Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 07:08:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/master' into topic/seth/smb

Browse source 
# Conflicts:
#	testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
#	testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
#	testing/btest/Baseline/plugins.hooks/output
#	testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
#	testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
This commit is contained in:
Seth Hall 2016-07-30 01:58:23 -04:00
commit da7ec8064b
416 changed files with 27341 additions and 26258 deletions
Download patch file Download diff file Expand all files Collapse all files

90
CHANGES
View file

@ -1,4 +1,94 @@
2.4-723 | 2016-07-26 15:04:26 -0700
* Add error events to input framework. (Johanna Amann)
This change introduces error events for Table and Event readers.
Users can now specify an event that is called when an info,
warning, or error is emitted by their input reader. This can,
e.g., be used to raise notices in case errors occur when reading
an important input stream.
Example:
event error_event(desc: Input::TableDescription, msg: string, level: Reporter::Level)
{
...
}
event bro_init()
{
Input::add_table([$source="a", $error_ev=error_event, ...]);
}
Addresses BIT-1181.
* Calling Error() in an input reader now automatically will disable
the reader and return a failure in the Update/Heartbeat calls.
(Johanna Amann)
* Convert all errors in the ASCII formatter into warnings (to show
that they are non-fatal. (Johanna Amann)
* Enable SQLite shared cache mode. This allows all threads accessing
the same database to share sqlite objects. See
https://www.sqlite.org/sharedcache.html. Addresses BIT-1325.
(Johanna Amann)
* NetControl: Adjust default priority of ACTION_DROP hook to standad
level. (Johanna Amann)
* Fix types when constructing SYN_packet record. Fixes BIT-1650.
(Grant Moyer).
2.4-715 | 2016-07-23 07:27:05 -0700
* SQLite writer: Remove unused string formatting function. (Johanna Amann)
* Deprecated the ElasticSearch log writer. (Johanna Amann)
2.4-709 | 2016-07-15 09:05:20 -0700
* Change Bro's hashing for short inputs and Bloomfilters from H3 to
Siphash, which produces much better results for HLL in particular.
(Johanna Amann)
* Fix a long-standing bug which truncated hash values to 32-bit on
most machines. (Johanna Amann)
* Fixes to HLL. Addresses BIT-1612. (Johanna Amann)
* Add test checking the quality of HLL. (Johanna Amann)
* Remove the -K/-J options for setting keys. (Johanna Amann)
* SSL: Fix memory management problem. (Johanna Amann)
2.4-693 | 2016-07-12 11:29:17 -0700
* Change TCP analysis to process connections without the initial SYN as
non-partial connections. Addresses BIT-1492. (Robin Sommer).
2.4-691 | 2016-07-12 09:58:38 -0700
* SSL: add support for signature_algorithms extension. (Johanna
Amann)
2.4-688 | 2016-07-11 11:10:33 -0700
* Disable broker by default. To enable it, use --enable-broker.
Addresses BIT-1645. (Daniel Thayer)
2.4-686 | 2016-07-08 19:14:43 -0700
* Added flagging of retransmission to the connection history.
Addresses BIT-977. (Robin Sommer)
2.4-683 | 2016-07-08 14:55:04 -0700
* Extendign connection history field to flag with '^' when Bro flips
a connection's endpoints. Addresses BIT-1629. (Robin Sommer)
2.4-680 | 2016-07-06 09:18:21 -0700
* Remove ack_above_hole() event, which was a subset of content_gap

35
NEWS
View file

@ -13,16 +13,21 @@ New Dependencies
- Bro now requires a compiler with C++11 support for building the
source code.
- Bro now requires the C++ Actor Framework, CAF, which must be
installed first. See http://actor-framework.org.
- Bro now requires Python instead of Perl to compile the source code.
- The pcap buffer size can set through the new option Pcap::bufsize.
- When enabling Broker (which is disabled by default), Bro now requires
version 0.14 of the C++ Actor Framework.
Log Changes
-----------
- Connections
- The 'history' field gains two new flags: '^' indicates that Bro
heuristically flipped to direction of the connection. 't/T' indicates
the first TCP payload retransmission from originator or responder,
respectively.
- DNS
- New 'rtt' field to indicate the round trip time between when a
@ -62,6 +67,10 @@ New Functionality
STARTTLS sessions, handing them over to TLS analysis. The analyzer
does not yet analyze any further IMAP/XMPP content.
- The new event ssl_extension_signature_algorithm allows access to the
TLS signature_algorithms extension that lists client supported signature
and hash algorithm pairs.
- Bro now tracks VLAN IDs. To record them inside the connection log,
load protocols/conn/vlan-logging.bro.
@ -133,6 +142,11 @@ New Functionality
- redis: An experimental log writer for Redis.
- tcprs: An TCP-level analyzer detecting retransmissions, reordering, and more.
- The pcap buffer size can be set through the new option Pcap::bufsize.
- Input framework readers Table and Event can now define a custom
event to receive logging messages.
Changed Functionality
---------------------
@ -157,6 +171,12 @@ Changed Functionality
filled out in the first place) has been split into to
"orig_filenames" and "resp_filenames".
- TCP analysis was changed to process connections without the initial
SYN packet. In the past, connections without a full handshake were
treated as partial, meaning that most application-layer analyzers
would refuse to inspect the payload. Now, Bro will consider these
connections as complete and all analyzers will process them notmally.
Removed Functionality
---------------------
@ -168,6 +188,9 @@ Removed Functionality
- The event ack_above_hole() has been removed, as it was a subset
of content_gap() and led to plenty noise.
- The command line options --set-seed and --md5-hashkey have been
removed.
Deprecated Functionality
------------------------
@ -177,6 +200,10 @@ Deprecated Functionality
decode_base64() and encode_base64(), which take an optional
parameter to change the Base64 alphabet.
- The ElasticSearch log writer hasn't been maintained for a while
and is now deprecated. It will be removed with the next release.
Bro 2.4
=======

2
VERSION
View file

@ -1 +1 @@
2.4-680
2.4-723

2
aux/broctl

@ -1 +1 @@
Subproject commit 9319932eb10a902ada7e8bc08da21f9beed8ca4b
Subproject commit b7932813c6bc8a711334bdf2c4beecd7c5e351ca

2
aux/plugins

@ -1 +1 @@
Subproject commit dbacbe51ce5d07f61ccfea3256616408351b6481
Subproject commit 3aef01c600b29e936348798bc27bdfb57ddf4053

20
configure vendored
View file

@ -41,7 +41,8 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
--enable-perftools-debug use Google's perftools for debugging
--enable-jemalloc link against jemalloc
--enable-ruby build ruby bindings for broccoli (deprecated)
--disable-broker disable use of the Broker communication library
--enable-broker enable use of the Broker communication library
(requires C++ Actor Framework)
--disable-broccoli don't build or install the Broccoli library
--disable-broctl don't install Broctl
--disable-auxtools don't build or install auxiliary tools
@ -57,10 +58,10 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
--with-flex=PATH path to flex executable
--with-bison=PATH path to bison executable
--with-python=PATH path to Python executable
--with-caf=PATH path to C++ Actor Framework installation
(a required Broker dependency)
Optional Packages in Non-Standard Locations:
--with-caf=PATH path to C++ Actor Framework installation
(a required Broker dependency)
--with-geoip=PATH path to the libGeoIP install root
--with-perftools=PATH path to Google Perftools install root
--with-jemalloc=PATH path to jemalloc install root
@ -121,13 +122,12 @@ append_cache_entry BRO_ROOT_DIR PATH $prefix
append_cache_entry PY_MOD_INSTALL_DIR PATH $prefix/lib/broctl
append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $prefix/share/bro
append_cache_entry BRO_ETC_INSTALL_DIR PATH $prefix/etc
append_cache_entry BROKER_PYTHON_HOME PATH $prefix
append_cache_entry BROKER_PYTHON_BINDINGS BOOL false
append_cache_entry ENABLE_DEBUG BOOL false
append_cache_entry ENABLE_PERFTOOLS BOOL false
append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL false
append_cache_entry ENABLE_JEMALLOC BOOL false
append_cache_entry ENABLE_BROKER BOOL true
append_cache_entry ENABLE_BROKER BOOL false
append_cache_entry BinPAC_SKIP_INSTALL BOOL true
append_cache_entry BUILD_SHARED_LIBS BOOL true
append_cache_entry INSTALL_AUX_TOOLS BOOL true
@ -162,7 +162,7 @@ while [ $# -ne 0 ]; do
append_cache_entry BRO_ROOT_DIR PATH $optarg
append_cache_entry PY_MOD_INSTALL_DIR PATH $optarg/lib/broctl
if [ -z "$user_disabled_broker" ]; then
if [ -n "$user_enabled_broker" ]; then
append_cache_entry BROKER_PYTHON_HOME PATH $optarg
fi
;;
@ -199,10 +199,12 @@ while [ $# -ne 0 ]; do
--enable-jemalloc)
append_cache_entry ENABLE_JEMALLOC BOOL true
;;
--enable-broker)
append_cache_entry ENABLE_BROKER BOOL true
append_cache_entry BROKER_PYTHON_HOME PATH $prefix
user_enabled_broker="true"
;;
--disable-broker)
append_cache_entry ENABLE_BROKER BOOL false
remove_cache_entry BROKER_PYTHON_HOME
user_disabled_broker="true"
;;
--disable-broccoli)
append_cache_entry INSTALL_BROCCOLI BOOL false

1
doc/components/bro-plugins/elasticsearch-deprecated/README.rst Symbolic link
View file

@ -0,0 +1 @@
../../../../aux/plugins/elasticsearch-deprecated/README

1
doc/components/bro-plugins/elasticsearch/README.rst
View file

@ -1 +0,0 @@
../../../../aux/plugins/elasticsearch/README

8
doc/install/install.rst
View file

@ -32,7 +32,6 @@ before you begin:
* Libz
* Bash (for BroControl)
* Python (for BroControl)
* C++ Actor Framework (CAF) version 0.14 (http://actor-framework.org)
To build Bro from source, the following additional dependencies are required:
@ -47,8 +46,6 @@ To build Bro from source, the following additional dependencies are required:
* zlib headers
* Python
To install CAF, first download the source code of the required version from: https://github.com/actor-framework/actor-framework/releases
To install the required dependencies, you can use:
* RPM/RedHat-based Linux:
@ -98,12 +95,12 @@ To install the required dependencies, you can use:
component).
OS X comes with all required dependencies except for CMake_, SWIG_,
OpenSSL, and CAF. (OpenSSL used to be part of OS X versions 10.10
and OpenSSL. (OpenSSL used to be part of OS X versions 10.10
and older, for which it does not need to be installed manually. It
was removed in OS X 10.11). Distributions of these dependencies can
likely be obtained from your preferred Mac OS X package management
system (e.g. Homebrew_, MacPorts_, or Fink_). Specifically for
Homebrew, the ``cmake``, ``swig``, ``openssl`` and ``caf`` packages
Homebrew, the ``cmake``, ``swig``, and ``openssl`` packages
provide the required dependencies.
@ -113,6 +110,7 @@ Optional Dependencies
Bro can make use of some optional libraries and tools if they are found at
build time:
* C++ Actor Framework (CAF) version 0.14 (http://actor-framework.org)
* LibGeoIP (for geolocating IP addresses)
* sendmail (enables Bro and BroControl to send mail)
* curl (used by a Bro script that implements active HTTP)

6
doc/logs/index.rst
View file

@ -197,7 +197,7 @@ file:
Often times log files from multiple sources are stored in UTC time to
allow easy correlation. Converting the timestamp from a log file to
UTC can be accomplished with the ``-u`` option:
UTC can be accomplished with the ``-u`` option:
.. btest:: using_bro
@ -227,7 +227,7 @@ trip. A common progression of review includes correlating a session
across multiple log files. As a connection is processed by Bro, a
unique identifier is assigned to each session. This unique identifier
is generally included in any log file entry associated with that
connection and can be used to cross-reference different log files.
connection and can be used to cross-reference different log files.
A simple example would be to cross-reference a UID seen in a
``conn.log`` file. Here, we're looking for the connection with the
@ -244,7 +244,7 @@ crossreference that with the UIDs in the ``http.log`` file.
.. btest:: using_bro
@TEST-EXEC: btest-rst-cmd "cat http.log | bro-cut uid id.resp_h method status_code host uri | grep VW0XPVINV8a"
@TEST-EXEC: btest-rst-cmd "cat http.log | bro-cut uid id.resp_h method status_code host uri | grep UM0KZ3MLUfNB0cl11"
As you can see there are two HTTP ``GET`` requests within the
session that Bro identified and logged. Given that HTTP is a stream

22
scripts/base/frameworks/input/main.bro
View file

@ -103,6 +103,17 @@ export {
## it is skipped.
pred: function(typ: Input::Event, left: any, right: any): bool &optional;
## Error event that is raised when an information, warning or error
## is raised by the input stream. If the level is error, the stream will automatically
## be closed.
## The event receives the Input::TableDescription as the first argument, the
## message as the second argument and the Reporter::Level as the third argument.
##
## The event is raised like if it had been declared as follows:
## error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional;
## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
error_ev: any &optional;
## A key/value table that will be passed to the reader.
## Interpretation of the values is left to the reader, but
## usually they will be used for configuration purposes.
@ -146,6 +157,17 @@ export {
## all fields, or each field value as a separate argument).
ev: any;
## Error event that is raised when an information, warning or error
## is raised by the input stream. If the level is error, the stream will automatically
## be closed.
## The event receives the Input::EventDescription as the first argument, the
## message as the second argument and the Reporter::Level as the third argument.
##
## The event is raised like it had been declared as follows:
## error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional;
## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
error_ev: any &optional;
## A key/value table that will be passed to the reader.
## Interpretation of the values is left to the reader, but
## usually they will be used for configuration purposes.

