diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 1462d895e2..38e9caf788 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -1,4 +1,4 @@
-@load base/packet-protocols/default
+@load base/packet-protocols/ip
 @load base/packet-protocols/skip
 @load base/packet-protocols/ethernet
 @load base/packet-protocols/fddi
diff --git a/scripts/base/packet-protocols/default/main.zeek b/scripts/base/packet-protocols/default/main.zeek
deleted file mode 100644
index 0adc5e3f67..0000000000
--- a/scripts/base/packet-protocols/default/main.zeek
+++ /dev/null
@@ -1,7 +0,0 @@
-module PacketAnalyzer::Default;
-
-redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER),
- PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_DEFAULTANALYZER, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
- PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_DEFAULTANALYZER, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
-};
diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek
index efcbf8adb7..9c8e3631cf 100644
--- a/scripts/base/packet-protocols/ethernet/main.zeek
+++ b/scripts/base/packet-protocols/ethernet/main.zeek
@@ -22,5 +22,5 @@ redef PacketAnalyzer::config_map += {
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
 PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE),
- PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER)
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_IP)
 };
diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek
index 181cd27534..229846dab6 100644
--- a/scripts/base/packet-protocols/fddi/main.zeek
+++ b/scripts/base/packet-protocols/fddi/main.zeek
@@ -4,5 +4,5 @@ const DLT_FDDI : count = 10;

 redef PacketAnalyzer::config_map += {
 PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI),
- PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER)
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_IP)
 };
diff --git a/scripts/base/packet-protocols/default/__load__.zeek b/scripts/base/packet-protocols/ip/__load__.zeek
similarity index 100%
rename from scripts/base/packet-protocols/default/__load__.zeek
rename to scripts/base/packet-protocols/ip/__load__.zeek
diff --git a/scripts/base/packet-protocols/ip/main.zeek b/scripts/base/packet-protocols/ip/main.zeek
new file mode 100644
index 0000000000..4c9d2c2740
--- /dev/null
+++ b/scripts/base/packet-protocols/ip/main.zeek
@@ -0,0 +1,7 @@
+module PacketAnalyzer::IP;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_IP),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
+};
diff --git a/scripts/base/packet-protocols/skip/main.zeek b/scripts/base/packet-protocols/skip/main.zeek
index b16bcfb22a..8ea2a951f4 100644
--- a/scripts/base/packet-protocols/skip/main.zeek
+++ b/scripts/base/packet-protocols/skip/main.zeek
@@ -6,5 +6,5 @@ export {
 }

 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_SKIP, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER)
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_SKIP, $analyzer=PacketAnalyzer::ANALYZER_IP)
 };
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index 7c74b4ab18..2bc92afa7b 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -121,7 +121,7 @@ protected:
 *
 * @return The outcome of the analysis.
 */
- virtual AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data,
+ AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data,
 uint32_t identifier) const;

 /**
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index 5ae00729ff..4aee498aa2 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -1,4 +1,3 @@
-add_subdirectory(default)
 add_subdirectory(skip)
 add_subdirectory(wrapper)
@@ -15,5 +14,6 @@ add_subdirectory(mpls)
 add_subdirectory(linux_sll)
 add_subdirectory(arp)
+add_subdirectory(ip)
 add_subdirectory(ipv4)
 add_subdirectory(ipv6)
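Review bot: Dropping `virtual` from the AnalyzeInnerPacket declaration in the Analyzer.h hunk turns a protected extension point into a fixed helper, which is a source-incompatible change for any packet analyzer outside this tree that overrides it with `override`; if that is intended it deserves a NEWS entry. The Doxygen block above the declaration (only its `@return` line is inside the hunk) should be re-read in case it still describes the method as something subclasses specialize, and a short addition such as `/// Non-virtual: subclasses pick the next analyzer via Lookup() and dispatch through here.` would make the new contract explicit. The enclosing class starts and ends outside the hunk.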
diff --git a/src/packet_analysis/protocol/default/Default.cc b/src/packet_analysis/protocol/default/Default.cc
deleted file mode 100644
index de904f9ad7..0000000000
--- a/src/packet_analysis/protocol/default/Default.cc
+++ /dev/null
@@ -1,44 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "Default.h"
-#include "NetVar.h"
-
-using namespace zeek::packet_analysis::Default;
-
-DefaultAnalyzer::DefaultAnalyzer()
- : zeek::packet_analysis::Analyzer("DefaultAnalyzer")
- {
- }
-
-zeek::packet_analysis::AnalyzerResult DefaultAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
- {
- // Assume we're pointing at IP. Just figure out which version.
- if ( data + sizeof(struct ip) >= packet->GetEndOfData() )
- {
- packet->Weird("packet_analyzer_truncated_header");
- return AnalyzerResult::Failed;
- }
-
- auto ip = (const struct ip *)data;
- uint32_t protocol = ip->ip_v;
-
- return AnalyzeInnerPacket(packet, data, protocol);
- }
-
-zeek::packet_analysis::AnalyzerResult DefaultAnalyzer::AnalyzeInnerPacket(Packet* packet,
- const uint8_t*& data, uint32_t identifier) const
- {
- auto inner_analyzer = Lookup(identifier);
-
- if ( inner_analyzer == nullptr )
- {
- DBG_LOG(DBG_PACKET_ANALYSIS, "Default analysis in %s failed, could not find analyzer for identifier %#x.",
- GetAnalyzerName(), identifier);
- packet->Weird("no_suitable_analyzer_found");
- return AnalyzerResult::Failed;
- }
-
- DBG_LOG(DBG_PACKET_ANALYSIS, "Default analysis in %s succeeded, next layer identifier is %#x.",
- GetAnalyzerName(), identifier);
- return inner_analyzer->Analyze(packet, data);
- }
\ No newline at end of file
diff --git a/src/packet_analysis/protocol/default/Default.h b/src/packet_analysis/protocol/default/Default.h
deleted file mode 100644
index 9a37a11a44..0000000000
--- a/src/packet_analysis/protocol/default/Default.h
+++ /dev/null
@@ -1,27 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#pragma once
-
-#include
-#include
-
-namespace zeek::packet_analysis::Default {
-
-class DefaultAnalyzer : public Analyzer {
-public:
- DefaultAnalyzer();
- ~DefaultAnalyzer() override = default;
-
- AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
-
- static zeek::packet_analysis::AnalyzerPtr Instantiate()
- {
- return std::make_shared();
- }
-
-protected:
- AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data,
- uint32_t identifier) const override;
-};
-
-}
diff --git a/src/packet_analysis/protocol/default/CMakeLists.txt b/src/packet_analysis/protocol/ip/CMakeLists.txt
similarity index 61%
rename from src/packet_analysis/protocol/default/CMakeLists.txt
rename to src/packet_analysis/protocol/ip/CMakeLists.txt
index c41a982b87..3be79005d9 100644
--- a/src/packet_analysis/protocol/default/CMakeLists.txt
+++ b/src/packet_analysis/protocol/ip/CMakeLists.txt
@@ -3,6 +3,6 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-zeek_plugin_begin(PacketAnalyzer Default)
-zeek_plugin_cc(Default.cc Plugin.cc)
+zeek_plugin_begin(PacketAnalyzer IP)
+zeek_plugin_cc(IP.cc Plugin.cc)
 zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc
new file mode 100644
index 0000000000..d6c2b91e9a
--- /dev/null
+++ b/src/packet_analysis/protocol/ip/IP.cc
@@ -0,0 +1,38 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IP.h"
+#include "NetVar.h"
+
+using namespace zeek::packet_analysis::IP;
+
+IPAnalyzer::IPAnalyzer()
+ : zeek::packet_analysis::Analyzer("IP")
+ {
+ }
+
+zeek::packet_analysis::AnalyzerResult IPAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
+ {
+ // Assume we're pointing at IP. Just figure out which version.
+ if ( data + sizeof(struct ip) >= packet->GetEndOfData() )
+ {
+ packet->Weird("packet_analyzer_truncated_header");
+ return AnalyzerResult::Failed;
+ }
+
+ auto ip = (const struct ip *)data;
+ uint32_t protocol = ip->ip_v;
+
+ auto inner_analyzer = Lookup(protocol);
+
+ if ( inner_analyzer == nullptr )
+ {
+ DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.",
+ GetAnalyzerName(), protocol);
+ packet->Weird("no_suitable_analyzer_found");
+ return AnalyzerResult::Failed;
+ }
+
+ DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
+ GetAnalyzerName(), protocol);
+ return inner_analyzer->Analyze(packet, data);
+ }
\ No newline at end of file
diff --git a/src/packet_analysis/protocol/ip/IP.h b/src/packet_analysis/protocol/ip/IP.h
new file mode 100644
index 0000000000..f57012247c
--- /dev/null
+++ b/src/packet_analysis/protocol/ip/IP.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::packet_analysis::IP {
+
+class IPAnalyzer : public Analyzer {
+public:
+ IPAnalyzer();
+ ~IPAnalyzer() override = default;
+
+ AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
+
+ static zeek::packet_analysis::AnalyzerPtr Instantiate()
+ {
+ return std::make_shared();
+ }
+};
+
+}
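Review bot: The truncation guard in IPAnalyzer::Analyze, `if ( data + sizeof(struct ip) >= packet->GetEndOfData() )`, rejects a buffer that holds exactly sizeof(struct ip) bytes, so a header-only IPv4 datagram is reported as `packet_analyzer_truncated_header` instead of being handed to the IPv4 analyzer; unless the extra byte is deliberate, `>` is the bound that matches the comment's intent. The version nibble is then read by overlaying `struct ip` on the raw buffer with a C-style cast, which depends on the host's bitfield layout and on `data` being suitably aligned even though only the top four bits of the first byte are needed; `uint32_t protocol = data[0] >> 4;` reads it without either dependency and lets the guard stop depending on the IPv4 header size, which is also wrong for the IPv6 case this function explicitly dispatches to. Since the ethernet, fddi and skip scripts in this commit all appear to make ANALYZER_IP the fallback for frames whose type did not match, any payload whose first nibble happens to be 4 or 6 will now be passed on as IP, so a one-line comment on the function stating that it is a best-effort guess and that the IPv4/IPv6 analyzers are expected to validate the header would help the next reader.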
diff --git a/src/packet_analysis/protocol/default/Plugin.cc b/src/packet_analysis/protocol/ip/Plugin.cc
similarity index 55%
rename from src/packet_analysis/protocol/default/Plugin.cc
rename to src/packet_analysis/protocol/ip/Plugin.cc
index 30e27711f3..5645220677 100644
--- a/src/packet_analysis/protocol/default/Plugin.cc
+++ b/src/packet_analysis/protocol/ip/Plugin.cc
@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.

-#include "Default.h"
+#include "IP.h"
 #include "plugin/Plugin.h"
 #include "packet_analysis/Component.h"

@@ -10,12 +10,12 @@ class Plugin : public zeek::plugin::Plugin {
 public:
 zeek::plugin::Configuration Configure()
 {
- AddComponent(new zeek::packet_analysis::Component("DefaultAnalyzer",
- zeek::packet_analysis::Default::DefaultAnalyzer::Instantiate));
+ AddComponent(new zeek::packet_analysis::Component("IP",
+ zeek::packet_analysis::IP::IPAnalyzer::Instantiate));

 zeek::plugin::Configuration config;
- config.name = "Zeek::DefaultAnalyzer";
- config.description = "Default packet analyzer for IP fallback";
+ config.name = "Zeek::IP";
+ config.description = "Packet analyzer for IP fallback (v4 or v6)";

 return config;
 }
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index fc541cc1b1..c95f448c08 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field (empty)
 #unset_field -
 #path loaded_scripts
-#open 2020-08-28-14-19-59
+#open 2020-08-28-15-37-31
 #fields name
 #types string
 scripts/base/init-bare.zeek
@@ -20,8 +20,8 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek - scripts/base/packet-protocols/default/__load__.zeek - scripts/base/packet-protocols/default/main.zeek + scripts/base/packet-protocols/ip/__load__.zeek + scripts/base/packet-protocols/ip/main.zeek scripts/base/packet-protocols/skip/__load__.zeek scripts/base/packet-protocols/skip/main.zeek scripts/base/packet-protocols/ethernet/__load__.zeek @@ -212,4 +212,4 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek -#close 2020-08-28-14-19-59 +#close 2020-08-28-15-37-31 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index cb80b86ab0..2c4f3c2331 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-22-17-05-35 +#open 2020-09-22-17-07-43 #fields name #types string scripts/base/init-bare.zeek @@ -20,8 +20,8 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek - scripts/base/packet-protocols/default/__load__.zeek - scripts/base/packet-protocols/default/main.zeek + scripts/base/packet-protocols/ip/__load__.zeek + scripts/base/packet-protocols/ip/main.zeek scripts/base/packet-protocols/skip/__load__.zeek scripts/base/packet-protocols/skip/main.zeek scripts/base/packet-protocols/ethernet/__load__.zeek 
@@ -408,4 +408,4 @@ scripts/base/init-default.zeek scripts/base/misc/find-filtered-trace.zeek scripts/base/misc/version.zeek scripts/policy/misc/loaded-scripts.zeek -#close 2020-09-22-17-05-36 +#close 2020-09-22-17-07-43 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index c30578cb03..24d3425197 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -283,7 +283,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -464,7 +464,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -827,7 +827,6 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/control) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/data.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/dce-rpc) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/default) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/dhcp) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/dir.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/directions-and-hosts.zeek) -> -1 @@ -858,6 +857,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/input) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ip) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/irc) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/krb) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/linux_sll) -> -1 
@@ -1226,7 +1226,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1407,7 +1407,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1770,7 +1770,6 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/control) 0.000000 MetaHookPre LoadFile(0, base<...>/data.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/dce-rpc) -0.000000 MetaHookPre LoadFile(0, base<...>/default) 0.000000 MetaHookPre LoadFile(0, base<...>/dhcp) 0.000000 MetaHookPre LoadFile(0, base<...>/dir.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/directions-and-hosts.zeek) @@ -1801,6 +1800,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/input) 0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/intel) +0.000000 MetaHookPre LoadFile(0, base<...>/ip) 0.000000 MetaHookPre LoadFile(0, base<...>/irc) 0.000000 MetaHookPre LoadFile(0, base<...>/krb) 0.000000 MetaHookPre LoadFile(0, base<...>/linux_sll) @@ -2168,7 +2168,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -2349,7 +2349,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2724,7 +2724,6 @@ 0.000000 | HookLoadFile base<...>/control 0.000000 | HookLoadFile base<...>/data.bif.zeek 0.000000 | HookLoadFile base<...>/dce-rpc -0.000000 | HookLoadFile base<...>/default 0.000000 | HookLoadFile base<...>/dhcp 0.000000 | HookLoadFile base<...>/dir.zeek 0.000000 | HookLoadFile base<...>/directions-and-hosts.zeek @@ -2755,6 +2754,7 @@ 0.000000 | HookLoadFile base<...>/input 0.000000 | HookLoadFile base<...>/input.bif.zeek 0.000000 | HookLoadFile base<...>/intel +0.000000 | HookLoadFile base<...>/ip 0.000000 | HookLoadFile base<...>/irc 0.000000 | HookLoadFile base<...>/krb 0.000000 | HookLoadFile base<...>/linux_sll 
@@ -2822,7 +2822,7 @@ 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init()