Merge branch 'master' of git.bro.org:bro

CHANGES

@@ -1,4 +1,12 @@
 
+2.4-307 | 2016-03-07 13:33:45 -0800
+
+  * Add "disable_analyzer_after_detection" and remove
+    "skip_processing_after_detection". Addresses BIT-1545.
+    (Aaron Eppert & Johanna Amann)
+
+  * Add bad_HTTP_request_with_version weird (William Glodek)
+
 2.4-299 | 2016-03-04 12:51:55 -0800
 
   * More detailed installation instructions for FreeBSD 9.X. (Johanna Amann)
@@ -1948,21 +1956,21 @@
 2.3-beta-18 | 2014-06-06 13:11:50 -0700
 
   * Add two more SSL events, one triggered for each handshake message
-    and one triggered for the tls change cipherspec message. (Bernhard
+    and one triggered for the tls change cipherspec message. (Johanna
     Amann)
 
   * Small SSL bug fix. In case SSL::disable_analyzer_after_detection
     was set to false, the ssl_established event would fire after each
-    data packet once the session is established. (Bernhard Amann)
+    data packet once the session is established. (Johanna Amann)
 
 2.3-beta-16 | 2014-06-06 13:05:44 -0700
 
   * Re-activate notice suppression for expiring certificates.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.3-beta-14 | 2014-06-05 14:43:33 -0700
 
-  * Add new TLS extension type numbers from IANA (Bernhard Amann)
+  * Add new TLS extension type numbers from IANA (Johanna Amann)
 
   * Switch to double hashing for Bloomfilters for better performance.
     (Matthias Vallentin)
@@ -1972,7 +1980,7 @@
     (Matthias Vallentin)
 
   * Make buffer for X509 certificate subjects larger. Addresses
-    BIT-1195 (Bernhard Amann)
+    BIT-1195 (Johanna Amann)
 
 2.3-beta-5 | 2014-05-29 15:34:42 -0500
 
@@ -1994,19 +2002,19 @@
 
   * Release 2.3-beta
 
-  * Clean up OpenSSL data structures on exit. (Bernhard Amann)
+  * Clean up OpenSSL data structures on exit. (Johanna Amann)
 
-  * Fixes for OCSP & x509 analysis memory leak issues. (Bernhard Amann)
+  * Fixes for OCSP & x509 analysis memory leak issues. (Johanna Amann)
 
   * Remove remaining references to BROMAGIC (Daniel Thayer)
 
   * Fix typos and formatting in event and BiF documentation (Daniel Thayer)
 
   * Update intel framework plugin for ssl server_name extension API
-    changes. (Bernhard Amann, Justin Azoff)
+    changes. (Johanna Amann, Justin Azoff)
 
   * Fix expression errors in SSL/x509 scripts when unparseable data
-    is in certificate chain. (Bernhard Amann)
+    is in certificate chain. (Johanna Amann)
 
 2.2-478 | 2014-05-19 15:31:33 -0500
 
@@ -2015,7 +2023,7 @@
 
 2.2-477 | 2014-05-19 14:13:00 -0500
 
-  * Fix X509::Result record's "result" field to be set internally as type int instead of type count. (Bernhard Amann)
+  * Fix X509::Result record's "result" field to be set internally as type int instead of type count. (Johanna Amann)
 
   * Fix a couple of doc build warnings (Daniel Thayer)
 
@@ -2033,19 +2041,19 @@
 
   * New script policy/protocols/ssl/validate-ocsp.bro that adds OSCP
     validation to ssl.log. The work is done by a new bif
-    x509_ocsp_verify(). (Bernhard Amann)
+    x509_ocsp_verify(). (Johanna Amann)
 
   * STARTTLS support for POP3 and SMTP. The SSL analyzer takes over
     when seen. smtp.log now logs when a connection switches to SSL.
-    (Bernhard Amann)
+    (Johanna Amann)
 
-  * Replace errors when parsing x509 certs with weirds. (Bernhard
+  * Replace errors when parsing x509 certs with weirds. (Johanna
     Amann)
 
-  * Improved Heartbleed attack/scan detection. (Bernhard Amann)
+  * Improved Heartbleed attack/scan detection. (Johanna Amann)
 
   * Let TLS analyzer fail better when no longer in sync with the data
-    stream. (Bernhard Amann)
+    stream. (Johanna Amann)
 
 2.2-444 | 2014-05-16 14:10:32 -0500
 
@@ -2064,7 +2072,7 @@
 
 2.2-427 | 2014-05-15 13:37:23 -0400
 
-  * Fix dynamic SumStats update on clusters (Bernhard Amann)
+  * Fix dynamic SumStats update on clusters (Johanna Amann)
 
 2.2-425 | 2014-05-08 16:34:44 -0700
 
@@ -2116,11 +2124,11 @@
 
   * Add DH support to SSL analyzer.  When using DHE or DH-Anon, sever
     key parameters are now available in scriptland.  Also add script to
-    alert on weak certificate keys or weak dh-params. (Bernhard Amann)
+    alert on weak certificate keys or weak dh-params. (Johanna Amann)
 
-  * Add a few more ciphers Bro did not know at all so far. (Bernhard Amann)
+  * Add a few more ciphers Bro did not know at all so far. (Johanna Amann)
 
-  * Log chosen curve when using ec cipher suite in TLS. (Bernhard Amann)
+  * Log chosen curve when using ec cipher suite in TLS. (Johanna Amann)
 
 2.2-397 | 2014-05-01 20:29:20 -0700
 
@@ -2132,7 +2140,7 @@
     (Jon Siwek)
 
   * Correct a notice for heartbleed. The notice is thrown correctly,
-    just the message conteined wrong values. (Bernhard Amann)
+    just the message conteined wrong values. (Johanna Amann)
 