10
scripts/base/frameworks/netcontrol/catch-and-release.bro
View file

@ -125,6 +125,14 @@ export {
## the inserted block.
global get_catch_release_info: function(a: addr) : BlockInfo;
## Event is raised when catch and release cases management of an IP address because no
## activity was seen within the watch_until period.
##
## a: The address that is no longer being managed.
##
## bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block.
global catch_release_forgotten: event(a: addr, bi: BlockInfo);
## If true, catch_release_seen is called on the connection originator in new_connection,
## connection_established, partial_connection, connection_attempt, connection_rejected,
## connection_reset and connection_pending
@ -198,6 +206,8 @@ function per_block_interval(t: table[addr] of BlockInfo, idx: addr): interval
{
local log = populate_log_record(idx, t[idx], FORGOTTEN);
Log::write(CATCH_RELEASE, log);
event NetControl::catch_release_forgotten(idx, t[idx]);
}
@endif

2
scripts/base/frameworks/notice/actions/drop.bro
View file

@ -19,7 +19,7 @@ export {
};
}
hook notice(n: Notice::Info)
hook notice(n: Notice::Info) &priority=-5
{
if ( ACTION_DROP in n$actions )
{

16
scripts/base/frameworks/reporter/main.bro
View file

@ -17,22 +17,14 @@ export {
## The reporter logging stream identifier.
redef enum Log::ID += { LOG };
## An indicator of reporter message severity.
type Level: enum {
## Informational, not needing specific attention.
INFO,
## Warning of a potential problem.
WARNING,
## A non-fatal error that should be addressed, but doesn't
## terminate program execution.
ERROR
};
## The record type which contains the column fields of the reporter log.
type Info: record {
## The network time at which the reporter event was generated.
ts: time &log;
## The severity of the reporter message.
## The severity of the reporter message. Levels are INFO for informational
## messages, not needing specific attention; WARNING for warning of a potential
## problem, and ERROR for a non-fatal error that should be addressed, but doesn't
## terminate program execution.
level: Level &log;
## An info/warning/error message that could have either been
## generated from the internal Bro core or at the scripting-layer.

17
scripts/base/init-bare.bro
View file

@ -3434,6 +3434,23 @@ export {
};
}
module SSL;
export {
type SignatureAndHashAlgorithm: record {
HashAlgorithm: count; ##< Hash algorithm number
SignatureAlgorithm: count; ##< Signature algorithm number
};
}
module GLOBAL;
## A vector of Signature and Hash Algorithms.
##
## .. todo:: We need this type definition only for declaring builtin functions
## via ``bifcl``. We should extend ``bifcl`` to understand composite types
## directly and then remove this alias.
type signature_and_hashalgorithm_vec: vector of SSL::SignatureAndHashAlgorithm;
module X509;
export {
type Certificate: record {

2
scripts/base/protocols/conn/main.bro
View file

@ -87,8 +87,10 @@ export {
## f packet with FIN bit set
## r packet with RST bit set
## c packet with a bad checksum
## t packet with retransmitted payload
## i inconsistent packet (e.g. FIN+RST bits set)
## q multi-flag packet (SYN+FIN or SYN+RST bits set)
## ^ connection direction was flipped by Bro's heuristic
## ====== ====================================================
##
## If the event comes from the originator, the letter is in

21
scripts/base/protocols/ssl/consts.bro
View file

@ -57,6 +57,27 @@ export {
[2] = "fatal",
} &default=function(i: count):string { return fmt("unknown-%d", i); };
## Mapping between numeric codes and human readable strings for hash
## algorithms.
const hash_algorithms: table[count] of string = {
[0] = "none",
[1] = "md5",
[2] = "sha1",
[3] = "sha224",
[4] = "sha256",
[5] = "sha384",
[6] = "sha512",
} &default=function(i: count):string { return fmt("unknown-%d", i); };
## Mapping between numeric codes and human readable strings for signature
## algorithms.
const signature_algorithms: table[count] of string = {
[0] = "anonymous",
[1] = "rsa",
[2] = "dsa",
[3] = "ecdsa",
} &default=function(i: count):string { return fmt("unknown-%d", i); };
## Mapping between numeric codes and human readable strings for alert
## descriptions.
const alert_descriptions: table[count] of string = {

2
src/3rdparty

@ -1 +1 @@
Subproject commit f1eaca0e085a8b37ec6a32c7e1b0e9571414a2e3
Subproject commit 0bbd6e8fd0e1ad6dc3002244d11c79d4bc63831d

1
src/CMakeLists.txt
View file

@ -348,6 +348,7 @@ set(bro_SRCS
PacketDumper.cc
strsep.c
modp_numtoa.c
siphash24.c
threading/BasicThread.cc
threading/Formatter.cc

2
src/Conn.cc
View file

@ -773,6 +773,8 @@ void Connection::FlipRoles()
root_analyzer->FlipRoles();
analyzer_mgr->ApplyScheduledAnalyzers(this);
AddHistory('^');
}
unsigned int Connection::MemoryAllocation() const

143
src/H3.h
View file

@ -1,143 +0,0 @@
// Copyright 2004, 2005
// The Regents of the University of California
// All Rights Reserved
//
// Permission to use, copy, modify and distribute any part of this
// h3.h file, without fee, and without a written agreement is hereby
// granted, provided that the above copyright notice, this paragraph
// and the following paragraphs appear in all copies.
//
// IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY
// PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL
// DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS
// SOFTWARE, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF
// THE POSSIBILITY OF SUCH DAMAGE.
//
// THE SOFTWARE PROVIDED HEREIN IS ON AN "AS IS" BASIS, AND THE
// UNIVERSITY OF CALIFORNIA HAS NO OBLIGATION TO PROVIDE MAINTENANCE,
// SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. THE UNIVERSITY
// OF CALIFORNIA MAKES NO REPRESENTATIONS AND EXTENDS NO WARRANTIES
// OF ANY KIND, EITHER IMPLIED OR EXPRESS, INCLUDING, BUT NOT LIMITED
// TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
// PARTICULAR PURPOSE, OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE
// ANY PATENT, TRADEMARK OR OTHER RIGHTS.
//
// The h3.h file is developed by the CoralReef development team at the
// University of California, San Diego under the Cooperative Association
// for Internet Data Analysis (CAIDA) Program. Support for this effort was
// provided by the CAIDA grant NCR-9711092, DARPA NGI Contract
// N66001-98-2-8922, DARPA NMS Grant N66001-01-1-8909, NSF Grant ANI-013710
// and by CAIDA members.
//
// Report bugs and suggestions to coral-bugs@caida.org.
// H3 hash function family
// C++ template implementation by Ken Keys (kkeys@caida.org)
//
// Usage:
// #include <h3.h>
// const H3<T, N> h;
// T hashval = h(data, size [, offset]);
// (T) is the type to be returned by the hash function; must be an integral
// type, e.g. uint32_t.
// (N) is the size of the data in bytes (if data is a struct, beware of
// padding).
// The hash function hashes the (size) bytes of the data pointed to by (data),
// starting at (offset). Note: offset affects the hash value, so
// h(data, size, offset) is not the same as h(data+offset, size, 0).
// Typically (size) is N and (offset) is 0, but other values can be used to
// hash a substring of the data. Hashes of substrings can be bitwise-XOR'ed
// together to get the same result as hashing the full string.
// Any number of hash functions can be created by creating new instances of H3,
// with the same or different template parameters. The hash function
// constructor takes a seed as argument which defaults to a call to
// bro_random().
#ifndef H3_H
#define H3_H
#include <climits>
#include <cstring>
// The number of values representable by a byte.
#define H3_BYTE_RANGE (UCHAR_MAX+1)
template <typename T, int N>
class H3 {
public:
H3()
{
Init(false, 0);
}
H3(T seed)
{
Init(true, seed);
}
void Init(bool have_seed, T seed)
{
T bit_lookup[N * CHAR_BIT];
for ( size_t bit = 0; bit < N * CHAR_BIT; bit++ )
{
bit_lookup[bit] = 0;
for ( size_t i = 0; i < sizeof(T)/2; i++ )
{
seed = have_seed ? bro_prng(seed) : bro_random();
// assume random() returns at least 16 random bits
bit_lookup[bit] = (bit_lookup[bit] << 16) | (seed & 0xFFFF);
}
}
for ( size_t byte = 0; byte < N; byte++ )
{
for ( unsigned val = 0; val < H3_BYTE_RANGE; val++ )
{
byte_lookup[byte][val] = 0;
for ( size_t bit = 0; bit < CHAR_BIT; bit++ )
// Does this mean byte_lookup[*][0] == 0? -RP
if (val & (1 << bit))
byte_lookup[byte][val] ^= bit_lookup[byte*CHAR_BIT+bit];
}
}
}
T operator()(const void* data, size_t size, size_t offset = 0) const
{
const unsigned char *p = static_cast<const unsigned char*>(data);
T result = 0;
// loop optmized with Duff's Device
unsigned n = (size + 7) / 8;
switch ( size % 8 ) {
case 0: do { result ^= byte_lookup[offset++][*p++];
case 7: result ^= byte_lookup[offset++][*p++];
case 6: result ^= byte_lookup[offset++][*p++];
case 5: result ^= byte_lookup[offset++][*p++];
case 4: result ^= byte_lookup[offset++][*p++];
case 3: result ^= byte_lookup[offset++][*p++];
case 2: result ^= byte_lookup[offset++][*p++];
case 1: result ^= byte_lookup[offset++][*p++];
} while ( --n > 0 );
}
return result;
}
friend bool operator==(const H3& x, const H3& y)
{
return ! std::memcmp(x.byte_lookup, y.byte_lookup, N * H3_BYTE_RANGE);
}
friend bool operator!=(const H3& x, const H3& y)
{
return ! (x == y);
}
private:
T byte_lookup[N][H3_BYTE_RANGE];
};
#endif //H3_H

16
src/Hash.cc
View file

@ -18,15 +18,15 @@
#include "bro-config.h"
#include "Hash.h"
#include "Reporter.h"
#include "H3.h"
const H3<hash_t, UHASH_KEY_SIZE>* h3;
#include "siphash24.h"
void init_hash_function()
{
// Make sure we have already called init_random_seed().
ASSERT(hmac_key_set);
h3 = new H3<hash_t, UHASH_KEY_SIZE>();
if ( ! (hmac_key_set && siphash_key_set) )
reporter->InternalError("Bro's hash functions aren't fully initialized");
}
HashKey::HashKey(bro_int_t i)
@ -166,12 +166,14 @@ hash_t HashKey::HashBytes(const void* bytes, int size)
{
if ( size <= UHASH_KEY_SIZE )
{
// H3 doesn't check if size is zero
return ( size == 0 ) ? 0 : (*h3)(bytes, size);
hash_t digest;
siphash(&digest, (const uint8_t *)bytes, size, shared_siphash_key);
return digest;
}
// Fall back to HMAC/MD5 for longer data (which is usually rare).
hash_t digest[16];
assert(sizeof(hash_t) == 8);
hash_t digest[2]; // 2x hash_t (uint64) = 128 bits = 32 hex chars = sizeof md5
hmac_md5(size, (const unsigned char*) bytes, (unsigned char*) digest);
return digest[0];
}

3
src/Hash.h
View file

@ -81,7 +81,8 @@ protected:
void* key;
int is_our_dynamic;
int size, hash;
int size;
hash_t hash;
};
extern void init_hash_function();

4
src/Reporter.cc
View file

@ -300,7 +300,7 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
{
va_list aq;
va_copy(aq, ap);
int n = vsnprintf(buffer, size, fmt, aq);
int n = safe_vsnprintf(buffer, size, fmt, aq);
va_end(aq);
if ( postfix )
@ -321,7 +321,7 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
if ( postfix )
// Note, if you change this fmt string, adjust the additional
// buffer size above.
sprintf(buffer + strlen(buffer), " [%s]", postfix);
safe_snprintf(buffer + strlen(buffer), size - strlen(buffer), " [%s]", postfix);
if ( event && via_events && ! in_error_handler )
{

5
src/Reporter.h
View file

@ -32,12 +32,7 @@ protected:
InterpreterException() {}
};
// Check printf-style variadic arguments if we can.
#if __GNUC__
#define FMT_ATTR __attribute__((format(printf, 2, 3))) // sic! 1st is "this" I guess.
#else
#define FMT_ATTR
#endif
class Reporter {
public:

3
src/Sessions.cc
View file

@ -1232,6 +1232,9 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
Connection* conn = new Connection(this, k, t, id, flow_label, pkt, encapsulation);
conn->SetTransport(tproto);
if ( flip )
conn->AddHistory('^');
if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) )
{
conn->Done();

1
src/analyzer/protocol/ssl/CMakeLists.txt
View file

@ -5,6 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
bro_plugin_begin(Bro SSL)
bro_plugin_cc(SSL.cc DTLS.cc Plugin.cc)
bro_plugin_bif(types.bif)
bro_plugin_bif(events.bif)
bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac ssl-defs.pac
proc-client-hello.pac

23
src/analyzer/protocol/ssl/events.bif
View file

@ -83,7 +83,7 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_extension_ec_point_formats
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name
## ssl_extension_server_name ssl_extension_signature_algorithm
event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
@ -99,7 +99,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_extension
## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_server_curve
## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@ -116,9 +116,26 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_extension
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_server_curve
## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
## Generated for an Signature Algorithms extension. This TLS extension
## is defined in :rfc:`5246` and sent by the client in the initial
## handshake. It gives the list of signature and hash algorithms supported by the
## client.
##
## c: The connection.
##
## is_orig: True if event is raised for originator side of the connection.
##
## signature_algorithms: List of supported signature and hash algorithm pairs.
##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## ssl_session_ticket_handshake ssl_extension
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
## ssl_extension_server_name ssl_server_curve
event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
## Generated if a named curve is chosen by the server for an SSL/TLS connection.
## The curve is sent by the server in the ServerKeyExchange message as defined
## in :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.

