Increase size of proto fields to uint16_t, add common default value

This commit is contained in:
Tim Wojtulewicz 2024-11-07 11:04:04 -07:00
parent f762a45e83
commit d0896e81d6
36 changed files with 110 additions and 110 deletions


@ -448,8 +448,7 @@ event flow_weird(name: string, src: addr, dst: addr, addl: string, source: strin
# We add the source and destination as port 0/unknown because that is # We add the source and destination as port 0/unknown because that is
# what fits best here. # what fits best here.
local id = conn_id($orig_h=src, $orig_p=count_to_port(0, unknown_transport), local id = conn_id($orig_h=src, $orig_p=count_to_port(0, unknown_transport),
$resp_h=dst, $resp_p=count_to_port(0, unknown_transport), $resp_h=dst, $resp_p=count_to_port(0, unknown_transport));
$proto=256);
local i = Info($ts=network_time(), $name=name, $id=id, $identifier=flow_id_string(src,dst)); local i = Info($ts=network_time(), $name=name, $id=id, $identifier=flow_id_string(src,dst));
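Review bot: The conn_id constructor now silently relies on the record's new `&default` for `proto`, and nothing at the call site says so; a reader comparing this with the old `$proto=256` will wonder whether the field was forgotten. A one-line comment on the `local id = conn_id(...)` statement would settle it, e.g. `# $proto is intentionally omitted so conn_id's &default ("unknown", 65535) applies.` The old literal 256 was itself never a valid 8-bit protocol number, so unifying on the record default is the right direction. The flow_weird event body starts and ends outside this hunk.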


@ -217,7 +217,7 @@ type conn_id: record {
orig_p: port &log; ##< The originator's port number. orig_p: port &log; ##< The originator's port number.
resp_h: addr &log; ##< The responder's IP address. resp_h: addr &log; ##< The responder's IP address.
resp_p: port &log; ##< The responder's port number. resp_p: port &log; ##< The responder's port number.
proto: count; proto: count &default=65535; ##< The transport protocol ID. Defaults to 65535 as an "unknown" value.
}; };
## The identifying 4-tuple of a uni-directional flow. ## The identifying 4-tuple of a uni-directional flow.
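Review bot: Adding `&default=65535` turns `proto` from a required field into an optional one (the record-type dump baselines in this commit flip it from `optional=F` to `optional=T`), so any `conn_id` built without `$proto` is now a complete value carrying 65535 rather than an uninitialized field; several baselines in this commit also reorder connection output, which may be a consequence of the changed record contents and is worth confirming as intended rather than as nondeterminism. The doc comment should also say why this particular sentinel, since script code comparing `proto` against real protocol numbers depends on it never colliding: `##< The transport protocol ID. Defaults to 65535 ("unknown"), deliberately outside the 8-bit IP protocol number range so it can never match a real protocol.`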


@ -60,7 +60,7 @@ struct ConnTuple {
uint32_t src_port = 0; uint32_t src_port = 0;
uint32_t dst_port = 0; uint32_t dst_port = 0;
bool is_one_way = false; // if true, don't canonicalize order bool is_one_way = false; // if true, don't canonicalize order
uint8_t proto; uint16_t proto = UNKNOWN_IP_PROTO;
}; };
static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) { static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) {
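Review bot: The new `uint16_t proto = UNKNOWN_IP_PROTO;` member has no comment explaining why a protocol number, which fits in 8 bits, is stored in 16; the width only makes sense together with the out-of-range sentinel, and that reasoning should live next to the field: `uint16_t proto = UNKNOWN_IP_PROTO; // IP protocol number (0-255); wider than 8 bits so the "unknown" sentinel cannot alias a real protocol`. The line also introduces a dependency on `UNKNOWN_IP_PROTO`, which this commit defines in a different header; if that header is not already included here the struct compiles only by transitive inclusion, which is worth checking outside the hunk.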


@ -36,6 +36,8 @@ class FragReassembler;
#define IPPROTO_MOBILITY 135 #define IPPROTO_MOBILITY 135
#endif #endif
constexpr uint16_t UNKNOWN_IP_PROTO = 65535;
struct ip6_mobility { struct ip6_mobility {
uint8_t ip6mob_payload; uint8_t ip6mob_payload;
uint8_t ip6mob_len; uint8_t ip6mob_len;
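Review bot: `constexpr uint16_t UNKNOWN_IP_PROTO = 65535;` lands without any comment, yet it replaces two different ad-hoc sentinels elsewhere in this commit (`proto_id(255)` in C++ and `$proto=256` in script), so its rationale is exactly what the next maintainer will need: `// Sentinel for "IP protocol not known". Kept outside the 0-255 protocol number space so it can never alias a real (or reserved, e.g. 255) protocol; the script-level conn_id default must stay in sync with this value.` The last clause matters because the script side hard-codes 65535 in its `&default` rather than referencing this constant, so the two can drift apart silently.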


@ -77,7 +77,7 @@ ConnKey::ConnKey(Val* v) {
resp_p = vr->FieldOffset("resp_p"); resp_p = vr->FieldOffset("resp_p");
proto = vr->FieldOffset("proto"); proto = vr->FieldOffset("proto");
if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 || proto < 0 ) { if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 ) {
valid = false; valid = false;
return; return;
} }
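Review bot: The validity test on the new side no longer rejects a record type that lacks a `proto` field, so `proto` can stay at the negative offset `FieldOffset` returns for a missing field while `valid` remains true; unless the code after this hunk checks `proto >= 0` before using it as a field index, this turns a clean `valid = false` into an out-of-range field lookup. If a missing `proto` is now meant to be tolerated because the script-level field is optional, that intent should be stated where the check was dropped, e.g. `// proto is optional: a negative offset means the record has no proto field and the protocol is treated as unknown.` The constructor body continues outside the hunk, so the downstream use of `proto` cannot be confirmed from here.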


@ -46,7 +46,7 @@ public:
src_port(0), src_port(0),
dst_port(0), dst_port(0),
proto(TRANSPORT_UNKNOWN), proto(TRANSPORT_UNKNOWN),
proto_id(255), proto_id(UNKNOWN_IP_PROTO),
type(t), type(t),
uid(UID(detail::bits_per_uid)) {} uid(UID(detail::bits_per_uid)) {}
@ -137,7 +137,7 @@ protected:
uint16_t src_port; uint16_t src_port;
uint16_t dst_port; uint16_t dst_port;
TransportProto proto; TransportProto proto;
uint8_t proto_id; uint16_t proto_id;
BifEnum::Tunnel::Type type; BifEnum::Tunnel::Type type;
UID uid; UID uid;
}; };
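Review bot: `proto_id` is widened to `uint16_t` in the member declaration, but any accessor, setter or caller of it that is still declared as `uint8_t` outside this hunk would silently truncate `UNKNOWN_IP_PROTO` (65535) to 255 — the very value this commit retires as the sentinel — so the getters and construction sites for this member should be checked for matching width. The member would also benefit from the same comment as its initializer implies: `uint16_t proto_id; // IP protocol number, or UNKNOWN_IP_PROTO when not known`. The surrounding class begins and ends outside the two hunks shown.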


@ -5,7 +5,6 @@
#include "zeek/Conn.h" #include "zeek/Conn.h"
#include "zeek/RunState.h" #include "zeek/RunState.h"
#include "zeek/analyzer/Manager.h" #include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
#include "zeek/analyzer/protocol/pia/PIA.h" #include "zeek/analyzer/protocol/pia/PIA.h"
#include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h" #include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h"
#include "zeek/packet_analysis/protocol/udp/events.bif.h" #include "zeek/packet_analysis/protocol/udp/events.bif.h"


@ -7,5 +7,5 @@ PASS: expected '1:HhA1B+6CoLbiKPEs5nhNYN4XWfk=', got '1:HhA1B+6CoLbiKPEs5nhNYN4X
PASS: expected '1:OShq+iKDAMVouh/4bMxB9Sz4amw=', got '1:OShq+iKDAMVouh/4bMxB9Sz4amw=' ([orig_h=1.2.3.4, orig_p=1122/udp, resp_h=5.6.7.8, resp_p=3344/udp, proto=17], seed=1) PASS: expected '1:OShq+iKDAMVouh/4bMxB9Sz4amw=', got '1:OShq+iKDAMVouh/4bMxB9Sz4amw=' ([orig_h=1.2.3.4, orig_p=1122/udp, resp_h=5.6.7.8, resp_p=3344/udp, proto=17], seed=1)
PASS: expected '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=', got '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=' ([orig_h=1.2.3.4, orig_p=8/icmp, resp_h=5.6.7.8, resp_p=0/icmp, proto=1], seed=1) PASS: expected '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=', got '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=' ([orig_h=1.2.3.4, orig_p=8/icmp, resp_h=5.6.7.8, resp_p=0/icmp, proto=1], seed=1)
PASS: expected '1:IO27GQzPuCtNnwFvjWALMHu5tJE=', got '1:IO27GQzPuCtNnwFvjWALMHu5tJE=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp, proto=1], seed=1) PASS: expected '1:IO27GQzPuCtNnwFvjWALMHu5tJE=', got '1:IO27GQzPuCtNnwFvjWALMHu5tJE=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp, proto=1], seed=1)
PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=255], seed=0) PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], seed=0)
PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=255], seed=1) PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=65535], seed=1)


@ -2,5 +2,5 @@
echo request, 43, 4 echo request, 43, 4
echo reply, 43, 4 echo reply, 43, 4
[orig_h=172.31.10.31, orig_p=8/icmp, resp_h=172.31.10.2, resp_p=0/icmp, proto=1] [orig_h=172.31.10.31, orig_p=8/icmp, resp_h=172.31.10.2, resp_p=0/icmp, proto=1]
[[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]]
vlans 10, nil vlans 10, nil


@ -1,23 +1,23 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]] encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]]
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp, proto=6] conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp, proto=6]
encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp, proto=17] conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp, proto=17]
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
tunnel_changed: tunnel_changed:
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17] conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]] new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]]


@ -1,34 +1,34 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
new_connection: tunnel new_connection: tunnel
conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
NEW_PACKET: NEW_PACKET:
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58] [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]] [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]


@ -9,7 +9,7 @@ connection {
conn_id { conn_id {
* orig_h: addr, log=T, optional=F * orig_h: addr, log=T, optional=F
* orig_p: port, log=T, optional=F * orig_p: port, log=T, optional=F
* proto: count, log=F, optional=F * proto: count, log=F, optional=T
* resp_h: addr, log=T, optional=F * resp_h: addr, log=T, optional=F
* resp_p: port, log=T, optional=F * resp_p: port, log=T, optional=F
} }


@ -10,7 +10,7 @@ connection {
conn_id { conn_id {
* orig_h: addr, log=T, optional=F * orig_h: addr, log=T, optional=F
* orig_p: port, log=T, optional=F * orig_p: port, log=T, optional=F
* proto: count, log=F, optional=F * proto: count, log=F, optional=T
* resp_h: addr, log=T, optional=F * resp_h: addr, log=T, optional=F
* resp_p: port, log=T, optional=F * resp_p: port, log=T, optional=F
} }


@ -5,8 +5,8 @@ FILE_OVER_NEW_CONNECTION
FILE_OVER_NEW_CONNECTION FILE_OVER_NEW_CONNECTION
FILE_STATE_REMOVE FILE_STATE_REMOVE
file #0, 555523, 0 file #0, 555523, 0
[orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6]
[orig_h=10.101.84.70, orig_p=10978/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6] [orig_h=10.101.84.70, orig_p=10978/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6]
[orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6]
FILE_BOF_BUFFER FILE_BOF_BUFFER
%PDF-1.4\x0a%\xd0 %PDF-1.4\x0a%\xd0
MIME_TYPE MIME_TYPE


@ -5,8 +5,8 @@ FILE_OVER_NEW_CONNECTION
FILE_OVER_NEW_CONNECTION FILE_OVER_NEW_CONNECTION
FILE_STATE_REMOVE FILE_STATE_REMOVE
file #0, 498668, 0 file #0, 498668, 0
[orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6]
[orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6] [orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6]
[orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6]
FILE_BOF_BUFFER FILE_BOF_BUFFER
%PDF-1.4\x0d%\xe2 %PDF-1.4\x0d%\xe2
MIME_TYPE MIME_TYPE


@ -1,4 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ClEkJM2Vm5giqnMf4h, [orig_h=192.168.0.107, orig_p=58718/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6] ClEkJM2Vm5giqnMf4h, [orig_h=192.168.0.107, orig_p=58718/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6]
CHhAvVGS1DHFjwGM9, [orig_h=192.168.0.107, orig_p=58716/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6]
C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.0.107, orig_p=58720/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6] C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.0.107, orig_p=58720/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6]
CHhAvVGS1DHFjwGM9, [orig_h=192.168.0.107, orig_p=58716/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6]


@ -7,6 +7,6 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - success unknown XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown
XXXXXXXXXX.XXXXXX - - - - failure US XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -6,8 +6,8 @@ PREFIX<>unset_field|NOT-SET
PREFIX<>path|ssh PREFIX<>path|ssh
PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
PREFIX<>types|time|addr|port|addr|port|string|string|bool PREFIX<>types|time|addr|port|addr|port|string|string|bool
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|success|unknown|NOT-SET XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|US|NOT-SET XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|UK|NOT-SET XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|BR|NOT-SET XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|EMPTY|T XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T


@ -6,8 +6,8 @@
#path||ssh #path||ssh
#fields||t||id.orig_h||id.orig_p||id.resp_h||id.resp_p||status||country #fields||t||id.orig_h||id.orig_p||id.resp_h||id.resp_p||status||country
#types||time||addr||port||addr||port||string||string #types||time||addr||port||addr||port||string||string
XXXXXXXXXX.XXXXXX||-||-||-||-||success||unknown XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||success||unknown
XXXXXXXXXX.XXXXXX||-||-||-||-||failure||US XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||failure||US
XXXXXXXXXX.XXXXXX||-||-||-||-||fa\x7c\x7cure||UK XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||fa\x7c\x7cure||UK
XXXXXXXXXX.XXXXXX||-||-||-||-||su\x7c\x7cess||BR XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||su\x7c\x7cess||BR
XXXXXXXXXX.XXXXXX||-||-||-||-||failure||MX XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||failure||MX


@ -6,8 +6,8 @@ PREFIX<>unset_field|NOT-SET
PREFIX<>path|ssh PREFIX<>path|ssh
PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
PREFIX<>types|time|addr|port|addr|port|string|string|bool PREFIX<>types|time|addr|port|addr|port|string|string|bool
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|success|unknown|NOT-SET XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|US|NOT-SET XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|UK|NOT-SET XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|BR|NOT-SET XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|EMPTY|T XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T


@ -1,6 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
XXXXXXXXXX.XXXXXX|-|-|-|-|success|unknown XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|unknown
XXXXXXXXXX.XXXXXX|-|-|-|-|failure|US XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|US
XXXXXXXXXX.XXXXXX|-|-|-|-|failure|UK XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|UK
XXXXXXXXXX.XXXXXX|-|-|-|-|success|BR XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|BR
XXXXXXXXXX.XXXXXX|-|-|-|-|failure|MX XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|MX


@ -1,7 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
t id.orig_h id.orig_p id.resp_h id.resp_p status country b t id.orig_h id.orig_p id.resp_h id.resp_p status country b
XXXXXXXXXX.XXXXXX - - - - success unknown - XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown -
XXXXXXXXXX.XXXXXX - - - - - US - XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 - US -
XXXXXXXXXX.XXXXXX - - - - failure UK - XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK -
XXXXXXXXXX.XXXXXX - - - - - BR - XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 - BR -
XXXXXXXXXX.XXXXXX - - - - failure (empty) T XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure (empty) T


@ -7,9 +7,9 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - success unknown XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown
XXXXXXXXXX.XXXXXX - - - - failure US XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
XXXXXXXXXX.XXXXXX - - - - failure UK XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
XXXXXXXXXX.XXXXXX - - - - success BR XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR
XXXXXXXXXX.XXXXXX - - - - failure MX XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure MX XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -1,3 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
[t=XXXXXXXXXX.XXXXXX, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp, proto=<uninitialized>], status=success, country=unknown] [t=XXXXXXXXXX.XXXXXX, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp, proto=65535], status=success, country=unknown]
[t=XXXXXXXXXX.XXXXXX, id=[orig_h=<uninitialized>, orig_p=<uninitialized>, resp_h=<uninitialized>, resp_p=<uninitialized>, proto=<uninitialized>], status=failure, country=US] [t=XXXXXXXXXX.XXXXXX, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp, proto=65535], status=failure, country=US]


@ -7,9 +7,9 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields id.orig_p id.resp_h id.resp_p status country #fields id.orig_p id.resp_h id.resp_p status country
#types port addr port string string #types port addr port string string
- - - success unknown 1234 2.3.4.5 80 success unknown
- - - failure US 1234 2.3.4.5 80 failure US
- - - failure UK 1234 2.3.4.5 80 failure UK
- - - success BR 1234 2.3.4.5 80 success BR
- - - failure MX 1234 2.3.4.5 80 failure MX
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,9 +7,9 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h #fields t id.orig_h
#types time addr #types time addr
XXXXXXXXXX.XXXXXX - XXXXXXXXXX.XXXXXX 1.2.3.4
XXXXXXXXXX.XXXXXX - XXXXXXXXXX.XXXXXX 1.2.3.4
XXXXXXXXXX.XXXXXX - XXXXXXXXXX.XXXXXX 1.2.3.4
XXXXXXXXXX.XXXXXX - XXXXXXXXXX.XXXXXX 1.2.3.4
XXXXXXXXXX.XXXXXX - XXXXXXXXXX.XXXXXX 1.2.3.4
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -14,7 +14,7 @@ static-prefix-2-UK.log
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - success BR XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX
#separator \x09 #separator \x09
#set_separator , #set_separator ,
@ -24,7 +24,7 @@ XXXXXXXXXX.XXXXXX - - - - success BR
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure MX3 XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX3
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX
#separator \x09 #separator \x09
#set_separator , #set_separator ,
@ -34,7 +34,7 @@ XXXXXXXXXX.XXXXXX - - - - failure MX3
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - success unknown XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX
#separator \x09 #separator \x09
#set_separator , #set_separator ,
@ -44,7 +44,7 @@ XXXXXXXXXX.XXXXXX - - - - success unknown
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure MX XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX
#separator \x09 #separator \x09
#set_separator , #set_separator ,
@ -54,7 +54,7 @@ XXXXXXXXXX.XXXXXX - - - - failure MX
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure US XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX
#separator \x09 #separator \x09
#set_separator , #set_separator ,
@ -64,7 +64,7 @@ XXXXXXXXXX.XXXXXX - - - - failure US
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure MX2 XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX2
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX
#separator \x09 #separator \x09
#set_separator , #set_separator ,
@ -74,5 +74,5 @@ XXXXXXXXXX.XXXXXX - - - - failure MX2
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure UK XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure US XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,6 +7,6 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure US XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
XXXXXXXXXX.XXXXXX - - - - failure UK XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,7 +7,7 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure US XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
XXXXXXXXXX.XXXXXX - - - - failure UK XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
XXXXXXXXXX.XXXXXX - - - - failure BR XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure BR
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,9 +7,9 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - success unknown XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown
XXXXXXXXXX.XXXXXX - - - - failure US XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
XXXXXXXXXX.XXXXXX - - - - failure UK XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
XXXXXXXXXX.XXXXXX - - - - success BR XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR
XXXXXXXXXX.XXXXXX - - - - failure MX XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,9 +7,9 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - success unknown XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown
XXXXXXXXXX.XXXXXX - - - - failure US XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
XXXXXXXXXX.XXXXXX - - - - failure UK XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
XXXXXXXXXX.XXXXXX - - - - success BR XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR
XXXXXXXXXX.XXXXXX - - - - failure MX XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -8,6 +8,6 @@
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T - XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T -
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T -
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 C4J4Th3PJpwUYZZ6gc 192.168.0.107 58720 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T - XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 C4J4Th3PJpwUYZZ6gc 192.168.0.107 58720 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T -
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX
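Review bot: The rows for `CHhAvVGS1DHFjwGM9` and `C4J4Th3PJpwUYZZ6gc` swap positions while their contents are unchanged, which a type widening and a default value for the proto field does not obviously explain. If the row order comes from iterating a container keyed by the connection tuple, the new baseline may be recording a hash-dependent order rather than a stable one, and that is worth confirming across platforms before accepting it, otherwise this test can become flaky. A sentence in the commit description saying why these rows moved would spare the next reader the same question.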


@ -10,7 +10,7 @@ incomplete server version, F
incomplete client version, F incomplete client version, F
SSH1 vs SSH2, F SSH1 vs SSH2, F
SSH2 vs SSH1, F SSH2 vs SSH1, F
conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=<uninitialized>], SSH vs SSH-1.5-OpenSSH_6.2, conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH vs SSH-1.5-OpenSSH_6.2,
conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=<uninitialized>], SSH-1.5-OpenSSH_6.2 vs SSH, conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH-1.5-OpenSSH_6.2 vs SSH,
conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=<uninitialized>], SSH-1.5-OpenSSH_6.2 vs SSH-2.0-OpenSSH_5.9, conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH-1.5-OpenSSH_6.2 vs SSH-2.0-OpenSSH_5.9,
conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=<uninitialized>], SSH-2.0-OpenSSH_5.9 vs SSH-1.5-OpenSSH_6.2, conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH-2.0-OpenSSH_5.9 vs SSH-1.5-OpenSSH_6.2,
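Review bot: Every conn_weird record in this baseline now prints `proto=65535` alongside `orig_p=40/tcp` and `resp_p=40/tcp`, so the conn_id built on this path is still not populated from the transport; the new default only replaces the earlier `<uninitialized>` marker with the "unknown" sentinel. The code that constructs this conn_id is outside the diff, so it is worth confirming whether it should set `$proto=6` (the TCP protocol number) explicitly, since anything keying on proto will otherwise classify these TCP weirds as unknown transport. If leaving it defaulted is intentional for this test harness, a comment in the test script saying so would make the baseline self-explanatory.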


@ -23,7 +23,7 @@ event zeek_init()
test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=128/icmp, test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=128/icmp,
$resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=129/icmp, $proto=1], 1, "1:IO27GQzPuCtNnwFvjWALMHu5tJE="); $resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=129/icmp, $proto=1], 1, "1:IO27GQzPuCtNnwFvjWALMHu5tJE=");
test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown, $proto=255], 0, ""); test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown], 0, "");
test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=0/unknown, test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=0/unknown,
$resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown, $proto=255], 1, ""); $resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown], 1, "");
} }
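Review bot: Removing `$proto=255` from the two unknown-transport calls at the bottom of the hunk means they now exercise the record default (65535) rather than an explicitly supplied value, so nothing in this hunk still covers an explicit non-default proto on the `0/unknown` path, while the ICMP case above keeps its explicit `$proto=1`. Consider leaving one of the two calls with an explicit value, e.g. `test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown, $proto=255], 0, "");`, so that both the defaulted and the explicitly-set forms are shown to yield the same result. The enclosing `zeek_init` body starts outside the hunk; only its closing brace is visible here.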