diff --git a/CHANGES b/CHANGES
index 731643588a..cd67bd37a6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,260 @@
+2.5-381 | 2018-01-12 10:03:21 -0800
+
+
+ * Preallocate all possible PortVals, mark PortVal ctors deprecated.
+
+ The performance benefit is small (maybe ~1% at most), however, it's a
+ trivial change without downsides. (Jon Siwek)
+
+ * Add BRO_DEPRECATED macro. (Jon Siwek)
+
+ * Add functions for retrieving files by their id.
+
+ There are two new script level functions to query and lookup files
+ from the core by their IDs. These are adding feature parity for
+ similarly named functions for files. The function prototypes are
+ as follows:
+
+ Files::file_exists(fuid: string): bool
+ Files::lookup_File(fuid: string): fa_file (Seth Hall)
+
+2.5-375 | 2018-01-11 11:47:01 -0600
+
+ * Fix a test that fails in some environments (Daniel Thayer)
+
+ * Add CVE ID for BIT-1856. (Johanna Amann)
+
+2.5-372 | 2017-12-15 15:08:51 -0600
+
+ * Remove some DNS weirds that caused volume and are generally not useful:
+ dns_unmatched_msg, dns_unmatched_msg_quantity, dns_unmatched_reply.
+ (Corelight)
+
+2.5-369 | 2017-12-13 14:22:47 -0600
+
+ * Fix typo in analyzer::Manager API docs (Corelight)
+
+2.5-368 | 2017-12-08 13:09:25 -0600
+
+ * Improve for-loop iteration performance over empty tables. (Justin Azoff)
+
+ * Fix gcc7 warnings. (Johanna Amann)
+
+2.5-363 | 2017-12-05 11:00:09 -0600
+
+ * Fix documentation for ReassemblerStats. (Corelight)
+
+2.5-362 | 2017-12-02 09:45:04 -0600
+
+ * BIT-1791: Do not log SOCKS passwords by default and add
+ SOCKS::default_capture_password option. (Johanna Amann)
+
+ * Add missing ; in SSL binpac parser, found by Luke Valenta. (Johanna Amann)
+
+2.5-359 | 2017-11-29 14:01:37 -0600
+
+ * Add --ccache option to configure script (requires CMake 3.10+). (Corelight)
+
+2.5-358 | 2017-11-28 12:28:14 -0800
+
+ * Extend the TLS analyzer with several events containing cryptographic
+ parameters from the client and server key exchanges.
+
+ The new events are:
+
+ ssl_ecdh_server_params, ssl_dh_server_params, ssl_server_signature,
+ ssl_ecdh_client_params, ssl_dh_client_params, ssl_rsa_client_pms
+
+ Since ssl_ecdh_server_params contains more information than the old
+ ssl_server_curve event, ssl_server_curve is now marked as deprecated.
+
+ (Luke Valenta)
+
+2.5-352 | 2017-11-21 13:21:51 -0600
+
+ * Fix assignments to event arguments becoming visible to subsequent
+ handlers. (Robin Sommer)
+
+2.5-350 | 2017-11-21 12:19:28 -0600
+
+ * Add HookReporter plugin hook function.
+
+ This hook gives access to basically all information that is available in
+ the function in Reporter.cc that performs the logging. The hook is
+ called each time when anything passes through the reporter in the cases
+ in which an event usually would be called. This includes weirds. The
+ hook can return false to prevent the normal reporter events from being
+ raised. (Corelight)
+
+2.5-348 | 2017-11-21 11:30:55 -0600
+
+ * Fix a nb_dns.c compile error (older OSs) due to C90 vs C99. (Corelight)
+
+2.5-347 | 2017-11-20 14:00:37 -0600
+
+ * Fix and extend behavior of HookLoadFile. (Corelight)
+
+2.5-345 | 2017-11-20 11:28:59 -0600
+
+ * BIT-1827: fix error on initializing DNS w/ IPv6 nameserver. (Corelight)
+
+ * Add --build-type flag to configure wrapper. (Corelight)
+
+2.5-343 | 2017-11-17 15:27:04 -0800
+
+ * Fix ASCII logging of very large values of type "double".
+ Previously, the nonsensical "NAN.0" would be written to ASCII logs
+ for any value >= 1e248). (Daniel Thayer)
+
+ * Add more test cases to ascii-double.bro (Daniel Thayer)
+
+ * Enforce a maximum line length in ContentLine analyzer. (Justin Azoff)
+
+ * Fix OOB read with IP packets that have a header length greater than the total
+ length of their packet. (Johanna Amann)
+
+ * Verify version field of IP packets read from tunnels. (Johanna Amann)
+
+2.5-332 | 2017-10-27 13:27:16 -0700
+
+ * Bro docs tweaks for correctness and readability. (Christian Kreibich)
+
+ * Fix use-after-free in Trigger.cc. (Johanna Amann)
+
+2.5-328 | 2017-10-16 13:13:41 -0700
+
+ * Patch OOB write in content-line analyzer.
+
+ A combination of packets can trigger an out of bound write of '0' byte
+ in the content-line analyzer. Addresses BIT-1856 / CVE-2017-1000458.
+ (Frank Meier/Johanna Amann)
+
+2.5-327 | 2017-10-16 12:21:01 -0700
+
+ * Updating submodule(s).
+
+2.5-326 | 2017-10-05 14:34:20 -0700
+
+ * Update the SSH analyzer to support the "curve25519-sha256" KEX.
+ (Vlad Grigorescu)
+
+2.5-321 | 2017-10-03 12:00:29 -0500
+
+ * Add "-B scripts" flag to allow debug output of script load order.
+ (Corelight)
+
+ * Fix segmentation fault on eval condition with no return value. (Corelight)
+
+2.5-317 | 2017-09-29 09:54:50 -0400
+
+ * BIT-1853 - Fix an issue with broctl triggering reporter error in the
+ intel framework. (Justin Azoff)
+
+ * BIT-1845 - Make "in" keyword work with binary data. (Johanna Amann)
+
+ * Add TLS 1.3 fix and testcase due to Google Chrome's use of TLS 1.3.
+
+ It turns out that Chrome supports an experimental mode to support TLS
+ 1.3, which uses a non-standard way to negotiate TLS 1.3 with a server.
+ This non-standard way to negotiate TLS 1.3 breaks the current draft RFC
+ and re-uses an extension on the server-side with a different binary
+ formatting, causing us to throw a binpac exception.
+
+ This patch ignores the extension when sent by the server, continuing to
+ correctly parse the server_hello reply (as far as possible).
+
+ From what I can tell this seems to be google working around the fac
+ that MITM equipment cannot deal with TLS 1.3 server hellos; this change
+ makes the fact that TLS 1.3 is used completely opaque unless one looks
+ into a few extensions.
+
+ We currently log this as TLS 1.2. (Johanna Amann)
+
+2.5-310 | 2017-09-21 09:10:21 -0700
+
+ * fix interaction of gridftp scripts with other thresholds. (Justin Azoff)
+
+2.5-307 | 2017-09-20 10:51:09 -0500
+
+ * BIT-1846: Updating broctl submodule to include fix for symlinking
+ issue (Jon Siwek)
+
+2.5-306 | 2017-09-18 14:43:42 -0700
+
+ * Make strerror_r portable, supporting XSI/gnu versions. (Thomas Petersen)
+
+ * Prevent crash when calling bro -U. (Thomas Petersen)
+
+ * Remove annoying error message from connsize bifs. (Johanna Amann)
+
+ * Add test to verify that log rotation works with gzipped logs (Daniel Thayer)
+
+ * Fix ascii writer to not discard a ".gz" file extension. (Daniel Thayer)
+
+ When Bro writes a compressed log, it uses a file extension of ".gz".
+ However, upon log rotation the ascii writer script function
+ "default_rotation_postprocessor_func" was discarding the ".gz"
+ file extension. Fixed so that the correct file extension is
+ preserved after rotation. (Daniel Thayer)
+
+2.5-297 | 2017-09-11 09:26:33 -0700
+
+ * Fix small OCSP parser bug; serial numbers were not passed to events
+ (Johanna Amann)
+
+ * Fix expire-redef.bro test. (Daniel Thayer)
+
+2.5-294 | 2017-08-11 13:51:49 -0500
+
+ * Fix core.truncation unit test on macOS. (Jon Siwek)
+
+ * Fix a netcontrol test that often fails (Daniel Thayer)
+
+ * Update install instructions for Fedora 26 (Daniel Thayer)
+
+2.5-288 | 2017-08-04 14:17:10 -0700
+
+ * Fix field not being populated, which resulted in a reporter
+ messsage. Addresses BIT-1831. Reported by Chris Herdt. (Seth Hall)
+
+ * Support for OCSP and Signed Certificate Timestamp. (Liang
+ Zhu/Johanna Amann)
+
+ - OCSP parsing is added to the X.509 module.
+
+ - Signed Certificate Timestamp extraction, parsing, & validation
+ is added to the SSL, X.509, and OCSP analyzers. Validation is
+ added to the X.509 BIFs.
+
+ This adds the following events and BIFs:
+
+ - event ocsp_request(f: fa_file, version: count, requestorName: string);
+ - event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string);
+ - event ocsp_response_status(f: fa_file, status: string);
+ - event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector);
+ - event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time);
+ - event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool);
+ - event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string);
+ - event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string);
+ - function sct_verify(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""): bool
+ - function x509_subject_name_hash(cert: opaque of x509, hash_alg: count): string
+ - function x509_issuer_name_hash(cert: opaque of x509, hash_alg: count): string
+ - function x509_spki_hash(cert: opaque of x509, hash_alg: count): string
+
+ This also changes the MIME types that we use to identify X.509
+ certificates in SSL connections from "application/pkix-cert" to
+ "application/x-x509-user-cert" for host certificates and
+ "application/x-x509-ca-cert" for CA certificates.
+
+ * The SSL scripts provide a new hook "ssl_finishing(c: connection)"
+ to trigger actions after the handshake has concluded. (Johanna
+ Amann)
+
+ * Add an internal API for protocol analyzers to provide the MIME
+ type of file data directly, disabling automatic inferrence.
+ (Johanna Amann).
+
2.5-186 | 2017-07-28 12:22:20 -0700
* Improved handling of '%' at end of line in HTTP analyzer. (Johanna
@@ -800,7 +1056,7 @@
2.4-683 | 2016-07-08 14:55:04 -0700
- * Extendign connection history field to flag with '^' when Bro flips
+ * Extending connection history field to flag with '^' when Bro flips
a connection's endpoints. Addresses BIT-1629. (Robin Sommer)
2.4-680 | 2016-07-06 09:18:21 -0700
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 990c09b611..2abd715732 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -9,6 +9,18 @@ include(cmake/CommonCMakeConfig.cmake)
########################################################################
## Project/Build Configuration
+if ( ENABLE_CCACHE )
+ find_program(CCACHE_PROGRAM ccache)
+
+ if ( NOT CCACHE_PROGRAM )
+ message(FATAL_ERROR "ccache not found")
+ endif ()
+
+ message(STATUS "Using ccache: ${CCACHE_PROGRAM}")
+ set(CMAKE_C_COMPILER_LAUNCHER ${CCACHE_PROGRAM})
+ set(CMAKE_CXX_COMPILER_LAUNCHER ${CCACHE_PROGRAM})
+endif ()
+
set(BRO_ROOT_DIR ${CMAKE_INSTALL_PREFIX})
if (NOT BRO_SCRIPT_INSTALL_PATH)
# set the default Bro script installation path (user did not specify one)
@@ -246,6 +258,8 @@ endif ()
message(
"\n====================| Bro Build Summary |====================="
"\n"
+ "\nBuild type: ${CMAKE_BUILD_TYPE}"
+ "\nBuild dir: ${CMAKE_BINARY_DIR}"
"\nInstall prefix: ${CMAKE_INSTALL_PREFIX}"
"\nBro Script Path: ${BRO_SCRIPT_INSTALL_PATH}"
"\nDebug mode: ${ENABLE_DEBUG}"
diff --git a/NEWS b/NEWS
index a884f4fe5a..a5790fabef 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,61 @@ their own ``CHANGES``.)
Bro 2.6 (in progress)
=====================
+New Functionality
+-----------------
+
+- Support for OCSP and Signed Certificate Timestamp. This adds the
+ following events and BIFs:
+
+ - Events: ocsp_request, ocsp_request_certificate,
+ ocsp_response_status, ocsp_response_bytes
+ ocsp_response_certificate ocsp_extension
+ x509_ocsp_ext_signed_certificate_timestamp
+ ssl_extension_signed_certificate_timestamp
+
+ - Functions: sct_verify, x509_subject_name_hash,
+ x509_issuer_name_hash x509_spki_hash
+
+- The SSL scripts provide a new hook "ssl_finishing(c: connection)"
+ to trigger actions after the handshake has concluded.
+
+- New functionality has been added to the TLS parser, adding several
+ events. These events mostly extract information from the server and client
+ key exchange messages. The new events are:
+
+ ssl_ecdh_server_params, ssl_dh_server_params, ssl_server_signature,
+ ssl_ecdh_client_params, ssl_dh_client_params, ssl_rsa_client_pms
+
+ Since ssl_ecdh_server_params contains more information than the old
+ ssl_server_curve event, ssl_server_curve is now marked as deprecated.
+
+- Functions for retrieving files by their ID have been added:
+
+ Files::file_exists, Files::lookup_File
+
+Changed Functionality
+---------------------
+
+- The MIME types used to identify X.509 certificates in SSL
+ connections changed from "application/pkix-cert" to
+ "application/x-x509-user-cert" for host certificates and
+ "application/x-x509-ca-cert" for CA certificates.
+
+- With the new ssl_ecdh_server_params event, the ssl_server_curve
+ event is considered deprecated and will be removed in a future
+ version of Bro.
+
+- The Socks analyzer no longer logs passwords by default. This
+ brings its behavior in line with the FTP/HTTP analyzers which also
+ do not log passwords by default.
+
+ To restore the previous behavior and log Socks passwords, use:
+
+ redef SOCKS::default_capture_password = T;
+
+- The DNS base scripts no longer generate some noisy and annoying
+ weirds (dns_unmatched_msg, dns_unmatched_msg_quantity, dns_unmatched_reply)
+
Removed Functionality
---------------------
diff --git a/VERSION b/VERSION
index aa91067d4a..bef1549729 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5-186
+2.5-381
diff --git a/aux/binpac b/aux/binpac
index 27356ae52f..e6d13e5dfc 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 27356ae52ff9ff639b53a7325ea3262e1a13b704
+Subproject commit e6d13e5dfc9f727f7c59c0496b529bdb2a1d9b62
diff --git a/aux/bro-aux b/aux/bro-aux
index 43f4b90bba..e9e91eac74 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011
+Subproject commit e9e91eac74bf1a240e40bc62ad4f4dc3d88bc126
diff --git a/aux/broccoli b/aux/broccoli
index 25907f6b0a..13fe5fba7e 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 25907f6b0a5347304d1ec8213bfad3d114260ca0
+Subproject commit 13fe5fba7ebd314e6bf2bedbac465d4c3f2e4301
diff --git a/aux/broctl b/aux/broctl
index 1ab5ed3d3b..a075a80639 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 1ab5ed3d3b0f2a3ff231de77816a697d55abccb8
+Subproject commit a075a80639b7d543b55cc31191965eb1364e3623
diff --git a/aux/broker b/aux/broker
index 862c982f35..761ef15d9b 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 862c982f35e342fb10fa281120135cf61eca66bb
+Subproject commit 761ef15d9b72d189d29af7dd09c9e576d61fd78f
diff --git a/aux/btest b/aux/btest
index 2810ccee25..b3a5742b6b 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 2810ccee25f6f20be5cd241155f12d02a79d592a
+Subproject commit b3a5742b6b04acdd851dba4e08723a568c4aa755
diff --git a/cmake b/cmake
index 79f2b2e944..9bac595066 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 79f2b2e944da77774675be4d5254156451967371
+Subproject commit 9bac5950664ac7b50fb576a2f9422b819b505e21
diff --git a/configure b/configure
index b58dd84c6a..23b12bfb03 100755
--- a/configure
+++ b/configure
@@ -18,7 +18,15 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
Build Options:
--builddir=DIR place build files in directory [build]
+ --build-type=TYPE set CMake build type [RelWithDebInfo]:
+ - Debug: optimizations off, debug symbols + flags
+ - MinSizeRel: size optimizations, debugging off
+ - Release: optimizations on, debugging off
+ - RelWithDebInfo: optimizations on,
+ debug symbols on, debug flags off
--generator=GENERATOR CMake generator to use (see cmake --help)
+ --ccache use ccache to speed up recompilation (requires
+ ccache installation and CMake 3.10+)
Installation Directories:
--prefix=PREFIX installation directory [/usr/local/bro]
@@ -34,7 +42,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
--conf-files-dir=PATH config files installation directory [PREFIX/etc]
Optional Features:
- --enable-debug compile in debugging mode
+ --enable-debug compile in debugging mode (like --build-type=Debug)
--enable-mobile-ipv6 analyze mobile IPv6 features defined by RFC 6275
--enable-perftools force use of Google perftools on non-Linux systems
(automatically on when perftools is present on Linux)
@@ -153,9 +161,19 @@ while [ $# -ne 0 ]; do
--builddir=*)
builddir=$optarg
;;
+ --build-type=*)
+ append_cache_entry CMAKE_BUILD_TYPE STRING $optarg
+
+ if [ $(echo "$optarg" | tr [:upper:] [:lower:]) = "debug" ]; then
+ append_cache_entry ENABLE_DEBUG BOOL true
+ fi
+ ;;
--generator=*)
CMakeGenerator="$optarg"
;;
+ --ccache)
+ append_cache_entry ENABLE_CCACHE BOOL true
+ ;;
--prefix=*)
prefix=$optarg
append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg
diff --git a/doc/_static/broxygen.css b/doc/_static/broxygen.css
index 5259c3adfc..ad06b0f9d9 100644
--- a/doc/_static/broxygen.css
+++ b/doc/_static/broxygen.css
@@ -152,12 +152,10 @@ sup, sub {
pre, code {
white-space: pre;
- overflow: auto;
- margin-left: 2em;
- margin-right: 2em;
- margin-top: .5em;
- margin-bottom: 1.5em;
- word-wrap: normal;
+ overflow: auto;
+ margin-left: 0.25em;
+ margin-right: 0.25em;
+ word-wrap: normal;
}
pre, code, tt {
@@ -482,4 +480,4 @@ li {
.btest-cmd .code pre, .btest-include .code pre {
margin-left: 0px;
-}
\ No newline at end of file
+}
diff --git a/doc/_templates/layout.html b/doc/_templates/layout.html
index 3df56a12ff..4debd1d90e 100644
--- a/doc/_templates/layout.html
+++ b/doc/_templates/layout.html
@@ -10,7 +10,7 @@
{% endblock %}
{% block header %}
-
{% endblock %}
@@ -108,6 +108,6 @@
{% endblock %}
{% block footer %}
-
{% endblock %}
diff --git a/doc/install/install.rst b/doc/install/install.rst
index e7ff45b4fe..4c43ee9c73 100644
--- a/doc/install/install.rst
+++ b/doc/install/install.rst
@@ -54,6 +54,9 @@ To install the required dependencies, you can use:
sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel
+ In order to build Bro on Fedora 26, install ``compat-openssl10-devel`` instead
+ of ``openssl-devel``.
+
* DEB/Debian-based Linux:
.. console::
diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst
index 795b33f6b8..e8550ee41c 100644
--- a/doc/script-reference/log-files.rst
+++ b/doc/script-reference/log-files.rst
@@ -76,6 +76,10 @@ Files
+============================+=======================================+=================================+
| files.log | File analysis results | :bro:type:`Files::Info` |
+----------------------------+---------------------------------------+---------------------------------+
+| ocsp.log | Online Certificate Status Protocol | :bro:type:`OCSP::Info` |
+| | (OCSP). Only created if policy script | |
+| | is loaded. | |
++----------------------------+---------------------------------------+---------------------------------+
| pe.log | Portable Executable (PE) | :bro:type:`PE::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| x509.log | X.509 certificate info | :bro:type:`X509::Info` |
diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README
index 8b50366cd2..515b0e0b1c 100644
--- a/scripts/base/files/x509/README
+++ b/scripts/base/files/x509/README
@@ -1 +1,2 @@
Support for X509 certificates with the file analysis framework.
+Also supports parsing OCSP requests and responses.
diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index bbf99f6a4d..30f60f1362 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -10,23 +10,17 @@ export {
type Info: record {
## Current timestamp.
ts: time &log;
-
## File id of this certificate.
id: string &log;
-
## Basic information about the certificate.
certificate: X509::Certificate &log;
-
## The opaque wrapping the certificate. Mainly used
## for the verify operations.
handle: opaque of x509;
-
## All extensions that were encountered in the certificate.
extensions: vector of X509::Extension &default=vector();
-
## Subject alternative name extension of the certificate.
san: X509::SubjectAlternativeName &optional &log;
-
## Basic constraints extension of the certificate.
basic_constraints: X509::BasicConstraints &optional &log;
};
@@ -38,6 +32,24 @@ export {
event bro_init() &priority=5
{
Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]);
+
+ # We use MIME types internally to distinguish between user and CA certificates.
+ # The first certificate in a connection always gets tagged as user-cert, all
+ # following certificates get tagged as CA certificates. Certificates gotten via
+ # other means (e.g. identified from HTTP traffic when they are transfered in plain
+ # text) get tagged as application/pkix-cert.
+ Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert");
+ Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert");
+ Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert");
+
+ # Always calculate hashes. They are not necessary for base scripts
+ # but very useful for identification, and required for policy scripts
+ Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert");
+ Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert");
+ Files::register_for_mime_type(Files::ANALYZER_MD5, "application/pkix-cert");
+ Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert");
+ Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert");
+ Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert");
}
redef record Files::Info += {
@@ -48,9 +60,6 @@ redef record Files::Info += {
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
{
- if ( ! f$info?$mime_type )
- f$info$mime_type = "application/pkix-cert";
-
f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
}
diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro
index ed73028236..71147a77aa 100644
--- a/scripts/base/frameworks/files/main.bro
+++ b/scripts/base/frameworks/files/main.bro
@@ -135,6 +135,20 @@ export {
## The default per-file reassembly buffer size.
const reassembly_buffer_size = 524288 &redef;
+ ## Lookup to see if a particular file id exists and is still valid.
+ ##
+ ## fuid: the file id.
+ ##
+ ## Returns: T if the file uid is known.
+ global file_exists: function(fuid: string): bool;
+
+ ## Lookup an :bro:see:`fa_file` record with the file id.
+ ##
+ ## fuid: the file id.
+ ##
+ ## Returns: the associated :bro:see:`fa_file` record.
+ global lookup_file: function(fuid: string): fa_file;
+
## Allows the file reassembler to be used if it's necessary because the
## file is transferred out of order.
##
@@ -338,6 +352,16 @@ function set_info(f: fa_file)
f$info$is_orig = f$is_orig;
}
+function file_exists(fuid: string): bool
+ {
+ return __file_exists(fuid);
+ }
+
+function lookup_file(fuid: string): fa_file
+ {
+ return __lookup_file(fuid);
+ }
+
function set_timeout_interval(f: fa_file, t: interval): bool
{
return __set_timeout_interval(f$id, t);
diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro
index 820a5497a2..e75bdd0573 100644
--- a/scripts/base/frameworks/intel/cluster.bro
+++ b/scripts/base/frameworks/intel/cluster.bro
@@ -32,7 +32,7 @@ event remote_connection_handshake_done(p: event_peer)
{
# When a worker connects, send it the complete minimal data store.
# It will be kept up to date after this by the cluster_new_item event.
- if ( Cluster::nodes[p$descr]$node_type == Cluster::WORKER )
+ if ( p$descr in Cluster::nodes && Cluster::nodes[p$descr]$node_type == Cluster::WORKER )
{
send_id(p, "Intel::min_data_store");
}
diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro
index bbf11c26e7..6f2b03aafd 100644
--- a/scripts/base/frameworks/logging/writers/ascii.bro
+++ b/scripts/base/frameworks/logging/writers/ascii.bro
@@ -79,9 +79,12 @@ export {
# runs the writer's default postprocessor command on it.
function default_rotation_postprocessor_func(info: Log::RotationInfo) : bool
{
+ # If the filename has a ".gz" extension, then keep it.
+ local gz = info$fname[-3:] == ".gz" ? ".gz" : "";
+
# Move file to name including both opening and closing time.
- local dst = fmt("%s.%s.log", info$path,
- strftime(Log::default_rotation_date_format, info$open));
+ local dst = fmt("%s.%s.log%s", info$path,
+ strftime(Log::default_rotation_date_format, info$open), gz);
system(fmt("/bin/mv %s %s", info$fname, dst));
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index 6c8ba14974..42bed543ee 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -106,6 +106,7 @@ export {
["baroque_SYN"] = ACTION_LOG,
["base64_illegal_encoding"] = ACTION_LOG,
["connection_originator_SYN_ack"] = ACTION_LOG_PER_ORIG,
+ ["contentline_size_exceeded"] = ACTION_LOG,
["corrupt_tcp_options"] = ACTION_LOG_PER_ORIG,
["crud_trailing_HTTP_request"] = ACTION_LOG,
["data_after_reset"] = ACTION_LOG,
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 84fca683ea..f2ea2ed29a 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -442,10 +442,13 @@ type fa_file: record {
## Metadata that's been inferred about a particular file.
type fa_metadata: record {
- ## The strongest matching mime type if one was discovered.
+ ## The strongest matching MIME type if one was discovered.
mime_type: string &optional;
- ## All matching mime types if any were discovered.
+ ## All matching MIME types if any were discovered.
mime_types: mime_matches &optional;
+ ## Specifies whether the MIME type was inferred using signatures,
+ ## or provided directly by the protocol the file appeared in.
+ inferred: bool &default=T;
};
## Fields of a SYN packet.
@@ -528,7 +531,7 @@ type EventStats: record {
dispatched: count; ##< Total number of events dispatched so far.
};
-## Summary statistics of all regular expression matchers.
+## Holds statistics for all types of reassembly.
##
## .. bro:see:: get_reassembler_stats
type ReassemblerStats: record {
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index db5d30b55c..a8946e871e 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -2,7 +2,6 @@
##! their responses.
@load base/utils/queue
-@load base/frameworks/notice/weird
@load ./consts
module DNS;
@@ -177,9 +176,6 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
for ( i in infos )
{
- local wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=infos[i]$uid,
- $id=infos[i]$id);
- Weird::weird(wi);
Log::write(DNS::LOG, infos[i]);
}
}
@@ -187,21 +183,19 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
function log_unmatched_msgs(msgs: PendingMessages)
{
for ( trans_id in msgs )
+ {
log_unmatched_msgs_queue(msgs[trans_id]);
+ }
clear_table(msgs);
}
function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
{
- local wi: Weird::Info;
if ( id !in msgs )
{
if ( |msgs| > max_pending_query_ids )
{
- wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=msg$uid,
- $id=msg$id);
- Weird::weird(wi);
# Throw away all unmatched on assumption they'll never be matched.
log_unmatched_msgs(msgs);
}
@@ -212,9 +206,6 @@ function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
{
if ( Queue::len(msgs[id]) > max_pending_msgs )
{
- wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg_quantity", $uid=msg$uid,
- $id=msg$id);
- Weird::weird(wi);
log_unmatched_msgs_queue(msgs[id]);
# Throw away all unmatched on assumption they'll never be matched.
msgs[id] = Queue::init();
@@ -271,7 +262,6 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
# Create a new DNS session and put it in the reply queue so
# we can wait for a matching query.
c$dns = new_session(c, msg$id);
- event conn_weird("dns_unmatched_reply", c, "");
enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns);
}
}
diff --git a/scripts/base/protocols/ftp/gridftp.bro b/scripts/base/protocols/ftp/gridftp.bro
index 68be66d53a..38f6d8186c 100644
--- a/scripts/base/protocols/ftp/gridftp.bro
+++ b/scripts/base/protocols/ftp/gridftp.bro
@@ -75,6 +75,9 @@ event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is
if ( threshold < size_threshold || "gridftp-data" in c$service || c$duration > max_time )
return;
+ if ( ! data_channel_initial_criteria(c) )
+ return;
+
add c$service["gridftp-data"];
event GridFTP::data_channel_detected(c);
diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro
index a486a56290..43e782c696 100644
--- a/scripts/base/protocols/krb/files.bro
+++ b/scripts/base/protocols/krb/files.bro
@@ -90,12 +90,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
c$krb$server_cert = f$info;
c$krb$server_cert_fuid = f$id;
}
-
- Files::add_analyzer(f, Files::ANALYZER_X509);
- # Always calculate hashes. They are not necessary for base scripts
- # but very useful for identification, and required for policy scripts
- Files::add_analyzer(f, Files::ANALYZER_MD5);
- Files::add_analyzer(f, Files::ANALYZER_SHA1);
}
function fill_in_subjects(c: connection)
diff --git a/scripts/base/protocols/rdp/main.bro b/scripts/base/protocols/rdp/main.bro
index c6d550c3f7..f543fd2cae 100644
--- a/scripts/base/protocols/rdp/main.bro
+++ b/scripts/base/protocols/rdp/main.bro
@@ -236,10 +236,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
{
# Count up X509 certs.
++c$rdp$cert_count;
-
- Files::add_analyzer(f, Files::ANALYZER_X509);
- Files::add_analyzer(f, Files::ANALYZER_MD5);
- Files::add_analyzer(f, Files::ANALYZER_SHA1);
}
}
diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro
index 536e240b81..5d0ecf693d 100644
--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@@ -6,32 +6,37 @@ module SOCKS;
export {
redef enum Log::ID += { LOG };
+ ## Whether passwords are captured or not.
+ const default_capture_password = F &redef;
+
## The record type which contains the fields of the SOCKS log.
type Info: record {
## Time when the proxy connection was first detected.
- ts: time &log;
+ ts: time &log;
## Unique ID for the tunnel - may correspond to connection uid
## or be non-existent.
- uid: string &log;
+ uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
- id: conn_id &log;
+ id: conn_id &log;
## Protocol version of SOCKS.
- version: count &log;
+ version: count &log;
## Username used to request a login to the proxy.
- user: string &log &optional;
+ user: string &log &optional;
## Password used to request a login to the proxy.
- password: string &log &optional;
+ password: string &log &optional;
## Server status for the attempt at using the proxy.
- status: string &log &optional;
+ status: string &log &optional;
## Client requested SOCKS address. Could be an address, a name
## or both.
- request: SOCKS::Address &log &optional;
+ request: SOCKS::Address &log &optional;
## Client requested port.
- request_p: port &log &optional;
+ request_p: port &log &optional;
## Server bound address. Could be an address, a name or both.
- bound: SOCKS::Address &log &optional;
+ bound: SOCKS::Address &log &optional;
## Server bound port.
- bound_p: port &log &optional;
+ bound_p: port &log &optional;
+ ## Determines if the password will be captured for this request.
+ capture_password: bool &default=default_capture_password;
};
## Event that can be handled to access the SOCKS
@@ -90,10 +95,12 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres
event socks_login_userpass_request(c: connection, user: string, password: string) &priority=5
{
# Authentication only possible with the version 5.
- set_session(c, 5);
+ set_session(c, 5);
c$socks$user = user;
- c$socks$password = password;
+
+ if ( c$socks$capture_password )
+ c$socks$password = password;
}
event socks_login_userpass_reply(c: connection, code: count) &priority=5
diff --git a/scripts/base/protocols/ssl/README b/scripts/base/protocols/ssl/README
index 8fa99fd553..1fd0568101 100644
--- a/scripts/base/protocols/ssl/README
+++ b/scripts/base/protocols/ssl/README
@@ -1 +1 @@
-Support for Secure Sockets Layer (SSL) protocol analysis.
+Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis.
diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.bro
index 42287fb039..b8e4d52523 100644
--- a/scripts/base/protocols/ssl/__load__.bro
+++ b/scripts/base/protocols/ssl/__load__.bro
@@ -1,6 +1,7 @@
@load ./consts
@load ./main
@load ./mozilla-ca-list
+@load ./ct-list
@load ./files
@load-sigs ./dpd.sig
diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.bro
new file mode 100644
index 0000000000..d48f58877c
--- /dev/null
+++ b/scripts/base/protocols/ssl/ct-list.bro
@@ -0,0 +1,48 @@
+#
+# Do not edit this file. This file is automatically generated by gen-ct-list.pl
+# File generated at Thu Jul 27 16:59:25 2017
+# File generated from https://www.gstatic.com/ct/log_list/all_logs_list.json
+#
+
+@load base/protocols/ssl
+module SSL;
+redef ct_logs += {
+["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"),
+["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"),
+["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"),
+["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"),
+["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"),
+["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' log", $operator="Google", $url="ct.googleapis.com/submariner/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"),
+["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus/", $maximum_merge_delay=604800, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"),
+["\xb0\xcc\x83\xe5\xa5\xf9\x7d\x6b\xaf\x7c\x09\xcc\x28\x49\x04\x87\x2a\xc7\xe8\x8b\x13\x2c\x63\x50\xb7\xc6\xfd\x26\xe1\x6c\x6c\x77"] = CTInfo($description="Google 'Testtube' log", $operator="Google", $url="ct.googleapis.com/testtube/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc3\xc8\xbc\x4b\xba\xa2\x18\x4b\x3d\x35\x7b\xf4\x64\x91\x61\xea\xeb\x8e\x99\x1d\x90\xed\xd3\xe9\xaf\x39\x3d\x5c\xd3\x46\x91\x45\xe3\xce\xac\x76\x48\x3b\xd1\x7e\x2c\x0a\x63\x00\x65\x8d\xf5\xae\x8e\x8c\xc7\x11\x25\x4f\x43\x2c\x9d\x19\xa1\xe1\x91\xa4\xb3\xfe"),
+["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"),
+["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert Log Server 2", $operator="DigiCert", $url="ct2.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"),
+["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"),
+["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec 'Vega' log", $operator="Symantec", $url="vega.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"),
+["\xa7\xce\x4a\x4e\x62\x07\xe0\xad\xde\xe5\xfd\xaa\x4b\x1f\x86\x76\x87\x67\xb5\xd0\x02\xa5\x5d\x47\x31\x0e\x7e\x67\x0a\x95\xea\xb2"] = CTInfo($description="Symantec Deneb", $operator="Symantec", $url="deneb.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\x82\x1e\xa3\xcd\x3a\x80\x84\x1e\x97\xb8\xb7\x07\x19\xae\x76\x1a\x0e\xf8\x55\x76\x9d\x12\x33\x4e\x91\x88\xe4\xd0\x48\x50\x5c\xc1\x9f\x6a\x72\xd6\x01\xf5\x14\xd6\xd0\x38\x6e\xe1\x32\xbc\x67\x0d\x37\xe8\xba\x22\x10\xd1\x72\x86\x79\x28\x96\xf9\x17\x1e\x98"),
+["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec 'Sirius' log", $operator="Symantec", $url="sirius.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"),
+["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"),
+["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"),
+["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 'Argi' log", $operator="Izenpe", $url="ct.izenpe.eus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"),
+["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign CT log #1", $operator="Wosign", $url="ct.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"),
+["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign log", $operator="Wosign", $url="ctlog.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"),
+["\x63\xd0\x00\x60\x26\xdd\xe1\x0b\xb0\x60\x1f\x45\x24\x46\x96\x5e\xe2\xb6\xea\x2c\xd4\xfb\xc9\x5a\xc8\x66\xa5\x50\xaf\x90\x75\xb7"] = CTInfo($description="WoSign log 2", $operator="Wosign", $url="ctlog2.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa5\x8c\xe8\x35\x2e\x8e\xe5\x6a\x75\xad\x5c\x4b\x31\x61\x29\x9d\x30\x57\x8e\x02\x13\x5f\xe9\xca\xbb\x52\xa8\x43\x05\x60\xbf\x0d\x73\x57\x77\xb2\x05\xd8\x67\xf6\xf0\x33\xc9\xf9\x44\xde\xb6\x53\x73\xaa\x0c\x55\xc2\x83\x0a\x4b\xce\x5e\x1a\xc7\x17\x1d\xb3\xcd"),
+["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="GDCA CT log #1", $operator="Wang Shengnan", $url="ct.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"),
+["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA CT log #2", $operator="GDCA", $url="ctlog.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"),
+["\xdb\x76\xfd\xad\xac\x65\xe7\xd0\x95\x08\x88\x6e\x21\x59\xbd\x8b\x90\x35\x2f\x5f\xea\xd3\xe3\xdc\x5e\x22\xeb\x35\x0a\xcc\x7b\x98"] = CTInfo($description="Comodo 'Dodo' CT log", $operator="Comodo", $url="dodo.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2c\xf5\xc2\x31\xf5\x63\x43\x6a\x16\x4a\x0a\xde\xc2\xee\x1f\x21\x6e\x12\x7e\x1d\xe5\x72\x8f\x74\x0b\x02\x99\xd3\xad\x69\xbc\x02\x35\x79\xf9\x61\xe9\xcf\x00\x08\x4f\x74\xa4\xa3\x34\x9a\xe0\x43\x1c\x23\x7e\x8f\x41\xd5\xee\xc7\x1c\xa3\x82\x8a\x40\xfa\xaa\xe0"),
+["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"),
+["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"),
+["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", $operator="CNNIC", $url="ctserver.cnnic.cn/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"),
+["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom log", $operator="StartSSL", $url="ct.startssl.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"),
+["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa CT log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"),
+["\x55\x81\xd4\xc2\x16\x90\x36\x01\x4a\xea\x0b\x9b\x57\x3c\x53\xf0\xc0\xe4\x38\x78\x70\x25\x08\x17\x2f\xa3\xaa\x1d\x07\x13\xd3\x0c"] = CTInfo($description="Comodo 'Sabre' CT log", $operator="Comodo", $url="sabre.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\x6f\xd2\x89\x0f\x3f\xc5\xf8\x87\x1e\xab\x65\xb3\xd9\xbb\x17\x23\x8c\x06\x0e\x09\x55\x96\x3d\x0a\x08\xa2\xc5\x71\xb3\xd1\xa9\x2f\x28\x3e\x83\x10\xbf\x12\xd0\x44\x66\x15\xef\x54\xe1\x98\x80\xd0\xce\x24\x6d\x3e\x67\x9a\xe9\x37\x23\xce\x52\x93\x86\xda\x80"),
+["\x6f\x53\x76\xac\x31\xf0\x31\x19\xd8\x99\x00\xa4\x51\x15\xff\x77\x15\x1c\x11\xd9\x02\xc1\x00\x29\x06\x8d\xb2\x08\x9a\x37\xd9\x13"] = CTInfo($description="Comodo 'Mammoth' CT log", $operator="Comodo", $url="mammoth.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xef\xe4\x7d\x74\x2e\x15\x15\xb6\xe9\xbb\x23\x8b\xfb\x2c\xb5\xe1\xc7\x80\x98\x47\xfb\x40\x69\x68\xfc\x49\xad\x61\x4e\x83\x47\x3c\x1a\xb7\x8d\xdf\xff\x7b\x30\xb4\xba\xff\x2f\xcb\xa0\x14\xe3\xad\xd5\x85\x3f\x44\x59\x8c\x8c\x60\x8b\xd7\xb8\xb1\xbf\xae\x8c\x67"),
+["\x53\x7b\x69\xa3\x56\x43\x35\xa9\xc0\x49\x04\xe3\x95\x93\xb2\xc2\x98\xeb\x8d\x7a\x6e\x83\x02\x36\x35\xc6\x27\x24\x8c\xd6\xb4\x40"] = CTInfo($description="Nordu 'flimsy' log", $operator="NORDUnet", $url="flimsy.ct.nordu.net:8080/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe2\xa5\xaa\xe9\xa7\xe1\x05\x48\xb4\x39\xd7\x16\x51\x88\x72\x24\xb3\x57\x4e\x41\xaa\x43\xd3\xcc\x4b\x99\x6a\xa0\x28\x24\x57\x68\x75\x66\xfa\x4d\x8c\x11\xf6\xbb\xc5\x1b\x81\xc3\x90\xc2\xa0\xe8\xeb\xac\xfa\x05\x64\x09\x1a\x89\x68\xcd\x96\x26\x34\x71\x36\x91"),
+["\xaa\xe7\x0b\x7f\x3c\xb8\xd5\x66\xc8\x6c\x2f\x16\x97\x9c\x9f\x44\x5f\x69\xab\x0e\xb4\x53\x55\x89\xb2\xf7\x7a\x03\x01\x04\xf3\xcd"] = CTInfo($description="Nordu 'plausible' log", $operator="NORDUnet", $url="plausible.ct.nordu.net/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf5\x45\x7d\xfa\x33\xb6\x30\x24\xf3\x91\xa6\xe8\x74\xed\x85\xec\xb3\x34\xdc\xc5\x01\x73\xc3\x2b\x74\x0b\x64\x71\x6e\xaf\xe8\x60\x3d\xb5\xa4\xd3\xc3\xd4\x09\xaa\x87\xe6\xd0\x16\xdd\x02\xc6\xed\x24\xbf\xee\x9f\x21\x1f\xd3\x32\x24\x46\x05\xe3\x8f\x36\x98\xa9"),
+["\xcf\x55\xe2\x89\x23\x49\x7c\x34\x0d\x52\x06\xd0\x53\x53\xae\xb2\x58\x34\xb5\x2f\x1f\x8d\xc9\x52\x68\x09\xf2\x12\xef\xdd\x7c\xa6"] = CTInfo($description="SHECA CT log 1", $operator="SHECA", $url="ctlog.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x11\xa9\x60\x2b\xb4\x71\x45\x66\xe0\x2e\xde\xd5\x87\x3b\xd5\xfe\xf0\x92\x37\xf4\x68\xc6\x92\xdd\x3f\x1a\xe2\xbc\x0c\x22\xd6\x99\x63\x29\x6e\x32\x28\x14\xc0\x76\x2c\x80\xa8\x22\x51\x91\xd6\xeb\xa6\xd8\xf1\xec\xf0\x07\x7e\xb0\xfc\x76\x70\x76\x72\x7c\x91\xe9"),
+["\x32\xdc\x59\xc2\xd4\xc4\x19\x68\xd5\x6e\x14\xbc\x61\xac\x8f\x0e\x45\xdb\x39\xfa\xf3\xc1\x55\xaa\x42\x52\xf5\x00\x1f\xa0\xc6\x23"] = CTInfo($description="SHECA CT log 2", $operator="SHECA", $url="ct.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xb1\x8e\x1d\x8a\xaa\x3a\xac\xce\x86\xcb\x53\x76\xe8\xa8\x9d\x59\xbe\x17\x88\x03\x07\xf2\x27\xe0\x82\xbe\xb1\xfc\x67\x3b\x46\xee\xd3\xf1\x8d\xd6\x77\xe8\xa3\xb4\xdb\x09\x5c\xa0\x09\x43\xfc\x5f\xd0\x68\x34\x23\x24\x08\xc2\x4f\xd8\xd2\xb6\x9d\xed\xd5\x8c\xdb"),
+["\x96\x06\xc0\x2c\x69\x00\x33\xaa\x1d\x14\x5f\x59\xc6\xe2\x64\x8d\x05\x49\xf0\xdf\x96\xaa\xb8\xdb\x91\x5a\x70\xd8\xec\xf3\x90\xa5"] = CTInfo($description="Akamai CT Log", $operator="Akamai", $url="ct.akamai.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x43\x79\xeb\x49\x5c\x50\x2a\x4a\x6a\x8f\x59\x93\xbc\xc3\x42\x76\xc2\x99\xf8\x27\x81\x3c\x06\x6c\xd2\xc8\x04\x8f\x74\x7b\xb4\xb5\x21\xf2\xe3\xa8\xdc\x33\xb9\xfe\x25\xe9\x3d\x04\xfc\x3f\xb4\xae\x40\xe3\x45\x7e\x84\x92\x2a\xd8\x52\xeb\x1f\x3f\x73\x13\xd0\xc8"),
+["\x39\x37\x6f\x54\x5f\x7b\x46\x07\xf5\x97\x42\xd7\x68\xcd\x5d\x24\x37\xbf\x34\x73\xb6\x53\x4a\x48\x34\xbc\xf7\x2e\x68\x1c\x83\xc9"] = CTInfo($description="Alpha CT Log", $operator="Matt Palmer", $url="alpha.ctlogs.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa2\xf7\xed\x13\xe1\xd3\x5c\x02\x08\xc4\x8e\x8b\x9b\x8b\x3b\x39\x68\xc7\x92\x6a\x38\xa1\x4f\x23\xc5\xa5\x6f\x6f\xd7\x65\x81\xf8\xc1\x9b\xf4\x9f\xa9\x8b\x45\xf4\xb9\x4e\x1b\xc9\xa2\x69\x17\xa5\x78\x87\xd9\xce\x88\x6f\x41\x03\xbb\xa3\x2a\xe3\x77\x97\x8d\x78"),
+["\x29\x6a\xfa\x2d\x56\x8b\xca\x0d\x2e\xa8\x44\x95\x6a\xe9\x72\x1f\xc3\x5f\xa3\x55\xec\xda\x99\x69\x3a\xaf\xd4\x58\xa7\x1a\xef\xdd"] = CTInfo($description="Let's Encrypt 'Clicky' log", $operator="Let's Encrypt", $url="clicky.ct.letsencrypt.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x1f\x1a\x15\x83\x77\x00\x75\x62\xb9\x9f\xf6\x06\x05\xed\x95\x89\x83\x41\x81\x97\xe7\xe0\xd4\x33\xfe\x76\xba\x3b\xc9\x49\xc2\xcd\xf1\xcf\xfe\x12\x70\xd7\xbe\xa8\x22\x5f\xb2\xa4\x67\x02\x7b\x71\xae\x1d\xac\xa8\xe9\xd1\x08\xd5\xce\xef\x33\x7a\xc3\x5f\x00\xdc"),
+["\xb0\xb7\x84\xbc\x81\xc0\xdd\xc4\x75\x44\xe8\x83\xf0\x59\x85\xbb\x90\x77\xd1\x34\xd8\xab\x88\xb2\xb2\xe5\x33\x98\x0b\x8e\x50\x8b"] = CTInfo($description="Up In The Air 'Behind the Sofa' log", $operator="Up In The Air Consulting", $url="ct.filippo.io/behindthesofa/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x59\x39\xb2\xa6\x94\xc6\x32\xb9\xfe\x63\x69\x1e\x30\x3b\xa3\x5b\xd5\xb0\x43\xc9\x50\x1e\x95\xa5\x2d\xa7\x4c\x4a\x49\x8e\x8b\x8f\xb7\xf8\xcc\xe2\x5b\x97\x72\xd5\xea\x3f\xb1\x21\x48\xe8\x44\x6b\x7f\xea\xef\x22\xff\xdf\xf4\x5f\x3b\x6d\x77\x04\xb1\xaf\x90\x8f"),
+};
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index fad0fa0483..8750645b36 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -91,11 +91,26 @@ event bro_init() &priority=5
$describe = SSL::describe_file]);
}
-event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
{
- if ( ! c?$ssl )
+ if ( |f$conns| != 1 )
return;
+ if ( ! f?$info || ! f$info?$mime_type )
+ return;
+
+ if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert"
+ || f$info$mime_type == "application/pkix-cert" ) )
+ return;
+
+ for ( cid in f$conns )
+ {
+ if ( ! f$conns[cid]?$ssl )
+ return;
+
+ local c = f$conns[cid];
+ }
+
if ( ! c$ssl?$cert_chain )
{
c$ssl$cert_chain = vector();
@@ -104,7 +119,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
c$ssl$client_cert_chain_fuids = string_vec();
}
- if ( is_orig )
+ if ( f$is_orig )
{
c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
@@ -114,12 +129,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
}
-
- Files::add_analyzer(f, Files::ANALYZER_X509);
- # Always calculate hashes. They are not necessary for base scripts
- # but very useful for identification, and required for policy scripts.
- Files::add_analyzer(f, Files::ANALYZER_MD5);
- Files::add_analyzer(f, Files::ANALYZER_SHA1);
}
event ssl_established(c: connection) &priority=6
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 858fa343bb..5a50d4a4c3 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -64,7 +64,6 @@ export {
## Flag to indicate if this ssl session has been established
## successfully, or if it was aborted during the handshake.
established: bool &log &default=F;
-
## Flag to indicate if this record already has been logged, to
## prevent duplicates.
logged: bool &default=F;
@@ -74,6 +73,26 @@ export {
## script sets this to Mozilla's root CA list.
const root_certs: table[string] of string = {} &redef;
+ ## The record type which contains the field for the Certificate
+ ## Transparency log bundle.
+ type CTInfo: record {
+ ## Description of the Log
+ description: string;
+ ## Operator of the Log
+ operator: string;
+ ## Public key of the Log.
+ key: string;
+ ## Maximum merge delay of the Log
+ maximum_merge_delay: count;
+ ## URL of the Log
+ url: string;
+ };
+
+ ## The Certificate Transparency log bundle. By default, the ct-list.bro
+ ## script sets this to the current list of known logs. Entries
+ ## are indexed by (binary) log-id.
+ const ct_logs: table[string] of CTInfo = {} &redef;
+
## If true, detach the SSL analyzer from the connection to prevent
## continuing to process encrypted traffic. Helps with performance
## (especially with large file transfers).
@@ -90,6 +109,10 @@ export {
## Event that can be handled to access the SSL
## record as it is sent on to the logging framework.
global log_ssl: event(rec: Info);
+
+ # Hook that can be used to perform actions right before the log record
+ # is written.
+ global ssl_finishing: hook(c: connection);
}
redef record connection += {
@@ -201,7 +224,7 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
c$ssl$resumed = T;
}
-event ssl_server_curve(c: connection, curve: count) &priority=5
+event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5
{
set_session(c);
@@ -281,11 +304,22 @@ event ssl_established(c: connection) &priority=7
c$ssl$established = T;
}
+event ssl_established(c: connection) &priority=20
+ {
+ hook ssl_finishing(c);
+ }
+
event ssl_established(c: connection) &priority=-5
{
finish(c, T);
}
+event connection_state_remove(c: connection) &priority=20
+ {
+ if ( c?$ssl && ! c$ssl$logged )
+ hook ssl_finishing(c);
+ }
+
event connection_state_remove(c: connection) &priority=-5
{
if ( c?$ssl )
diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.bro
new file mode 100644
index 0000000000..e416535dd4
--- /dev/null
+++ b/scripts/policy/files/x509/log-ocsp.bro
@@ -0,0 +1,62 @@
+##! Enable logging of OCSP responses.
+#
+# This script is in policy and not loaded by default because OCSP logging
+# does not provide a lot of interesting information in most environments.
+
+module OCSP;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ ## The record type which contains the fields of the OCSP log.
+ type Info: record {
+ ## Time when the OCSP reply was encountered.
+ ts: time &log;
+ ## File id of the OCSP reply.
+ id: string &log;
+ ## Hash algorithm used to generate issuerNameHash and issuerKeyHash.
+ hashAlgorithm: string &log;
+ ## Hash of the issuer's distingueshed name.
+ issuerNameHash: string &log;
+ ## Hash of the issuer's public key.
+ issuerKeyHash: string &log;
+ ## Serial number of the affected certificate.
+ serialNumber: string &log;
+ ## Status of the affected certificate.
+ certStatus: string &log;
+ ## Time at which the certificate was revoked.
+ revoketime: time &log &optional;
+ ## Reason for which the certificate was revoked.
+ revokereason: string &log &optional;
+ ## The time at which the status being shows is known to have been correct.
+ thisUpdate: time &log;
+ ## The latest time at which new information about the status of the certificate will be available.
+ nextUpdate: time &log &optional;
+ };
+
+ ## Event that can be handled to access the OCSP record
+ ## as it is sent to the logging framework.
+ global log_ocsp: event(rec: Info);
+}
+
+event bro_init()
+ {
+ Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+ }
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+ {
+ local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash,
+ $issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus,
+ $thisUpdate=thisUpdate);
+
+ if ( revokereason != "" )
+ wr$revokereason = revokereason;
+ if ( time_to_double(revoketime) != 0 )
+ wr$revoketime = revoketime;
+ if ( time_to_double(nextUpdate) != 0 )
+ wr$nextUpdate = nextUpdate;
+
+ Log::write(LOG, wr);
+ }
diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
index f537616e7f..7f07c2b069 100644
--- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro
+++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
@@ -8,7 +8,7 @@ module X509;
export {
redef record Info += {
- # Logging is suppressed if field is set to F
+ ## Logging of certificate is suppressed if set to F
logcert: bool &default=T;
};
}
@@ -39,14 +39,29 @@ event bro_init() &priority=2
Log::add_filter(X509::LOG, f);
}
-event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=2
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=4
{
- if ( ! c?$ssl )
+ if ( |f$conns| != 1 )
return;
+ if ( ! f?$info || ! f$info?$mime_type )
+ return;
+
+ if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert"
+ || f$info$mime_type == "application/pkix-cert" ) )
+ return;
+
+ for ( cid in f$conns )
+ {
+ if ( ! f$conns[cid]?$ssl )
+ return;
+
+ local c = f$conns[cid];
+ }
+
local chain: vector of string;
- if ( is_orig )
+ if ( f$is_orig )
chain = c$ssl$client_cert_chain_fuids;
else
chain = c$ssl$cert_chain_fuids;
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
index 97072e4cab..352ff4e863 100644
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -19,12 +19,17 @@ export {
redef record Info += {
## Result of certificate validation for this connection.
validation_status: string &log &optional;
+ ## Result of certificate validation for this connection, given
+ ## as OpenSSL validation code.
+ validation_code: int &optional;
+ ## Ordered chain of validated certificate, if validation succeeded.
+ valid_chain: vector of opaque of x509 &optional;
};
- ## MD5 hash values for recently validated chains along with the
+ ## Result values for recently validated chains along with the
## validation status are kept in this table to avoid constant
## validation every time the same certificate chain is seen.
- global recently_validated_certs: table[string] of string = table()
+ global recently_validated_certs: table[string] of X509::Result = table()
&read_expire=5mins &redef;
## Use intermediate CA certificate caching when trying to validate
@@ -39,6 +44,11 @@ export {
## that you encounter. Only disable if you want to find misconfigured servers.
global ssl_cache_intermediate_ca: bool = T &redef;
+ ## Store the valid chain in c$ssl$valid_chain if validation succeeds.
+ ## This has a potentially high memory impact, depending on the local environment
+ ## and is thus disabled by default.
+ global ssl_store_valid_chain: bool = F &redef;
+
## Event from a worker to the manager that it has encountered a new
## valid intermediate.
global intermediate_add: event(key: string, value: vector of opaque of x509);
@@ -83,7 +93,7 @@ event SSL::new_intermediate(key: string, value: vector of opaque of x509)
}
@endif
-function cache_validate(chain: vector of opaque of x509): string
+function cache_validate(chain: vector of opaque of x509): X509::Result
{
local chain_hash: vector of string = vector();
@@ -97,7 +107,10 @@ function cache_validate(chain: vector of opaque of x509): string
return recently_validated_certs[chain_id];
local result = x509_verify(chain, root_certs);
- recently_validated_certs[chain_id] = result$result_string;
+ if ( ! ssl_store_valid_chain && result?$chain_certs )
+ recently_validated_certs[chain_id] = X509::Result($result=result$result, $result_string=result$result_string);
+ else
+ recently_validated_certs[chain_id] = result;
# if we have a working chain where we did not store the intermediate certs
# in our cache yet - do so
@@ -107,8 +120,8 @@ function cache_validate(chain: vector of opaque of x509): string
|result$chain_certs| > 2 )
{
local result_chain = result$chain_certs;
- local icert = x509_parse(result_chain[1]);
- if ( icert$subject !in intermediate_cache )
+ local isnh = x509_subject_name_hash(result_chain[1], 4); # SHA256
+ if ( isnh !in intermediate_cache )
{
local cachechain: vector of opaque of x509;
for ( i in result_chain )
@@ -116,14 +129,14 @@ function cache_validate(chain: vector of opaque of x509): string
if ( i >=1 && i<=|result_chain|-2 )
cachechain[i-1] = result_chain[i];
}
- add_to_cache(icert$subject, cachechain);
+ add_to_cache(isnh, cachechain);
}
}
- return result$result_string;
+ return result;
}
-event ssl_established(c: connection) &priority=3
+hook ssl_finishing(c: connection) &priority=20
{
# If there aren't any certs we can't very well do certificate validation.
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
@@ -131,23 +144,26 @@ event ssl_established(c: connection) &priority=3
return;
local intermediate_chain: vector of opaque of x509 = vector();
- local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer;
+ local issuer_name_hash = x509_issuer_name_hash(c$ssl$cert_chain[0]$x509$handle, 4); # SHA256
local hash = c$ssl$cert_chain[0]$sha1;
- local result: string;
+ local result: X509::Result;
# Look if we already have a working chain for the issuer of this cert.
# If yes, try this chain first instead of using the chain supplied from
# the server.
- if ( ssl_cache_intermediate_ca && issuer in intermediate_cache )
+ if ( ssl_cache_intermediate_ca && issuer_name_hash in intermediate_cache )
{
intermediate_chain[0] = c$ssl$cert_chain[0]$x509$handle;
- for ( i in intermediate_cache[issuer] )
- intermediate_chain[i+1] = intermediate_cache[issuer][i];
+ for ( i in intermediate_cache[issuer_name_hash] )
+ intermediate_chain[i+1] = intermediate_cache[issuer_name_hash][i];
result = cache_validate(intermediate_chain);
- if ( result == "ok" )
+ if ( result$result_string == "ok" )
{
- c$ssl$validation_status = result;
+ c$ssl$validation_status = result$result_string;
+ c$ssl$validation_code = result$result;
+ if ( result?$chain_certs )
+ c$ssl$valid_chain = result$chain_certs;
return;
}
}
@@ -163,13 +179,16 @@ event ssl_established(c: connection) &priority=3
}
result = cache_validate(chain);
- c$ssl$validation_status = result;
+ c$ssl$validation_status = result$result_string;
+ c$ssl$validation_code = result$result;
+ if ( result?$chain_certs )
+ c$ssl$valid_chain = result$chain_certs;
- if ( result != "ok" )
+ if ( result$result_string != "ok" )
{
local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
NOTICE([$note=Invalid_Server_Cert, $msg=message,
- $sub=c$ssl$subject, $conn=c,
- $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]);
+ $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c,
+ $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)]);
}
}
diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro
index 3beabbe59c..7cb8be9f0e 100644
--- a/scripts/policy/protocols/ssl/validate-ocsp.bro
+++ b/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -1,4 +1,9 @@
-##! Perform OCSP response validation.
+##! Perform validation of stapled OCSP responses.
+#!
+#! Note: this _only_ performs validation of stapled OCSP responsed. It does
+#! not validate OCSP responses that are retrieved via HTTP, because we do not
+#! have a mapping to certificates.
+
@load base/frameworks/notice
@load base/protocols/ssl
@@ -15,7 +20,6 @@ export {
redef record Info += {
## Result of ocsp validation for this connection.
ocsp_status: string &log &optional;
-
## ocsp response as string.
ocsp_response: string &optional;
};
diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro
new file mode 100644
index 0000000000..a89a5e5b19
--- /dev/null
+++ b/scripts/policy/protocols/ssl/validate-sct.bro
@@ -0,0 +1,210 @@
+##! Perform validation of Signed Certificate Timestamps, as used
+##! for Certificate Transparency. See RFC6962 for more details.
+
+@load base/protocols/ssl
+@load protocols/ssl/validate-certs
+
+# We need to know issuer certificates to be able to determine the IssuerKeyHash,
+# which is required for validating certificate extensions.
+redef SSL::ssl_store_valid_chain = T;
+
+module SSL;
+
+export {
+
+ ## List of the different sources for Signed Certificate Timestamp
+ type SctSource: enum {
+ ## Signed Certificate Timestamp was encountered in the extension of
+ ## an X.509 certificate.
+ SCT_X509_EXT,
+ ## Signed Certificate Timestamp was encountered in an TLS session
+ ## extension.
+ SCT_TLS_EXT,
+ ## Signed Certificate Timestamp was encountered in the extension of
+ ## an stapled OCSP reply.
+ SCT_OCSP_EXT
+ };
+
+ ## This record is used to store information about the SCTs that are
+ ## encountered in a SSL connection.
+ type SctInfo: record {
+ ## The version of the encountered SCT (should always be 0 for v1).
+ version: count;
+ ## The ID of the log issuing this SCT.
+ logid: string;
+ ## The timestamp at which this SCT was issued measured since the
+ ## epoch (January 1, 1970, 00:00), ignoring leap seconds, in
+ ## milliseconds. Not converted to a Bro timestamp because we need
+ ## the exact value for validation.
+ timestamp: count;
+ ## The signature algorithm used for this sct.
+ sig_alg: count;
+ ## The hash algorithm used for this sct.
+ hash_alg: count;
+ ## The signature of this SCT.
+ signature: string;
+ ## Source of this SCT.
+ source: SctSource;
+ ## Validation result of this SCT.
+ valid: bool &optional;
+ };
+
+ redef record Info += {
+ ## Number of valid SCTs that were encountered in the connection.
+ valid_scts: count &optional;
+ ## Number of SCTs that could not be validated that were encountered in the connection.
+ invalid_scts: count &optional;
+ ## Number of different Logs for which valid SCTs were encountered in the connection.
+ valid_ct_logs: count &log &optional;
+ ## Number of different Log operators of which valid SCTs were encountered in the connection.
+ valid_ct_operators: count &log &optional;
+ ## List of operators for which valid SCTs were encountered in the connection.
+ valid_ct_operators_list: set[string] &optional;
+ ## Information about all SCTs that were encountered in the connection.
+ ct_proofs: vector of SctInfo &default=vector();
+ };
+}
+
+# Used to cache validations for 5 minutes to lessen computational load.
+global recently_validated_scts: table[string] of bool = table()
+ &read_expire=5mins &redef;
+
+event bro_init()
+ {
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+ }
+
+event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5
+ {
+ c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT);
+ }
+
+event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) &priority=5
+ {
+ local src: SctSource;
+ if ( ! f?$info )
+ return;
+
+ if ( f$source == "SSL" && f$info$mime_type == "application/ocsp-response" )
+ src = SCT_OCSP_EXT;
+ else if ( f$source == "SSL" && f$info$mime_type == "application/x-x509-user-cert" )
+ src = SCT_X509_EXT;
+ else
+ return;
+
+ if ( |f$conns| != 1 )
+ return;
+
+ for ( cid in f$conns )
+ {
+ if ( ! f$conns[cid]?$ssl )
+ return;
+
+ local c = f$conns[cid];
+ }
+
+ c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src);
+ }
+
+# Priority = 19 will be handled after validation is done
+hook ssl_finishing(c: connection) &priority=19
+ {
+ if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+ return;
+
+ local cert = c$ssl$cert_chain[0]$x509$handle;
+ local certhash = c$ssl$cert_chain[0]$sha1;
+ local issuer_name_hash = x509_issuer_name_hash(cert, 4);
+ local valid_proofs = 0;
+ local invalid_proofs = 0;
+ c$ssl$valid_ct_operators_list = string_set();
+ local valid_logs = string_set();
+ local issuer_key_hash = "";
+
+ for ( i in c$ssl$ct_proofs )
+ {
+ local proof = c$ssl$ct_proofs[i];
+ if ( proof$logid !in SSL::ct_logs )
+ {
+ # Well, if we don't know the log, there is nothing to do here...
+ proof$valid = F;
+ next;
+ }
+ local log = SSL::ct_logs[proof$logid];
+
+ local valid = F;
+ local found_cache = F;
+
+ local validatestring = cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature,proof$source);
+ if ( proof$source == SCT_X509_EXT && c$ssl?$validation_code )
+ validatestring = cat(validatestring, c$ssl$validation_code);
+ local validate_hash = sha1_hash(validatestring);
+ if ( validate_hash in recently_validated_scts )
+ {
+ valid = recently_validated_scts[validate_hash];
+ found_cache = T;
+ }
+
+ if ( found_cache == F && ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) )
+ {
+ valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg);
+ }
+ else if ( found_cache == F )
+ {
+ # X.509 proof. Here things get awkward because we need information about
+ # the issuer cert... and we need to try a few times, because we have to see if we got
+ # the right issuer cert.
+ #
+ # First - Let's try if a previous round already established the correct issuer key hash.
+ if ( issuer_key_hash != "" )
+ {
+ valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);
+ }
+
+ # Second - let's see if we might already know the issuer cert through verification.
+ if ( ! valid && issuer_name_hash in intermediate_cache )
+ {
+ issuer_key_hash = x509_spki_hash(intermediate_cache[issuer_name_hash][0], 4);
+ valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);
+ }
+ if ( ! valid && c$ssl?$valid_chain && |c$ssl$valid_chain| >= 2 )
+ {
+ issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4);
+ valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);
+ }
+
+ # ok, if it still did not work - let's just try with all the certs that were sent
+ # in the connection. Perhaps it will work with one of them.
+ if ( !valid )
+ for ( i in c$ssl$cert_chain )
+ {
+ if ( i == 0 ) # end-host-cert
+ next;
+
+ issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4);
+ valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);
+ if ( valid )
+ break;
+ }
+ }
+
+ if ( ! found_cache )
+ recently_validated_scts[validate_hash] = valid;
+
+ proof$valid = valid;
+
+ if ( valid )
+ {
+ ++valid_proofs;
+ add c$ssl$valid_ct_operators_list[log$operator];
+ add valid_logs[proof$logid];
+ }
+ else
+ ++invalid_proofs;
+ }
+
+ c$ssl$valid_scts = valid_proofs;
+ c$ssl$invalid_scts = invalid_proofs;
+ c$ssl$valid_ct_operators = |c$ssl$valid_ct_operators_list|;
+ c$ssl$valid_ct_logs = |valid_logs|;
+ }
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index a022060cd4..7c828241d0 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -34,6 +34,7 @@
@load frameworks/files/entropy-test-all-files.bro
#@load frameworks/files/extract-all-files.bro
@load frameworks/files/hash-all-files.bro
+@load files/x509/log-ocsp.bro
@load frameworks/packet-filter/shunt.bro
@load frameworks/software/version-changes.bro
@load frameworks/software/vulnerable.bro
@@ -98,6 +99,7 @@
#@load protocols/ssl/notary.bro
@load protocols/ssl/validate-certs.bro
@load protocols/ssl/validate-ocsp.bro
+@load protocols/ssl/validate-sct.bro
@load protocols/ssl/weak-keys.bro
@load tuning/__load__.bro
@load tuning/defaults/__load__.bro
diff --git a/src/Anon.cc b/src/Anon.cc
index 87791501a4..a2afc489ca 100644
--- a/src/Anon.cc
+++ b/src/Anon.cc
@@ -82,7 +82,8 @@ int AnonymizeIPAddr::PreserveNet(ipaddr32_t input)
ipaddr32_t AnonymizeIPAddr_Seq::anonymize(ipaddr32_t /* input */)
{
- return htonl(seq++);
+ ++seq;
+ return htonl(seq);
}
ipaddr32_t AnonymizeIPAddr_RandomMD5::anonymize(ipaddr32_t input)
diff --git a/src/CompHash.cc b/src/CompHash.cc
index 2e28bff78e..f120c3618b 100644
--- a/src/CompHash.cc
+++ b/src/CompHash.cc
@@ -703,7 +703,7 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
break;
case TYPE_PORT:
- pval = new PortVal(*kp);
+ pval = port_mgr->Get(*kp);
break;
default:
diff --git a/src/Conn.cc b/src/Conn.cc
index 2034a57786..1edecde0b9 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -364,9 +364,9 @@ RecordVal* Connection::BuildConnVal()
RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, new AddrVal(orig_addr));
- id_val->Assign(1, new PortVal(ntohs(orig_port), prot_type));
+ id_val->Assign(1, port_mgr->Get(ntohs(orig_port), prot_type));
id_val->Assign(2, new AddrVal(resp_addr));
- id_val->Assign(3, new PortVal(ntohs(resp_port), prot_type));
+ id_val->Assign(3, port_mgr->Get(ntohs(resp_port), prot_type));
RecordVal *orig_endp = new RecordVal(endpoint);
orig_endp->Assign(0, new Val(0, TYPE_COUNT));
diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
index 6a095a15db..07590590df 100644
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@@ -19,7 +19,8 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
{ "logging", 0, false }, {"input", 0, false },
{ "threading", 0, false }, { "file_analysis", 0, false },
{ "plugins", 0, false }, { "broxygen", 0, false },
- { "pktio", 0, false }, { "broker", 0, false }
+ { "pktio", 0, false }, { "broker", 0, false },
+ { "scripts", 0, false}
};
DebugLogger::DebugLogger()
diff --git a/src/DebugLogger.h b/src/DebugLogger.h
index 3ec3979e7f..1eb8e30417 100644
--- a/src/DebugLogger.h
+++ b/src/DebugLogger.h
@@ -33,6 +33,7 @@ enum DebugStream {
DBG_BROXYGEN, // Broxygen
DBG_PKTIO, // Packet sources and dumpers.
DBG_BROKER, // Broker communication
+ DBG_SCRIPTS, // Script initialization
NUM_DBGS // Has to be last
};
diff --git a/src/Desc.cc b/src/Desc.cc
index 1d76c32e55..b64bcec8d8 100644
--- a/src/Desc.cc
+++ b/src/Desc.cc
@@ -145,7 +145,9 @@ void ODesc::Add(double d, bool no_exp)
AddBytes(&d, sizeof(d));
else
{
- char tmp[256];
+ // Buffer needs enough chars to store max. possible "double" value
+ // of 1.79e308 without using scientific notation.
+ char tmp[350];
if ( no_exp )
modp_dtoa3(d, tmp, sizeof(tmp), IsReadable() ? 6 : 8);
diff --git a/src/Event.cc b/src/Event.cc
index 6371a69248..7b1c88ea64 100644
--- a/src/Event.cc
+++ b/src/Event.cc
@@ -166,7 +166,7 @@ RecordVal* EventMgr::GetLocalPeerVal()
src_val = new RecordVal(peer);
src_val->Assign(0, new Val(0, TYPE_COUNT));
src_val->Assign(1, new AddrVal("127.0.0.1"));
- src_val->Assign(2, new PortVal(0));
+ src_val->Assign(2, port_mgr->Get(0));
src_val->Assign(3, new Val(true, TYPE_BOOL));
Ref(peer_description);
diff --git a/src/Expr.cc b/src/Expr.cc
index 9927ca52ec..bea43ff7c4 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -4351,9 +4351,8 @@ Val* InExpr::Fold(Val* v1, Val* v2) const
const BroString* s1 = v1->AsString();
const BroString* s2 = v2->AsString();
- // Could do better here - either roll our own, to deal with
- // NULs, and/or Boyer-Moore if done repeatedly.