24
src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
View file

@ -102,6 +102,26 @@ refine connection Handshake_Conn += {
return true;
%}
function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool
%{
VectorVal* slist = new VectorVal(internal_type("signature_and_hashalgorithm_vec")->AsVectorType());
if ( supported_signature_algorithms )
{
for ( unsigned int i = 0; i < supported_signature_algorithms->size(); ++i )
{
RecordVal* el = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
el->Assign(0, new Val((*supported_signature_algorithms)[i]->HashAlgorithm(), TYPE_COUNT));
el->Assign(1, new Val((*supported_signature_algorithms)[i]->SignatureAlgorithm(), TYPE_COUNT));
slist->Assign(i, el);
}
}
BifEvent::generate_ssl_extension_signature_algorithm(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, slist);
return true;
%}
function proc_apnl(rec: HandshakeRecord, protocols: ProtocolName[]) : bool
%{
VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType());
@ -247,6 +267,10 @@ refine typeattr EllipticCurves += &let {
proc : bool = $context.connection.proc_elliptic_curves(rec, elliptic_curve_list);
};
refine typeattr SignatureAlgorithm += &let {
proc : bool = $context.connection.proc_signature_algorithm(rec, supported_signature_algorithms);
}
refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
proc : bool = $context.connection.proc_apnl(rec, protocol_name_list);
};

11
src/analyzer/protocol/ssl/tls-handshake-protocol.pac
View file

@ -458,6 +458,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
EXT_EC_POINT_FORMATS -> ec_point_formats: EcPointFormats(rec)[] &until($element == 0 || $element != 0);
# EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0);
EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0);
EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0);
default -> data: bytestring &restofdata;
};
} &length=data_len+4 &exportsourcedata;
@ -501,6 +502,16 @@ type EcPointFormats(rec: HandshakeRecord) = record {
point_format_list: uint8[length];
};
type SignatureAndHashAlgorithm() = record {
HashAlgorithm: uint8;
SignatureAlgorithm: uint8;
}
type SignatureAlgorithm(rec: HandshakeRecord) = record {
length: uint16;
supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0);
}
type EllipticCurves(rec: HandshakeRecord) = record {
length: uint16;
elliptic_curve_list: uint16[length/2];

5
src/analyzer/protocol/ssl/tls-handshake.pac
View file

@ -3,6 +3,11 @@
%include binpac.pac
%include bro.pac
%extern{
#include "types.bif.h"
#include "events.bif.h"
%}
analyzer TLSHandshake withcontext {
connection: Handshake_Conn;
flow: Handshake_Flow;

5
src/analyzer/protocol/ssl/types.bif Normal file
View file

@ -0,0 +1,5 @@
module SSL;
type SignatureAndHashAlgorithm: record;
module GLOBAL;

30
src/analyzer/protocol/tcp/TCP.cc
View file

@ -105,11 +105,11 @@ static RecordVal* build_syn_packet_val(int is_orig, const IP_Hdr* ip,
v->Assign(0, new Val(is_orig, TYPE_BOOL));
v->Assign(1, new Val(int(ip->DF()), TYPE_BOOL));
v->Assign(2, new Val(int(ip->TTL()), TYPE_INT));
v->Assign(3, new Val((ip->TotalLen()), TYPE_INT));
v->Assign(4, new Val(ntohs(tcp->th_win), TYPE_INT));
v->Assign(2, new Val((ip->TTL()), TYPE_COUNT));
v->Assign(3, new Val((ip->TotalLen()), TYPE_COUNT));
v->Assign(4, new Val(ntohs(tcp->th_win), TYPE_COUNT));
v->Assign(5, new Val(winscale, TYPE_INT));
v->Assign(6, new Val(MSS, TYPE_INT));
v->Assign(6, new Val(MSS, TYPE_COUNT));
v->Assign(7, new Val(SACK, TYPE_BOOL));
return v;
@ -424,7 +424,7 @@ void TCP_Analyzer::SetReassembler(TCP_Reassembler* rorig,
reassembling = 1;
}
const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data,
const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data,
int& len, int& caplen)
{
const struct tcphdr* tp = (const struct tcphdr*) data;
@ -761,6 +761,17 @@ void TCP_Analyzer::UpdateInactiveState(double t,
// consider the ack as forming a partial
// connection.
;
else if ( flags.ACK() && peer->state == TCP_ENDPOINT_ESTABLISHED )
{
// No SYN packet from originator but SYN/ACK from
// responder, and now a pure ACK. Problably means we
// just missed that initial SYN. Let's not treat it
// as partial and instead establish the connection.
endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
is_partial = 0;
}
else
{
endpoint->SetState(TCP_ENDPOINT_PARTIAL);
@ -1165,7 +1176,7 @@ static void update_ack_seq(TCP_Endpoint* endpoint, uint32 ack_seq)
// Returns the difference between last_seq and the last sequence
// seen by the endpoint (may be negative).
static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq,
TCP_Flags flags)
TCP_Flags flags, int len)
{
int32 delta_last = seq_delta(last_seq, endpoint->LastSeq());
@ -1194,9 +1205,8 @@ static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq,
// ## endpoint->last_seq = last_seq;
endpoint->UpdateLastSeq(last_seq);
else if ( delta_last <= 0 )
{ // ### ++retransmit, unless this is a pure ack
}
else if ( delta_last < 0 && len > 0 )
endpoint->CheckHistory(HIST_RXMIT, 'T');
return delta_last;
}
@ -1334,7 +1344,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
peer->AckReceived(rel_ack);
}
int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags);
int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags, len);
endpoint->last_time = current_timestamp;
int do_close;

1
src/analyzer/protocol/tcp/TCP_Endpoint.h
View file

@ -187,6 +187,7 @@ public:
#define HIST_ACK_PKT 0x20
#define HIST_MULTI_FLAG_PKT 0x40
#define HIST_CORRUPT_PKT 0x80
#define HIST_RXMIT 0x100
int CheckHistory(uint32 mask, char code);
void AddHistory(char code);

215
src/input/Manager.cc
View file

@ -67,6 +67,7 @@ public:
EnumVal* type;
ReaderFrontend* reader;
TableVal* config;
EventHandlerPtr error_event;
RecordVal* description;
@ -78,7 +79,7 @@ protected:
Manager::Stream::Stream(StreamType t)
: name(), removed(), stream_type(t), type(), reader(), config(),
description()
error_event(), description()
{
}
@ -103,7 +104,6 @@ public:
unsigned int num_idx_fields;
unsigned int num_val_fields;
bool want_record;
EventHandlerPtr table_event;
TableVal* tab;
RecordType* rtype;
@ -129,7 +129,7 @@ public:
bool want_record;
EventStream();
~EventStream();
~EventStream();
};
class Manager::AnalysisStream: public Manager::Stream {
@ -432,6 +432,13 @@ bool Manager::CreateEventStream(RecordVal* fval)
else
assert(false);
Val* error_event_val = fval->Lookup("error_ev", true);
Func* error_event = error_event_val ? error_event_val->AsFunc() : nullptr;
Unref(error_event_val);
if ( ! CheckErrorEventTypes(stream_name, error_event, false) )
return false;
vector<Field*> fieldsV; // vector, because UnrollRecordType needs it
bool status = (! UnrollRecordType(&fieldsV, fields, "", allow_file_func));
@ -459,6 +466,7 @@ bool Manager::CreateEventStream(RecordVal* fval)
stream->num_fields = fieldsV.size();
stream->fields = fields->Ref()->AsRecordType();
stream->event = event_registry->Lookup(event->Name());
stream->error_event = error_event ? event_registry->Lookup(error_event->Name()) : nullptr;
stream->want_record = ( want_record->InternalInt() == 1 );
Unref(want_record); // ref'd by lookupwithdefault
@ -558,8 +566,6 @@ bool Manager::CreateTableStream(RecordVal* fval)
}
}
Val* event_val = fval->Lookup("ev", true);
Func* event = event_val ? event_val->AsFunc() : 0;
Unref(event_val);
@ -628,9 +634,15 @@ bool Manager::CreateTableStream(RecordVal* fval)
}
assert(want_record->InternalInt() == 1 || want_record->InternalInt() == 0);
}
Val* error_event_val = fval->Lookup("error_ev", true);
Func* error_event = error_event_val ? error_event_val->AsFunc() : nullptr;
Unref(error_event_val);
if ( ! CheckErrorEventTypes(stream_name, error_event, true) )
return false;
vector<Field*> fieldsV; // vector, because we don't know the length beforehands
bool status = (! UnrollRecordType(&fieldsV, idx, "", false));
@ -678,6 +690,7 @@ bool Manager::CreateTableStream(RecordVal* fval)
stream->rtype = val ? val->AsRecordType() : 0;
stream->itype = idx->AsRecordType();
stream->event = event ? event_registry->Lookup(event->Name()) : 0;
stream->error_event = error_event ? event_registry->Lookup(error_event->Name()) : nullptr;
stream->currDict = new PDict(InputHash);
stream->currDict->SetDeleteFunc(input_hash_delete_func);
stream->lastDict = new PDict(InputHash);
@ -698,6 +711,54 @@ bool Manager::CreateTableStream(RecordVal* fval)
return true;
}
bool Manager::CheckErrorEventTypes(std::string stream_name, Func* ev, bool table)
{
if ( ev == nullptr )
return true;
FuncType* etype = ev->FType()->AsFuncType();
if ( etype->Flavor() != FUNC_FLAVOR_EVENT )
{
reporter->Error("Input stream %s: Error event is a function, not an event", stream_name.c_str());
return false;
}
const type_list* args = etype->ArgTypes()->Types();
if ( args->length() != 3 )
{
reporter->Error("Input stream %s: Error event must take 3 arguments", stream_name.c_str());
return false;
}
if ( table && ! same_type((*args)[0], BifType::Record::Input::TableDescription, 0) )
{
reporter->Error("Input stream %s: Error event's first attribute must be of type Input::TableDescription", stream_name.c_str());
return false;
}
if ( ! table && ! same_type((*args)[0], BifType::Record::Input::EventDescription, 0) )
{
reporter->Error("Input stream %s: Error event's first attribute must be of type Input::EventDescription", stream_name.c_str());
return false;
}
if ( (*args)[1]->Tag() != TYPE_STRING )
{
reporter->Error("Input stream %s: Error event's second attribute must be of type string", stream_name.c_str());
return false;
}
if ( ! same_type((*args)[2], BifType::Enum::Reporter::Level, 0) )
{
reporter->Error("Input stream %s: Error event's third attribute must be of type Reporter::Level", stream_name.c_str());
return false;
}
return true;
}
bool Manager::CreateAnalysisStream(RecordVal* fval)
{
RecordType* rtype = fval->Type()->AsRecordType();
@ -1054,7 +1115,7 @@ int Manager::SendEntryTable(Stream* i, const Value* const *vals)
if ( idxhash == 0 )
{
reporter->Error("Could not hash line. Ignoring");
Warning(i, "Could not hash line. Ignoring");
return stream->num_val_fields + stream->num_idx_fields;
}
@ -1719,7 +1780,7 @@ bool Manager::Delete(ReaderFrontend* reader, Value* *vals)
Val* retptr = stream->tab->Delete(idxval);
success = ( retptr != 0 );
if ( ! success )
reporter->Error("Internal error while deleting values from input table");
Warning(i, "Internal error while deleting values from input table");
else
Unref(retptr);
}
@ -1771,6 +1832,9 @@ bool Manager::CallPred(Func* pred_func, const int numvals, ...)
return result;
}
// Raise everything in here as warnings so it is passed to scriptland without
// looking "fatal". In addition to these warnings, ReaderBackend will queue
// one reporter message.
bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int num_vals, Value* *vals)
{
Stream *i = FindStream(reader);
@ -1783,7 +1847,7 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu
EventHandler* handler = event_registry->Lookup(name.c_str());
if ( handler == 0 )
{
reporter->Error("Event %s not found", name.c_str());
Warning(i, "Event %s not found", name.c_str());
delete_value_ptr_array(vals, num_vals);
return false;
}
@ -1797,7 +1861,7 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu
int num_event_vals = type->NumFields();
if ( num_vals != num_event_vals )
{
reporter->Error("Wrong number of values for event %s", name.c_str());
Warning(i, "Wrong number of values for event %s", name.c_str());
delete_value_ptr_array(vals, num_vals);
return false;
}
@ -2315,7 +2379,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ
bro_int_t index = request_type->AsEnumType()->Lookup(module, var.c_str());
if ( index == -1 )
{
reporter->Error("Value not '%s' for stream '%s' is not a valid enum.",
Warning(i, "Value not '%s' for stream '%s' is not a valid enum.",
enum_string.c_str(), i->name.c_str());
have_error = true;
@ -2367,3 +2431,132 @@ void Manager::Terminate()
}
}
void Manager::Info(ReaderFrontend* reader, const char* msg)
{
Stream *i = FindStream(reader);
if ( !i )
{
reporter->Error("Stream not found in Info; lost message: %s", msg);
return;
}
ErrorHandler(i, ErrorType::INFO, false, "%s", msg);
}
void Manager::Warning(ReaderFrontend* reader, const char* msg)
{
Stream *i = FindStream(reader);
if ( !i )
{
reporter->Error("Stream not found in Warning; lost message: %s", msg);
return;
}
ErrorHandler(i, ErrorType::WARNING, false, "%s", msg);
}
void Manager::Error(ReaderFrontend* reader, const char* msg)
{
Stream *i = FindStream(reader);
if ( !i )
{
reporter->Error("Stream not found in Error; lost message: %s", msg);
return;
}
ErrorHandler(i, ErrorType::ERROR, false, "%s", msg);
}
void Manager::Info(const Stream* i, const char* fmt, ...)
{
va_list ap;
va_start(ap, fmt);
ErrorHandler(i, ErrorType::INFO, true, fmt, ap);
va_end(ap);
}
void Manager::Warning(const Stream* i, const char* fmt, ...)
{
va_list ap;
va_start(ap, fmt);
ErrorHandler(i, ErrorType::WARNING, true, fmt, ap);
va_end(ap);
}
void Manager::Error(const Stream* i, const char* fmt, ...)
{
va_list ap;
va_start(ap, fmt);
ErrorHandler(i, ErrorType::ERROR, true, fmt, ap);
va_end(ap);
}
void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...)
{
va_list ap;
va_start(ap, fmt);
ErrorHandler(i, et, reporter_send, fmt, ap);
va_end(ap);
}
void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap)
{
char* buf;
int n = vasprintf(&buf, fmt, ap);
if ( n < 0 || buf == nullptr )
{
reporter->InternalError("Could not format error message %s for stream %s", fmt, i->name.c_str());
return;
}
// send our script level error event
if ( i->error_event )
{
EnumVal* ev;
switch (et)
{
case ErrorType::INFO:
ev = new EnumVal(BifEnum::Reporter::INFO, BifType::Enum::Reporter::Level);
break;
case ErrorType::WARNING:
ev = new EnumVal(BifEnum::Reporter::WARNING, BifType::Enum::Reporter::Level);
break;
case ErrorType::ERROR:
ev = new EnumVal(BifEnum::Reporter::ERROR, BifType::Enum::Reporter::Level);
break;
default:
reporter->InternalError("Unknown error type while trying to report input error %s", fmt);
}
StringVal* message = new StringVal(buf);
SendEvent(i->error_event, 3, i->description->Ref(), message, ev);
}
if ( reporter_send )
{
switch (et)
{
case ErrorType::INFO:
reporter->Info("%s", buf);
break;
case ErrorType::WARNING:
reporter->Warning("%s", buf);
break;
case ErrorType::ERROR:
reporter->Error("%s", buf);
break;
default:
reporter->InternalError("Unknown error type while trying to report input error %s", fmt);
}
}
free(buf);
}

