Increase size of proto fields to uint16_t, add common default value
This commit is contained in:
parent
f762a45e83
commit
d0896e81d6
36 changed files with 110 additions and 110 deletions
|
@ -448,8 +448,7 @@ event flow_weird(name: string, src: addr, dst: addr, addl: string, source: strin
|
||||||
# We add the source and destination as port 0/unknown because that is
|
# We add the source and destination as port 0/unknown because that is
|
||||||
# what fits best here.
|
# what fits best here.
|
||||||
local id = conn_id($orig_h=src, $orig_p=count_to_port(0, unknown_transport),
|
local id = conn_id($orig_h=src, $orig_p=count_to_port(0, unknown_transport),
|
||||||
$resp_h=dst, $resp_p=count_to_port(0, unknown_transport),
|
$resp_h=dst, $resp_p=count_to_port(0, unknown_transport));
|
||||||
$proto=256);
|
|
||||||
|
|
||||||
local i = Info($ts=network_time(), $name=name, $id=id, $identifier=flow_id_string(src,dst));
|
local i = Info($ts=network_time(), $name=name, $id=id, $identifier=flow_id_string(src,dst));
|
||||||
|
|
||||||
|
|
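Review bot: The comment above the `conn_id` constructor still only explains the `0/unknown` ports, while the hunk now also drops the explicit `$proto=256` and relies on the record's new `&default` instead, so a reader has to know the type change to understand why the field is omitted. Extend the comment to `# We add the source and destination as port 0/unknown, and leave $proto at its "unknown" default, because that is what fits best here.` The event body continues outside the hunk.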
|
@ -217,7 +217,7 @@ type conn_id: record {
|
||||||
orig_p: port &log; ##< The originator's port number.
|
orig_p: port &log; ##< The originator's port number.
|
||||||
resp_h: addr &log; ##< The responder's IP address.
|
resp_h: addr &log; ##< The responder's IP address.
|
||||||
resp_p: port &log; ##< The responder's port number.
|
resp_p: port &log; ##< The responder's port number.
|
||||||
proto: count;
|
proto: count &default=65535; ##< The transport protocol ID. Defaults to 65535 as an "unknown" value.
|
||||||
};
|
};
|
||||||
|
|
||||||
## The identifying 4-tuple of a uni-directional flow.
|
## The identifying 4-tuple of a uni-directional flow.
|
||||||
|
|
|
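Review bot: The new `&default=65535` on `proto` is a bare literal that this same commit also defines on the C++ side as `UNKNOWN_IP_PROTO`, and nothing ties the two together, so a later change to either value silently desynchronizes script and core. The `##<` doc should name the relationship and the value space, e.g. `##< The IP protocol number of the transport (6 for TCP, 17 for UDP, ...). Defaults to 65535, the same "unknown" sentinel as UNKNOWN_IP_PROTO in the core, which must stay in sync.` Note that adding the default also makes the field optional in the type (the baseline in this commit flips it to `optional=T`), so scripts that construct a `conn_id` without `proto` now succeed silently; that is presumably intended, but worth stating in the doc.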
@ -60,7 +60,7 @@ struct ConnTuple {
|
||||||
uint32_t src_port = 0;
|
uint32_t src_port = 0;
|
||||||
uint32_t dst_port = 0;
|
uint32_t dst_port = 0;
|
||||||
bool is_one_way = false; // if true, don't canonicalize order
|
bool is_one_way = false; // if true, don't canonicalize order
|
||||||
uint8_t proto;
|
uint16_t proto = UNKNOWN_IP_PROTO;
|
||||||
};
|
};
|
||||||
|
|
||||||
static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) {
|
static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) {
|
||||||
|
|
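Review bot: The widened `uint16_t proto = UNKNOWN_IP_PROTO;` has no comment, and unlike the neighbouring `is_one_way` line nothing says why a field that carries an 8-bit IP protocol number is 16 bits wide or what the sentinel means. Add `// IP protocol number (0-255), or UNKNOWN_IP_PROTO when not known; 16-bit so the sentinel cannot collide with a real protocol.` The default member initializer is a genuine improvement over the previously uninitialized `uint8_t proto;`, since a tuple built without setting it no longer carries an indeterminate value into whatever hashes or compares it outside this hunk.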
2
src/IP.h
2
src/IP.h
|
@ -36,6 +36,8 @@ class FragReassembler;
|
||||||
#define IPPROTO_MOBILITY 135
|
#define IPPROTO_MOBILITY 135
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
constexpr uint16_t UNKNOWN_IP_PROTO = 65535;
|
||||||
|
|
||||||
struct ip6_mobility {
|
struct ip6_mobility {
|
||||||
uint8_t ip6mob_payload;
|
uint8_t ip6mob_payload;
|
||||||
uint8_t ip6mob_len;
|
uint8_t ip6mob_len;
|
||||||
|
|
|
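Review bot: `constexpr uint16_t UNKNOWN_IP_PROTO = 65535;` is added without a comment, and its value is duplicated as the literal `&default=65535` on the script-side `conn_id$proto` in this commit, so the two can drift apart with no compile-time or test signal beyond the baselines. Add `// Sentinel for "IP protocol not known" in connection tuples. Real IANA protocol numbers are 8-bit, hence the 16-bit fields that hold this. Must stay in sync with the &default on conn_id$proto in the script layer.` If `<cstdint>` is not already included by this header, `uint16_t` should be brought in explicitly rather than relied on transitively.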
@ -77,7 +77,7 @@ ConnKey::ConnKey(Val* v) {
|
||||||
resp_p = vr->FieldOffset("resp_p");
|
resp_p = vr->FieldOffset("resp_p");
|
||||||
proto = vr->FieldOffset("proto");
|
proto = vr->FieldOffset("proto");
|
||||||
|
|
||||||
if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 || proto < 0 ) {
|
if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 ) {
|
||||||
valid = false;
|
valid = false;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
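Review bot: Dropping `proto < 0` from the validity check at the bottom of the hunk leaves `proto` holding a negative offset when the record type has no `proto` field (assuming `FieldOffset` reports a missing field that way, as the remaining checks imply), and the constructor continues outside the hunk, so I cannot see whether that offset is later used to index the record; if it is, the removed check turns a malformed argument into an out-of-range field access instead of `valid = false`. Unless a missing field is now deliberately tolerated because the script-side field gained a default, keep `if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 || proto < 0 ) {`, or add a comment stating why `proto` may legitimately be absent and guard every later use of it with `proto >= 0`.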
@ -46,7 +46,7 @@ public:
|
||||||
src_port(0),
|
src_port(0),
|
||||||
dst_port(0),
|
dst_port(0),
|
||||||
proto(TRANSPORT_UNKNOWN),
|
proto(TRANSPORT_UNKNOWN),
|
||||||
proto_id(255),
|
proto_id(UNKNOWN_IP_PROTO),
|
||||||
type(t),
|
type(t),
|
||||||
uid(UID(detail::bits_per_uid)) {}
|
uid(UID(detail::bits_per_uid)) {}
|
||||||
|
|
||||||
|
@ -137,7 +137,7 @@ protected:
|
||||||
uint16_t src_port;
|
uint16_t src_port;
|
||||||
uint16_t dst_port;
|
uint16_t dst_port;
|
||||||
TransportProto proto;
|
TransportProto proto;
|
||||||
uint8_t proto_id;
|
uint16_t proto_id;
|
||||||
BifEnum::Tunnel::Type type;
|
BifEnum::Tunnel::Type type;
|
||||||
UID uid;
|
UID uid;
|
||||||
};
|
};
|
||||||
|
|
|
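Review bot: The member `uint16_t proto_id;` in the second hunk sits next to a `TransportProto proto;` with no comment distinguishing the two, and the widening plus the new `proto_id(UNKNOWN_IP_PROTO)` initializer in the first hunk are not explained at the declaration. Add `// IP protocol number, or UNKNOWN_IP_PROTO when not set; 16-bit so the sentinel fits, unlike the TransportProto enum in `proto` above.` The class body continues outside both hunks, so any serialization or comparison of `proto_id` that still assumes a one-byte value should be checked there.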
@ -5,7 +5,6 @@
|
||||||
#include "zeek/Conn.h"
|
#include "zeek/Conn.h"
|
||||||
#include "zeek/RunState.h"
|
#include "zeek/RunState.h"
|
||||||
#include "zeek/analyzer/Manager.h"
|
#include "zeek/analyzer/Manager.h"
|
||||||
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
|
|
||||||
#include "zeek/analyzer/protocol/pia/PIA.h"
|
#include "zeek/analyzer/protocol/pia/PIA.h"
|
||||||
#include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h"
|
#include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h"
|
||||||
#include "zeek/packet_analysis/protocol/udp/events.bif.h"
|
#include "zeek/packet_analysis/protocol/udp/events.bif.h"
|
||||||
|
|
|
@ -7,5 +7,5 @@ PASS: expected '1:HhA1B+6CoLbiKPEs5nhNYN4XWfk=', got '1:HhA1B+6CoLbiKPEs5nhNYN4X
|
||||||
PASS: expected '1:OShq+iKDAMVouh/4bMxB9Sz4amw=', got '1:OShq+iKDAMVouh/4bMxB9Sz4amw=' ([orig_h=1.2.3.4, orig_p=1122/udp, resp_h=5.6.7.8, resp_p=3344/udp, proto=17], seed=1)
|
PASS: expected '1:OShq+iKDAMVouh/4bMxB9Sz4amw=', got '1:OShq+iKDAMVouh/4bMxB9Sz4amw=' ([orig_h=1.2.3.4, orig_p=1122/udp, resp_h=5.6.7.8, resp_p=3344/udp, proto=17], seed=1)
|
||||||
PASS: expected '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=', got '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=' ([orig_h=1.2.3.4, orig_p=8/icmp, resp_h=5.6.7.8, resp_p=0/icmp, proto=1], seed=1)
|
PASS: expected '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=', got '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=' ([orig_h=1.2.3.4, orig_p=8/icmp, resp_h=5.6.7.8, resp_p=0/icmp, proto=1], seed=1)
|
||||||
PASS: expected '1:IO27GQzPuCtNnwFvjWALMHu5tJE=', got '1:IO27GQzPuCtNnwFvjWALMHu5tJE=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp, proto=1], seed=1)
|
PASS: expected '1:IO27GQzPuCtNnwFvjWALMHu5tJE=', got '1:IO27GQzPuCtNnwFvjWALMHu5tJE=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp, proto=1], seed=1)
|
||||||
PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=255], seed=0)
|
PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], seed=0)
|
||||||
PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=255], seed=1)
|
PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=65535], seed=1)
|
||||||
|
|
|
@ -2,5 +2,5 @@
|
||||||
echo request, 43, 4
|
echo request, 43, 4
|
||||||
echo reply, 43, 4
|
echo reply, 43, 4
|
||||||
[orig_h=172.31.10.31, orig_p=8/icmp, resp_h=172.31.10.2, resp_p=0/icmp, proto=1]
|
[orig_h=172.31.10.31, orig_p=8/icmp, resp_h=172.31.10.2, resp_p=0/icmp, proto=1]
|
||||||
[[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
vlans 10, nil
|
vlans 10, nil
|
||||||
|
|
|
@ -1,23 +1,23 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
new_connection: tunnel
|
new_connection: tunnel
|
||||||
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
||||||
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
new_connection: tunnel
|
new_connection: tunnel
|
||||||
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
||||||
encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]]
|
encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]]
|
||||||
new_connection: tunnel
|
new_connection: tunnel
|
||||||
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
||||||
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
new_connection: tunnel
|
new_connection: tunnel
|
||||||
conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp, proto=6]
|
conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp, proto=6]
|
||||||
encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
new_connection: tunnel
|
new_connection: tunnel
|
||||||
conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp, proto=17]
|
conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp, proto=17]
|
||||||
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
new_connection: tunnel
|
new_connection: tunnel
|
||||||
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
||||||
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
tunnel_changed:
|
tunnel_changed:
|
||||||
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
||||||
old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]]
|
new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]]
|
||||||
|
|
|
@ -1,34 +1,34 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
new_connection: tunnel
|
new_connection: tunnel
|
||||||
conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
NEW_PACKET:
|
NEW_PACKET:
|
||||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
NEW_PACKET:
|
NEW_PACKET:
|
||||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
NEW_PACKET:
|
NEW_PACKET:
|
||||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
NEW_PACKET:
|
NEW_PACKET:
|
||||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
NEW_PACKET:
|
NEW_PACKET:
|
||||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
NEW_PACKET:
|
NEW_PACKET:
|
||||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
NEW_PACKET:
|
NEW_PACKET:
|
||||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
NEW_PACKET:
|
NEW_PACKET:
|
||||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
NEW_PACKET:
|
NEW_PACKET:
|
||||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
NEW_PACKET:
|
NEW_PACKET:
|
||||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=255], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||||
|
|
|
@ -9,7 +9,7 @@ connection {
|
||||||
conn_id {
|
conn_id {
|
||||||
* orig_h: addr, log=T, optional=F
|
* orig_h: addr, log=T, optional=F
|
||||||
* orig_p: port, log=T, optional=F
|
* orig_p: port, log=T, optional=F
|
||||||
* proto: count, log=F, optional=F
|
* proto: count, log=F, optional=T
|
||||||
* resp_h: addr, log=T, optional=F
|
* resp_h: addr, log=T, optional=F
|
||||||
* resp_p: port, log=T, optional=F
|
* resp_p: port, log=T, optional=F
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,7 +10,7 @@ connection {
|
||||||
conn_id {
|
conn_id {
|
||||||
* orig_h: addr, log=T, optional=F
|
* orig_h: addr, log=T, optional=F
|
||||||
* orig_p: port, log=T, optional=F
|
* orig_p: port, log=T, optional=F
|
||||||
* proto: count, log=F, optional=F
|
* proto: count, log=F, optional=T
|
||||||
* resp_h: addr, log=T, optional=F
|
* resp_h: addr, log=T, optional=F
|
||||||
* resp_p: port, log=T, optional=F
|
* resp_p: port, log=T, optional=F
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,8 +5,8 @@ FILE_OVER_NEW_CONNECTION
|
||||||
FILE_OVER_NEW_CONNECTION
|
FILE_OVER_NEW_CONNECTION
|
||||||
FILE_STATE_REMOVE
|
FILE_STATE_REMOVE
|
||||||
file #0, 555523, 0
|
file #0, 555523, 0
|
||||||
[orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6]
|
|
||||||
[orig_h=10.101.84.70, orig_p=10978/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6]
|
[orig_h=10.101.84.70, orig_p=10978/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6]
|
||||||
|
[orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp, proto=6]
|
||||||
FILE_BOF_BUFFER
|
FILE_BOF_BUFFER
|
||||||
%PDF-1.4\x0a%\xd0
|
%PDF-1.4\x0a%\xd0
|
||||||
MIME_TYPE
|
MIME_TYPE
|
||||||
|
|
|
@ -5,8 +5,8 @@ FILE_OVER_NEW_CONNECTION
|
||||||
FILE_OVER_NEW_CONNECTION
|
FILE_OVER_NEW_CONNECTION
|
||||||
FILE_STATE_REMOVE
|
FILE_STATE_REMOVE
|
||||||
file #0, 498668, 0
|
file #0, 498668, 0
|
||||||
[orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6]
|
|
||||||
[orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6]
|
[orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6]
|
||||||
|
[orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp, proto=6]
|
||||||
FILE_BOF_BUFFER
|
FILE_BOF_BUFFER
|
||||||
%PDF-1.4\x0d%\xe2
|
%PDF-1.4\x0d%\xe2
|
||||||
MIME_TYPE
|
MIME_TYPE
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
ClEkJM2Vm5giqnMf4h, [orig_h=192.168.0.107, orig_p=58718/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6]
|
ClEkJM2Vm5giqnMf4h, [orig_h=192.168.0.107, orig_p=58718/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6]
|
||||||
CHhAvVGS1DHFjwGM9, [orig_h=192.168.0.107, orig_p=58716/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6]
|
|
||||||
C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.0.107, orig_p=58720/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6]
|
C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.0.107, orig_p=58720/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6]
|
||||||
|
CHhAvVGS1DHFjwGM9, [orig_h=192.168.0.107, orig_p=58716/tcp, resp_h=88.198.248.254, resp_p=80/tcp, proto=6]
|
||||||
|
|
|
@ -7,6 +7,6 @@
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||||
#types time addr port addr port string string
|
#types time addr port addr port string string
|
||||||
XXXXXXXXXX.XXXXXX - - - - success unknown
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||||
XXXXXXXXXX.XXXXXX - - - - failure US
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -6,8 +6,8 @@ PREFIX<>unset_field|NOT-SET
|
||||||
PREFIX<>path|ssh
|
PREFIX<>path|ssh
|
||||||
PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
|
PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
|
||||||
PREFIX<>types|time|addr|port|addr|port|string|string|bool
|
PREFIX<>types|time|addr|port|addr|port|string|string|bool
|
||||||
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|success|unknown|NOT-SET
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
|
||||||
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|US|NOT-SET
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
|
||||||
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|UK|NOT-SET
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
|
||||||
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|BR|NOT-SET
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
|
||||||
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|EMPTY|T
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T
|
||||||
|
|
|
@ -6,8 +6,8 @@
|
||||||
#path||ssh
|
#path||ssh
|
||||||
#fields||t||id.orig_h||id.orig_p||id.resp_h||id.resp_p||status||country
|
#fields||t||id.orig_h||id.orig_p||id.resp_h||id.resp_p||status||country
|
||||||
#types||time||addr||port||addr||port||string||string
|
#types||time||addr||port||addr||port||string||string
|
||||||
XXXXXXXXXX.XXXXXX||-||-||-||-||success||unknown
|
XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||success||unknown
|
||||||
XXXXXXXXXX.XXXXXX||-||-||-||-||failure||US
|
XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||failure||US
|
||||||
XXXXXXXXXX.XXXXXX||-||-||-||-||fa\x7c\x7cure||UK
|
XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||fa\x7c\x7cure||UK
|
||||||
XXXXXXXXXX.XXXXXX||-||-||-||-||su\x7c\x7cess||BR
|
XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||su\x7c\x7cess||BR
|
||||||
XXXXXXXXXX.XXXXXX||-||-||-||-||failure||MX
|
XXXXXXXXXX.XXXXXX||1.2.3.4||1234||2.3.4.5||80||failure||MX
|
||||||
|
|
|
@ -6,8 +6,8 @@ PREFIX<>unset_field|NOT-SET
|
||||||
PREFIX<>path|ssh
|
PREFIX<>path|ssh
|
||||||
PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
|
PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
|
||||||
PREFIX<>types|time|addr|port|addr|port|string|string|bool
|
PREFIX<>types|time|addr|port|addr|port|string|string|bool
|
||||||
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|success|unknown|NOT-SET
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
|
||||||
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|US|NOT-SET
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
|
||||||
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|UK|NOT-SET
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
|
||||||
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|NOT-SET|BR|NOT-SET
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
|
||||||
XXXXXXXXXX.XXXXXX|NOT-SET|NOT-SET|NOT-SET|NOT-SET|failure|EMPTY|T
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
XXXXXXXXXX.XXXXXX|-|-|-|-|success|unknown
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|unknown
|
||||||
XXXXXXXXXX.XXXXXX|-|-|-|-|failure|US
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|US
|
||||||
XXXXXXXXXX.XXXXXX|-|-|-|-|failure|UK
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|UK
|
||||||
XXXXXXXXXX.XXXXXX|-|-|-|-|success|BR
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|success|BR
|
||||||
XXXXXXXXXX.XXXXXX|-|-|-|-|failure|MX
|
XXXXXXXXXX.XXXXXX|1.2.3.4|1234|2.3.4.5|80|failure|MX
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
t id.orig_h id.orig_p id.resp_h id.resp_p status country b
|
t id.orig_h id.orig_p id.resp_h id.resp_p status country b
|
||||||
XXXXXXXXXX.XXXXXX - - - - success unknown -
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown -
|
||||||
XXXXXXXXXX.XXXXXX - - - - - US -
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 - US -
|
||||||
XXXXXXXXXX.XXXXXX - - - - failure UK -
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK -
|
||||||
XXXXXXXXXX.XXXXXX - - - - - BR -
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 - BR -
|
||||||
XXXXXXXXXX.XXXXXX - - - - failure (empty) T
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure (empty) T
|
||||||
|
|
|
@ -7,9 +7,9 @@
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||||
#types time addr port addr port string string
|
#types time addr port addr port string string
|
||||||
XXXXXXXXXX.XXXXXX - - - - success unknown
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||||
XXXXXXXXXX.XXXXXX - - - - failure US
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||||
XXXXXXXXXX.XXXXXX - - - - failure UK
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||||
XXXXXXXXXX.XXXXXX - - - - success BR
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||||
XXXXXXXXXX.XXXXXX - - - - failure MX
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -7,5 +7,5 @@
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||||
#types time addr port addr port string string
|
#types time addr port addr port string string
|
||||||
XXXXXXXXXX.XXXXXX - - - - failure MX
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
[t=XXXXXXXXXX.XXXXXX, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp, proto=<uninitialized>], status=success, country=unknown]
|
[t=XXXXXXXXXX.XXXXXX, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp, proto=65535], status=success, country=unknown]
|
||||||
[t=XXXXXXXXXX.XXXXXX, id=[orig_h=<uninitialized>, orig_p=<uninitialized>, resp_h=<uninitialized>, resp_p=<uninitialized>, proto=<uninitialized>], status=failure, country=US]
|
[t=XXXXXXXXXX.XXXXXX, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp, proto=65535], status=failure, country=US]
|
||||||
|
|
|
@ -7,9 +7,9 @@
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields id.orig_p id.resp_h id.resp_p status country
|
#fields id.orig_p id.resp_h id.resp_p status country
|
||||||
#types port addr port string string
|
#types port addr port string string
|
||||||
- - - success unknown
|
1234 2.3.4.5 80 success unknown
|
||||||
- - - failure US
|
1234 2.3.4.5 80 failure US
|
||||||
- - - failure UK
|
1234 2.3.4.5 80 failure UK
|
||||||
- - - success BR
|
1234 2.3.4.5 80 success BR
|
||||||
- - - failure MX
|
1234 2.3.4.5 80 failure MX
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -7,9 +7,9 @@
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields t id.orig_h
|
#fields t id.orig_h
|
||||||
#types time addr
|
#types time addr
|
||||||
XXXXXXXXXX.XXXXXX -
|
XXXXXXXXXX.XXXXXX 1.2.3.4
|
||||||
XXXXXXXXXX.XXXXXX -
|
XXXXXXXXXX.XXXXXX 1.2.3.4
|
||||||
XXXXXXXXXX.XXXXXX -
|
XXXXXXXXXX.XXXXXX 1.2.3.4
|
||||||
XXXXXXXXXX.XXXXXX -
|
XXXXXXXXXX.XXXXXX 1.2.3.4
|
||||||
XXXXXXXXXX.XXXXXX -
|
XXXXXXXXXX.XXXXXX 1.2.3.4
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
|
|
|
@ -14,7 +14,7 @@ static-prefix-2-UK.log
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||||
#types time addr port addr port string string
|
#types time addr port addr port string string
|
||||||
XXXXXXXXXX.XXXXXX - - - - success BR
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
|
@ -24,7 +24,7 @@ XXXXXXXXXX.XXXXXX - - - - success BR
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||||
#types time addr port addr port string string
|
#types time addr port addr port string string
|
||||||
XXXXXXXXXX.XXXXXX - - - - failure MX3
|
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX3
|
||||||
#close XXXX-XX-XX-XX-XX-XX
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
|
@ -34,7 +34,7 @@ XXXXXXXXXX.XXXXXX - - - - failure MX3
|
||||||
#open XXXX-XX-XX-XX-XX-XX
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
#types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - success unknown
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
#separator \x09
#separator \x09
#set_separator ,
#set_separator ,
@ -44,7 +44,7 @@ XXXXXXXXXX.XXXXXX - - - - success unknown
#open XXXX-XX-XX-XX-XX-XX
#open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
#types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure MX
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
#separator \x09
#separator \x09
#set_separator ,
#set_separator ,
@ -54,7 +54,7 @@ XXXXXXXXXX.XXXXXX - - - - failure MX
#open XXXX-XX-XX-XX-XX-XX
#open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
#types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure US
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
#separator \x09
#separator \x09
#set_separator ,
#set_separator ,
@ -64,7 +64,7 @@ XXXXXXXXXX.XXXXXX - - - - failure US
#open XXXX-XX-XX-XX-XX-XX
#open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
#types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure MX2
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX2
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
#separator \x09
#separator \x09
#set_separator ,
#set_separator ,
@ -74,5 +74,5 @@ XXXXXXXXXX.XXXXXX - - - - failure MX2
#open XXXX-XX-XX-XX-XX-XX
#open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
#types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure UK
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX
#open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
#types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure US
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
@ -7,6 +7,6 @@
#open XXXX-XX-XX-XX-XX-XX
#open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
#types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure US
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
XXXXXXXXXX.XXXXXX - - - - failure UK
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
@ -7,7 +7,7 @@
#open XXXX-XX-XX-XX-XX-XX
#open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
#types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - failure US
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
XXXXXXXXXX.XXXXXX - - - - failure UK
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
XXXXXXXXXX.XXXXXX - - - - failure BR
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure BR
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
@ -7,9 +7,9 @@
#open XXXX-XX-XX-XX-XX-XX
#open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
#types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - success unknown
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown
XXXXXXXXXX.XXXXXX - - - - failure US
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
XXXXXXXXXX.XXXXXX - - - - failure UK
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
XXXXXXXXXX.XXXXXX - - - - success BR
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR
XXXXXXXXXX.XXXXXX - - - - failure MX
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
@ -7,9 +7,9 @@
#open XXXX-XX-XX-XX-XX-XX
#open XXXX-XX-XX-XX-XX-XX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
#types time addr port addr port string string
XXXXXXXXXX.XXXXXX - - - - success unknown
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success unknown
XXXXXXXXXX.XXXXXX - - - - failure US
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure US
XXXXXXXXXX.XXXXXX - - - - failure UK
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure UK
XXXXXXXXXX.XXXXXX - - - - success BR
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 success BR
XXXXXXXXXX.XXXXXX - - - - failure MX
XXXXXXXXXX.XXXXXX 1.2.3.4 1234 2.3.4.5 80 failure MX
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
@ -8,6 +8,6 @@
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T -
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T -
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T -
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 C4J4Th3PJpwUYZZ6gc 192.168.0.107 58720 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T -
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 C4J4Th3PJpwUYZZ6gc 192.168.0.107 58720 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T -
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 F F 30003 104857600 179998 0 T -
#close XXXX-XX-XX-XX-XX-XX
#close XXXX-XX-XX-XX-XX-XX
@ -10,7 +10,7 @@ incomplete server version, F
incomplete client version, F
incomplete client version, F
SSH1 vs SSH2, F
SSH1 vs SSH2, F
SSH2 vs SSH1, F
SSH2 vs SSH1, F
conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=<uninitialized>], SSH vs SSH-1.5-OpenSSH_6.2,
conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH vs SSH-1.5-OpenSSH_6.2,
conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=<uninitialized>], SSH-1.5-OpenSSH_6.2 vs SSH,
conn_weird:, SSH_cannot_determine_version, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH-1.5-OpenSSH_6.2 vs SSH,
conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=<uninitialized>], SSH-1.5-OpenSSH_6.2 vs SSH-2.0-OpenSSH_5.9,
conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH-1.5-OpenSSH_6.2 vs SSH-2.0-OpenSSH_5.9,
conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=<uninitialized>], SSH-2.0-OpenSSH_5.9 vs SSH-1.5-OpenSSH_6.2,
conn_weird:, SSH_version_mismatch, [orig_h=127.0.0.1, orig_p=40/tcp, resp_h=127.0.0.1, resp_p=40/tcp, proto=65535], SSH-2.0-OpenSSH_5.9 vs SSH-1.5-OpenSSH_6.2,
@ -23,7 +23,7 @@ event zeek_init()
test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=128/icmp,
test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=128/icmp,
$resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=129/icmp, $proto=1], 1, "1:IO27GQzPuCtNnwFvjWALMHu5tJE=");
$resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=129/icmp, $proto=1], 1, "1:IO27GQzPuCtNnwFvjWALMHu5tJE=");
test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown, $proto=255], 0, "");
test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown], 0, "");
test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=0/unknown,
test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=0/unknown,
$resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown, $proto=255], 1, "");
$resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown], 1, "");
}
}
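Review bot: Dropping `$proto=255` from the two `0/unknown` test_it calls leaves nothing in this test that pins the proto value used for unknown-transport tuples; both cases now silently inherit whatever the record default happens to be (the baseline elsewhere in this commit shows it printing as `proto=65535`), so a later change to that default would not be caught here. Consider keeping one of the two explicit, e.g. `test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown, $proto=65535], 0, "");`, and leaving the other on the default so both the explicit and the defaulted path are exercised. The enclosing `zeek_init` body starts outside the hunk.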