- return new Val(strstr(s2->CheckString(), s1->CheckString()) != 0, TYPE_BOOL);
+ // Could do better here e.g. Boyer-Moore if done repeatedly.
+ return new Val(strstr_n(s2->Len(), s2->Bytes(), s1->Len(), reinterpret_cast(s1->CheckString())) != -1, TYPE_BOOL);
}
if ( v1->Type()->Tag() == TYPE_ADDR &&
diff --git a/src/File.cc b/src/File.cc
index 7c4a21d5e8..e0e0d63332 100644
--- a/src/File.cc
+++ b/src/File.cc
@@ -302,7 +302,7 @@ FILE* BroFile::BringIntoCache()
if ( ! f )
{
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
reporter->Error("can't open %s: %s", name, buf);
f = fopen("/dev/null", "w");
@@ -313,7 +313,7 @@ FILE* BroFile::BringIntoCache()
return f;
}
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
reporter->Error("can't open /dev/null: %s", buf);
return 0;
}
@@ -323,7 +323,7 @@ FILE* BroFile::BringIntoCache()
if ( fseek(f, position, SEEK_SET) < 0 )
{
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
reporter->Error("reopen seek failed: %s", buf);
}
@@ -413,7 +413,7 @@ void BroFile::Suspend()
if ( (position = ftell(f)) < 0 )
{
char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
reporter->Error("ftell failed: %s", buf);
position = 0;
}
diff --git a/src/Flare.cc b/src/Flare.cc
index 5df6d663aa..87dc946955 100644
--- a/src/Flare.cc
+++ b/src/Flare.cc
@@ -16,7 +16,7 @@ Flare::Flare()
static void bad_pipe_op(const char* which)
{
char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
reporter->FatalErrorWithCore("unexpected pipe %s failure: %s", which, buf);
}
diff --git a/src/Func.cc b/src/Func.cc
index 88da9a7a04..f7877d04a0 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -383,11 +383,7 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
FType()->FlavorString().c_str(), d.Description());
}
- loop_over_list(*args, i)
- f->SetElement(i, (*args)[i]);
-
stmt_flow_type flow = FLOW_NEXT;
-
Val* result = 0;
for ( size_t i = 0; i < bodies.size(); ++i )
@@ -397,6 +393,20 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
bodies[i].stmts->GetLocationInfo());
Unref(result);
+
+ loop_over_list(*args, j)
+ {
+ Val* arg = (*args)[j];
+
+ if ( f->NthElement(j) != arg )
+ {
+ // Either not yet set, or somebody reassigned
+ // the frame slot.
+ Ref(arg);
+ f->SetElement(j, arg);
+ }
+ }
+
f->Reset(args->length());
try
@@ -434,6 +444,11 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
}
}
+ // We have an extra Ref for each argument (so that they don't get
+ // deleted between bodies), release that.
+ loop_over_list(*args, k)
+ Unref((*args)[k]);
+
if ( Flavor() == FUNC_FLAVOR_HOOK )
{
if ( ! result )
diff --git a/src/IP.cc b/src/IP.cc
index ebe778e3d7..79e1cf4fba 100644
--- a/src/IP.cc
+++ b/src/IP.cc
@@ -370,8 +370,8 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
int tcp_hdr_len = tp->th_off * 4;
int data_len = PayloadLen() - tcp_hdr_len;
- tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
- tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
+ tcp_hdr->Assign(0, port_mgr->Get(ntohs(tp->th_sport), TRANSPORT_TCP));
+ tcp_hdr->Assign(1, port_mgr->Get(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
@@ -388,8 +388,8 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
const struct udphdr* up = (const struct udphdr*) data;
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
- udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
- udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
+ udp_hdr->Assign(0, port_mgr->Get(ntohs(up->uh_sport), TRANSPORT_UDP));
+ udp_hdr->Assign(1, port_mgr->Get(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
pkt_hdr->Assign(sindex + 3, udp_hdr);
diff --git a/src/PersistenceSerializer.cc b/src/PersistenceSerializer.cc
index 9400b2d0ca..52778ed10c 100644
--- a/src/PersistenceSerializer.cc
+++ b/src/PersistenceSerializer.cc
@@ -191,7 +191,7 @@ void PersistenceSerializer::RaiseFinishedSendState()
{
val_list* vl = new val_list;
vl->append(new AddrVal(htonl(remote_host)));
- vl->append(new PortVal(remote_port));
+ vl->append(port_mgr->Get(remote_port));
mgr.QueueEvent(finished_send_state, vl);
reporter->Log("Serialization done.");
diff --git a/src/Pipe.cc b/src/Pipe.cc
index 3f60409fdb..3775ca705d 100644
--- a/src/Pipe.cc
+++ b/src/Pipe.cc
@@ -12,7 +12,7 @@ using namespace bro;
static void pipe_fail(int eno)
{
char tmp[256];
- strerror_r(eno, tmp, sizeof(tmp));
+ bro_strerror_r(eno, tmp, sizeof(tmp));
reporter->FatalError("Pipe failure: %s", tmp);
}
diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc
index bd41c15e9d..22f09e6970 100644
--- a/src/PolicyFile.cc
+++ b/src/PolicyFile.cc
@@ -84,7 +84,7 @@ bool LoadPolicyFileText(const char* policy_filename)
if ( fstat(fileno(f), &st) != 0 )
{
char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
reporter->Error("fstat failed on %s: %s", policy_filename, buf);
fclose(f);
return false;
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 7d8899d8b9..78080e31f5 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -1809,7 +1809,7 @@ RecordVal* RemoteSerializer::MakePeerVal(Peer* peer)
v->Assign(0, new Val(uint32(peer->id), TYPE_COUNT));
// Sic! Network order for AddrVal, host order for PortVal.
v->Assign(1, new AddrVal(peer->ip));
- v->Assign(2, new PortVal(peer->port, TRANSPORT_TCP));
+ v->Assign(2, port_mgr->Get(peer->port, TRANSPORT_TCP));
v->Assign(3, new Val(false, TYPE_BOOL));
v->Assign(4, new StringVal("")); // set when received
v->Assign(5, peer->peer_class.size() ?
diff --git a/src/Reporter.cc b/src/Reporter.cc
index 4823b33ef3..eb89a29d30 100644
--- a/src/Reporter.cc
+++ b/src/Reporter.cc
@@ -10,6 +10,8 @@
#include "NetVar.h"
#include "Net.h"
#include "Conn.h"
+#include "plugin/Plugin.h"
+#include "plugin/Manager.h"
#ifdef SYSLOG_INT
extern "C" {
@@ -323,7 +325,24 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
// buffer size above.
safe_snprintf(buffer + strlen(buffer), size - strlen(buffer), " [%s]", postfix);
- if ( event && via_events && ! in_error_handler )
+ bool raise_event = true;
+
+ if ( via_events && ! in_error_handler )
+ {
+ if ( locations.size() )
+ {
+ auto locs = locations.back();
+ raise_event = PLUGIN_HOOK_WITH_RESULT(HOOK_REPORTER,
+ HookReporter(prefix, event, conn, addl, location,
+ locs.first, locs.second, time, buffer), true);
+ }
+ else
+ raise_event = PLUGIN_HOOK_WITH_RESULT(HOOK_REPORTER,
+ HookReporter(prefix, event, conn, addl, location,
+ nullptr, nullptr, time, buffer), true);
+ }
+
+ if ( raise_event && event && via_events && ! in_error_handler )
{
val_list* vl = new val_list;
diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index 9df70f118b..d9a8608e8c 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -175,8 +175,14 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
try
{
Val* val = id->ID_Val()->AsFunc()->Call(&args);
- result = val->AsBool();
- Unref(val);
+
+ if ( val )
+ {
+ result = val->AsBool();
+ Unref(val);
+ }
+ else
+ result = false;
}
catch ( InterpreterException& e )
diff --git a/src/SerialTypes.h b/src/SerialTypes.h
index cf2c52a08b..8a1a2abf51 100644
--- a/src/SerialTypes.h
+++ b/src/SerialTypes.h
@@ -115,6 +115,7 @@ SERIAL_VAL(CARDINALITY_VAL, 22)
SERIAL_VAL(X509_VAL, 23)
SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24)
SERIAL_VAL(COMM_DATA_VAL, 25)
+SERIAL_VAL(OCSP_RESP_VAL, 26)
#define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR)
SERIAL_EXPR(EXPR, 1)
diff --git a/src/Sessions.cc b/src/Sessions.cc
index e0a47780dd..9dc569daa7 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -337,11 +337,25 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
return;
}
+ // For both of these it is safe to pass ip_hdr because the presence
+ // is guaranteed for the functions that pass data to us.
+ uint16 ip_hdr_len = ip_hdr->HdrLen();
+ if ( ip_hdr_len > len )
+ {
+ Weird("invalid_IP_header_size", ip_hdr, encapsulation);
+ return;
+ }
+
+ if ( ip_hdr_len > caplen )
+ {
+ Weird("internally_truncated_header", ip_hdr, encapsulation);
+ return;
+ }
+
// Ignore if packet matches packet filter.
if ( packet_filter && packet_filter->Match(ip_hdr, len, caplen) )
return;
- int ip_hdr_len = ip_hdr->HdrLen();
if ( ! ignore_checksums && ip4 &&
ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff )
{
@@ -381,6 +395,12 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
caplen = len = ip_hdr->TotalLen();
ip_hdr_len = ip_hdr->HdrLen();
+
+ if ( ip_hdr_len > len )
+ {
+ Weird("invalid_IP_header_size", ip_hdr, encapsulation);
+ return;
+ }
}
}
@@ -618,9 +638,10 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
// Check for a valid inner packet first.
IP_Hdr* inner = 0;
int result = ParseIPPacket(caplen, data, proto, inner);
- if ( result < 0 )
+ if ( result == -2 )
+ Weird("invalid_inner_IP_version", ip_hdr, encapsulation);
+ else if ( result < 0 )
Weird("truncated_inner_IP", ip_hdr, encapsulation);
-
else if ( result > 0 )
Weird("inner_IP_payload_length_mismatch", ip_hdr, encapsulation);
@@ -819,7 +840,10 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
if ( caplen < (int)sizeof(struct ip6_hdr) )
return -1;
- inner = new IP_Hdr((const struct ip6_hdr*) pkt, false, caplen);
+ const struct ip6_hdr* ip6 = (const struct ip6_hdr*) pkt;
+ inner = new IP_Hdr(ip6, false, caplen);
+ if ( ( ip6->ip6_ctlun.ip6_un2_vfc & 0xF0 ) != 0x60 )
+ return -2;
}
else if ( proto == IPPROTO_IPV4 )
@@ -827,7 +851,10 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
if ( caplen < (int)sizeof(struct ip) )
return -1;
- inner = new IP_Hdr((const struct ip*) pkt, false);
+ const struct ip* ip4 = (const struct ip*) pkt;
+ inner = new IP_Hdr(ip4, false);
+ if ( ip4->ip_v != 4 )
+ return -2;
}
else
diff --git a/src/Sessions.h b/src/Sessions.h
index 305c9c145f..37fa81016e 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -151,8 +151,9 @@ public:
/**
* Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4
- * or IPv6 header based on whether it's long enough to contain such a header
- * and also that the payload length field of that header matches the actual
+ * or IPv6 header based on whether it's long enough to contain such a header,
+ * if version given in the header matches the proto argument, and also checks
+ * that the payload length field of that header matches the actual
* length of \a pkt given by \a caplen.
*
* @param caplen The length of \a pkt in bytes.
@@ -163,7 +164,8 @@ public:
* if \a pkt looks like a valid IP packet or at least long enough
* to hold an IP header.
* @return 0 If the inner IP packet appeared valid, else -1 if \a caplen
- * is greater than the supposed IP packet's payload length field or
+ * is greater than the supposed IP packet's payload length field, -2
+ * if the version of the inner header does not match proto or
* 1 if \a caplen is less than the supposed packet's payload length.
* In the -1 case, \a inner may still be non-null if \a caplen was
* long enough to be an IP header, and \a inner is always non-null
diff --git a/src/Stmt.cc b/src/Stmt.cc
index d93e8ff14e..71100e51e2 100644
--- a/src/Stmt.cc
+++ b/src/Stmt.cc
@@ -1293,6 +1293,9 @@ Val* ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
TableVal* tv = v->AsTableVal();
const PDict(TableEntryVal)* loop_vals = tv->AsTable();
+ if ( ! loop_vals->Length() )
+ return 0;
+
HashKey* k;
IterCookie* c = loop_vals->InitForIteration();
while ( loop_vals->NextEntry(k, c) )
diff --git a/src/Trigger.cc b/src/Trigger.cc
index 772a991791..3867c607fd 100644
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@@ -136,12 +136,12 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts,
if ( timeout_val )
{
- Unref(timeout_val);
timeout_value = timeout_val->AsInterval();
+ Unref(timeout_val);
}
// Make sure we don't get deleted if somebody calls a method like
- // Timeout() while evaluating the trigger.
+ // Timeout() while evaluating the trigger.
Ref(this);
if ( ! Eval() && timeout_value >= 0 )
diff --git a/src/TunnelEncapsulation.cc b/src/TunnelEncapsulation.cc
index cb4b1eaabe..556de9382a 100644
--- a/src/TunnelEncapsulation.cc
+++ b/src/TunnelEncapsulation.cc
@@ -22,9 +22,9 @@ RecordVal* EncapsulatingConn::GetRecordVal() const
RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, new AddrVal(src_addr));
- id_val->Assign(1, new PortVal(ntohs(src_port), proto));
+ id_val->Assign(1, port_mgr->Get(ntohs(src_port), proto));
id_val->Assign(2, new AddrVal(dst_addr));
- id_val->Assign(3, new PortVal(ntohs(dst_port), proto));
+ id_val->Assign(3, port_mgr->Get(ntohs(dst_port), proto));
rv->Assign(0, id_val);
rv->Assign(1, new EnumVal(type, BifType::Enum::Tunnel::Type));
diff --git a/src/Type.cc b/src/Type.cc
index cce328d92b..aa9388d64e 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -545,7 +545,7 @@ bool IndexType::DoUnserialize(UnserialInfo* info)
DO_UNSERIALIZE(BroType);
UNSERIALIZE_OPTIONAL(yield_type, BroType::Unserialize(info));
- indices = (TypeList*) BroType::Unserialize(info, TYPE_LIST);
+ indices = (TypeList*) BroType::Unserialize(info);
return indices != 0;
}
@@ -865,11 +865,11 @@ bool FuncType::DoUnserialize(UnserialInfo* info)
UNSERIALIZE_OPTIONAL(yield, BroType::Unserialize(info));
- args = (RecordType*) BroType::Unserialize(info, TYPE_RECORD);
+ args = (RecordType*) BroType::Unserialize(info);
if ( ! args )
return false;
- arg_types = (TypeList*) BroType::Unserialize(info, TYPE_LIST);
+ arg_types = (TypeList*) BroType::Unserialize(info);
if ( ! arg_types )
return false;
diff --git a/src/Type.h b/src/Type.h
index 5c8a05b3f6..ab52e10734 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -628,6 +628,7 @@ extern OpaqueType* cardinality_type;
extern OpaqueType* topk_type;
extern OpaqueType* bloomfilter_type;
extern OpaqueType* x509_opaque_type;
+extern OpaqueType* ocsp_resp_opaque_type;
// Returns the Bro basic (non-parameterized) type with the given type.
// The reference count of the type is not increased.
diff --git a/src/Val.cc b/src/Val.cc
index ca70e1f5df..4db8aedd73 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -760,34 +760,92 @@ bool IntervalVal::DoUnserialize(UnserialInfo* info)
return true;
}
-PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT)
+PortManager::PortManager()
+ {
+ for ( auto i = 0u; i < ports.size(); ++i )
+ {
+ auto& arr = ports[i];
+ auto port_type = (TransportProto)i;
+
+ for ( auto j = 0u; j < arr.size(); ++j )
+ arr[j] = new PortVal(Mask(j, port_type), true);
+ }
+ }
+
+PortManager::~PortManager()
+ {
+ for ( auto& arr : ports )
+ for ( auto& pv : arr )
+ Unref(pv);
+ }
+
+PortVal* PortManager::Get(uint32 port_num) const
+ {
+ auto mask = port_num & PORT_SPACE_MASK;
+ port_num &= ~PORT_SPACE_MASK;
+
+ if ( mask == TCP_PORT_MASK )
+ return Get(port_num, TRANSPORT_TCP);
+ else if ( mask == UDP_PORT_MASK )
+ return Get(port_num, TRANSPORT_UDP);
+ else if ( mask == ICMP_PORT_MASK )
+ return Get(port_num, TRANSPORT_ICMP);
+ else
+ return Get(port_num, TRANSPORT_UNKNOWN);
+ }
+
+PortVal* PortManager::Get(uint32 port_num, TransportProto port_type) const
+ {
+ if ( port_num >= 65536 )
+ {
+ reporter->Warning("bad port number %d", port_num);
+ port_num = 0;
+ }
+
+ auto rval = ports[port_type][port_num];
+ ::Ref(rval);
+ return rval;
+ }
+
+uint32 PortManager::Mask(uint32 port_num, TransportProto port_type) const
{
// Note, for ICMP one-way connections:
// src_port = icmp_type, dst_port = icmp_code.
- if ( p >= 65536 )
+ if ( port_num >= 65536 )
{
- InternalWarning("bad port number");
- p = 0;
+ reporter->Warning("bad port number %d", port_num);
+ port_num = 0;
}
switch ( port_type ) {
case TRANSPORT_TCP:
- p |= TCP_PORT_MASK;
+ port_num |= TCP_PORT_MASK;
break;
case TRANSPORT_UDP:
- p |= UDP_PORT_MASK;
+ port_num |= UDP_PORT_MASK;
break;
case TRANSPORT_ICMP:
- p |= ICMP_PORT_MASK;
+ port_num |= ICMP_PORT_MASK;
break;
default:
- break; // "other"
+ break; // "unknown/other"
}
+ return port_num;
+ }
+
+PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT)
+ {
+ auto port_num = port_mgr->Mask(p, port_type);
+ val.uint_val = static_cast(port_num);
+ }
+
+PortVal::PortVal(uint32 p, bool unused) : Val(TYPE_PORT)
+ {
val.uint_val = static_cast(p);
}
diff --git a/src/Val.h b/src/Val.h
index 160eeafe64..6da37b7137 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -7,6 +7,7 @@
#include
#include
+#include
#include "net_util.h"
#include "Type.h"
@@ -503,11 +504,35 @@ protected:
#define UDP_PORT_MASK 0x20000
#define ICMP_PORT_MASK 0x30000
+class PortManager {
+public:
+ PortManager();
+ ~PortManager();
+
+ // Port number given in host order.
+ PortVal* Get(uint32 port_num, TransportProto port_type) const;
+
+ // Host-order port number already masked with port space protocol mask.
+ PortVal* Get(uint32 port_num) const;
+
+ // Returns a masked port number
+ uint32 Mask(uint32 port_num, TransportProto port_type) const;
+
+private:
+ std::array, NUM_PORT_SPACES> ports;
+};
+
+extern PortManager* port_mgr;
+
class PortVal : public Val {
public:
- // Constructors - both take the port number in host order.
+ // Port number given in host order.
+ BRO_DEPRECATED("use port_mgr->Get() instead")
PortVal(uint32 p, TransportProto port_type);
- PortVal(uint32 p); // used for already-massaged port value.
+
+ // Host-order port number already masked with port space protocol mask.
+ BRO_DEPRECATED("use port_mgr->Get() instead")
+ PortVal(uint32 p);
Val* SizeVal() const override { return new Val(val.uint_val, TYPE_INT); }
@@ -533,7 +558,9 @@ public:
protected:
friend class Val;
+ friend class PortManager;
PortVal() {}
+ PortVal(uint32 p, bool unused);
void ValDescribe(ODesc* d) const override;
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 9858001c6f..4b5441f395 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -434,14 +434,16 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
if ( tcp_contents && ! reass )
{
- PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP);
+ auto dport = port_mgr->Get(ntohs(conn->RespPort()), TRANSPORT_TCP);
Val* result;
if ( ! reass )
- reass = tcp_content_delivery_ports_orig->Lookup(&dport);
+ reass = tcp_content_delivery_ports_orig->Lookup(dport);
if ( ! reass )
- reass = tcp_content_delivery_ports_resp->Lookup(&dport);
+ reass = tcp_content_delivery_ports_resp->Lookup(dport);
+
+ Unref(dport);
}
if ( reass )
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h
index 2388a36219..d341940e7d 100644
--- a/src/analyzer/Manager.h
+++ b/src/analyzer/Manager.h
@@ -114,7 +114,7 @@ public:
bool DisableAnalyzer(Tag tag);
/**
- * Enables an analyzer type. Disabled analyzers will not be
+ * Disables an analyzer type. Disabled analyzers will not be
* instantiated for new connections.
*
* @param tag The analyzer's tag as an enum of script type \c
diff --git a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
index 56fcc794bc..1d8cbe90b6 100644
--- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
+++ b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
@@ -59,6 +59,11 @@ flow AYIYA_Flow
if ( result == 0 )
connection()->bro_analyzer()->ProtocolConfirmation();
+ else if ( result == -2 )
+ connection()->bro_analyzer()->ProtocolViolation(
+ "AYIYA next header internal mismatch", (const char*)${pdu.packet}.data(),
+ ${pdu.packet}.length());
+
else if ( result < 0 )
connection()->bro_analyzer()->ProtocolViolation(
"Truncated AYIYA", (const char*) ${pdu.packet}.data(),
diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
index 43ee6a2b21..452fb0fe6c 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@@ -482,7 +482,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
RecordVal* peer = new RecordVal(bittorrent_peer);
peer->Assign(0, new AddrVal(ad));
- peer->Assign(1, new PortVal(pt, TRANSPORT_TCP));
+ peer->Assign(1, port_mgr->Get(pt, TRANSPORT_TCP));
res_val_peers->Assign(peer, 0);
Unref(peer);
diff --git a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
index 3bc6d90230..6040577d39 100644
--- a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
+++ b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
@@ -222,7 +222,7 @@ flow BitTorrent_Flow(is_orig: bool) {
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
- new PortVal(listen_port, TRANSPORT_TCP));
+ port_mgr->Get(listen_port, TRANSPORT_TCP));
}
return true;
diff --git a/src/analyzer/protocol/conn-size/functions.bif b/src/analyzer/protocol/conn-size/functions.bif
index a05359a17b..225e9db913 100644
--- a/src/analyzer/protocol/conn-size/functions.bif
+++ b/src/analyzer/protocol/conn-size/functions.bif
@@ -5,10 +5,7 @@ static analyzer::Analyzer* GetConnsizeAnalyzer(Val* cid)
{
Connection* c = sessions->FindConnection(cid);
if ( ! c )
- {
- reporter->Error("cannot find connection");
return 0;
- }
analyzer::Analyzer* a = c->FindAnalyzer("CONNSIZE");
if ( ! a )
diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc
index a9818ff7af..e1be27e795 100644
--- a/src/analyzer/protocol/finger/Finger.cc
+++ b/src/analyzer/protocol/finger/Finger.cc
@@ -17,9 +17,9 @@ Finger_Analyzer::Finger_Analyzer(Connection* conn)
: tcp::TCP_ApplicationAnalyzer("FINGER", conn)
{
did_deliver = 0;
- content_line_orig = new tcp::ContentLine_Analyzer(conn, true);
+ content_line_orig = new tcp::ContentLine_Analyzer(conn, true, 1000);
content_line_orig->SetIsNULSensitive(true);
- content_line_resp = new tcp::ContentLine_Analyzer(conn, false);
+ content_line_resp = new tcp::ContentLine_Analyzer(conn, false, 1000);
AddSupportAnalyzer(content_line_orig);
AddSupportAnalyzer(content_line_resp);
}
diff --git a/src/analyzer/protocol/ftp/functions.bif b/src/analyzer/protocol/ftp/functions.bif
index b57b24df20..9508061102 100644
--- a/src/analyzer/protocol/ftp/functions.bif
+++ b/src/analyzer/protocol/ftp/functions.bif
@@ -33,13 +33,13 @@ static Val* parse_port(const char* line)
}
r->Assign(0, new AddrVal(htonl(addr)));
- r->Assign(1, new PortVal(port, TRANSPORT_TCP));
+ r->Assign(1, port_mgr->Get(port, TRANSPORT_TCP));
r->Assign(2, new Val(good, TYPE_BOOL));
}
else
{
r->Assign(0, new AddrVal(uint32(0)));
- r->Assign(1, new PortVal(0, TRANSPORT_TCP));
+ r->Assign(1, port_mgr->Get(0, TRANSPORT_TCP));
r->Assign(2, new Val(0, TYPE_BOOL));
}
@@ -109,7 +109,7 @@ static Val* parse_eftp(const char* line)
}
r->Assign(0, new AddrVal(addr));
- r->Assign(1, new PortVal(port, TRANSPORT_TCP));
+ r->Assign(1, port_mgr->Get(port, TRANSPORT_TCP));
r->Assign(2, new Val(good, TYPE_BOOL));
return r;
diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
index 23281c1bb8..c0d9b6e32f 100644
--- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
+++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
@@ -740,6 +740,9 @@ flow GTPv1_Flow(is_orig: bool)
a->ProtocolConfirmation();
}
+ else if ( result == -2 )
+ violate("Invalid IP version in wrapped packet", pdu);
+
else if ( result < 0 )
violate("Truncated GTPv1", pdu);
diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc
index 6a42e064d7..2dedca5ae1 100644
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@@ -352,9 +352,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, new AddrVal(src_addr));
- id_val->Assign(1, new PortVal(src_port, proto));
+ id_val->Assign(1, port_mgr->Get(src_port, proto));
id_val->Assign(2, new AddrVal(dst_addr));
- id_val->Assign(3, new PortVal(dst_port, proto));
+ id_val->Assign(3, port_mgr->Get(dst_port, proto));
iprec->Assign(0, id_val);
iprec->Assign(1, new Val(ip_len, TYPE_COUNT));
@@ -411,9 +411,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, new AddrVal(src_addr));
- id_val->Assign(1, new PortVal(src_port, proto));
+ id_val->Assign(1, port_mgr->Get(src_port, proto));
id_val->Assign(2, new AddrVal(dst_addr));
- id_val->Assign(3, new PortVal(dst_port, proto));
+ id_val->Assign(3, port_mgr->Get(dst_port, proto));
iprec->Assign(0, id_val);
iprec->Assign(1, new Val(ip_len, TYPE_COUNT));
diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc
index f668be921c..27eafb5426 100644
--- a/src/analyzer/protocol/ident/Ident.cc
+++ b/src/analyzer/protocol/ident/Ident.cc
@@ -17,8 +17,8 @@ Ident_Analyzer::Ident_Analyzer(Connection* conn)
{
did_bad_reply = did_deliver = 0;
- orig_ident = new tcp::ContentLine_Analyzer(conn, true);
- resp_ident = new tcp::ContentLine_Analyzer(conn, false);
+ orig_ident = new tcp::ContentLine_Analyzer(conn, true, 1000);
+ resp_ident = new tcp::ContentLine_Analyzer(conn, false, 1000);
orig_ident->SetIsNULSensitive(true);
resp_ident->SetIsNULSensitive(true);
@@ -82,8 +82,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
val_list* vl = new val_list;
vl->append(BuildConnVal());
- vl->append(new PortVal(local_port, TRANSPORT_TCP));
- vl->append(new PortVal(remote_port, TRANSPORT_TCP));
+ vl->append(port_mgr->Get(local_port, TRANSPORT_TCP));
+ vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP));
ConnectionEvent(ident_request, vl);
@@ -143,8 +143,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
{
val_list* vl = new val_list;
vl->append(BuildConnVal());
- vl->append(new PortVal(local_port, TRANSPORT_TCP));
- vl->append(new PortVal(remote_port, TRANSPORT_TCP));
+ vl->append(port_mgr->Get(local_port, TRANSPORT_TCP));
+ vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP));
vl->append(new StringVal(end_of_line - line, line));
ConnectionEvent(ident_error, vl);
@@ -177,8 +177,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
val_list* vl = new val_list;
vl->append(BuildConnVal());
- vl->append(new PortVal(local_port, TRANSPORT_TCP));
- vl->append(new PortVal(remote_port, TRANSPORT_TCP));
+ vl->append(port_mgr->Get(local_port, TRANSPORT_TCP));
+ vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP));
vl->append(new StringVal(end_of_line - line, line));
vl->append(new StringVal(sys_type_s));
diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc
index a26045f250..a69674eb50 100644
--- a/src/analyzer/protocol/irc/IRC.cc
+++ b/src/analyzer/protocol/irc/IRC.cc
@@ -21,9 +21,9 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn)
orig_zip_status = NO_ZIP;
resp_zip_status = NO_ZIP;
starttls = false;
- cl_orig = new tcp::ContentLine_Analyzer(conn, true);
+ cl_orig = new tcp::ContentLine_Analyzer(conn, true, 1000);
AddSupportAnalyzer(cl_orig);
- cl_resp = new tcp::ContentLine_Analyzer(conn, false);
+ cl_resp = new tcp::ContentLine_Analyzer(conn, false, 1000);
AddSupportAnalyzer(cl_resp);
}
diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac
index b178239f4d..271958fcb4 100644
--- a/src/analyzer/protocol/krb/krb-padata.pac
+++ b/src/analyzer/protocol/krb/krb-padata.pac
@@ -75,8 +75,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
string file_id = file_mgr->HashHandle(file_handle.Description());
file_mgr->DataIn(reinterpret_cast(cert.data()),
- cert.length(), bro_analyzer->GetAnalyzerTag(),
- bro_analyzer->Conn(), true, file_id);
+ cert.length(), bro_analyzer->GetAnalyzerTag(),
+ bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert");
file_mgr->EndOfFile(file_id);
break;
@@ -99,8 +99,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
string file_id = file_mgr->HashHandle(file_handle.Description());
file_mgr->DataIn(reinterpret_cast(cert.data()),
- cert.length(), bro_analyzer->GetAnalyzerTag(),
- bro_analyzer->Conn(), false, file_id);
+ cert.length(), bro_analyzer->GetAnalyzerTag(),
+ bro_analyzer->Conn(), false, file_id, "application/x-x509-user-cert");
file_mgr->EndOfFile(file_id);
break;
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index 01b47e9478..1ba2c465d8 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@@ -142,7 +142,7 @@ refine flow RDP_Flow += {
connection()->bro_analyzer()->GetAnalyzerTag(),
connection()->bro_analyzer()->Conn(),
false, // It seems there are only server certs?
- file_id);
+ file_id, "application/x-x509-user-cert");
file_mgr->EndOfFile(file_id);
return true;
diff --git a/src/analyzer/protocol/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc
index 5d7c980879..9f52394ac4 100644
--- a/src/analyzer/protocol/rpc/Portmap.cc
+++ b/src/analyzer/protocol/rpc/Portmap.cc
@@ -126,7 +126,7 @@ int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status
RecordVal* rv = c->RequestVal()->AsRecordVal();
Val* is_tcp = rv->Lookup(2);
- reply = new PortVal(CheckPort(port),
+ reply = port_mgr->Get(CheckPort(port),
is_tcp->IsOne() ?
TRANSPORT_TCP : TRANSPORT_UDP);
event = pm_request_getport;
@@ -178,7 +178,7 @@ int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status
if ( ! opaque_reply )
return 0;
- reply = new PortVal(CheckPort(port), TRANSPORT_UDP);
+ reply = port_mgr->Get(CheckPort(port), TRANSPORT_UDP);
event = pm_request_callit;
}
else
@@ -202,7 +202,7 @@ Val* PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
int is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
uint32 port = extract_XDR_uint32(buf, len);
- mapping->Assign(2, new PortVal(CheckPort(port),
+ mapping->Assign(2, port_mgr->Get(CheckPort(port),
is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP));
if ( ! buf )
diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac
index b8c4165a54..0f13335785 100644
--- a/src/analyzer/protocol/socks/socks-analyzer.pac
+++ b/src/analyzer/protocol/socks/socks-analyzer.pac
@@ -32,7 +32,7 @@ refine connection SOCKS_Conn += {
4,
${request.command},
sa,
- new PortVal(${request.port} | TCP_PORT_MASK),
+ port_mgr->Get(${request.port} | TCP_PORT_MASK),
array_to_string(${request.user}));
static_cast(bro_analyzer())->EndpointDone(true);
@@ -50,7 +50,7 @@ refine connection SOCKS_Conn += {
4,
${reply.status},
sa,
- new PortVal(${reply.port} | TCP_PORT_MASK));
+ port_mgr->Get(${reply.port} | TCP_PORT_MASK));
bro_analyzer()->ProtocolConfirmation();
static_cast(bro_analyzer())->EndpointDone(false);
@@ -102,7 +102,7 @@ refine connection SOCKS_Conn += {
5,
${request.command},
sa,
- new PortVal(${request.port} | TCP_PORT_MASK),
+ port_mgr->Get(${request.port} | TCP_PORT_MASK),
new StringVal(""));
static_cast(bro_analyzer())->EndpointDone(true);
@@ -141,7 +141,7 @@ refine connection SOCKS_Conn += {
5,
${reply.reply},
sa,
- new PortVal(${reply.port} | TCP_PORT_MASK));
+ port_mgr->Get(${reply.port} | TCP_PORT_MASK));
bro_analyzer()->ProtocolConfirmation();
static_cast(bro_analyzer())->EndpointDone(false);
diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac
index 28b0379999..3b147f6b6e 100644
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
@@ -410,7 +410,7 @@ refine connection SSH_Conn += {
return true;
if ( update_kex_state_if_equal("ecmqv-sha2", KEX_ECC) )
return true;
- if ( update_kex_state_if_equal("curve25519-sha256@libssh.org", KEX_ECC) )
+ if ( update_kex_state_if_startswith("curve25519-sha256", KEX_ECC) )
return true;
diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt
index 0f45aa1f32..14e41892c8 100644
--- a/src/analyzer/protocol/ssl/CMakeLists.txt
+++ b/src/analyzer/protocol/ssl/CMakeLists.txt
@@ -12,6 +12,7 @@ bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyz
proc-client-hello.pac
proc-server-hello.pac
proc-certificate.pac
+ tls-handshake-signed_certificate_timestamp.pac
)
bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac
proc-client-hello.pac
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 8142f67c7d..890f6da396 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -27,6 +27,8 @@
## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
## ssl_session_ticket_handshake x509_certificate ssl_handshake_message
## ssl_change_cipher_spec
+## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+## ssl_rsa_client_pms
event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec%);
## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
@@ -64,6 +66,8 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
## ssl_session_ticket_handshake x509_certificate ssl_server_curve
## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec
+## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+## ssl_rsa_client_pms
event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS
@@ -104,8 +108,9 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
## ssl_session_ticket_handshake ssl_extension
## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
-## ssl_extension_key_share
+## ssl_extension_key_share ssl_rsa_client_pms ssl_server_signature
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@@ -125,6 +130,8 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
## ssl_extension_key_share
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+## ssl_rsa_client_pms ssl_server_signature
event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
## Generated for an Signature Algorithms extension. This TLS extension
@@ -143,6 +150,8 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_server_curve ssl_extension_key_share
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+## ssl_rsa_client_pms ssl_server_signature
event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
@@ -160,6 +169,8 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_server_curve
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+## ssl_rsa_client_pms ssl_server_signature
event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%);
## Generated if a named curve is chosen by the server for an SSL/TLS connection.
@@ -170,15 +181,35 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%)
##
## curve: The curve.
##
+## .. note:: This event is deprecated and superseded by the ssl_ecdh_server_params
+## event. This event will be removed in a future version of Bro.