   * Improve/standardize some malloc/realloc return value checks. (Jon
     Siwek)
@@ -2159,7 +2167,7 @@
 2.2-377 | 2014-04-24 16:57:54 -0700
 
   * A larger set of SSL improvements and extensions. Addresses
-    BIT-1178. (Bernhard Amann)
+    BIT-1178. (Johanna Amann)
 
         - Fixes TLS protocol version detection. It also should
           bail-out correctly on non-tls-connections now
@@ -2220,9 +2228,9 @@
 
 2.2-335 | 2014-04-10 15:04:57 -0700
 
-  * Small logic fix for main SSL script. (Bernhard Amann)
+  * Small logic fix for main SSL script. (Johanna Amann)
 
-  * Update DPD signatures for detecting TLS 1.2. (Bernhard Amann)
+  * Update DPD signatures for detecting TLS 1.2. (Johanna Amann)
 
   * Remove unused data member of SMTP_Analyzer to silence a Coverity
     warning. (Jon Siwek)
@@ -2251,7 +2259,7 @@
 2.2-315 | 2014-04-01 16:50:01 -0700
 
   * Change logging's "#types" description of sets to "set". Addresses
-    BIT-1163 (Bernhard Amann)
+    BIT-1163 (Johanna Amann)
 
 2.2-313 | 2014-04-01 16:40:19 -0700
 
@@ -2266,7 +2274,7 @@
     (Jon Siwek)
 
   * Fix potential memory leak in x509 parser reported by Coverity.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-304 | 2014-03-30 23:05:54 +0200
 
@@ -2337,7 +2345,7 @@
     from the certificates (e.g. elliptic curve information, subject
     alternative names, basic constraints). Certificate validation also
     was improved, should be easier to use and exposes information like
-    the full verified certificate chain. (Bernhard Amann)
+    the full verified certificate chain. (Johanna Amann)
 
     This update changes the format of ssl.log and adds a new x509.log
     with certificate information. Furthermore all x509 events and
@@ -2375,7 +2383,7 @@
 2.2-256 | 2014-03-30 19:57:28 +0200
 
   * For the summary statistics framewirk, change all &create_expire
-    attributes to &read_expire in the cluster part. (Bernhard Amann)
+    attributes to &read_expire in the cluster part. (Johanna Amann)
 
 2.2-254 | 2014-03-30 19:55:22 +0200
 
@@ -2399,7 +2407,7 @@
 2.2-244 | 2014-03-17 08:24:17 -0700
 
   * Fix compile errror on FreeBSD caused by wrong include file order.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-240 | 2014-03-14 10:23:54 -0700
 
@@ -2495,7 +2503,7 @@
 
   * Improve SSL logging so that connections are logged even when the
     ssl_established event is not generated as well as other small SSL
-    fixes. (Bernhard Amann)
+    fixes. (Johanna Amann)
 
 2.2-206 | 2014-03-03 16:52:28 -0800
 
@@ -2512,7 +2520,7 @@
   * Allow iterating over bif functions with result type vector of any.
     This changes the internal type that is used to signal that a
     vector is unspecified from any to void. Addresses BIT-1144
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-197 | 2014-02-28 15:36:58 -0800
 
@@ -2520,37 +2528,37 @@
 
 2.2-194 | 2014-02-28 14:50:53 -0800
 
-  * Remove packet sorter. Addresses BIT-700. (Bernhard Amann)
+  * Remove packet sorter. Addresses BIT-700. (Johanna Amann)
 
 2.2-192 | 2014-02-28 09:46:43 -0800
 
-  * Update Mozilla root bundle. (Bernhard Amann)
+  * Update Mozilla root bundle. (Johanna Amann)
 
 2.2-190 | 2014-02-27 07:34:44 -0800
 
-  * Adjust timings of a few leak tests. (Bernhard Amann)
+  * Adjust timings of a few leak tests. (Johanna Amann)
 
 2.2-187 | 2014-02-25 07:24:42 -0800
 
-  * More Google TLS extensions that are being actively used. (Bernhard
+  * More Google TLS extensions that are being actively used. Johanna(
     Amann)
 
   * Remove unused, and potentially unsafe, function
-    ListVal::IncludedInString. (Bernhard Amann)
+    ListVal::IncludedInString. (Johanna Amann)
 
 2.2-184 | 2014-02-24 07:28:18 -0800
 
   * New TLS constants from
     https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-180 | 2014-02-20 17:29:14 -0800
 
   * New SSL alert descriptions from
     https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04.
-    (Bernhard Amann)
+    (Johanna Amann)
 
-  * Update SQLite. (Bernhard Amann)
+  * Update SQLite. (Johanna Amann)
 
 2.2-177 | 2014-02-20 17:27:46 -0800
 
@@ -2581,7 +2589,7 @@
     'modbus_read_fifo_queue_response' event handler. (Jon Siwek)
 
   * Add channel_id TLS extension number. This number is not IANA
-    defined, but we see it being actively used. (Bernhard Amann)
+    defined, but we see it being actively used. (Johanna Amann)
 
   * Test baseline updates for DNS change. (Robin Sommer)
 
@@ -2623,7 +2631,7 @@
 
 2.2-147 | 2014-02-07 08:06:53 -0800
 
-  * Fix x509-extension test sometimes failing. (Bernhard Amann)
+  * Fix x509-extension test sometimes failing. (Johanna Amann)
 
 2.2-144 | 2014-02-06 20:31:18 -0800
 
@@ -2659,7 +2667,7 @@
 
 2.2-128 | 2014-01-30 15:58:47 -0800
 
-  * Add leak test for Exec module. (Bernhard Amann)
+  * Add leak test for Exec module. (Johanna Amann)
 
   * Fix file_over_new_connection event to trigger when entire file is
     missed. (Jon Siwek)
@@ -2677,7 +2685,7 @@
 2.2-120 | 2014-01-28 10:25:23 -0800
 
