From d0896e81d65cdff359778eb2c9a9793ffa46d4de Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Thu, 7 Nov 2024 11:04:04 -0700
Subject: [PATCH] Increase size of proto fields to uint16_t, add common default value
---
scripts/base/frameworks/notice/weird.zeek | 3 +--
scripts/base/init-bare.zeek | 2 +-
src/Conn.h | 2 +-
src/IP.h | 2 ++
src/IPAddr.cc | 2 +-
src/TunnelEncapsulation.h | 4 ++--
src/packet_analysis/protocol/udp/UDP.cc | 1 -
.../btest/Baseline/bifs.community_id.v1/out | 4 ++--
.../core.tunnels.gre-erspan3-dot1q/out | 2 +-
.../Baseline/core.tunnels.ip-in-ip/output | 16 +++++++-------
.../core.tunnels.ip-tunnel-uid/output | 22 +++++++++----------
.../Baseline/coverage.record-fields/out.bare | 2 +-
.../coverage.record-fields/out.default | 2 +-
.../a.out | 2 +-
.../c.out | 2 +-
.../out | 2 +-
.../ssh-new-default.log | 4 ++--
.../ssh-filtered.log | 10 ++++-----
.../ssh.log | 10 ++++-----
.../ssh-filtered.log | 10 ++++-----
.../ssh.log | 10 ++++-----
.../ssh-filtered.log | 10 ++++-----
.../ssh.log | 10 ++++-----
.../ssh.log | 2 +-
.../output | 4 ++--
.../ssh.log | 10 ++++-----
.../ssh.log | 10 ++++-----
.../output | 14 ++++++------
.../test.failure.log | 2 +-
.../ssh.failure.log | 4 ++--
.../ssh.log | 6 ++---
.../output | 10 ++++-----
.../ssh.log | 10 ++++-----
.../files.log | 2 +-
.../output | 8 +++----
testing/btest/bifs/community_id/v1.zeek | 4 ++--
36 files changed, 110 insertions(+), 110 deletions(-)
diff --git a/scripts/base/frameworks/notice/weird.zeek b/scripts/base/frameworks/notice/weird.zeek
index f7fffb5059..54527a2232 100644
--- a/scripts/base/frameworks/notice/weird.zeek
+++ b/scripts/base/frameworks/notice/weird.zeek
@@ -448,8 +448,7 @@ event flow_weird(name: string, src: addr, dst: addr, addl: string, source: strin # We add the source and destination as port 0/unknown because that is # what fits best here. local id = conn_id($orig_h=src, $orig_p=count_to_port(0, unknown_transport), - $resp_h=dst, $resp_p=count_to_port(0, unknown_transport), - $proto=256); + $resp_h=dst, $resp_p=count_to_port(0, unknown_transport)); local i = Info($ts=network_time(), $name=name, $id=id, $identifier=flow_id_string(src,dst)); diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index e44c4aac3d..edf4913f8f 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -217,7 +217,7 @@ type conn_id: record { orig_p: port &log; ##< The originator's port number. resp_h: addr &log; ##< The responder's IP address. resp_p: port &log; ##< The responder's port number. - proto: count; + proto: count &default=65535; ##< The transport protocol ID. Defaults to 65535 as an "unknown" value. }; ## The identifying 4-tuple of a uni-directional flow. diff --git a/src/Conn.h b/src/Conn.h index ffe0a4ce3b..528d76f49b 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -60,7 +60,7 @@ struct ConnTuple { uint32_t src_port = 0; uint32_t dst_port = 0; bool is_one_way = false; // if true, don't canonicalize order - uint8_t proto; + uint16_t proto = UNKNOWN_IP_PROTO; }; static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) { diff --git a/src/IP.h b/src/IP.h index 8e3b2bd553..5527fee3e8 100644 --- a/src/IP.h +++ b/src/IP.h @@ -36,6 +36,8 @@ class FragReassembler; #define IPPROTO_MOBILITY 135 #endif +constexpr uint16_t UNKNOWN_IP_PROTO = 65535; + struct ip6_mobility { uint8_t ip6mob_payload; uint8_t ip6mob_len; diff --git a/src/IPAddr.cc b/src/IPAddr.cc index 30322c2612..08dd4d400c 100644 --- a/src/IPAddr.cc +++ b/src/IPAddr.cc 
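Review bot: The `&default=65535` on `conn_id$proto` in init-bare.zeek repeats the sentinel as a bare literal, with no script-level name that ties it to the C++ `UNKNOWN_IP_PROTO` this patch adds in src/IP.h. Scripts that need to tell "unknown" from a real protocol number will have to hard-code 65535 themselves, and the two definitions can drift apart. The default also changes the record's contract: the coverage.record-fields baselines in this patch now report `proto` as `optional=T`, so a `conn_id` built without `$proto` silently becomes "unknown" where the field used to be required. I would add an exported constant next to the record, for example `const unknown_ip_proto: count = 65535;`, use it in the `&default`, and state in the `##<` comment that an omitted `$proto` is indistinguishable from an unknown one.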
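Review bot: Widening `ConnTuple::proto` to `uint16_t` with a default of `UNKNOWN_IP_PROTO` is only safe if every consumer of the field is widened as well, and this hunk in src/Conn.h shows just the declaration. Any code that still copies the value into an 8-bit field (a hash key, a serialized struct, a `uint8_t` local) would truncate 65535 to 255, which is the old sentinel and would be hard to notice in connection lookups. None of those consumers are visible in the patch, so the `ConnTuple` users are worth auditing for narrowing conversions, for instance by building once with `-Wconversion` on those files. The header also now depends on the declaration in src/IP.h, and whether Conn.h includes it directly is not visible here.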
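Review bot: `UNKNOWN_IP_PROTO` is added to src/IP.h without a comment, so a reader cannot tell why the value is 65535 or what the constant is allowed to be compared against. If the intent is a sentinel outside the 8-bit IP protocol number space, say so above the declaration, e.g. `// Sentinel for an unknown/unset IP protocol. Deliberately larger than any 8-bit protocol number, so it cannot collide with a value read from a packet; must match the &default of conn_id$proto in init-bare.zeek.` The enclosing namespace is outside the hunk. If this sits at global scope in a widely included header, moving it into the project namespace would avoid leaking a generic name.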
@@ -77,7 +77,7 @@ ConnKey::ConnKey(Val* v) { resp_p = vr->FieldOffset("resp_p"); proto = vr->FieldOffset("proto"); - if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 || proto < 0 ) { + if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 ) { valid = false; return; } diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h index 45bdfa6e84..fb8687a891 100644 --- a/src/TunnelEncapsulation.h +++ b/src/TunnelEncapsulation.h @@ -46,7 +46,7 @@ public: src_port(0), dst_port(0), proto(TRANSPORT_UNKNOWN), - proto_id(255), + proto_id(UNKNOWN_IP_PROTO), type(t), uid(UID(detail::bits_per_uid)) {} @@ -137,7 +137,7 @@ protected: uint16_t src_port; uint16_t dst_port; TransportProto proto; - uint8_t proto_id; + uint16_t proto_id; BifEnum::Tunnel::Type type; UID uid; }; diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc index d733c28d7f..4e6f549de1 100644 --- a/src/packet_analysis/protocol/udp/UDP.cc +++ b/src/packet_analysis/protocol/udp/UDP.cc @@ -5,7 +5,6 @@ #include "zeek/Conn.h" #include "zeek/RunState.h" #include "zeek/analyzer/Manager.h" -#include "zeek/analyzer/protocol/conn-size/ConnSize.h" #include "zeek/analyzer/protocol/pia/PIA.h" #include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h" #include "zeek/packet_analysis/protocol/udp/events.bif.h" diff --git a/testing/btest/Baseline/bifs.community_id.v1/out b/testing/btest/Baseline/bifs.community_id.v1/out index c4f58451ff..8ab3e48d23 100644 --- a/testing/btest/Baseline/bifs.community_id.v1/out +++ b/testing/btest/Baseline/bifs.community_id.v1/out 
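Review bot: Dropping `proto < 0` from the validity check in `ConnKey::ConnKey(Val* v)` lets construction continue when `FieldOffset("proto")` reports that the field is missing, while the other four offsets are still rejected when negative. The rest of the constructor is outside the hunk, so I cannot see how `proto` is used afterwards. If it is later used to fetch the field from the record, a record type without `proto` would be indexed with a negative offset. Either keep the check, since with the new `&default` the field still exists in the `conn_id` type, or make the fallback explicit: read the field only when `proto >= 0` and use `UNKNOWN_IP_PROTO` otherwise. In that case add a comment such as `// proto is optional here; a missing field is treated as UNKNOWN_IP_PROTO`.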
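Review bot: Initialising `proto_id` to `UNKNOWN_IP_PROTO` in the `EncapsulatingConn` constructor changes a script-visible value: the tunnel baselines in this patch show the encapsulation `cid$proto` moving from 255 to 65535. Scripts, log pipelines or detections that match `proto=255` to recognise tunnel parents would stop matching without any error. The diffstat contains no NEWS or changelog entry, so I would add one that names the old and new sentinel. The second hunk, which widens the member to `uint16_t proto_id`, shares this concern. Whether this header includes the declaration from src/IP.h directly is not visible in either hunk.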
@@ -7,5 +7,5 @@ PASS: expected '1:HhA1B+6CoLbiKPEs5nhNYN4XWfk=', got '1:HhA1B+6CoLbiKPEs5nhNYN4X PASS: expected '1:OShq+iKDAMVouh/4bMxB9Sz4amw=', got '1:OShq+iKDAMVouh/4bMxB9Sz4amw=' ([orig_h=1.2.3.4, orig_p=1122/udp, resp_h=5.6.7.8, resp_p=3344/udp, proto=17], seed=1) PASS: expected '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=', got '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=' ([orig_h=1.2.3.4, orig_p=8/icmp, resp_h=5.6.7.8, resp_p=0/icmp, proto=1], seed=1) PASS: expected '1:IO27GQzPuCtNnwFvjWALMHu5tJE=', got '1:IO27GQzPuCtNnwFvjWALMHu5tJE=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp, proto=1], seed=1) -PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=255], seed=0) -PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=255], seed=1) +PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], seed=0) +PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=65535], seed=1) diff --git a/testing/btest/Baseline/core.tunnels.gre-erspan3-dot1q/out b/testing/btest/Baseline/core.tunnels.gre-erspan3-dot1q/out index e553a5d46e..6a3f8dd026 100644 --- a/testing/btest/Baseline/core.tunnels.gre-erspan3-dot1q/out +++ b/testing/btest/Baseline/core.tunnels.gre-erspan3-dot1q/out @@ -2,5 +2,5 @@ echo request, 43, 4 echo reply, 43, 4 [orig_h=172.31.10.31, orig_p=8/icmp, resp_h=172.31.10.2, resp_p=0/icmp, proto=1] -[[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]] +[[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]] vlans 10, nil 
diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip/output b/testing/btest/Baseline/core.tunnels.ip-in-ip/output index 4d2ba40033..2c8960fd7c 100644 --- a/testing/btest/Baseline/core.tunnels.ip-in-ip/output +++ b/testing/btest/Baseline/core.tunnels.ip-in-ip/output 
@@ -1,23 +1,23 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. new_connection: tunnel conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] - encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] new_connection: tunnel conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] - encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]] + encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]] new_connection: tunnel conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] - encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] new_connection: tunnel conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp, proto=6] - encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=255], 
tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] new_connection: tunnel conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp, proto=17] - encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] new_connection: tunnel conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] - encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] tunnel_changed: conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] - old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] - new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]] + old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]] 
diff --git a/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output b/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output index 68090e6455..619e0d5a7a 100644 --- a/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output +++ b/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output 
@@ -1,34 +1,34 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. new_connection: tunnel conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, 
resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, 
uid=CHhAvVGS1DHFjwGM9]] NEW_PACKET: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] - [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] diff --git a/testing/btest/Baseline/coverage.record-fields/out.bare b/testing/btest/Baseline/coverage.record-fields/out.bare index 9c26d27bc2..9f507ca9a1 100644 --- a/testing/btest/Baseline/coverage.record-fields/out.bare +++ b/testing/btest/Baseline/coverage.record-fields/out.bare @@ -9,7 +9,7 @@ connection { conn_id { * orig_h: addr, log=T, optional=F * orig_p: port, log=T, optional=F - * proto: count, log=F, optional=F + * proto: count, log=F, optional=T * resp_h: addr, log=T, optional=F * resp_p: port, log=T, optional=F } diff --git a/testing/btest/Baseline/coverage.record-fields/out.default b/testing/btest/Baseline/coverage.record-fields/out.default index e12d51d97b..e5c415c548 100644 --- a/testing/btest/Baseline/coverage.record-fields/out.default +++ b/testing/btest/Baseline/coverage.record-fields/out.default @@ -10,7 +10,7 @@ connection { conn_id { * orig_h: addr, log=T, optional=F * orig_p: port, log=T, optional=F - * proto: count, log=F, optional=F + * proto: count, log=F, optional=T * resp_h: addr, log=T, optional=F * resp_p: port, log=T, optional=F } diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out index 3621d768c8..419daffadb 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out 
@@ -5,8 +5,8 @@ FILE_OVER_NEW_CONNECTION FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE file #0, 555523, 0 -[orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6] [orig_h=10.101.84.70, orig_p=10978/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6] +[orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6] FILE_BOF_BUFFER %PDF-1.4\x0a%\xd0 MIME_TYPE diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out index 2c0b1b4a57..0d3eb05179 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out @@ -5,8 +5,8 @@ FILE_OVER_NEW_CONNECTION FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE file #0, 498668, 0 -[orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6] [orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6] +[orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6] FILE_BOF_BUFFER %PDF-1.4\x0d%\xe2 MIME_TYPE diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out index 89d5d0ffc0..ef6e1b3f09 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out 
@@ -1,4 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ClEkJM2Vm5giqnMf4h, [orig_h=192.168.0.107, orig_p=58718/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6] -CHhAvVGS1DHFjwGM9, [orig_h=192.168.0.107, orig_p=58716/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6] C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.0.107, orig_p=58720/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6] +CHhAvVGS1DHFjwGM9, [orig_h=192.168.0.107, orig_p=58716/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6] diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log b/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log index a53ccf36ba..ba76b61bf5 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log @@ -7,6 +7,6 @@ #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - success unknown -XXXXXXXXXX.XXXXXX - - - - failure US +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh-filtered.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh-filtered.log index a51465c4a1..981cb7e1dc 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh-filtered.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh-filtered.log 
@@ -6,8 +6,8 @@ PREFIX<>unset_field|NOT-SET PREFIX<>path|ssh PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b PREFIX<>types|time|addr|port|addr|port|string|string|bool -XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|success|unknown|NOT-SET -XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|US|NOT-SET -XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|UK|NOT-SET -XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|BR|NOT-SET -XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|EMPTY|T +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log index f47f22d74a..9a1dd8fee4 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log @@ -6,8 +6,8 @@ #path||ssh #fields||t||id.orig_h||id.orig_p||id.resp_h||id.resp_p||status||country #types||time||addr||port||addr||port||string||string -XXXXXXXXXX.XXXXXX||-||-||-||-||success||unknown -XXXXXXXXXX.XXXXXX||-||-||-||-||failure||US -XXXXXXXXXX.XXXXXX||-||-||-||-||fa\x7c\x7cure||UK -XXXXXXXXXX.XXXXXX||-||-||-||-||su\x7c\x7cess||BR -XXXXXXXXXX.XXXXXX||-||-||-||-||failure||MX +XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||success||unknown +XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||failure||US +XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||fa\x7c\x7cure||UK +XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||su\x7c\x7cess||BR +XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||failure||MX 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-logdir/ssh-filtered.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-logdir/ssh-filtered.log index a51465c4a1..981cb7e1dc 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-logdir/ssh-filtered.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-logdir/ssh-filtered.log @@ -6,8 +6,8 @@ PREFIX<>unset_field|NOT-SET PREFIX<>path|ssh PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b PREFIX<>types|time|addr|port|addr|port|string|string|bool -XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|success|unknown|NOT-SET -XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|US|NOT-SET -XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|UK|NOT-SET -XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|BR|NOT-SET -XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|EMPTY|T +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log index 05cf105659..2003851ec6 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log 
@@ -1,6 +1,6 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -XXXXXXXXXX.XXXXXX|-|-|-|-|success|unknown -XXXXXXXXXX.XXXXXX|-|-|-|-|failure|US -XXXXXXXXXX.XXXXXX|-|-|-|-|failure|UK -XXXXXXXXXX.XXXXXX|-|-|-|-|success|BR -XXXXXXXXXX.XXXXXX|-|-|-|-|failure|MX +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|unknown +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|US +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|UK +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|BR +XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|MX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-tsv/ssh-filtered.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-tsv/ssh-filtered.log index e6b7bab90d..9d2ab4df28 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-tsv/ssh-filtered.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-tsv/ssh-filtered.log @@ -1,7 +1,7 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. t id.orig_h id.orig_p id.resp_h id.resp_p status country b -XXXXXXXXXX.XXXXXX - - - - success unknown - -XXXXXXXXXX.XXXXXX - - - - - US - -XXXXXXXXXX.XXXXXX - - - - failure UK - -XXXXXXXXXX.XXXXXX - - - - - BR - -XXXXXXXXXX.XXXXXX - - - - failure (empty) T +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown - +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 - US - +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK - +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 - BR - +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure (empty) T diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log index 890c58f1c9..e83cbbeec3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log 
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log @@ -7,9 +7,9 @@ #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - success unknown -XXXXXXXXXX.XXXXXX - - - - failure US -XXXXXXXXXX.XXXXXX - - - - failure UK -XXXXXXXXXX.XXXXXX - - - - success BR -XXXXXXXXXX.XXXXXX - - - - failure MX +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log index 5835846d05..4df727b748 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - failure MX +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.events/output b/testing/btest/Baseline/scripts.base.frameworks.logging.events/output index dbaa501ed3..792d6caf8b 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.events/output +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.events/output 
@@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -[t=XXXXXXXXXX.XXXXXX, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp, proto=], status=success, country=unknown] -[t=XXXXXXXXXX.XXXXXX, id=[orig_h=, orig_p=, resp_h=, resp_p=, proto=], status=failure, country=US] +[t=XXXXXXXXXX.XXXXXX, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp, proto=65535], status=success, country=unknown] +[t=XXXXXXXXXX.XXXXXX, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp, proto=65535], status=failure, country=US] diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log index a2cf03d018..6d248f616d 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log @@ -7,9 +7,9 @@ #open XXXX-XX-XX-XX-XX-XX #fields id.orig_p id.resp_h id.resp_p status country #types port addr port string string -- - - success unknown -- - - failure US -- - - failure UK -- - - success BR -- - - failure MX +1234 2.3.4.5 80 success unknown +1234 2.3.4.5 80 failure US +1234 2.3.4.5 80 failure UK +1234 2.3.4.5 80 success BR +1234 2.3.4.5 80 failure MX #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log index c75da1806d..4cac2d6eef 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log 
@@ -7,9 +7,9 @@ #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h #types time addr -XXXXXXXXXX.XXXXXX - -XXXXXXXXXX.XXXXXX - -XXXXXXXXXX.XXXXXX - -XXXXXXXXXX.XXXXXX - -XXXXXXXXXX.XXXXXX - +XXXXXXXXXX.XXXXXX 1.2.3.4 +XXXXXXXXXX.XXXXXX 1.2.3.4 +XXXXXXXXXX.XXXXXX 1.2.3.4 +XXXXXXXXXX.XXXXXX 1.2.3.4 +XXXXXXXXXX.XXXXXX 1.2.3.4 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output index 5862279304..3a2d7cea27 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output @@ -14,7 +14,7 @@ static-prefix-2-UK.log #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - success BR +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR #close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , @@ -24,7 +24,7 @@ XXXXXXXXXX.XXXXXX - - - - success BR #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - failure MX3 +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX3 #close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , @@ -34,7 +34,7 @@ XXXXXXXXXX.XXXXXX - - - - failure MX3 #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - success unknown +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown #close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , 
@@ -44,7 +44,7 @@ XXXXXXXXXX.XXXXXX - - - - success unknown #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - failure MX +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX #close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , @@ -54,7 +54,7 @@ XXXXXXXXXX.XXXXXX - - - - failure MX #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - failure US +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US #close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , @@ -64,7 +64,7 @@ XXXXXXXXXX.XXXXXX - - - - failure US #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - failure MX2 +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX2 #close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , @@ -74,5 +74,5 @@ XXXXXXXXXX.XXXXXX - - - - failure MX2 #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - failure UK +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log index 06f61532b6..b6286c159a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - failure US +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log index cb9aae93e0..9ea8268ac3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log @@ -7,6 +7,6 @@ #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - failure US -XXXXXXXXXX.XXXXXX - - - - failure UK +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log index 5e50a91cbb..9a7200f2e0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log @@ -7,7 +7,7 @@ #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - failure US -XXXXXXXXXX.XXXXXX - - - - failure UK -XXXXXXXXXX.XXXXXX - - - - failure BR +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure BR #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output b/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output index 9f23ce1cd3..2384cf2d89 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output 
@@ -7,9 +7,9 @@ #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - success unknown -XXXXXXXXXX.XXXXXX - - - - failure US -XXXXXXXXXX.XXXXXX - - - - failure UK -XXXXXXXXXX.XXXXXX - - - - success BR -XXXXXXXXXX.XXXXXX - - - - failure MX +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log index 890c58f1c9..e83cbbeec3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log @@ -7,9 +7,9 @@ #open XXXX-XX-XX-XX-XX-XX #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #types time addr port addr port string string -XXXXXXXXXX.XXXXXX - - - - success unknown -XXXXXXXXXX.XXXXXX - - - - failure US -XXXXXXXXXX.XXXXXX - - - - failure UK -XXXXXXXXXX.XXXXXX - - - - success BR -XXXXXXXXXX.XXXXXX - - - - failure MX +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR +XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.concurrent-range-requests/files.log b/testing/btest/Baseline/scripts.base.protocols.http.concurrent-range-requests/files.log index 7022e4d662..a958be3fb9 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.concurrent-range-requests/files.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.http.concurrent-range-requests/files.log @@ -8,6 +8,6 @@ #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T - -XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T - XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 C4J4Th3PJpwUYZZ6gc 192.168.0.107 58720 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T - +XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.set_version/output b/testing/btest/Baseline/scripts.base.protocols.ssh.set_version/output index 95300ab075..d156cd8469 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssh.set_version/output +++ b/testing/btest/Baseline/scripts.base.protocols.ssh.set_version/output 
@@ -10,7 +10,7 @@ incomplete server version, F incomplete client version, F SSH1 vs SSH2, F SSH2 vs SSH1, F -conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=], SSH vs SSH-1.5-OpenSSH_6.2, -conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=], SSH-1.5-OpenSSH_6.2 vs SSH, -conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=], SSH-1.5-OpenSSH_6.2 vs SSH-2.0-OpenSSH_5.9, -conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=], SSH-2.0-OpenSSH_5.9 vs SSH-1.5-OpenSSH_6.2, +conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH vs SSH-1.5-OpenSSH_6.2, +conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH-1.5-OpenSSH_6.2 vs SSH, +conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH-1.5-OpenSSH_6.2 vs SSH-2.0-OpenSSH_5.9, +conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH-2.0-OpenSSH_5.9 vs SSH-1.5-OpenSSH_6.2, diff --git a/testing/btest/bifs/community_id/v1.zeek b/testing/btest/bifs/community_id/v1.zeek index 86f8f19591..dc01f971b0 100644 --- a/testing/btest/bifs/community_id/v1.zeek +++ b/testing/btest/bifs/community_id/v1.zeek 
@@ -23,7 +23,7 @@ event zeek_init() test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=128/icmp, $resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=129/icmp, $proto=1], 1, "1:IO27GQzPuCtNnwFvjWALMHu5tJE="); - test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown, $proto=255], 0, ""); + test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown], 0, ""); test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=0/unknown, - $resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown, $proto=255], 1, ""); + $resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown], 1, ""); }
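Review bot: The two rewritten `test_it` calls at the end of this hunk now leave `$proto` unset, so they only build a valid `conn_id` through the `&default=65535` this commit adds in init-bare.zeek, and nothing in the test says so. A short comment above them, e.g. `# $proto omitted on purpose: relies on the conn_id default (65535 = unknown)`, would stop a later edit from re-adding a literal value. The explicit `$proto=255` case is also dropped; if the community-ID code reads `$proto` at all (not visible here), keeping one call with an explicit unassigned value next to the defaulted one would cover both paths, since a silently changed hash input breaks flow correlation with other tools. The body of `zeek_init` starts outside the hunk.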