files.log: Unroll and introduce uid and id fields
This is a script-only change that unrolls File::Info records into multiple files.log entries if the same file was seen over different connections by a single worker. Consequently, the File::Info record gets the commonly used uid and id fields added. These fields are optional for File::Info - a file may be analyzed without relation to a network connection (e.g. by using Input::add_analysis()). The existing tx_hosts, rx_hosts and conn_uids fields of Files::Info are not meaningful after this change and are removed by default. Therefore, files.log will have them removed, too. The tx_hosts, rx_hosts and conn_uids fields can be revived by using the policy script frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek included in the distribution. However, with v6.1 this script will be removed.
This commit is contained in:
parent
f631551ffb
commit
d2314d2666
39 changed files with 412 additions and 113 deletions
29
NEWS
29
NEWS
|
@ -21,9 +21,32 @@ Breaking Changes
|
|||
- The Dictionary and PDict classes are now C++ templates. This may cause
|
||||
plugin/package builds to fail due to needing to modify uses of them to match.
|
||||
|
||||
- The low-level singleton Telemetry BIFs have been removed with the assumption that
|
||||
there haven't been any users. Singleton metrics can be instantiated by providing
|
||||
an empty label vector instead and aren't in any way a special concept.
|
||||
- By default, ``files.log`` does not have the fields ``tx_hosts``, ``rx_hosts``
|
||||
and ``conn_uids`` anymore. These have been replaced with the more commonly
|
||||
used ``uid`` and ``id`` fields. They can be re-instantiated by loading the
|
||||
following policy script through ``local.zeek``:
|
||||
|
||||
@load frameworks/files/deprecated-txhosts-rxhosts-connuids
|
||||
|
||||
Note, however, that this script will be removed with Zeek 6.1. Consumers
|
||||
of ``files.log`` should convert to using the singular ``uid`` and ``id``
|
||||
fields instead.
|
||||
|
||||
- The ``files.log`` is now unrolled consistently. That is, when Zeek associates
|
||||
multiple connections with a single file, each of these connections will result
|
||||
in individual ``files.log`` entries with unique connection uids, all sharing
|
||||
the same file uid.
|
||||
|
||||
This unrolling behavior always existed in a Zeek cluster when the network
|
||||
connections involved in a file transfer are load balanced to different workers.
|
||||
Due to this happening for a marginal ratio of files on real-world networks,
|
||||
unrolling the log was chosen as the pragmatic approach over making the current
|
||||
logic cluster aware.
|
||||
|
||||
The ``seen_bytes`` and ``missing_bytes`` fields of a ``File::Info`` record
|
||||
continue to represent the total number across all connections seen by the
|
||||
current instance of Zeek.
|
||||
|
||||
|
||||
New Functionality
|
||||
-----------------
|
||||
|
|
|
@ -41,18 +41,13 @@ export {
|
|||
## An identifier associated with a single file.
|
||||
fuid: string &log;
|
||||
|
||||
## If this file was transferred over a network
|
||||
## connection this should show the host or hosts that
|
||||
## the data sourced from.
|
||||
tx_hosts: set[addr] &default=addr_set() &log;
|
||||
## If this file, or parts of it, were transferred over a
|
||||
## network connection, this is the uid for the connection.
|
||||
uid: string &log &optional;
|
||||
|
||||
## If this file was transferred over a network
|
||||
## connection this should show the host or hosts that
|
||||
## the data traveled to.
|
||||
rx_hosts: set[addr] &default=addr_set() &log;
|
||||
|
||||
## Connection UIDs over which the file was transferred.
|
||||
conn_uids: set[string] &default=string_set() &log;
|
||||
## If this file, or parts of it, were transferred over a
|
||||
## network connection, this shows the connection.
|
||||
id: conn_id &log &optional;
|
||||
|
||||
## An identification of the source of the file data. E.g. it
|
||||
## may be a network protocol over which it was transferred, or a
|
||||
|
@ -94,6 +89,8 @@ export {
|
|||
is_orig: bool &log &optional;
|
||||
|
||||
## Number of bytes provided to the file analysis engine for the file.
|
||||
## The value refers to the total number of bytes processed for this
|
||||
## file across all connections seen by the current Zeek instance.
|
||||
seen_bytes: count &log &default=0;
|
||||
|
||||
## Total number of bytes that are supposed to comprise the full file.
|
||||
|
@ -101,6 +98,8 @@ export {
|
|||
|
||||
## The number of bytes in the file stream that were completely missed
|
||||
## during the process of analysis e.g. due to dropped packets.
|
||||
## The value refers to number of bytes missed for this file
|
||||
## across all connections seen by the current Zeek instance.
|
||||
missing_bytes: count &log &default=0;
|
||||
|
||||
## The number of bytes in the file stream that were not delivered to
|
||||
|
@ -532,13 +531,9 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
|
|||
{
|
||||
set_info(f);
|
||||
|
||||
add f$info$conn_uids[c$uid];
|
||||
local cid = c$id;
|
||||
add f$info$tx_hosts[f$is_orig ? cid$orig_h : cid$resp_h];
|
||||
if( |Site::local_nets| > 0 )
|
||||
f$info$local_orig=Site::is_local_addr(f$is_orig ? cid$orig_h : cid$resp_h);
|
||||
|
||||
add f$info$rx_hosts[f$is_orig ? cid$resp_h : cid$orig_h];
|
||||
}
|
||||
|
||||
event file_sniff(f: fa_file, meta: fa_metadata) &priority=10
|
||||
|
@ -572,5 +567,28 @@ event file_state_remove(f: fa_file) &priority=10
|
|||
|
||||
event file_state_remove(f: fa_file) &priority=-10
|
||||
{
|
||||
Log::write(Files::LOG, f$info);
|
||||
# No network connection for this file? Just write it out once without
|
||||
# uid and c$id fields.
|
||||
if ( ! f?$conns || |f$conns| == 0 )
|
||||
{
|
||||
Log::write(Files::LOG, f$info);
|
||||
return;
|
||||
}
|
||||
|
||||
# If f was seen over multiple connections, unroll them here as
|
||||
# multiple files.log entries. In previous versions of Zeek, there
|
||||
# would only be a single files.log entry (per worker) with multiple
|
||||
# tx_hosts, rx_hosts and conn_uids associated. This changed with v5.1
|
||||
# to have individual log entries that all share the same fuid value.
|
||||
for ( [cid], c in f$conns )
|
||||
{
|
||||
# Make a copy of the record when there's more than one
|
||||
# connection so that the log_files event doesn't see
|
||||
# the same record multiple times due to it being queued
|
||||
# by reference in Log::write() rather than by copy.
|
||||
local info = |f$conns| > 1 ? copy(f$info) : f$info;
|
||||
info$uid = c$uid;
|
||||
info$id = cid;
|
||||
Log::write(Files::LOG, info);
|
||||
}
|
||||
}
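Review bot: The unroll loop in file_state_remove sets only `info$uid` and `info$id` per connection, while `local_orig` is still assigned once in file_over_new_connection from whichever connection that event last saw (the `f$info$local_orig=Site::is_local_addr(...)` line in the hunk above), so with several connections every unrolled entry appears to carry the last connection's `local_orig` rather than its own. Since `cid` is already in hand inside the loop, recomputing it per entry keeps the field consistent with the `id` it is logged next to: `if ( |Site::local_nets| > 0 )` / `info$local_orig = Site::is_local_addr(f$is_orig ? cid$orig_h : cid$resp_h);` placed after `info$id = cid;`. This assumes `f$is_orig` is the same for all of the file's connections, which the deprecation policy script in this commit states as its assumption too; if that does not hold, the per-connection value would have to come from elsewhere.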
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
##! This script can be used to add back the fields ``tx_hosts``, ``rx_hosts``
|
||||
##! and ``conn_uids`` to the :zeek:see:`Files::Info` record and thereby also
|
||||
##! back into the ``files.log``. These fields have been removed in Zeek 5.1
|
||||
##! and replaced with the more commonly used ``uid`` and ``id`` fields.
|
||||
##!
|
||||
##! It's only purpose is to provide an easy way to add back the fields such that
|
||||
##! existing downstream processes continue to work without the need to adapt them.
|
||||
##! This script will be removed with Zeek 6.1 at which point downstream processes
|
||||
##! hopefully have switched over to use ``uid`` and ``id`` instead.
|
||||
|
||||
# Remove in v6.1.
|
||||
|
||||
@load base/frameworks/files
|
||||
|
||||
module Files;
|
||||
|
||||
# Add back the fields to Files::Info.
|
||||
redef record Info += {
|
||||
## If this file was transferred over a network
|
||||
## connection this should show the host or hosts that
|
||||
## the data sourced from.
|
||||
tx_hosts: set[addr] &default=addr_set() &log;
|
||||
|
||||
## If this file was transferred over a network
|
||||
## connection this should show the host or hosts that
|
||||
## the data traveled to.
|
||||
rx_hosts: set[addr] &default=addr_set() &log;
|
||||
|
||||
## Connection UIDs over which the file was transferred.
|
||||
conn_uids: set[string] &default=string_set() &log;
|
||||
};
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=9
|
||||
{
|
||||
local cid = c$id;
|
||||
add f$info$conn_uids[c$uid];
|
||||
add f$info$tx_hosts[f$is_orig ? cid$orig_h : cid$resp_h];
|
||||
add f$info$rx_hosts[f$is_orig ? cid$resp_h : cid$orig_h];
|
||||
}
|
||||
|
||||
# For every log write to files.log, ensure tx_hosts, rx_hosts and conn_uids
|
||||
# hold just a single value. Use a high priority for this handler to ensure
|
||||
# this happens before any user defined hooks.
|
||||
hook Log::log_stream_policy(rec: any, id: Log::ID) &priority=100
|
||||
{
|
||||
if ( id != Files::LOG )
|
||||
return;
|
||||
|
||||
local info = rec as Files::Info;
|
||||
|
||||
# In the common case of a single connection (or the less common case
|
||||
# of no connection), there's nothing to do in this hook.
|
||||
if ( |info$conn_uids| == 1 || ! info?$id )
|
||||
return;
|
||||
|
||||
# Make singular tx_hosts, rx_hosts and conn_uids fields based on
|
||||
# the active uid. Note, this currently assumes that Files::Info$is_orig
|
||||
# is the same for all connections. This seems reasonable given that
|
||||
# all connections will use the same protocol.
|
||||
local cid = info$id;
|
||||
info$conn_uids = set(info$uid);
|
||||
info$tx_hosts = set(info$is_orig ? cid$orig_h : cid$resp_h);
|
||||
info$rx_hosts = set(info$is_orig ? cid$resp_h : cid$orig_h);
|
||||
}
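Review bot: The `&priority=9` on the file_over_new_connection handler carries an unstated ordering dependency: it dereferences `f$info`, which only exists once the base handler has called `set_info(f)`, and the base handler's own priority is cut off in the hunk header of the main.zeek section above. A one-line comment would save the next reader a lookup: `# Priority 9: run after the base file_over_new_connection handler has called set_info(f), so f$info exists.` In the log_stream_policy hook, the early return tests `! info?$id` but the body then reads `info$uid` unguarded; today both fields are assigned together in file_state_remove, so a comment such as `# uid and id are always set together by file_state_remove, so checking id suffices.` would document why the single check is sufficient.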
|
|
@ -105,5 +105,9 @@ redef digest_salt = "Please change this value.";
|
|||
# this adds the link-layer address for each connection endpoint to the conn.log file.
|
||||
# @load policy/protocols/conn/mac-logging
|
||||
|
||||
# Uncomment the following line to add back the tx_hosts, rx_hosts and
|
||||
# conn_uids field to files.log.
|
||||
# @load policy/frameworks/files/deprecated-txhosts-rxhosts-connuids
|
||||
|
||||
# Uncomment this to source zkg's package state
|
||||
# @load packages
|
||||
|
|
|
@ -57,6 +57,7 @@
|
|||
@load frameworks/intel/seen/where-locations.zeek
|
||||
@load frameworks/intel/seen/x509.zeek
|
||||
@load frameworks/netcontrol/catch-and-release.zeek
|
||||
@load frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek
|
||||
@load frameworks/files/detect-MHR.zeek
|
||||
@load frameworks/files/entropy-test-all-files.zeek
|
||||
#@load frameworks/files/extract-all-files.zeek
|
||||
|
|
|
@ -5,8 +5,8 @@
|
|||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FnoIda1WW6kUCpRjRc 192.168.56.101 192.168.56.1 ClEkJM2Vm5giqnMf4h FTP_DATA 0 DATA_EVENT text/plain - 0.000000 - F 270 - 0 0 F - - - - - - -
|
||||
XXXXXXXXXX.XXXXXX F1jSMF2ntWAIdj4juj 192.168.56.101 192.168.56.1 C4J4Th3PJpwUYZZ6gc FTP_DATA 0 DATA_EVENT text/plain - 150.490904 - F 23822 - 5416642848 0 F - - - - - - -
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FnoIda1WW6kUCpRjRc ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 FTP_DATA 0 DATA_EVENT text/plain - 0.000000 - F 270 - 0 0 F - - - - - - -
|
||||
XXXXXXXXXX.XXXXXX F1jSMF2ntWAIdj4juj C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 FTP_DATA 0 DATA_EVENT text/plain - 150.490904 - F 23822 - 5416642848 0 F - - - - - - -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -10,7 +10,7 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0.0)
|
|||
[conn] XXXXXXXXXX.XXXXXX|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|-
|
||||
[conn] XXXXXXXXXX.XXXXXX|CmES5u32sYpV7JYN|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|-
|
||||
[conn] XXXXXXXXXX.XXXXXX|CP5puj4I8PtEU4qzYg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|-
|
||||
[files] XXXXXXXXXX.XXXXXX|F44J9mUl78AQMlNe3|60.190.189.214|10.0.0.55|ClEkJM2Vm5giqnMf4h|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-|-|-
|
||||
[files] XXXXXXXXXX.XXXXXX|F44J9mUl78AQMlNe3|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-|-|-
|
||||
[http] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
|
||||
[http] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
|
||||
[http] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|3|GET|www.osnews.com|/images/icons/9.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid extracted extracted_cutoff extracted_size md5 sha1 sha256
|
||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string bool count string string string
|
||||
XXXXXXXXXX.XXXXXX FCceqBvpMfirSN0Ri 141.142.192.162 141.142.228.5 ClEkJM2Vm5giqnMf4h FTP_DATA 0 EXTRACT text/plain - 0.001059 - F 16557 - 0 0 F - 2 T 6000 - - -
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid extracted extracted_cutoff extracted_size md5 sha1 sha256
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string bool count string string string
|
||||
XXXXXXXXXX.XXXXXX FCceqBvpMfirSN0Ri ClEkJM2Vm5giqnMf4h 141.142.228.5 50737 141.142.192.162 38141 FTP_DATA 0 EXTRACT text/plain - 0.001059 - F 16557 - 0 0 F - 2 T 6000 - - -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -5,12 +5,12 @@
|
|||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256
|
||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string
|
||||
XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe 74.125.239.129 192.168.4.149 CHhAvVGS1DHFjwGM9 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 - F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
|
||||
XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 74.125.239.129 192.168.4.149 CHhAvVGS1DHFjwGM9 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 - F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
|
||||
XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g 74.125.239.129 192.168.4.149 CHhAvVGS1DHFjwGM9 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 - F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
|
||||
XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 74.125.239.129 192.168.4.149 ClEkJM2Vm5giqnMf4h SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 - F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
|
||||
XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 74.125.239.129 192.168.4.149 ClEkJM2Vm5giqnMf4h SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 - F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
|
||||
XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi 74.125.239.129 192.168.4.149 ClEkJM2Vm5giqnMf4h SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 - F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string
|
||||
XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 - F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
|
||||
XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 - F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
|
||||
XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 - F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
|
||||
XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 - F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
|
||||
XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 - F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
|
||||
XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 - F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FMnxxt3xjVcWNS2141 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9 HTTP 0 MD5 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac - - - - -
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FMnxxt3xjVcWNS2141 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 HTTP 0 MD5 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac - - - - -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FMnxxt3xjVcWNS2141 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9 HTTP 0 SHA1,MD5 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 - - - -
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FMnxxt3xjVcWNS2141 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 HTTP 0 SHA1,MD5 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 - - - -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FZkGcy26oUimsCoAH1 198.189.255.75 192.168.1.105 CHhAvVGS1DHFjwGM9 HTTP 0 EXTRACT - - 0.046240 - F 54229 605292323 4244449 0 T - - - - extract-XXXXXXXXXX.XXXXXX-HTTP-FZkGcy26oUimsCoAH1 T 4000
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FZkGcy26oUimsCoAH1 CHhAvVGS1DHFjwGM9 192.168.1.105 49219 198.189.255.75 80 HTTP 0 EXTRACT - - 0.046240 - F 54229 605292323 4244449 0 T - - - - extract-XXXXXXXXXX.XXXXXX-HTTP-FZkGcy26oUimsCoAH1 T 4000
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.0.107, orig_p=58720/tcp, resp_h=88.198.248.254, resp_p=80/tcp], {\x0a\x0988.198.248.254\x0a}, {\x0a\x09192.168.0.107\x0a}, {\x0aC4J4Th3PJpwUYZZ6gc\x0a}
|
||||
CHhAvVGS1DHFjwGM9, [orig_h=192.168.0.107, orig_p=58716/tcp, resp_h=88.198.248.254, resp_p=80/tcp], {\x0a\x0988.198.248.254\x0a}, {\x0a\x09192.168.0.107\x0a}, {\x0aCHhAvVGS1DHFjwGM9\x0a}
|
||||
ClEkJM2Vm5giqnMf4h, [orig_h=192.168.0.107, orig_p=58718/tcp, resp_h=88.198.248.254, resp_p=80/tcp], {\x0a\x0988.198.248.254\x0a}, {\x0a\x09192.168.0.107\x0a}, {\x0aClEkJM2Vm5giqnMf4h\x0a}
|
|
@ -0,0 +1,4 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.0.107, orig_p=58720/tcp, resp_h=88.198.248.254, resp_p=80/tcp]
|
||||
CHhAvVGS1DHFjwGM9, [orig_h=192.168.0.107, orig_p=58716/tcp, resp_h=88.198.248.254, resp_p=80/tcp]
|
||||
ClEkJM2Vm5giqnMf4h, [orig_h=192.168.0.107, orig_p=58718/tcp, resp_h=88.198.248.254, resp_p=80/tcp]
|
|
@ -0,0 +1,10 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX F6EpcI3V7f021PQMmh - - - - - ./myfile 0 SHA256,SHA1,DATA_EVENT,MD5 application/pdf - 0.000000 - - 73 - 0 0 F - af1d49af9deccf191fc934a7403990f7 5e6561772f2179cfbf603fc19eb1dae7fec5b4cf 63ea625f89799e9e25244467bc2b9c6c05d0f3b23796629586545b4ccad02868 - - -
|
|
@ -5,7 +5,7 @@
|
|||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FMnxxt3xjVcWNS2141 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9 HTTP 0 SHA256,EXTRACT,SHA1,MD5,DATA_EVENT text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 FMnxxt3xjVcWNS2141-file F -
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FMnxxt3xjVcWNS2141 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 HTTP 0 SHA256,EXTRACT,SHA1,MD5,DATA_EVENT text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 FMnxxt3xjVcWNS2141-file F -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 tcp - 0.125216 117 10290 SF - - 0 ShADadFf 9 593 7 10662 -
|
||||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 tcp - 0.173517 111 10284 SF - - 0 ShADadtFf 11 703 10 10812 -
|
||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.0.107 58720 88.198.248.254 80 tcp - 0.124639 117 10290 SF - - 0 ShADadFf 11 697 9 10766 -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1,13 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string
|
||||
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 C4J4Th3PJpwUYZZ6gc 192.168.0.107 58720 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 - F 30003 104857600 179998 0 T -
|
||||
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 - F 30003 104857600 179998 0 T -
|
||||
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 - F 30003 104857600 179998 0 T -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1,13 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path http
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
|
||||
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
|
||||
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 1 GET speed.hetzner.de /100MB.bin - 1.1 curl/7.74.0 - 0 10001 206 Partial Content - - (empty) - - - - - - FaGjhv1ozACeoEnwg5 - -
|
||||
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.0.107 58720 88.198.248.254 80 1 GET speed.hetzner.de /100MB.bin - 1.1 curl/7.74.0 - 0 10001 206 Partial Content - - (empty) - - - - - - FaGjhv1ozACeoEnwg5 - -
|
||||
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 1 GET speed.hetzner.de /100MB.bin - 1.1 curl/7.74.0 - 0 10001 206 Partial Content - - (empty) - - - - - - FaGjhv1ozACeoEnwg5 - -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -5,8 +5,8 @@
|
|||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FVTHwlRSH2WI8fFw2 169.254.128.15 169.254.128.18 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile 0.000000 - F 16 16 0 0 F - - - - - - -
|
||||
XXXXXXXXXX.XXXXXX FAI5Dc4cLr5RAw3j0e 169.254.128.18 169.254.128.15 CHhAvVGS1DHFjwGM9 SMB 0 (empty) text/plain pythonfile2 0.000000 - T 7000 - 0 0 F - - - - - - -
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FVTHwlRSH2WI8fFw2 CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 SMB 0 (empty) text/plain pythonfile 0.000000 - F 16 16 0 0 F - - - - - - -
|
||||
XXXXXXXXXX.XXXXXX FAI5Dc4cLr5RAw3j0e CHhAvVGS1DHFjwGM9 169.254.128.18 49155 169.254.128.15 445 SMB 0 (empty) text/plain pythonfile2 0.000000 - T 7000 - 0 0 F - - - - - - -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FwL5Z01az5ZsFYcHh5 10.0.0.11 10.0.0.12 CHhAvVGS1DHFjwGM9 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - - - -
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count
|
||||
XXXXXXXXXX.XXXXXX FwL5Z01az5ZsFYcHh5 CHhAvVGS1DHFjwGM9 10.0.0.11 49208 10.0.0.12 445 SMB 0 (empty) application/pdf WP_SMBPlugin.pdf 0.073970 - T 1508939 - 0 0 F - - - - - - -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid
|
||||
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string
|
||||
XXXXXXXXXX.XXXXXX FmFp351N5nhsMmAfQg 10.10.1.4 74.53.140.153 CHhAvVGS1DHFjwGM9 SMTP 3 (empty) text/plain - 0.000000 - T 77 - 0 0 F -
|
||||
XXXXXXXXXX.XXXXXX Fqrb1K5DWEfgy4WU2 10.10.1.4 74.53.140.153 CHhAvVGS1DHFjwGM9 SMTP 4 (empty) text/html - 0.000061 - T 1868 - 0 0 F -
|
||||
XXXXXXXXXX.XXXXXX FEFYSd1s8Onn9LynKj 10.10.1.4 74.53.140.153 CHhAvVGS1DHFjwGM9 SMTP 5 (empty) text/plain NEWS.txt 1.165512 - T 10809 - 0 0 F -
|
||||
XXXXXXXXXX.XXXXXX Fc5KpS3kUYqDLwWSMf 192.168.133.100 192.168.133.102 CUM0KZ3MLUfNB0cl11 SMTP 1 (empty) text/plain - 0.000000 - T 204 - 0 0 F -
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string
|
||||
XXXXXXXXXX.XXXXXX FmFp351N5nhsMmAfQg CHhAvVGS1DHFjwGM9 10.10.1.4 1470 74.53.140.153 25 SMTP 3 (empty) text/plain - 0.000000 - T 77 - 0 0 F -
|
||||
XXXXXXXXXX.XXXXXX Fqrb1K5DWEfgy4WU2 CHhAvVGS1DHFjwGM9 10.10.1.4 1470 74.53.140.153 25 SMTP 4 (empty) text/html - 0.000061 - T 1868 - 0 0 F -
|
||||
XXXXXXXXXX.XXXXXX FEFYSd1s8Onn9LynKj CHhAvVGS1DHFjwGM9 10.10.1.4 1470 74.53.140.153 25 SMTP 5 (empty) text/plain NEWS.txt 1.165512 - T 10809 - 0 0 F -
|
||||
XXXXXXXXXX.XXXXXX Fc5KpS3kUYqDLwWSMf CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 SMTP 1 (empty) text/plain - 0.000000 - T 204 - 0 0 F -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid tx_hosts rx_hosts conn_uids
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string set[addr] set[addr] set[string]
|
||||
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 C4J4Th3PJpwUYZZ6gc 192.168.0.107 58720 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 - F 30003 104857600 179998 0 T - 88.198.248.254 192.168.0.107 C4J4Th3PJpwUYZZ6gc
|
||||
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 - F 30003 104857600 179998 0 T - 88.198.248.254 192.168.0.107 CHhAvVGS1DHFjwGM9
|
||||
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 - F 30003 104857600 179998 0 T - 88.198.248.254 192.168.0.107 ClEkJM2Vm5giqnMf4h
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1,13 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string
|
||||
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 C4J4Th3PJpwUYZZ6gc 192.168.0.107 58720 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 - F 30003 104857600 179998 0 T -
|
||||
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 CHhAvVGS1DHFjwGM9 192.168.0.107 58716 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 - F 30003 104857600 179998 0 T -
|
||||
XXXXXXXXXX.XXXXXX FaGjhv1ozACeoEnwg5 ClEkJM2Vm5giqnMf4h 192.168.0.107 58718 88.198.248.254 80 HTTP 0 (empty) - - 0.076646 - F 30003 104857600 179998 0 T -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
|
@ -0,0 +1 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
|
@ -0,0 +1,11 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid tx_hosts rx_hosts conn_uids
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string set[addr] set[addr] set[string]
|
||||
XXXXXXXXXX.XXXXXX FMnxxt3xjVcWNS2141 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 HTTP 0 (empty) text/plain - 0.000263 - F 4705 4705 0 0 F - 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1,11 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path files
|
||||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid
|
||||
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string
|
||||
XXXXXXXXXX.XXXXXX FMnxxt3xjVcWNS2141 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 HTTP 0 (empty) text/plain - 0.000263 - F 4705 4705 0 0 F -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
|
@ -0,0 +1 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
BIN
testing/btest/Traces/http/concurrent-range-requests.pcap
Normal file
Binary file not shown.
|
@ -0,0 +1,26 @@
|
|||
# @TEST-DOC: Implement Files::log_files and verify it is seeing unique File::Info records.
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap uid-id.zeek >out.new
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap frameworks/files/deprecated-txhosts-rxhosts-connuids uid-id-deprecated.zeek >out.deprecated
|
||||
# @TEST-EXEC: btest-diff out.new
|
||||
# @TEST-EXEC: btest-diff out.deprecated
|
||||
|
||||
@TEST-START-FILE uid-id.zeek
|
||||
@load base/frameworks/files
|
||||
@load base/protocols/http
|
||||
|
||||
event Files::log_files(rec: Files::Info)
|
||||
{
|
||||
print rec$uid, rec$id;
|
||||
}
|
||||
@TEST-END-FILE
|
||||
|
||||
|
||||
@TEST-START-FILE uid-id-deprecated.zeek
|
||||
@load base/frameworks/files
|
||||
@load base/protocols/http
|
||||
|
||||
event Files::log_files(rec: Files::Info)
|
||||
{
|
||||
print rec$uid, rec$id, cat(rec$tx_hosts), cat(rec$rx_hosts), cat(rec$conn_uids);
|
||||
}
|
||||
@TEST-END-FILE
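Review bot: `print rec$uid, rec$id;` in the `Files::log_files` handler of uid-id.zeek (and the same line in uid-id-deprecated.zeek) reads both fields without a `?$` presence check, while another test in this commit documents that `info$uid` and `info$id` are not set for files fed through `Input::add_analysis()`. For the HTTP trace used here every record carries both fields, so the baseline holds, but an unset optional field would turn into a field-missing runtime error if the handler were reused with a non-network file source. If the intent is to assert presence, a guard such as `if ( ! rec?$uid || ! rec?$id ) print "missing uid/id";` before the print keeps the failure visible in the diffed output rather than in an error. The file path of this hunk is not shown on the page, so the location is given by its inline @TEST-START-FILE names.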
|
|
@ -0,0 +1,16 @@
|
|||
# @TEST-DOC: Verify the files.log mat when Input::add_analysis() The fields info$id and info$uid are not expected to be set.
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT
|
||||
# @TEST-EXEC: btest-diff files.log
|
||||
|
||||
@load base/frameworks/files
|
||||
|
||||
event zeek_init()
|
||||
{
|
||||
local source: string = "./myfile";
|
||||
Input::add_analysis([$source=source, $name=source]);
|
||||
}
|
||||
|
||||
@TEST-START-FILE ./myfile
|
||||
%PDF-1.5
|
||||
This isn't an actual pdf, but it shows in files.log as such :-)
|
||||
@TEST-END-FILE
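Review bot: The @TEST-DOC line at the top of this hunk reads `Verify the files.log mat when Input::add_analysis() The fields ...`; `mat` looks like a truncated word and the two sentences have run together. Suggested wording, assuming `format` was intended: `# @TEST-DOC: Verify the files.log format when using Input::add_analysis(). The fields info$id and info$uid are not expected to be set.`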
|
|
@ -0,0 +1,8 @@
|
|||
# @TEST-DOC: Pcap contains concurrent range-requests for the same file. Prior to Zeek v5.1, there would have been just one files.log entry, now there are 3 all having the same fuid.
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff files.log
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
|
@ -0,0 +1,15 @@
|
|||
# @TEST-DOC: The pcap contains 3 connections with range requests for the same file. We expect 3 files.log entries all with the same fuid, but different uids. With the deprecated fields, we expect tx_hosts, rx_hosts and conn_uuids to agree with the uid and id fields.
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap %INPUT 2>&1 > out
|
||||
# @TEST-EXEC: mv files.log files.log.new
|
||||
# @TEST-EXEC: mv out out.new
|
||||
# @TEST-EXEC: btest-diff out.new
|
||||
# @TEST-EXEC: btest-diff files.log.new
|
||||
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap %INPUT frameworks/files/deprecated-txhosts-rxhosts-connuids 2>&1 > out
|
||||
# @TEST-EXEC: mv files.log files.log.deprecated
|
||||
# @TEST-EXEC: mv out out.deprecated
|
||||
# @TEST-EXEC: btest-diff out.deprecated
|
||||
# @TEST-EXEC: btest-diff files.log.deprecated
|
||||
|
||||
@load base/frameworks/files
|
||||
@load base/protocols/http
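Review bot: The @TEST-DOC in this hunk says `conn_uuids`, but the field named in the baselines and in the rest of the commit is `conn_uids`; `... we expect tx_hosts, rx_hosts and conn_uids to agree with the uid and id fields.` would match. Separately, both `@TEST-EXEC` lines use `zeek ... %INPUT 2>&1 > out`, which redirects stderr to the shell's original stdout and only stdout into `out`; if the intent is to capture both streams in `out` (so that any warnings end up in the diffed output) the order should be `> out 2>&1`, and if stderr is meant to be left to btest the `2>&1` is redundant and can be dropped. The same redirect appears in the two @TEST-EXEC lines of the following get.trace hunk.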
|
|
@ -0,0 +1,15 @@
|
|||
# @TEST-DOC: Verify the files.log with and without the tx_hosts, rx_hosts and conn_uids fields
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT 2>&1 > out
|
||||
# @TEST-EXEC: mv files.log files.log.new
|
||||
# @TEST-EXEC: mv out out.new
|
||||
# @TEST-EXEC: btest-diff out.new
|
||||
# @TEST-EXEC: btest-diff files.log.new
|
||||
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT frameworks/files/deprecated-txhosts-rxhosts-connuids 2>&1 > out
|
||||
# @TEST-EXEC: mv files.log files.log.deprecated
|
||||
# @TEST-EXEC: mv out out.deprecated
|
||||
# @TEST-EXEC: btest-diff out.deprecated
|
||||
# @TEST-EXEC: btest-diff files.log.deprecated
|
||||
|
||||
@load base/frameworks/files
|
||||
@load base/protocols/http
|
2
testing/external/commit-hash.zeek-testing
vendored
|
@ -1 +1 @@
|
|||
c57b93b0d3aa4ee69452b039055122d4bec9058f
|
||||
a186efd4f3e1d25910fadbe7d020b84ba2903ad2
|
||||
|
|
|
@ -1 +1 @@
|
|||
5cc0fa2bc184e933606e289fccb0eba22bf69e1b
|
||||
77cd67c3f8e4627c7ca799ae9a5d53dbe6c78caa
|
||||
|
|