diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.log_policy/output b/src/spicy/spicy-ldap/tests/baseline/analyzer.log_policy/output
deleted file mode 100644
index b1bb951e92..0000000000
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.log_policy/output
+++ /dev/null
@@ -1,2 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.search_filter_extended/ldap_search.log b/src/spicy/spicy-ldap/tests/baseline/analyzer.search_filter_extended/ldap_search.log
deleted file mode 100644
index 555a1c7270..0000000000
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.search_filter_extended/ldap_search.log
+++ /dev/null
@@ -1,12 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
-#separator \x09
-#set_separator ,
-#empty_field (empty)
-#unset_field -
-#path ldap_search
-#open XXXX-XX-XX-XX-XX-XX
-#fields uid filter base_object
-#types string string vector[string]
-#close XXXX-XX-XX-XX-XX-XX
-CHhAvVGS1DHFjwGM9 (departmentNumber:2.16.840.1.113730.3.3.2.46.1:=>=N4709) DC=matrix\x2cDC=local
diff --git a/src/spicy/spicy-ldap/tests/btest.cfg b/src/spicy/spicy-ldap/tests/btest.cfg
deleted file mode 100644
index 914dea4dde..0000000000
--- a/src/spicy/spicy-ldap/tests/btest.cfg
+++ /dev/null
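Review bot: The baseline `src/spicy/spicy-ldap/tests/baseline/analyzer.search_filter_extended/ldap_search.log` is deleted outright here, while its test script `search_filter_extended.zeek` survives as a 100%-similarity rename in the last hunk of the diff, and no baseline under `testing/btest/Baseline/scripts.base.protocols.ldap.search_filter_extended/` appears anywhere in this diff. Every other baseline in the old tree is renamed to its new location rather than dropped, so this one looks like an omission rather than a deliberate removal. Unless that baseline already exists at the new path, the renamed test will fail at `btest-diff`; worth confirming, and if it is missing, regenerating it with `btest -U` at the new location.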
@@ -1,34 +0,0 @@
-[btest]
-MinVersion = 0.66
-
-TestDirs = analyzer
-TmpDir = %(testbase)s/.tmp
-BaselineDir = %(testbase)s/baseline
-IgnoreDirs = .svn CVS .tmp Baseline Failing traces Traces
-IgnoreFiles = .DS_Store *.pcap data.* *.dat *.wmv *.der *.tmp *.swp .*.swp #* CMakeLists.txt
-
-[environment]
-DIST=%(testbase)s/..
-PATH=%(testbase)s/../tests/scripts:`spicyz --print-plugin-path`/tests/scripts:%(default_path)s
-SCRIPTS=`spicyz --print-plugin-path`/tests/Scripts
-ZEEK_SPICY_MODULE_PATH=%(testbase)s/../build/spicy-modules
-TEST_DIFF_CANONIFIER=`spicyz --print-plugin-path`/tests/Scripts/canonify-zeek-log-sorted
-TRACES=%(testbase)s/traces
-ZEEKPATH=%(testbase)s/..:`zeek-config --zeekpath`
-ZEEK_SEED_FILE=`spicyz --print-plugin-path`/tests/random.seed
-
-# Set variables to well-defined state.
-LANG=C
-LC_ALL=C
-TZ=UTC
-CC=
-CXX=
-CFLAGS=
-CPPFLAGS=
-CXXFLAGS=
-LDFLAGS=
-DYLDFLAGS=
-
-[environment-installation]
-ZEEK_SPICY_MODULE_PATH=
-ZEEKPATH=`%(testbase)s/scripts/zeek-path-install`
diff --git a/src/spicy/spicy-ldap/tests/scripts/zeek-path-install b/src/spicy/spicy-ldap/tests/scripts/zeek-path-install
deleted file mode 100755
index 3ce6131d6d..0000000000
--- a/src/spicy/spicy-ldap/tests/scripts/zeek-path-install
+++ /dev/null
@@ -1,5 +0,0 @@
-#! /bin/sh
-#
-# Assembles the Zeek path for testing the installed version (can't do that in btest.cfg directly).
-
-echo $(spicyz --print-scripts-path):$(zkg config script_dir):$(zeek-config --zeekpath)
diff --git a/src/spicy/spicy-ldap/tests/traces/README b/src/spicy/spicy-ldap/tests/traces/README
deleted file mode 100644
index 5a388dc70d..0000000000
--- a/src/spicy/spicy-ldap/tests/traces/README
+++ /dev/null
@@ -1,15 +0,0 @@
-The test suite comes with a set of traces collected from a variety of
-places that we document below. While these traces are all coming from
-public sources, please note that they may carry their own licenses.
-We collect them here for convenience only.
-
-- [ldap-simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap)
-- ldap-simpleauth-diff-port.pcap: made with
- `tcprewrite -r 3268:32681 -i ldap-simpleauth.pcap -o ldap-simpleauth-diff-port.pcap`
-- ldap-krb5-sign-seal-01.pcap: trace is derived from
-
- - the LDAP flow selected (filtered out the Kerberos packets)
- - truncated to 10 packets (where packet 10 contains the SASL encrypted LDAP message)
- - one `\x30` byte in the ciphertext changed to `\x00`
-- ldap-issue-32.pcapng: Provided by GH user martinvanhensbergen,
-
diff --git a/src/spicy/spicy-ldap/tests/traces/ldap-issue-32.pcapng b/src/spicy/spicy-ldap/tests/traces/ldap-issue-32.pcapng
deleted file mode 100644
index 8ed316dd51..0000000000
Binary files a/src/spicy/spicy-ldap/tests/traces/ldap-issue-32.pcapng and /dev/null differ
diff --git a/testing/btest/Baseline/coverage.record-fields/out.default b/testing/btest/Baseline/coverage.record-fields/out.default
index 25d9e950bf..68d049e536 100644
--- a/testing/btest/Baseline/coverage.record-fields/out.default
+++ b/testing/btest/Baseline/coverage.record-fields/out.default
@@ -360,6 +360,39 @@ connection {
 * ts: time, log=T, optional=F
 * uid: string, log=T, optional=F
 }
+ * ldap_messages: table[int] of record LDAP::Message, log=F, optional=T
+ LDAP::Message {
+ * argument: vector of string, log=T, optional=T
+ * diagnostic_message: vector of string, log=T, optional=T
+ * id: record conn_id, log=T, optional=F
+ conn_id { ... }
+ * message_id: int, log=T, optional=T
+ * object: vector of string, log=T, optional=T
+ * opcode: set[string], log=T, optional=T
+ * proto: string, log=T, optional=T
+ * result: set[string], log=T, optional=T
+ * ts: time, log=T, optional=F
+ * uid: string, log=T, optional=F
+ * version: int, log=T, optional=T
+ }
+ * ldap_proto: string, log=F, optional=T
+ * ldap_searches: table[int] of record LDAP::Search, log=F, optional=T
+ LDAP::Search {
+ * attributes: vector of string, log=T, optional=T
+ * base_object: vector of string, log=T, optional=T
+ * deref: set[string], log=T, optional=T
+ * diagnostic_message: vector of string, log=T, optional=T
+ * filter: string, log=T, optional=T
+ * id: record conn_id, log=T, optional=F
+ conn_id { ... }
+ * message_id: int, log=T, optional=T
+ * proto: string, log=T, optional=T
+ * result: set[string], log=T, optional=T
+ * result_count: count, log=T, optional=T
+ * scope: set[string], log=T, optional=T
+ * ts: time, log=T, optional=F
+ * uid: string, log=T, optional=F
+ }
 * modbus: record Modbus::Info, log=F, optional=T
 Modbus::Info {
 * exception: string, log=T, optional=T
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.attributes/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/conn.log
similarity index 84%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.attributes/conn.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.attributes/conn.log
index 3bdde7206c..a69f1ec56a
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.attributes/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/conn.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 -
 #close XXXX-XX-XX-XX-XX-XX
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp spicy_ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 -
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.basic/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log
similarity index 94%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.basic/ldap.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log
index 462cec25c7..8f50988763
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.basic/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
 #types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.attributes/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log
similarity index 93%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.attributes/ldap_search.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log
index 954b0a5d01..ad4567a0a2
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.attributes/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
 #types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) sAMAccountName
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.log_policy/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/conn.log
similarity index 84%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.log_policy/conn.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.basic/conn.log
index 3bdde7206c..a69f1ec56a
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.log_policy/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/conn.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 -
 #close XXXX-XX-XX-XX-XX-XX
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp spicy_ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 -
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.attributes/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log
similarity index 94%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.attributes/ldap.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log
index 462cec25c7..8f50988763
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.attributes/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
 #types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.basic/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log
similarity index 93%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.basic/ldap_search.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log
index 9bc7fa70de..1497e67a58
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.basic/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
 #types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.parse/output b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/output
similarity index 73%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.parse/output
rename to testing/btest/Baseline/scripts.base.protocols.ldap.basic/output
index c07b15461b..49d861c74c
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.parse/output
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/output
@@ -1,4 +1 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-LDAP::Messages {
- payload: test string
-}
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/conn.log
similarity index 84%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.basic/conn.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/conn.log
index 3bdde7206c..f60bcc1b32
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.basic/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/conn.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 -
 #close XXXX-XX-XX-XX-XX-XX
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp spicy_ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 -
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.diff_port/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log
similarity index 94%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.diff_port/ldap.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log
index 4cebad26c1..5c2ec47c69
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.diff_port/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
 #types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.diff_port/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log
similarity index 93%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.diff_port/ldap_search.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log
index 7d50764ff7..5113c76d90
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.diff_port/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
 #types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.diff_port/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/conn.log
similarity index 84%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.diff_port/conn.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/conn.log
index 2d87050cfa..a69f1ec56a
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.diff_port/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/conn.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 -
 #close XXXX-XX-XX-XX-XX-XX
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp spicy_ldap_tcp 181.520479 258 188 RSTO 0 ShADdR 8 590 4 360 -
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.basic/output b/testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/output
similarity index 68%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.basic/output
rename to testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/output
index b1bb951e92..49d861c74c
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.basic/output
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/output
@@ -1,2 +1 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.sasl-encrypted/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/conn.log
similarity index 83%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.sasl-encrypted/conn.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/conn.log
index 3159ed4b82..eaaa60672a
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.sasl-encrypted/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/conn.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp ldap_tcp 0.813275 1814 2391 S1 0 ShADd 6 2062 4 2559 -
 #close XXXX-XX-XX-XX-XX-XX
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp spicy_ldap_tcp 0.813275 1814 2391 S1 0 ShADd 6 2062 4 2559 -
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.sasl-encrypted/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log
similarity index 92%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.sasl-encrypted/ldap.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log
index 40dd1d3672..a1f0e5f0b8
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.sasl-encrypted/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
 #types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp 215 3 bind SASL success - - GSS-SPNEGO
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/src/spicy/spicy-ldap/tests/baseline/analyzer.sasl-encrypted/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log
similarity index 92%
rename from src/spicy/spicy-ldap/tests/baseline/analyzer.sasl-encrypted/ldap_search.log
rename to testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log
index 7ad3fbccb5..0436cc9f1c
--- a/src/spicy/spicy-ldap/tests/baseline/analyzer.sasl-encrypted/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log
@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator ,
 #empty_field (empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
 #types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp 213 base never - 1 success - (objectclass=*) -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README
index f7ea25b807..bc5a304436 100644
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README
@@ -6,4 +6,15 @@ depend on them for tests.
 Trace Index/Sources:
-- modbus/modbus-eit.trace: Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file.
\ No newline at end of file
+- modbus/modbus-eit.trace: Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file.
+
+- [ldap/simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap)
+- ldap/simpleauth-diff-port.pcap: made with
+ `tcprewrite -r 3268:32681 -i simpleauth.pcap -o simpleauth-diff-port.pcap`
+- ldap/krb5-sign-seal-01.pcap: trace is derived from
+
+ - the LDAP flow selected (filtered out the Kerberos packets)
+ - truncated to 10 packets (where packet 10 contains the SASL encrypted LDAP message)
+ - one `\x30` byte in the ciphertext changed to `\x00`
+- ldap/issue-32.pcapng: Provided by GH user martinvanhensbergen,
+
diff --git a/src/spicy/spicy-ldap/tests/traces/issue-32.pcapng b/testing/btest/Traces/ldap/issue-32.pcapng
similarity index 100%
rename from src/spicy/spicy-ldap/tests/traces/issue-32.pcapng
rename to testing/btest/Traces/ldap/issue-32.pcapng
diff --git a/src/spicy/spicy-ldap/tests/traces/ldap-krb5-sign-seal-01.pcap b/testing/btest/Traces/ldap/krb5-sign-seal-01.pcap
similarity index 100%
rename from src/spicy/spicy-ldap/tests/traces/ldap-krb5-sign-seal-01.pcap
rename to testing/btest/Traces/ldap/krb5-sign-seal-01.pcap
diff --git a/src/spicy/spicy-ldap/tests/traces/ldap-simpleauth-diff-port.pcap b/testing/btest/Traces/ldap/simpleauth-diff-port.pcap
similarity index 100%
rename from src/spicy/spicy-ldap/tests/traces/ldap-simpleauth-diff-port.pcap
rename to testing/btest/Traces/ldap/simpleauth-diff-port.pcap
diff --git a/src/spicy/spicy-ldap/tests/traces/ldap-simpleauth.pcap b/testing/btest/Traces/ldap/simpleauth.pcap
similarity index 100%
rename from src/spicy/spicy-ldap/tests/traces/ldap-simpleauth.pcap
rename to testing/btest/Traces/ldap/simpleauth.pcap
diff --git a/src/spicy/spicy-ldap/tests/analyzer/attributes.zeek b/testing/btest/scripts/base/protocols/ldap/attributes.zeek
similarity index 83%
rename from src/spicy/spicy-ldap/tests/analyzer/attributes.zeek
rename to testing/btest/scripts/base/protocols/ldap/attributes.zeek
index e20cf7cc6b..bc482ebbfa 100644
--- a/src/spicy/spicy-ldap/tests/analyzer/attributes.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/attributes.zeek
@@ -1,6 +1,6 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap-simpleauth.pcap %INPUT
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/simpleauth.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
@@ -8,6 +8,4 @@
 #
 # @TEST-DOC: Test LDAP search attributes with small trace.
-@load analyzer
-
 redef LDAP::default_log_search_attributes = T;
diff --git a/src/spicy/spicy-ldap/tests/analyzer/availability.zeek b/testing/btest/scripts/base/protocols/ldap/availability.zeek
similarity index 100%
rename from src/spicy/spicy-ldap/tests/analyzer/availability.zeek
rename to testing/btest/scripts/base/protocols/ldap/availability.zeek
diff --git a/src/spicy/spicy-ldap/tests/analyzer/basic.zeek b/testing/btest/scripts/base/protocols/ldap/basic.zeek
similarity index 82%
rename from src/spicy/spicy-ldap/tests/analyzer/basic.zeek
rename to testing/btest/scripts/base/protocols/ldap/basic.zeek
index c7bb23e16e..b5753b1fea 100644
--- a/src/spicy/spicy-ldap/tests/analyzer/basic.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/basic.zeek
@@ -1,6 +1,6 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap-simpleauth.pcap %INPUT >output 2>&1
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/simpleauth.pcap %INPUT >output 2>&1
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
@@ -8,5 +8,3 @@
 # @TEST-EXEC: btest-diff ldap_search.log
 #
 # @TEST-DOC: Test LDAP analyzer with small trace.
-
-@load analyzer
diff --git a/src/spicy/spicy-ldap/tests/analyzer/diff_port.zeek b/testing/btest/scripts/base/protocols/ldap/diff_port.zeek
similarity index 80%
rename from src/spicy/spicy-ldap/tests/analyzer/diff_port.zeek
rename to testing/btest/scripts/base/protocols/ldap/diff_port.zeek
index 5e415fbb69..565903355d 100644
--- a/src/spicy/spicy-ldap/tests/analyzer/diff_port.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/diff_port.zeek
@@ -1,11 +1,9 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap-simpleauth-diff-port.pcap %INPUT
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/simpleauth-diff-port.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
 # @TEST-EXEC: btest-diff ldap_search.log
 #
 # @TEST-DOC: Test LDAP analyzer with small trace.
-
-@load analyzer
diff --git a/src/spicy/spicy-ldap/tests/analyzer/functions.spicy b/testing/btest/scripts/base/protocols/ldap/functions.spicy
similarity index 96%
rename from src/spicy/spicy-ldap/tests/analyzer/functions.spicy
rename to testing/btest/scripts/base/protocols/ldap/functions.spicy
index 5679dba650..4bcc721673 100644
--- a/src/spicy/spicy-ldap/tests/analyzer/functions.spicy
+++ b/testing/btest/scripts/base/protocols/ldap/functions.spicy
@@ -1,4 +1,7 @@
-# @TEST-EXEC: spicyc -j -d -L ${DIST}/analyzer %INPUT
+# This test can only run if we have the LDAP grammar available.
+# @TEST-REQUIRES: [ -n ${DIST} ]
+#
+# @TEST-EXEC: spicyc -j -d -L ${DIST}/src/analyzer/protocol/ldap %INPUT
 #
 # @TEST-DOC: Validates helper functions in LDAP module.
diff --git a/src/spicy/spicy-ldap/tests/analyzer/log_policy.zeek b/testing/btest/scripts/base/protocols/ldap/log_policy.zeek
similarity index 88%
rename from src/spicy/spicy-ldap/tests/analyzer/log_policy.zeek
rename to testing/btest/scripts/base/protocols/ldap/log_policy.zeek
index 0a642223db..0317fc6a7d 100644
--- a/src/spicy/spicy-ldap/tests/analyzer/log_policy.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/log_policy.zeek
@@ -1,6 +1,6 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap-simpleauth.pcap %INPUT >output 2>&1
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/simpleauth.pcap %INPUT >output 2>&1
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
@@ -9,8 +9,6 @@
 #
 # @TEST-DOC: Test LDAP analyzer with small trace using logging policies.
-@load analyzer
-
 hook LDAP::log_policy(rec: LDAP::Message, id: Log::ID, filter: Log::Filter)
 {
 break;
diff --git a/src/spicy/spicy-ldap/tests/analyzer/sasl-encrypted.zeek b/testing/btest/scripts/base/protocols/ldap/sasl-encrypted.zeek
similarity index 83%
rename from src/spicy/spicy-ldap/tests/analyzer/sasl-encrypted.zeek
rename to testing/btest/scripts/base/protocols/ldap/sasl-encrypted.zeek
index 52bbce73cb..f84f979237 100644
--- a/src/spicy/spicy-ldap/tests/analyzer/sasl-encrypted.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-encrypted.zeek
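Review bot: The new `@TEST-REQUIRES: [ -n ${DIST} ]` in functions.spicy does not gate anything, because when `${DIST}` is unset or empty the unquoted expansion leaves `[ -n ]`, which POSIX `test` evaluates as true (its single operand `-n` is a non-empty string), so the test is never skipped. The expansion needs quoting, and since the comment above it says the requirement is the LDAP grammar being available, checking the directory the `@TEST-EXEC` line actually passes to `spicyc -L` is the more direct guard: `# @TEST-REQUIRES: [ -d "${DIST}/src/analyzer/protocol/ldap" ]`. The same quoting caveat applies to any other place in this file that tests `${DIST}`; the rest of the file is outside the hunk.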
@@ -1,6 +1,6 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap-krb5-sign-seal-01.pcap %INPUT
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/krb5-sign-seal-01.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
@@ -9,5 +9,3 @@
 # @TEST-EXEC: ! test -f dpd.log
 #
 # @TEST-DOC: Test LDAP analyzer with SASL encrypted payloads.
-
-@load analyzer
diff --git a/src/spicy/spicy-ldap/tests/analyzer/search_filter_extended.zeek b/testing/btest/scripts/base/protocols/ldap/search_filter_extended.zeek
similarity index 100%
rename from src/spicy/spicy-ldap/tests/analyzer/search_filter_extended.zeek
rename to testing/btest/scripts/base/protocols/ldap/search_filter_extended.zeek