23
src/input/Manager.h
View file

@ -109,6 +109,7 @@ protected:
friend class ReaderClosedMessage;
friend class DisableMessage;
friend class EndOfDataMessage;
friend class ReaderErrorMessage;
// For readers to write to input stream in direct mode (reporting
// new/deleted values directly). Functions take ownership of
@ -143,6 +144,13 @@ protected:
// stream is still received.
bool RemoveStreamContinuation(ReaderFrontend* reader);
// Signal Informational messages, warnings and errors. These will be
// passed to the error function in scriptland. Note that the messages
// are not passed to reporter - this is done in ReaderBackend.
void Info(ReaderFrontend* reader, const char* msg);
void Warning(ReaderFrontend* reader, const char* msg);
void Error(ReaderFrontend* reader, const char* msg);
/**
* Deletes an existing input stream.
*
@ -165,6 +173,11 @@ private:
bool CreateStream(Stream*, RecordVal* description);
// Check if the types of the error_ev event are correct. If table is
// true, check for tablestream type, otherwhise check for eventstream
// type.
bool CheckErrorEventTypes(std::string stream_name, Func* error_event, bool table);
// SendEntry implementation for Table stream.
int SendEntryTable(Stream* i, const threading::Value* const *vals);
@ -219,6 +232,16 @@ private:
// Converts a Bro ListVal to a RecordVal given the record type.
RecordVal* ListValToRecordVal(ListVal* list, RecordType *request_type, int* position);
// Internally signal errors, warnings, etc.
// These are sent on to input scriptland and reporter.log
void Info(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
void Warning(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
void Error(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
enum class ErrorType { INFO, WARNING, ERROR };
void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) __attribute__((format(printf, 5, 6)));
void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap);
Stream* FindStream(const string &name);
Stream* FindStream(ReaderFrontend* reader);

70
src/input/ReaderBackend.cc
View file

@ -78,6 +78,26 @@ private:
Value* *val;
};
class ReaderErrorMessage : public threading::OutputMessage<ReaderFrontend>
{
public:
enum Type {
INFO, WARNING, ERROR
};
ReaderErrorMessage(ReaderFrontend* reader, Type arg_type, const char* arg_msg)
: threading::OutputMessage<ReaderFrontend>("ReaderErrorMessage", reader)
{ type = arg_type; msg = copy_string(arg_msg); }
virtual ~ReaderErrorMessage() { delete [] msg; }
virtual bool Process();
private:
const char* msg;
Type type;
};
class SendEntryMessage : public threading::OutputMessage<ReaderFrontend> {
public:
SendEntryMessage(ReaderFrontend* reader, Value* *val)
@ -136,7 +156,6 @@ public:
private:
};
class DisableMessage : public threading::OutputMessage<ReaderFrontend>
{
public:
@ -156,6 +175,27 @@ public:
}
};
bool ReaderErrorMessage::Process()
{
switch ( type ) {
case INFO:
input_mgr->Info(Object(), msg);
break;
case WARNING:
input_mgr->Warning(Object(), msg);
break;
case ERROR:
input_mgr->Error(Object(), msg);
break;
}
return true;
}
using namespace input;
ReaderBackend::ReaderBackend(ReaderFrontend* arg_frontend) : MsgThread()
@ -266,11 +306,16 @@ bool ReaderBackend::Update()
if ( ! success )
DisableFrontend();
return success;
return ! disabled; // always return failure if we have been disabled in the meantime
}
void ReaderBackend::DisableFrontend()
{
// We might already have been disabled - e.g., due to a call to
// error. In that case, ignore this...
if ( disabled )
return;
// We also set disabled here, because there still may be other
// messages queued and we will dutifully ignore these from now.
disabled = true;
@ -285,4 +330,25 @@ bool ReaderBackend::OnHeartbeat(double network_time, double current_time)
return DoHeartbeat(network_time, current_time);
}
void ReaderBackend::Info(const char* msg)
{
SendOut(new ReaderErrorMessage(frontend, ReaderErrorMessage::INFO, msg));
MsgThread::Info(msg);
}
void ReaderBackend::Warning(const char* msg)
{
SendOut(new ReaderErrorMessage(frontend, ReaderErrorMessage::WARNING, msg));
MsgThread::Warning(msg);
}
void ReaderBackend::Error(const char* msg)
{
SendOut(new ReaderErrorMessage(frontend, ReaderErrorMessage::ERROR, msg));
MsgThread::Error(msg);
// Force errors to be fatal.
DisableFrontend();
}
}

21
src/input/ReaderBackend.h
View file

@ -63,7 +63,7 @@ public:
* an argument to callbacks. One must not otherwise access the
* frontend, it's running in a different thread.
*/
ReaderBackend(ReaderFrontend* frontend);
explicit ReaderBackend(ReaderFrontend* frontend);
/**
* Destructor.
@ -186,8 +186,22 @@ public:
int NumFields() const { return num_fields; }
// Overridden from MsgThread.
virtual bool OnHeartbeat(double network_time, double current_time);
virtual bool OnFinish(double network_time);
bool OnHeartbeat(double network_time, double current_time) override;
bool OnFinish(double network_time) override;
void Info(const char* msg) override;
void Warning(const char* msg) override;
/**
* Reports an error in the child thread. For input readers, it is assumed
* that Info and Warnings do not cause the read operation to fail (they might
* signal that, e.g., a single line was ignored).
*
* It is assumed that Errors are not recoverable. Calling the Error function
* will return the error back to scriptland and also *automatically* causes
* the current reader to be disabled and torn down.
*/
void Error(const char* msg) override;
protected:
// Methods that have to be overwritten by the individual readers
@ -325,7 +339,6 @@ protected:
*/
void EndCurrentSend();
private:
// Frontend that instantiated us. This object must not be accessed
// from this class, it's running in a different thread!

2
src/input/readers/ascii/Ascii.cc
View file

@ -341,7 +341,7 @@ bool Ascii::DoUpdate()
if ( val == 0 )
{
Error(Fmt("Could not convert line '%s' to Val. Ignoring line.", line.c_str()));
Warning(Fmt("Could not convert line '%s' to Val. Ignoring line.", line.c_str()));
error = true;
break;
}

4
src/input/readers/sqlite/SQLite.cc
View file

@ -75,6 +75,10 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading:
return false;
}
// Allow connections to same DB to use single data/schema cache. Also
// allows simultaneous writes to one file.
sqlite3_enable_shared_cache(1);
if ( Info().mode != MODE_MANUAL )
{
Error("SQLite only supports manual reading mode.");

10
src/logging/WriterBackend.h
View file

@ -38,7 +38,7 @@ public:
* @param name A descriptive name for writer's type (e.g., \c Ascii).
*
*/
WriterBackend(WriterFrontend* frontend);
explicit WriterBackend(WriterFrontend* frontend);
/**
* Destructor.
@ -248,8 +248,12 @@ public:
bool FinishedRotation();
// Overridden from MsgThread.
virtual bool OnHeartbeat(double network_time, double current_time);
virtual bool OnFinish(double network_time);
bool OnHeartbeat(double network_time, double current_time) override;
bool OnFinish(double network_time) override;
// Let the compiler know that we are aware that there is a virtual
// info function in the base.
using MsgThread::Info;
protected:
friend class FinishMessage;

19
src/logging/writers/sqlite/SQLite.cc
View file

@ -120,6 +120,10 @@ bool SQLite::DoInit(const WriterInfo& info, int arg_num_fields,
return false;
}
// Allow connections to same DB to use single data/schema cache. Also
// allows simultaneous writes to one file.
sqlite3_enable_shared_cache(1);
num_fields = arg_num_fields;
fields = arg_fields;
@ -232,21 +236,6 @@ bool SQLite::DoInit(const WriterInfo& info, int arg_num_fields,
return true;
}
// Format String
char* SQLite::FS(const char* format, ...)
{
char* buf;
va_list al;
va_start(al, format);
int n = vasprintf(&buf, format, al);
va_end(al);
assert(n >= 0);
return buf;
}
int SQLite::AddParams(Value* val, int pos)
{
if ( ! val->present )

1
src/logging/writers/sqlite/SQLite.h
View file

@ -38,7 +38,6 @@ private:
int AddParams(threading::Value* val, int pos);
string GetTableType(int, int);
char* FS(const char* format, ...);
const threading::Field* const * fields; // raw mapping
unsigned int num_fields;

