path-prefix tests.
+
+@load base/frameworks/intel
+
+redef exit_only_after_terminate = T;
+
+module Intel;
+
+event Intel::new_item(item: Intel::Item)
+ {
+ print fmt("%s %s", item$indicator, item$indicator_type);
+ }
+
+event Input::end_of_data(name: string, source: string)
+ {
+ terminate();
+ }
diff --git a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.zeek
similarity index 97%
rename from testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro
rename to testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.zeek
index a4becfb2b3..0914ece60d 100644
--- a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.zeek
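Review bot: `module Intel;` in the new path-prefix-common.zeek has no visible effect, because every identifier that follows it (`Intel::new_item`, `Intel::Item`, `Input::end_of_data`) is already fully qualified, and a module switch inside a helper that several tests `@load` is easy to trip over later. Either drop the line or state why it is there, e.g. `# module Intel; -- kept so unqualified Intel names can be used below`, if that is the intent. The helper is also loaded by four tests that differ only in their prefix redefs, so a one-line note that it prints every new item and terminates on `Input::end_of_data` would help readers of those tests.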
@@ -11,7 +11,7 @@
 # @TEST-EXEC: btest-diff worker-1/.stdout
 # @TEST-EXEC: btest-diff worker-2/.stdout
-@TEST-START-FILE cluster-layout.bro
+@TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
 ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
 ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"],
@@ -45,7 +45,7 @@ event do_it()
 Intel::seen([$indicator="e@mail.com", $indicator_type=Intel::EMAIL, $where=Intel::IN_A_TEST]);
 }
-event bro_init()
+event zeek_init()
 {
 # Delay the workers searching for hits briefly to allow for the data distribution
 # mechanism to distribute the data to the workers.
diff --git a/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro b/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro
rename to testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek
index 5241231e1f..16ec0df4a4 100644
--- a/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek
@@ -8,7 +8,7 @@
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout
 # @TEST-EXEC: btest-diff manager-1/intel.log
-# @TEST-START-FILE cluster-layout.bro
+# @TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
 ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
 ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"],
diff --git a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.zeek
similarity index 97%
rename from testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
rename to testing/btest/scripts/base/frameworks/intel/remove-non-existing.zeek
index 1885f5bcf8..7bc071c17a 100644
--- a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
+++ b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.zeek
@@ -25,7 +25,7 @@ event do_it()
 terminate();
 }
-event bro_init() &priority=-10
+event zeek_init() &priority=-10
 {
 schedule 1sec { do_it() };
 }
diff --git a/testing/btest/scripts/base/frameworks/intel/updated-match.bro b/testing/btest/scripts/base/frameworks/intel/updated-match.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/intel/updated-match.bro
rename to testing/btest/scripts/base/frameworks/intel/updated-match.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro b/testing/btest/scripts/base/frameworks/logging/adapt-filter.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
rename to testing/btest/scripts/base/frameworks/logging/adapt-filter.zeek
index 2db881deea..d342186ca3 100644
--- a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro
+++ b/testing/btest/scripts/base/frameworks/logging/adapt-filter.zeek
@@ -19,7 +19,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Info]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro b/testing/btest/scripts/base/frameworks/logging/ascii-binary.zeek
similarity index 96%
rename from testing/btest/scripts/base/frameworks/logging/ascii-binary.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-binary.zeek
index fcbac3be58..1df620e19b 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-binary.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-binary.zeek
@@ -15,7 +15,7 @@ export {
 redef LogAscii::separator = "|";
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Info]);
 Log::write(SSH::LOG, [$data="abc\n\xffdef", $data2="DATA2"]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro b/testing/btest/scripts/base/frameworks/logging/ascii-double.zeek
similarity index 93%
rename from testing/btest/scripts/base/frameworks/logging/ascii-double.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-double.zeek
index b824d93676..65bffda485 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-double.zeek
@@ -1,6 +1,6 @@
 # @TEST-DOC: Test that the ASCII writer logs values of type "double" correctly.
 #
-# @TEST-EXEC: bro -b %INPUT test-json.bro
+# @TEST-EXEC: bro -b %INPUT test-json.zeek
 # @TEST-EXEC: mv test.log json.log
 # @TEST-EXEC: bro -b %INPUT
 # @TEST-EXEC: btest-diff test.log
@@ -23,7 +23,7 @@ function logwrite(val: double)
 Log::write(Test::LOG, [$d=val]);
 }
-event bro_init()
+event zeek_init()
 {
 local d: double;
 local dmax: double = 1.79e308;
@@ -78,7 +78,7 @@ event bro_init()
 logwrite(d);
 }
-# @TEST-START-FILE test-json.bro
+# @TEST-START-FILE test-json.zeek
 redef LogAscii::use_json = T;
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro b/testing/btest/scripts/base/frameworks/logging/ascii-empty.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/ascii-empty.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-empty.zeek
index 0bb5900e30..bb38f988ae 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-empty.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-empty.zeek
@@ -23,7 +23,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.zeek
index 3df3ea1d25..d7e7739547 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.zeek
@@ -12,7 +12,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 local a = "abc\0def";
 local b = escape_string(a);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.zeek
similarity index 94%
rename from testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.zeek
index e18926a194..0145c52243 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.zeek
@@ -14,7 +14,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(test::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.zeek
similarity index 94%
rename from testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.zeek
index 8c1401b179..c42a92fdac 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.zeek
@@ -14,7 +14,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(Test::LOG, [$columns=Log]);
 Log::write(Test::LOG, [$x=LogAscii::unset_field, $z=""]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape-odd-url.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.zeek
similarity index 94%
rename from testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.zeek
index f5fb7a6259..03139bf2b8 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-set-separator.zeek
@@ -11,7 +11,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(Test::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro b/testing/btest/scripts/base/frameworks/logging/ascii-escape.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/ascii-escape.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-escape.zeek
index d73464777a..9fa6555391 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-escape.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape.zeek
@@ -18,7 +18,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.zeek
similarity index 95%
rename from testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.zeek
index 2a1c388322..3e73b56500 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.zeek
@@ -17,7 +17,7 @@ export {
 redef Log::default_rotation_interval = 1hr;
 redef LogAscii::gzip_level = 1;
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(Test::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/ascii-gz.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-gz.zeek
index 9563f42c40..74573fe3d4 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz.zeek
@@ -42,7 +42,7 @@ function foo(i : count) : string
 return "Bar";
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
 local filter = Log::Filter($name="ssh-uncompressed", $path="ssh-uncompressed",
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.zeek
index 8cb1210a68..bfe998a78e 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.zeek
@@ -17,7 +17,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
 Log::write(SSH::LOG, [
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.zeek
similarity index 88%
rename from testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-json-optional.zeek
index c26683a338..364de2fe4c 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: bro -b %INPUT
 # @TEST-EXEC: btest-diff testing.log
-@load tuning/json-logs.bro
+@load tuning/json-logs
 module testing;
@@ -17,7 +17,7 @@ export {
 global log_test: event(rec: Info);
 }
-event bro_init() &priority=5
+event zeek_init() &priority=5
 {
 Log::create_stream(testing::LOG, [$columns=testing::Info, $ev=log_test]);
 local info: Info;
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/ascii-json.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-json.zeek
index 2b6055930f..8985715d1d 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-json.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-json.zeek
@@ -40,7 +40,7 @@ function foo(i : count) : string
 return "Bar";
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.bro b/testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.zeek
similarity index 95%
rename from testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.zeek
index 4670811b2a..33de6e720a 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-line-like-comment.zeek
@@ -13,7 +13,7 @@ export {
 };
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(Test::LOG, [$columns=Info]);
 Log::write(Test::LOG, [$data="Test1"]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-options.bro b/testing/btest/scripts/base/frameworks/logging/ascii-options.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/ascii-options.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-options.zeek
index 474b179536..b72f077c81 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-options.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-options.zeek
@@ -19,7 +19,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.zeek
similarity index 97%
rename from testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-timestamps.zeek
index e63e30f6c6..2e786f4927 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-timestamps.zeek
@@ -12,7 +12,7 @@ export {
 };
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(Test::LOG, [$columns=Info]);
 Log::write(Test::LOG, [$data=double_to_time(1234567890)]);
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro b/testing/btest/scripts/base/frameworks/logging/ascii-tsv.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro
rename to testing/btest/scripts/base/frameworks/logging/ascii-tsv.zeek
index 09276a08fd..c29b291003 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-tsv.zeek
@@ -17,7 +17,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/attr-extend.bro b/testing/btest/scripts/base/frameworks/logging/attr-extend.zeek
similarity index 97%
rename from testing/btest/scripts/base/frameworks/logging/attr-extend.bro
rename to testing/btest/scripts/base/frameworks/logging/attr-extend.zeek
index 7f58f3f8c1..7aece07642 100644
--- a/testing/btest/scripts/base/frameworks/logging/attr-extend.bro
+++ b/testing/btest/scripts/base/frameworks/logging/attr-extend.zeek
@@ -26,7 +26,7 @@ redef record Log += {
 } &log;
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/attr.bro b/testing/btest/scripts/base/frameworks/logging/attr.zeek
similarity index 97%
rename from testing/btest/scripts/base/frameworks/logging/attr.bro
rename to testing/btest/scripts/base/frameworks/logging/attr.zeek
index 8ec3d1c385..84287cc280 100644
--- a/testing/btest/scripts/base/frameworks/logging/attr.bro
+++ b/testing/btest/scripts/base/frameworks/logging/attr.zeek
@@ -15,7 +15,7 @@ export {
 };
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro b/testing/btest/scripts/base/frameworks/logging/disable-stream.zeek
similarity index 97%
rename from testing/btest/scripts/base/frameworks/logging/disable-stream.bro
rename to testing/btest/scripts/base/frameworks/logging/disable-stream.zeek
index c2f64da8e6..e3b2aa2b93 100644
--- a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
+++ b/testing/btest/scripts/base/frameworks/logging/disable-stream.zeek
@@ -15,7 +15,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/empty-event.bro b/testing/btest/scripts/base/frameworks/logging/empty-event.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/empty-event.bro
rename to testing/btest/scripts/base/frameworks/logging/empty-event.zeek
index 6aa867220f..e7928de5c7 100644
--- a/testing/btest/scripts/base/frameworks/logging/empty-event.bro
+++ b/testing/btest/scripts/base/frameworks/logging/empty-event.zeek
@@ -17,7 +17,7 @@ export {
 global log_ssh: event(rec: Log);
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log, $ev=log_ssh]);
diff --git a/testing/btest/scripts/base/frameworks/logging/enable-stream.bro b/testing/btest/scripts/base/frameworks/logging/enable-stream.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/enable-stream.bro
rename to testing/btest/scripts/base/frameworks/logging/enable-stream.zeek
index 0f525eced1..95d02068d8 100644
--- a/testing/btest/scripts/base/frameworks/logging/enable-stream.bro
+++ b/testing/btest/scripts/base/frameworks/logging/enable-stream.zeek
@@ -15,7 +15,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/events.bro b/testing/btest/scripts/base/frameworks/logging/events.zeek
similarity index 97%
rename from testing/btest/scripts/base/frameworks/logging/events.bro
rename to testing/btest/scripts/base/frameworks/logging/events.zeek
index bf156e6d60..d1cf0fba7e 100644
--- a/testing/btest/scripts/base/frameworks/logging/events.bro
+++ b/testing/btest/scripts/base/frameworks/logging/events.zeek
@@ -20,7 +20,7 @@ export {
 global ssh_log: event(rec: Log);
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log, $ev=ssh_log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/exclude.bro b/testing/btest/scripts/base/frameworks/logging/exclude.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/exclude.bro
rename to testing/btest/scripts/base/frameworks/logging/exclude.zeek
index 7b245541ab..b776cf91a4 100644
--- a/testing/btest/scripts/base/frameworks/logging/exclude.bro
+++ b/testing/btest/scripts/base/frameworks/logging/exclude.zeek
@@ -15,7 +15,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.zeek
similarity index 86%
rename from testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.zeek
index dd30ad4c6f..1beaa72024 100644
--- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro
+++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.zeek
@@ -1,15 +1,15 @@
 # @TEST-PORT: BROKER_PORT1
 # @TEST-PORT: BROKER_PORT2
 #
-# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT"
-# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT"
+# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 bro %INPUT"
+# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT"
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: grep qux manager-1/reporter.log | sed 's#line ..#line XX#g' > manager-reporter.log
 # @TEST-EXEC: grep qux manager-1/reporter-2.log | sed 's#line ..*#line XX#g' >> manager-reporter.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-canonifier | $SCRIPTS/diff-remove-abspath | grep -v ^# | $SCRIPTS/diff-sort" btest-diff manager-reporter.log
-@TEST-START-FILE cluster-layout.bro
+@TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
 ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
 ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"],
@@ -62,7 +62,7 @@ event kill_worker()
 Broker::publish("death", slow_death);
 }
-event bro_init()
+event zeek_init()
 {
 if ( Cluster::node == "worker-1" )
 {
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.zeek
similarity index 83%
rename from testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension-cluster.zeek
index d38b5b744b..39fe6c566a 100644
--- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.zeek
@@ -1,13 +1,13 @@
 # @TEST-PORT: BROKER_PORT1
 # @TEST-PORT: BROKER_PORT2
 #
-# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT"
-# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT"
+# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 bro %INPUT"
+# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT"
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: btest-diff manager-1/http.log
-@TEST-START-FILE cluster-layout.bro
+@TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
 ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
 ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"],
@@ -55,7 +55,7 @@ event kill_worker()
 Broker::publish("death", slow_death);
 }
-event bro_init()
+event zeek_init()
 {
 if ( Cluster::node == "worker-1" )
 {
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-complex.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-complex.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-extension-complex.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension-complex.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-extension-invalid.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-optional.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-optional.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-extension-optional.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension-optional.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-table.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-table.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-extension-table.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension-table.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension.bro b/testing/btest/scripts/base/frameworks/logging/field-extension.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-extension.bro
rename to testing/btest/scripts/base/frameworks/logging/field-extension.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-name-map.bro b/testing/btest/scripts/base/frameworks/logging/field-name-map.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-name-map.bro
rename to testing/btest/scripts/base/frameworks/logging/field-name-map.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/field-name-map2.bro b/testing/btest/scripts/base/frameworks/logging/field-name-map2.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/logging/field-name-map2.bro
rename to testing/btest/scripts/base/frameworks/logging/field-name-map2.zeek
diff --git a/testing/btest/scripts/base/frameworks/logging/file.bro b/testing/btest/scripts/base/frameworks/logging/file.zeek
similarity index 94%
rename from testing/btest/scripts/base/frameworks/logging/file.bro
rename to testing/btest/scripts/base/frameworks/logging/file.zeek
index 94bdad6b1b..011c9bbe82 100644
--- a/testing/btest/scripts/base/frameworks/logging/file.bro
+++ b/testing/btest/scripts/base/frameworks/logging/file.zeek
@@ -15,7 +15,7 @@ export {
 const foo_log = open_log_file("Foo") &redef;
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
 Log::write(SSH::LOG, [$t=network_time(), $f=foo_log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/include.bro b/testing/btest/scripts/base/frameworks/logging/include.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/include.bro
rename to testing/btest/scripts/base/frameworks/logging/include.zeek
index d0fea93c99..7179c54338 100644
--- a/testing/btest/scripts/base/frameworks/logging/include.bro
+++ b/testing/btest/scripts/base/frameworks/logging/include.zeek
@@ -15,7 +15,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/no-local.bro b/testing/btest/scripts/base/frameworks/logging/no-local.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/no-local.bro
rename to testing/btest/scripts/base/frameworks/logging/no-local.zeek
index 9ae7d32d61..9418afea14 100644
--- a/testing/btest/scripts/base/frameworks/logging/no-local.bro
+++ b/testing/btest/scripts/base/frameworks/logging/no-local.zeek
@@ -17,7 +17,7 @@ export {
 redef Log::enable_local_logging = F;
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
diff --git a/testing/btest/scripts/base/frameworks/logging/none-debug.bro b/testing/btest/scripts/base/frameworks/logging/none-debug.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/none-debug.bro
rename to testing/btest/scripts/base/frameworks/logging/none-debug.zeek
index 5d2e98323a..9a9f73d8f9 100644
--- a/testing/btest/scripts/base/frameworks/logging/none-debug.bro
+++ b/testing/btest/scripts/base/frameworks/logging/none-debug.zeek
@@ -20,7 +20,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 local config: table[string] of string;
 config["foo"]="bar";
diff --git a/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro b/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.zeek
similarity index 97%
rename from testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro
rename to testing/btest/scripts/base/frameworks/logging/path-func-column-demote.zeek
index aff886c2f4..ebb514042e 100644
--- a/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.bro
+++ b/testing/btest/scripts/base/frameworks/logging/path-func-column-demote.zeek
@@ -16,7 +16,7 @@ function split_log(id: Log::ID, path: string, rec: record {id:conn_id;}): string
 return Site::is_local_addr(rec$id$orig_h) ? "local" : "remote";
 }
-event bro_init()
+event zeek_init()
 {
 # Add a new filter to the Conn::LOG stream that logs only
 # timestamp and originator address.
diff --git a/testing/btest/scripts/base/frameworks/logging/path-func.bro b/testing/btest/scripts/base/frameworks/logging/path-func.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/path-func.bro
rename to testing/btest/scripts/base/frameworks/logging/path-func.zeek
index 684aa03ed6..fa52cccc48 100644
--- a/testing/btest/scripts/base/frameworks/logging/path-func.bro
+++ b/testing/btest/scripts/base/frameworks/logging/path-func.zeek
@@ -28,7 +28,7 @@ function path_func(id: Log::ID, path: string, rec: Log) : string
 return fmt("%s-%d-%s", path, c, rec$country);
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
 Log::remove_default_filter(SSH::LOG);
diff --git a/testing/btest/scripts/base/frameworks/logging/pred.bro b/testing/btest/scripts/base/frameworks/logging/pred.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/pred.bro
rename to testing/btest/scripts/base/frameworks/logging/pred.zeek
index e13c726656..c6f85183b4 100644
--- a/testing/btest/scripts/base/frameworks/logging/pred.bro
+++ b/testing/btest/scripts/base/frameworks/logging/pred.zeek
@@ -24,7 +24,7 @@ function fail(rec: Log): bool
 return rec$status != "success";
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(Test::LOG, [$columns=Log]);
 Log::remove_default_filter(Test::LOG);
diff --git a/testing/btest/scripts/base/frameworks/logging/remove.bro b/testing/btest/scripts/base/frameworks/logging/remove.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/remove.bro
rename to testing/btest/scripts/base/frameworks/logging/remove.zeek
index 3b80d24e9f..2247648e7c 100644
--- a/testing/btest/scripts/base/frameworks/logging/remove.bro
+++ b/testing/btest/scripts/base/frameworks/logging/remove.zeek
@@ -20,7 +20,7 @@ export {
 } &log;
 }
-event bro_init()
+event zeek_init()
 {
 Log::create_stream(SSH::LOG, [$columns=Log]);
 Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]);
diff --git a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro b/testing/btest/scripts/base/frameworks/logging/rotate-custom.zeek
similarity index 98%
rename from testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
rename to testing/btest/scripts/base/frameworks/logging/rotate-custom.zeek
index c0f0ef8643..89264fa6e5 100644
--- a/testing/btest/scripts/base/frameworks/logging/rotate-custom.bro
+++ b/testing/btest/scripts/base/frameworks/logging/rotate-custom.zeek
@@ -28,7 +28,7 @@ function custom_rotate(info: Log::RotationInfo) : bool return T; } -event bro_init() +event zeek_init() { Log::create_stream(Test::LOG, [$columns=Log]); Log::add_filter(Test::LOG, [$name="2nd", $path="test2", $interv=30mins, $postprocessor=custom_rotate]); diff --git a/testing/btest/scripts/base/frameworks/logging/rotate.bro b/testing/btest/scripts/base/frameworks/logging/rotate.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/logging/rotate.bro rename to testing/btest/scripts/base/frameworks/logging/rotate.zeek index 501c0db8ea..2a988a88f0 100644 --- a/testing/btest/scripts/base/frameworks/logging/rotate.bro +++ b/testing/btest/scripts/base/frameworks/logging/rotate.zeek @@ -21,7 +21,7 @@ export { redef Log::default_rotation_interval = 1hr; redef Log::default_rotation_postprocessor_cmd = "echo"; -event bro_init() +event zeek_init() { Log::create_stream(Test::LOG, [$columns=Log]); } diff --git a/testing/btest/scripts/base/frameworks/logging/scope_sep.bro b/testing/btest/scripts/base/frameworks/logging/scope_sep.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/logging/scope_sep.bro rename to testing/btest/scripts/base/frameworks/logging/scope_sep.zeek diff --git a/testing/btest/scripts/base/frameworks/logging/scope_sep_and_field_name_map.bro b/testing/btest/scripts/base/frameworks/logging/scope_sep_and_field_name_map.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/logging/scope_sep_and_field_name_map.bro rename to testing/btest/scripts/base/frameworks/logging/scope_sep_and_field_name_map.zeek diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/error.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/error.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/logging/sqlite/error.bro rename to testing/btest/scripts/base/frameworks/logging/sqlite/error.zeek index e48e066c6c..d453804858 100644 
--- a/testing/btest/scripts/base/frameworks/logging/sqlite/error.bro +++ b/testing/btest/scripts/base/frameworks/logging/sqlite/error.zeek @@ -73,7 +73,7 @@ function foo(i : count) : string return "Bar"; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); Log::remove_filter(SSH::LOG, "default"); diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/set.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/set.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/logging/sqlite/set.bro rename to testing/btest/scripts/base/frameworks/logging/sqlite/set.zeek index 0cceb7af08..8612cd5765 100644 --- a/testing/btest/scripts/base/frameworks/logging/sqlite/set.bro +++ b/testing/btest/scripts/base/frameworks/logging/sqlite/set.zeek @@ -32,7 +32,7 @@ function foo(i : count) : string return "Bar"; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); Log::remove_filter(SSH::LOG, "default"); diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.bro rename to testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.zeek index 2e864aa791..7f9ea2d870 100644 --- a/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.bro +++ b/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.zeek @@ -47,7 +47,7 @@ function foo(i : count) : string return "Bar"; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); Log::create_stream(SSH::LOG2, [$columns=Log]); 
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/types.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/logging/sqlite/types.bro rename to testing/btest/scripts/base/frameworks/logging/sqlite/types.zeek index 6c088e9f2f..e878ec32d3 100644 --- a/testing/btest/scripts/base/frameworks/logging/sqlite/types.bro +++ b/testing/btest/scripts/base/frameworks/logging/sqlite/types.zeek @@ -45,7 +45,7 @@ function foo(i : count) : string return "Bar"; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); Log::remove_filter(SSH::LOG, "default"); diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro rename to testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.zeek diff --git a/testing/btest/scripts/base/frameworks/logging/stdout.bro b/testing/btest/scripts/base/frameworks/logging/stdout.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/logging/stdout.bro rename to testing/btest/scripts/base/frameworks/logging/stdout.zeek index f431a5b6c9..bce55fd0ca 100644 --- a/testing/btest/scripts/base/frameworks/logging/stdout.bro +++ b/testing/btest/scripts/base/frameworks/logging/stdout.zeek @@ -16,7 +16,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/test-logging.bro b/testing/btest/scripts/base/frameworks/logging/test-logging.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/logging/test-logging.bro rename to testing/btest/scripts/base/frameworks/logging/test-logging.zeek index 9f90d515fb..f7d07e843a 100644 --- a/testing/btest/scripts/base/frameworks/logging/test-logging.bro 
+++ b/testing/btest/scripts/base/frameworks/logging/test-logging.zeek @@ -15,7 +15,7 @@ export { } &log; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/types.bro b/testing/btest/scripts/base/frameworks/logging/types.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/logging/types.bro rename to testing/btest/scripts/base/frameworks/logging/types.zeek index d79c667e50..9d208335ad 100644 --- a/testing/btest/scripts/base/frameworks/logging/types.bro +++ b/testing/btest/scripts/base/frameworks/logging/types.zeek @@ -40,7 +40,7 @@ function foo(i : count) : string return "Bar"; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); diff --git a/testing/btest/scripts/base/frameworks/logging/unset-record.bro b/testing/btest/scripts/base/frameworks/logging/unset-record.zeek similarity index 95% rename from testing/btest/scripts/base/frameworks/logging/unset-record.bro rename to testing/btest/scripts/base/frameworks/logging/unset-record.zeek index bb922dc9c8..00f97ffc1a 100644 --- a/testing/btest/scripts/base/frameworks/logging/unset-record.bro +++ b/testing/btest/scripts/base/frameworks/logging/unset-record.zeek @@ -14,7 +14,7 @@ type Bar: record { b: count &log; }; -event bro_init() +event zeek_init() { Log::create_stream(TESTING, [$columns=Bar]); diff --git a/testing/btest/scripts/base/frameworks/logging/vec.bro b/testing/btest/scripts/base/frameworks/logging/vec.zeek similarity index 94% rename from testing/btest/scripts/base/frameworks/logging/vec.bro rename to testing/btest/scripts/base/frameworks/logging/vec.zeek index 00c5ff5117..6809e132bc 100644 --- a/testing/btest/scripts/base/frameworks/logging/vec.bro +++ b/testing/btest/scripts/base/frameworks/logging/vec.zeek @@ -12,7 +12,7 @@ export { }; } -event bro_init() +event zeek_init() { Log::create_stream(SSH::LOG, [$columns=Log]); 
diff --git a/testing/btest/scripts/base/frameworks/logging/writer-path-conflict.bro b/testing/btest/scripts/base/frameworks/logging/writer-path-conflict.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/logging/writer-path-conflict.bro rename to testing/btest/scripts/base/frameworks/logging/writer-path-conflict.zeek index 908fb43c72..916e5a6775 100644 --- a/testing/btest/scripts/base/frameworks/logging/writer-path-conflict.bro +++ b/testing/btest/scripts/base/frameworks/logging/writer-path-conflict.zeek @@ -7,7 +7,7 @@ @load base/protocols/http -event bro_init() +event zeek_init() { # Both the default filter for the http stream and this new one will # attempt to have the same writer write to path "http", which will diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.zeek similarity index 94% rename from testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro rename to testing/btest/scripts/base/frameworks/netcontrol/acld-hook.zeek index 9e0db8531a..5561b3b674 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.zeek @@ -1,12 +1,12 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek @load base/frameworks/netcontrol @@ -14,7 +14,7 @@ redef exit_only_after_terminate = T; global have_peer = F; global did_init = F; -event bro_init() +event zeek_init() { suspend_processing(); } 
@@ -89,7 +89,7 @@ event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek @load base/frameworks/netcontrol @load base/frameworks/broker @@ -101,7 +101,7 @@ event die() terminate(); } -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/netcontroltest"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.zeek similarity index 94% rename from testing/btest/scripts/base/frameworks/netcontrol/acld.bro rename to testing/btest/scripts/base/frameworks/netcontrol/acld.zeek index 243e5e9b7c..94fda84c64 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.zeek @@ -1,13 +1,13 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff send/netcontrol.log # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek @load base/frameworks/netcontrol @@ -15,7 +15,7 @@ redef exit_only_after_terminate = T; global have_peer = F; global did_init = F; -event bro_init() +event zeek_init() { suspend_processing(); } @@ -94,7 +94,7 @@ event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, ms @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek @load base/frameworks/netcontrol @load base/frameworks/broker 
@@ -106,7 +106,7 @@ event die() terminate(); } -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/netcontroltest"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.zeek similarity index 81% rename from testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro rename to testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.zeek index 50c04433ad..3f3ecb5e60 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.zeek 
@@ -2,17 +2,17 @@ # @TEST-PORT: BROKER_PORT2 # @TEST-PORT: BROKER_PORT3 # -# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" +# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 bro %INPUT" +# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" # @TEST-EXEC: $SCRIPTS/wait-for-pid $(cat worker-1/.pid) 10 || (btest-bg-wait -k 1 && false) -# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" +# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff worker-2/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], @@ -26,7 +26,7 @@ redef Log::default_rotation_interval = 0secs; @load base/frameworks/netcontrol @if ( Cluster::local_node_type() == Cluster::WORKER ) -event bro_init() +event zeek_init() { suspend_processing(); } diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/netcontrol/basic.bro rename to testing/btest/scripts/base/frameworks/netcontrol/basic.zeek 
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro b/testing/btest/scripts/base/frameworks/netcontrol/broker.zeek similarity index 94% rename from testing/btest/scripts/base/frameworks/netcontrol/broker.bro rename to testing/btest/scripts/base/frameworks/netcontrol/broker.zeek index 4d232c3325..bf8957e4ff 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/broker.zeek @@ -1,13 +1,13 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff send/netcontrol.log # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek @load base/frameworks/netcontrol @@ -15,7 +15,7 @@ redef exit_only_after_terminate = T; global have_peer = F; global did_init = F; -event bro_init() +event zeek_init() { suspend_processing(); } @@ -78,7 +78,7 @@ event NetControl::rule_timeout(r: NetControl::Rule, i: NetControl::FlowInfo, p: @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek @load base/frameworks/netcontrol @load base/frameworks/broker @@ -90,7 +90,7 @@ event die() terminate(); } -event bro_init() +event zeek_init() { Broker::subscribe("bro/event/netcontroltest"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); 
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro b/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/duplicate.bro b/testing/btest/scripts/base/frameworks/netcontrol/duplicate.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/duplicate.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/duplicate.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/find-rules.bro b/testing/btest/scripts/base/frameworks/netcontrol/find-rules.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/find-rules.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/find-rules.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/hook.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/hook.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/hook.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro b/testing/btest/scripts/base/frameworks/netcontrol/multiple.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/multiple.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/multiple.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/openflow.bro b/testing/btest/scripts/base/frameworks/netcontrol/openflow.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/openflow.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/openflow.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/packetfilter.bro b/testing/btest/scripts/base/frameworks/netcontrol/packetfilter.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/packetfilter.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/packetfilter.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.bro b/testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/quarantine-openflow.zeek
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/timeout.bro b/testing/btest/scripts/base/frameworks/netcontrol/timeout.zeek
similarity index 100%
rename from testing/btest/scripts/base/frameworks/netcontrol/timeout.bro
rename to testing/btest/scripts/base/frameworks/netcontrol/timeout.zeek
diff --git a/testing/btest/scripts/base/frameworks/notice/cluster.bro b/testing/btest/scripts/base/frameworks/notice/cluster.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/notice/cluster.bro rename to testing/btest/scripts/base/frameworks/notice/cluster.zeek index 69d1ac8364..cda5fc857e 100644 --- a/testing/btest/scripts/base/frameworks/notice/cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/cluster.zeek @@ -8,7 +8,7 @@ # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/notice.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/notice/mail-alarms.bro b/testing/btest/scripts/base/frameworks/notice/mail-alarms.zeek similarity index 100% rename from testing/btest/scripts/base/frameworks/notice/mail-alarms.bro rename to testing/btest/scripts/base/frameworks/notice/mail-alarms.zeek diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro rename to testing/btest/scripts/base/frameworks/notice/suppression-cluster.zeek index e9b31e1756..73cd65cfe9 100644 --- a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.zeek 
@@ -10,7 +10,7 @@ # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/notice.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1"], diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-disable.bro b/testing/btest/scripts/base/frameworks/notice/suppression-disable.zeek similarity index 96% rename from testing/btest/scripts/base/frameworks/notice/suppression-disable.bro rename to testing/btest/scripts/base/frameworks/notice/suppression-disable.zeek index 96b932caf8..5eeab5bff2 100644 --- a/testing/btest/scripts/base/frameworks/notice/suppression-disable.bro +++ b/testing/btest/scripts/base/frameworks/notice/suppression-disable.zeek @@ -18,7 +18,7 @@ event second_notice() NOTICE([$note=Test_Notice, $msg="another test", $identifier="static"]); } -event bro_init() +event zeek_init() { NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]); schedule 1msec { second_notice() }; diff --git a/testing/btest/scripts/base/frameworks/notice/suppression.bro b/testing/btest/scripts/base/frameworks/notice/suppression.zeek similarity index 96% rename from testing/btest/scripts/base/frameworks/notice/suppression.bro rename to testing/btest/scripts/base/frameworks/notice/suppression.zeek index 87ce3672b6..d91aa17a2e 100644 --- a/testing/btest/scripts/base/frameworks/notice/suppression.bro +++ b/testing/btest/scripts/base/frameworks/notice/suppression.zeek @@ -15,7 +15,7 @@ event second_notice() NOTICE([$note=Test_Notice, $msg="another test", $identifier="static"]); } -event bro_init() +event zeek_init() { NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]); schedule 1msec { second_notice() }; 
diff --git a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro b/testing/btest/scripts/base/frameworks/openflow/broker-basic.zeek similarity index 93% rename from testing/btest/scripts/base/frameworks/openflow/broker-basic.bro rename to testing/btest/scripts/base/frameworks/openflow/broker-basic.zeek index 9d43089b93..3cce7bda1e 100644 --- a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro +++ b/testing/btest/scripts/base/frameworks/openflow/broker-basic.zeek @@ -1,12 +1,12 @@ # @TEST-PORT: BROKER_PORT -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.zeek >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.zeek >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff send/send.out -@TEST-START-FILE send.bro +@TEST-START-FILE send.zeek @load base/protocols/conn @load base/frameworks/openflow @@ -15,7 +15,7 @@ redef exit_only_after_terminate = T; global of_controller: OpenFlow::Controller; -event bro_init() +event zeek_init() { suspend_processing(); of_controller = OpenFlow::broker_new("broker1", 127.0.0.1, to_port(getenv("BROKER_PORT")), "bro/openflow", 42); @@ -67,7 +67,7 @@ event OpenFlow::flow_mod_failure(name: string, match: OpenFlow::ofp_match, flow_ @TEST-END-FILE -@TEST-START-FILE recv.bro +@TEST-START-FILE recv.zeek @load base/frameworks/openflow @@ -80,7 +80,7 @@ event die() terminate(); } -event bro_init() +event zeek_init() { Broker::subscribe("bro/openflow"); Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT"))); 
diff --git a/testing/btest/scripts/base/frameworks/openflow/log-basic.bro b/testing/btest/scripts/base/frameworks/openflow/log-basic.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/openflow/log-basic.bro rename to testing/btest/scripts/base/frameworks/openflow/log-basic.zeek index d4f08e7822..5aa615f691 100644 --- a/testing/btest/scripts/base/frameworks/openflow/log-basic.bro +++ b/testing/btest/scripts/base/frameworks/openflow/log-basic.zeek @@ -8,7 +8,7 @@ global of_controller: OpenFlow::Controller; global cookie_id: count = 42; -event bro_init() +event zeek_init() { of_controller = OpenFlow::log_new(42); diff --git a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro b/testing/btest/scripts/base/frameworks/openflow/log-cluster.zeek similarity index 82% rename from testing/btest/scripts/base/frameworks/openflow/log-cluster.bro rename to testing/btest/scripts/base/frameworks/openflow/log-cluster.zeek index 33f20f8ce5..c6a9e90cb4 100644 --- a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro +++ b/testing/btest/scripts/base/frameworks/openflow/log-cluster.zeek 
@@ -1,12 +1,12 @@ # @TEST-PORT: BROKER_PORT1 # @TEST-PORT: BROKER_PORT2 # -# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/smtp.trace %INPUT" +# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 bro %INPUT" +# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/smtp.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/openflow.log -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], @@ -22,7 +22,7 @@ redef Log::default_rotation_interval = 0secs; global of_controller: OpenFlow::Controller; @if ( Cluster::local_node_type() == Cluster::WORKER ) -event bro_init() +event zeek_init() { suspend_processing(); } @@ -33,7 +33,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) } @endif -event bro_init() +event zeek_init() { of_controller = OpenFlow::log_new(42); } diff --git a/testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro b/testing/btest/scripts/base/frameworks/openflow/ryu-basic.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro rename to testing/btest/scripts/base/frameworks/openflow/ryu-basic.zeek index 3bfaa4c076..9df9822450 100644 --- a/testing/btest/scripts/base/frameworks/openflow/ryu-basic.bro +++ b/testing/btest/scripts/base/frameworks/openflow/ryu-basic.zeek 
@@ -6,7 +6,7 @@ global of_controller: OpenFlow::Controller; -event bro_init() +event zeek_init() { of_controller = OpenFlow::ryu_new(127.0.0.1, 8080, 42); of_controller$state$ryu_debug=T; diff --git a/testing/btest/scripts/base/frameworks/reporter/disable-stderr.bro b/testing/btest/scripts/base/frameworks/reporter/disable-stderr.zeek similarity index 95% rename from testing/btest/scripts/base/frameworks/reporter/disable-stderr.bro rename to testing/btest/scripts/base/frameworks/reporter/disable-stderr.zeek index b1afb99b5c..bf449e886d 100644 --- a/testing/btest/scripts/base/frameworks/reporter/disable-stderr.bro +++ b/testing/btest/scripts/base/frameworks/reporter/disable-stderr.zeek @@ -7,7 +7,7 @@ redef Reporter::errors_to_stderr = F; global test: table[count] of string = {}; -event bro_init() +event zeek_init() { print test[3]; } diff --git a/testing/btest/scripts/base/frameworks/reporter/stderr.bro b/testing/btest/scripts/base/frameworks/reporter/stderr.zeek similarity index 94% rename from testing/btest/scripts/base/frameworks/reporter/stderr.bro rename to testing/btest/scripts/base/frameworks/reporter/stderr.zeek index ef01c9fdf9..6b878ceef5 100644 --- a/testing/btest/scripts/base/frameworks/reporter/stderr.bro +++ b/testing/btest/scripts/base/frameworks/reporter/stderr.zeek @@ -4,7 +4,7 @@ global test: table[count] of string = {}; -event bro_init() +event zeek_init() { print test[3]; } diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.zeek similarity index 88% rename from testing/btest/scripts/base/frameworks/software/version-parsing.bro rename to testing/btest/scripts/base/frameworks/software/version-parsing.zeek index 9a54f3d966..fd43145826 100644 --- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro +++ b/testing/btest/scripts/base/frameworks/software/version-parsing.zeek 
@@ -1,5 +1,5 @@ # @TEST-EXEC: bro %INPUT > output -# @TEST-EXEC: btest-diff output +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff output module Software; @@ -121,9 +121,19 @@ global matched_software: table[string] of Software::Description = { [$name="QQ\xe9\x82\xae\xe7\xae\xb1", $version=[$major=5,$minor=3,$minor2=2,$minor3=8,$addl="CFNetwork/811"], $unparsed_version=""], ["Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063"] = [$name="Edge", $version=[$major=15,$minor=15063], $unparsed_version=""], + ["A/8.0.0/Google/Pixel#XL/marlin/unknown/QCX3/l8100358318783302904/-/1456904160/-/google/662107/662098/-"] = + [$name="Android (Google Pixel)", $version=[$major=8,$minor=0,$minor2=0], $unparsed_version=""], + ["A/8.1.0/Google/Pixel#2/walleye/unknown/QCX3/l10660929675510745862/-/104360422/-/google/3606/3607/-"] = + [$name="Android (Google Pixel)", $version=[$major=8,$minor=1,$minor2=0], $unparsed_version=""], + ["A/9/Google/Pixel#2/walleye/unknown/QCX3/l17463753539612639959/-/2406658516/-/google/724998/724992/-"] = + [$name="Android (Google Pixel)", $version=[$major=9], $unparsed_version=""], + ["A/9/Google/Pixel#2#XL/taimen/unknown/QCX3/l2640039522761750592/-/1061307257/-/google/1199700/1199701/-"] = + [$name="Android (Google Pixel)", $version=[$major=9], $unparsed_version=""], + ["A/9/Google/Pixel#2/walleye/unknown/QCX3/l9335055540778241916/-/1576068601/-/google/63672/63666/00:BOOT.XF.1.2.2.c1-00036-M8998LZB-2+01:TZ.BF.4.0.6-00152+03:RPM.BF.1.7-00128+11:MPSS.AT.2.0.c4.5-00253-8998_GEN_PACK-1.172723.1.178350.2+12:ADSP.HT.3.0-00372-CB8998-1+14:VIDEO.VE.4.4-00033+15:SLPI.HB.2.0.c3-00016-M8998AZL-1"] = + [$name="Android (Google Pixel)", $version=[$major=9], $unparsed_version=""], }; -event bro_init() +event zeek_init() { for ( sw in matched_software ) { 
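Review bot: The five new `A/<ver>/Google/Pixel…` entries in the second hunk carry long opaque tokens (`l8100358318783302904`, `l10660929675510745862`, the `00:BOOT.XF…` firmware string) that look like per-device identifiers lifted from real traffic; if they came from a live capture rather than being synthesized, they should be replaced with placeholder values, since the expected `$name`/`$version` appear to depend only on the leading `A/<version>/Google/Pixel` segment — worth confirming against the parser before scrubbing. The switch to `TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort` in the first hunk also deserves a one-line comment in the test header, since the reason is not obvious from the file: `# Output is produced by iterating a table, so sort it before diffing to make the baseline order-independent.` The `matched_software` table begins before this hunk and the `zeek_init` body continues past it.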
diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.zeek similarity index 96% rename from testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro rename to testing/btest/scripts/base/frameworks/sumstats/basic-cluster.zeek index 8f4bd26ef1..726aa09416 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.zeek @@ -9,7 +9,7 @@ # @TEST-EXEC: btest-diff manager-1/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], @@ -21,7 +21,7 @@ redef Log::default_rotation_interval = 0secs; global n = 0; -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE, SumStats::HLL_UNIQUE)]; SumStats::create([$name="test", @@ -71,7 +71,7 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER ) -event bro_init() &priority=100 +event zeek_init() &priority=100 { Broker::auto_publish(Cluster::worker_topic, ready_for_data); } diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic.bro b/testing/btest/scripts/base/frameworks/sumstats/basic.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/sumstats/basic.bro rename to testing/btest/scripts/base/frameworks/sumstats/basic.zeek index 40f269ab1a..1362c739cf 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/basic.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/basic.zeek 
@@ -4,7 +4,7 @@ redef exit_only_after_terminate=T; -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM, diff --git a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro rename to testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.zeek index 949fcb3644..04cdcca725 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.zeek @@ -8,7 +8,7 @@ # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], @@ -18,7 +18,7 @@ redef Cluster::nodes = { redef Log::default_rotation_interval = 0secs; -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)]; SumStats::create([$name="test", diff --git a/testing/btest/scripts/base/frameworks/sumstats/last-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/last-cluster.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/sumstats/last-cluster.bro rename to testing/btest/scripts/base/frameworks/sumstats/last-cluster.zeek index da8f8fb80f..4482b43524 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/last-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/last-cluster.zeek 
@@ -7,7 +7,7 @@ # @TEST-EXEC: btest-diff manager-1/.stdout # -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], @@ -27,7 +27,7 @@ event do_observe() schedule 0.1secs { do_observe() }; } -event bro_init() +event zeek_init() { local r1 = SumStats::Reducer($stream="test", $apply=set(SumStats::LAST), diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.zeek similarity index 96% rename from testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro rename to testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.zeek index bb429a52cb..3ab0492f29 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.zeek @@ -10,7 +10,7 @@ # @TEST-EXEC: btest-diff manager-1/.stdout # -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], @@ -22,7 +22,7 @@ redef Log::default_rotation_interval = 0secs; global n = 0; -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1 = SumStats::Reducer($stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE)); SumStats::create([$name="test sumstat", 
@@ -37,7 +37,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) global ready_for_data: event(); -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, ready_for_data); } diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/sumstats/on-demand.bro rename to testing/btest/scripts/base/frameworks/sumstats/on-demand.zeek index 78aba726ca..99658ad7d0 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/on-demand.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand.zeek @@ -28,7 +28,7 @@ event on_demand_key() } } -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test.reducer", $apply=set(SumStats::SUM)]; diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro rename to testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek index 227313635a..44dcd3abd4 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek @@ -8,7 +8,7 @@ # @TEST-EXEC: btest-bg-wait 15 # @TEST-EXEC: btest-diff manager-1/.stdout -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], 
@@ -18,7 +18,7 @@ redef Cluster::nodes = { redef Log::default_rotation_interval = 0secs; -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SAMPLE), $num_samples=5]; SumStats::create([$name="test", @@ -47,7 +47,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) global ready_for_data: event(); -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, ready_for_data); diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample.bro b/testing/btest/scripts/base/frameworks/sumstats/sample.zeek similarity index 98% rename from testing/btest/scripts/base/frameworks/sumstats/sample.bro rename to testing/btest/scripts/base/frameworks/sumstats/sample.zeek index 4ba395b463..30e80b1b49 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/sample.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/sample.zeek @@ -1,7 +1,7 @@ # @TEST-EXEC: bro %INPUT # @TEST-EXEC: btest-diff .stdout -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SAMPLE), $num_samples=2]; diff --git a/testing/btest/scripts/base/frameworks/sumstats/thresholding.bro b/testing/btest/scripts/base/frameworks/sumstats/thresholding.zeek similarity index 99% rename from testing/btest/scripts/base/frameworks/sumstats/thresholding.bro rename to testing/btest/scripts/base/frameworks/sumstats/thresholding.zeek index b7bb826446..f751a85e98 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/thresholding.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/thresholding.zeek @@ -5,7 +5,7 @@ redef enum Notice::Type += { Test_Notice, }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)]; SumStats::create([$name="test1", 
diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.zeek similarity index 97% rename from testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro rename to testing/btest/scripts/base/frameworks/sumstats/topk-cluster.zeek index 8a3a9bcf1b..e32e417cc5 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.zeek @@ -9,7 +9,7 @@ # @TEST-EXEC: btest-diff manager-1/.stdout # -@TEST-START-FILE cluster-layout.bro +@TEST-START-FILE cluster-layout.zeek redef Cluster::nodes = { ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], @@ -20,7 +20,7 @@ redef Cluster::nodes = { redef Log::default_rotation_interval = 0secs; -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::TOPK)]; @@ -53,7 +53,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) global ready_for_data: event(); -event bro_init() +event zeek_init() { Broker::auto_publish(Cluster::worker_topic, ready_for_data); } diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk.bro b/testing/btest/scripts/base/frameworks/sumstats/topk.zeek similarity index 90% rename from testing/btest/scripts/base/frameworks/sumstats/topk.bro rename to testing/btest/scripts/base/frameworks/sumstats/topk.zeek index 99c301c669..0b7ae1ea2f 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/topk.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/topk.zeek 
@@ -1,10 +1,15 @@ # @TEST-EXEC: bro %INPUT # @TEST-EXEC: btest-diff .stdout -event bro_init() &priority=5 +event zeek_init() &priority=5 { local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::TOPK)]; + # Merge two empty sets + local topk1: opaque of topk = topk_init(4); + local topk2: opaque of topk = topk_init(4); + topk_merge(topk1, topk2); + SumStats::create([$name="topk-test", $epoch=3secs, $reducers=set(r1), diff --git a/testing/btest/scripts/base/misc/version.bro b/testing/btest/scripts/base/misc/version.zeek similarity index 100% rename from testing/btest/scripts/base/misc/version.bro rename to testing/btest/scripts/base/misc/version.zeek diff --git a/testing/btest/scripts/base/protocols/conn/new_connection_contents.bro b/testing/btest/scripts/base/protocols/conn/new_connection_contents.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/conn/new_connection_contents.bro rename to testing/btest/scripts/base/protocols/conn/new_connection_contents.zeek diff --git a/testing/btest/scripts/base/protocols/conn/threshold.bro b/testing/btest/scripts/base/protocols/conn/threshold.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/conn/threshold.bro rename to testing/btest/scripts/base/protocols/conn/threshold.zeek diff --git a/testing/btest/scripts/base/protocols/dce-rpc/context.bro b/testing/btest/scripts/base/protocols/dce-rpc/context.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/dce-rpc/context.bro rename to testing/btest/scripts/base/protocols/dce-rpc/context.zeek diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.zeek similarity index 96% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.zeek index 533bfd8e0b..e551bbf7d6 100644 
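Review bot: `topk_merge(topk1, topk2)` on the two freshly created empty handles is never followed by any observation of the result, so the new lines only prove the call does not crash or raise; printing something derived from `topk1` afterwards, e.g. `print topk_get_top(topk1, 4);` (or whichever topk accessor the file already relies on, with the `.stdout` baseline updated), would also pin that merging two empty sets leaves an empty, usable set. If this is a regression test for a specific crash, naming it in the comment, e.g. `# Merge two empty sets (regression: merging empty topk handles must not fail)`, would tell the next reader why the merge sits inside `zeek_init` with no relation to the SumStats setup below. The `zeek_init` body continues outside the hunk.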
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.zeek @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.zeek similarity index 97% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.zeek index 3e8c4f56d4..489be56505 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.zeek @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.zeek similarity index 96% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.zeek index e95637b67d..9155ea0174 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.zeek 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.zeek similarity index 96% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.zeek index 8da9f078a4..87140ec1fe 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.zeek @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.zeek similarity index 96% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.zeek index 60761360ed..8ca9e3107d 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.zeek 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.zeek similarity index 95% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.zeek index 867382148b..868ce39cc0 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.zeek @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -C -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -C -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_read.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_read.zeek similarity index 83% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_read.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_read.zeek index ffb0e03653..340e2b3132 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_read.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_read.zeek 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.zeek similarity index 96% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.zeek index d97d37d0ce..f88c262d54 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.zeek @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.zeek similarity index 95% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.zeek index a8acf4755c..9119c33a97 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.zeek 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.zeek similarity index 96% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.zeek index a5f1f895cc..07479c92a2 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.zeek @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.zeek similarity index 96% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.zeek index 073e758df4..cf64179dfe 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.zeek 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.zeek similarity index 94% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.zeek index c8708b10cd..c6deb5eb69 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.zeek @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.zeek similarity index 96% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.zeek index d832d937a7..f88e04f37a 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.zeek 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_write.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_write.zeek similarity index 82% rename from testing/btest/scripts/base/protocols/dnp3/dnp3_write.bro rename to testing/btest/scripts/base/protocols/dnp3/dnp3_write.zeek index 8669d701b2..86b99a11c7 100644 --- a/testing/btest/scripts/base/protocols/dnp3/dnp3_write.bro +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_write.zeek @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.bro >output +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.zeek >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total diff --git a/testing/btest/scripts/base/protocols/dnp3/events.bro b/testing/btest/scripts/base/protocols/dnp3/events.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/dnp3/events.bro rename to testing/btest/scripts/base/protocols/dnp3/events.zeek diff --git a/testing/btest/scripts/base/protocols/dns/caa.bro b/testing/btest/scripts/base/protocols/dns/caa.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/dns/caa.bro rename to testing/btest/scripts/base/protocols/dns/caa.zeek 
diff --git a/testing/btest/scripts/base/protocols/dns/dns-key.bro b/testing/btest/scripts/base/protocols/dns/dns-key.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/dns-key.bro
rename to testing/btest/scripts/base/protocols/dns/dns-key.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/dnskey.bro b/testing/btest/scripts/base/protocols/dns/dnskey.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/dnskey.bro
rename to testing/btest/scripts/base/protocols/dns/dnskey.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/ds.bro b/testing/btest/scripts/base/protocols/dns/ds.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/ds.bro
rename to testing/btest/scripts/base/protocols/dns/ds.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro b/testing/btest/scripts/base/protocols/dns/duplicate-reponses.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro
rename to testing/btest/scripts/base/protocols/dns/duplicate-reponses.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/flip.bro b/testing/btest/scripts/base/protocols/dns/flip.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/flip.bro
rename to testing/btest/scripts/base/protocols/dns/flip.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/huge-ttl.bro b/testing/btest/scripts/base/protocols/dns/huge-ttl.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/huge-ttl.bro
rename to testing/btest/scripts/base/protocols/dns/huge-ttl.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/multiple-txt-strings.bro b/testing/btest/scripts/base/protocols/dns/multiple-txt-strings.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/multiple-txt-strings.bro
rename to testing/btest/scripts/base/protocols/dns/multiple-txt-strings.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/nsec.bro b/testing/btest/scripts/base/protocols/dns/nsec.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/nsec.bro
rename to testing/btest/scripts/base/protocols/dns/nsec.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/nsec3.bro b/testing/btest/scripts/base/protocols/dns/nsec3.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/nsec3.bro
rename to testing/btest/scripts/base/protocols/dns/nsec3.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/rrsig.bro b/testing/btest/scripts/base/protocols/dns/rrsig.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/rrsig.bro
rename to testing/btest/scripts/base/protocols/dns/rrsig.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/tsig.bro b/testing/btest/scripts/base/protocols/dns/tsig.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/tsig.bro
rename to testing/btest/scripts/base/protocols/dns/tsig.zeek
diff --git a/testing/btest/scripts/base/protocols/dns/zero-responses.bro b/testing/btest/scripts/base/protocols/dns/zero-responses.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/zero-responses.bro
rename to testing/btest/scripts/base/protocols/dns/zero-responses.zeek
diff --git a/testing/btest/scripts/base/protocols/ftp/cwd-navigation.bro b/testing/btest/scripts/base/protocols/ftp/cwd-navigation.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/ftp/cwd-navigation.bro
rename to testing/btest/scripts/base/protocols/ftp/cwd-navigation.zeek
diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro b/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro
rename to testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.zeek
diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.bro b/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/ftp/ftp-ipv4.bro rename to testing/btest/scripts/base/protocols/ftp/ftp-ipv4.zeek diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.bro b/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/ftp/ftp-ipv6.bro rename to testing/btest/scripts/base/protocols/ftp/ftp-ipv6.zeek diff --git a/testing/btest/scripts/base/protocols/http/100-continue.bro b/testing/btest/scripts/base/protocols/http/100-continue.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/http/100-continue.bro rename to testing/btest/scripts/base/protocols/http/100-continue.zeek diff --git a/testing/btest/scripts/base/protocols/http/101-switching-protocols.bro b/testing/btest/scripts/base/protocols/http/101-switching-protocols.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/http/101-switching-protocols.bro rename to testing/btest/scripts/base/protocols/http/101-switching-protocols.zeek diff --git a/testing/btest/scripts/base/protocols/http/content-range-gap-skip.bro b/testing/btest/scripts/base/protocols/http/content-range-gap-skip.zeek similarity index 97% rename from testing/btest/scripts/base/protocols/http/content-range-gap-skip.bro rename to testing/btest/scripts/base/protocols/http/content-range-gap-skip.zeek index b96b8f02a6..74ce213505 100644 --- a/testing/btest/scripts/base/protocols/http/content-range-gap-skip.bro +++ b/testing/btest/scripts/base/protocols/http/content-range-gap-skip.zeek @@ -19,7 +19,7 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) got_gap = T; } -event bro_done() +event zeek_done() { if ( ! got_data_after_gap ) exit(1); 
diff --git a/testing/btest/scripts/base/protocols/http/content-range-gap.bro b/testing/btest/scripts/base/protocols/http/content-range-gap.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/content-range-gap.bro
rename to testing/btest/scripts/base/protocols/http/content-range-gap.zeek
diff --git a/testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro b/testing/btest/scripts/base/protocols/http/content-range-less-than-len.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro
rename to testing/btest/scripts/base/protocols/http/content-range-less-than-len.zeek
diff --git a/testing/btest/scripts/base/protocols/http/entity-gap.bro b/testing/btest/scripts/base/protocols/http/entity-gap.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/entity-gap.bro
rename to testing/btest/scripts/base/protocols/http/entity-gap.zeek
diff --git a/testing/btest/scripts/base/protocols/http/entity-gap2.bro b/testing/btest/scripts/base/protocols/http/entity-gap2.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/entity-gap2.bro
rename to testing/btest/scripts/base/protocols/http/entity-gap2.zeek
diff --git a/testing/btest/scripts/base/protocols/http/fake-content-length.bro b/testing/btest/scripts/base/protocols/http/fake-content-length.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/fake-content-length.bro
rename to testing/btest/scripts/base/protocols/http/fake-content-length.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro b/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro
rename to testing/btest/scripts/base/protocols/http/http-bad-request-with-version.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-connect-with-header.bro b/testing/btest/scripts/base/protocols/http/http-connect-with-header.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-connect-with-header.bro
rename to testing/btest/scripts/base/protocols/http/http-connect-with-header.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-connect.bro b/testing/btest/scripts/base/protocols/http/http-connect.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-connect.bro
rename to testing/btest/scripts/base/protocols/http/http-connect.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-filename.bro b/testing/btest/scripts/base/protocols/http/http-filename.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-filename.bro
rename to testing/btest/scripts/base/protocols/http/http-filename.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-header-crlf.bro b/testing/btest/scripts/base/protocols/http/http-header-crlf.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-header-crlf.bro
rename to testing/btest/scripts/base/protocols/http/http-header-crlf.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-methods.bro b/testing/btest/scripts/base/protocols/http/http-methods.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/http-methods.bro
rename to testing/btest/scripts/base/protocols/http/http-methods.zeek
diff --git a/testing/btest/scripts/base/protocols/http/http-pipelining.bro b/testing/btest/scripts/base/protocols/http/http-pipelining.zeek
similarity index 94%
rename from testing/btest/scripts/base/protocols/http/http-pipelining.bro
rename to testing/btest/scripts/base/protocols/http/http-pipelining.zeek
index bb392b1c4b..afb1a7f33e 100644
--- a/testing/btest/scripts/base/protocols/http/http-pipelining.bro
+++ b/testing/btest/scripts/base/protocols/http/http-pipelining.zeek @@ -2,7 +2,7 @@ # @TEST-EXEC: btest-diff http.log # mime type is irrelevant to this test, so filter it out -event bro_init() +event zeek_init() { Log::remove_default_filter(HTTP::LOG); Log::add_filter(HTTP::LOG, [$name="less-mime-types", $exclude=set("mime_type")]); diff --git a/testing/btest/scripts/base/protocols/http/missing-zlib-header.bro b/testing/btest/scripts/base/protocols/http/missing-zlib-header.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/http/missing-zlib-header.bro rename to testing/btest/scripts/base/protocols/http/missing-zlib-header.zeek diff --git a/testing/btest/scripts/base/protocols/http/multipart-extract.bro b/testing/btest/scripts/base/protocols/http/multipart-extract.zeek similarity index 100% rename from testing/btest/scripts/base/protocols/http/multipart-extract.bro rename to testing/btest/scripts/base/protocols/http/multipart-extract.zeek diff --git a/testing/btest/scripts/base/protocols/http/multipart-file-limit.zeek b/testing/btest/scripts/base/protocols/http/multipart-file-limit.zeek new file mode 100644 index 0000000000..7c0690babd --- /dev/null +++ b/testing/btest/scripts/base/protocols/http/multipart-file-limit.zeek 
@@ -0,0 +1,23 @@
+# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT >out-limited
+# @TEST-EXEC: mv http.log http-limited.log
+# @TEST-EXEC: btest-diff http-limited.log
+# @TEST-EXEC: btest-diff out-limited
+# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT ignore_http_file_limit=T >out-limit-ignored
+# @TEST-EXEC: mv http.log http-limit-ignored.log
+# @TEST-EXEC: btest-diff http-limit-ignored.log
+# @TEST-EXEC: btest-diff out-limit-ignored
+
+option ignore_http_file_limit = F;
+
+redef HTTP::max_files_orig = 1;
+redef HTTP::max_files_resp = 1;
+
+hook HTTP::max_files_policy(f: fa_file, is_orig: bool)
+	{
+	print "max_files reached";
+
+	if ( ignore_http_file_limit )
+		break;
+	}
diff --git a/testing/btest/scripts/base/protocols/http/no-uri.bro b/testing/btest/scripts/base/protocols/http/no-uri.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/no-uri.bro
rename to testing/btest/scripts/base/protocols/http/no-uri.zeek
diff --git a/testing/btest/scripts/base/protocols/http/no-version.bro b/testing/btest/scripts/base/protocols/http/no-version.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/no-version.bro
rename to testing/btest/scripts/base/protocols/http/no-version.zeek
diff --git a/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro b/testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/percent-end-of-line.bro
rename to testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
diff --git a/testing/btest/scripts/base/protocols/http/x-gzip.bro b/testing/btest/scripts/base/protocols/http/x-gzip.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/x-gzip.bro
rename to testing/btest/scripts/base/protocols/http/x-gzip.zeek
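Review bot: The new test never states what it pins, and the meaning of `break` inside `HTTP::max_files_policy` is only implied by the option name, so a reader has to reverse-engineer the three-run structure from the TEST-EXEC lines. I'd put a header comment above the `option` line along the lines of `# Three runs on the same trace: default limits, per-direction limit of 1 (policy hook fires on the second file), and the limit vetoed by breaking out of the hook via ignore_http_file_limit=T.` The limit presumably exists to bound the work a multipart body with many parts can force on the file framework, and it is worth saying that in the comment so nobody later raises the redefs to make the diff smaller. Whether `break` lifts the limit rather than just suppressing the hook is inferred from the option name and should be confirmed against the HTTP script before the comment is committed.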
diff --git a/testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.bro b/testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.bro
rename to testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.zeek
diff --git a/testing/btest/scripts/base/protocols/irc/basic.test b/testing/btest/scripts/base/protocols/irc/basic.test
index 618f4d9079..d4fb893e2c 100644
--- a/testing/btest/scripts/base/protocols/irc/basic.test
+++ b/testing/btest/scripts/base/protocols/irc/basic.test
@@ -6,7 +6,7 @@
 # @TEST-EXEC: btest-diff conn.log
 # dcc mime types are irrelevant to this test, so filter it out
-event bro_init()
+event zeek_init()
 	{
 	Log::remove_default_filter(IRC::LOG);
 	Log::add_filter(IRC::LOG, [$name="remove-mime", $exclude=set("dcc_mime_type")]);
diff --git a/testing/btest/scripts/base/protocols/irc/names-weird.bro b/testing/btest/scripts/base/protocols/irc/names-weird.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/irc/names-weird.bro
rename to testing/btest/scripts/base/protocols/irc/names-weird.zeek
diff --git a/testing/btest/scripts/base/protocols/krb/smb2_krb.test b/testing/btest/scripts/base/protocols/krb/smb2_krb.test
index 08c05d83f1..32c2a6e58d 100644
--- a/testing/btest/scripts/base/protocols/krb/smb2_krb.test
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb.test
@@ -11,7 +11,7 @@ redef KRB::keytab = "smb2_krb.keytab";
 global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
-event bro_init() &priority=5{
+event zeek_init() &priority=5{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports);
 }
diff --git a/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
index 0d2c68d142..d08543a0fb 100644
--- a/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
@@ -10,7 +10,7 @@
 global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
-event bro_init() &priority=5{
+event zeek_init() &priority=5{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports);
 }
diff --git a/testing/btest/scripts/base/protocols/modbus/coil_parsing_big.bro b/testing/btest/scripts/base/protocols/modbus/coil_parsing_big.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/modbus/coil_parsing_big.bro
rename to testing/btest/scripts/base/protocols/modbus/coil_parsing_big.zeek
diff --git a/testing/btest/scripts/base/protocols/modbus/coil_parsing_small.bro b/testing/btest/scripts/base/protocols/modbus/coil_parsing_small.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/modbus/coil_parsing_small.bro
rename to testing/btest/scripts/base/protocols/modbus/coil_parsing_small.zeek
diff --git a/testing/btest/scripts/base/protocols/modbus/events.bro b/testing/btest/scripts/base/protocols/modbus/events.zeek
similarity index 99%
rename from testing/btest/scripts/base/protocols/modbus/events.bro
rename to testing/btest/scripts/base/protocols/modbus/events.zeek
index fe748fa3dc..55a3f3cb04 100644
--- a/testing/btest/scripts/base/protocols/modbus/events.bro
+++ b/testing/btest/scripts/base/protocols/modbus/events.zeek
@@ -7,6 +7,7 @@
 # @TEST-EXEC: btest-diff coverage
 # @TEST-EXEC: btest-diff conn.log
+redef DPD::ignore_violations_after = 1;
 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
 	{
diff --git a/testing/btest/scripts/base/protocols/modbus/exception_handling.test b/testing/btest/scripts/base/protocols/modbus/exception_handling.test
index 9d15c754f9..8a4fadcbeb 100644
--- a/testing/btest/scripts/base/protocols/modbus/exception_handling.test
+++ b/testing/btest/scripts/base/protocols/modbus/exception_handling.test
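Review bot: `redef DPD::ignore_violations_after = 1;` is the only substantive change in the events.zeek hunk and it carries no explanation, so the next person to touch the test cannot tell which trace behavior it compensates for or whether it is safe to remove. Read together with the exception_handling and length_mismatch hunks further down this commit, which drop their weird.log expectations, it looks like malformed Modbus in the trace now surfaces as a protocol violation that would otherwise detach the analyzer; that is an inference and should be confirmed. If it holds, a one-line comment above the redef is enough: `# Malformed messages in this trace now raise protocol violations; keep the analyzer attached so later messages still generate events.` The same redef is added to policy.zeek in this commit and deserves the same comment.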
@@ -1,10 +1,8 @@
 # @TEST-EXEC: bro -r $TRACES/modbus/fuzz-72.trace
 # @TEST-EXEC: btest-diff modbus.log
-# @TEST-EXEC: btest-diff weird.log
 # The pcap has a flow with some fuzzed modbus traffic in it that should cause
 # the binpac-generated analyzer code to throw a binpac::ExceptionOutOfBound.
 # This should be correctly caught as a type of binpac::Exception and the
 # binpac::ModbusTCP::Exception type that's defined as part of the analyzer
 # shouldn't interfere with that handling and definitely shouldn't crash bro.
-# A weird is currently emitted for parsing exceptions.
diff --git a/testing/btest/scripts/base/protocols/modbus/length_mismatch.bro b/testing/btest/scripts/base/protocols/modbus/length_mismatch.zeek
similarity index 95%
rename from testing/btest/scripts/base/protocols/modbus/length_mismatch.bro
rename to testing/btest/scripts/base/protocols/modbus/length_mismatch.zeek
index 35835e4b64..17371f3788 100644
--- a/testing/btest/scripts/base/protocols/modbus/length_mismatch.bro
+++ b/testing/btest/scripts/base/protocols/modbus/length_mismatch.zeek
@@ -12,4 +12,3 @@
 # data buffer.
 # @TEST-EXEC: bro -r $TRACES/modbus/4SICS-GeekLounge-151022-min.pcap
-# @TEST-EXEC: btest-diff weird.log
diff --git a/testing/btest/scripts/base/protocols/modbus/policy.bro b/testing/btest/scripts/base/protocols/modbus/policy.zeek
similarity index 61%
rename from testing/btest/scripts/base/protocols/modbus/policy.bro
rename to testing/btest/scripts/base/protocols/modbus/policy.zeek
index b28ebd3b4b..5dab1d09f8 100644
--- a/testing/btest/scripts/base/protocols/modbus/policy.bro
+++ b/testing/btest/scripts/base/protocols/modbus/policy.zeek
@@ -5,5 +5,7 @@
 # @TEST-EXEC: btest-diff known_modbus.log
 #
-@load protocols/modbus/known-masters-slaves.bro
-@load protocols/modbus/track-memmap.bro
+@load protocols/modbus/known-masters-slaves
+@load protocols/modbus/track-memmap
+
+redef DPD::ignore_violations_after = 1;
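Review bot: Dropping `# @TEST-EXEC: btest-diff weird.log` from exception_handling.test leaves the test with no assertion on how the caught binpac exception is reported, even though the surviving comment block says that reporting path is the whole point of the test; only modbus.log is diffed now, so a regression that silently swallows the exception would pass. If the parse error is now reported as a protocol violation rather than a weird, put `# @TEST-EXEC: btest-diff dpd.log` in place of the removed line and rewrite the dropped sentence as `# A protocol violation is emitted for parsing exceptions.`; if it is now intentionally silent, say so in the comment so nobody re-adds the weird expectation. The length_mismatch.zeek hunk on this line loses its weird.log diff the same way and would take the same replacement. Which log the error lands in is inferred from the other Modbus hunks in this commit and should be confirmed by running the trace.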
diff --git a/testing/btest/scripts/base/protocols/modbus/register_parsing.bro b/testing/btest/scripts/base/protocols/modbus/register_parsing.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/modbus/register_parsing.bro
rename to testing/btest/scripts/base/protocols/modbus/register_parsing.zeek
diff --git a/testing/btest/scripts/base/protocols/mount/basic.test b/testing/btest/scripts/base/protocols/mount/basic.test
index 8576874ce3..bd6fd5d5db 100644
--- a/testing/btest/scripts/base/protocols/mount/basic.test
+++ b/testing/btest/scripts/base/protocols/mount/basic.test
@@ -4,7 +4,7 @@
 global mount_ports: set[port] = { 635/tcp, 635/udp, 20048/tcp, 20048/udp } &redef;
 redef ignore_checksums = T;
-event bro_init()
+event zeek_init()
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_MOUNT, mount_ports);
 	Analyzer::enable_analyzer(Analyzer::ANALYZER_MOUNT);
diff --git a/testing/btest/scripts/base/protocols/ncp/event.bro b/testing/btest/scripts/base/protocols/ncp/event.zeek
similarity index 96%
rename from testing/btest/scripts/base/protocols/ncp/event.bro
rename to testing/btest/scripts/base/protocols/ncp/event.zeek
index acb4bf0a0c..2333544b05 100644
--- a/testing/btest/scripts/base/protocols/ncp/event.bro
+++ b/testing/btest/scripts/base/protocols/ncp/event.zeek
@@ -3,7 +3,7 @@
 redef likely_server_ports += { 524/tcp };
-event bro_init()
+event zeek_init()
 	{
 	const ports = { 524/tcp };
 	Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports);
diff --git a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.zeek
similarity index 97%
rename from testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro
rename to testing/btest/scripts/base/protocols/ncp/frame_size_tuning.zeek
index 46ad87e752..cc4a5799f2 100644
--- a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro
+++ b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.zeek
@@ -3,7 +3,7 @@
 redef likely_server_ports += { 524/tcp };
-event bro_init()
+event zeek_init()
 	{
 	const ports = { 524/tcp };
 	Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports);
diff --git a/testing/btest/scripts/base/protocols/nfs/basic.test b/testing/btest/scripts/base/protocols/nfs/basic.test
index f2d2b1862a..9b7ae91910 100755
--- a/testing/btest/scripts/base/protocols/nfs/basic.test
+++ b/testing/btest/scripts/base/protocols/nfs/basic.test
@@ -4,7 +4,7 @@
 global nfs_ports: set[port] = { 2049/tcp, 2049/udp } &redef;
 redef ignore_checksums = T;
-event bro_init()
+event zeek_init()
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, nfs_ports);
 	Analyzer::enable_analyzer(Analyzer::ANALYZER_NFS);
diff --git a/testing/btest/scripts/base/protocols/pop3/starttls.bro b/testing/btest/scripts/base/protocols/pop3/starttls.zeek
similarity index 92%
rename from testing/btest/scripts/base/protocols/pop3/starttls.bro
rename to testing/btest/scripts/base/protocols/pop3/starttls.zeek
index 8e0d1ab5ef..d2bfee6449 100644
--- a/testing/btest/scripts/base/protocols/pop3/starttls.bro
+++ b/testing/btest/scripts/base/protocols/pop3/starttls.zeek
@@ -14,7 +14,7 @@ const ports = {
 };
 redef likely_server_ports += { ports };
-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, ports);
 	}
diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-proprietary-encryption.bro b/testing/btest/scripts/base/protocols/rdp/rdp-proprietary-encryption.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/rdp/rdp-proprietary-encryption.bro
rename to testing/btest/scripts/base/protocols/rdp/rdp-proprietary-encryption.zeek
diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-to-ssl.bro b/testing/btest/scripts/base/protocols/rdp/rdp-to-ssl.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/rdp/rdp-to-ssl.bro
rename to testing/btest/scripts/base/protocols/rdp/rdp-to-ssl.zeek
diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro b/testing/btest/scripts/base/protocols/rdp/rdp-x509.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/rdp/rdp-x509.bro
rename to testing/btest/scripts/base/protocols/rdp/rdp-x509.zeek
diff --git a/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test
index 627e396517..d65ee81c41 100644
--- a/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test
+++ b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test
@@ -6,7 +6,7 @@
 # The DCE_RPC analyzer is a little weird since it's instantiated
 # by the SMB analyzer directly in some cases. Care needs to be
 # taken to handle a disabled analyzer correctly.
-event bro_init()
+event zeek_init()
 	{
 	Analyzer::disable_analyzer(Analyzer::ANALYZER_DCE_RPC);
 	}
diff --git a/testing/btest/scripts/base/protocols/smb/smb2-read-write.zeek b/testing/btest/scripts/base/protocols/smb/smb2-read-write.zeek
new file mode 100644
index 0000000000..0d59e7a495
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb2-read-write.zeek
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -C -r $TRACES/smb/smb2readwrite.pcap %INPUT
+# @TEST-EXEC: btest-diff smb_files.log
+# @TEST-EXEC: btest-diff files.log
+# @TEST-EXEC: test ! -f dpd.log
+
+@load base/protocols/smb
+
+redef SMB::logged_file_actions += { SMB::FILE_READ, SMB::FILE_WRITE };
+
diff --git a/testing/btest/scripts/base/protocols/smb/smb2-write-response.test b/testing/btest/scripts/base/protocols/smb/smb2-write-response.test
new file mode 100644
index 0000000000..f926628f03
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb2-write-response.test
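Review bot: The `redef SMB::logged_file_actions += { SMB::FILE_READ, SMB::FILE_WRITE };` line in smb2-read-write.zeek has no comment, so it is not obvious that the smb_files.log rows this test diffs exist only because of that redef; a later change to the default action set would silently change what the test covers. I'd add `# Read/write actions are not logged by default; enable them so smb_files.log carries the per-operation rows this test diffs.` (that the default excludes them is inferred from the redef being needed, so confirm against the SMB script). The `test ! -f dpd.log` negative check is good; for symmetry with the smb3.test added in this commit, `# @TEST-EXEC: test ! -f weird.log` would also catch parser weirds on the read/write path.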
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -C -r $TRACES/smb/smb2readwrite.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+
+# A test for write response.
+event smb2_write_response(c: connection, hdr: SMB2::Header, length: count)
+	{
+	print fmt("smb2_write_response %s -> %s:%d, length: %d", c$id$orig_h, c$id$resp_h, c$id$resp_p, length);
+	print (hdr);
+	}
+
+
diff --git a/testing/btest/scripts/base/protocols/smb/smb3.test b/testing/btest/scripts/base/protocols/smb/smb3.test
new file mode 100644
index 0000000000..f762ea10f3
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb3.test
@@ -0,0 +1,14 @@
+# @TEST-EXEC: bro -r $TRACES/smb/smb3.pcap %INPUT
+# @TEST-EXEC: btest-diff smb_mapping.log
+# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+
+# Add a test for SMB2 transform header.
+event smb2_transform_header(c: connection, hdr: SMB2::Transform_header)
+	{
+	print fmt("smb2_transform_header %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, hdr);
+	}
+
diff --git a/testing/btest/scripts/base/protocols/smb/smb311.test b/testing/btest/scripts/base/protocols/smb/smb311.test
new file mode 100644
index 0000000000..22f232c14a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb311.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -b -C -r $TRACES/smb/smb311.pcap %INPUT
+# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+
+# Add some tests for SMB3
+event smb2_negotiate_response(c: connection, hdr: SMB2::Header, nr: SMB2::NegotiateResponse)
+	{
+	print fmt("smb2_negotiate_response %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, nr);
+	}
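Review bot: In smb2-write-response.test the comment `# A test for write response.` says nothing the event name does not, and `print (hdr);` uses parentheses no other handler on this page uses; I'd write `# Print each SMB2 write response with its endpoints and byte count, then the full header, so .stdout pins what the parser extracted.` and `print hdr;`. The two trailing blank lines at the end of the file are also worth dropping. The smb3.test and smb311.test hunks on this line are fine as negative checks (`test ! -f dpd.log` / `weird.log`), though smb3.test is the only SMB test here run without `-C`, which is fine only if that pcap's checksums are valid — worth a comment if that is deliberate.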
diff --git a/testing/btest/scripts/base/protocols/snmp/snmp-addr.bro b/testing/btest/scripts/base/protocols/snmp/snmp-addr.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/snmp/snmp-addr.bro
rename to testing/btest/scripts/base/protocols/snmp/snmp-addr.zeek
diff --git a/testing/btest/scripts/base/protocols/snmp/v1.bro b/testing/btest/scripts/base/protocols/snmp/v1.zeek
similarity index 78%
rename from testing/btest/scripts/base/protocols/snmp/v1.bro
rename to testing/btest/scripts/base/protocols/snmp/v1.zeek
index 7dd5bd4a68..09f86a28e4 100644
--- a/testing/btest/scripts/base/protocols/snmp/v1.bro
+++ b/testing/btest/scripts/base/protocols/snmp/v1.zeek
@@ -1,7 +1,7 @@
-# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_get.pcap %INPUT $SCRIPTS/snmp-test.bro >out1
-# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_get_short.pcap %INPUT $SCRIPTS/snmp-test.bro >out2
-# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_set.pcap %INPUT $SCRIPTS/snmp-test.bro >out3
-# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_trap.pcap %INPUT $SCRIPTS/snmp-test.bro >out4
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_get.pcap %INPUT $SCRIPTS/snmp-test.zeek >out1
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_get_short.pcap %INPUT $SCRIPTS/snmp-test.zeek >out2
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_set.pcap %INPUT $SCRIPTS/snmp-test.zeek >out3
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_trap.pcap %INPUT $SCRIPTS/snmp-test.zeek >out4
 # @TEST-EXEC: btest-diff out1
 # @TEST-EXEC: btest-diff out2
diff --git a/testing/btest/scripts/base/protocols/snmp/v2.bro b/testing/btest/scripts/base/protocols/snmp/v2.zeek
similarity index 77%
rename from testing/btest/scripts/base/protocols/snmp/v2.bro
rename to testing/btest/scripts/base/protocols/snmp/v2.zeek
index a2b9885fbb..58491d33b2 100644
--- a/testing/btest/scripts/base/protocols/snmp/v2.bro
+++ b/testing/btest/scripts/base/protocols/snmp/v2.zeek
@@ -1,6 +1,6 @@
-# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get.pcap %INPUT $SCRIPTS/snmp-test.bro >out1
-# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get_bulk.pcap %INPUT $SCRIPTS/snmp-test.bro >out2
-# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get_next.pcap %INPUT $SCRIPTS/snmp-test.bro >out3
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get.pcap %INPUT $SCRIPTS/snmp-test.zeek >out1
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get_bulk.pcap %INPUT $SCRIPTS/snmp-test.zeek >out2
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get_next.pcap %INPUT $SCRIPTS/snmp-test.zeek >out3
 # @TEST-EXEC: btest-diff out1
 # @TEST-EXEC: btest-diff out2
diff --git a/testing/btest/scripts/base/protocols/snmp/v3.bro b/testing/btest/scripts/base/protocols/snmp/v3.zeek
similarity index 79%
rename from testing/btest/scripts/base/protocols/snmp/v3.bro
rename to testing/btest/scripts/base/protocols/snmp/v3.zeek
index 43edbdc2df..4d72b6476d 100644
--- a/testing/btest/scripts/base/protocols/snmp/v3.bro
+++ b/testing/btest/scripts/base/protocols/snmp/v3.zeek
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv3_get_next.pcap %INPUT $SCRIPTS/snmp-test.bro >out1
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv3_get_next.pcap %INPUT $SCRIPTS/snmp-test.zeek >out1
 # @TEST-EXEC: btest-diff out1
diff --git a/testing/btest/scripts/base/protocols/socks/socks-auth.bro b/testing/btest/scripts/base/protocols/socks/socks-auth.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/socks/socks-auth.bro
rename to testing/btest/scripts/base/protocols/socks/socks-auth.zeek
diff --git a/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test b/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test
index d2aa7b536f..878d2a3064 100644
--- a/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test
+++ b/testing/btest/scripts/base/protocols/ssl/cve-2015-3194.test
@@ -3,4 +3,4 @@
 # @TEST-EXEC: bro -r $TRACES/tls/CVE-2015-3194.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
-@load protocols/ssl/validate-certs.bro
+@load protocols/ssl/validate-certs
diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test
index 1a16a10db4..20b6ab6b74 100644
--- a/testing/btest/scripts/base/protocols/ssl/dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
@@ -9,7 +9,7 @@
 @load base/frameworks/signatures
 @load-sigs base/protocols/ssl/dpd.sig
-event bro_init()
+event zeek_init()
 	{
 	print "Start test run";
 	}
diff --git a/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test b/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test
new file mode 100644
index 0000000000..e8731bb1be
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-no-dtls.test
@@ -0,0 +1,15 @@
+# This tests checks that non-dtls connections to which we attach don't trigger tons of errors.
+
+# @TEST-EXEC: bro -C -r $TRACES/dns-txt-multiple.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event zeek_init()
+	{
+	const add_ports = { 53/udp };
+	Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, add_ports);
+	}
+
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
+	{
+	print c$id, atype, reason;
+	}
diff --git a/testing/btest/scripts/base/protocols/ssl/keyexchange.test b/testing/btest/scripts/base/protocols/ssl/keyexchange.test
index 6e1106ece7..9c65ea5dda 100644
--- a/testing/btest/scripts/base/protocols/ssl/keyexchange.test
+++ b/testing/btest/scripts/base/protocols/ssl/keyexchange.test
@@ -16,7 +16,7 @@
 @load base/protocols/ssl
 @load base/files/x509
-@load protocols/ssl/extract-certs-pem.bro
+@load protocols/ssl/extract-certs-pem
 module SSL;
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
index c8c8acc589..181ee34909 100644
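Review bot: The header of dtls-no-dtls.test has a typo (`This tests checks`) and states a goal — not triggering "tons of errors" on non-DTLS traffic — that the test only pins implicitly through the .stdout baseline, so a reader cannot tell from the file how many violations are acceptable. I'd fix it to `# This test checks that non-DTLS connections to which we attach the DTLS analyzer don't trigger tons of errors.` and add, above the `protocol_violation` handler, `# One line per violation; the baseline fixes the count seen for this DNS trace, so a growing .stdout means the analyzer is re-flagging the same flow.` It is also worth saying in the header that registering DTLS on 53/udp is deliberate mis-attachment, so nobody later "corrects" the port.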
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
@@ -6,7 +6,7 @@
 @load files/x509/log-ocsp
-event bro_init()
+event zeek_init()
 	{
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
index 05483717b0..ff493a62a8 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
@@ -5,7 +5,7 @@
 @load files/x509/log-ocsp
-event bro_init()
+event zeek_init()
 	{
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
index b95203dfd8..cfa5b99375 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
@@ -6,7 +6,7 @@
 @load files/x509/log-ocsp
-event bro_init()
+event zeek_init()
 	{
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
index 43dbf82583..3b8c4a2d57 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
@@ -6,7 +6,7 @@
 @load files/x509/log-ocsp
-event bro_init()
+event zeek_init()
 	{
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
index e4378135ad..3ee0e96776 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
@@ -6,7 +6,7 @@
 @load files/x509/log-ocsp
-event bro_init()
+event zeek_init()
 	{
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
diff --git a/testing/btest/scripts/base/protocols/syslog/missing-pri.zeek b/testing/btest/scripts/base/protocols/syslog/missing-pri.zeek
new file mode 100644
index 0000000000..c33eb1638b
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/syslog/missing-pri.zeek
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/syslog-missing-pri.trace %INPUT
+# @TEST-EXEC: btest-diff syslog.log
+
+@load base/protocols/syslog
diff --git a/testing/btest/scripts/base/protocols/tcp/pending.bro b/testing/btest/scripts/base/protocols/tcp/pending.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/tcp/pending.bro
rename to testing/btest/scripts/base/protocols/tcp/pending.zeek
diff --git a/testing/btest/scripts/base/utils/active-http.test b/testing/btest/scripts/base/utils/active-http.test
index 97d06448ca..9f94a14c7f 100644
--- a/testing/btest/scripts/base/utils/active-http.test
+++ b/testing/btest/scripts/base/utils/active-http.test
@@ -35,7 +35,7 @@ function test_request(label: string, req: ActiveHTTP::Request)
 		}
 	}
-event bro_init()
+event zeek_init()
 	{
 	test_request("test1", [$url="127.0.0.1:32123"]);
 	test_request("test2", [$url="127.0.0.1:32123/empty", $method="POST"]);
diff --git a/testing/btest/scripts/base/utils/addrs.test b/testing/btest/scripts/base/utils/addrs.test
index 224fd9dc62..8e5580d3e5 100644
--- a/testing/btest/scripts/base/utils/addrs.test
+++ b/testing/btest/scripts/base/utils/addrs.test
@@ -3,7 +3,7 @@
 @load base/utils/addrs
-event bro_init()
+event zeek_init()
 	{
 	local ip = "0.0.0.0";
diff --git a/testing/btest/scripts/base/utils/decompose_uri.bro b/testing/btest/scripts/base/utils/decompose_uri.zeek
similarity index 98%
rename from testing/btest/scripts/base/utils/decompose_uri.bro
rename to testing/btest/scripts/base/utils/decompose_uri.zeek
index 6ed30e7889..074e782474 100644
--- a/testing/btest/scripts/base/utils/decompose_uri.bro
+++ b/testing/btest/scripts/base/utils/decompose_uri.zeek
@@ -10,7 +10,7 @@ function dc(s: string)
 	print "";
 	}
-event bro_init()
+event zeek_init()
 	{
 	dc("https://www.bro.org:42/documentation/faq.html?k1=v1&k2=v2");
 	dc("");
diff --git a/testing/btest/scripts/base/utils/dir.test b/testing/btest/scripts/base/utils/dir.test
index 4cbb4a3c89..c02f215d51 100644
--- a/testing/btest/scripts/base/utils/dir.test
+++ b/testing/btest/scripts/base/utils/dir.test
@@ -1,4 +1,4 @@
-# @TEST-EXEC: btest-bg-run bro bro -b ../dirtest.bro
+# @TEST-EXEC: btest-bg-run bro bro -b ../dirtest.zeek
 # @TEST-EXEC: $SCRIPTS/wait-for-file bro/next1 10 || (btest-bg-wait -k 1 && false)
 # @TEST-EXEC: touch testdir/newone
 # @TEST-EXEC: rm testdir/bye
@@ -8,7 +8,7 @@
 # @TEST-EXEC: touch testdir/newone
 # @TEST-EXEC: btest-diff bro/.stdout
-@TEST-START-FILE dirtest.bro
+@TEST-START-FILE dirtest.zeek
 @load base/utils/dir
 redef exit_only_after_terminate = T;
@@ -47,7 +47,7 @@ function new_file(fname: string)
 		terminate();
 	}
-event bro_init()
+event zeek_init()
 	{
 	Dir::monitor("../testdir", new_file, .25sec);
 	}
diff --git a/testing/btest/scripts/base/utils/directions-and-hosts.test b/testing/btest/scripts/base/utils/directions-and-hosts.test
index 92d1b48d3a..a955053d4a 100644
--- a/testing/btest/scripts/base/utils/directions-and-hosts.test
+++ b/testing/btest/scripts/base/utils/directions-and-hosts.test
@@ -40,7 +40,7 @@ function test_dir(id: conn_id, d: Direction, expect: bool)
 	          result == expect ? "SUCCESS" : "FAIL");
 	}
-event bro_init()
+event zeek_init()
 	{
 	test_host(local_ip, LOCAL_HOSTS, T);
 	test_host(local_ip, REMOTE_HOSTS, F);
diff --git a/testing/btest/scripts/base/utils/exec.test b/testing/btest/scripts/base/utils/exec.test
index 0b926df402..8913ed025c 100644
--- a/testing/btest/scripts/base/utils/exec.test
+++ b/testing/btest/scripts/base/utils/exec.test
@@ -1,8 +1,8 @@
-# @TEST-EXEC: btest-bg-run bro bro -b ../exectest.bro
+# @TEST-EXEC: btest-bg-run bro bro -b ../exectest.zeek
 # @TEST-EXEC: btest-bg-wait 15
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stdout
-@TEST-START-FILE exectest.bro
+@TEST-START-FILE exectest.zeek
 @load base/utils/exec
 redef exit_only_after_terminate = T;
@@ -26,7 +26,7 @@ function test_cmd(label: string, cmd: Exec::Command)
 		}
 	}
-event bro_init()
+event zeek_init()
 	{
 	test_cmd("test1", [$cmd="bash ../somescript.sh", $read_files=set("out1", "out2")]);
diff --git a/testing/btest/scripts/base/utils/files.test b/testing/btest/scripts/base/utils/files.test
index 3324522030..402da96bed 100644
--- a/testing/btest/scripts/base/utils/files.test
+++ b/testing/btest/scripts/base/utils/files.test
@@ -12,9 +12,9 @@ event connection_established(c: connection)
 	print generate_extraction_filename("", c, "");
 	}
-event bro_init()
+event zeek_init()
 	{
 	print extract_filename_from_content_disposition("attachment; filename=Economy");
 	print extract_filename_from_content_disposition("attachment; name=\"US-$ rates\"");
 	print extract_filename_from_content_disposition("attachment; filename*=iso-8859-1'en'%A3%20rates");
-	}
\ No newline at end of file
+	}
diff --git a/testing/btest/scripts/base/utils/hash_hrw.bro b/testing/btest/scripts/base/utils/hash_hrw.zeek
similarity index 100%
rename from testing/btest/scripts/base/utils/hash_hrw.bro
rename to testing/btest/scripts/base/utils/hash_hrw.zeek
diff --git a/testing/btest/scripts/base/utils/json.test b/testing/btest/scripts/base/utils/json.test
index 264151136a..968db1cefe 100644
--- a/testing/btest/scripts/base/utils/json.test
+++ b/testing/btest/scripts/base/utils/json.test
@@ -16,7 +16,7 @@ type myrec2: record {
 	m: myrec1 &log;
 };
-event bro_init()
+event zeek_init()
 	{
 	# #####################################
 	# Test the basic (non-container) types:
diff --git a/testing/btest/scripts/base/utils/queue.test b/testing/btest/scripts/base/utils/queue.test
index 344ea73f45..b11cac233f 100644
--- a/testing/btest/scripts/base/utils/queue.test
+++ b/testing/btest/scripts/base/utils/queue.test
@@ -4,7 +4,7 @@
 # This is loaded by default
 @load base/utils/queue
-event bro_init()
+event zeek_init()
 	{
 	local q = Queue::init([$max_len=2]);
 	Queue::put(q, 1);
@@ -30,4 +30,4 @@ event bro_init()
 	Queue::get_vector(q2, test3);
 	for ( i in test3 )
 		print fmt("String queue value: %s", test3[i]);
-	}
\ No newline at end of file
+	}
diff --git a/testing/btest/scripts/base/utils/site.test b/testing/btest/scripts/base/utils/site.test
index cfd7dd2ceb..50438a0b9c 100644
--- a/testing/btest/scripts/base/utils/site.test
+++ b/testing/btest/scripts/base/utils/site.test
@@ -12,7 +12,7 @@ redef Site::local_admins += {
 	[141.142.100.0/24] = b,
 };
-event bro_init()
+event zeek_init()
 	{
 	print Site::get_emails(141.142.1.1);
 	print Site::get_emails(141.142.100.100);
diff --git a/testing/btest/scripts/check-test-all-policy.bro b/testing/btest/scripts/check-test-all-policy.zeek
similarity index 100%
rename from testing/btest/scripts/check-test-all-policy.bro
rename to testing/btest/scripts/check-test-all-policy.zeek
diff --git a/testing/btest/scripts/policy/frameworks/files/extract-all.bro b/testing/btest/scripts/policy/frameworks/files/extract-all.zeek
similarity index 100%
rename from testing/btest/scripts/policy/frameworks/files/extract-all.bro
rename to testing/btest/scripts/policy/frameworks/files/extract-all.zeek
diff --git a/testing/btest/scripts/policy/frameworks/intel/removal.zeek b/testing/btest/scripts/policy/frameworks/intel/removal.zeek
new file mode 100644
index 0000000000..41c87bc6fb
--- /dev/null
+++ b/testing/btest/scripts/policy/frameworks/intel/removal.zeek
@@ -0,0 +1,46 @@
+
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff broproc/intel.log
+
+@TEST-START-FILE intel.dat
+#fields indicator indicator_type meta.source meta.remove
+10.0.0.1 Intel::ADDR source1 T
+10.0.0.2 Intel::ADDR source1 F
+@TEST-END-FILE
+
+@load frameworks/intel/removal
+
+redef exit_only_after_terminate = T;
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+hook Intel::filter_item(item: Intel::Item)
+ {
+ if ( item$indicator_type == Intel::ADDR &&
+ Site::is_local_addr(to_addr(item$indicator)) )
+ break;
+ }
+
+event do_it()
+ {
+ Intel::seen([$host=10.0.0.1,
+ $where=SOMEWHERE]);
+ Intel::seen([$host=10.0.0.2,
+ $where=SOMEWHERE]);
+ }
+
+global log_lines = 0;
+event Intel::log_intel(rec: Intel::Info)
+ {
+ ++log_lines;
+ if ( log_lines == 1 )
+ terminate();
+ }
+
+event zeek_init() &priority=-10
+ {
+ Intel::insert([$indicator="10.0.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+ Intel::insert([$indicator="10.0.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+ schedule 1sec { do_it() };
+ }
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro b/testing/btest/scripts/policy/frameworks/intel/seen/certs.zeek
similarity index 98%
rename from testing/btest/scripts/policy/frameworks/intel/seen/certs.bro
rename to testing/btest/scripts/policy/frameworks/intel/seen/certs.zeek
index 8571784d9a..c90c5e41f4 100644
--- a/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/certs.zeek
@@ -17,7 +17,7 @@ www.dresdner-privat.de Intel::DOMAIN source1 test entry http://some-data-distrib
 
 redef Intel::read_files += { "intel.dat" };
 
-event bro_init()
+event zeek_init()
 {
 suspend_processing();
 }
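Review bot: The new removal.zeek test has no comment saying which behaviour it pins, and the `Intel::filter_item` hook that `break`s on `Site::is_local_addr(to_addr(item$indicator))` is not obviously exercised, since nothing visible redefines `Site::local_nets` and both indicators are 10.0.0.x addresses. A one-line header such as `# An intel.dat entry with meta.remove=T (10.0.0.1) must be removed, so only the 10.0.0.2 hit reaches intel.log.` would tell the next reader what the baseline encodes; that is my reading of the file, so confirm it against the expected intel.log before adopting it. If the hook is intended as a no-op here, say so in a comment, otherwise drop it so the test measures removal alone.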
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/smb.zeek b/testing/btest/scripts/policy/frameworks/intel/seen/smb.zeek
new file mode 100644
index 0000000000..5e0024ec7c
--- /dev/null
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/smb.zeek
@@ -0,0 +1,22 @@
+# @TEST-EXEC: bro -C -r $TRACES/smb/smb2readwrite.pcap %INPUT
+# @TEST-EXEC: btest-diff intel.log
+
+@load base/frameworks/intel
+@load frameworks/intel/seen
+
+@TEST-START-FILE intel.dat
+#fields indicator indicator_type meta.source meta.desc meta.url
+pythonfile Intel::FILE_NAME source1 test entry http://some-data-distributor.com/100000
+@TEST-END-FILE
+
+redef Intel::read_files += { "intel.dat" };
+
+event zeek_init()
+ {
+ suspend_processing();
+ }
+
+event Input::end_of_data(name: string, source: string)
+ {
+ continue_processing();
+ }
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro b/testing/btest/scripts/policy/frameworks/intel/seen/smtp.zeek
similarity index 98%
rename from testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro
rename to testing/btest/scripts/policy/frameworks/intel/seen/smtp.zeek
index fd21e0f73a..6ad04e95bd 100644
--- a/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/smtp.zeek
@@ -16,7 +16,7 @@ name-addr@example.com Intel::EMAIL source1 test entry http://some-data-distribut
 
 redef Intel::read_files += { "intel.dat" };
 
-event bro_init()
+event zeek_init()
 {
 suspend_processing();
 }
diff --git a/testing/btest/scripts/policy/frameworks/intel/whitelisting.bro b/testing/btest/scripts/policy/frameworks/intel/whitelisting.zeek
similarity index 98%
rename from testing/btest/scripts/policy/frameworks/intel/whitelisting.bro
rename to testing/btest/scripts/policy/frameworks/intel/whitelisting.zeek
index 53acd49aa9..560ba35c0a 100644
--- a/testing/btest/scripts/policy/frameworks/intel/whitelisting.bro
+++ b/testing/btest/scripts/policy/frameworks/intel/whitelisting.zeek
@@ -23,7 +23,7 @@ redef Intel::read_files += {
 
 global total_files_read = 0;
 
-event bro_init()
+event zeek_init()
 {
 suspend_processing();
 }
diff --git a/testing/btest/scripts/policy/frameworks/software/version-changes.bro b/testing/btest/scripts/policy/frameworks/software/version-changes.zeek
similarity index 98%
rename from testing/btest/scripts/policy/frameworks/software/version-changes.bro
rename to testing/btest/scripts/policy/frameworks/software/version-changes.zeek
index c6d2433236..493bc1d354 100644
--- a/testing/btest/scripts/policy/frameworks/software/version-changes.bro
+++ b/testing/btest/scripts/policy/frameworks/software/version-changes.zeek
@@ -34,7 +34,7 @@ event new_software()
 event new_software();
 }
 
-event bro_init()
+event zeek_init()
 {
 event new_software();
 }
diff --git a/testing/btest/scripts/policy/frameworks/software/vulnerable.bro b/testing/btest/scripts/policy/frameworks/software/vulnerable.zeek
similarity index 98%
rename from testing/btest/scripts/policy/frameworks/software/vulnerable.bro
rename to testing/btest/scripts/policy/frameworks/software/vulnerable.zeek
index 2ea7009a21..dd233a6ffc 100644
--- a/testing/btest/scripts/policy/frameworks/software/vulnerable.bro
+++ b/testing/btest/scripts/policy/frameworks/software/vulnerable.zeek
@@ -11,7 +11,7 @@ redef Software::vulnerable_versions += {
 ["Java"] = set(java_1_6_vuln, java_1_7_vuln)
 };
 
-event bro_init()
+event zeek_init()
 {
 Software::found([$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp],
 [$name="Java", $host=1.2.3.4, $version=[$major=1, $minor=7, $minor2=0, $minor3=15]]);
diff --git a/testing/btest/scripts/policy/misc/dump-events.bro b/testing/btest/scripts/policy/misc/dump-events.zeek
similarity index 57%
rename from testing/btest/scripts/policy/misc/dump-events.bro
rename to testing/btest/scripts/policy/misc/dump-events.zeek
index 33c9c97534..d318266787 100644
--- a/testing/btest/scripts/policy/misc/dump-events.bro
+++ b/testing/btest/scripts/policy/misc/dump-events.zeek
@@ -1,6 +1,6 @@
-# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT >all-events.log
-# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT DumpEvents::include_args=F >all-events-no-args.log
-# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT DumpEvents::include=/smtp_/ >smtp-events.log
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events %INPUT >all-events.log
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events %INPUT DumpEvents::include_args=F >all-events-no-args.log
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events %INPUT DumpEvents::include=/smtp_/ >smtp-events.log
 #
 # @TEST-EXEC: btest-diff all-events.log
 # @TEST-EXEC: btest-diff all-events-no-args.log
diff --git a/testing/btest/scripts/policy/misc/weird-stats-cluster.bro b/testing/btest/scripts/policy/misc/weird-stats-cluster.zeek
similarity index 98%
rename from testing/btest/scripts/policy/misc/weird-stats-cluster.bro
rename to testing/btest/scripts/policy/misc/weird-stats-cluster.zeek
index 140bb3b006..0c73ccf189 100644
--- a/testing/btest/scripts/policy/misc/weird-stats-cluster.bro
+++ b/testing/btest/scripts/policy/misc/weird-stats-cluster.zeek
@@ -9,7 +9,7 @@
 # @TEST-EXEC: btest-diff manager-1/weird_stats.log
 
-@TEST-START-FILE cluster-layout.bro
+@TEST-START-FILE cluster-layout.zeek
 redef Cluster::nodes = {
 ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
 ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"],
diff --git a/testing/btest/scripts/policy/misc/weird-stats.bro b/testing/btest/scripts/policy/misc/weird-stats.zeek
similarity index 92%
rename from testing/btest/scripts/policy/misc/weird-stats.bro
rename to testing/btest/scripts/policy/misc/weird-stats.zeek
index b26fce8e47..16a0ca02d7 100644
--- a/testing/btest/scripts/policy/misc/weird-stats.bro
+++ b/testing/btest/scripts/policy/misc/weird-stats.zeek
@@ -2,7 +2,7 @@
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: btest-diff bro/weird_stats.log
 
-@load misc/weird-stats.bro
+@load misc/weird-stats
 
 redef exit_only_after_terminate = T;
 redef WeirdStats::weird_stat_interval = 5sec;
@@ -24,7 +24,7 @@ event gen_weirds(n: count, done: bool &default = F)
 schedule 5sec { die() };
 }
 
-event bro_init()
+event zeek_init()
 {
 event gen_weirds(1000);
 schedule 7.5sec { gen_weirds(2000) } ;
diff --git a/testing/btest/scripts/policy/protocols/conn/known-hosts.bro b/testing/btest/scripts/policy/protocols/conn/known-hosts.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/conn/known-hosts.bro
rename to testing/btest/scripts/policy/protocols/conn/known-hosts.zeek
diff --git a/testing/btest/scripts/policy/protocols/conn/known-services.bro b/testing/btest/scripts/policy/protocols/conn/known-services.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/conn/known-services.bro
rename to testing/btest/scripts/policy/protocols/conn/known-services.zeek
diff --git a/testing/btest/scripts/policy/protocols/conn/mac-logging.bro b/testing/btest/scripts/policy/protocols/conn/mac-logging.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/conn/mac-logging.bro
rename to testing/btest/scripts/policy/protocols/conn/mac-logging.zeek
diff --git a/testing/btest/scripts/policy/protocols/conn/vlan-logging.bro b/testing/btest/scripts/policy/protocols/conn/vlan-logging.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/conn/vlan-logging.bro
rename to testing/btest/scripts/policy/protocols/conn/vlan-logging.zeek
diff --git a/testing/btest/scripts/policy/protocols/dns/inverse-request.bro b/testing/btest/scripts/policy/protocols/dns/inverse-request.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/dns/inverse-request.bro
rename to testing/btest/scripts/policy/protocols/dns/inverse-request.zeek
diff --git a/testing/btest/scripts/policy/protocols/http/flash-version.bro b/testing/btest/scripts/policy/protocols/http/flash-version.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/http/flash-version.bro
rename to testing/btest/scripts/policy/protocols/http/flash-version.zeek
diff --git a/testing/btest/scripts/policy/protocols/http/header-names.bro b/testing/btest/scripts/policy/protocols/http/header-names.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/http/header-names.bro
rename to testing/btest/scripts/policy/protocols/http/header-names.zeek
diff --git a/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek
similarity index 99%
rename from testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
rename to testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek
index 2e82eb9dfb..3041abab75 100644
--- a/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
+++ b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek
@@ -3,8 +3,8 @@
 
 @load protocols/http/detect-sqli
 
-event bro_init ()
-{
+event zeek_init()
+ {
 local positive_matches: set[string];
 local negative_matches: set[string];
 
diff --git a/testing/btest/scripts/policy/protocols/krb/ticket-logging.bro b/testing/btest/scripts/policy/protocols/krb/ticket-logging.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/krb/ticket-logging.bro
rename to testing/btest/scripts/policy/protocols/krb/ticket-logging.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssh/detect-bruteforcing.bro b/testing/btest/scripts/policy/protocols/ssh/detect-bruteforcing.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssh/detect-bruteforcing.bro
rename to testing/btest/scripts/policy/protocols/ssh/detect-bruteforcing.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssl/expiring-certs.bro b/testing/btest/scripts/policy/protocols/ssl/expiring-certs.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssl/expiring-certs.bro
rename to testing/btest/scripts/policy/protocols/ssl/expiring-certs.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.bro b/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.bro
rename to testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro b/testing/btest/scripts/policy/protocols/ssl/heartbleed.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
rename to testing/btest/scripts/policy/protocols/ssl/heartbleed.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssl/known-certs.bro b/testing/btest/scripts/policy/protocols/ssl/known-certs.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssl/known-certs.bro
rename to testing/btest/scripts/policy/protocols/ssl/known-certs.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro
rename to testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.zeek
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.zeek
similarity index 75%
rename from testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro
rename to testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.zeek
index 4a3ec44468..ccca29fd7c 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.zeek
@@ -1,6 +1,6 @@
-# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.bro %INPUT
+# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log
 
-@load protocols/ssl/validate-certs.bro
+@load protocols/ssl/validate-certs
 
 redef SSL::ssl_cache_intermediate_ca = F;
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
similarity index 76%
rename from testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
rename to testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
index 9a00919643..9686c1ab28 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
@@ -1,7 +1,7 @@
-# @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.bro %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-all.log
-# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.bro %INPUT
+# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log
 
-@load protocols/ssl/validate-certs.bro
+@load protocols/ssl/validate-certs
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
similarity index 62%
rename from testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
rename to testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
index 4e53a46b02..21d174be91 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
@@ -1,9 +1,9 @@
-# @TEST-EXEC: bro $SCRIPTS/external-ca-list.bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: bro $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log
-# @TEST-EXEC: bro $SCRIPTS/external-ca-list.bro -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
+# @TEST-EXEC: bro $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-twimg.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-twimg.log
-# @TEST-EXEC: bro $SCRIPTS/external-ca-list.bro -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT
+# @TEST-EXEC: bro $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-digicert.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-digicert.log
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro b/testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek
similarity index 83%
rename from testing/btest/scripts/policy/protocols/ssl/validate-sct.bro
rename to testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek
index 0e6065f937..c21dc18094 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-sct.zeek
@@ -1,11 +1,11 @@
-# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap $SCRIPTS/external-ca-list.bro %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-all.log
-# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp-2.pcap $SCRIPTS/external-ca-list.bro %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp-2.pcap $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
 # @TEST-EXEC: btest-diff .stdout
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log
 
-@load protocols/ssl/validate-sct.bro
+@load protocols/ssl/validate-sct
 
 module SSL;
 
diff --git a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro b/testing/btest/scripts/policy/protocols/ssl/weak-keys.zeek
similarity index 100%
rename from testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
rename to testing/btest/scripts/policy/protocols/ssl/weak-keys.zeek
diff --git a/testing/btest/signatures/bad-eval-condition.bro b/testing/btest/signatures/bad-eval-condition.zeek
similarity index 100%
rename from testing/btest/signatures/bad-eval-condition.bro
rename to testing/btest/signatures/bad-eval-condition.zeek
diff --git a/testing/btest/signatures/dpd.bro b/testing/btest/signatures/dpd.zeek
similarity index 98%
rename from testing/btest/signatures/dpd.bro
rename to testing/btest/signatures/dpd.zeek
index 39f1b01294..b6d58fb3a3 100644
--- a/testing/btest/signatures/dpd.bro
+++ b/testing/btest/signatures/dpd.zeek
@@ -30,7 +30,7 @@ signature my_ftp_server {
 
 @load base/utils/addrs
 
-event bro_init()
+event zeek_init()
 {
 # no analyzer attached to any port by default, depends entirely on sigs
 print "|Analyzer::all_registered_ports()|", |Analyzer::all_registered_ports()|;
diff --git a/testing/btest/signatures/dst-ip-cidr-v4.bro b/testing/btest/signatures/dst-ip-cidr-v4.zeek
similarity index 100%
rename from testing/btest/signatures/dst-ip-cidr-v4.bro
rename to testing/btest/signatures/dst-ip-cidr-v4.zeek
diff --git a/testing/btest/signatures/dst-ip-header-condition-v4-masks.bro b/testing/btest/signatures/dst-ip-header-condition-v4-masks.zeek
similarity index 100%
rename from testing/btest/signatures/dst-ip-header-condition-v4-masks.bro
rename to testing/btest/signatures/dst-ip-header-condition-v4-masks.zeek
diff --git a/testing/btest/signatures/dst-ip-header-condition-v4.bro b/testing/btest/signatures/dst-ip-header-condition-v4.zeek
similarity index 100%
rename from testing/btest/signatures/dst-ip-header-condition-v4.bro
rename to testing/btest/signatures/dst-ip-header-condition-v4.zeek
diff --git a/testing/btest/signatures/dst-ip-header-condition-v6-masks.bro b/testing/btest/signatures/dst-ip-header-condition-v6-masks.zeek
similarity index 100%
rename from testing/btest/signatures/dst-ip-header-condition-v6-masks.bro
rename to testing/btest/signatures/dst-ip-header-condition-v6-masks.zeek
diff --git a/testing/btest/signatures/dst-ip-header-condition-v6.bro b/testing/btest/signatures/dst-ip-header-condition-v6.zeek
similarity index 100%
rename from testing/btest/signatures/dst-ip-header-condition-v6.bro
rename to testing/btest/signatures/dst-ip-header-condition-v6.zeek
diff --git a/testing/btest/signatures/dst-port-header-condition.bro b/testing/btest/signatures/dst-port-header-condition.zeek
similarity index 100%
rename from testing/btest/signatures/dst-port-header-condition.bro
rename to testing/btest/signatures/dst-port-header-condition.zeek
diff --git a/testing/btest/signatures/eval-condition-no-return-value.bro b/testing/btest/signatures/eval-condition-no-return-value.zeek
similarity index 100%
rename from testing/btest/signatures/eval-condition-no-return-value.bro
rename to testing/btest/signatures/eval-condition-no-return-value.zeek
diff --git a/testing/btest/signatures/eval-condition.bro b/testing/btest/signatures/eval-condition.zeek
similarity index 100%
rename from testing/btest/signatures/eval-condition.bro
rename to testing/btest/signatures/eval-condition.zeek
diff --git a/testing/btest/signatures/header-header-condition.bro b/testing/btest/signatures/header-header-condition.zeek
similarity index 100%
rename from testing/btest/signatures/header-header-condition.bro
rename to testing/btest/signatures/header-header-condition.zeek
diff --git a/testing/btest/signatures/id-lookup.bro b/testing/btest/signatures/id-lookup.zeek
similarity index 100%
rename from testing/btest/signatures/id-lookup.bro
rename to testing/btest/signatures/id-lookup.zeek
diff --git a/testing/btest/signatures/ip-proto-header-condition.bro b/testing/btest/signatures/ip-proto-header-condition.zeek
similarity index 100%
rename from testing/btest/signatures/ip-proto-header-condition.bro
rename to testing/btest/signatures/ip-proto-header-condition.zeek
diff --git a/testing/btest/signatures/load-sigs.bro b/testing/btest/signatures/load-sigs.zeek
similarity index 100%
rename from testing/btest/signatures/load-sigs.bro
rename to testing/btest/signatures/load-sigs.zeek
diff --git a/testing/btest/signatures/src-ip-header-condition-v4-masks.bro b/testing/btest/signatures/src-ip-header-condition-v4-masks.zeek
similarity index 100%
rename from testing/btest/signatures/src-ip-header-condition-v4-masks.bro
rename to testing/btest/signatures/src-ip-header-condition-v4-masks.zeek
diff --git a/testing/btest/signatures/src-ip-header-condition-v4.bro b/testing/btest/signatures/src-ip-header-condition-v4.zeek
similarity index 100%
rename from testing/btest/signatures/src-ip-header-condition-v4.bro
rename to testing/btest/signatures/src-ip-header-condition-v4.zeek
diff --git a/testing/btest/signatures/src-ip-header-condition-v6-masks.bro b/testing/btest/signatures/src-ip-header-condition-v6-masks.zeek
similarity index 100%
rename from testing/btest/signatures/src-ip-header-condition-v6-masks.bro
rename to testing/btest/signatures/src-ip-header-condition-v6-masks.zeek
diff --git a/testing/btest/signatures/src-ip-header-condition-v6.bro b/testing/btest/signatures/src-ip-header-condition-v6.zeek
similarity index 100%
rename from testing/btest/signatures/src-ip-header-condition-v6.bro
rename to testing/btest/signatures/src-ip-header-condition-v6.zeek
diff --git a/testing/btest/signatures/src-port-header-condition.bro b/testing/btest/signatures/src-port-header-condition.zeek
similarity index 100%
rename from testing/btest/signatures/src-port-header-condition.bro
rename to testing/btest/signatures/src-port-header-condition.zeek
diff --git a/testing/btest/signatures/udp-packetwise-match.bro b/testing/btest/signatures/udp-packetwise-match.zeek
similarity index 100%
rename from testing/btest/signatures/udp-packetwise-match.bro
rename to testing/btest/signatures/udp-packetwise-match.zeek
diff --git a/testing/btest/signatures/udp-payload-size.bro b/testing/btest/signatures/udp-payload-size.zeek
similarity index 100%
rename from testing/btest/signatures/udp-payload-size.bro
rename to testing/btest/signatures/udp-payload-size.zeek
diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing
index 5ec3d9d5e4..8322309e89 100644
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@@ -1 +1 @@
-2f7a827cc339fc14b0c978c986fa776dd9e7903c
+1ab5538b8cdb0ef78616d665e02343321f269f3d
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 310cc69417..70de5bacf4 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-60170dfea85dedd4dc9bece020d0614f04d7f30e
+f30a47f38dbde8431b5c32f4060da660d162371c
diff --git a/testing/external/scripts/external-ca-list.bro b/testing/external/scripts/external-ca-list.bro
deleted file mode 120000
index a52a9be196..0000000000
--- a/testing/external/scripts/external-ca-list.bro
+++ /dev/null
@@ -1 +0,0 @@
-../../scripts/external-ca-list.bro
\ No newline at end of file
diff --git a/testing/external/scripts/external-ca-list.zeek b/testing/external/scripts/external-ca-list.zeek
new file mode 120000
index 0000000000..a50808a16d
--- /dev/null
+++ b/testing/external/scripts/external-ca-list.zeek
@@ -0,0 +1 @@
+../../scripts/external-ca-list.zeek
\ No newline at end of file
diff --git a/testing/external/scripts/testing-setup.bro b/testing/external/scripts/testing-setup.zeek
similarity index 91%
rename from testing/external/scripts/testing-setup.bro
rename to testing/external/scripts/testing-setup.zeek
index a56a72aee5..d24813e1fc 100644
--- a/testing/external/scripts/testing-setup.bro
+++ b/testing/external/scripts/testing-setup.zeek
@@ -1,6 +1,6 @@
 # Sets some testing specific options.
 
-@load external-ca-list.bro
+@load external-ca-list
 
 @ifdef ( SMTP::never_calc_md5 )
 # MDD5s can depend on libmagic output.
diff --git a/testing/scripts/external-ca-list.bro b/testing/scripts/external-ca-list.zeek
similarity index 100%
rename from testing/scripts/external-ca-list.bro
rename to testing/scripts/external-ca-list.zeek
diff --git a/testing/scripts/file-analysis-test.bro b/testing/scripts/file-analysis-test.zeek
similarity index 99%
rename from testing/scripts/file-analysis-test.bro
rename to testing/scripts/file-analysis-test.zeek
index aa7d158b55..337bf3c1c0 100644
--- a/testing/scripts/file-analysis-test.bro
+++ b/testing/scripts/file-analysis-test.zeek
@@ -108,7 +108,7 @@ event file_state_remove(f: fa_file)
 print fmt("SHA256: %s", f$info$sha256);
 }
 
-event bro_init()
+event zeek_init()
 {
 add test_file_analyzers[Files::ANALYZER_MD5];
 add test_file_analyzers[Files::ANALYZER_SHA1];
diff --git a/testing/scripts/gen-broxygen-docs.sh b/testing/scripts/gen-zeexygen-docs.sh
similarity index 81%
rename from testing/scripts/gen-broxygen-docs.sh
rename to testing/scripts/gen-zeexygen-docs.sh
index 11f1cb066e..66287b01aa 100755
--- a/testing/scripts/gen-broxygen-docs.sh
+++ b/testing/scripts/gen-zeexygen-docs.sh
@@ -11,9 +11,9 @@ unset BRO_DEFAULT_CONNECT_RETRY
 dir="$( cd "$( dirname "$0" )" && pwd )"
 source_dir="$( cd $dir/../.. && pwd )"
 build_dir=$source_dir/build
-conf_file=$build_dir/broxygen-test.conf
+conf_file=$build_dir/zeexygen-test.conf
 output_dir=$source_dir/doc
-bro_error_file=$build_dir/broxygen-test-stderr.txt
+zeek_error_file=$build_dir/zeexygen-test-stderr.txt
 
 if [ -n "$1" ]; then
 output_dir=$1
@@ -28,13 +28,13 @@ cd $build_dir
 . bro-path-dev.sh
 export BRO_SEED_FILE=$source_dir/testing/btest/random.seed
 
-function run_bro
+function run_zeek
 {
- ZEEK_ALLOW_INIT_ERRORS=1 bro -X $conf_file broxygen >/dev/null 2>$bro_error_file
+ ZEEK_ALLOW_INIT_ERRORS=1 bro -X $conf_file zeexygen >/dev/null 2>$zeek_error_file
 if [ $? -ne 0 ]; then
- echo "Failed running bro with broxygen config file $conf_file"
- echo "See stderr in $bro_error_file"
+ echo "Failed running zeek with zeexygen config file $conf_file"
+ echo "See stderr in $zeek_error_file"
 exit 1
 fi
 }
@@ -43,7 +43,7 @@ scripts_output_dir=$output_dir/scripts
 rm -rf $scripts_output_dir
 printf "script\t*\t$scripts_output_dir/" > $conf_file
 echo "Generating $scripts_output_dir/"
-run_bro
+run_zeek
 
 script_ref_dir=$output_dir/script-reference
 mkdir -p $script_ref_dir
@@ -52,7 +52,7 @@ function generate_index
 {
 echo "Generating $script_ref_dir/$2"
 printf "$1\t*\t$script_ref_dir/$2\n" > $conf_file
- run_bro
+ run_zeek
 }
 
 generate_index "script_index" "autogenerated-script-index.rst"
diff --git a/testing/scripts/snmp-test.bro b/testing/scripts/snmp-test.zeek
similarity index 100%
rename from testing/scripts/snmp-test.bro
rename to testing/scripts/snmp-test.zeek
diff --git a/testing/scripts/update-external-repo-pointer.sh b/testing/scripts/update-external-repo-pointer.sh
new file mode 100755
index 0000000000..e6711a0d9d
--- /dev/null
+++ b/testing/scripts/update-external-repo-pointer.sh
@@ -0,0 +1,49 @@
+#! /usr/bin/env bash
+
+set -e
+
+if [ $# -ne 2 ]; then
+ echo "usage: $0 "
+ exit 1
+fi
+
+repo_dir=$1
+hash_file=$2
+
+repo_base=$(basename $repo_dir)
+file_base=$(basename $hash_file)
+
+if [ ! -d "$repo_dir" ]; then
+ echo "External repo does not exist: $repo_dir"
+ exit 1
+fi
+
+printf "Checking for '$repo_base' changes ..."
+
+origin_hash=$(cd $repo_dir && git fetch origin && git rev-parse origin/master)
+head_hash=$(cd $repo_dir && git rev-parse HEAD)
+file_hash=$(cat $hash_file)
+
+if [ "$file_hash" != "$head_hash" ]; then
+ printf "\n"
+ printf "\n"
+ printf " '$repo_base' pointer has changed:\n"
+
+ line=" $file_base at $file_hash"
+ len=${#line}
+
+ printf "%${len}s\n" "$line"
+ printf "%${len}s\n" "origin/master at $origin_hash"
+ printf "%${len}s\n" "HEAD at $head_hash"
+ printf "\n"
+ printf "Update file '$file_base' to HEAD commit ? "
+
+ read -p "[Y/n] " choice
+
+ case "$choice" in
+ n|N) echo "Skipped '$repo_base'";;
+ *) echo $head_hash > $hash_file && git add $hash_file && echo "Updated '$file_base'";;
+ esac
+else
+ echo " none"
+fi
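Review bot: In the new update-external-repo-pointer.sh hunk the two path arguments are expanded unquoted (`basename $repo_dir`, `cd $repo_dir`, `cat $hash_file`, `echo $head_hash > $hash_file`, `git add $hash_file`) and `$repo_base` / `$file_base` are interpolated into printf *format* strings (`printf "Checking for '$repo_base' changes ..."`, `printf " '$repo_base' pointer has changed:\n"`, `printf "Update file '$file_base' to HEAD commit ? "`), so a checkout path containing whitespace, a glob character or a `%` is split, expanded or mis-rendered before git ever sees it, while the existence check two lines earlier does quote `"$repo_dir"`. Quoting every expansion, passing `--` before paths and moving the variables out of the format string fixes this without touching the interactive flow; `read -p` should also take `-r` so a backslash in the answer is not interpreted. As rendered here the usage line reads `echo "usage: $0 "` with nothing after `$0`; if that is not an artifact of this page, the two argument names belong there. Note also that under `set -e` a `read` that hits EOF (a non-interactive run of the hook) aborts the script with no message, which may be intended but is worth a one-line comment above the `read`.
```shell
repo_base=$(basename -- "$repo_dir")
file_base=$(basename -- "$hash_file")
# … unchanged: directory existence check …
printf '%s' "Checking for '$repo_base' changes ..."

origin_hash=$(cd -- "$repo_dir" && git fetch origin && git rev-parse origin/master)
head_hash=$(cd -- "$repo_dir" && git rev-parse HEAD)
file_hash=$(cat -- "$hash_file")
# … unchanged: comparison, hash display lines …
    printf '%s\n' " '$repo_base' pointer has changed:"
# … unchanged: aligned origin/HEAD output …
    printf '%s' "Update file '$file_base' to HEAD commit ? "

    read -r -p "[Y/n] " choice
# … unchanged: case arms, except the update arm …
        *) printf '%s\n' "$head_hash" > "$hash_file" && git add -- "$hash_file" && echo "Updated '$file_base'";;
```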