+##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_extension
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_extension_key_share
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
-event ssl_server_curve%(c: connection, curve: count%);
+## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+## ssl_rsa_client_pms ssl_server_signature
+event ssl_server_curve%(c: connection, curve: count%) &deprecated;
+
+## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
+## This event contains the named curve name and the server ECDH parameters contained
+## in the ServerKeyExchange message as defined in :rfc:`4492`.
+##
+## c: The connection.
+##
+## curve: The curve parameters.
+##
+## point: The server's ECDH public key.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
+## ssl_dh_client_params ssl_ecdh_client_params ssl_rsa_client_pms
+event ssl_ecdh_server_params%(c: connection, curve: count, point: string%);
## Generated if a server uses a DH-anon or DHE cipher suite. This event contains
-## the server DH parameters, which are sent in the ServerKeyExchange message as
+## the server DH parameters, contained in the ServerKeyExchange message as
## defined in :rfc:`5246`.
##
## c: The connection.
@@ -190,15 +221,71 @@ event ssl_server_curve%(c: connection, curve: count%);
## Ys: The server's DH public key.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
-## ssl_session_ticket_handshake ssl_server_curve
+## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
+## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+## ssl_rsa_client_pms
event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
+## Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event
+## contains the server signature over the key exchange parameters contained in
+## the ServerKeyExchange message as defined in :rfc:`4492` and :rfc:`5246`.
+##
+## c: The connection.
+##
+## signed_params: A hash of the server params, with the signature appropriate to
+## that hash applied. The private key corresponding to the certified
+## public key in the server's certificate message is used for signing.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_server_curve ssl_rsa_client_pms
+## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+event ssl_server_signature%(c: connection, signed_params: string%);
+
+## Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event
+## contains the client ECDH public value contained in the ClientKeyExchange
+## message as defined in :rfc:`4492`.
+##
+## c: The connection.
+##
+## point: The client's ECDH public key.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
+## ssl_dh_client_params ssl_ecdh_server_params ssl_rsa_client_pms
+event ssl_ecdh_client_params%(c: connection, point: string%);
+
+## Generated if a client uses a DH-anon or DHE cipher suite. This event contains
+## the client DH parameters contained in the ClientKeyExchange message as
+## defined in :rfc:`5246`.
+##
+## c: The connection.
+##
+## Yc: The client's DH public key.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
+## ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms
+event ssl_dh_client_params%(c: connection, Yc: string%);
+
+## Generated if a client uses RSA key exchange. This event contains the client
+## encrypted pre-master secret which is encrypted using the public key of the
+## server's certificate as defined in :rfc:`5246`.
+##
+## c: The connection.
+##
+## pms: The encrypted pre-master secret.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature
+## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+event ssl_rsa_client_pms%(c: connection, pms: string%);
+
## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in
## the initial handshake. It contains the list of client supported application
## protocols by the client or the server, respectively.
##
-## At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts.
+## At the moment it is mostly used to negotiate the use of SPDY / HTTP2.
##
## c: The connection.
##
@@ -211,6 +298,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
## ssl_extension_server_name ssl_extension_key_share
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+## ssl_extension_signed_certificate_timestamp
event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
@@ -231,8 +319,39 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
## ssl_extension_application_layer_protocol_negotiation
## ssl_extension_key_share
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+## ssl_extension_signed_certificate_timestamp
event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
+## Generated for the signed_certificate_timestamp TLS extension as defined in
+## :rfc:`6962`. The extension is used to transmit signed proofs that are
+## used for Certificate Transparency.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## version: the version of the protocol to which the SCT conforms. Always
+## should be 0 (representing version 1)
+##
+## logid: 32 bit key id
+##
+## timestamp: the NTP Time when the entry was logged measured since
+## the epoch, ignoring leap seconds, in milliseconds.
+##
+## signature_and_hashalgorithm: signature and hash algorithm used for the
+## digitally_signed struct
+##
+## signature: signature part of the digitally_signed struct
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_extension
+## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+## ssl_extension_server_name ssl_extension_key_share
+## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+## ssl_extension_application_layer_protocol_negotiation
+## x509_ocsp_ext_signed_certificate_timestamp sct_verify
+event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
+
## Generated for an TLS Supported Versions extension. This TLS extension
## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake.
## It contains the TLS versions that it supports. This informaion can be used by
@@ -249,7 +368,7 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
## ssl_extension_application_layer_protocol_negotiation
## ssl_extension_key_share ssl_extension_server_name
-## ssl_extension_psk_key_exchange_modes
+## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%);
## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
@@ -266,7 +385,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
## ssl_extension_application_layer_protocol_negotiation
## ssl_extension_key_share ssl_extension_server_name
-## ssl_extension_supported_versions
+## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
diff --git a/src/analyzer/protocol/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif
index f7fa76ca36..17720bcbb1 100644
--- a/src/analyzer/protocol/ssl/functions.bif
+++ b/src/analyzer/protocol/ssl/functions.bif
@@ -1,6 +1,7 @@
%%{
#include "analyzer/protocol/ssl/SSL.h"
+#include
%%}
## Sets if the SSL analyzer should consider the connection established (handshake
diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac
index c2353e3a88..7c57f31744 100644
--- a/src/analyzer/protocol/ssl/proc-certificate.pac
+++ b/src/analyzer/protocol/ssl/proc-certificate.pac
@@ -9,6 +9,9 @@
common.AddRaw(is_orig ? "T" : "F", 1);
bro_analyzer()->Conn()->IDString(&common);
+ static const string user_mime = "application/x-x509-user-cert";
+ static const string ca_mime = "application/x-x509-ca-cert";
+
for ( unsigned int i = 0; i < certificates->size(); ++i )
{
const bytestring& cert = (*certificates)[i];
@@ -21,7 +24,7 @@
file_mgr->DataIn(reinterpret_cast(cert.data()),
cert.length(), bro_analyzer()->GetAnalyzerTag(),
- bro_analyzer()->Conn(), is_orig, file_id);
+ bro_analyzer()->Conn(), is_orig, file_id, i == 0 ? user_mime : ca_mime);
file_mgr->EndOfFile(file_id);
}
return true;
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index fc4c879e81..ae62f610e7 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -243,27 +243,116 @@ refine connection Handshake_Conn += {
function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool
%{
- if ( status_type == 1 ) // ocsp
+ ODesc common;
+ common.AddRaw("Analyzer::ANALYZER_SSL");
+ common.Add(bro_analyzer()->Conn()->StartTime());
+ common.AddRaw("F");
+ bro_analyzer()->Conn()->IDString(&common);
+
+ if ( status_type == 1 ) // ocsp
{
+ ODesc file_handle;
+ file_handle.Add(common.Description());
+ file_handle.Add("ocsp");
+
+ string file_id = file_mgr->HashHandle(file_handle.Description());
+
+ file_mgr->DataIn(reinterpret_cast(response.data()),
+ response.length(), bro_analyzer()->GetAnalyzerTag(),
+ bro_analyzer()->Conn(), false, file_id, "application/ocsp-response");
+
BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig},
new StringVal(response.length(),
(const char*) response.data()));
+
+ file_mgr->EndOfFile(file_id);
}
return true;
%}
- function proc_ec_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16) : bool
+ function proc_ecdhe_server_key_exchange(kex: EcdheServerKeyExchange) : bool
%{
- if ( curve_type == NAMED_CURVE )
- BifEvent::generate_ssl_server_curve(bro_analyzer(),
- bro_analyzer()->Conn(), curve);
+ if ( ${kex.curve_type} != NAMED_CURVE )
+ return true;
+
+ BifEvent::generate_ssl_server_curve(bro_analyzer(),
+ bro_analyzer()->Conn(), ${kex.params.curve});
+ BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
+ bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
+ BifEvent::generate_ssl_server_signature(bro_analyzer(),
+ bro_analyzer()->Conn(), new StringVal(${kex.params.signed_params}.length(), (const char*)${kex.params.signed_params}.data()));
return true;
%}
- function proc_dh_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
+ function proc_ecdh_anon_server_key_exchange(kex: EcdhAnonServerKeyExchange) : bool
+ %{
+ if ( ${kex.curve_type} != NAMED_CURVE )
+ return true;
+
+ BifEvent::generate_ssl_server_curve(bro_analyzer(),
+ bro_analyzer()->Conn(), ${kex.params.curve});
+ BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
+ bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
+
+ return true;
+ %}
+
+ function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool
+ %{
+ BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data()));
+ return true;
+ %}
+
+ function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool
+ %{
+ BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data()));
+ return true;
+ %}
+
+ function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool
+ %{
+ BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data()));
+ return true;
+ %}
+
+ function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool
+ %{
+ RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
+ ha->Assign(0, new Val(digitally_signed_algorithms->HashAlgorithm(), TYPE_COUNT));
+ ha->Assign(1, new Val(digitally_signed_algorithms->SignatureAlgorithm(), TYPE_COUNT));
+
+ BifEvent::generate_ssl_extension_signed_certificate_timestamp(bro_analyzer(),
+ bro_analyzer()->Conn(), ${rec.is_orig},
+ version,
+ new StringVal(logid.length(), reinterpret_cast(logid.begin())),
+ timestamp,
+ ha,
+ new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin()))
+ );
+
+ return true;
+ %}
+
+ function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: bytestring) : bool
+ %{
+ BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ new StringVal(p.length(), (const char*) p.data()),
+ new StringVal(g.length(), (const char*) g.data()),
+ new StringVal(Ys.length(), (const char*) Ys.data())
+ );
+ BifEvent::generate_ssl_server_signature(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ new StringVal(signed_params.length(), (const char*) signed_params.data())
+ );
+
+ return true;
+ %}
+
+ function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
%{
BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
bro_analyzer()->Conn(),
@@ -283,7 +372,6 @@ refine connection Handshake_Conn += {
return true;
%}
-
};
refine typeattr ClientHello += &let {
@@ -353,12 +441,32 @@ refine typeattr CertificateStatus += &let {
proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
};
-refine typeattr EcServerKeyExchange += &let {
- proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve);
+refine typeattr EcdheServerKeyExchange += &let {
+ proc : bool = $context.connection.proc_ecdhe_server_key_exchange(this);
};
-refine typeattr DhServerKeyExchange += &let {
- proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys);
+refine typeattr EcdhAnonServerKeyExchange += &let {
+ proc : bool = $context.connection.proc_ecdh_anon_server_key_exchange(this);
+};
+
+refine typeattr DheServerKeyExchange += &let {
+ proc : bool = $context.connection.proc_dhe_server_key_exchange(rec, dh_p, dh_g, dh_Ys, signed_params);
+};
+
+refine typeattr DhAnonServerKeyExchange += &let {
+ proc : bool = $context.connection.proc_dh_anon_server_key_exchange(rec, dh_p, dh_g, dh_Ys);
+};
+
+refine typeattr RsaClientKeyExchange += &let {
+ proc : bool = $context.connection.proc_rsa_client_key_exchange(rec, rsa_pms);
+};
+
+refine typeattr DhClientKeyExchange += &let {
+ proc : bool = $context.connection.proc_dh_client_key_exchange(rec, dh_Yc);
+};
+
+refine typeattr EcdhClientKeyExchange += &let {
+ proc : bool = $context.connection.proc_ecdh_client_key_exchange(rec, point);
};
refine typeattr SupportedVersions += &let {
@@ -373,3 +481,6 @@ refine typeattr Handshake += &let {
proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length);
};
+refine typeattr SignedCertificateTimestamp += &let {
+ proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature);
+};
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 0f6287ea4a..1ccd128dee 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -176,13 +176,333 @@ type CertificateStatus(rec: HandshakeRecord) = record {
# V3 Server Key Exchange Message (7.4.3.)
######################################################################
-# Usually, the server key exchange does not contain any information
-# that we are interested in.
-#
-# The exception is when we are using an ECDHE, DHE or DH-Anon suite.
-# In this case, we can extract information about the chosen cipher from
-# here.
+# The server key exchange contains the server public key exchange values, and a
+# signature over those values for non-anonymous exchanges. The server key
+# exchange messages is only sent for ECDHE, ECDH-anon, DHE, and DH-anon cipher
+# suites.
type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_cipher() of {
+ # ECDHE suites
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_NULL_SHA,
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_PSK_WITH_RC4_128_SHA,
+ TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_PSK_WITH_NULL_SHA,
+ TLS_ECDHE_PSK_WITH_NULL_SHA256,
+ TLS_ECDHE_PSK_WITH_NULL_SHA384,
+ TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+ TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ -> ecdhe_server_key_exchange : EcdheServerKeyExchange(rec);
+
+ # ECDH-anon suites
+ TLS_ECDH_ANON_WITH_NULL_SHA,
+ TLS_ECDH_ANON_WITH_RC4_128_SHA,
+ TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_ANON_WITH_AES_256_CBC_SHA
+ # ECDH non-anon suites do not send a ServerKeyExchange
+ -> ecdh_anon_server_key_exchange : EcdhAnonServerKeyExchange(rec);
+
+ # DHE suites
+ TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+ TLS_DHE_DSS_WITH_DES_CBC_SHA,
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+ TLS_DHE_RSA_WITH_DES_CBC_SHA,
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+ TLS_DHE_DSS_WITH_RC4_128_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD,
+ TLS_DHE_DSS_WITH_AES_128_CBC_RMD,
+ TLS_DHE_DSS_WITH_AES_256_CBC_RMD,
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD,
+ TLS_DHE_RSA_WITH_AES_128_CBC_RMD,
+ TLS_DHE_RSA_WITH_AES_256_CBC_RMD,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_PSK_WITH_RC4_128_SHA,
+ TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+ TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_SEED_CBC_SHA,
+ TLS_DHE_RSA_WITH_SEED_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+ TLS_DHE_PSK_WITH_NULL_SHA256,
+ TLS_DHE_PSK_WITH_NULL_SHA384,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+ TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384,
+ TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+ TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
+ TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
+ TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+ TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+ TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+ TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_DHE_RSA_WITH_AES_128_CCM,
+ TLS_DHE_RSA_WITH_AES_256_CCM,
+ TLS_DHE_RSA_WITH_AES_128_CCM_8,
+ TLS_DHE_RSA_WITH_AES_256_CCM_8,
+ TLS_DHE_PSK_WITH_AES_128_CCM,
+ TLS_DHE_PSK_WITH_AES_256_CCM,
+ TLS_PSK_DHE_WITH_AES_128_CCM_8,
+ TLS_PSK_DHE_WITH_AES_256_CCM_8,
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ -> dhe_server_key_exchange : DheServerKeyExchange(rec);
+
+ # DH-anon suites
+ TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+ TLS_DH_ANON_WITH_RC4_128_MD5,
+ TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+ TLS_DH_ANON_WITH_DES_CBC_SHA,
+ TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
+ TLS_DH_ANON_WITH_AES_128_CBC_SHA,
+ TLS_DH_ANON_WITH_AES_256_CBC_SHA,
+ TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DH_ANON_WITH_AES_128_CBC_SHA256,
+ TLS_DH_ANON_WITH_AES_256_CBC_SHA256,
+ TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DH_ANON_WITH_SEED_CBC_SHA,
+ TLS_DH_ANON_WITH_AES_128_GCM_SHA256,
+ TLS_DH_ANON_WITH_AES_256_GCM_SHA384,
+ TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256,
+ TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256,
+ TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384,
+ TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256,
+ TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384,
+ TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384
+ # DH non-anon suites do not send a ServerKeyExchange
+ -> dh_anon_server_key_exchange : DhAnonServerKeyExchange(rec);
+
+ default
+ -> key : bytestring &restofdata &transient;
+};
+
+# Parse an ECDHE ServerKeyExchange message, which contains a signature over the
+# parameters. Parsing explicit curve parameters from the server is not
+# currently supported.
+type EcdheServerKeyExchange(rec: HandshakeRecord) = record {
+ curve_type: uint8;
+ named_curve: case curve_type of {
+ NAMED_CURVE -> params: ServerEDCHParamsAndSignature;
+ default -> data: bytestring &restofdata &transient;
+ };
+};
+
+# Parse an ECDH-anon ServerKeyExchange message, which does not contain a
+# signature over the parameters. Parsing explicit curve parameters from the
+# server is not currently supported.
+type EcdhAnonServerKeyExchange(rec: HandshakeRecord) = record {
+ curve_type: uint8;
+ named_curve: case curve_type of {
+ NAMED_CURVE -> params: ServerEDCHParamsAndSignature;
+ default -> data: bytestring &restofdata &transient;
+ };
+};
+
+type ServerEDCHParamsAndSignature() = record {
+ curve: uint16;
+ point_length: uint8;
+ point: bytestring &length=point_length;
+ signed_params: bytestring &restofdata; # only present in case of non-anon message
+};
+
+# Parse a DHE ServerKeyExchange message, which contains a signature over the
+# parameters.
+type DheServerKeyExchange(rec: HandshakeRecord) = record {
+ dh_p_length: uint16;
+ dh_p: bytestring &length=dh_p_length;
+ dh_g_length: uint16;
+ dh_g: bytestring &length=dh_g_length;
+ dh_Ys_length: uint16;
+ dh_Ys: bytestring &length=dh_Ys_length;
+ signed_params: bytestring &restofdata;
+};
+
+# Parse a DH-anon ServerKeyExchange message, which does not contain a
+# signature over the parameters.
+type DhAnonServerKeyExchange(rec: HandshakeRecord) = record {
+ dh_p_length: uint16;
+ dh_p: bytestring &length=dh_p_length;
+ dh_g_length: uint16;
+ dh_g: bytestring &length=dh_g_length;
+ dh_Ys_length: uint16;
+ dh_Ys: bytestring &length=dh_Ys_length;
+ data: bytestring &restofdata &transient;
+};
+
+######################################################################
+# V3 Certificate Request (7.4.4.)
+######################################################################
+
+# For now, ignore Certificate Request Details; just eat up message.
+type CertificateRequest(rec: HandshakeRecord) = record {
+ cont : bytestring &restofdata &transient;
+};
+
+
+######################################################################
+# V3 Server Hello Done (7.4.5.)
+######################################################################
+
+# Server Hello Done is empty
+type ServerHelloDone(rec: HandshakeRecord) = empty;
+
+
+######################################################################
+# V3 Client Certificate (7.4.6.)
+######################################################################
+
+# Client Certificate is identical to Server Certificate;
+# no further definition here
+
+
+######################################################################
+# V3 Client Key Exchange Message (7.4.7.)
+######################################################################
+
+# Parse a ClientKeyExchange message. For RSA cipher suites, this consists of an
+# encrypted pre-master secret. For DH, DH-anon, and DHE cipher suites, this
+# consists of the client public finite-field Diffie-Hellman value. For ECDH,
+# ECDH-anon, and ECDHE cipher suites, this consists of the client public
+# elliptic curve point.
+type ClientKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_cipher() of {
+ # RSA suites
+ TLS_RSA_WITH_NULL_MD5,
+ TLS_RSA_WITH_NULL_SHA,
+ TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+ TLS_RSA_WITH_RC4_128_MD5,
+ TLS_RSA_WITH_RC4_128_SHA,
+ TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+ TLS_RSA_WITH_IDEA_CBC_SHA,
+ TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
+ TLS_RSA_WITH_DES_CBC_SHA,
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_NULL_SHA256,
+ TLS_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_EXPORT1024_WITH_RC4_56_MD5,
+ TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
+ TLS_RSA_WITH_3DES_EDE_CBC_RMD,
+ TLS_RSA_WITH_AES_128_CBC_RMD,
+ TLS_RSA_WITH_AES_256_CBC_RMD,
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_RSA_PSK_WITH_RC4_128_SHA,
+ TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+ TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
+ TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_SEED_CBC_SHA,
+ TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
+ TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+ TLS_RSA_PSK_WITH_NULL_SHA256,
+ TLS_RSA_PSK_WITH_NULL_SHA384,
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+ TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+ TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+ TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+ TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+ TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+ TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+ TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+ TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+ TLS_RSA_WITH_AES_128_CCM,
+ TLS_RSA_WITH_AES_256_CCM,
+ TLS_RSA_WITH_AES_128_CCM_8,
+ TLS_RSA_WITH_AES_256_CCM_8
+ -> rsa_client_key_exchange: RsaClientKeyExchange(rec);
+
+ #ECHDE
TLS_ECDH_ECDSA_WITH_NULL_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
@@ -275,7 +595,7 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- -> ec_server_key_exchange : EcServerKeyExchange(rec);
+ -> ecdh_client_key_exchange : EcdhClientKeyExchange(rec);
# DHE suites
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
@@ -377,72 +697,24 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c
TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384,
TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256,
TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384
- # DH non-anon suites do not send a ServerKeyExchange
- -> dh_server_key_exchange : DhServerKeyExchange(rec);
+ -> dh_server_key_exchange : DhClientKeyExchange(rec);
default
-> key : bytestring &restofdata &transient;
};
-# For the moment, we really only are interested in the curve name. If it
-# is not set (if the server sends explicit parameters), we do not bother.
-# We also do not parse the actual signature data following the named curve.
-type EcServerKeyExchange(rec: HandshakeRecord) = record {
- curve_type: uint8;
- curve: uint16; # only if curve_type = 3 (NAMED_CURVE)
- data: bytestring &restofdata &transient;
+type RsaClientKeyExchange(rec: HandshakeRecord) = record {
+ rsa_pms : bytestring &restofdata;
};
-# For both, dh_anon and dhe the ServerKeyExchange starts with a ServerDHParams
-# structure. After that, they start to differ, but we do not care about that.
-type DhServerKeyExchange(rec: HandshakeRecord) = record {
- dh_p_length: uint16;
- dh_p: bytestring &length=dh_p_length;
- dh_g_length: uint16;
- dh_g: bytestring &length=dh_g_length;
- dh_Ys_length: uint16;
- dh_Ys: bytestring &length=dh_Ys_length;
- data: bytestring &restofdata &transient;
+type DhClientKeyExchange(rec: HandshakeRecord) = record {
+ dh_Yc : bytestring &restofdata;
};
-
-######################################################################
-# V3 Certificate Request (7.4.4.)
-######################################################################
-
-# For now, ignore Certificate Request Details; just eat up message.
-type CertificateRequest(rec: HandshakeRecord) = record {
- cont : bytestring &restofdata &transient;
+type EcdhClientKeyExchange(rec: HandshakeRecord) = record {
+ point : bytestring &restofdata;
};
-
-######################################################################
-# V3 Server Hello Done (7.4.5.)
-######################################################################
-
-# Server Hello Done is empty
-type ServerHelloDone(rec: HandshakeRecord) = empty;
-
-
-######################################################################
-# V3 Client Certificate (7.4.6.)
-######################################################################
-
-# Client Certificate is identical to Server Certificate;
-# no further definition here
-
-
-######################################################################
-# V3 Client Key Exchange Message (7.4.7.)
-######################################################################
-
-# For now ignore details of ClientKeyExchange (most of it is
-# encrypted anyway); just eat up message.
-type ClientKeyExchange(rec: HandshakeRecord) = record {
- key : bytestring &restofdata &transient;
-};
-
-
######################################################################
# V3 Certificate Verify (7.4.8.)
######################################################################
@@ -485,13 +757,21 @@ type SSLExtension(rec: HandshakeRecord) = record {
# EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0);
EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0);
EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0);
+ EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0);
EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0);
- EXT_SUPPORTED_VERSIONS -> supported_versions: SupportedVersions(rec)[] &until($element == 0 || $element != 0);
+ EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0);
EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
default -> data: bytestring &restofdata;
};
} &length=data_len+4 &exportsourcedata;
+%include tls-handshake-signed_certificate_timestamp.pac
+
+type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of {
+ true -> a: SupportedVersions(rec);
+ false -> b: bytestring &length=data_len &transient;
+}
+
type SupportedVersions(rec: HandshakeRecord) = record {
length: uint8;
versions: uint16[] &until($input.length() == 0);
@@ -563,11 +843,6 @@ type KeyShare(rec: HandshakeRecord) = case rec.msg_type of {
default -> other : bytestring &restofdata &transient;
};
-type SignatureAndHashAlgorithm() = record {
- HashAlgorithm: uint8;
- SignatureAlgorithm: uint8;
-}
-
type SignatureAlgorithm(rec: HandshakeRecord) = record {
length: uint16;
supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0);
diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
new file mode 100644
index 0000000000..f921db0790
--- /dev/null
+++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
@@ -0,0 +1,28 @@
+# We keep this extension separate, because it also can be included in X.509 certificates.
+# If included there, it uses the exact same syntax and we just symlink it from the X.509
+# file analyzer tree.
+
+type SignatureAndHashAlgorithm() = record {
+ HashAlgorithm: uint8;
+ SignatureAlgorithm: uint8;
+}
+
+type SignedCertificateTimestampList(rec: HandshakeRecord) = record {
+ length: uint16;
+ SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0);
+} &length=length+2;
+
+type SignedCertificateTimestamp(rec: HandshakeRecord) = record {
+ # before - framing
+ length: uint16;
+ # from here: SignedCertificateTimestamp
+ version: uint8;
+ logid: bytestring &length=32;
+ timestamp: uint64;
+ extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them
+ extensions: bytestring &length=extensions_length;
+ digitally_signed_algorithms: SignatureAndHashAlgorithm;
+ digitally_signed_signature_length: uint16;
+ digitally_signed_signature: bytestring &length=digitally_signed_signature_length;
+} &length=length+2;
+
diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc
index f5dd7aaf07..7fc8085246 100644
--- a/src/analyzer/protocol/tcp/ContentLine.cc
+++ b/src/analyzer/protocol/tcp/ContentLine.cc
@@ -7,14 +7,14 @@
using namespace analyzer::tcp;
-ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig)
-: TCP_SupportAnalyzer("CONTENTLINE", conn, orig)
+ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length)
+: TCP_SupportAnalyzer("CONTENTLINE", conn, orig), max_line_length(max_line_length)
{
InitState();
}
-ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig)
-: TCP_SupportAnalyzer(name, conn, orig)
+ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length)
+: TCP_SupportAnalyzer(name, conn, orig), max_line_length(max_line_length)
{
InitState();
}
@@ -229,6 +229,12 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data)
return seq_len; \
}
+ if ( offset >= max_line_length )
+ {
+ Weird("contentline_size_exceeded");
+ EMIT_LINE
+ }
+
switch ( c ) {
case '\r':
// Look ahead for '\n'.
@@ -250,6 +256,16 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data)
case '\n':
if ( last_char == '\r' )
{
+ // Weird corner-case:
+ // this can happen if we see a \r at the end of a packet where crlf is
+ // set to CR_as_EOL | LF_as_EOL, with the packet causing crlf to be set to
+ // 0 and the next packet beginning with a \n. In this case we just swallow
+ // the character and re-set last_char.
+ if ( offset == 0 )
+ {
+ last_char = c;
+ break;
+ }
--offset; // remove '\r'
EMIT_LINE
}
diff --git a/src/analyzer/protocol/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h
index 7a5a6b996e..5cb6d2f3d4 100644
--- a/src/analyzer/protocol/tcp/ContentLine.h
+++ b/src/analyzer/protocol/tcp/ContentLine.h
@@ -10,9 +10,12 @@ namespace analyzer { namespace tcp {
#define CR_as_EOL 1
#define LF_as_EOL 2
+// Slightly smaller than 16MB so that the buffer is not unnecessarily resized to 32M.
+#define DEFAULT_MAX_LINE_LENGTH 16 * 1024 * 1024 - 100
+
class ContentLine_Analyzer : public TCP_SupportAnalyzer {
public:
- ContentLine_Analyzer(Connection* conn, bool orig);
+ ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH);
~ContentLine_Analyzer();
void SupressWeirds(bool enable)
@@ -60,7 +63,7 @@ public:
{ return seq + length <= seq_to_skip; }
protected:
- ContentLine_Analyzer(const char* name, Connection* conn, bool orig);
+ ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH);
virtual void DeliverStream(int len, const u_char* data, bool is_orig);
virtual void Undelivered(uint64 seq, int len, bool orig);
@@ -80,6 +83,7 @@ protected:
int offset; // where we are in buf
int buf_len; // how big buf is, total
unsigned int last_char; // last (non-option) character scanned
+ int max_line_length; // how large of a line to accumulate before emitting and raising a weird
uint64_t seq; // last seq number
uint64_t seq_to_skip;
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
index 7c359623f3..c3175ec9f5 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@@ -229,7 +229,7 @@ int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen,
if ( fwrite(data, 1, len, f) < unsigned(len) )
{
char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
reporter->Error("TCP contents write failed: %s", buf);
if ( contents_file_write_failure )
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index b1d7dca012..bcbe20d499 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -38,18 +38,19 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer,
if ( ::tcp_contents )
{
- // Val dst_port_val(ntohs(Conn()->RespPort()), TYPE_PORT);
- PortVal dst_port_val(ntohs(tcp_analyzer->Conn()->RespPort()),
+ auto dst_port_val = port_mgr->Get(ntohs(tcp_analyzer->Conn()->RespPort()),
TRANSPORT_TCP);
TableVal* ports = IsOrig() ?
tcp_content_delivery_ports_orig :
tcp_content_delivery_ports_resp;
- Val* result = ports->Lookup(&dst_port_val);
+ Val* result = ports->Lookup(dst_port_val);
if ( (IsOrig() && tcp_content_deliver_all_orig) ||
(! IsOrig() && tcp_content_deliver_all_resp) ||
(result && result->AsBool()) )
deliver_tcp_contents = 1;
+
+ Unref(dst_port_val);
}
}
diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc
index 6ad00a82dc..3d7fb397fb 100644
--- a/src/analyzer/protocol/teredo/Teredo.cc
+++ b/src/analyzer/protocol/teredo/Teredo.cc
@@ -130,7 +130,7 @@ RecordVal* TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
RecordVal* teredo_origin = new RecordVal(teredo_origin_type);
uint16 port = ntohs(*((uint16*)(origin_indication + 2))) ^ 0xFFFF;
uint32 addr = ntohl(*((uint32*)(origin_indication + 4))) ^ 0xFFFFFFFF;
- teredo_origin->Assign(0, new PortVal(port, TRANSPORT_UDP));
+ teredo_origin->Assign(0, port_mgr->Get(port, TRANSPORT_UDP));
teredo_origin->Assign(1, new AddrVal(htonl(addr)));
teredo_hdr->Assign(1, teredo_origin);
}
@@ -195,7 +195,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
else
{
delete inner;
- ProtocolViolation("Truncated Teredo", (const char*) data, len);
+ ProtocolViolation("Truncated Teredo or invalid inner IP version", (const char*) data, len);
return;
}
diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc
index 3bd3736b2a..ca46b88339 100644
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@@ -97,14 +97,14 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
if ( udp_contents )
{
- PortVal port_val(ntohs(up->uh_dport), TRANSPORT_UDP);
+ auto port_val = port_mgr->Get(ntohs(up->uh_dport), TRANSPORT_UDP);
Val* result = 0;
bool do_udp_contents = false;
if ( is_orig )
{
result = udp_content_delivery_ports_orig->Lookup(
- &port_val);
+ port_val);
if ( udp_content_deliver_all_orig ||
(result && result->AsBool()) )
do_udp_contents = true;
@@ -112,7 +112,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
else
{
result = udp_content_delivery_ports_resp->Lookup(
- &port_val);
+ port_val);
if ( udp_content_deliver_all_resp ||
(result && result->AsBool()) )
do_udp_contents = true;
@@ -126,6 +126,8 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
vl->append(new StringVal(len, (const char*) data));
ConnectionEvent(udp_contents, vl);
}
+
+ Unref(port_val);
}
if ( is_orig )
diff --git a/src/bro.bif b/src/bro.bif
index 852f806230..b6922f9fab 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -2270,7 +2270,7 @@ function port_to_count%(p: port%): count
## .. bro:see:: port_to_count
function count_to_port%(num: count, proto: transport_proto%): port
%{
- return new PortVal(num, (TransportProto)proto->AsEnum());
+ return port_mgr->Get(num, (TransportProto)proto->AsEnum());
%}
## Converts a :bro:type:`string` to an :bro:type:`addr`.
@@ -2430,16 +2430,16 @@ function to_port%(s: string%): port
{
++slash;
if ( streq(slash, "tcp") )
- return new PortVal(port, TRANSPORT_TCP);
+ return port_mgr->Get(port, TRANSPORT_TCP);
else if ( streq(slash, "udp") )
- return new PortVal(port, TRANSPORT_UDP);
+ return port_mgr->Get(port, TRANSPORT_UDP);
else if ( streq(slash, "icmp") )
- return new PortVal(port, TRANSPORT_ICMP);
+ return port_mgr->Get(port, TRANSPORT_ICMP);
}
}
builtin_error("wrong port format, must be /[0-9]{1,5}\\/(tcp|udp|icmp)/");
- return new PortVal(port, TRANSPORT_UNKNOWN);
+ return port_mgr->Get(port, TRANSPORT_UNKNOWN);
%}
## Converts a string of bytes (in network byte order) to a :bro:type:`double`.
@@ -3208,9 +3208,9 @@ function lookup_connection%(cid: conn_id%): connection
RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, new AddrVal((unsigned int) 0));
- id_val->Assign(1, new PortVal(ntohs(0), TRANSPORT_UDP));
+ id_val->Assign(1, port_mgr->Get(ntohs(0), TRANSPORT_UDP));
id_val->Assign(2, new AddrVal((unsigned int) 0));
- id_val->Assign(3, new PortVal(ntohs(0), TRANSPORT_UDP));
+ id_val->Assign(3, port_mgr->Get(ntohs(0), TRANSPORT_UDP));
c->Assign(0, id_val);
RecordVal* orig_endp = new RecordVal(endpoint);
diff --git a/src/broker/Data.cc b/src/broker/Data.cc
index 6420144193..09b0da11e1 100644
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@@ -135,7 +135,7 @@ struct val_converter {
result_type operator()(broker::port& a)
{
if ( type->Tag() == TYPE_PORT )
- return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type()));
+ return port_mgr->Get(a.number(), bro_broker::to_bro_port_proto(a.type()));
return nullptr;
}
diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc
index eebcd2792f..d5acb27b5a 100644
--- a/src/broker/Manager.cc
+++ b/src/broker/Manager.cc
@@ -697,7 +697,7 @@ void bro_broker::Manager::Process()
{
val_list* vl = new val_list;
vl->append(new StringVal(u.relation.remote_tuple().first));
- vl->append(new PortVal(u.relation.remote_tuple().second,
+ vl->append(port_mgr->Get(u.relation.remote_tuple().second,
TRANSPORT_TCP));
vl->append(new StringVal(u.peer_name));
mgr.QueueEvent(Broker::outgoing_connection_established, vl);
@@ -709,7 +709,7 @@ void bro_broker::Manager::Process()
{
val_list* vl = new val_list;
vl->append(new StringVal(u.relation.remote_tuple().first));
- vl->append(new PortVal(u.relation.remote_tuple().second,
+ vl->append(port_mgr->Get(u.relation.remote_tuple().second,
TRANSPORT_TCP));
mgr.QueueEvent(Broker::outgoing_connection_broken, vl);
}
@@ -720,7 +720,7 @@ void bro_broker::Manager::Process()
{
val_list* vl = new val_list;
vl->append(new StringVal(u.relation.remote_tuple().first));
- vl->append(new PortVal(u.relation.remote_tuple().second,
+ vl->append(port_mgr->Get(u.relation.remote_tuple().second,
TRANSPORT_TCP));
mgr.QueueEvent(Broker::outgoing_connection_incompatible, vl);
}
diff --git a/src/broker/data.bif b/src/broker/data.bif
index d526d0a779..7f9c27f9a2 100644
--- a/src/broker/data.bif
+++ b/src/broker/data.bif
@@ -88,7 +88,7 @@ function Broker::__refine_to_port%(d: Broker::Data%): port
%{
auto& a = bro_broker::require_data_type(d->AsRecordVal(),
TYPE_PORT, frame);
- return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type()));
+ return port_mgr->Get(a.number(), bro_broker::to_bro_port_proto(a.type()));
%}
function Broker::__refine_to_time%(d: Broker::Data%): time
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index 46e67f7cd8..711186335e 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -34,9 +34,9 @@ static RecordVal* get_conn_id_val(const Connection* conn)
{
RecordVal* v = new RecordVal(conn_id);
v->Assign(0, new AddrVal(conn->OrigAddr()));
- v->Assign(1, new PortVal(ntohs(conn->OrigPort()), conn->ConnTransport()));
+ v->Assign(1, port_mgr->Get(ntohs(conn->OrigPort()), conn->ConnTransport()));
v->Assign(2, new AddrVal(conn->RespAddr()));
- v->Assign(3, new PortVal(ntohs(conn->RespPort()), conn->ConnTransport()));
+ v->Assign(3, port_mgr->Get(ntohs(conn->RespPort()), conn->ConnTransport()));
return v;
}
@@ -55,6 +55,7 @@ int File::bof_buffer_size_idx = -1;
int File::bof_buffer_idx = -1;
int File::meta_mime_type_idx = -1;
int File::meta_mime_types_idx = -1;
+int File::meta_inferred_idx = -1;
void File::StaticInit()
{
@@ -76,6 +77,7 @@ void File::StaticInit()
bof_buffer_idx = Idx("bof_buffer", fa_file_type);
meta_mime_type_idx = Idx("mime_type", fa_metadata_type);
meta_mime_types_idx = Idx("mime_types", fa_metadata_type);
+ meta_inferred_idx = Idx("inferred", fa_metadata_type);
}
File::File(const string& file_id, const string& source_name, Connection* conn,
@@ -290,6 +292,27 @@ void File::SetReassemblyBuffer(uint64 max)
reassembly_max_buffer = max;
}
+bool File::SetMime(const string& mime_type)
+ {
+ if ( mime_type.empty() || bof_buffer.size != 0 || did_metadata_inference )
+ return false;
+
+ did_metadata_inference = true;
+ bof_buffer.full = true;
+
+ if ( ! FileEventAvailable(file_sniff) )
+ return false;
+
+ val_list* vl = new val_list();
+ vl->append(val->Ref());
+ RecordVal* meta = new RecordVal(fa_metadata_type);
+ vl->append(meta);
+ meta->Assign(meta_mime_type_idx, new StringVal(mime_type));
+ meta->Assign(meta_inferred_idx, new Val(0, TYPE_BOOL));
+ FileEvent(file_sniff, vl);
+ return true;
+ }
+
void File::InferMetadata()
{
did_metadata_inference = true;
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index c799907a8f..1d4fb03789 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -171,6 +171,27 @@ public:
*/
void FileEvent(EventHandlerPtr h, val_list* vl);
+
+ /**
+ * Sets the MIME type for a file to a specific value.