   * Fix and extend x509_extension() event, which now actually returns
-    the extension. (Bernhard Amann)
+    the extension. (Johanna Amann)
 
     New event signauture:
 
@@ -2792,7 +2800,7 @@
 
   * Several improvements to input framework error handling for more
     robustness and more helpful error messages. Includes tests for
-    many cases. (Bernhard Amann)
+    many cases. (Johanna Amann)
 
 2.2-66 | 2013-12-09 13:54:16 -0800
 
@@ -2818,7 +2826,7 @@
   * Fix memory leak in input framework. If the input framework was
     used to read event streams and those streams contained records
     with more than one field, not all elements of the threading Values
-    were cleaned up. Addresses BIT-1103. (Bernhard Amann)
+    were cleaned up. Addresses BIT-1103. (Johanna Amann)
 
   * Minor Broxygen improvements. Addresses BIT-1098. (Jon Siwek)
 
@@ -2862,7 +2870,7 @@
 2.2-40 | 2013-12-04 12:16:38 -0800
 
   * ssl_client_hello() now receives a vector of ciphers, instead of a
-    set, to preserve their order. (Bernhard Amann)
+    set, to preserve their order. (Johanna Amann)
 
 2.2-38 | 2013-12-04 12:10:54 -0800
 
@@ -2999,13 +3007,13 @@
 2.2-beta-157 | 2013-10-25 11:11:17 -0700
 
   * Extend the documentation of the SQLite reader/writer framework.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Fix inclusion of wrong example file in scripting tutorial.
-    Reported by Michael Auger @LM4K. (Bernhard Amann)
+    Reported by Michael Auger @LM4K. (Johanna Amann)
 
   * Alternative fix for the thrading deadlock issue to avoid potential
-    performance impact. (Bernhard Amann)
+    performance impact. (Johanna Amann)
 
 2.2-beta-152 | 2013-10-24 18:16:49 -0700
 
@@ -3018,7 +3026,7 @@
 2.2-beta-150 | 2013-10-24 16:32:14 -0700
 
   * Change temporary ASCII reader workaround for getline() on
-    Mavericks to permanent fix. (Bernhard Amann)
+    Mavericks to permanent fix. (Johanna Amann)
 
 2.2-beta-148 | 2013-10-24 14:34:35 -0700
 
@@ -3032,7 +3040,7 @@
   * Intel framework notes added to NEWS. (Seth Hall)
 
   * Temporary OSX Mavericks libc++ issue workaround for getline()
-    problem in ASCII reader. (Bernhard Amann)
+    problem in ASCII reader. (Johanna Amann)
 
   * Change test of identify_data BIF to ignore charset as it may vary
     with libmagic version. (Jon Siwek)
@@ -3075,16 +3083,16 @@
 
 2.2-beta-80 | 2013-10-18 13:18:05 -0700
 
-  * SQLite reader/writer documentation. (Bernhard Amann)
+  * SQLite reader/writer documentation. (Johanna Amann)
 
   * Check that the SQLite reader is only used in MANUAL reading mode.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Rename the SQLite writer "dbname" configuration option to
-    "tablename". (Bernhard Amann)
+    "tablename". (Johanna Amann)
 
   * Remove the "dbname" configuration option from the SQLite reader as
-    it wasn't used there. (Bernhard Amann)
+    it wasn't used there. (Johanna Amann)
 
 2.2-beta-73 | 2013-10-14 14:28:25 -0700
 
@@ -3116,9 +3124,9 @@
 
 2.2-beta-55 | 2013-10-10 13:36:38 -0700
 
-  * A couple of new TLS extension numbers. (Bernhard Amann)
+  * A couple of new TLS extension numbers. (Johanna Amann)
 
-  * Suport for three more new TLS ciphers. (Bernhard Amann)
+  * Suport for three more new TLS ciphers. (Johanna Amann)
 
   * Removing ICSI notary from default site config. (Robin Sommer)
 
@@ -3163,7 +3171,7 @@
 
 2.2-beta-18 | 2013-10-02 10:28:17 -0700
 
-  * Add support for further TLS cipher suites. (Bernhard Amann)
+  * Add support for further TLS cipher suites. (Johanna Amann)
 
 2.2-beta-13 | 2013-10-01 11:31:55 -0700
 
@@ -3213,7 +3221,7 @@
 
   * Add links to Intelligence Framework documentation. (Daniel Thayer)
 
-  * Update Mozilla root CA list. (Bernhard Amann, Jon Siwek)
+  * Update Mozilla root CA list. (Johanna Amann, Jon Siwek)
 
   * Update documentation of required packages. (Daniel Thayer)
 
@@ -3224,10 +3232,10 @@
 
 2.1-1357 | 2013-09-18 14:58:52 -0700
 
-  * Update HLL API and its documentation. (Bernhard Amann)
+  * Update HLL API and its documentation. (Johanna Amann)
 
   * Fix case in HLL where hll_error_margin could be undefined.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-1352 | 2013-09-18 14:42:28 -0700
 
@@ -3288,7 +3296,7 @@
 
 
   * Support for probabilistic set cardinality, using the HyperLogLog
-    algorithm. (Bernhard Amann, Soumya Basu)
+    algorithm. (Johanna Amann, Soumya Basu)
 
     Bro now provides the following BiFs:
 
@@ -3327,7 +3335,7 @@
 2.1-1137 | 2013-08-27 13:26:44 -0700
 
   * Add BiF hexstr_to_bytestring() that does exactly the opposite of
-    bytestring_to_hexstr(). (Bernhard Amann)
+    bytestring_to_hexstr(). (Johanna Amann)
 