18
src/main.cc
View file

@ -190,8 +190,6 @@ void usage()
fprintf(stderr, " -G|--load-seeds <file> | load seeds from given file\n");
fprintf(stderr, " -H|--save-seeds <file> | save seeds to given file\n");
fprintf(stderr, " -I|--print-id <ID name> | print out given ID\n");
fprintf(stderr, " -J|--set-seed <seed> | set the random number seed\n");
fprintf(stderr, " -K|--md5-hashkey <hashkey> | set key for MD5-keyed hashing\n");
fprintf(stderr, " -N|--print-plugins | print available plugins and exit (-NN for verbose)\n");
fprintf(stderr, " -P|--prime-dns | prime DNS\n");
fprintf(stderr, " -Q|--time | print execution time summary to stderr\n");
@ -459,7 +457,6 @@ int main(int argc, char** argv)
char* debug_streams = 0;
int parse_only = false;
int bare_mode = false;
int seed = 0;
int dump_cfg = false;
int to_xml = 0;
int do_watchdog = 0;
@ -491,8 +488,6 @@ int main(int argc, char** argv)
{"force-dns", no_argument, 0, 'F'},
{"load-seeds", required_argument, 0, 'G'},
{"save-seeds", required_argument, 0, 'H'},
{"set-seed", required_argument, 0, 'J'},
{"md5-hashkey", required_argument, 0, 'K'},
{"print-plugins", no_argument, 0, 'N'},
{"prime-dns", no_argument, 0, 'P'},
{"time", no_argument, 0, 'Q'},
@ -546,7 +541,7 @@ int main(int argc, char** argv)
opterr = 0;
char opts[256];
safe_strncpy(opts, "B:e:f:G:H:I:i:J:K:n:p:R:r:s:T:t:U:w:x:X:z:CFNPQSWabdghv",
safe_strncpy(opts, "B:e:f:G:H:I:i:n:p:R:r:s:T:t:U:w:x:X:z:CFNPQSWabdghv",
sizeof(opts));
#ifdef USE_PERFTOOLS_DEBUG
@ -661,15 +656,6 @@ int main(int argc, char** argv)
id_name = optarg;
break;
case 'J':
seed = atoi(optarg);
break;
case 'K':
MD5((const u_char*) optarg, strlen(optarg), shared_hmac_md5_key);
hmac_key_set = 1;
break;
case 'N':
++print_plugins;
break;
@ -760,7 +746,7 @@ int main(int argc, char** argv)
}
#endif
init_random_seed(seed, (seed_load_file && *seed_load_file ? seed_load_file : 0) , seed_save_file);
init_random_seed((seed_load_file && *seed_load_file ? seed_load_file : 0) , seed_save_file);
// DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key));
init_hash_function();

128
src/probabilistic/CardinalityCounter.cc
View file

@ -28,10 +28,9 @@ int CardinalityCounter::OptimalB(double error, double confidence) const
return answer;
}
void CardinalityCounter::Init(uint64 size)
void CardinalityCounter::Init(uint64_t size)
{
m = size;
buckets = new uint8_t[m];
// The following magic values are taken directly out of the
// description of the HyperLogLog algorithn.
@ -51,60 +50,83 @@ void CardinalityCounter::Init(uint64 size)
else
reporter->InternalError("Invalid size %" PRIu64 ". Size either has to be 16, 32, 64 or bigger than 128", size);
for ( uint64 i = 0; i < m; i++ )
buckets[i] = 0;
double calc_p = log2(m);
if ( trunc(calc_p) != calc_p )
reporter->InternalError("Invalid size %" PRIu64 ". Size either has to be a power of 2", size);
p = calc_p;
buckets.reserve(m);
for ( uint64_t i = 0; i < m; i++ )
buckets.push_back(0);
assert(buckets.size() == m);
V = m;
}
CardinalityCounter::CardinalityCounter(CardinalityCounter& other)
: buckets(other.buckets)
{
Init(other.GetM());
Merge(&other);
V = other.V;
alpha_m = other.alpha_m;
m = other.m;
p = other.p;
}
CardinalityCounter::CardinalityCounter(CardinalityCounter&& o)
{
V = o.V;
alpha_m = o.alpha_m;
m = o.m;
p = o.p;
o.m = 0;
buckets = std::move(o.buckets);
}
CardinalityCounter::CardinalityCounter(double error_margin, double confidence)
{
int b = OptimalB(error_margin, confidence);
Init((uint64) pow(2, b));
assert(b == p);
}
CardinalityCounter::CardinalityCounter(uint64 size)
CardinalityCounter::CardinalityCounter(uint64_t size)
{
Init(size);
}
CardinalityCounter::CardinalityCounter(uint64 arg_size, uint64 arg_V, double arg_alpha_m)
CardinalityCounter::CardinalityCounter(uint64_t arg_size, uint64_t arg_V, double arg_alpha_m)
{
m = arg_size;
buckets = new uint8_t[m];
buckets.reserve(m);
for ( uint64_t i = 0; i < m; i++ )
buckets.push_back(0);
alpha_m = arg_alpha_m;
V = arg_V;
p = log2(m);
}
CardinalityCounter::~CardinalityCounter()
{
delete [] buckets;
}
uint8_t CardinalityCounter::Rank(uint64 hash_modified) const
uint8_t CardinalityCounter::Rank(uint64_t hash_modified) const
{
uint8_t answer = 0;
hash_modified = (uint64)(hash_modified / m);
hash_modified *= 2;
do {
hash_modified = (uint64)(hash_modified / 2);
answer++;
} while ( hash_modified % 2 == 0);
hash_modified = hash_modified >> p;
int answer = 64 - p - CardinalityCounter::flsll(hash_modified) + 1;
assert(answer > 0 && answer < 64);
return answer;
}
void CardinalityCounter::AddElement(uint64 hash)
void CardinalityCounter::AddElement(uint64_t hash)
{
uint64 index = hash % m;
uint64_t index = hash % m;
hash = hash-index;
if( buckets[index] == 0 )
@ -118,7 +140,7 @@ void CardinalityCounter::AddElement(uint64 hash)
/**
* Estimate the size by using the the "raw" HyperLogLog estimate. Then,
* check if it's too "large" or "small" because the raw estimate doesn't
* check if it's too "large" or "small" because the raw estimate doesn't
* do well in those cases.
* Thus, we correct for those errors as specified in the paper.
*
@ -149,7 +171,7 @@ bool CardinalityCounter::Merge(CardinalityCounter* c)
if ( m != c->GetM() )
return false;
uint8_t* temp = c->GetBuckets();
const vector<uint8_t> temp = c->GetBuckets();
V = 0;
@ -165,12 +187,12 @@ bool CardinalityCounter::Merge(CardinalityCounter* c)
return true;
}
uint8_t* CardinalityCounter::GetBuckets()
const vector<uint8_t> &CardinalityCounter::GetBuckets() const
{
return buckets;
}
uint64 CardinalityCounter::GetM() const
uint64_t CardinalityCounter::GetM() const
{
return m;
}
@ -192,7 +214,7 @@ bool CardinalityCounter::Serialize(SerialInfo* info) const
CardinalityCounter* CardinalityCounter::Unserialize(UnserialInfo* info)
{
uint64_t m;
uint64 V;
uint64_t V;
double alpha_m;
bool valid = true;
@ -202,13 +224,13 @@ CardinalityCounter* CardinalityCounter::Unserialize(UnserialInfo* info)
CardinalityCounter* c = new CardinalityCounter(m, V, alpha_m);
uint8_t* buckets = c->buckets;
vector<uint8_t>& buckets = c->buckets;
for ( unsigned int i = 0; i < m; i++ )
{
char c;
valid &= UNSERIALIZE(&c);
buckets[i] = (uint8)c;
buckets[i] = (uint8_t)c;
}
if ( ! valid )
@ -219,3 +241,51 @@ CardinalityCounter* CardinalityCounter::Unserialize(UnserialInfo* info)
return c;
}
/**
* The following function is copied from libc/string/flsll.c from the FreeBSD source
* tree. Original copyright message follows
*/
/*-
* Copyright (c) 1990, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* Find Last Set bit
*/
int
CardinalityCounter::flsll(uint64_t mask)
{
int bit;
if (mask == 0)
return (0);
for (bit = 1; mask != 1; bit++)
mask = (uint64_t)mask >> 1;
return (bit);
}

38
src/probabilistic/CardinalityCounter.h
View file

@ -28,13 +28,18 @@ public:
*
* @param confidence confidence of the error. Default: 0.95
*/
CardinalityCounter(double error_margin, double confidence = 0.95);
explicit CardinalityCounter(double error_margin, double confidence = 0.95);
/**
* Copy-Constructor
*/
CardinalityCounter(CardinalityCounter& other);
/**
* Move-Constructor
*/
CardinalityCounter(CardinalityCounter&& o);
/**
* Constructor for a known number of buckets.
*
@ -43,7 +48,7 @@ public:
*
* @param size number of buckets to create
*/
CardinalityCounter(uint64 size);
explicit CardinalityCounter(uint64_t size);
/**
* Destructor.
@ -58,7 +63,7 @@ public:
*
* @param hash 64-bit hash value of the element to be added
*/
void AddElement(uint64 hash);
void AddElement(uint64_t hash);
/**
* Get the current estimated number of elements in the data
@ -104,7 +109,7 @@ protected:
*
* @return Number of buckets
*/
uint64 GetM() const;
uint64_t GetM() const;
/**
* Returns the buckets array that holds all of the rough cardinality
@ -114,21 +119,21 @@ protected:
*
* @return Array containing cardinality estimates
*/
uint8_t* GetBuckets();
const std::vector<uint8_t>& GetBuckets() const;
private:
/**
* Constructor used when unserializing, i.e., all parameters are
* known.
*/
CardinalityCounter(uint64 size, uint64 V, double alpha_m);
explicit CardinalityCounter(uint64_t size, uint64_t V, double alpha_m);
/**
* Helper function with code used jointly by multiple constructors.
*
* @param arg_size: number of buckets that need to be kept
*/
void Init(uint64 arg_size);
void Init(uint64_t arg_size);
/**
* This function calculates the smallest value of b that will
@ -150,22 +155,28 @@ private:
int OptimalB(double error, double confidence) const;
/**
* Determines at which index (counted from the back) the first one-bit
* Determines at which index (counted from the front) the first one-bit
* appears. The last b bits have to be 0 (the element has to be divisible
* by m), hence they are ignored.
* by m), hence they are ignored. Always adds 1 to the result. This is the
* rho function from the original algorithm.
*
* @param hash_modified hash value
*
* @returns index of first one-bit
*/
uint8_t Rank(uint64 hash_modified) const;
uint8_t Rank(uint64_t hash_modified) const;
/**
* flsll from FreeBSD; especially Linux does not have this.
*/
static int flsll(uint64_t mask);
/**
* This is the number of buckets that will be stored. The standard
* error is 1.04/sqrt(m), so the actual cardinality will be the
* estimate +/- 1.04/sqrt(m) with approximately 68% probability.
*/
uint64 m;
uint64_t m;
/**
* These are the actual buckets that are storing an estimate of the
@ -173,7 +184,7 @@ private:
* appears in the bitstring and that location is at most 65, so not
* that many bits are needed to store it.
*/
uint8_t* buckets;
std::vector<uint8_t> buckets;
/**
* There are some state constants that need to be kept track of to
@ -181,8 +192,9 @@ private:
* buckets that are 0 and this is used in the small error correction.
* alpha_m is a multiplicative constant used in the algorithm.
*/
uint64 V;
uint64_t V;
double alpha_m;
int p; // the log2 of m
};
}