+ *
+ * Setting the MIME type has to be done before the MIME type is
+ * inferred from the content, and before any data is passed to the
+ * analyzer (the beginning of file buffer has to be empty). After
+ * data has been sent or a MIME type has been set once, it cannot be
+ * changed.
+ *
+ * This function should only be called when it does not make sense
+ * to perform automated MIME type detections. This is e.g. the case
+ * in protocols where the file type is fixed in the protocol description.
+ * This is for example the case for TLS and X.509 certificates.
+ *
+ * @param mime_type mime type to set
+ * @return true if the mime type was set. False if it could not be set because
+ * a mime type was already set or inferred.
+ */
+ bool SetMime(const string& mime_type);
+
protected:
friend class Manager;
friend class FileReassembler;
@@ -319,6 +340,7 @@ protected:
static int bof_buffer_idx;
static int mime_type_idx;
static int mime_types_idx;
+ static int meta_inferred_idx;
static int meta_mime_type_idx;
static int meta_mime_types_idx;
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 217c901969..41528e2ceb 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -110,7 +110,7 @@ void Manager::SetHandle(const string& handle)
string Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
analyzer::Tag tag, Connection* conn, bool is_orig,
- const string& precomputed_id)
+ const string& precomputed_id, const string& mime_type)
{
string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
File* file = GetFile(id, conn, tag, is_orig);
@@ -118,6 +118,15 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
if ( ! file )
return "";
+ // This only has any effect when
+ // * called for the first time for a file
+ // * being called before file->DataIn is called for the first time (before data is
+ // added to the bof buffer).
+ // Afterwards SetMime just ignores what is passed to it. Thus this only has effect during
+ // the first Manager::DataIn call for each file.
+ if ( ! mime_type.empty() )
+ file->SetMime(mime_type);
+
file->DataIn(data, len, offset);
if ( file->IsComplete() )
@@ -130,7 +139,8 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
}
string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
- Connection* conn, bool is_orig, const string& precomputed_id)
+ Connection* conn, bool is_orig, const string& precomputed_id,
+ const string& mime_type)
{
string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
// Sequential data input shouldn't be going over multiple conns, so don't
@@ -140,6 +150,9 @@ string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
if ( ! file )
return "";
+ if ( ! mime_type.empty() )
+ file->SetMime(mime_type);
+
file->DataIn(data, len);
if ( file->IsComplete() )
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index bcc8ac5dd2..b6d3658f9e 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -93,6 +93,13 @@ public:
* or false if is being sent in the opposite direction.
* @param precomputed_file_id may be set to a previous return value in order to
* bypass costly file handle lookups.
+ * @param mime_type may be set to the mime type of the file, if already known due
+ * to the protocol. This is, e.g., the case in TLS connections where X.509
+ * certificates are passed as files; here the type of the file is set by
+ * the protocol. If this parameter is given, MIME type detection will be
+ * disabled.
+ * This parameter only has any effect for the first DataIn call of each
+ * file. It is ignored for all subsequent calls.
* @return a unique file ID string which, in certain contexts, may be
* cached and passed back in to a subsequent function call in order
* to avoid costly file handle lookups (which have to go through
@@ -101,7 +108,8 @@ public:
*/
std::string DataIn(const u_char* data, uint64 len, uint64 offset,
analyzer::Tag tag, Connection* conn, bool is_orig,
- const std::string& precomputed_file_id = "");
+ const std::string& precomputed_file_id = "",
+ const std::string& mime_type = "");
/**
* Pass in sequential file data.
@@ -113,6 +121,12 @@ public:
* or false if is being sent in the opposite direction.
* @param precomputed_file_id may be set to a previous return value in order to
* bypass costly file handle lookups.
+ * @param mime_type may be set to the mime type of the file, if already known due
+ * to the protocol. This is, e.g., the case in TLS connections where X.509
+ * certificates are passed as files; here the type of the file is set by
+ * the protocol. If this parameter is give, mime type detection will be
+ * disabled.
+ * This parameter is only used for the first bit of data for each file.
* @return a unique file ID string which, in certain contexts, may be
* cached and passed back in to a subsequent function call in order
* to avoid costly file handle lookups (which have to go through
@@ -121,7 +135,8 @@ public:
*/
std::string DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
Connection* conn, bool is_orig,
- const std::string& precomputed_file_id = "");
+ const std::string& precomputed_file_id = "",
+ const std::string& mime_type = "");
/**
* Pass in sequential file data from external source (e.g. input framework).
@@ -241,6 +256,14 @@ public:
bool SetExtractionLimit(const string& file_id, RecordVal* args,
uint64 n) const;
+ /**
+ * Try to retrieve a file that's being analyzed, using its identifier/hash.
+ * @param file_id the file identifier/hash.
+ * @return the File object mapped to \a file_id, or a null pointer if no
+ * mapping exists.
+ */
+ File* LookupFile(const string& file_id) const;
+
/**
* Queue attachment of an analzer to the file identifier. Multiple
* analyzers of a given type can be attached per file identifier at a time
@@ -340,14 +363,6 @@ protected:
bool is_orig = false, bool update_conn = true,
const char* source_name = 0);
- /**
- * Try to retrieve a file that's being analyzed, using its identifier/hash.
- * @param file_id the file identifier/hash.
- * @return the File object mapped to \a file_id, or a null pointer if no
- * mapping exists.
- */
- File* LookupFile(const string& file_id) const;
-
/**
* Evaluate timeout policy for a file and remove the File object mapped to
* \a file_id if needed.
diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc
index c758414a6e..f936a5156b 100644
--- a/src/file_analysis/analyzer/extract/Extract.cc
+++ b/src/file_analysis/analyzer/extract/Extract.cc
@@ -20,7 +20,7 @@ Extract::Extract(RecordVal* args, File* file, const string& arg_filename,
{
fd = 0;
char buf[128];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
reporter->Error("cannot open %s: %s", filename.c_str(), buf);
}
}
diff --git a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
index 11072f140b..bedf54be5b 100644
--- a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
+++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
@@ -54,7 +54,7 @@ refine flow Flow += {
case 17: proto = TRANSPORT_UDP; break;
}
- return new PortVal(n, proto);
+ return port_mgr->Get(n, proto);
%}
#function proc_record(rec: Record) : bool
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
index aa663cfa6e..a4c5767e56 100644
--- a/src/file_analysis/analyzer/x509/CMakeLists.txt
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -5,6 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro X509)
-bro_plugin_cc(X509.cc Plugin.cc)
-bro_plugin_bif(events.bif types.bif functions.bif)
+bro_plugin_cc(X509Common.cc X509.cc OCSP.cc Plugin.cc)
+bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif)
+bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac)
bro_plugin_end()
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
new file mode 100644
index 0000000000..02c9274999
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -0,0 +1,407 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include
+
+#include "OCSP.h"
+#include "X509.h"
+#include "Event.h"
+
+#include "types.bif.h"
+#include "ocsp_events.bif.h"
+
+#include "file_analysis/Manager.h"
+
+#include
+#include
+#include
+#include
+
+#include "file_analysis/analyzer/x509/X509.h"
+
+// helper function of sk_X509_value to avoid namespace problem
+// sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y)
+// X509 => file_analysis::X509
+X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i)
+ {
+ return sk_X509_value(certs, i);
+ }
+
+using namespace file_analysis;
+
+IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL);
+
+#define OCSP_STRING_BUF_SIZE 2048
+
+static Val* get_ocsp_type(RecordVal* args, const char* name)
+ {
+ Val* rval = args->Lookup(name);
+
+ if ( ! rval )
+ reporter->Error("File extraction analyzer missing arg field: %s", name);
+
+ return rval;
+ }
+
+static void OCSP_RESPID_bio(OCSP_RESPID *resp_id, BIO* bio)
+ {
+ if (resp_id->type == V_OCSP_RESPID_NAME)
+ X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE);
+ else if (resp_id->type == V_OCSP_RESPID_KEY)
+ i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING);
+ }
+
+void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio)
+ {
+ char buf[OCSP_STRING_BUF_SIZE];
+ memset(buf, 0, sizeof(buf));
+
+ i2a_ASN1_OBJECT(bio, cert_id->hashAlgorithm->algorithm);
+ int len = BIO_read(bio, buf, sizeof(buf));
+ vl->append(new StringVal(len, buf));
+ BIO_reset(bio);
+
+ i2a_ASN1_STRING(bio, cert_id->issuerNameHash, V_ASN1_OCTET_STRING);
+ len = BIO_read(bio, buf, sizeof(buf));
+ vl->append(new StringVal(len, buf));
+ BIO_reset(bio);
+
+ i2a_ASN1_STRING(bio, cert_id->issuerKeyHash, V_ASN1_OCTET_STRING);
+ len = BIO_read(bio, buf, sizeof(buf));
+ vl->append(new StringVal(len, buf));
+ BIO_reset(bio);
+
+ i2a_ASN1_INTEGER(bio, cert_id->serialNumber);
+ len = BIO_read(bio, buf, sizeof(buf));
+ vl->append(new StringVal(len, buf));
+ BIO_reset(bio);
+ }
+
+file_analysis::Analyzer* OCSP::InstantiateRequest(RecordVal* args, File* file)
+ {
+ return new OCSP(args, file, true);
+ }
+
+file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file)
+ {
+ return new OCSP(args, file, false);
+ }
+
+file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request)
+ : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request)
+ {
+ }
+
+bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len)
+ {
+ ocsp_data.append(reinterpret_cast(data), len);
+ return true;
+ }
+
+bool file_analysis::OCSP::Undelivered(uint64 offset, uint64 len)
+ {
+ return false;
+ }
+
+// we parse the entire OCSP response in EOF, because we just pass it on
+// to OpenSSL.
+bool file_analysis::OCSP::EndOfFile()
+ {
+ const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data());
+
+ if ( request )
+ {
+ OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size());
+
+ if (!req)
+ {
+ reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str()));
+ return false;
+ }
+
+ ParseRequest(req, GetFile()->GetID().c_str());
+ OCSP_REQUEST_free(req);
+ }
+ else
+ {
+ OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size());
+ if (!resp)
+ {
+ reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str()));
+ return false;
+ }
+
+ OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership
+ ParseResponse(resp_val, GetFile()->GetID().c_str());
+ Unref(resp_val);
+ }
+
+ return true;
+}
+
+void file_analysis::OCSP::ParseRequest(OCSP_REQUEST *req, const char* fid)
+ {
+ OCSP_REQINFO *inf = req->tbsRequest;
+
+ char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions
+ memset(buf, 0, sizeof(buf));
+
+ // build up our response as we go along...
+ val_list* vl = new val_list();
+ vl->append(GetFile()->GetVal()->Ref());
+ vl->append(new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT));
+ BIO *bio = BIO_new(BIO_s_mem());
+
+ if (inf->requestorName != NULL)
+ {
+ GENERAL_NAME_print(bio, inf->requestorName);
+ int len = BIO_read(bio, buf, sizeof(buf));
+ vl->append(new StringVal(len, buf));
+ BIO_reset(bio);
+ }
+ else
+ vl->append(new StringVal(0, ""));
+
+ mgr.QueueEvent(ocsp_request, vl);
+
+ int req_count = OCSP_request_onereq_count(req);
+ for ( int i=0; iappend(GetFile()->GetVal()->Ref());
+
+ OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i);
+ OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req);
+
+ ocsp_add_cert_id(cert_id, rvl, bio);
+ mgr.QueueEvent(ocsp_request_certificate, rvl);
+ }
+
+ BIO_free(bio);
+}
+
+void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid)
+ {
+ OCSP_RESPONSE *resp = resp_val->GetResp();
+ OCSP_RESPBYTES *resp_bytes = resp->responseBytes;
+ OCSP_BASICRESP *basic_resp = nullptr;
+ OCSP_RESPDATA *resp_data = nullptr;
+ OCSP_RESPID *resp_id = nullptr;
+
+ int resp_count, num_ext = 0;
+ VectorVal *certs_vector = nullptr;
+ int len = 0;
+
+ char buf[OCSP_STRING_BUF_SIZE];
+ memset(buf, 0, sizeof(buf));
+
+ val_list* vl = new val_list();
+ vl->append(GetFile()->GetVal()->Ref());
+
+ const char *status_str = OCSP_response_status_str(OCSP_response_status(resp));
+ StringVal* status_val = new StringVal(strlen(status_str), status_str);
+ vl->append(status_val->Ref());
+ mgr.QueueEvent(ocsp_response_status, vl);
+ vl = nullptr;
+
+ if (!resp_bytes)
+ {
+ Unref(status_val);
+ return;
+ }
+
+ BIO *bio = BIO_new(BIO_s_mem());
+ //i2a_ASN1_OBJECT(bio, resp_bytes->responseType);
+ //int len = BIO_read(bio, buf, sizeof(buf));
+ //BIO_reset(bio);
+
+ // get the basic response
+ basic_resp = OCSP_response_get1_basic(resp);
+ if ( !basic_resp )
+ goto clean_up;
+
+ resp_data = basic_resp->tbsResponseData;
+ if ( !resp_data )
+ goto clean_up;
+
+ vl = new val_list();
+ vl->append(GetFile()->GetVal()->Ref());
+ vl->append(resp_val->Ref());
+ vl->append(status_val);
+ vl->append(new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT));
+
+ // responderID
+ resp_id = resp_data->responderId;
+ OCSP_RESPID_bio(resp_id, bio);
+ len = BIO_read(bio, buf, sizeof(buf));
+ vl->append(new StringVal(len, buf));
+ BIO_reset(bio);
+
+ // producedAt
+ vl->append(new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME));
+
+ // responses
+ resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses);
+ for ( int i=0; iresponses, i);
+ if ( !single_resp )
+ continue;
+
+ val_list* rvl = new val_list();
+ rvl->append(GetFile()->GetVal()->Ref());
+
+ // cert id
+ OCSP_CERTID *cert_id = single_resp->certId;
+ ocsp_add_cert_id(cert_id, rvl, bio);
+ BIO_reset(bio);
+
+ // certStatus
+ OCSP_CERTSTATUS *cert_status = single_resp->certStatus;
+ const char* cert_status_str = OCSP_cert_status_str(cert_status->type);
+ rvl->append(new StringVal(strlen(cert_status_str), cert_status_str));
+
+ // revocation time and reason if revoked
+ if ( cert_status->type == V_OCSP_CERTSTATUS_REVOKED )
+ {
+ OCSP_REVOKEDINFO *revoked_info = cert_status->value.revoked;
+ rvl->append(new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME));
+
+ if ( revoked_info->revocationReason )
+ {
+ const char* revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason));
+ rvl->append(new StringVal(strlen(revoke_reason), revoke_reason));
+ }
+ else
+ rvl->append(new StringVal(0, ""));
+ }
+ else
+ {
+ rvl->append(new Val(0, TYPE_TIME));
+ rvl->append(new StringVal(0, ""));
+ }
+
+ rvl->append(new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME));
+ if ( single_resp->nextUpdate )
+ rvl->append(new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME));
+ else
+ rvl->append(new Val(0, TYPE_TIME));
+
+ mgr.QueueEvent(ocsp_response_certificate, rvl);
+
+ num_ext = OCSP_SINGLERESP_get_ext_count(single_resp);
+ for ( int k = 0; k < num_ext; ++k )
+ {
+ X509_EXTENSION* ex = OCSP_SINGLERESP_get_ext(single_resp, k);
+ if ( ! ex )
+ continue;
+
+ ParseExtension(ex, ocsp_extension, false);
+ }
+ }
+
+ i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
+ len = BIO_read(bio, buf, sizeof(buf));
+ vl->append(new StringVal(len, buf));
+ BIO_reset(bio);
+
+ //i2a_ASN1_OBJECT(bio, basic_resp->signature);
+ //len = BIO_read(bio, buf, sizeof(buf));
+ //ocsp_resp_record->Assign(7, new StringVal(len, buf));
+ //BIO_reset(bio);
+
+ certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
+ vl->append(certs_vector);
+ if ( basic_resp->certs )
+ {
+ int num_certs = sk_X509_num(basic_resp->certs);
+ for ( int i=0; icerts, i));
+ //::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i));
+ if (this_cert)
+ certs_vector->Assign(i, new file_analysis::X509Val(this_cert));
+ else
+ reporter->Weird("OpenSSL returned null certificate");
+ }
+ }
+ mgr.QueueEvent(ocsp_response_bytes, vl);
+
+ // ok, now that we are done with the actual certificate - let's parse extensions :)
+ num_ext = OCSP_BASICRESP_get_ext_count(basic_resp);
+ for ( int k = 0; k < num_ext; ++k )
+ {
+ X509_EXTENSION* ex = OCSP_BASICRESP_get_ext(basic_resp, k);
+ if ( ! ex )
+ continue;
+
+ ParseExtension(ex, ocsp_extension, true);
+ }
+
+clean_up:
+ if (basic_resp)
+ OCSP_BASICRESP_free(basic_resp);
+ BIO_free(bio);
+}
+
+void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
+ {
+ // In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts.
+ // In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
+ // look it up by performing a string comparison on the oid.
+#ifdef NID_ct_cert_scts
+ if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts )
+#else
+ if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.5") == 0 )
+#endif
+ ParseSignedCertificateTimestamps(ex);
+ }
+
+OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type)
+ {
+ ocsp_resp = arg_ocsp_resp;
+ }
+
+OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type)
+ {
+ ocsp_resp = nullptr;
+ }
+
+OCSP_RESPVal::~OCSP_RESPVal()
+ {
+ if (ocsp_resp)
+ OCSP_RESPONSE_free(ocsp_resp);
+ }
+
+OCSP_RESPONSE* OCSP_RESPVal::GetResp() const
+ {
+ return ocsp_resp;
+ }
+
+bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const
+ {
+ DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal);
+ unsigned char *buf = nullptr;
+ int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf);
+ if ( length < 0 )
+ return false;
+ bool res = SERIALIZE_STR(reinterpret_cast(buf), length);
+ OPENSSL_free(buf);
+ return res;
+ }
+
+bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info)
+ {
+ DO_UNSERIALIZE(OpaqueVal)
+
+ int length;
+ unsigned char *ocsp_resp_buf, *opensslbuf;
+
+ if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_resp_buf), &length) )
+ return false;
+ opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really.
+ ocsp_resp = d2i_OCSP_RESPONSE(nullptr, const_cast(&opensslbuf), length);
+ delete [] ocsp_resp_buf;
+ if ( ! ocsp_resp )
+ return false;
+ return true;
+ }
diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h
new file mode 100644
index 0000000000..d1d15dd14f
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/OCSP.h
@@ -0,0 +1,54 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef FILE_ANALYSIS_OCSP_H
+#define FILE_ANALYSIS_OCSP_H
+
+#include
+
+#include "Val.h"
+#include "../File.h"
+#include "Analyzer.h"
+#include "X509Common.h"
+
+#include
+
+namespace file_analysis {
+
+class OCSP_RESPVal;
+
+class OCSP : public file_analysis::X509Common {
+public:
+ bool DeliverStream(const u_char* data, uint64 len) override;
+ bool Undelivered(uint64 offset, uint64 len) override;
+ bool EndOfFile() override;
+
+ static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file);
+ static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file);
+
+protected:
+ OCSP(RecordVal* args, File* file, bool request);
+
+private:
+ void ParseResponse(OCSP_RESPVal *, const char* fid = 0);
+ void ParseRequest(OCSP_REQUEST *, const char* fid = 0);
+ void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override;
+
+ std::string ocsp_data;
+ bool request = false; // true if ocsp request, false if reply
+};
+
+class OCSP_RESPVal: public OpaqueVal {
+public:
+ explicit OCSP_RESPVal(OCSP_RESPONSE *);
+ ~OCSP_RESPVal();
+ OCSP_RESPONSE *GetResp() const;
+protected:
+ OCSP_RESPVal();
+private:
+ OCSP_RESPONSE *ocsp_resp;
+ DECLARE_SERIAL(OCSP_RESPVal);
+};
+
+}
+
+#endif
diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc
index d9d1b71ab4..31dbe346a8 100644
--- a/src/file_analysis/analyzer/x509/Plugin.cc
+++ b/src/file_analysis/analyzer/x509/Plugin.cc
@@ -4,6 +4,7 @@
#include "plugin/Plugin.h"
#include "X509.h"
+#include "OCSP.h"
namespace plugin {
namespace Bro_X509 {
@@ -13,10 +14,12 @@ public:
plugin::Configuration Configure()
{
AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate));
+ AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest));
+ AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply));
plugin::Configuration config;
config.name = "Bro::X509";
- config.description = "X509 analyzer";
+ config.description = "X509 and OCSP analyzer";
return config;
}
} plugin;
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index da3c6635a8..2274f8fe3d 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -21,7 +21,7 @@ using namespace file_analysis;
IMPLEMENT_SERIAL(X509Val, SER_X509_VAL);
file_analysis::X509::X509(RecordVal* args, file_analysis::File* file)
- : file_analysis::Analyzer(file_mgr->GetComponentTag("X509"), args, file)
+ : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"), args, file)
{
cert_data.clear();
}
@@ -72,7 +72,7 @@ bool file_analysis::X509::EndOfFile()
if ( ! ex )
continue;
- ParseExtension(ex);
+ ParseExtension(ex, x509_extension, false);
}
// X509_free(ssl_cert); We do _not_ free the certificate here. It is refcounted
@@ -133,8 +133,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char*
pX509Cert->Assign(3, new StringVal(len, buf));
BIO_free(bio);
- pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid), TYPE_TIME));
- pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid), TYPE_TIME));
+ pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid, reporter), TYPE_TIME));
+ pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid, reporter), TYPE_TIME));
// we only read 255 bytes because byte 256 is always 0.
// if the string is longer than 255, that will be our null-termination,
@@ -205,101 +205,6 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char*
return pX509Cert;
}
-StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio)
- {
- BIO_flush(bio);
- ERR_clear_error();
- int length = BIO_pending(bio);
-
- if ( ERR_peek_error() != 0 )
- {
- char tmp[120];
- ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp));
- reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp));
- BIO_free_all(bio);
- return 0;
- }
-
- if ( length == 0 )
- {
- BIO_free_all(bio);
- return new StringVal("");
- }
-
- char* buffer = (char*) malloc(length);
-
- if ( ! buffer )
- {
- // Just emit an error here and try to continue instead of aborting
- // because it's unclear the length value is very reliable.
- reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length);
- BIO_free_all(bio);
- return 0;
- }
-
- BIO_read(bio, (void*) buffer, length);
- StringVal* ext_val = new StringVal(length, buffer);
-
- free(buffer);
- BIO_free_all(bio);
-
- return ext_val;
- }
-
-void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
- {
- char name[256];
- char oid[256];
-
- ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex);
- const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn));
-
- OBJ_obj2txt(name, 255, ext_asn, 0);
- OBJ_obj2txt(oid, 255, ext_asn, 1);
-
- int critical = 0;
- if ( X509_EXTENSION_get_critical(ex) != 0 )
- critical = 1;
-
- BIO *bio = BIO_new(BIO_s_mem());
- if( ! X509V3_EXT_print(bio, ex, 0, 0))
- M_ASN1_OCTET_STRING_print(bio,ex->value);
-
- StringVal* ext_val = GetExtensionFromBIO(bio);
-
- if ( ! ext_val )
- ext_val = new StringVal(0, "");
-
- RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);
- pX509Ext->Assign(0, new StringVal(name));
-
- if ( short_name and strlen(short_name) > 0 )
- pX509Ext->Assign(1, new StringVal(short_name));
-
- pX509Ext->Assign(2, new StringVal(oid));
- pX509Ext->Assign(3, new Val(critical, TYPE_BOOL));
- pX509Ext->Assign(4, ext_val);
-
- // send off generic extension event
- //
- // and then look if we have a specialized event for the extension we just
- // parsed. And if we have it, we send the specialized event on top of the
- // generic event that we just had. I know, that is... kind of not nice,
- // but I am not sure if there is a better way to do it...
- val_list* vl = new val_list();
- vl->append(GetFile()->GetVal()->Ref());
- vl->append(pX509Ext);
-
- mgr.QueueEvent(x509_extension, vl);
-
- // look if we have a specialized handler for this event...
- if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints )
- ParseBasicConstraints(ex);
-
- else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
- ParseSAN(ex);
- }
-
void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
{
assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints);
@@ -326,6 +231,26 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
reporter->Weird(fmt("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str()));
}
+void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
+ {
+ // look if we have a specialized handler for this event...
+ if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints )
+ ParseBasicConstraints(ex);
+
+ else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
+ ParseSAN(ex);
+
+ // In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts.
+ // In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
+ // look it up by performing a string comparison on the oid.
+#ifdef NID_ct_precert_scts
+ else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts )
+#else
+ else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 )
+#endif
+ ParseSignedCertificateTimestamps(ex);
+ }
+
void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
{
assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name);
@@ -517,164 +442,6 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key)
reporter->InternalError("cannot be reached");
}
-double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid)
- {
- const char *fid = arg_fid ? arg_fid : "";
- time_t lResult = 0;
-
- char lBuffer[26];
- char* pBuffer = lBuffer;
-
- const char *pString = (const char *) atime->data;
- unsigned int remaining = atime->length;
-
- if ( atime->type == V_ASN1_UTCTIME )
- {
- if ( remaining < 11 || remaining > 17 )
- {
- reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid));
- return 0;
- }
-
- if ( pString[remaining-1] != 'Z' )
- {
- // not valid according to RFC 2459 4.1.2.5.1
- reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid));
- return 0;
- }
-
- // year is first two digits in YY format. Buffer expects YYYY format.
- if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1
- {
- *(pBuffer++) = '2';
- *(pBuffer++) = '0';
- }
- else
- {
- *(pBuffer++) = '1';
- *(pBuffer++) = '9';
- }
-
- memcpy(pBuffer, pString, 10);
- pBuffer += 10;
- pString += 10;
- remaining -= 10;
- }
- else if ( atime->type == V_ASN1_GENERALIZEDTIME )
- {
- // generalized time. We apparently ignore the YYYYMMDDHH case
- // for now and assume we always have minutes and seconds.
- // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2
-
- if ( remaining < 12 || remaining > 23 )
- {
- reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid));
- return 0;
- }
-
- memcpy(pBuffer, pString, 12);
- pBuffer += 12;
- pString += 12;
- remaining -= 12;
- }
- else
- {
- reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid));
- return 0;
- }
-
- if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') )
- {
- *(pBuffer++) = '0';
- *(pBuffer++) = '0';
- }
-
- else if ( remaining >= 2 )
- {
- *(pBuffer++) = *(pString++);
- *(pBuffer++) = *(pString++);
-
- remaining -= 2;
-
- // Skip any fractional seconds...
- if ( (remaining > 0) && (*pString == '.') )
- {
- pString++;
- remaining--;
-
- while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') )
- {
- pString++;
- remaining--;
- }
- }
- }
-
- else
- {
- reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid));
- return 0;
- }
-
- *(pBuffer++) = 'Z';
- *(pBuffer++) = '\0';
-
- time_t lSecondsFromUTC;
-
- if ( remaining == 0 || *pString == 'Z' )
- lSecondsFromUTC = 0;
- else
- {
- if ( remaining < 5 )
- {
- reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid));
- return 0;
- }
-
- if ((*pString != '+') && (*pString != '-'))
- {
- reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid));
- return 0;
- }
-
- lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60;
- lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0');
-
- if (*pString == '-')
- lSecondsFromUTC = -lSecondsFromUTC;
- }
-
- tm lTime;
- lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0');
- lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
- lTime.tm_hour = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
- lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
- lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1;
- lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0');
-
- if ( lTime.tm_year > 1900)
- lTime.tm_year -= 1900;
-
- lTime.tm_wday = 0;
- lTime.tm_yday = 0;
- lTime.tm_isdst = 0; // No DST adjustment requested
-
- lResult = mktime(&lTime);
-
- if ( lResult )
- {
- if ( lTime.tm_isdst != 0 )
- lResult -= 3600; // mktime may adjust for DST (OS dependent)
-
- lResult += lSecondsFromUTC;
- }
-
- else
- lResult = 0;
-
- return lResult;
-}
-
X509Val::X509Val(::X509* arg_certificate) : OpaqueVal(x509_opaque_type)
{
certificate = arg_certificate;
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index c671c68a99..325e8becac 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -6,21 +6,18 @@
#include
#include "Val.h"
-#include "../File.h"
-#include "Analyzer.h"
+#include "X509Common.h"
-#include
-#include
namespace file_analysis {
class X509Val;
-class X509 : public file_analysis::Analyzer {
+class X509 : public file_analysis::X509Common {
public:
- virtual bool DeliverStream(const u_char* data, uint64 len);
- virtual bool Undelivered(uint64 offset, uint64 len);
- virtual bool EndOfFile();
+ bool DeliverStream(const u_char* data, uint64 len) override;
+ bool Undelivered(uint64 offset, uint64 len) override;
+ bool EndOfFile() override;
/**
* Converts an X509 certificate into a \c X509::Certificate record
@@ -40,29 +37,17 @@ public:
static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
{ return new X509(args, file); }
- /**
- * Retrieve an X509 extension value from an OpenSSL BIO to which it was
- * written.
- *
- * @param bio the OpenSSL BIO to read. It will be freed by the function,
- * including when an error occurs.
- *
- * @return The X509 extension value.
- */
- static StringVal* GetExtensionFromBIO(BIO* bio);
-
protected:
X509(RecordVal* args, File* file);
private:
- void ParseExtension(X509_EXTENSION* ex);
void ParseBasicConstraints(X509_EXTENSION* ex);
void ParseSAN(X509_EXTENSION* ex);
+ void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override;
std::string cert_data;
// Helpers for ParseCertificate.
- static double GetTimeFromAsn1(const ASN1_TIME * atime, const char* fid);
static StringVal* KeyCurve(EVP_PKEY *key);
static unsigned int KeyLength(EVP_PKEY *key);
};
diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc
new file mode 100644
index 0000000000..dba593a3eb
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/X509Common.cc
@@ -0,0 +1,316 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "X509Common.h"
+#include "x509-extension_pac.h"
+
+#include "events.bif.h"
+#include "ocsp_events.bif.h"
+#include "types.bif.h"
+
+#include
+#include
+#include
+#include
+#include
+
+using namespace file_analysis;
+
+X509Common::X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file)
+ : file_analysis::Analyzer(arg_tag, arg_args, arg_file)
+ {
+ }
+
+double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter)
+ {
+ const char *fid = arg_fid ? arg_fid : "";
+ time_t lResult = 0;
+
+ char lBuffer[26];
+ char* pBuffer = lBuffer;
+
+ const char *pString = (const char *) atime->data;
+ unsigned int remaining = atime->length;
+
+ if ( atime->type == V_ASN1_UTCTIME )
+ {
+ if ( remaining < 11 || remaining > 17 )
+ {
+ reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid));
+ return 0;
+ }
+
+ if ( pString[remaining-1] != 'Z' )
+ {
+ // not valid according to RFC 2459 4.1.2.5.1
+ reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid));
+ return 0;
+ }
+
+ // year is first two digits in YY format. Buffer expects YYYY format.
+ if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1
+ {
+ *(pBuffer++) = '2';
+ *(pBuffer++) = '0';
+ }
+ else
+ {
+ *(pBuffer++) = '1';
+ *(pBuffer++) = '9';
+ }
+
+ memcpy(pBuffer, pString, 10);
+ pBuffer += 10;
+ pString += 10;
+ remaining -= 10;
+ }
+ else if ( atime->type == V_ASN1_GENERALIZEDTIME )
+ {
+ // generalized time. We apparently ignore the YYYYMMDDHH case
+ // for now and assume we always have minutes and seconds.
+ // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2
+
+ if ( remaining < 12 || remaining > 23 )
+ {
+ reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid));
+ return 0;
+ }
+
+ memcpy(pBuffer, pString, 12);
+ pBuffer += 12;
+ pString += 12;
+ remaining -= 12;
+ }
+ else
+ {
+ reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid));
+ return 0;
+ }
+
+ if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') )
+ {
+ *(pBuffer++) = '0';
+ *(pBuffer++) = '0';
+ }
+
+ else if ( remaining >= 2 )
+ {
+ *(pBuffer++) = *(pString++);
+ *(pBuffer++) = *(pString++);
+
+ remaining -= 2;
+
+ // Skip any fractional seconds...
+ if ( (remaining > 0) && (*pString == '.') )
+ {
+ pString++;
+ remaining--;
+
+ while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') )
+ {
+ pString++;
+ remaining--;
+ }
+ }
+ }
+
+ else
+ {
+ reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid));
+ return 0;
+ }
+
+ *(pBuffer++) = 'Z';
+ *(pBuffer++) = '\0';
+
+ time_t lSecondsFromUTC;
+
+ if ( remaining == 0 || *pString == 'Z' )
+ lSecondsFromUTC = 0;
+ else
+ {
+ if ( remaining < 5 )
+ {
+ reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid));
+ return 0;
+ }
+
+ if ((*pString != '+') && (*pString != '-'))
+ {
+ reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid));
+ return 0;
+ }
+
+ lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60;
+ lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0');
+
+ if (*pString == '-')
+ lSecondsFromUTC = -lSecondsFromUTC;
+ }
+
+ tm lTime;
+ lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0');
+ lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
+ lTime.tm_hour = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
+ lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
+ lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1;
+ lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0');
+
+ if ( lTime.tm_year > 1900)
+ lTime.tm_year -= 1900;
+
+ lTime.tm_wday = 0;
+ lTime.tm_yday = 0;
+ lTime.tm_isdst = 0; // No DST adjustment requested
+
+ lResult = mktime(&lTime);
+
+ if ( lResult )
+ {
+ if ( lTime.tm_isdst != 0 )
+ lResult -= 3600; // mktime may adjust for DST (OS dependent)
+
+ lResult += lSecondsFromUTC;
+ }
+
+ else
+ lResult = 0;
+
+ return lResult;
+}
+
+void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext)
+ {
+ // Ok, signed certificate timestamps are a bit of an odd case out; we don't
+ // want to use the (basically nonexistant) OpenSSL functionality to parse them.
+ // Instead we have our own, self-written binpac parser to parse just them,
+ // which we will initialize here and tear down immediately again.
+
+ ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext);
+ // the octet string of the extension contains the octet string which in turn
+ // contains the SCT. Obviously.
+
+ unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length);
+ unsigned char* ext_val_second_pointer = ext_val_copy;
+ memcpy(ext_val_copy, ext_val->data, ext_val->length);
+
+ ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length);
+ if ( !inner )
+ {
+ reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string");
+ return;
+ }
+
+ binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this);
+ binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn);
+
+ try
+ {
+ interp->NewData(inner->data, inner->data + inner->length);
+ }
+ catch( const binpac::Exception& e )
+ {
+ // throw a warning or sth
+ reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT");
+ }
+
+ M_ASN1_OCTET_STRING_free(inner);
+ OPENSSL_free(ext_val_second_pointer);
+
+ interp->FlowEOF();
+
+ delete interp;
+ delete conn;
+ }
+
+void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global)
+ {
+ char name[256];
+ char oid[256];
+
+ ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex);
+ const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn));
+
+ OBJ_obj2txt(name, 255, ext_asn, 0);
+ OBJ_obj2txt(oid, 255, ext_asn, 1);
+
+ int critical = 0;
+ if ( X509_EXTENSION_get_critical(ex) != 0 )
+ critical = 1;
+
+ BIO *bio = BIO_new(BIO_s_mem());
+ if( ! X509V3_EXT_print(bio, ex, 0, 0))
+ M_ASN1_OCTET_STRING_print(bio,ex->value);
+
+ StringVal* ext_val = GetExtensionFromBIO(bio);
+
+ if ( ! ext_val )
+ ext_val = new StringVal(0, "");
+
+ RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);
+ pX509Ext->Assign(0, new StringVal(name));
+
+ if ( short_name and strlen(short_name) > 0 )
+ pX509Ext->Assign(1, new StringVal(short_name));
+
+ pX509Ext->Assign(2, new StringVal(oid));
+ pX509Ext->Assign(3, new Val(critical, TYPE_BOOL));
+ pX509Ext->Assign(4, ext_val);
+
+ // send off generic extension event
+ //
+ // and then look if we have a specialized event for the extension we just
+ // parsed. And if we have it, we send the specialized event on top of the
+ // generic event that we just had. I know, that is... kind of not nice,
+ // but I am not sure if there is a better way to do it...
+ val_list* vl = new val_list();
+ vl->append(GetFile()->GetVal()->Ref());
+ vl->append(pX509Ext);
+ if ( h == ocsp_extension )
+ vl->append(new Val(global ? 1 : 0, TYPE_BOOL));
+
+ mgr.QueueEvent(h, vl);
+
+ // let individual analyzers parse more.
+ ParseExtensionsSpecific(ex, global, ext_asn, oid);
+ }
+
+StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio)
+ {
+ BIO_flush(bio);
+ ERR_clear_error();
+ int length = BIO_pending(bio);
+
+ if ( ERR_peek_error() != 0 )
+ {
+ char tmp[120];
+ ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp));
+ reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp));
+ BIO_free_all(bio);
+ return 0;
+ }
+
+ if ( length == 0 )
+ {
+ BIO_free_all(bio);
+ return new StringVal("");
+ }
+
+ char* buffer = (char*) malloc(length);
+
+ if ( ! buffer )
+ {
+ // Just emit an error here and try to continue instead of aborting
+ // because it's unclear the length value is very reliable.
+ reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length);
+ BIO_free_all(bio);
+ return 0;
+ }
+
+ BIO_read(bio, (void*) buffer, length);
+ StringVal* ext_val = new StringVal(length, buffer);
+
+ free(buffer);
+ BIO_free_all(bio);
+
+ return ext_val;
+ }
diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h
new file mode 100644
index 0000000000..1e1a9b94ee
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/X509Common.h
@@ -0,0 +1,44 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Common base class for the X509 and OCSP analyzer, which share a fair amount of
+// code
+
+#ifndef FILE_ANALYSIS_X509_COMMON
+#define FILE_ANALYSIS_X509_COMMON
+
+#include "../File.h"
+#include "Analyzer.h"
+
+#include
+#include
+
+namespace file_analysis {
+
+class X509Common : public file_analysis::Analyzer {
+public:
+ virtual ~X509Common() {};
+
+ /**
+ * Retrieve an X509 extension value from an OpenSSL BIO to which it was
+ * written.
+ *
+ * @param bio the OpenSSL BIO to read. It will be freed by the function,
+ * including when an error occurs.
+ *
+ * @return The X509 extension value.
+ */
+ static StringVal* GetExtensionFromBIO(BIO* bio);
+
+ static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter);
+
+protected:
+ X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file);
+
+ void ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global);
+ void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
+ virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0;
+};
+
+}
+
+#endif /* FILE_ANALYSIS_X509_COMMON */
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index fcdeaa31d1..68afe5340a 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -1,4 +1,4 @@
-## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
+## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
## connection handshake.
##
## See `Wikipedia `__ for more information
@@ -13,7 +13,7 @@
##
## .. bro:see:: x509_extension x509_ext_basic_constraints
## x509_ext_subject_alternative_name x509_parse x509_verify
-## x509_get_certificate_string
+## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%);
## Generated for X509 extensions seen in a certificate.
@@ -27,7 +27,7 @@ event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certif
##
## .. bro:see:: x509_certificate x509_ext_basic_constraints
## x509_ext_subject_alternative_name x509_parse x509_verify
-## x509_get_certificate_string
+## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
event x509_extension%(f: fa_file, ext: X509::Extension%);
## Generated for the X509 basic constraints extension seen in a certificate.
@@ -39,7 +39,7 @@ event x509_extension%(f: fa_file, ext: X509::Extension%);
##
## .. bro:see:: x509_certificate x509_extension
## x509_ext_subject_alternative_name x509_parse x509_verify
-## x509_get_certificate_string
+## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
## Generated for the X509 subject alternative name extension seen in a certificate.
@@ -52,6 +52,34 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
## ext: The parsed subject alternative name extension.
##
## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
-## x509_parse x509_verify
+## x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp
## x509_get_certificate_string
event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%);
+
+## Generated for the signed_certificate_timestamp X509 extension as defined in
+## :rfc:`6962`. The extension is used to transmit signed proofs that are
+## used for Certificate Transparency. Raised when the extension is encountered
+## in an X.509 certificate or in an OCSP reply.
+##
+## f: The file.
+##
+## version: the version of the protocol to which the SCT conforms. Always
+## should be 0 (representing version 1)
+##
+## logid: 32 bit key id
+##
+## timestamp: the NTP Time when the entry was logged measured since
+## the epoch, ignoring leap seconds, in milliseconds.
+##
+## signature_and_hashalgorithm: signature and hash algorithm used for the
+## digitally_signed struct
+##
+## signature: signature part of the digitally_signed struct
+##
+## .. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints
+## x509_parse x509_verify x509_ext_subject_alternative_name
+## x509_get_certificate_string ssl_extension_signed_certificate_timestamp
+## sct_verify ocsp_request ocsp_request_certificate ocsp_response_status
+## ocsp_response_bytes ocsp_response_certificate
+## x509_ocsp_ext_signed_certificate_timestamp
+event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index ca23f77d28..1c1ec51818 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -1,6 +1,7 @@
%%{
#include "file_analysis/analyzer/x509/X509.h"
#include "types.bif.h"
+#include "net_util.h"
#include
#include
@@ -139,6 +140,35 @@ X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid)
return 0;
}
+// Convert hash algorithm registry numbers to the OpenSSL EVP_MD.
+// Mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+const EVP_MD* hash_to_evp(int hash)
+ {
+ switch ( hash )
+ {
+ case 1:
+ return EVP_md5();
+ break;
+ case 2:
+ return EVP_sha1();
+ break;
+ case 3:
+ return EVP_sha224();
+ break;
+ case 4:
+ return EVP_sha256();
+ break;
+ case 5:
+ return EVP_sha384();
+ break;
+ case 6:
+ return EVP_sha512();
+ break;
+ default:
+ return nullptr;
+ }
+ }
+
%%}
## Parses a certificate into an X509::Certificate structure.
@@ -455,7 +485,7 @@ x509_ocsp_cleanup:
##
## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
## x509_ext_subject_alternative_name x509_parse
-## x509_get_certificate_string x509_ocsp_verify
+## x509_get_certificate_string x509_ocsp_verify sct_verify
function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
%{
X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal());
@@ -542,3 +572,294 @@ x509_verify_chainerror:
return rrecord;
%}
+
+## Verifies a Signed Certificate Timestamp as used for Certificate Transparency.
+## See RFC6962 for more details.
+##
+## cert: Certificate against which the SCT should be validated.
+##
+## logid: Log id of the SCT.
+##
+## log_key: Public key of the Log that issued the SCT proof.
+##
+## timestamp: Timestamp at which the proof was generated.
+##
+## hash_algorithm: Hash algorithm that was used for the SCT proof.
+##
+## issuer_key_hash: The SHA-256 hash of the certificate issuer's public key.
+## This only has to be provided if the SCT was encountered in an X.509
+## certificate extension; in that case, it is necessary for validation.
+##
+## Returns: T if the validation could be performed succesfully, F otherwhise.
+##
+## .. bro:see:: ssl_extension_signed_certificate_timestamp
+## x509_ocsp_ext_signed_certificate_timestamp
+## x509_verify
+function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool
+ %{
+ assert(cert);
+ file_analysis::X509Val* h = (file_analysis::X509Val*) cert;
+ X509* x = ((file_analysis::X509Val*) h)->GetCertificate();
+
+ assert(sizeof(timestamp) >= 8);
+ uint64_t timestamp_network = htonll(timestamp);
+
+ bool precert = issuer_key_hash->Len() > 0;
+ if ( precert && issuer_key_hash->Len() != 32)
+ {
+ reporter->Error("Invalid issuer_key_hash length");
+ return new Val(0, TYPE_BOOL);
+ }
+
+ std::string data;
+ data.push_back(0); // version
+ data.push_back(0); // signature_type -> certificate_timestamp
+ data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits
+ if ( precert )
+ data.append("\0\1", 2); // entry-type: precert_entry
+ else
+ data.append("\0\0", 2); // entry-type: x509_entry
+
+ if ( precert )
+ {
+ x = X509_dup(x);
+ assert(x);
+ // In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts.
+ // In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
+ // look it up by performing a string comparison on the oid.
+#ifdef NID_ct_precert_scts
+ int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1);
+ if ( pos < 0 )
+ {
+ reporter->Error("NID_ct_precert_scts not found");
+ return new Val(0, TYPE_BOOL);
+ }
+#else
+ int num_ext = X509_get_ext_count(x);
+ int pos = -1;
+ for ( int k = 0; k < num_ext; ++k )
+ {
+ char oid[256];
+ X509_EXTENSION* ex = X509_get_ext(x, k);
+ ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex);
+ OBJ_obj2txt(oid, 255, ext_asn, 1);
+ if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 )
+ {
+ pos = k;
+ break;
+ }
+ }
+#endif
+ X509_EXTENSION_free(X509_delete_ext(x, pos));
+#ifdef NID_ct_precert_scts
+ assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 );
+#endif
+ }
+
+ unsigned char *cert_out = nullptr;
+ uint32 cert_length;
+ if ( precert )
+ {
+ // we also could use i2d_re_X509_tbs, for OpenSSL >= 1.0.2
+ x->cert_info->enc.modified = 1;
+ cert_length = i2d_X509_CINF(x->cert_info, &cert_out);
+ data.append(reinterpret_cast(issuer_key_hash->Bytes()), issuer_key_hash->Len());
+ }
+ else
+ cert_length = i2d_X509(x, &cert_out);
+ assert( cert_out );
+ uint32 cert_length_network = htonl(cert_length);
+ assert( sizeof(cert_length_network) == 4);
+
+ data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length
+ data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate
+ OPENSSL_free(cert_out);
+ if ( precert )
+ X509_free(x);
+ data.append("\0\0", 2); // no extensions
+
+ // key is given as a DER-encoded SubjectPublicKeyInfo.
+ const unsigned char *key_char = log_key->Bytes();
+ EVP_PKEY* key = d2i_PUBKEY(nullptr, &key_char, log_key->Len());
+
+ EVP_MD_CTX *mdctx = EVP_MD_CTX_create();
+ assert(mdctx);
+
+ string errstr;
+ int success = 0;
+
+ const EVP_MD* hash = hash_to_evp(hash_algorithm);
+ if ( ! hash )
+ {
+ errstr = "Unknown hash algorithm";
+ goto sct_verify_err;
+ }
+
+ if ( ! key )
+ {
+ errstr = "Could not load log key";
+ goto sct_verify_err;
+ }
+
+ if ( ! EVP_DigestVerifyInit(mdctx, NULL, hash, NULL, key) )
+ {
+ errstr = "Could not init signature verification";
+ goto sct_verify_err;
+ }
+
+ if ( ! EVP_DigestVerifyUpdate(mdctx, data.data(), data.size()) )
+ {
+ errstr = "Could not update digest for verification";
+ goto sct_verify_err;
+ }
+
+#ifdef NID_ct_precert_scts
+ success = EVP_DigestVerifyFinal(mdctx, signature->Bytes(), signature->Len());
+#else
+ // older versions of OpenSSL use a non-const-char *sigh*
+ // I don't think they actually manipulate the value though.
+ // todo - this needs a cmake test
+ success = EVP_DigestVerifyFinal(mdctx, (unsigned char*) signature->Bytes(), signature->Len());
+#endif
+ EVP_MD_CTX_destroy(mdctx);
+ EVP_PKEY_free(key);
+
+ return new Val(success, TYPE_BOOL);
+
+sct_verify_err:
+ if (mdctx)
+ EVP_MD_CTX_destroy(mdctx);
+ if (key)
+ EVP_PKEY_free(key);
+
+ reporter->Error("%s", errstr.c_str());
+ return new Val(0, TYPE_BOOL);
+ %}
+
+
+%%{
+/**
+ * 0 -> subject name
+ * 1 -> issuer name
+ * 2 -> pubkey
+ */
+StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type)
+ {
+ assert(cert_handle);
+
+ if ( type > 2 )
+ {
+ reporter->InternalError("Unknown type in x509_entity_hash");
+ return nullptr;
+ }
+
+ X509 *cert_x509 = cert_handle->GetCertificate();
+ if ( cert_x509 == nullptr )
+ {
+ builtin_error("cannot get cert from opaque");
+ return nullptr;
+ }
+
+ X509_NAME *subject_name = X509_get_subject_name(cert_x509);
+ X509_NAME *issuer_name = X509_get_issuer_name(cert_x509);
+ if ( subject_name == nullptr || issuer_name == nullptr )
+ {
+ builtin_error("fail to get subject/issuer name from certificate");
+ return nullptr;
+ }
+
+ const EVP_MD *dgst = hash_to_evp(hash_alg);
+ if ( dgst == nullptr )
+ {
+ builtin_error("Unknown hash algorithm.");
+ return nullptr;
+ }
+
+ unsigned char md[EVP_MAX_MD_SIZE];
+ memset(md, 0, sizeof(md));
+ unsigned int len = 0;
+
+ int res = 0;
+
+ if ( type == 0 )
+ res = X509_NAME_digest(subject_name, dgst, md, &len);
+ else if ( type == 1 )
+ res = X509_NAME_digest(issuer_name, dgst, md, &len);
+ else if ( type == 2 )
+ {
+ unsigned char *spki = nullptr;
+ int pklen = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert_x509), &spki);
+ if ( ! pklen )
+ {
+ builtin_error("Could not get SPKI");
+ return nullptr;
+ }
+ res = EVP_Digest(spki, pklen, md, &len, dgst, nullptr);
+ OPENSSL_free(spki);
+ }
+
+ if ( ! res )
+ {
+ builtin_error("Could not perform hash");
+ return nullptr;
+ }
+
+ assert( len <= sizeof(md) );
+
+ return new StringVal(len, reinterpret_cast(md));
+ }
+%%}
+
+## Get the hash of the subject's distinguished name.
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+##
+## Returns: The hash as a string.
+##
+## .. bro:see:: x509_issuer_name_hash x509_spki_hash
+## x509_verify sct_verify
+function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string
+ %{
+ file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
+
+ return x509_entity_hash(cert_handle, hash_alg, 0);
+ %}
+
+## Get the hash of the issuer's distinguished name.
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+##
+## Returns: The hash as a string.
+##
+## .. bro:see:: x509_subject_name_hash x509_spki_hash
+## x509_verify sct_verify
+function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string
+ %{
+ file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
+
+ return x509_entity_hash(cert_handle, hash_alg, 1);
+ %}
+
+## Get the hash of the Subject Public Key Information of the certificate.
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+##
+## Returns: The hash as a string.
+##
+## .. bro:see:: x509_subject_name_hash x509_issuer_name_hash
+## x509_verify sct_verify
+function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
+ %{
+ file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
+
+ return x509_entity_hash(cert_handle, hash_alg, 2);
+ %}
diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif
new file mode 100644
index 0000000000..4e0ed6e9dc
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/ocsp_events.bif
@@ -0,0 +1,120 @@
+## Event that is raised when encountering an OCSP request, e.g. in an HTTP
+## connection. See :rfc:`6960` for more details.
+##
+## This event is raised exactly once for each OCSP Request.
+##
+## f: The file.
+##
+## req: version: the version of the OCSP request. Typically 0 (Version 1).
+##
+## requestorName: name of the OCSP requestor. This attribute is optional; if
+## it is not set, an empty string is returned here.
+##
+## .. bro:see:: ocsp_request_certificate ocsp_response_status
+## ocsp_response_bytes ocsp_response_certificate ocsp_extension
+## x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_request%(f: fa_file, version: count, requestorName: string%);
+
+## Event that is raised when encountering an OCSP request for a certificate,
+## e.g. in an HTTP connection. See :rfc:`6960` for more details.
+##
+## Note that a single OCSP request can contain requests for several certificates.
+## Thus this event can fire several times for one OCSP request, each time
+## requesting information for a different (or in theory even the same) certificate.
+##
+## f: The file.
+##
+## hashAlgorithm: The hash algorithm used for the issuerKeyHash.
+##
+## issuerKeyHash: Hash of the issuers public key.
+##
+## serialNumber: Serial number of the certificate for which the status is requested.
+##
+## .. bro:see:: ocsp_request ocsp_response_status
+## ocsp_response_bytes ocsp_response_certificate ocsp_extension
+## x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%);
+
+## This event is raised when encountering an OCSP reply, e.g. in an HTTP
+## connection or a TLS extension. See :rfc:`6960` for more details.
+##
+## This event is raised exactly once for each OCSP reply.
+##
+## f: The file.
+##
+## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate
+## ocsp_response_bytes ocsp_response_certificate ocsp_extension
+## x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_response_status%(f: fa_file, status: string%);
+
+## This event is raised when encountering an OCSP response that contains response information.
+## An OCSP reply can be encountered, for example, in an HTTP connection or
+## a TLS extension. See :rfc:`6960` for more details on OCSP.
+##
+## f: The file.
+##
+## req_ref: An opaque pointer to the underlying OpenSSL data structure of the
+## OCSP response.
+##
+## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
+##
+## version: Version of the OCSP response (typically - for version 1).
+##
+## responderId: The id of the OCSP responder; either a public key hash or a distinguished name.
+##
+## producedAt: Time at which the reply was produced.
+##
+## signatureAlgorithm: Algorithm used for the OCSP signature.
+##
+## certs: Optional list of certificates that are sent with the OCSP response; these typically
+## are needed to perform validation of the reply.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+## ocsp_response_certificate ocsp_extension
+## x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
+
+## This event is raised for each SingleResponse contained in an OCSP response.
+## See :rfc:`6960` for more details on OCSP.
+##
+## f: The file.
+##
+## hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash.
+##
+## issuerNameHash: Hash of the issuer's distinguished name.
+##
+## issuerKeyHash: Hash of the issuer's public key.
+##
+## serialNumber: Serial number of the affected certificate.
+##
+## certStatus: Status of the certificate.
+##
+## revokeTime: Time the certificate was revoked, 0 if not revoked.
+##
+## revokeTeason: Reason certificate was revoked; empty string if not revoked or not specified.
+##
+## thisUpdate: Time this response was generated.
+##
+## nextUpdate: Time next response will be ready; 0 if not supploed.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+## ocsp_response_bytes ocsp_extension
+## x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time%);
+
+## This event is raised when an OCSP extension is encountered in an OCSP response.
+## See :rfc:`6960` for more details on OCSP.
+##
+## f: The file.
+##
+## ext: The parsed extension (same format as X.509 extensions).
+##
+## global_resp: T if extension encountered in the global response (in ResponseData),
+## F when encountered in a SingleResponse.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+## ocsp_response_bytes ocsp_response_certificate
+## x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%);
diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac
new file mode 100644
index 0000000000..396debbbbe
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/x509-extension.pac
@@ -0,0 +1,54 @@
+# Binpac analyzer for X.509 extensions
+# we just use it for the SignedCertificateTimestamp at the moment
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+#include "types.bif.h"
+#include "file_analysis/File.h"
+#include "events.bif.h"
+%}
+
+analyzer X509Extension withcontext {
+ connection: MockConnection;
+ flow: SignedCertTimestampExt;
+};
+
+connection MockConnection(bro_analyzer: BroFileAnalyzer) {
+ upflow = SignedCertTimestampExt;
+ downflow = SignedCertTimestampExt;
+};
+
+%include x509-signed_certificate_timestamp.pac
+
+# The base record
+type HandshakeRecord() = record {
+ signed_certificate_timestamp_list: SignedCertificateTimestampList(this)[] &transient;
+} &byteorder = bigendian;
+
+flow SignedCertTimestampExt {
+ flowunit = HandshakeRecord withcontext(connection, this);
+};
+
+refine connection MockConnection += {
+
+ function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool
+ %{
+ BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(),
+ bro_analyzer()->GetFile()->GetVal()->Ref(),
+ version,
+ new StringVal(logid.length(), reinterpret_cast(logid.begin())),
+ timestamp,
+ digitally_signed_algorithms->HashAlgorithm(),
+ digitally_signed_algorithms->SignatureAlgorithm(),
+ new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin()))
+ );
+
+ return true;
+ %}
+};
+
+refine typeattr SignedCertificateTimestamp += &let {
+ proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature);
+};
diff --git a/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac
new file mode 120000
index 0000000000..88305ed8fd
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac
@@ -0,0 +1 @@
+../../../analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
\ No newline at end of file
diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif
index 480d8c84d8..f445a9cf6a 100644
--- a/src/file_analysis/file_analysis.bif
+++ b/src/file_analysis/file_analysis.bif
@@ -71,6 +71,28 @@ function Files::__analyzer_name%(tag: Files::Tag%) : string
return new StringVal(file_mgr->GetComponentName(tag));
%}
+## :bro:see:`Files::file_exists`.
+function Files::__file_exists%(fuid: string%): bool
+ %{
+ if ( file_mgr->LookupFile(fuid->CheckString()) != nullptr )
+ return new Val(true, TYPE_BOOL);
+ else
+ return new Val(false, TYPE_BOOL);
+ %}
+
+## :bro:see:`Files::lookup_file`.
+function Files::__lookup_file%(fuid: string%): fa_file
+ %{
+ auto f = file_mgr->LookupFile(fuid->CheckString());
+ if ( f != nullptr )
+ {
+ return f->GetVal()->Ref();
+ }
+
+ reporter->Error("file ID %s not a known file", fuid->CheckString());
+ return 0;
+ %}
+
module GLOBAL;
## For use within a :bro:see:`get_file_handle` handler to set a unique
diff --git a/src/input/Manager.cc b/src/input/Manager.cc
index d029e38092..9a7f1f052f 100644
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@@ -2287,7 +2287,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ
}
case TYPE_PORT:
- return new PortVal(val->val.port_val.port, val->val.port_val.proto);
+ return port_mgr->Get(val->val.port_val.port, val->val.port_val.proto);
case TYPE_ADDR:
{
diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc
index ae1f0939a8..27d8b0c685 100644
--- a/src/input/readers/raw/Raw.cc
+++ b/src/input/readers/raw/Raw.cc
@@ -90,7 +90,7 @@ bool Raw::SetFDFlags(int fd, int cmd, int flags)
return true;
char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
Error(Fmt("failed to set fd flags: %s", buf));
return false;
}
@@ -197,7 +197,7 @@ bool Raw::Execute()
else
{
char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
Warning(Fmt("Could not set child process group: %s", buf));
}
}
@@ -293,7 +293,7 @@ bool Raw::OpenInput()
if ( fseek(file.get(), pos, whence) < 0 )
{
char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
Error(Fmt("Seek failed in init: %s", buf));
}
}
diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc
index dec1689df4..baaba22665 100644
--- a/src/logging/writers/ascii/Ascii.cc
+++ b/src/logging/writers/ascii/Ascii.cc
@@ -414,7 +414,7 @@ bool Ascii::DoRotate(const char* rotated_path, double open, double close, bool t
if ( rename(fname.c_str(), nname.c_str()) != 0 )
{
char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
Error(Fmt("failed to rename %s to %s: %s", fname.c_str(),
nname.c_str(), buf));
FinishedRotation();
diff --git a/src/main.cc b/src/main.cc
index d9f8ff5b0b..a1ae750963 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -87,6 +87,7 @@ int perftools_profile = 0;
DNS_Mgr* dns_mgr;
TimerMgr* timer_mgr;
+PortManager* port_mgr = 0;
logging::Manager* log_mgr = 0;
threading::Manager* thread_mgr = 0;
input::Manager* input_mgr = 0;
@@ -129,6 +130,7 @@ OpaqueType* cardinality_type = 0;
OpaqueType* topk_type = 0;
OpaqueType* bloomfilter_type = 0;
OpaqueType* x509_opaque_type = 0;
+OpaqueType* ocsp_resp_opaque_type = 0;
// Keep copy of command line
int bro_argc;
@@ -383,6 +385,7 @@ void terminate_bro()
delete plugin_mgr;
delete reporter;
delete iosource_mgr;
+ delete port_mgr;
reporter = 0;
}
@@ -710,6 +713,7 @@ int main(int argc, char** argv)
bro_start_time = current_time(true);
+ port_mgr = new PortManager();
reporter = new Reporter();
thread_mgr = new threading::Manager();
plugin_mgr = new plugin::Manager();
@@ -839,6 +843,7 @@ int main(int argc, char** argv)
topk_type = new OpaqueType("topk");
bloomfilter_type = new OpaqueType("bloomfilter");
x509_opaque_type = new OpaqueType("x509");
+ ocsp_resp_opaque_type = new OpaqueType("ocsp_resp");
// The leak-checker tends to produce some false
// positives (memory which had already been
diff --git a/src/nb_dns.c b/src/nb_dns.c
index 35059ab4f0..be6ca66059 100644
--- a/src/nb_dns.c
+++ b/src/nb_dns.c
@@ -131,27 +131,42 @@ nb_dns_init(char *errstr)
free(nd);
return (NULL);
}
- nd->s = socket(PF_INET, SOCK_DGRAM, 0);
- if (nd->s < 0) {
- snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s",
- my_strerror(errno));
- free(nd);
- return (NULL);
- }
- /* XXX should use resolver config */
- nd->server = _res.nsaddr_list[0];
+ int i;
- if (connect(nd->s, (struct sockaddr *)&nd->server,
- sizeof(struct sockaddr)) < 0) {
- snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s",
- inet_ntoa(nd->server.sin_addr), my_strerror(errno));
- close(nd->s);
- free(nd);
- return (NULL);
- }
+ for ( i = 0; i < _res.nscount; ++i )
+ {
+ nd->server = _res.nsaddr_list[i];
- return (nd);
+ /* XXX support IPv6 */
+ if ( nd->server.sin_family != AF_INET )
+ continue;
+
+ nd->s = socket(nd->server.sin_family, SOCK_DGRAM, 0);
+
+ if ( nd->s < 0 )
+ {
+ snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s",
+ my_strerror(errno));
+ free(nd);
+ return (NULL);
+ }
+
+ if ( connect(nd->s, (struct sockaddr *)&nd->server,
+ sizeof(struct sockaddr)) < 0 )
+ {
+ snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s",
+ inet_ntoa(nd->server.sin_addr), my_strerror(errno));
+ close(nd->s);
+ free(nd);
+ return (NULL);
+ }
+
+ return (nd);
+ }
+
+ snprintf(errstr, NB_DNS_ERRSIZE, "no valid nameservers in resolver config");
+ return (NULL);
}
void
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc
index a6c564d4f2..836520d03a 100644
--- a/src/plugin/Manager.cc
+++ b/src/plugin/Manager.cc
@@ -569,32 +569,20 @@ void Manager::RequestBroObjDtor(BroObj* obj, Plugin* plugin)
obj->NotifyPluginsOnDtor();
}
-int Manager::HookLoadFile(const string& file)
+int Manager::HookLoadFile(const Plugin::LoadType type, const string& file, const string& resolved)
{
HookArgumentList args;
if ( HavePluginForHook(META_HOOK_PRE) )
{
+ args.push_back(HookArgument(type));
args.push_back(HookArgument(file));
+ args.push_back(HookArgument(resolved));
MetaHookPre(HOOK_LOAD_FILE, args);
}
hook_list* l = hooks[HOOK_LOAD_FILE];
- size_t i = file.find_last_of("./");
-
- string ext;
- string normalized_file = file;
-
- if ( i != string::npos && file[i] == '.' )
- ext = file.substr(i + 1);
- else
- {
- // Add .bro as default extension.
- normalized_file = file + ".bro";
- ext = "bro";
- }
-
int rc = -1;
if ( l )
@@ -602,7 +590,7 @@ int Manager::HookLoadFile(const string& file)
{
Plugin* p = (*i).second;
- rc = p->HookLoadFile(normalized_file, ext);
+ rc = p->HookLoadFile(type, file, resolved);
if ( rc >= 0 )
break;
@@ -853,6 +841,52 @@ bool Manager::HookLogWrite(const std::string& writer,
return result;
}
+bool Manager::HookReporter(const std::string& prefix, const EventHandlerPtr event,
+ const Connection* conn, const val_list* addl, bool location,
+ const Location* location1, const Location* location2,
+ bool time, const std::string& message)
+
+ {
+ HookArgumentList args;
+
+ if ( HavePluginForHook(META_HOOK_PRE) )
+ {
+ args.push_back(HookArgument(prefix));
+ args.push_back(HookArgument(conn));
+ args.push_back(HookArgument(addl));
+ args.push_back(HookArgument(location1));
+ args.push_back(HookArgument(location2));
+ args.push_back(HookArgument(location));
+ args.push_back(HookArgument(time));
+ args.push_back(HookArgument(message));
+ MetaHookPre(HOOK_REPORTER, args);
+ }
+
+ hook_list* l = hooks[HOOK_REPORTER];
+
+ bool result = true;
+
+ if ( l )
+ {
+ for ( hook_list::iterator i = l->begin(); i != l->end(); ++i )
+ {
+ Plugin* p = (*i).second;
+
+ if ( ! p->HookReporter(prefix, event, conn, addl, location, location1, location2, time, message) )
+ {
+ result = false;
+ break;
+ }
+ }
+ }
+
+ if ( HavePluginForHook(META_HOOK_POST) )
+ MetaHookPost(HOOK_REPORTER, args, HookArgument(result));
+
+ return result;
+ }
+
+
void Manager::MetaHookPre(HookType hook, const HookArgumentList& args) const
{
hook_list* l = hooks[HOOK_CALL_FUNCTION];
diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h
index 9ece86bfed..61b8dc1047 100644
--- a/src/plugin/Manager.h
+++ b/src/plugin/Manager.h
@@ -237,7 +237,7 @@ public:
* if a plugin took over the file but had trouble loading it; and -1 if
* no plugin was interested in the file at all.
*/
- virtual int HookLoadFile(const string& file);
+ virtual int HookLoadFile(const Plugin::LoadType type, const string& file, const string& resolved);
/**
* Hook that filters calls to a script function/event/hook.
@@ -355,6 +355,39 @@ public:
int num_fields, const threading::Field* const* fields,
threading::Value** vals) const;
+ /**
+ * Hook into reporting. This method will be called for each reporter call
+ * made; this includes weirds. The method cannot manipulate the data at
+ * the current time; however it is possible to prevent script-side events
+ * from being called by returning false.
+ *
+ * @param prefix The prefix passed by the reporter framework
+ *
+ * @param event The event to be called
+ *
+ * @param conn The associated connection
+ *
+ * @param addl Additional Bro values; typically will be passed to the event
+ * by the reporter framework.