 2.1-1135 | 2013-08-27 12:16:26 -0700
 
@@ -3399,7 +3407,7 @@
 
 2.1-1078 | 2013-08-19 09:29:30 -0700
 
-  * Moving sqlite code into new external 3rdparty submodule. (Bernhard
+  * Moving sqlite code into new external 3rdparty submodule. Johanna(
     Amann)
 
 2.1-1074 | 2013-08-14 10:29:54 -0700
@@ -3499,12 +3507,12 @@
 
 2.1-1007 | 2013-08-01 15:41:54 -0700
 
-  * More function documentation. (Bernhard Amann)
+  * More function documentation. (Johanna Amann)
 
 2.1-1004 | 2013-08-01 14:37:43 -0700
 
   * Adding a probabilistic data structure for computing "top k"
-    elements. (Bernhard Amann)
+    elements. (Johanna Amann)
 
     The corresponding functions are:
 
@@ -3538,7 +3546,7 @@
 2.1-948 | 2013-07-31 20:08:28 -0700
 
   * Fix segfault caused by merging an empty bloom-filter with a
-    bloom-filter already containing values. (Bernhard Amann)
+    bloom-filter already containing values. (Johanna Amann)
 
 2.1-945 | 2013-07-30 10:05:10 -0700
 
@@ -3678,12 +3686,12 @@
 2.1-814 | 2013-07-15 18:18:20 -0700
 
   * Fixing raw reader crash when accessing nonexistant file, and
-    memory leak when reading from file. Addresses #1038. (Bernhard
+    memory leak when reading from file. Addresses #1038. (Johanna
     Amann)
 
 2.1-811 | 2013-07-14 08:01:54 -0700
 
-  * Bump sqlite to 3.7.17. (Bernhard Amann)
+  * Bump sqlite to 3.7.17. (Johanna Amann)
 
   * Small test fixes. (Seth Hall)
 
@@ -3733,7 +3741,7 @@
 2.1-780 | 2013-07-03 16:46:26 -0700
 
   * Rewrite of the RAW input reader for improved robustness and new
-    features. (Bernhard Amann) This includes:
+    features. (Johanna Amann) This includes:
 
         - Send "end_of_data" event for all kind of streams.
         - Send "process_finished" event with exit code of child
@@ -3862,12 +3870,12 @@
 
 2.1-656 | 2013-05-17 15:58:07 -0700
 
-  * Fix mutex lock problem for writers. (Bernhard Amann)
+  * Fix mutex lock problem for writers. (Johanna Amann)
 
 2.1-654 | 2013-05-17 13:49:52 -0700
 
   * Tweaks to sqlite3 configuration to address threading issues.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-651 | 2013-05-17 13:37:16 -0700
 
@@ -3893,7 +3901,7 @@
 
 2.1-640 | 2013-05-15 17:24:09 -0700
 
-  * Support for cleaning up threads that have terminated. (Bernhard
+  * Support for cleaning up threads that have terminated. (Johanna
     Amann and Robin Sommer). Includes:
 
       - Both logging and input frameworks now clean up threads once
@@ -3910,14 +3918,14 @@
 2.1-626 | 2013-05-15 16:09:31 -0700
 
   * Add "reservoir" sampler for SumStats framework. This maintains
-    a set of N uniquely distributed random samples. (Bernhard Amann)
+    a set of N uniquely distributed random samples. (Johanna Amann)
 
 2.1-619 | 2013-05-15 16:01:42 -0700
 
   * SQLite reader and writer combo. This allows to read/write
     persistent data from on disk SQLite databases. The current
     interface is quite low-level, we'll add higher-level abstractions
-    in the future. (Bernhard Amann)
+    in the future. (Johanna Amann)
 
 2.1-576 | 2013-05-15 14:29:09 -0700
 
@@ -3938,7 +3946,7 @@
 2.1-500 | 2013-05-10 19:22:24 -0700
 
   * Fix to prevent merge-hook of SumStat's unique plugin from damaging
-    source data. (Bernhard Amann)
+    source data. (Johanna Amann)
 
 2.1-498 | 2013-05-03 17:44:08 -0700
 
@@ -3954,7 +3962,7 @@
 2.1-492 | 2013-05-02 12:46:26 -0700
 
   * Work-around for sumstats framework not propagating updates after
-    intermediate check in cluster environments. (Bernhard Amann)
+    intermediate check in cluster environments. (Johanna Amann)
 
   * Always apply tcp_connection_attempt. Before this change it was
     only applied when a connection_attempt() event handler was
@@ -4009,7 +4017,7 @@
 2.1-380 | 2013-03-18 12:18:10 -0700
 
   * Fix gcc compile warnings in base64 encoder and benchmark reader.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-377 | 2013-03-17 17:36:09 -0700
 
@@ -4018,10 +4026,10 @@
 2.1-375 | 2013-03-17 13:14:26 -0700
 
   * Add base64 encoding functionality, including new BiFs
-	encode_base64() and encode_base64_custom(). (Bernhard Amann)
+	encode_base64() and encode_base64_custom(). (Johanna Amann)
 
   * Replace call to external "openssl" in extract-certs-pem.bro with
-	that encode_base64(). (Bernhard Amann)
+	that encode_base64(). (Johanna Amann)
 
   * Adding a test for extract-certs-pem.pem. (Robin Sommer)
 
@@ -4055,7 +4063,7 @@
 
 2.1-357 | 2013-03-08 09:18:35 -0800
 
-  * Fix race-condition in table-event test. (Bernhard Amann)
+  * Fix race-condition in table-event test. (Johanna Amann)
 
   * s/bro-ids.org/bro.org/g. (Robin Sommer)
 
@@ -4072,9 +4080,9 @@
 
 2.1-347 | 2013-03-06 16:48:44 -0800
 
-  * Remove unused parameter from vector assignment method. (Bernhard Amann)
+  * Remove unused parameter from vector assignment method. (Johanna Amann)
 