55
src/probabilistic/Hasher.cc
View file

@ -5,18 +5,21 @@
#include "Hasher.h"
#include "NetVar.h"
#include "digest.h"
#include "Serializer.h"
#include "digest.h"
#include "siphash24.h"
using namespace probabilistic;
uint64 Hasher::MakeSeed(const void* data, size_t size)
Hasher::seed_t Hasher::MakeSeed(const void* data, size_t size)
{
u_char buf[SHA256_DIGEST_LENGTH];
uint64 tmpseed;
seed_t tmpseed;
SHA256_CTX ctx;
sha256_init(&ctx);
assert(sizeof(tmpseed) == 16);
if ( data )
sha256_update(&ctx, data, size);
@ -56,7 +59,10 @@ bool Hasher::DoSerialize(SerialInfo* info) const
if ( ! SERIALIZE(static_cast<uint16>(k)) )
return false;
return SERIALIZE(static_cast<uint64>(seed));
if ( ! SERIALIZE(static_cast<uint64>(seed.h1)) )
return false;
return SERIALIZE(static_cast<uint64>(seed.h2));
}
bool Hasher::DoUnserialize(UnserialInfo* info)
@ -70,8 +76,11 @@ bool Hasher::DoUnserialize(UnserialInfo* info)
k = serial_k;
assert(k > 0);
uint64 serial_seed;
if ( ! UNSERIALIZE(&serial_seed) )
seed_t serial_seed;
if ( ! UNSERIALIZE(&serial_seed.h1) )
return false;
if ( ! UNSERIALIZE(&serial_seed.h2) )
return false;
seed = serial_seed;
@ -79,14 +88,18 @@ bool Hasher::DoUnserialize(UnserialInfo* info)
return true;
}
Hasher::Hasher(size_t arg_k, size_t arg_seed)
Hasher::Hasher(size_t arg_k, seed_t arg_seed)
{
k = arg_k;
seed = arg_seed;
}
UHF::UHF(size_t arg_seed)
: h(arg_seed)
UHF::UHF()
{
memset(&seed, 0, sizeof(seed));
}
UHF::UHF(Hasher::seed_t arg_seed)
{
seed = arg_seed;
}
@ -96,8 +109,14 @@ UHF::UHF(size_t arg_seed)
// times.
Hasher::digest UHF::hash(const void* x, size_t n) const
{
assert(sizeof(Hasher::seed_t) == SIPHASH_KEYLEN);
if ( n <= UHASH_KEY_SIZE )
return n == 0 ? 0 : h(x, n);
{
hash_t outdigest;
siphash(&outdigest, reinterpret_cast<const uint8_t*>(x), n, reinterpret_cast<const uint8_t*>(&seed));
return outdigest;
}
unsigned char d[16];
MD5(reinterpret_cast<const unsigned char*>(x), n, d);
@ -111,11 +130,15 @@ Hasher::digest UHF::hash(const void* x, size_t n) const
return *reinterpret_cast<const Hasher::digest*>(d);
}
DefaultHasher::DefaultHasher(size_t k, size_t seed)
DefaultHasher::DefaultHasher(size_t k, Hasher::seed_t seed)
: Hasher(k, seed)
{
for ( size_t i = 1; i <= k; ++i )
hash_functions.push_back(UHF(Seed() + bro_prng(i)));
{
seed_t s = Seed();
s.h1 += bro_prng(i);
hash_functions.push_back(UHF(s));
}
}
Hasher::digest_vector DefaultHasher::Hash(const void* x, size_t n) const
@ -158,12 +181,16 @@ bool DefaultHasher::DoUnserialize(UnserialInfo* info)
hash_functions.clear();
for ( size_t i = 0; i < K(); ++i )
hash_functions.push_back(UHF(Seed() + bro_prng(i)));
{
Hasher::seed_t s = Seed();
s.h1 += bro_prng(i);
hash_functions.push_back(UHF(s));
}
return true;
}
DoubleHasher::DoubleHasher(size_t k, size_t seed)
DoubleHasher::DoubleHasher(size_t k, seed_t seed)
: Hasher(k, seed), h1(seed + bro_prng(1)), h2(seed + bro_prng(2))
{
}

39
src/probabilistic/Hasher.h
View file

@ -4,7 +4,6 @@
#define PROBABILISTIC_HASHER_H
#include "Hash.h"
#include "H3.h"
#include "SerialObj.h"
namespace probabilistic {
@ -17,6 +16,15 @@ class Hasher : public SerialObj {
public:
typedef hash_t digest;
typedef std::vector<digest> digest_vector;
struct seed_t {
uint64_t h1;
uint64_t h2;
friend seed_t operator+(seed_t lhs, const uint64_t rhs) {
lhs.h1 += rhs;
return lhs;
}
};
/**
* Creates a valid hasher seed from an arbitrary string.
@ -30,7 +38,7 @@ public:
*
* @return A seed suitable for hashers.
*/
static uint64 MakeSeed(const void* data, size_t size);
static seed_t MakeSeed(const void* data, size_t size);
/**
* Destructor.
@ -89,7 +97,7 @@ public:
/**
* Returns the seed used to construct the hasher.
*/
size_t Seed() const { return seed; }
seed_t Seed() const { return seed; }
bool Serialize(SerialInfo* info) const;
static Hasher* Unserialize(UnserialInfo* info);
@ -106,11 +114,11 @@ protected:
*
* @param arg_seed The seed for the hasher.
*/
Hasher(size_t arg_k, size_t arg_seed);
Hasher(size_t arg_k, seed_t arg_seed);
private:
size_t k;
size_t seed;
seed_t seed;
};
/**
@ -120,12 +128,17 @@ private:
class UHF {
public:
/**
* Constructs an H3 hash function seeded with a given seed and an
* Default constructor with zero seed.
*/
UHF();
/**
* Constructs an hash function seeded with a given seed and an
* optional extra seed to replace the initial Bro seed.
*
* @param arg_seed The seed to use for this instance.
*/
UHF(size_t arg_seed = 0);
UHF(Hasher::seed_t arg_seed);
template <typename T>
Hasher::digest operator()(const T& x) const
@ -159,7 +172,8 @@ public:
friend bool operator==(const UHF& x, const UHF& y)
{
return x.h == y.h;
return (x.seed.h1 == y.seed.h1) &&
(x.seed.h2 == y.seed.h2);
}
friend bool operator!=(const UHF& x, const UHF& y)
@ -168,10 +182,9 @@ public:
}
private:
static size_t compute_seed(size_t seed);
static size_t compute_seed(Hasher::seed_t seed);
H3<Hasher::digest, UHASH_KEY_SIZE> h;
size_t seed;
Hasher::seed_t seed;
};
@ -188,7 +201,7 @@ public:
*
* @param seed The seed for the hasher.
*/
DefaultHasher(size_t k, size_t seed);
DefaultHasher(size_t k, Hasher::seed_t seed);
// Overridden from Hasher.
virtual digest_vector Hash(const void* x, size_t n) const final;
@ -216,7 +229,7 @@ public:
*
* @param seed The seed for the hasher.
*/
DoubleHasher(size_t k, size_t seed);
DoubleHasher(size_t k, Hasher::seed_t seed);
// Overridden from Hasher.
virtual digest_vector Hash(const void* x, size_t n) const final;

8
src/probabilistic/bloom-filter.bif
View file

@ -42,7 +42,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count,
size_t cells = BasicBloomFilter::M(fp, capacity);
size_t optimal_k = BasicBloomFilter::K(cells, capacity);
size_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
Hasher::seed_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
name->Len());
const Hasher* h = new DoubleHasher(optimal_k, seed);
@ -66,7 +66,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count,
##
## Returns: A Bloom filter handle.
##
## .. bro:see:: bloomfilter_basic_init bloomfilter_counting_init bloomfilter_add
## .. bro:see:: bloomfilter_basic_init bloomfilter_counting_init bloomfilter_add
## bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
function bloomfilter_basic_init2%(k: count, cells: count,
name: string &default=""%): opaque of bloomfilter
@ -82,7 +82,7 @@ function bloomfilter_basic_init2%(k: count, cells: count,
return 0;
}
size_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
Hasher::seed_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
name->Len());
const Hasher* h = new DoubleHasher(k, seed);
@ -121,7 +121,7 @@ function bloomfilter_counting_init%(k: count, cells: count, max: count,
return 0;
}
size_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
Hasher::seed_t seed = Hasher::MakeSeed(name->Len() > 0 ? name->Bytes() : 0,
name->Len());
const Hasher* h = new DefaultHasher(k, seed);

166
src/siphash24.c Normal file
View file

@ -0,0 +1,166 @@
/*
SipHash reference C implementation
Copyright (c) 2012-2014 Jean-Philippe Aumasson
<jeanphilippe.aumasson@gmail.com>
Copyright (c) 2012-2014 Daniel J. Bernstein <djb@cr.yp.to>
To the extent possible under law, the author(s) have dedicated all copyright
and related and neighboring rights to this software to the public domain
worldwide. This software is distributed without any warranty.
You should have received a copy of the CC0 Public Domain Dedication along
with
this software. If not, see
<http://creativecommons.org/publicdomain/zero/1.0/>.
*/
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* default: SipHash-2-4 */
#define cROUNDS 2
#define dROUNDS 4
#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define U32TO8_LE(p, v) \
(p)[0] = (uint8_t)((v)); \
(p)[1] = (uint8_t)((v) >> 8); \
(p)[2] = (uint8_t)((v) >> 16); \
(p)[3] = (uint8_t)((v) >> 24);
#define U64TO8_LE(p, v) \
U32TO8_LE((p), (uint32_t)((v))); \
U32TO8_LE((p) + 4, (uint32_t)((v) >> 32));
#define U8TO64_LE(p) \
(((uint64_t)((p)[0])) | ((uint64_t)((p)[1]) << 8) | \
((uint64_t)((p)[2]) << 16) | ((uint64_t)((p)[3]) << 24) | \
((uint64_t)((p)[4]) << 32) | ((uint64_t)((p)[5]) << 40) | \
((uint64_t)((p)[6]) << 48) | ((uint64_t)((p)[7]) << 56))
#define SIPROUND \
do { \
v0 += v1; \
v1 = ROTL(v1, 13); \
v1 ^= v0; \
v0 = ROTL(v0, 32); \
v2 += v3; \
v3 = ROTL(v3, 16); \
v3 ^= v2; \
v0 += v3; \
v3 = ROTL(v3, 21); \
v3 ^= v0; \
v2 += v1; \
v1 = ROTL(v1, 17); \
v1 ^= v2; \
v2 = ROTL(v2, 32); \
} while (0)
#ifdef SIPHASHDEBUG
#define TRACE \
do { \
printf("(%3d) v0 %08x %08x\n", (int)inlen, (uint32_t)(v0 >> 32), \
(uint32_t)v0); \
printf("(%3d) v1 %08x %08x\n", (int)inlen, (uint32_t)(v1 >> 32), \
(uint32_t)v1); \
printf("(%3d) v2 %08x %08x\n", (int)inlen, (uint32_t)(v2 >> 32), \
(uint32_t)v2); \
printf("(%3d) v3 %08x %08x\n", (int)inlen, (uint32_t)(v3 >> 32), \
(uint32_t)v3); \
} while (0)
#else
#define TRACE
#endif
// [Bro] We turn this into an internal function. siphash.h defines a wrapper.
int _siphash(uint8_t *out, const uint8_t *in, uint64_t inlen, const uint8_t *k) {
/* "somepseudorandomlygeneratedbytes" */
uint64_t v0 = 0x736f6d6570736575ULL;
uint64_t v1 = 0x646f72616e646f6dULL;
uint64_t v2 = 0x6c7967656e657261ULL;
uint64_t v3 = 0x7465646279746573ULL;
uint64_t b;
uint64_t k0 = U8TO64_LE(k);
uint64_t k1 = U8TO64_LE(k + 8);
uint64_t m;
int i;
const uint8_t *end = in + inlen - (inlen % sizeof(uint64_t));
const int left = inlen & 7;
b = ((uint64_t)inlen) << 56;
v3 ^= k1;
v2 ^= k0;
v1 ^= k1;
v0 ^= k0;
#ifdef DOUBLE
v1 ^= 0xee;
#endif
for (; in != end; in += 8) {
m = U8TO64_LE(in);
v3 ^= m;
TRACE;
for (i = 0; i < cROUNDS; ++i)
SIPROUND;
v0 ^= m;
}
switch (left) {
case 7:
b |= ((uint64_t)in[6]) << 48;
case 6:
b |= ((uint64_t)in[5]) << 40;
case 5:
b |= ((uint64_t)in[4]) << 32;
case 4:
b |= ((uint64_t)in[3]) << 24;
case 3:
b |= ((uint64_t)in[2]) << 16;
case 2:
b |= ((uint64_t)in[1]) << 8;
case 1:
b |= ((uint64_t)in[0]);
break;
case 0:
break;
}
v3 ^= b;
TRACE;
for (i = 0; i < cROUNDS; ++i)
SIPROUND;
v0 ^= b;
#ifndef DOUBLE
v2 ^= 0xff;
#else
v2 ^= 0xee;
#endif
TRACE;
for (i = 0; i < dROUNDS; ++i)
SIPROUND;
b = v0 ^ v1 ^ v2 ^ v3;
U64TO8_LE(out, b);
#ifdef DOUBLE
v1 ^= 0xdd;
TRACE;
for (i = 0; i < dROUNDS; ++i)
SIPROUND;
b = v0 ^ v1 ^ v2 ^ v3;
U64TO8_LE(out + 8, b);
#endif
return 0;
}

18
src/siphash24.h Normal file
View file

@ -0,0 +1,18 @@
#ifndef SIPHASH24_H
#define SIPHASH24_H
#define SIPHASH_KEYLEN 16
#define SIPHASH_HASHLEN 8
extern "C" {
int _siphash(uint8_t *out, const uint8_t *in, uint64_t inlen, const uint8_t *k);
}
// [Bro] Wrapper for better type-safety.
inline void siphash(uint64_t* digest, const uint8_t *in, uint64_t inlen, const uint8_t* key)
{
_siphash((uint8_t*)digest, in, inlen, key);
}
#endif

2
src/threading/Formatter.h
View file

@ -23,7 +23,7 @@ public:
* internal formatting.
*
*/
Formatter(threading::MsgThread* t);
explicit Formatter(threading::MsgThread* t);
/**
* Destructor.