+ *
+ * @param location True if event expects location information
+ *
+ * @param location1 First location
+ *
+ * @param location2 Second location
+ *
+ * @param time True if event expects time information
+ *
+ * @param message Message supplied by the reporter framework
+ *
+ * @return true if event should be called by the reporter framework, false
+ * if the event call should be skipped
+ */
+ bool HookReporter(const std::string& prefix, const EventHandlerPtr event,
+ const Connection* conn, const val_list* addl, bool location,
+ const Location* location1, const Location* location2,
+ bool time, const std::string& message);
+
/**
* Internal method that registers a freshly instantiated plugin with
* the manager.
diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc
index f54749f837..1264759d02 100644
--- a/src/plugin/Plugin.cc
+++ b/src/plugin/Plugin.cc
@@ -208,6 +208,16 @@ void HookArgument::Describe(ODesc* d) const
d->Add("}");
}
break;
+
+ case LOCATION:
+ if ( arg.loc )
+ {
+ arg.loc->Describe(d);
+ }
+ else
+ {
+ d->Add("");
+ }
}
}
@@ -345,7 +355,7 @@ void Plugin::RequestBroObjDtor(BroObj* obj)
plugin_mgr->RequestBroObjDtor(obj, this);
}
-int Plugin::HookLoadFile(const std::string& file, const std::string& ext)
+int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved)
{
return -1;
}
@@ -393,6 +403,14 @@ bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter,
return true;
}
+bool Plugin::HookReporter(const std::string& prefix, const EventHandlerPtr event,
+ const Connection* conn, const val_list* addl, bool location,
+ const Location* location1, const Location* location2,
+ bool time, const std::string& message)
+ {
+ return true;
+ }
+
void Plugin::MetaHookPre(HookType hook, const HookArgumentList& args)
{
}
diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h
index c3f231bb93..2cec7cf453 100644
--- a/src/plugin/Plugin.h
+++ b/src/plugin/Plugin.h
@@ -48,6 +48,7 @@ enum HookType {
HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookAddToAnalyzerTree
HOOK_LOG_INIT, //< Activates Plugin::HookLogInit
HOOK_LOG_WRITE, //< Activates Plugin::HookLogWrite
+ HOOK_REPORTER, //< Activates Plugin::HookReporter
// Meta hooks.
META_HOOK_PRE, //< Activates Plugin::MetaHookPre().
@@ -172,7 +173,7 @@ public:
*/
enum Type {
BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL,
- VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS
+ VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS, LOCATION
};
/**
@@ -250,6 +251,11 @@ public:
*/
explicit HookArgument(const std::pair fpair) { type = THREAD_FIELDS; tfields = fpair; }
+ /**
+ * Constructor with a location argument.
+ */
+ explicit HookArgument(const Location* location) { type = LOCATION; arg.loc = location; }
+
/**
* Returns the value for a boolen argument. The argument's type must
* match accordingly.
@@ -360,6 +366,7 @@ private:
const val_list* vals;
const void* voidp;
const logging::WriterBackend::WriterInfo* winfo;
+ const Location* loc;
} arg;
// Outside union because these have dtors.
@@ -403,6 +410,13 @@ public:
typedef std::list bif_item_list;
typedef std::list > hook_list;
+ /**
+ * The different types of @loads supported by HookLoadFile.
+ */
+ enum LoadType {
+ SCRIPT, SIGNATURES, PLUGIN
+ };
+
/**
* Constructor.
*/
@@ -611,10 +625,15 @@ protected:
* script directives. The hook can take over the file, in which case
* Bro will not further process it otherwise.
*
- * @param file The filename to be loaded, including extension.
+ * @param type The type of load encountered: script load, signatures load,
+ * or plugin load.
*
- * @param ext The extension of the filename. This is provided
- * separately just for convenience. The dot is excluded.
+ * @param file The filename that was passed to @load. Only includes
+ * an extension if it was given in @load.
+ *
+ * @param resolved The file or directory name Bro resolved from
+ * the given path and is going to load. Empty string
+ * if Bro was not able to resolve a path.
*
* @return 1 if the plugin took over the file and loaded it
* successfully; 0 if the plugin took over the file but had trouble
@@ -622,7 +641,7 @@ protected:
* have printed an error message); and -1 if the plugin wasn't
* interested in the file at all.
*/
- virtual int HookLoadFile(const std::string& file, const std::string& ext);
+ virtual int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved);
/**
* Hook into executing a script-level function/event/hook. Whenever
@@ -769,6 +788,39 @@ protected:
const threading::Field* const* fields,
threading::Value** vals);
+ /**
+ * Hook into reporting. This method will be called for each reporter call
+ * made; this includes weirds. The method cannot manipulate the data at
+ * the current time; however it is possible to prevent script-side events
+ * from being called by returning false.
+ *
+ * @param prefix The prefix passed by the reporter framework
+ *
+ * @param event The event to be called
+ *
+ * @param conn The associated connection
+ *
+ * @param addl Additional Bro values; typically will be passed to the event
+ * by the reporter framework.
+ *
+ * @param location True if event expects location information
+ *
+ * @param location1 First location
+ *
+ * @param location2 Second location
+ *
+ * @param time True if event expects time information
+ *
+ * @param message Message supplied by the reporter framework
+ *
+ * @return true if event should be called by the reporter framework, false
+ * if the event call should be skipped
+ */
+ virtual bool HookReporter(const std::string& prefix, const EventHandlerPtr event,
+ const Connection* conn, const val_list* addl, bool location,
+ const Location* location1, const Location* location2,
+ bool time, const std::string& message);
+
// Meta hooks.
/**
diff --git a/src/scan.l b/src/scan.l
index 4fd2aac1c3..46848f78fd 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -348,17 +348,60 @@ when return TOK_WHEN;
@load-sigs{WS}{FILE} {
const char* file = skip_whitespace(yytext + 10);
string path = find_relative_file(file, "sig");
+ int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SIGNATURES, file, path), -1);
- if ( path.empty() )
- reporter->Error("failed to find file associated with @load-sigs %s",
- file);
- else
- sig_files.push_back(copy_string(path.c_str()));
+ switch ( rc ) {
+ case -1:
+ // No plugin in charge of this file.
+ if ( path.empty() )
+ reporter->Error("failed to find file associated with @load-sigs %s",
+ file);
+ else
+ sig_files.push_back(copy_string(path.c_str()));
+ break;
+
+ case 0:
+ if ( ! reporter->Errors() )
+ reporter->Error("Plugin reported error loading signatures %s", file);
+
+ exit(1);
+ break;
+
+ case 1:
+ // A plugin took care of it, just skip.
+ break;
+
+ default:
+ assert(false);
+ break;
+ }
}
@load-plugin{WS}{ID} {
const char* plugin = skip_whitespace(yytext + 12);
- plugin_mgr->ActivateDynamicPlugin(plugin);
+ int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::PLUGIN, plugin, ""), -1);
+
+ switch ( rc ) {
+ case -1:
+ // No plugin in charge of this file.
+ plugin_mgr->ActivateDynamicPlugin(plugin);
+ break;
+
+ case 0:
+ if ( ! reporter->Errors() )
+ reporter->Error("Plugin reported error loading plugin %s", plugin);
+
+ exit(1);
+ break;
+
+ case 1:
+ // A plugin took care of it, just skip.
+ break;
+
+ default:
+ assert(false);
+ break;
+ }
}
@unload{WS}{FILE} {
@@ -431,7 +474,7 @@ F RET_CONST(new Val(false, TYPE_BOOL))
reporter->Error("bad port number - %s", yytext);
p = 0;
}
- RET_CONST(new PortVal(p, TRANSPORT_TCP))
+ RET_CONST(port_mgr->Get(p, TRANSPORT_TCP))
}
{D}"/udp" {
uint32 p = atoi(yytext);
@@ -440,7 +483,7 @@ F RET_CONST(new Val(false, TYPE_BOOL))
reporter->Error("bad port number - %s", yytext);
p = 0;
}
- RET_CONST(new PortVal(p, TRANSPORT_UDP))
+ RET_CONST(port_mgr->Get(p, TRANSPORT_UDP))
}
{D}"/icmp" {
uint32 p = atoi(yytext);
@@ -449,7 +492,7 @@ F RET_CONST(new Val(false, TYPE_BOOL))
reporter->Error("bad port number - %s", yytext);
p = 0;
}
- RET_CONST(new PortVal(p, TRANSPORT_ICMP))
+ RET_CONST(port_mgr->Get(p, TRANSPORT_ICMP))
}
{D}"/unknown" {
uint32 p = atoi(yytext);
@@ -458,7 +501,7 @@ F RET_CONST(new Val(false, TYPE_BOOL))
reporter->Error("bad port number - %s", yytext);
p = 0;
}
- RET_CONST(new PortVal(p, TRANSPORT_UNKNOWN))
+ RET_CONST(port_mgr->Get(p, TRANSPORT_UNKNOWN))
}
{FLOAT}{OWS}day(s?) RET_CONST(new IntervalVal(atof(yytext),Days))
@@ -547,7 +590,8 @@ static bool already_scanned(const string& path)
static int load_files(const char* orig_file)
{
- int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(orig_file), -1);
+ string file_path = find_relative_file(orig_file, "bro");
+ int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SCRIPT, orig_file, file_path), -1);
if ( rc == 1 )
return 0; // A plugin took care of it, just skip.
@@ -568,7 +612,6 @@ static int load_files(const char* orig_file)
// Whether we pushed on a FileInfo that will restore the
// current module after the final file has been scanned.
bool did_module_restore = false;
- string file_path;
FILE* f = 0;
if ( streq(orig_file, "-") )
@@ -585,8 +628,6 @@ static int load_files(const char* orig_file)
else
{
- file_path = find_relative_file(orig_file, "bro");
-
if ( file_path.empty() )
reporter->FatalError("can't find %s", orig_file);
@@ -636,6 +677,8 @@ static int load_files(const char* orig_file)
broxygen_mgr->Script(file_path);
+ DBG_LOG(DBG_SCRIPTS, "Loading %s", file_path.c_str());
+
// "orig_file", could be an alias for yytext, which is ephemeral
// and will be zapped after the yy_switch_to_buffer() below.
yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE));
diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc
index d63b307470..3b6f5d6532 100644
--- a/src/threading/BasicThread.cc
+++ b/src/threading/BasicThread.cc
@@ -98,7 +98,7 @@ const char* BasicThread::Strerror(int err)
if ( ! strerr_buffer )
strerr_buffer = new char[256];
- strerror_r(err, strerr_buffer, 256);
+ bro_strerror_r(err, strerr_buffer, 256);
return strerr_buffer;
}
diff --git a/src/util.cc b/src/util.cc
index acfcb19573..a2f0cb8c94 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -1012,7 +1012,7 @@ FILE* open_file(const string& path, const string& mode)
if ( ! rval )
{
char buf[256];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
reporter->Error("Failed to open file %s: %s", filename, buf);
}
@@ -1396,9 +1396,13 @@ void _set_processing_status(const char* status)
if ( fd < 0 )
{
char buf[256];
- strerror_r(errno, buf, sizeof(buf));
- reporter->Error("Failed to open process status file '%s': %s",
- proc_status_file, buf);
+ bro_strerror_r(errno, buf, sizeof(buf));
+ if ( reporter )
+ reporter->Error("Failed to open process status file '%s': %s",
+ proc_status_file, buf);
+ else
+ fprintf(stderr, "Failed to open process status file '%s': %s\n",
+ proc_status_file, buf);
errno = old_errno;
return;
}
@@ -1612,7 +1616,7 @@ void safe_close(int fd)
if ( close(fd) < 0 && errno != EINTR )
{
char buf[128];
- strerror_r(errno, buf, sizeof(buf));
+ bro_strerror_r(errno, buf, sizeof(buf));
fprintf(stderr, "safe_close error %d: %s\n", errno, buf);
abort();
}
@@ -1745,3 +1749,24 @@ std::string canonify_name(const std::string& name)
return nname;
}
+
+static void strerror_r_helper(char* result, char* buf, size_t buflen)
+ {
+ // Seems the GNU flavor of strerror_r may return a pointer to a static
+ // string. So try to copy as much as possible into desired buffer.
+ auto len = strlen(result);
+ strncpy(buf, result, buflen);
+
+ if ( len >= buflen )
+ buf[buflen - 1] = 0;
+ }
+
+static void strerror_r_helper(int result, char* buf, size_t buflen)
+ { /* XSI flavor of strerror_r, no-op. */ }
+
+void bro_strerror_r(int bro_errno, char* buf, size_t buflen)
+ {
+ auto res = strerror_r(bro_errno, buf, buflen);
+ // GNU vs. XSI flavors make it harder to use strerror_r.
+ strerror_r_helper(res, buf, buflen);
+ }
diff --git a/src/util.h b/src/util.h
index a2c1b78db3..5dc2484319 100644
--- a/src/util.h
+++ b/src/util.h
@@ -3,6 +3,15 @@
#ifndef util_h
#define util_h
+#ifdef __GNUC__
+ #define BRO_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
+#elif defined(_MSC_VER)
+ #define BRO_DEPRECATED(msg) __declspec(deprecated(msg)) func
+#else
+ #pragma message("Warning: BRO_DEPRECATED macro not implemented")
+ #define BRO_DEPRECATED(msg)
+#endif
+
// Expose C99 functionality from inttypes.h, which would otherwise not be
// available in C++.
#ifndef __STDC_FORMAT_MACROS
@@ -516,4 +525,10 @@ struct CompareString
*/
std::string canonify_name(const std::string& name);
+/**
+ * Reentrant version of strerror(). Takes care of the difference between the
+ * XSI-compliant and the GNU-specific version of strerror_r().
+ */
+void bro_strerror_r(int bro_errno, char* buf, size_t buflen);
+
#endif
diff --git a/testing/btest/Baseline/core.event-arg-reuse/output b/testing/btest/Baseline/core.event-arg-reuse/output
new file mode 100644
index 0000000000..52024ab5f2
--- /dev/null
+++ b/testing/btest/Baseline/core.event-arg-reuse/output
@@ -0,0 +1,2 @@
+f1, 2
+f2, 1
diff --git a/testing/btest/Baseline/core.ip-broken-header/weird.log b/testing/btest/Baseline/core.ip-broken-header/weird.log
new file mode 100644
index 0000000000..a416f90e66
--- /dev/null
+++ b/testing/btest/Baseline/core.ip-broken-header/weird.log
@@ -0,0 +1,465 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-20-30
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557630.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557630.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557630.000000 - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557630.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557630.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557630.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557630.000000 - 255.255.0.0 0 255.255.255.223 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:ffff:ffff:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7463:2a72:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 255.255.0.0 0 255.255.255.237 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - - - - - ip_hdr_len_zero - F bro
+1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F bro
+1500557631.000000 - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F bro
+1500557631.000000 - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929:100:0:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F bro
+1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F bro
+1500557631.000000 - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F bro
+1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F bro
+1500557631.000000 - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557631.000000 - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7265:6374:6929::6927:bf 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 32.0.8.99 0 0.0.0.0 0 invalid_IP_header_size - F bro
+1500557632.000000 - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F bro
+1500557632.000000 - b100:7265:6374:6929::6928:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 7200:65:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7265:6374:6900:2900:0:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F bro
+1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F bro
+1500557632.000000 - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300::2104:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 0.0.0.255 0 11.0.255.0 0 invalid_IP_header_size_in_tunnel - F bro
+1500557632.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F bro
+1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F bro
+1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557632.000000 - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6377:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::4:fd 0 c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:2a29::6904:3b 0 bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::ff00:bfff 0 3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:6500:72:6369:2a29:3b00:690a:ff 0 3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F bro
+1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F bro
+1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557633.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:6374:6929::693b:bdff 0 0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F bro
+1500557634.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:63ce:69:7429:0:690a:b1 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:6374:2a29::6904:ff 0 29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+1500557634.000000 - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+#close 2017-10-19-17-20-30
diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output
index 678a886c44..85acc259ff 100644
--- a/testing/btest/Baseline/core.truncation/output
+++ b/testing/btest/Baseline/core.truncation/output
@@ -3,48 +3,78 @@
#empty_field (empty)
#unset_field -
#path weird
-#open 2015-08-31-21-35-27
+#open 2017-10-19-17-18-27
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334160095.895421 - - - - - truncated_IP - F bro
-#close 2015-08-31-21-35-27
+#close 2017-10-19-17-18-28
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
-#open 2015-08-31-21-35-27
+#open 2017-10-19-17-18-29
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334156241.519125 - - - - - truncated_IP - F bro
-#close 2015-08-31-21-35-27
+#close 2017-10-19-17-18-30
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
-#open 2015-08-31-21-35-28
+#open 2017-10-19-17-18-32
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334094648.590126 - - - - - truncated_IP - F bro
-#close 2015-08-31-21-35-28
+#close 2017-10-19-17-18-32
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
-#open 2015-08-31-21-35-30
+#open 2017-10-19-17-18-36
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1338328954.078361 - - - - - internally_truncated_header - F bro
-#close 2015-08-31-21-35-30
+#close 2017-10-19-17-18-36
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
-#open 2015-08-31-21-35-30
+#open 2017-10-19-17-18-37
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
0.000000 - - - - - truncated_link_header - F bro
-#close 2015-08-31-21-35-30
+#close 2017-10-19-17-18-38
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-18-39
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F bro
+#close 2017-10-19-17-18-40
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-18-41
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F bro
+#close 2017-10-19-17-18-42
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-18-43
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F bro
+#close 2017-10-19-17-18-44
diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output
new file mode 100644
index 0000000000..728d8e4793
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output
@@ -0,0 +1,20 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-26-34
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1500557630.000000 - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F bro
+#close 2017-10-19-17-26-35
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-26-36
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+#close 2017-10-19-17-26-37
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index d53b14ce58..52a660261c 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
-#open 2017-02-28-17-15-30
+#open 2017-05-02-20-38-47
#fields name
#types string
scripts/base/init-bare.bro
@@ -157,6 +157,7 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
+ build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro
build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro
build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro
build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro
@@ -167,4 +168,4 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
scripts/policy/misc/loaded-scripts.bro
scripts/base/utils/paths.bro
-#close 2017-02-28-17-15-30
+#close 2017-05-02-20-38-47
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index e11edefe16..75ef872a95 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
-#open 2017-02-28-17-19-41
+#open 2017-05-02-20-39-05
#fields name
#types string
scripts/base/init-bare.bro
@@ -157,6 +157,7 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
+ build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro
build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro
build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro
build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro
@@ -284,6 +285,7 @@ scripts/base/init-default.bro
scripts/base/protocols/ssl/consts.bro
scripts/base/protocols/ssl/main.bro
scripts/base/protocols/ssl/mozilla-ca-list.bro
+ scripts/base/protocols/ssl/ct-list.bro
scripts/base/protocols/ssl/files.bro
scripts/base/files/x509/__load__.bro
scripts/base/files/x509/main.bro
@@ -355,4 +357,4 @@ scripts/base/init-default.bro
scripts/base/misc/find-filtered-trace.bro
scripts/base/misc/version.bro
scripts/policy/misc/loaded-scripts.bro
-#close 2017-02-28-17-19-41
+#close 2017-05-02-20-39-05
diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out
index 9ff209d2e6..09a08914fe 100644
--- a/testing/btest/Baseline/coverage.find-bro-logs/out
+++ b/testing/btest/Baseline/coverage.find-bro-logs/out
@@ -30,6 +30,7 @@ netcontrol_shunt
notice
notice_alarm
ntlm
+ocsp
open_flow
packet_filter
pe
diff --git a/testing/btest/Baseline/language.expire-redef/output b/testing/btest/Baseline/language.expire-redef/output
index d5a745e7f3..42bb1b485c 100644
--- a/testing/btest/Baseline/language.expire-redef/output
+++ b/testing/btest/Baseline/language.expire-redef/output
@@ -1,5 +1,3 @@
-Run 0
Run 1
Expired: 0 --> some data
Run 2
-Run 3
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index fcf29f2b04..42b0b6ef26 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -151,7 +151,16 @@
0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) ->
0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) ->
0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) ->
+0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) ->
+0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) ->
+0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-user-cert)) ->
0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) ->
+0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/pkix-cert)) ->
+0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-ca-cert)) ->
+0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-user-cert)) ->
+0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/pkix-cert)) ->
+0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) ->
+0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) ->
0.000000 MetaHookPost CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) ->
0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) ->
0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) ->
@@ -247,7 +256,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) ->
@@ -377,7 +386,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -413,305 +422,312 @@
0.000000 MetaHookPost CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) ->
0.000000 MetaHookPost CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) ->
0.000000 MetaHookPost DrainEvents() ->
-0.000000 MetaHookPost LoadFile(../main) -> -1
-0.000000 MetaHookPost LoadFile(../plugin) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_ARP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_AsciiReader.ascii.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_BackDoor.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_BinaryReader.binary.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_BitTorrent.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_ConnSize.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_ConnSize.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.consts.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_DHCP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_DNP3.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_DNS.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_FTP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_FTP.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_File.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_FileEntropy.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_FileExtract.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_FileExtract.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_FileHash.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_Finger.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_GSSAPI.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_GTPv1.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_Gnutella.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_HTTP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_HTTP.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_ICMP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_IMAP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_IRC.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_Ident.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_InterConn.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_KRB.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_KRB.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_Login.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_Login.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_MIME.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_Modbus.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_MySQL.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_NCP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_NTLM.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_NTLM.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_NTP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_PE.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_POP3.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_RADIUS.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_RDP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_RDP.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_RFB.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_RPC.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_RawReader.raw.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SIP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.consts.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_check_directory.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_close.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_create_directory.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_echo.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_logoff_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_negotiate.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_nt_cancel.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_nt_create_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_query_information.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_read_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_transaction.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_transaction2.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_write_andx.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_close.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_create.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_negotiate.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_read.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_write.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMB.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMTP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SMTP.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SNMP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SNMP.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SOCKS.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SQLiteReader.sqlite.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SSH.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SSH.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SSL.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SSL.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SSL.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_SteppingStone.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_Syslog.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_TCP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_TCP.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_Teredo.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_UDP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_Unified2.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_Unified2.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_X509.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_X509.types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./Bro_XMPP.events.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./acld) -> -1
-0.000000 MetaHookPost LoadFile(./addrs) -> -1
-0.000000 MetaHookPost LoadFile(./analyzer.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./average) -> -1
-0.000000 MetaHookPost LoadFile(./bloom-filter.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./bro.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./broker) -> -1
-0.000000 MetaHookPost LoadFile(./broxygen.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./cardinality-counter.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./catch-and-release) -> -1
-0.000000 MetaHookPost LoadFile(./comm.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./const-dos-error) -> -1
-0.000000 MetaHookPost LoadFile(./const-nt-status) -> -1
-0.000000 MetaHookPost LoadFile(./const.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./consts) -> -1
-0.000000 MetaHookPost LoadFile(./consts.bro) -> -1
-0.000000 MetaHookPost LoadFile(./contents) -> -1
-0.000000 MetaHookPost LoadFile(./data.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./dcc-send) -> -1
-0.000000 MetaHookPost LoadFile(./debug) -> -1
-0.000000 MetaHookPost LoadFile(./drop) -> -1
-0.000000 MetaHookPost LoadFile(./entities) -> -1
-0.000000 MetaHookPost LoadFile(./event.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./exec) -> -1
-0.000000 MetaHookPost LoadFile(./file_analysis.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./files) -> -1
-0.000000 MetaHookPost LoadFile(./gridftp) -> -1
-0.000000 MetaHookPost LoadFile(./hll_unique) -> -1
-0.000000 MetaHookPost LoadFile(./hooks.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./inactivity) -> -1
-0.000000 MetaHookPost LoadFile(./info) -> -1
-0.000000 MetaHookPost LoadFile(./init.bro) -> -1
-0.000000 MetaHookPost LoadFile(./input) -> -1
-0.000000 MetaHookPost LoadFile(./input.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./last) -> -1
-0.000000 MetaHookPost LoadFile(./log) -> -1
-0.000000 MetaHookPost LoadFile(./logging.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./magic) -> -1
-0.000000 MetaHookPost LoadFile(./main) -> -1
-0.000000 MetaHookPost LoadFile(./main.bro) -> -1
-0.000000 MetaHookPost LoadFile(./max) -> -1
-0.000000 MetaHookPost LoadFile(./messaging.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./min) -> -1
-0.000000 MetaHookPost LoadFile(./mozilla-ca-list) -> -1
-0.000000 MetaHookPost LoadFile(./netstats) -> -1
-0.000000 MetaHookPost LoadFile(./non-cluster) -> -1
-0.000000 MetaHookPost LoadFile(./openflow) -> -1
-0.000000 MetaHookPost LoadFile(./packetfilter) -> -1
-0.000000 MetaHookPost LoadFile(./patterns) -> -1
-0.000000 MetaHookPost LoadFile(./pcap.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./plugin) -> -1
-0.000000 MetaHookPost LoadFile(./plugins) -> -1
-0.000000 MetaHookPost LoadFile(./polling) -> -1
-0.000000 MetaHookPost LoadFile(./postprocessors) -> -1
-0.000000 MetaHookPost LoadFile(./reporter.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./ryu) -> -1
-0.000000 MetaHookPost LoadFile(./sample) -> -1
-0.000000 MetaHookPost LoadFile(./scp) -> -1
-0.000000 MetaHookPost LoadFile(./sftp) -> -1
-0.000000 MetaHookPost LoadFile(./shunt) -> -1
-0.000000 MetaHookPost LoadFile(./site) -> -1
-0.000000 MetaHookPost LoadFile(./stats.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./std-dev) -> -1
-0.000000 MetaHookPost LoadFile(./store) -> -1
-0.000000 MetaHookPost LoadFile(./store.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./strings.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./sum) -> -1
-0.000000 MetaHookPost LoadFile(./thresholds) -> -1
-0.000000 MetaHookPost LoadFile(./top-k.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./topk) -> -1
-0.000000 MetaHookPost LoadFile(./types) -> -1
-0.000000 MetaHookPost LoadFile(./types.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(./types.bro) -> -1
-0.000000 MetaHookPost LoadFile(./unique) -> -1
-0.000000 MetaHookPost LoadFile(./utils) -> -1
-0.000000 MetaHookPost LoadFile(./utils-commands) -> -1
-0.000000 MetaHookPost LoadFile(./utils.bro) -> -1
-0.000000 MetaHookPost LoadFile(./variance) -> -1
-0.000000 MetaHookPost LoadFile(./weird) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/add-geodata) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/ascii) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/benchmark) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/binary) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/drop) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/email_admin) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/hostnames) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/none) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/page) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/pp-alarms) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/raw) -> -1
-0.000000 MetaHookPost LoadFile(.<...>/sqlite) -> -1
-0.000000 MetaHookPost LoadFile(<...>/__load__.bro) -> -1
-0.000000 MetaHookPost LoadFile(<...>/__preload__.bro) -> -1
-0.000000 MetaHookPost LoadFile(<...>/hooks.bro) -> -1
-0.000000 MetaHookPost LoadFile(base/bif) -> -1
-0.000000 MetaHookPost LoadFile(base/init-default.bro) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/Bro_KRB.types.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/Bro_SNMP.types.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/active-http) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/addrs) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/analyzer) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/analyzer.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/bro.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/broker) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/cluster) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/comm.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/communication) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/conn) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/conn-ids) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/const.bif.bro) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/control) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/data.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/dce-rpc) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/dhcp) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/dir) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/directions-and-hosts) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/dnp3) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/dns) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/dpd) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/email) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/event.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/exec) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/extract) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/file_analysis.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/files) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/find-checksum-offloading) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/find-filtered-trace) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/ftp) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/geoip-distance) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/hash) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/http) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/imap) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/input) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/input.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/intel) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/irc) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/json) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/krb) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/logging) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/logging.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/main) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/messaging.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/modbus) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/mysql) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/netcontrol) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/notice) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/ntlm) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/numbers) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/openflow) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/packet-filter) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/paths) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/patterns) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/pe) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/plugins) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/pop3) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/queue) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/radius) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/rdp) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/reporter) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/reporter.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/rfb) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/signatures) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/sip) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/site) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/smb) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/smtp) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/snmp) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/socks) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/software) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/ssh) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/ssl) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/store.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/strings) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/strings.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/sumstats) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/syslog) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/thresholds) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/time) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/tunnels) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/types.bif) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/unified2) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/urls) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/utils) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/version) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/weird) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/x509) -> -1
-0.000000 MetaHookPost LoadFile(base<...>/xmpp) -> -1
+0.000000 MetaHookPost LoadFile(0, ..<...>/main.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, ..<...>/plugin.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ARP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BackDoor.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNS.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.functions.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_File.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileEntropy.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileExtract.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileExtract.functions.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileHash.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Finger.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GSSAPI.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GTPv1.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Gnutella.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.functions.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ICMP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IMAP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IRC.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Ident.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_InterConn.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.functions.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MIME.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NoneWriter.none.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_PE.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_POP3.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RADIUS.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RFB.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RPC.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RawReader.raw.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SIP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.consts.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.functions.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SOCKS.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SteppingStone.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Syslog.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.functions.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Teredo.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_XMPP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/acld.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/add-geodata.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/addrs.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/analyzer.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/ascii.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/average.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/benchmark.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/binary.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/bloom-filter.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/bro.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/broker.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/broxygen.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/cardinality-counter.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/catch-and-release.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/comm.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/const-dos-error.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/const-nt-status.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/const.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/consts.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/contents.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/ct-list.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/data.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/dcc-send.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/debug.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/drop.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/email_admin.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/entities.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/event.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/exec.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/file_analysis.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/files.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/gridftp.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/hll_unique.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/hooks.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/hostnames.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/inactivity.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/info.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/init.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/input.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/input.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/last.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/log.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/logging.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/magic) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/main.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/max.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/messaging.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/min.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/mozilla-ca-list.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/netstats.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/non-cluster.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/none.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/openflow.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/packetfilter.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/page.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/patterns.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/pcap.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/plugin.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/plugins) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/polling.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/postprocessors) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/pp-alarms.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/raw.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/reporter.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/ryu.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/sample.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/scp.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/sftp.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/shunt.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/site.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/sqlite.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/stats.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/std-dev.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/store.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/store.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/strings.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/sum.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/thresholds.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/top-k.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/topk.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/types.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/unique.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/utils-commands.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/utils.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/variance.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, .<...>/weird.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, <...>/__load__.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, <...>/__preload__.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, <...>/hooks.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/Bro_KRB.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/Bro_SNMP.types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/active-http.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/addrs.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/analyzer) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/analyzer.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/bif) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/bro.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/broker) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/cluster) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/comm.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/communication) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/conn) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/conn-ids.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/const.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/control) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/data.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/dce-rpc) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/dhcp) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/dir.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/directions-and-hosts.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/dnp3) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/dns) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/dpd) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/email.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/event.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/exec.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/extract) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/file_analysis.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/files) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/files.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/find-checksum-offloading.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/find-filtered-trace.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/ftp) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/hash) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/http) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/imap) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/init-default.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/input) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/irc) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/json.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/krb) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/logging) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/main.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/messaging.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/modbus) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/mysql) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/netcontrol) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/notice) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/ntlm) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/numbers.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/openflow) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/packet-filter) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/paths.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/patterns.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/pe) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/plugins) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/pop3) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/queue.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/radius) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/rdp) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/reporter) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/reporter.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/rfb) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/signatures) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/sip) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/site.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/smb) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/smtp) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/snmp) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/socks) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/software) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/ssh) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/ssl) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/store.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/strings.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/strings.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/sumstats) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/syslog) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/thresholds.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/time.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/tunnels) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/types.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/unified2) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/urls.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/utils.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/version.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/weird.bro) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/x509) -> -1