-  * Remove the byte_len() and length() bifs. (Bernhard Amann)
+  * Remove the byte_len() and length() bifs. (Johanna Amann)
 
 2.1-342 | 2013-03-06 15:42:52 -0800
 
@@ -4126,7 +4134,7 @@
 
 2.1-319 | 2013-02-04 09:45:34 -0800
 
-  * Update input tests to use exit_only_after_terminate. (Bernhard
+  * Update input tests to use exit_only_after_terminate. (Johanna
     Amann)
 
   * New option exit_only_after_terminate to prevent Bro from exiting.
@@ -4158,7 +4166,7 @@
 2.1-302 | 2013-01-23 16:17:29 -0800
 
   * Refactoring ASCII formatting/parsing from loggers/readers into a
-    separate AsciiFormatter class. (Bernhard Amann)
+    separate AsciiFormatter class. (Johanna Amann)
 
   * Fix uninitialized locals in event/hook handlers from having a
     value. Addresses #932. (Jon Siwek)
@@ -4189,7 +4197,7 @@
   * Removing unused class member. (Robin Sommer)
 
   * Add opaque type-ignoring for the accept_unsupported_types input
-    framework option. (Bernhard Amann)
+    framework option. (Johanna Amann)
 
 2.1-271 | 2013-01-08 10:18:57 -0800
 
@@ -4270,7 +4278,7 @@
 2.1-229 | 2012-12-14 14:46:12 -0800
 
   * Fix memory leak in ASCII reader when encoutering errors in input.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Improvements for the "bad checksums" detector to make it detect
     bad TCP checksums. (Seth Hall)
@@ -4341,7 +4349,7 @@
     yet. Addresses #66. (Jon Siwek)
 
   * Fix segfault: Delete correct entry in error case in input
-    framework. (Bernhard Amann)
+    framework. (Johanna Amann)
 
   * Bad record constructor initializers now give an error. Addresses
     #34. (Jon Siwek)
@@ -4599,7 +4607,7 @@
   * Rename the Input Framework's update_finished event to end_of_data.
     It will now not only fire after table-reads have been completed,
     but also after the last event of a whole-file-read (or
-    whole-db-read, etc.). (Bernhard Amann)
+    whole-db-read, etc.). (Johanna Amann)
 
   * Fix for DNS log problem when a DNS response is seen with 0 RRs.
     (Seth Hall)
@@ -4614,7 +4622,7 @@
 2.1-61 | 2012-10-12 09:32:48 -0700
 
   * Fix bug in the input framework: the config table did not work.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-58 | 2012-10-08 10:10:09 -0700
 
@@ -4649,7 +4657,7 @@
 
   * Fix for the input framework: BroStrings were constructed without a
     final \0, which makes them unusable by basically all internal
-    functions (like to_count). (Bernhard Amann)
+    functions (like to_count). (Johanna Amann)
 
   * Remove deprecated script functionality (see NEWS for details).
     (Daniel Thayer)
@@ -4701,7 +4709,7 @@
   * Small change to non-blocking DNS initialization. (Jon Siwek)
 
   * Reorder a few statements in scan.l to make 1.5msecs etc work.
-    Adresses #872. (Bernhard Amann)
+    Adresses #872. (Johanna Amann)
 
 2.1-6 | 2012-09-06 23:23:14 -0700
 
@@ -4730,11 +4738,11 @@
   * Fix uninitialized value for 'is_partial' in TCP analyzer. (Jon
     Siwek)
 
-  * Parse 64-bit consts in Bro scripts correctly. (Bernhard Amann)
+  * Parse 64-bit consts in Bro scripts correctly. (Johanna Amann)
 
-  * Output 64-bit counts correctly on 32-bit machines (Bernhard Amann)
+  * Output 64-bit counts correctly on 32-bit machines (Johanna Amann)
 
-  * Input framework fixes, including:  (Bernhard Amann)
+  * Input framework fixes, including:  (Johanna Amann)
 
     - One of the change events got the wrong parameters.
 
@@ -4775,7 +4783,7 @@
 2.1-beta-45 | 2012-08-22 16:11:10 -0700
 
   * Add an option to the input framework that allows the user to chose
-    to not die upon encountering files/functions. (Bernhard Amann)
+    to not die upon encountering files/functions. (Johanna Amann)
 
 2.1-beta-41 | 2012-08-22 16:05:21 -0700
 
@@ -4794,7 +4802,7 @@
 2.1-beta-35 | 2012-08-22 08:44:52 -0700
 
   * Add testcase for input framework reading sets (rather than
-    tables). (Bernhard Amann)
+    tables). (Johanna Amann)
 
 2.1-beta-31 | 2012-08-21 15:46:05 -0700
 
@@ -4853,9 +4861,9 @@
 
 2.1-beta-6 | 2012-08-10 12:22:52 -0700
 
-  * Fix bug in input framework with an edge case. (Bernhard Amann)
+  * Fix bug in input framework with an edge case. (Johanna Amann)
 
-  * Fix small bug in input framework test script. (Bernhard Amann)
+  * Fix small bug in input framework test script. (Johanna Amann)
 
 2.1-beta-3 | 2012-08-03 10:46:49 -0700
 
@@ -4904,13 +4912,13 @@
     writers that don't have a postprocessor. (Seth Hall)
 
   * Update input framework documentation to reflect want_record
-    change. (Bernhard Amann)
+    change. (Johanna Amann)
 
   * Fix crash when encountering an InterpreterException in a predicate
-    in logging or input Framework. (Bernhard Amann)
+    in logging or input Framework. (Johanna Amann)
 
   * Input framework: Make want_record=T the default for events
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Changing the start/end markers in logs to open/close now
     reflecting wall clock. (Robin Sommer)
@@ -4932,10 +4940,10 @@
 