24
src/threading/MsgThread.h
View file

@ -64,7 +64,7 @@ public:
*
* @param msg The message. It will be prefixed with the thread's name.
*/
void Info(const char* msg);
virtual void Info(const char* msg);
/**
* Reports a warning from the child thread that may indicate a
@ -73,9 +73,14 @@ public:
*
* Only the child thread may call this method.
*
* Can be overriden in derived classed to hook into the error handling
* but must should generally also call the parent implementation. Note
* that this method is always called by the child thread and must not access
* data or datastructures of the main thread directly.
*
* @param msg The message. It will be prefixed with the thread's name.
*/
void Warning(const char* msg);
virtual void Warning(const char* msg);
/**
* Reports a non-fatal error from the child thread. The main thread
@ -84,9 +89,14 @@ public:
*
* Only the child thread may call this method.
*
* Can be overriden in derived classed to hook into the error handling
* but must should generally also call the parent implementation. Note
* that this method is always called by the child thread and must not access
* data or datastructures of the main thread directly.
*
* @param msg The message. It will be prefixed with the thread's name.
*/
void Error(const char* msg);
virtual void Error(const char* msg);
/**
* Reports a fatal error from the child thread. The main thread will
@ -223,10 +233,10 @@ protected:
* Overriden from BasicThread.
*
*/
virtual void Run();
virtual void OnWaitForStop();
virtual void OnSignalStop();
virtual void OnKill();
void Run() override;
void OnWaitForStop() override;
void OnSignalStop() override;
void OnKill() override;
private:
/**

22
src/threading/formatters/Ascii.cc
View file

@ -232,7 +232,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
val->val.int_val = 0;
else
{
GetThread()->Error(GetThread()->Fmt("Field: %s Invalid value for boolean: %s",
GetThread()->Warning(GetThread()->Fmt("Field: %s Invalid value for boolean: %s",
name.c_str(), start));
goto parse_error;
}
@ -273,7 +273,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
size_t pos = unescaped.find("/");
if ( pos == unescaped.npos )
{
GetThread()->Error(GetThread()->Fmt("Invalid value for subnet: %s", start));
GetThread()->Warning(GetThread()->Fmt("Invalid value for subnet: %s", start));
goto parse_error;
}
@ -348,7 +348,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
if ( pos >= length )
{
GetThread()->Error(GetThread()->Fmt("Internal error while parsing set. pos %d >= length %d."
GetThread()->Warning(GetThread()->Fmt("Internal error while parsing set. pos %d >= length %d."
" Element: %s", pos, length, element.c_str()));
error = true;
break;
@ -357,7 +357,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
threading::Value* newval = ParseValue(element, name, subtype);
if ( newval == 0 )
{
GetThread()->Error("Error while reading set or vector");
GetThread()->Warning("Error while reading set or vector");
error = true;
break;
}
@ -375,7 +375,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
lvals[pos] = ParseValue("", name, subtype);
if ( lvals[pos] == 0 )
{
GetThread()->Error("Error while trying to add empty set element");
GetThread()->Warning("Error while trying to add empty set element");
goto parse_error;
}
@ -394,7 +394,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
if ( pos != length )
{
GetThread()->Error(GetThread()->Fmt("Internal error while parsing set: did not find all elements: %s", start));
GetThread()->Warning(GetThread()->Fmt("Internal error while parsing set: did not find all elements: %s", start));
goto parse_error;
}
@ -402,7 +402,7 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
}
default:
GetThread()->Error(GetThread()->Fmt("unsupported field format %d for %s", type,
GetThread()->Warning(GetThread()->Fmt("unsupported field format %d for %s", type,
name.c_str()));
goto parse_error;
}
@ -419,13 +419,13 @@ bool Ascii::CheckNumberError(const char* start, const char* end) const
threading::MsgThread* thread = GetThread();
if ( end == start && *end != '\0' ) {
thread->Error(thread->Fmt("String '%s' contained no parseable number", start));
thread->Warning(thread->Fmt("String '%s' contained no parseable number", start));
return true;
}
if ( end - start == 0 && *end == '\0' )
{
thread->Error("Got empty string for number field");
thread->Warning("Got empty string for number field");
return true;
}
@ -434,13 +434,13 @@ bool Ascii::CheckNumberError(const char* start, const char* end) const
if ( errno == EINVAL )
{
thread->Error(thread->Fmt("String '%s' could not be converted to a number", start));
thread->Warning(thread->Fmt("String '%s' could not be converted to a number", start));
return true;
}
else if ( errno == ERANGE )
{
thread->Error(thread->Fmt("Number '%s' out of supported range.", start));
thread->Warning(thread->Fmt("Number '%s' out of supported range.", start));
return true;
}

10
src/types.bif
View file

@ -170,3 +170,13 @@ type gtp_rai: record;
type gtp_qos_profile: record;
type gtp_private_extension: record;
type gtp_gsn_addr: record;
module Reporter;
enum Level %{
INFO = 0,
WARNING = 1,
ERROR = 2,
%}
module GLOBAL;

40
src/util.cc
View file

@ -695,9 +695,12 @@ std::string strstrip(std::string s)
return s;
}
int hmac_key_set = 0;
bool hmac_key_set = false;
uint8 shared_hmac_md5_key[16];
bool siphash_key_set = false;
uint8 shared_siphash_key[SIPHASH_KEYLEN];
void hmac_md5(size_t size, const unsigned char* bytes, unsigned char digest[16])
{
if ( ! hmac_key_set )
@ -789,19 +792,20 @@ void bro_srandom(unsigned int seed)
srandom(seed);
}
void init_random_seed(uint32 seed, const char* read_file, const char* write_file)
void init_random_seed(const char* read_file, const char* write_file)
{
static const int bufsiz = 16;
static const int bufsiz = 20;
uint32 buf[bufsiz];
memset(buf, 0, sizeof(buf));
int pos = 0; // accumulates entropy
bool seeds_done = false;
uint32 seed = 0;
if ( read_file )
{
if ( ! read_random_seeds(read_file, &seed, buf, bufsiz) )
reporter->Error("Could not load seeds from file '%s'.\n",
read_file);
reporter->FatalError("Could not load seeds from file '%s'.\n",
read_file);
else
seeds_done = true;
}
@ -812,12 +816,13 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
gettimeofday((struct timeval *)(buf + pos), 0);
pos += sizeof(struct timeval) / sizeof(uint32);
// use urandom. For reasons see e.g. http://www.2uo.de/myths-about-urandom/
#if defined(O_NONBLOCK)
int fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
int fd = open("/dev/urandom", O_RDONLY | O_NONBLOCK);
#elif defined(O_NDELAY)
int fd = open("/dev/random", O_RDONLY | O_NDELAY);
int fd = open("/dev/urandom", O_RDONLY | O_NDELAY);
#else
int fd = open("/dev/random", O_RDONLY);
int fd = open("/dev/urandom", O_RDONLY);
#endif
if ( fd >= 0 )
@ -835,12 +840,7 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
}
if ( pos < bufsiz )
{
buf[pos++] = getpid();
if ( pos < bufsiz )
buf[pos++] = getuid();
}
reporter->FatalError("Could not read enough random data from /dev/urandom. Wanted %d, got %d", bufsiz, pos);
if ( ! seed )
{
@ -864,8 +864,16 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file
if ( ! hmac_key_set )
{
MD5((const u_char*) buf, sizeof(buf), shared_hmac_md5_key);
hmac_key_set = 1;
assert(sizeof(buf) - 16 == 64);
MD5((const u_char*) buf, sizeof(buf) - 16, shared_hmac_md5_key); // The last 128 bits of buf are for siphash
hmac_key_set = true;
}
if ( ! siphash_key_set )
{
assert(sizeof(buf) - 64 == SIPHASH_KEYLEN);
memcpy(shared_siphash_key, reinterpret_cast<const char*>(buf) + 64, SIPHASH_KEYLEN);
siphash_key_set = true;
}
if ( write_file && ! write_random_seeds(write_file, seed, buf, bufsiz) )

18
src/util.h
View file

@ -23,13 +23,9 @@
#include <string.h>
#include <stdarg.h>
#include <libgen.h>
#include "bro-config.h"
#if __STDC__
#define myattribute __attribute__
#else
#define myattribute(x)
#endif
#include "bro-config.h"
#include "siphash24.h"
#ifdef DEBUG
@ -163,7 +159,7 @@ extern const char* fmt_bytes(const char* data, int len);
// Note: returns a pointer into a shared buffer.
extern const char* fmt(const char* format, ...)
myattribute((format (printf, 1, 2)));
__attribute__((format (printf, 1, 2)));
extern const char* fmt_access_time(double time);
extern bool ensure_intermediate_dirs(const char* dirname);
@ -181,10 +177,11 @@ extern std::string strreplace(const std::string& s, const std::string& o, const
// Remove all leading and trailing white space from string.
extern std::string strstrip(std::string s);
extern bool hmac_key_set;
extern uint8 shared_hmac_md5_key[16];
extern bool siphash_key_set;
extern uint8 shared_siphash_key[SIPHASH_KEYLEN];
extern int hmac_key_set;
extern unsigned char shared_hmac_md5_key[16];
extern void hmac_md5(size_t size, const unsigned char* bytes,
unsigned char digest[16]);
@ -194,8 +191,7 @@ extern void hmac_md5(size_t size, const unsigned char* bytes,
// over the "seed" argument. If write_file is given, the seeds are written
// to that file.
//
extern void init_random_seed(uint32 seed, const char* load_file,
const char* write_file);
extern void init_random_seed(const char* load_file, const char* write_file);
// Retrieves the initial seed computed after the very first call to
// init_random_seed(). Repeated calls to init_random_seed() will not affect

16
testing/btest/Baseline/bifs.bloomfilter-seed/output
View file

@ -1,8 +1,8 @@
bf1, global_seed, 11979365913534242684
bf2, global_seed, 12550100962110750449
bf3, my_seed, 12550100962110750449
bf4, my_seed, 945716460325754659
bf1, global_seed, 12550100962110750449
bf2, global_seed, 945716460325754659
bf3, my_seed, 12550100962110750449
bf4, my_seed, 945716460325754659
bf1, global_seed, 4955302038280957656
bf2, global_seed, 11260532077783130352
bf3, my_seed, 4955302038280957656
bf4, my_seed, 11260532077783130352
bf1, global_seed, 4955302038280957656
bf2, global_seed, 11260532077783130352
bf3, my_seed, 4955302038280957656
bf4, my_seed, 11260532077783130352

1
testing/btest/Baseline/bifs.bloomfilter/output
View file

@ -13,7 +13,6 @@ error: false-positive rate must take value between 0 and 1
1
1
1, fp
1, fp
1
1
1

10
testing/btest/Baseline/bifs.decode_base64_conn/weird.log
View file

@ -3,10 +3,10 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2015-08-31-03-09-20
#open 2016-07-13-16-12-36
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1254722767.875996 CjhGID4nQcgTWjvg4c 10.10.1.4 1470 74.53.140.153 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F bro
1437831787.861602 CPbrpk1qSsw6ESzHV4 192.168.133.100 49648 192.168.133.102 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F bro
1437831799.610433 C7XEbhP654jzLoe3a 192.168.133.100 49655 17.167.150.73 443 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F bro
#close 2015-08-31-03-09-20
1254722767.875996 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F bro
1437831787.861602 CmES5u32sYpV7JYN 192.168.133.100 49648 192.168.133.102 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F bro
1437831799.610433 C3eiCBGOLw3VtHfOj 192.168.133.100 49655 17.167.150.73 443 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F bro
#close 2016-07-13-16-12-36

12
testing/btest/Baseline/bifs.filter_subnet_table/output
View file

@ -1,16 +1,16 @@
{
10.0.0.0/8,
10.2.0.2/31,
10.2.0.0/16
10.2.0.0/16,
10.2.0.2/31
}
{
[10.0.0.0/8] = a,
[10.2.0.2/31] = c,
[10.2.0.0/16] = b
[10.2.0.0/16] = b,
[10.2.0.2/31] = c
}
{
[10.0.0.0/8] = a,
[10.3.0.0/16] = e
[10.3.0.0/16] = e,
[10.0.0.0/8] = a
}
{