+0.000000 MetaHookPost LoadFile(0, base<...>/xmpp) -> -1
+0.000000 MetaHookPost LoadFile(1, .<...>/archive.sig) -> -1
+0.000000 MetaHookPost LoadFile(1, .<...>/audio.sig) -> -1
+0.000000 MetaHookPost LoadFile(1, .<...>/dpd.sig) -> -1
+0.000000 MetaHookPost LoadFile(1, .<...>/font.sig) -> -1
+0.000000 MetaHookPost LoadFile(1, .<...>/general.sig) -> -1
+0.000000 MetaHookPost LoadFile(1, .<...>/image.sig) -> -1
+0.000000 MetaHookPost LoadFile(1, .<...>/libmagic.sig) -> -1
+0.000000 MetaHookPost LoadFile(1, .<...>/msoffice.sig) -> -1
+0.000000 MetaHookPost LoadFile(1, .<...>/video.sig) -> -1
0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) ->
0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true
0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false
@@ -870,7 +886,16 @@
0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ())
0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ())
0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)}))
+0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert))
+0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert))
+0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-user-cert))
0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec))
+0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/pkix-cert))
+0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-ca-cert))
+0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-user-cert))
+0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/pkix-cert))
+0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert))
+0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert))
0.000000 MetaHookPre CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec}))
0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]))
@@ -966,7 +991,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG))
@@ -1096,7 +1121,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ())
0.000000 MetaHookPre CallFunction(NetControl::init, , ())
0.000000 MetaHookPre CallFunction(Notice::want_pp, , ())
@@ -1132,305 +1157,312 @@
0.000000 MetaHookPre CallFunction(string_to_pattern, , ((^\.?|\.)()$, F))
0.000000 MetaHookPre CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, ))
0.000000 MetaHookPre DrainEvents()
-0.000000 MetaHookPre LoadFile(../main)
-0.000000 MetaHookPre LoadFile(../plugin)
-0.000000 MetaHookPre LoadFile(./Bro_ARP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_AsciiReader.ascii.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_AsciiWriter.ascii.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_BackDoor.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_BinaryReader.binary.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_BitTorrent.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_ConnSize.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_ConnSize.functions.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.consts.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.types.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_DHCP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_DNP3.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_DNS.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_FTP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_FTP.functions.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_File.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_FileEntropy.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_FileExtract.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_FileExtract.functions.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_FileHash.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_Finger.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_GSSAPI.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_GTPv1.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_Gnutella.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_HTTP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_HTTP.functions.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_ICMP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_IMAP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_IRC.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_Ident.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_InterConn.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_KRB.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_KRB.types.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_Login.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_Login.functions.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_MIME.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_Modbus.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_MySQL.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_NCP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_NTLM.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_NTLM.types.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_NTP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.functions.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_NoneWriter.none.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_PE.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_POP3.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_RADIUS.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_RDP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_RDP.types.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_RFB.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_RPC.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_RawReader.raw.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SIP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.consts.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_check_directory.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_close.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_create_directory.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_echo.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_logoff_andx.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_negotiate.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_nt_cancel.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_nt_create_andx.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_query_information.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_read_andx.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_session_setup_andx.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_transaction.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_transaction2.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_tree_connect_andx.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_tree_disconnect.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_write_andx.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_close.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_create.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_negotiate.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_read.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_write.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMB.types.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMTP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SMTP.functions.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SNMP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SNMP.types.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SOCKS.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SQLiteReader.sqlite.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SSH.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SSH.types.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SSL.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SSL.functions.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SSL.types.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_SteppingStone.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_Syslog.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_TCP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_TCP.functions.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_Teredo.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_UDP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_Unified2.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_Unified2.types.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_X509.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro)
-0.000000 MetaHookPre LoadFile(./Bro_XMPP.events.bif.bro)
-0.000000 MetaHookPre LoadFile(./acld)
-0.000000 MetaHookPre LoadFile(./addrs)
-0.000000 MetaHookPre LoadFile(./analyzer.bif.bro)
-0.000000 MetaHookPre LoadFile(./average)
-0.000000 MetaHookPre LoadFile(./bloom-filter.bif.bro)
-0.000000 MetaHookPre LoadFile(./bro.bif.bro)
-0.000000 MetaHookPre LoadFile(./broker)
-0.000000 MetaHookPre LoadFile(./broxygen.bif.bro)
-0.000000 MetaHookPre LoadFile(./cardinality-counter.bif.bro)
-0.000000 MetaHookPre LoadFile(./catch-and-release)
-0.000000 MetaHookPre LoadFile(./comm.bif.bro)
-0.000000 MetaHookPre LoadFile(./const-dos-error)
-0.000000 MetaHookPre LoadFile(./const-nt-status)
-0.000000 MetaHookPre LoadFile(./const.bif.bro)
-0.000000 MetaHookPre LoadFile(./consts)
-0.000000 MetaHookPre LoadFile(./consts.bro)
-0.000000 MetaHookPre LoadFile(./contents)
-0.000000 MetaHookPre LoadFile(./data.bif.bro)
-0.000000 MetaHookPre LoadFile(./dcc-send)
-0.000000 MetaHookPre LoadFile(./debug)
-0.000000 MetaHookPre LoadFile(./drop)
-0.000000 MetaHookPre LoadFile(./entities)
-0.000000 MetaHookPre LoadFile(./event.bif.bro)
-0.000000 MetaHookPre LoadFile(./exec)
-0.000000 MetaHookPre LoadFile(./file_analysis.bif.bro)
-0.000000 MetaHookPre LoadFile(./files)
-0.000000 MetaHookPre LoadFile(./gridftp)
-0.000000 MetaHookPre LoadFile(./hll_unique)
-0.000000 MetaHookPre LoadFile(./hooks.bif.bro)
-0.000000 MetaHookPre LoadFile(./inactivity)
-0.000000 MetaHookPre LoadFile(./info)
-0.000000 MetaHookPre LoadFile(./init.bro)
-0.000000 MetaHookPre LoadFile(./input)
-0.000000 MetaHookPre LoadFile(./input.bif.bro)
-0.000000 MetaHookPre LoadFile(./last)
-0.000000 MetaHookPre LoadFile(./log)
-0.000000 MetaHookPre LoadFile(./logging.bif.bro)
-0.000000 MetaHookPre LoadFile(./magic)
-0.000000 MetaHookPre LoadFile(./main)
-0.000000 MetaHookPre LoadFile(./main.bro)
-0.000000 MetaHookPre LoadFile(./max)
-0.000000 MetaHookPre LoadFile(./messaging.bif.bro)
-0.000000 MetaHookPre LoadFile(./min)
-0.000000 MetaHookPre LoadFile(./mozilla-ca-list)
-0.000000 MetaHookPre LoadFile(./netstats)
-0.000000 MetaHookPre LoadFile(./non-cluster)
-0.000000 MetaHookPre LoadFile(./openflow)
-0.000000 MetaHookPre LoadFile(./packetfilter)
-0.000000 MetaHookPre LoadFile(./patterns)
-0.000000 MetaHookPre LoadFile(./pcap.bif.bro)
-0.000000 MetaHookPre LoadFile(./plugin)
-0.000000 MetaHookPre LoadFile(./plugins)
-0.000000 MetaHookPre LoadFile(./polling)
-0.000000 MetaHookPre LoadFile(./postprocessors)
-0.000000 MetaHookPre LoadFile(./reporter.bif.bro)
-0.000000 MetaHookPre LoadFile(./ryu)
-0.000000 MetaHookPre LoadFile(./sample)
-0.000000 MetaHookPre LoadFile(./scp)
-0.000000 MetaHookPre LoadFile(./sftp)
-0.000000 MetaHookPre LoadFile(./shunt)
-0.000000 MetaHookPre LoadFile(./site)
-0.000000 MetaHookPre LoadFile(./stats.bif.bro)
-0.000000 MetaHookPre LoadFile(./std-dev)
-0.000000 MetaHookPre LoadFile(./store)
-0.000000 MetaHookPre LoadFile(./store.bif.bro)
-0.000000 MetaHookPre LoadFile(./strings.bif.bro)
-0.000000 MetaHookPre LoadFile(./sum)
-0.000000 MetaHookPre LoadFile(./thresholds)
-0.000000 MetaHookPre LoadFile(./top-k.bif.bro)
-0.000000 MetaHookPre LoadFile(./topk)
-0.000000 MetaHookPre LoadFile(./types)
-0.000000 MetaHookPre LoadFile(./types.bif.bro)
-0.000000 MetaHookPre LoadFile(./types.bro)
-0.000000 MetaHookPre LoadFile(./unique)
-0.000000 MetaHookPre LoadFile(./utils)
-0.000000 MetaHookPre LoadFile(./utils-commands)
-0.000000 MetaHookPre LoadFile(./utils.bro)
-0.000000 MetaHookPre LoadFile(./variance)
-0.000000 MetaHookPre LoadFile(./weird)
-0.000000 MetaHookPre LoadFile(.<...>/add-geodata)
-0.000000 MetaHookPre LoadFile(.<...>/ascii)
-0.000000 MetaHookPre LoadFile(.<...>/benchmark)
-0.000000 MetaHookPre LoadFile(.<...>/binary)
-0.000000 MetaHookPre LoadFile(.<...>/drop)
-0.000000 MetaHookPre LoadFile(.<...>/email_admin)
-0.000000 MetaHookPre LoadFile(.<...>/hostnames)
-0.000000 MetaHookPre LoadFile(.<...>/none)
-0.000000 MetaHookPre LoadFile(.<...>/page)
-0.000000 MetaHookPre LoadFile(.<...>/pp-alarms)
-0.000000 MetaHookPre LoadFile(.<...>/raw)
-0.000000 MetaHookPre LoadFile(.<...>/sqlite)
-0.000000 MetaHookPre LoadFile(<...>/__load__.bro)
-0.000000 MetaHookPre LoadFile(<...>/__preload__.bro)
-0.000000 MetaHookPre LoadFile(<...>/hooks.bro)
-0.000000 MetaHookPre LoadFile(base/bif)
-0.000000 MetaHookPre LoadFile(base/init-default.bro)
-0.000000 MetaHookPre LoadFile(base<...>/Bro_KRB.types.bif)
-0.000000 MetaHookPre LoadFile(base<...>/Bro_SNMP.types.bif)
-0.000000 MetaHookPre LoadFile(base<...>/active-http)
-0.000000 MetaHookPre LoadFile(base<...>/addrs)
-0.000000 MetaHookPre LoadFile(base<...>/analyzer)
-0.000000 MetaHookPre LoadFile(base<...>/analyzer.bif)
-0.000000 MetaHookPre LoadFile(base<...>/bro.bif)
-0.000000 MetaHookPre LoadFile(base<...>/broker)
-0.000000 MetaHookPre LoadFile(base<...>/cluster)
-0.000000 MetaHookPre LoadFile(base<...>/comm.bif)
-0.000000 MetaHookPre LoadFile(base<...>/communication)
-0.000000 MetaHookPre LoadFile(base<...>/conn)
-0.000000 MetaHookPre LoadFile(base<...>/conn-ids)
-0.000000 MetaHookPre LoadFile(base<...>/const.bif.bro)
-0.000000 MetaHookPre LoadFile(base<...>/control)
-0.000000 MetaHookPre LoadFile(base<...>/data.bif)
-0.000000 MetaHookPre LoadFile(base<...>/dce-rpc)
-0.000000 MetaHookPre LoadFile(base<...>/dhcp)
-0.000000 MetaHookPre LoadFile(base<...>/dir)
-0.000000 MetaHookPre LoadFile(base<...>/directions-and-hosts)
-0.000000 MetaHookPre LoadFile(base<...>/dnp3)
-0.000000 MetaHookPre LoadFile(base<...>/dns)
-0.000000 MetaHookPre LoadFile(base<...>/dpd)
-0.000000 MetaHookPre LoadFile(base<...>/email)
-0.000000 MetaHookPre LoadFile(base<...>/event.bif)
-0.000000 MetaHookPre LoadFile(base<...>/exec)
-0.000000 MetaHookPre LoadFile(base<...>/extract)
-0.000000 MetaHookPre LoadFile(base<...>/file_analysis.bif)
-0.000000 MetaHookPre LoadFile(base<...>/files)
-0.000000 MetaHookPre LoadFile(base<...>/find-checksum-offloading)
-0.000000 MetaHookPre LoadFile(base<...>/find-filtered-trace)
-0.000000 MetaHookPre LoadFile(base<...>/ftp)
-0.000000 MetaHookPre LoadFile(base<...>/geoip-distance)
-0.000000 MetaHookPre LoadFile(base<...>/hash)
-0.000000 MetaHookPre LoadFile(base<...>/http)
-0.000000 MetaHookPre LoadFile(base<...>/imap)
-0.000000 MetaHookPre LoadFile(base<...>/input)
-0.000000 MetaHookPre LoadFile(base<...>/input.bif)
-0.000000 MetaHookPre LoadFile(base<...>/intel)
-0.000000 MetaHookPre LoadFile(base<...>/irc)
-0.000000 MetaHookPre LoadFile(base<...>/json)
-0.000000 MetaHookPre LoadFile(base<...>/krb)
-0.000000 MetaHookPre LoadFile(base<...>/logging)
-0.000000 MetaHookPre LoadFile(base<...>/logging.bif)
-0.000000 MetaHookPre LoadFile(base<...>/main)
-0.000000 MetaHookPre LoadFile(base<...>/messaging.bif)
-0.000000 MetaHookPre LoadFile(base<...>/modbus)
-0.000000 MetaHookPre LoadFile(base<...>/mysql)
-0.000000 MetaHookPre LoadFile(base<...>/netcontrol)
-0.000000 MetaHookPre LoadFile(base<...>/notice)
-0.000000 MetaHookPre LoadFile(base<...>/ntlm)
-0.000000 MetaHookPre LoadFile(base<...>/numbers)
-0.000000 MetaHookPre LoadFile(base<...>/openflow)
-0.000000 MetaHookPre LoadFile(base<...>/packet-filter)
-0.000000 MetaHookPre LoadFile(base<...>/paths)
-0.000000 MetaHookPre LoadFile(base<...>/patterns)
-0.000000 MetaHookPre LoadFile(base<...>/pe)
-0.000000 MetaHookPre LoadFile(base<...>/plugins)
-0.000000 MetaHookPre LoadFile(base<...>/pop3)
-0.000000 MetaHookPre LoadFile(base<...>/queue)
-0.000000 MetaHookPre LoadFile(base<...>/radius)
-0.000000 MetaHookPre LoadFile(base<...>/rdp)
-0.000000 MetaHookPre LoadFile(base<...>/reporter)
-0.000000 MetaHookPre LoadFile(base<...>/reporter.bif)
-0.000000 MetaHookPre LoadFile(base<...>/rfb)
-0.000000 MetaHookPre LoadFile(base<...>/signatures)
-0.000000 MetaHookPre LoadFile(base<...>/sip)
-0.000000 MetaHookPre LoadFile(base<...>/site)
-0.000000 MetaHookPre LoadFile(base<...>/smb)
-0.000000 MetaHookPre LoadFile(base<...>/smtp)
-0.000000 MetaHookPre LoadFile(base<...>/snmp)
-0.000000 MetaHookPre LoadFile(base<...>/socks)
-0.000000 MetaHookPre LoadFile(base<...>/software)
-0.000000 MetaHookPre LoadFile(base<...>/ssh)
-0.000000 MetaHookPre LoadFile(base<...>/ssl)
-0.000000 MetaHookPre LoadFile(base<...>/store.bif)
-0.000000 MetaHookPre LoadFile(base<...>/strings)
-0.000000 MetaHookPre LoadFile(base<...>/strings.bif)
-0.000000 MetaHookPre LoadFile(base<...>/sumstats)
-0.000000 MetaHookPre LoadFile(base<...>/syslog)
-0.000000 MetaHookPre LoadFile(base<...>/thresholds)
-0.000000 MetaHookPre LoadFile(base<...>/time)
-0.000000 MetaHookPre LoadFile(base<...>/tunnels)
-0.000000 MetaHookPre LoadFile(base<...>/types.bif)
-0.000000 MetaHookPre LoadFile(base<...>/unified2)
-0.000000 MetaHookPre LoadFile(base<...>/urls)
-0.000000 MetaHookPre LoadFile(base<...>/utils)
-0.000000 MetaHookPre LoadFile(base<...>/version)
-0.000000 MetaHookPre LoadFile(base<...>/weird)
-0.000000 MetaHookPre LoadFile(base<...>/x509)
-0.000000 MetaHookPre LoadFile(base<...>/xmpp)
+0.000000 MetaHookPre LoadFile(0, ..<...>/main.bro)
+0.000000 MetaHookPre LoadFile(0, ..<...>/plugin.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ARP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BackDoor.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNP3.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNS.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.functions.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_File.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileEntropy.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileExtract.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileExtract.functions.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileHash.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Finger.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_GSSAPI.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_GTPv1.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Gnutella.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.functions.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ICMP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IMAP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IRC.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Ident.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_InterConn.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.functions.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MIME.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Modbus.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MySQL.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NoneWriter.none.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_PE.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_POP3.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RADIUS.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RFB.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RPC.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RawReader.raw.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SIP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.consts.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.functions.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SOCKS.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.functions.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SteppingStone.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Syslog.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_TCP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_TCP.functions.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Teredo.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_UDP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.functions.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_XMPP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/acld.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/add-geodata.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/addrs.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/analyzer.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/ascii.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/average.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/benchmark.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/binary.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/bloom-filter.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/bro.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/broker.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/broxygen.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/cardinality-counter.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/catch-and-release.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/comm.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/const-dos-error.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/const-nt-status.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/const.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/consts.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/contents.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/ct-list.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/data.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/dcc-send.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/debug.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/drop.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/email_admin.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/entities.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/event.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/exec.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/file_analysis.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/files.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/gridftp.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/hll_unique.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/hooks.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/hostnames.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/inactivity.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/info.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/init.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/input.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/input.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/last.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/log.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/logging.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/magic)
+0.000000 MetaHookPre LoadFile(0, .<...>/main.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/max.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/messaging.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/min.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/mozilla-ca-list.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/netstats.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/non-cluster.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/none.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/openflow.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/packetfilter.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/page.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/patterns.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/pcap.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/plugin.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/plugins)
+0.000000 MetaHookPre LoadFile(0, .<...>/polling.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/postprocessors)
+0.000000 MetaHookPre LoadFile(0, .<...>/pp-alarms.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/raw.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/reporter.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/ryu.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/sample.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/scp.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/sftp.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/shunt.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/site.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/sqlite.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/stats.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/std-dev.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/store.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/store.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/strings.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/sum.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/thresholds.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/top-k.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/topk.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/types.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/unique.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/utils-commands.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/utils.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/variance.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/weird.bro)
+0.000000 MetaHookPre LoadFile(0, <...>/__load__.bro)
+0.000000 MetaHookPre LoadFile(0, <...>/__preload__.bro)
+0.000000 MetaHookPre LoadFile(0, <...>/hooks.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/Bro_KRB.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/Bro_SNMP.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/active-http.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/addrs.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/analyzer)
+0.000000 MetaHookPre LoadFile(0, base<...>/analyzer.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/bif)
+0.000000 MetaHookPre LoadFile(0, base<...>/bro.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/broker)
+0.000000 MetaHookPre LoadFile(0, base<...>/cluster)
+0.000000 MetaHookPre LoadFile(0, base<...>/comm.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/communication)
+0.000000 MetaHookPre LoadFile(0, base<...>/conn)
+0.000000 MetaHookPre LoadFile(0, base<...>/conn-ids.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/const.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/control)
+0.000000 MetaHookPre LoadFile(0, base<...>/data.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/dce-rpc)
+0.000000 MetaHookPre LoadFile(0, base<...>/dhcp)
+0.000000 MetaHookPre LoadFile(0, base<...>/dir.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/directions-and-hosts.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/dnp3)
+0.000000 MetaHookPre LoadFile(0, base<...>/dns)
+0.000000 MetaHookPre LoadFile(0, base<...>/dpd)
+0.000000 MetaHookPre LoadFile(0, base<...>/email.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/event.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/exec.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/extract)
+0.000000 MetaHookPre LoadFile(0, base<...>/file_analysis.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/files)
+0.000000 MetaHookPre LoadFile(0, base<...>/files.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/find-checksum-offloading.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/find-filtered-trace.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/ftp)
+0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/hash)
+0.000000 MetaHookPre LoadFile(0, base<...>/http)
+0.000000 MetaHookPre LoadFile(0, base<...>/imap)
+0.000000 MetaHookPre LoadFile(0, base<...>/init-default.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/input)
+0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/intel)
+0.000000 MetaHookPre LoadFile(0, base<...>/irc)
+0.000000 MetaHookPre LoadFile(0, base<...>/json.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/krb)
+0.000000 MetaHookPre LoadFile(0, base<...>/logging)
+0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/main.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/messaging.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/modbus)
+0.000000 MetaHookPre LoadFile(0, base<...>/mysql)
+0.000000 MetaHookPre LoadFile(0, base<...>/netcontrol)
+0.000000 MetaHookPre LoadFile(0, base<...>/notice)
+0.000000 MetaHookPre LoadFile(0, base<...>/ntlm)
+0.000000 MetaHookPre LoadFile(0, base<...>/numbers.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/openflow)
+0.000000 MetaHookPre LoadFile(0, base<...>/packet-filter)
+0.000000 MetaHookPre LoadFile(0, base<...>/paths.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/patterns.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/pe)
+0.000000 MetaHookPre LoadFile(0, base<...>/plugins)
+0.000000 MetaHookPre LoadFile(0, base<...>/pop3)
+0.000000 MetaHookPre LoadFile(0, base<...>/queue.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/radius)
+0.000000 MetaHookPre LoadFile(0, base<...>/rdp)
+0.000000 MetaHookPre LoadFile(0, base<...>/reporter)
+0.000000 MetaHookPre LoadFile(0, base<...>/reporter.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/rfb)
+0.000000 MetaHookPre LoadFile(0, base<...>/signatures)
+0.000000 MetaHookPre LoadFile(0, base<...>/sip)
+0.000000 MetaHookPre LoadFile(0, base<...>/site.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/smb)
+0.000000 MetaHookPre LoadFile(0, base<...>/smtp)
+0.000000 MetaHookPre LoadFile(0, base<...>/snmp)
+0.000000 MetaHookPre LoadFile(0, base<...>/socks)
+0.000000 MetaHookPre LoadFile(0, base<...>/software)
+0.000000 MetaHookPre LoadFile(0, base<...>/ssh)
+0.000000 MetaHookPre LoadFile(0, base<...>/ssl)
+0.000000 MetaHookPre LoadFile(0, base<...>/store.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/strings.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/strings.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/sumstats)
+0.000000 MetaHookPre LoadFile(0, base<...>/syslog)
+0.000000 MetaHookPre LoadFile(0, base<...>/thresholds.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/time.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/tunnels)
+0.000000 MetaHookPre LoadFile(0, base<...>/types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/unified2)
+0.000000 MetaHookPre LoadFile(0, base<...>/urls.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/utils.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/version.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/weird.bro)
+0.000000 MetaHookPre LoadFile(0, base<...>/x509)
+0.000000 MetaHookPre LoadFile(0, base<...>/xmpp)
+0.000000 MetaHookPre LoadFile(1, .<...>/archive.sig)
+0.000000 MetaHookPre LoadFile(1, .<...>/audio.sig)
+0.000000 MetaHookPre LoadFile(1, .<...>/dpd.sig)
+0.000000 MetaHookPre LoadFile(1, .<...>/font.sig)
+0.000000 MetaHookPre LoadFile(1, .<...>/general.sig)
+0.000000 MetaHookPre LoadFile(1, .<...>/image.sig)
+0.000000 MetaHookPre LoadFile(1, .<...>/libmagic.sig)
+0.000000 MetaHookPre LoadFile(1, .<...>/msoffice.sig)
+0.000000 MetaHookPre LoadFile(1, .<...>/video.sig)
0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)})
0.000000 MetaHookPre LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, )
0.000000 MetaHookPre QueueEvent(NetControl::init())
@@ -1588,7 +1620,16 @@
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
0.000000 | HookCallFunction Cluster::is_enabled()
0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/pkix-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-ca-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-user-cert)
0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/pkix-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-ca-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-user-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/pkix-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-ca-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-user-cert)
0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec})
0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])
0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])
@@ -1684,7 +1725,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1814,7 +1855,7 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction NetControl::check_plugins()
0.000000 | HookCallFunction NetControl::init()
0.000000 | HookCallFunction Notice::want_pp()
@@ -1850,13 +1891,314 @@
0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F)
0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, )
0.000000 | HookDrainEvents
-0.000000 | HookLoadFile ..<...>/bro
-0.000000 | HookLoadFile .<...>/bro
-0.000000 | HookLoadFile <...>/bro
+0.000000 | HookLoadFile ..<...>/main.bro
+0.000000 | HookLoadFile ..<...>/plugin.bro
+0.000000 | HookLoadFile .<...>/Bro_ARP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_AsciiReader.ascii.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_AsciiWriter.ascii.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_BackDoor.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_BenchmarkReader.benchmark.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_BinaryReader.binary.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_BitTorrent.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_ConnSize.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_ConnSize.functions.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.consts.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.types.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_DHCP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_DNP3.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_DNS.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_FTP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_FTP.functions.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_File.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_FileEntropy.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_FileExtract.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_FileExtract.functions.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_FileHash.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_Finger.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_GSSAPI.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_GTPv1.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_Gnutella.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_HTTP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_HTTP.functions.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_ICMP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_IMAP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_IRC.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_Ident.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_InterConn.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_KRB.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_KRB.types.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_Login.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_Login.functions.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_MIME.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_Modbus.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_MySQL.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_NCP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_NTLM.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_NTLM.types.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_NTP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_NetBIOS.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_NetBIOS.functions.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_NoneWriter.none.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_PE.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_POP3.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_RADIUS.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_RDP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_RDP.types.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_RFB.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_RPC.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_RawReader.raw.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SIP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.consts.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_check_directory.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_close.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_create_directory.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_echo.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_negotiate.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_query_information.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_read_andx.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_write_andx.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_close.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_create.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_negotiate.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_read.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_session_setup.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_set_info.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_write.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMB.types.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMTP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SMTP.functions.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SNMP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SNMP.types.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SOCKS.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SQLiteReader.sqlite.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SQLiteWriter.sqlite.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SSH.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SSH.types.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SSL.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SSL.functions.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SSL.types.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_SteppingStone.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_Syslog.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_TCP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_TCP.functions.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_Teredo.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_UDP.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_Unified2.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_Unified2.types.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_X509.events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_X509.functions.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_X509.ocsp_events.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_X509.types.bif.bro
+0.000000 | HookLoadFile .<...>/Bro_XMPP.events.bif.bro
+0.000000 | HookLoadFile .<...>/acld.bro
+0.000000 | HookLoadFile .<...>/add-geodata.bro
+0.000000 | HookLoadFile .<...>/addrs.bro
+0.000000 | HookLoadFile .<...>/analyzer.bif.bro
+0.000000 | HookLoadFile .<...>/archive.sig
+0.000000 | HookLoadFile .<...>/ascii.bro
+0.000000 | HookLoadFile .<...>/audio.sig
+0.000000 | HookLoadFile .<...>/average.bro
+0.000000 | HookLoadFile .<...>/benchmark.bro
+0.000000 | HookLoadFile .<...>/binary.bro
+0.000000 | HookLoadFile .<...>/bloom-filter.bif.bro
+0.000000 | HookLoadFile .<...>/bro.bif.bro
+0.000000 | HookLoadFile .<...>/broker.bro
+0.000000 | HookLoadFile .<...>/broxygen.bif.bro
+0.000000 | HookLoadFile .<...>/cardinality-counter.bif.bro
+0.000000 | HookLoadFile .<...>/catch-and-release.bro
+0.000000 | HookLoadFile .<...>/comm.bif.bro
+0.000000 | HookLoadFile .<...>/const-dos-error.bro
+0.000000 | HookLoadFile .<...>/const-nt-status.bro
+0.000000 | HookLoadFile .<...>/const.bif.bro
+0.000000 | HookLoadFile .<...>/consts.bro
+0.000000 | HookLoadFile .<...>/contents.bro
+0.000000 | HookLoadFile .<...>/ct-list.bro
+0.000000 | HookLoadFile .<...>/data.bif.bro
+0.000000 | HookLoadFile .<...>/dcc-send.bro
+0.000000 | HookLoadFile .<...>/debug.bro
+0.000000 | HookLoadFile .<...>/dpd.sig
+0.000000 | HookLoadFile .<...>/drop.bro
+0.000000 | HookLoadFile .<...>/email_admin.bro
+0.000000 | HookLoadFile .<...>/entities.bro
+0.000000 | HookLoadFile .<...>/event.bif.bro
+0.000000 | HookLoadFile .<...>/exec.bro
+0.000000 | HookLoadFile .<...>/file_analysis.bif.bro
+0.000000 | HookLoadFile .<...>/files.bro
+0.000000 | HookLoadFile .<...>/font.sig
+0.000000 | HookLoadFile .<...>/general.sig
+0.000000 | HookLoadFile .<...>/gridftp.bro
+0.000000 | HookLoadFile .<...>/hll_unique.bro
+0.000000 | HookLoadFile .<...>/hooks.bif.bro
+0.000000 | HookLoadFile .<...>/hostnames.bro
+0.000000 | HookLoadFile .<...>/image.sig
+0.000000 | HookLoadFile .<...>/inactivity.bro
+0.000000 | HookLoadFile .<...>/info.bro
+0.000000 | HookLoadFile .<...>/init.bro
+0.000000 | HookLoadFile .<...>/input.bif.bro
+0.000000 | HookLoadFile .<...>/input.bro
+0.000000 | HookLoadFile .<...>/last.bro
+0.000000 | HookLoadFile .<...>/libmagic.sig
+0.000000 | HookLoadFile .<...>/log.bro
+0.000000 | HookLoadFile .<...>/logging.bif.bro
+0.000000 | HookLoadFile .<...>/magic
+0.000000 | HookLoadFile .<...>/main.bro
+0.000000 | HookLoadFile .<...>/max.bro
+0.000000 | HookLoadFile .<...>/messaging.bif.bro
+0.000000 | HookLoadFile .<...>/min.bro
+0.000000 | HookLoadFile .<...>/mozilla-ca-list.bro
+0.000000 | HookLoadFile .<...>/msoffice.sig
+0.000000 | HookLoadFile .<...>/netstats.bro
+0.000000 | HookLoadFile .<...>/non-cluster.bro
+0.000000 | HookLoadFile .<...>/none.bro
+0.000000 | HookLoadFile .<...>/openflow.bro
+0.000000 | HookLoadFile .<...>/packetfilter.bro
+0.000000 | HookLoadFile .<...>/page.bro
+0.000000 | HookLoadFile .<...>/patterns.bro
+0.000000 | HookLoadFile .<...>/pcap.bif.bro
+0.000000 | HookLoadFile .<...>/plugin.bro
+0.000000 | HookLoadFile .<...>/plugins
+0.000000 | HookLoadFile .<...>/polling.bro
+0.000000 | HookLoadFile .<...>/postprocessors
+0.000000 | HookLoadFile .<...>/pp-alarms.bro
+0.000000 | HookLoadFile .<...>/raw.bro
+0.000000 | HookLoadFile .<...>/reporter.bif.bro
+0.000000 | HookLoadFile .<...>/ryu.bro
+0.000000 | HookLoadFile .<...>/sample.bro
+0.000000 | HookLoadFile .<...>/scp.bro
+0.000000 | HookLoadFile .<...>/sftp.bro
+0.000000 | HookLoadFile .<...>/shunt.bro
+0.000000 | HookLoadFile .<...>/site.bro
+0.000000 | HookLoadFile .<...>/sqlite.bro
+0.000000 | HookLoadFile .<...>/stats.bif.bro
+0.000000 | HookLoadFile .<...>/std-dev.bro
+0.000000 | HookLoadFile .<...>/store.bif.bro
+0.000000 | HookLoadFile .<...>/store.bro
+0.000000 | HookLoadFile .<...>/strings.bif.bro
+0.000000 | HookLoadFile .<...>/sum.bro
+0.000000 | HookLoadFile .<...>/thresholds.bro
+0.000000 | HookLoadFile .<...>/top-k.bif.bro
+0.000000 | HookLoadFile .<...>/topk.bro
+0.000000 | HookLoadFile .<...>/types.bif.bro
+0.000000 | HookLoadFile .<...>/types.bro
+0.000000 | HookLoadFile .<...>/unique.bro
+0.000000 | HookLoadFile .<...>/utils-commands.bro
+0.000000 | HookLoadFile .<...>/utils.bro
+0.000000 | HookLoadFile .<...>/variance.bro
+0.000000 | HookLoadFile .<...>/video.sig
+0.000000 | HookLoadFile .<...>/weird.bro
+0.000000 | HookLoadFile <...>/__load__.bro
+0.000000 | HookLoadFile <...>/__preload__.bro
+0.000000 | HookLoadFile <...>/hooks.bro
+0.000000 | HookLoadFile base<...>/Bro_KRB.types.bif.bro
+0.000000 | HookLoadFile base<...>/Bro_SNMP.types.bif.bro
+0.000000 | HookLoadFile base<...>/active-http.bro
+0.000000 | HookLoadFile base<...>/addrs.bro
+0.000000 | HookLoadFile base<...>/analyzer
+0.000000 | HookLoadFile base<...>/analyzer.bif.bro
0.000000 | HookLoadFile base<...>/bif
-0.000000 | HookLoadFile base<...>/bro
+0.000000 | HookLoadFile base<...>/bro.bif.bro
+0.000000 | HookLoadFile base<...>/broker
+0.000000 | HookLoadFile base<...>/cluster
+0.000000 | HookLoadFile base<...>/comm.bif.bro
+0.000000 | HookLoadFile base<...>/communication
+0.000000 | HookLoadFile base<...>/conn
+0.000000 | HookLoadFile base<...>/conn-ids.bro
+0.000000 | HookLoadFile base<...>/const.bif.bro
+0.000000 | HookLoadFile base<...>/control
+0.000000 | HookLoadFile base<...>/data.bif.bro
+0.000000 | HookLoadFile base<...>/dce-rpc
+0.000000 | HookLoadFile base<...>/dhcp
+0.000000 | HookLoadFile base<...>/dir.bro
+0.000000 | HookLoadFile base<...>/directions-and-hosts.bro
+0.000000 | HookLoadFile base<...>/dnp3
+0.000000 | HookLoadFile base<...>/dns
+0.000000 | HookLoadFile base<...>/dpd
+0.000000 | HookLoadFile base<...>/email.bro
+0.000000 | HookLoadFile base<...>/event.bif.bro
+0.000000 | HookLoadFile base<...>/exec.bro
+0.000000 | HookLoadFile base<...>/extract
+0.000000 | HookLoadFile base<...>/file_analysis.bif.bro
+0.000000 | HookLoadFile base<...>/files
+0.000000 | HookLoadFile base<...>/files.bro
+0.000000 | HookLoadFile base<...>/find-checksum-offloading.bro
+0.000000 | HookLoadFile base<...>/find-filtered-trace.bro
+0.000000 | HookLoadFile base<...>/ftp
+0.000000 | HookLoadFile base<...>/geoip-distance.bro
+0.000000 | HookLoadFile base<...>/hash
+0.000000 | HookLoadFile base<...>/http
+0.000000 | HookLoadFile base<...>/imap
+0.000000 | HookLoadFile base<...>/init-default.bro
+0.000000 | HookLoadFile base<...>/input
+0.000000 | HookLoadFile base<...>/input.bif.bro
+0.000000 | HookLoadFile base<...>/intel
+0.000000 | HookLoadFile base<...>/irc
+0.000000 | HookLoadFile base<...>/json.bro
+0.000000 | HookLoadFile base<...>/krb
+0.000000 | HookLoadFile base<...>/logging
+0.000000 | HookLoadFile base<...>/logging.bif.bro
+0.000000 | HookLoadFile base<...>/main.bro
+0.000000 | HookLoadFile base<...>/messaging.bif.bro
+0.000000 | HookLoadFile base<...>/modbus
+0.000000 | HookLoadFile base<...>/mysql
+0.000000 | HookLoadFile base<...>/netcontrol
+0.000000 | HookLoadFile base<...>/notice
+0.000000 | HookLoadFile base<...>/ntlm
+0.000000 | HookLoadFile base<...>/numbers.bro
+0.000000 | HookLoadFile base<...>/openflow
+0.000000 | HookLoadFile base<...>/packet-filter
+0.000000 | HookLoadFile base<...>/paths.bro
+0.000000 | HookLoadFile base<...>/patterns.bro
+0.000000 | HookLoadFile base<...>/pe
+0.000000 | HookLoadFile base<...>/plugins
+0.000000 | HookLoadFile base<...>/pop3
+0.000000 | HookLoadFile base<...>/queue.bro
+0.000000 | HookLoadFile base<...>/radius
+0.000000 | HookLoadFile base<...>/rdp
+0.000000 | HookLoadFile base<...>/reporter
+0.000000 | HookLoadFile base<...>/reporter.bif.bro
+0.000000 | HookLoadFile base<...>/rfb
+0.000000 | HookLoadFile base<...>/signatures
+0.000000 | HookLoadFile base<...>/sip
+0.000000 | HookLoadFile base<...>/site.bro
+0.000000 | HookLoadFile base<...>/smb
+0.000000 | HookLoadFile base<...>/smtp
+0.000000 | HookLoadFile base<...>/snmp
+0.000000 | HookLoadFile base<...>/socks
+0.000000 | HookLoadFile base<...>/software
+0.000000 | HookLoadFile base<...>/ssh
+0.000000 | HookLoadFile base<...>/ssl
+0.000000 | HookLoadFile base<...>/store.bif.bro
+0.000000 | HookLoadFile base<...>/strings.bif.bro
+0.000000 | HookLoadFile base<...>/strings.bro
+0.000000 | HookLoadFile base<...>/sumstats
+0.000000 | HookLoadFile base<...>/syslog
+0.000000 | HookLoadFile base<...>/thresholds.bro
+0.000000 | HookLoadFile base<...>/time.bro
+0.000000 | HookLoadFile base<...>/tunnels
+0.000000 | HookLoadFile base<...>/types.bif.bro
+0.000000 | HookLoadFile base<...>/unified2
+0.000000 | HookLoadFile base<...>/urls.bro
+0.000000 | HookLoadFile base<...>/utils.bro
+0.000000 | HookLoadFile base<...>/version.bro
+0.000000 | HookLoadFile base<...>/weird.bro
+0.000000 | HookLoadFile base<...>/x509
+0.000000 | HookLoadFile base<...>/xmpp
0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite packet_filter [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite packet_filter [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]
0.000000 | HookQueueEvent NetControl::init()
0.000000 | HookQueueEvent bro_init()
0.000000 | HookQueueEvent filter_change_tracking()
@@ -2204,7 +2546,7 @@
1362692527.009775 MetaHookPost CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) ->
1362692527.009775 MetaHookPost CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) ->
1362692527.009775 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) ->
-1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) ->
+1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) ->
1362692527.009775 MetaHookPost CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) ->
1362692527.009775 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) ->
1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) ->
@@ -2217,7 +2559,7 @@
1362692527.009775 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) ->
1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, ) -> true
1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) -> true
-1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false
+1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> false
1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> false
1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false
1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false
@@ -2233,7 +2575,7 @@
1362692527.009775 MetaHookPre CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]))
1362692527.009775 MetaHookPre CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]))
1362692527.009775 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]))
+1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]))
1362692527.009775 MetaHookPre CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]))
1362692527.009775 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=