   * Add comprehensive error handling for close() calls. (Jon Siwek)
 
-  * Add more test cases for input framework. (Bernhard Amann)
+  * Add more test cases for input framework. (Johanna Amann)
 
   * Input framework: make error output for non-matching event types
-    much more verbose. (Bernhard Amann)
+    much more verbose. (Johanna Amann)
 
 2.0-877 | 2012-07-25 17:20:34 -0700
 
@@ -4975,12 +4983,12 @@
   * Fix initialization problem in logging class. (Jon Siwek)
 
   * Input framework now accepts escaped ASCII values as input (\x##),
-    and unescapes appropiately. (Bernhard Amann)
+    and unescapes appropiately. (Johanna Amann)
 
   * Make reading ASCII logfiles work when the input separator is
-    different from \t. (Bernhard Amann)
+    different from \t. (Johanna Amann)
 
-  * A number of smaller fixes for input framework. (Bernhard Amann)
+  * A number of smaller fixes for input framework. (Johanna Amann)
 
 2.0-851 | 2012-07-24 15:04:14 -0700
 
@@ -5000,7 +5008,7 @@
   * Reworking parts of the internal threading/logging/input APIs for
     thread-safety. (Robin Sommer)
 
-  * Bugfix for SSL version check. (Bernhard Amann)
+  * Bugfix for SSL version check. (Johanna Amann)
 
   * Changing a HTTP DPD from port 3138 to 3128. Addresses #857. (Robin
     Sommer)
@@ -5020,7 +5028,7 @@
     #763. (Robin Sommer)
 
   * Fix bug, where in dns.log rcode always was set to 0/NOERROR when
-    no reply package was seen. (Bernhard Amann)
+    no reply package was seen. (Johanna Amann)
 
   * Updating to Mozilla's current certificate bundle. (Seth Hall)
 
@@ -5036,7 +5044,7 @@
   * Remove baselines for some leak-detecting unit tests. (Jon Siwek)
 
   * Unblock SIGFPE, SIGILL, SIGSEGV and SIGBUS for threads, so that
-    they now propagate to the main thread. Adresses #848. (Bernhard
+    they now propagate to the main thread. Adresses #848. (Johanna
     Amann)
 
 2.0-761 | 2012-07-12 08:14:38 -0700
@@ -5044,7 +5052,7 @@
   * Some small fixes to further reduce SOCKS false positive logs. (Seth Hall)
 
   * Calls to pthread_mutex_unlock now log the reason for failures.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.0-757 | 2012-07-11 08:30:19 -0700
 
@@ -5075,11 +5083,11 @@
 
 2.0-733 | 2012-07-02 15:31:24 -0700
 
-  * Extending the input reader DoInit() API. (Bernhard Amann). It now
+  * Extending the input reader DoInit() API. (Johanna Amann). It now
     provides a Info struct similar to what we introduced for log
     writers, including a corresponding "config" key/value table.
 
-  * Fix to make writer-info work when debugging is enabled. (Bernhard
+  * Fix to make writer-info work when debugging is enabled. (Johanna
     Amann)
 
 2.0-726 | 2012-07-02 15:19:15 -0700
@@ -5118,7 +5126,7 @@
 
   * Set input frontend type before starting the thread. This means
     that the thread type will be output correctly in the error
-    message. (Bernhard Amann)
+    message. (Johanna Amann)
 
 2.0-719 | 2012-07-02 14:49:03 -0700
 
@@ -5207,7 +5215,7 @@
 
 2.0-622 | 2012-06-15 15:38:43 -0700
 
-  * Input framework updates. (Bernhard Amann)
+  * Input framework updates. (Johanna Amann)
 
     - Disable streaming reads from executed commands. This lead to
       hanging Bros because pclose apparently can wait for eternity if
@@ -5286,7 +5294,7 @@
 
   * A new input framework enables scripts to read in external data
     dynamically on the fly as Bro is processing network traffic.
-    (Bernhard Amann)
+    (Johanna Amann)
 
     Currently, the framework supports reading ASCII input that's
     structured similar as Bro's log files as well as raw blobs of
@@ -5453,7 +5461,7 @@
 2.0-315 | 2012-05-03 11:44:17 -0700
 
   * Add two more TLS extension values that we see in live traffic.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Fixed IPv6 link local unicast CIDR and added IPv6 loopback to
     private address space. (Seth Hall)
@@ -5841,7 +5849,7 @@
 
 2.0-41 | 2012-02-03 04:10:53 -0500
 
-  * Updates to the Software framework to simplify the API. (Bernhard
+  * Updates to the Software framework to simplify the API. (Johanna
     Amann)
 
 2.0-40 | 2012-02-03 01:55:27 -0800
@@ -5984,7 +5992,7 @@
 
 2.0-beta-152 | 2012-01-03 14:51:34 -0800
 
-  * Notices now record the transport-layer protocol. (Bernhard Amann)
+  * Notices now record the transport-layer protocol. (Johanna Amann)
 
 2.0-beta-150 | 2012-01-03 14:42:45 -0800
 
@@ -6011,7 +6019,7 @@
     assignments. Addresses #722. (Jon Siwek)
 
   * Make log headers include the type of data stored inside a set or
-    vector ("vector[string]"). (Bernhard Amann)
+    vector ("vector[string]"). (Johanna Amann)
 
 2.0-beta-126 | 2011-12-18 15:18:05 -0800
 
@@ -6148,11 +6156,11 @@
   * Fix order of include directories. (Jon Siwek)
 
   * Catch if logged vectors do not contain only atomic types.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.0-beta-47 | 2011-11-16 08:24:33 -0800
 
-  * Catch if logged sets do not contain only atomic types. (Bernhard
+  * Catch if logged sets do not contain only atomic types. (Johanna
     Amann)
 
   * Promote libz and libmagic to required dependencies. (Jon Siwek)

NEWS

@@ -51,6 +51,9 @@ New Functionality
 Changed Functionality
 ---------------------
 
+- ``SSH::skip_processing_after_detection`` was removed. The functionality was
+  replaced by ``SSH::disable_analyzer_after_detection``.
+
 - Some script-level identifier have changed their names:
 
       snaplen                  -> Pcap::snaplen

VERSION

@@ -1 +1 @@
-2.4-299
+2.4-307

scripts/base/protocols/ssh/main.bro

@@ -46,11 +46,10 @@ export {
 	## authentication success or failure when compression is enabled.
 	const compression_algorithms = set("zlib", "zlib@openssh.com") &redef;
 
-	## If true, we tell the event engine to not look at further data
-	## packets after the initial SSH handshake. Helps with performance
-	## (especially with large file transfers) but precludes some
-	## kinds of analyses. Defaults to T.
-	const skip_processing_after_detection = T &redef;
+	## If true, after detection detach the SSH analyzer from the connection
+	## to prevent continuing to process encrypted traffic. Helps with performance
+	## (especially with large file transfers).
+	const disable_analyzer_after_detection = T &redef;
 
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.
@@ -70,6 +69,8 @@ redef record Info += {
 	# Store capabilities from the first host for
 	# comparison with the second (internal use)
 	capabilities: Capabilities &optional;
+	## Analzyer ID
+	analyzer_id: count         &optional;
 };
 
 redef record connection += {
@@ -130,11 +131,8 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 
 	c$ssh$auth_success = T;
 
-	if ( skip_processing_after_detection)
-		{
-		skip_further_processing(c$id);
-		set_record_packets(c$id, F);
-		}
+	if ( disable_analyzer_after_detection )
+		disable_analyzer(c$id, c$ssh$analyzer_id);
 	}
 
 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
@@ -233,3 +231,12 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
 	{
 	generate_fingerprint(c, key);
 	}
+
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+	{
+		if ( atype == Analyzer::ANALYZER_SSH )
+		{
+		set_session(c);
+		c$ssh$analyzer_id = aid;
+		}
+	}

src/analyzer/protocol/http/HTTP.cc

@@ -1209,7 +1209,15 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 	const char* end_of_method = get_HTTP_token(line, end_of_line);
 
 	if ( end_of_method == line )
+		{
+		// something went wrong with get_HTTP_token
+		// perform a weak test to see if the string "HTTP/"
+		// is found at the end of the RequestLine
+		if ( end_of_line - 9 >= line && strncasecmp(end_of_line - 9, " HTTP/", 6) == 0 )
+			goto bad_http_request_with_version;
+
 		goto error;
+	}
 
 	rest = skip_whitespace(end_of_method, end_of_line);
 
@@ -1230,6 +1238,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 
 	return 1;
 
+bad_http_request_with_version:
+	reporter->Weird(Conn(), "bad_HTTP_request_with_version");
+	return 0;
+
 error:
 	reporter->Weird(Conn(), "bad_HTTP_request");
 	return 0;

testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2016-02-05-13-13-06
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1452204358.910557	CXWv6p3arKYeMETxOg	192.168.122.130	49157	202.7.177.41	80	1	-	-	-	-	1.1	-	0	14	200	OK	-	-	-	(empty)	-	-	-	-	-	FGec0Miu9FfcsYUT4	text/plain
+#close	2016-02-05-13-13-06

testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2016-03-07-21-06-28
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1452204358.172926	CXWv6p3arKYeMETxOg	192.168.122.130	49157	202.7.177.41	80	bad_HTTP_request_with_version	-	F	bro
+#close	2016-03-07-21-06-28

testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-01-15-20-54-31
+#open	2016-03-07-21-06-12
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1354328874.237327	CjhGID4nQcgTWjvg4c	128.2.6.136	46563	173.194.75.103	80	missing_HTTP_uri	-	F	bro
@@ -13,9 +13,9 @@
 1354328882.949510	C7XEbhP654jzLoe3a	128.2.6.136	46570	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328887.094494	CMXxB5GvmoxJFXdTa	128.2.6.136	46572	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328891.141058	Caby8b1slFea8xwSmb	128.2.6.136	46573	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.183942	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.183942	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request_with_version	-	F	bro
 1354328891.226199	C3SfNE4BWaU4aSuwkc	128.2.6.136	46575	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.267625	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.267625	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request_with_version	-	F	bro
 1354328891.309065	CwSkQu4eWZCH7OONC1	128.2.6.136	46577	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
 1354328895.355012	CfTOmO0HKorjr8Zp7	128.2.6.136	46578	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
 1354328895.396634	CzA03V1VcgagLjnO92	128.2.6.136	46579	173.194.75.103	80	bad_HTTP_request	-	F	bro
@@ -33,4 +33,4 @@
 1354328924.518204	CuChlg202P8sUFuXrg	128.2.6.136	46605	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328932.734579	CY93mM3aViMiLKuSw3	128.2.6.136	46609	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328932.776609	CXgISq6dA2DVPzqp9	128.2.6.136	46610	173.194.75.103	80	bad_HTTP_request	-	F	bro
-#close	2016-01-15-20-54-32
+#close	2016-03-07-21-06-12

testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log

@@ -0,0 +1,34 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2016-03-07-21-31-43
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1324071333.493287	CXWv6p3arKYeMETxOg	192.168.1.79	51880	131.159.21.1	22	tcp	ssh	6.159326	2669	2501	SF	-	-	0	ShAdDaFf	25	3981	20	3549	(empty)
+1409516196.337184	CjhGID4nQcgTWjvg4c	10.0.0.18	40184	128.2.6.88	41644	tcp	ssh	0.392307	3205	2129	S1	-	-	0	ShADad	12	3837	12	2761	(empty)
+1419870206.101883	CsRx2w45OKnoww6xl4	192.168.2.1	57191	192.168.2.158	22	tcp	ssh	3.862198	576	813	SF	-	-	0	ShAdDaFf	23	1784	16	1653	(empty)
+1419870189.485611	CCvvfg3TEfuqmmG4bh	192.168.2.1	57189	192.168.2.158	22	tcp	ssh	5.267866	4601	2805	S1	-	-	0	ShADad	22	5757	18	3749	(empty)
+1419996264.318569	CRJuHdVW0XPVINV8a	192.168.2.1	55179	192.168.2.158	2200	tcp	ssh	1.124642	1909	1161	S1	-	-	0	ShADad	16	2753	12	1793	(empty)
+1420588548.721272	CPbrpk1qSsw6ESzHV4	192.168.2.1	56594	192.168.2.158	22	tcp	ssh	8.841749	480	537	SF	-	-	0	ShAdDaFf	17	1376	14	1273	(empty)
+1420590124.879760	C6pKV8GSxOnSLghOa	192.168.2.1	56821	192.168.2.158	22	tcp	ssh	1.106250	820	1125	SF	-	-	0	ShAdDaFf	26	2184	20	2173	(empty)
+1420590308.775525	CIPOse170MGiRM1Qf4	192.168.2.1	56837	192.168.2.158	22	tcp	ssh	1.080767	692	997	SF	-	-	0	ShAdDaFf	25	2004	19	1993	(empty)
+1420590322.673363	C7XEbhP654jzLoe3a	192.168.2.1	56845	192.168.2.158	22	tcp	ssh	1.302395	660	965	SF	-	-	0	ShAdDaFf	26	2024	20	2013	(empty)
+1420590636.473213	CJ3xTn1c4Zw9TmAE05	192.168.2.1	56875	192.168.2.158	22	tcp	ssh	12.013506	588	549	SF	-	-	0	ShAdDaFf	19	1588	16	1389	(empty)
+1420590659.422161	CMXxB5GvmoxJFXdTa	192.168.2.1	56878	192.168.2.158	22	tcp	ssh	3.628964	684	825	SF	-	-	0	ShAdDaFf	25	1996	19	1821	(empty)
+1420591379.650462	Caby8b1slFea8xwSmb	192.168.2.1	56940	192.168.2.158	22	tcp	ssh	0.104978	500	609	SF	-	-	0	ShAdDaFf	14	1240	10	1137	(empty)
+1420599430.822385	Che1bq3i2rO3KD1Syg	192.168.2.1	57831	192.168.2.158	22	tcp	ssh	2.758790	576	813	SF	-	-	0	ShAdDaFf	23	1784	18	1757	(empty)
+1420851448.309629	C3SfNE4BWaU4aSuwkc	192.168.2.1	59246	192.168.2.158	22	tcp	ssh	2.046715	2421	3505	S1	-	-	0	ShADad	18	3369	13	4189	(empty)
+1420860616.400297	CwSkQu4eWZCH7OONC1	192.168.1.32	33910	128.2.13.133	22	tcp	ssh	0.660753	3383	2645	S1	-	-	0	ShADad	18	4327	16	3485	(empty)
+1420860283.029061	CEle3f3zno26fFZkrh	192.168.1.32	41164	128.2.10.238	22	tcp	ssh	7.498828	5479	2327	S1	-	-	0	ShADad	21	6579	18	3271	(empty)
+1420868281.639103	CfTOmO0HKorjr8Zp7	192.168.1.32	41268	128.2.10.238	22	tcp	ssh	2.710778	5613	2487	SF	-	-	0	ShADadFf	24	6869	20	3535	(empty)
+1420917487.213378	CzA03V1VcgagLjnO92	192.168.1.31	57621	192.168.1.255	57621	udp	-	-	-	-	S0	-	-	0	D	1	72	0	0	(empty)
+1420917487.213468	CyAhVIzHqb7t7kv28	192.168.1.32	57621	192.168.1.31	57621	udp	-	-	-	-	S0	-	-	0	D	1	72	0	0	(empty)
+1420917487.220407	Cab0vO1xNYSS2hJkle	192.168.1.31	52294	192.168.1.32	22	tcp	ssh	2.807865	3169	1329	S1	-	-	0	ShADad	19	4169	13	2013	(empty)
+1421006072.431795	Cx3C534wEyF3OvvcQe	192.168.1.31	51476	192.168.1.32	8118	tcp	-	0.000539	76	0	SF	-	-	0	DaFfA	6	388	5	284	(empty)
+1421006072.001012	Cx2FqO23omNawSNrxj	192.168.1.31	51489	192.168.1.32	22	tcp	ssh	2.408961	3469	1565	S1	-	-	0	ShAdDa	25	4805	16	2421	(empty)
+1421041176.944687	CkDsfG2YIeWJmXWNWj	192.168.1.32	58641	131.103.20.168	22	tcp	ssh	0.587601	2885	2309	SF	-	-	0	ShADdaFf	16	3725	13	2993	(empty)
+1421041299.738916	CUKS0W3HFYOnBqSE5e	192.168.1.32	58646	131.103.20.168	22	tcp	ssh	0.538385	3517	3197	S1	-	-	0	ShADad	18	4461	16	4037	(empty)
+1421041526.312919	CRrfvP2lalMAYOCLhj	192.168.1.32	58649	131.103.20.168	22	tcp	ssh	0.542213	3517	3197	S1	-	-	0	ShADad	17	4409	16	4037	(empty)
+#close	2016-03-07-21-31-43

testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro

@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
+

testing/btest/scripts/base/protocols/ssh/basic.test

@@ -2,3 +2,4 @@
 
 # @TEST-EXEC: bro -r $TRACES/ssh/ssh.trace %INPUT
 # @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff conn.log