3
testing/btest/Baseline/bifs.hll_large_estimate/out Normal file
View file

@ -0,0 +1,3 @@
Ok error
171249.90868
Ok error

20
testing/btest/Baseline/bifs.matching_subnets/output
View file

@ -1,16 +1,16 @@
{
10.0.0.0/8,
10.3.0.0/16,
10.2.0.2/31,
2607:f8b0:4007:807::/64,
10.2.0.0/16,
5.2.0.0/32,
5.5.0.0/25,
10.1.0.0/16,
5.0.0.0/8,
2607:f8b0:4007:807::200e/128,
7.2.0.0/32,
2607:f8b0:4008:807::/64
10.3.0.0/16,
2607:f8b0:4007:807::200e/128,
10.0.0.0/8,
2607:f8b0:4007:807::/64,
10.1.0.0/16,
5.2.0.0/32,
10.2.0.0/16,
2607:f8b0:4008:807::/64,
10.2.0.2/31,
5.5.0.0/25
}
[10.2.0.2/31, 10.2.0.0/16, 10.0.0.0/8]
[2607:f8b0:4007:807::200e/128, 2607:f8b0:4007:807::/64]

12
testing/btest/Baseline/bifs.netbios-functions/out
View file

@ -1,8 +1,8 @@
MARTIN
3
WORKGROUP
27
ISATAP
0
\x01\x02__MSBROWSE__\x02
1
WORKGROUP
27
MARTIN
3
ISATAP
0

6
testing/btest/Baseline/bifs.rand/out
View file

@ -1,6 +1,6 @@
985
474
738
20
484
137
4
634
473

12
testing/btest/Baseline/bifs.rand/out.2
View file

@ -1,6 +1,6 @@
985
474
738
974
371
638
20
484
137
263
217
243

4
testing/btest/Baseline/bifs.records_fields/out
View file

@ -1,8 +1,8 @@
[a=42, b=Foo, c=<uninitialized>, d=Bar]
{
[b] = [type_name=record, log=F, value=Foo, default_val=Foo],
[d] = [type_name=record, log=T, value=Bar, default_val=<uninitialized>],
[c] = [type_name=record, log=F, value=<uninitialized>, default_val=<uninitialized>],
[a] = [type_name=record, log=F, value=42, default_val=<uninitialized>]
[a] = [type_name=record, log=F, value=42, default_val=<uninitialized>],
[d] = [type_name=record, log=T, value=Bar, default_val=<uninitialized>]
}
F

12
testing/btest/Baseline/bifs.unique_id/out
View file

@ -1,6 +1,6 @@
A-56gKBmhBBB6
B-PjbroujOxH4
C-N4zgPFAv3J
D-R8BqVlcp23e
E-duYdXg7bTa3
F-FSX5JvMaA88
A-rFj3eGxkRR5
B-q3FkxySjt2a
C-Chd8EgFWk2j
D-NHNewIpRB26
E-V26Y5PaLbW3
F-xUIu5RK8w0f

10
testing/btest/Baseline/core.bits_per_uid/128
View file

@ -1,9 +1,9 @@
CUWkUyAuUGXfarKYeMETxOg
Ck6kgXLOoSKlnQcgTWjvg4c
C2NNAAAHZBl4GS1DHFjwGM9
CecCbjYTWM3dVm5giqnMf4h
Fj3nTWNjezo6G6xBmyo58Tf
Cj4u32Pc5bifTEfuqmmG4bh
C6CWH0ZufRpfPJpwUYZZ6gc
F4VAnSiNGSQhKEoCPd4zuQd
CFrJExwHcSal5OKnoww6xl4
CIdXDQc8a0ud0MLrsMUOJi2
FaJg8mtdsS86cWjSe4spPPl
C3PKsZ2Uye21VW0XPVINV8a
Cae9B2GP1sJiMLUfNB0cl11
FvBr89nD30GgGAp3wgtm6qf

10
testing/btest/Baseline/core.bits_per_uid/256
View file

@ -1,9 +1,9 @@
CUWkUyAuUGXfarKYeMETxOg
Ck6kgXLOoSKlnQcgTWjvg4c
C2NNAAAHZBl4GS1DHFjwGM9
CecCbjYTWM3dVm5giqnMf4h
Fj3nTWNjezo6G6xBmyo58Tf
Cj4u32Pc5bifTEfuqmmG4bh
C6CWH0ZufRpfPJpwUYZZ6gc
F4VAnSiNGSQhKEoCPd4zuQd
CFrJExwHcSal5OKnoww6xl4
CIdXDQc8a0ud0MLrsMUOJi2
FaJg8mtdsS86cWjSe4spPPl
C3PKsZ2Uye21VW0XPVINV8a
Cae9B2GP1sJiMLUfNB0cl11
FvBr89nD30GgGAp3wgtm6qf

10
testing/btest/Baseline/core.bits_per_uid/32
View file

@ -1,9 +1,9 @@
CXWv6p30
CCyvnA30
CHhAvV0
CRQjp520
F75yAm10
CjhGID40
ClEkJM20
FmGk6O30
CdfHBz20
CHZeJD30
Fuh3fj10
CCvvfg30
C4J4Th30
Ftwuyy30

10
testing/btest/Baseline/core.bits_per_uid/64
View file

@ -1,9 +1,9 @@
CUWkUyAuUGXf0
CarKYeMETxOg0
C2NNAAAHZBl40
CGS1DHFjwGM90
Fj3nTWNjezo60
Ck6kgXLOoSKl0
CecCbjYTWM3d0
F4VAnSiNGSQh0
CnQcgTWjvg4c0
CVm5giqnMf4h0
FaJg8mtdsS860
Cj4u32Pc5bif0
C6CWH0ZufRpf0
FvBr89nD30Gg0

10
testing/btest/Baseline/core.bits_per_uid/96
View file

@ -1,9 +1,9 @@
CXWv6p3arKYeMETxOg
CjhGID4nQcgTWjvg4c
CHhAvVGS1DHFjwGM9
ClEkJM2Vm5giqnMf4h
F75yAm1G6xBmyo58Tf
CCvvfg3TEfuqmmG4bh
C4J4Th3PJpwUYZZ6gc
FmGk6O3KEoCPd4zuQd
CsRx2w45OKnoww6xl4
CtPZjS20MLrsMUOJi2
Fuh3fj1cWjSe4spPPl
CRJuHdVW0XPVINV8a
CUM0KZ3MLUfNB0cl11
Ftwuyy3GAp3wgtm6qf

58
testing/btest/Baseline/core.checksums/bad.out
View file

@ -3,101 +3,101 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-04
#open 2016-07-13-16-12-42
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332784981.078396 - - - - - bad_IP_checksum - F bro
#close 2016-06-15-20-38-04
#close 2016-07-13-16-12-42
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-06
#open 2016-07-13-16-12-42
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332784885.686428 CXWv6p3arKYeMETxOg 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F bro
#close 2016-06-15-20-38-06
1332784885.686428 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F bro
#close 2016-07-13-16-12-42
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-08
#open 2016-07-13-16-12-43
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332784933.501023 CXWv6p3arKYeMETxOg 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F bro
#close 2016-06-15-20-38-08
1332784933.501023 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F bro
#close 2016-07-13-16-12-43
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-10
#open 2016-07-13-16-12-43
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075363.536871 CXWv6p3arKYeMETxOg 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F bro
#close 2016-06-15-20-38-10
1334075363.536871 CHhAvVGS1DHFjwGM9 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F bro
#close 2016-07-13-16-12-43
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-11
#open 2016-07-13-16-12-44
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332785210.013051 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F bro
1332785210.013051 CXWv6p3arKYeMETxOg 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F bro
#close 2016-06-15-20-38-12
1332785210.013051 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F bro
#close 2016-07-13-16-12-44
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-13
#open 2016-07-13-16-12-44
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332782580.798420 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F bro
1332782580.798420 CXWv6p3arKYeMETxOg 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F bro
#close 2016-06-15-20-38-13
1332782580.798420 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F bro
#close 2016-07-13-16-12-44
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-15
#open 2016-07-13-16-12-45
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075111.800086 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F bro
1334075111.800086 CXWv6p3arKYeMETxOg 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F bro
#close 2016-06-15-20-38-15
1334075111.800086 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F bro
#close 2016-07-13-16-12-45
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-16
#open 2016-07-13-16-12-45
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332785250.469132 CXWv6p3arKYeMETxOg 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 bad_TCP_checksum - F bro
#close 2016-06-15-20-38-17
1332785250.469132 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 bad_TCP_checksum - F bro
#close 2016-07-13-16-12-45
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-18
#open 2016-07-13-16-12-46
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332781342.923813 CXWv6p3arKYeMETxOg 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F bro
#close 2016-06-15-20-38-18
1332781342.923813 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F bro
#close 2016-07-13-16-12-46
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-20
#open 2016-07-13-16-12-46
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334074939.467194 CXWv6p3arKYeMETxOg 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F bro
#close 2016-06-15-20-38-20
1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F bro
#close 2016-07-13-16-12-47

30
testing/btest/Baseline/core.checksums/good.out
View file

@ -3,68 +3,68 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-20
#open 2016-07-13-16-12-46
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334074939.467194 CXWv6p3arKYeMETxOg 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F bro
#close 2016-06-15-20-38-20
1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F bro
#close 2016-07-13-16-12-47
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-27
#open 2016-07-13-16-12-49
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332785125.596793 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F bro
#close 2016-06-15-20-38-27
#close 2016-07-13-16-12-49
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-28
#open 2016-07-13-16-12-49
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332782508.592037 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F bro
#close 2016-06-15-20-38-29
#close 2016-07-13-16-12-49
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-30
#open 2016-07-13-16-12-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F bro
#close 2016-06-15-20-38-30
#close 2016-07-13-16-12-50
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-30
#open 2016-07-13-16-12-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F bro
#close 2016-06-15-20-38-30
#close 2016-07-13-16-12-50
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-30
#open 2016-07-13-16-12-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F bro
#close 2016-06-15-20-38-30
#close 2016-07-13-16-12-50
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-06-15-20-38-30
#open 2016-07-13-16-12-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F bro
#close 2016-06-15-20-38-30
#close 2016-07-13-16-12-50

86
testing/btest/Baseline/core.conn-uid/output
View file

@ -1,43 +1,43 @@
[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], CXWv6p3arKYeMETxOg
[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp], CjhGID4nQcgTWjvg4c
[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], CCvvfg3TEfuqmmG4bh
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CsRx2w45OKnoww6xl4
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], CRJuHdVW0XPVINV8a
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], CRJuHdVW0XPVINV8a
[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], CPbrpk1qSsw6ESzHV4
[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], C6pKV8GSxOnSLghOa
[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], CIPOse170MGiRM1Qf4
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C7XEbhP654jzLoe3a
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CJ3xTn1c4Zw9TmAE05
[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], CMXxB5GvmoxJFXdTa
[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], Caby8b1slFea8xwSmb
[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], Che1bq3i2rO3KD1Syg
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C3SfNE4BWaU4aSuwkc
[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], CEle3f3zno26fFZkrh
[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], CwSkQu4eWZCH7OONC1
[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], CfTOmO0HKorjr8Zp7
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CzA03V1VcgagLjnO92
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CyAhVIzHqb7t7kv28
[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], Cab0vO1xNYSS2hJkle
[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], Cx2FqO23omNawSNrxj
[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], Cx3C534wEyF3OvvcQe
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CkDsfG2YIeWJmXWNWj
[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], CUKS0W3HFYOnBqSE5e
[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], CRrfvP2lalMAYOCLhj
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], Cn78a440HlxuyZKs6f
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CJ3xTn1c4Zw9TmAE05
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C7XEbhP654jzLoe3a
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C3SfNE4BWaU4aSuwkc
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CyAhVIzHqb7t7kv28
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CzA03V1VcgagLjnO92
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CkDsfG2YIeWJmXWNWj
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], Cn78a440HlxuyZKs6f
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], CUof3F2yAIid8QS3dk
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], CUof3F2yAIid8QS3dk
[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], CojBOU3CXcLHl1r6x1
[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], CJzVQRGJrX6V15ik7
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp], ClAbxY1nmdjCuo0Le2
[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], CwG0BF1VXE0gWgs78
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp], CisNaL1Cm73CiNOmcg
[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], CBQnJn22qN8TOeeZil
[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], CbEsuD3dgDDngdlbKf
[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], CHhAvVGS1DHFjwGM9
[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp], ClEkJM2Vm5giqnMf4h
[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], C4J4Th3PJpwUYZZ6gc
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CtPZjS20MLrsMUOJi2
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], CUM0KZ3MLUfNB0cl11
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], CUM0KZ3MLUfNB0cl11
[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], CmES5u32sYpV7JYN
[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], CP5puj4I8PtEU4qzYg
[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], C37jN32gN3y3AZzyf6
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C3eiCBGOLw3VtHfOj
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CwjjYJ2WqgTbAqiHl6
[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], C0LAHyvtKSQHyJxIl
[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], CFLRIC3zaTU1loLGxh
[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], C9rXSW3KSpTYvPrlI1
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Ck51lg1bScffFj34Ri
[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], C9mvWx3ezztgzcexV7
[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], CNnMIj2QSd84NKf7U3
[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], C7fIlMZDuRiqjpYbb
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CykQaM33ztNt0csB9a
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CtxTCR2Yer0FR1tIBg
[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], CpmdRlaUoJLN3uIRa
[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], C1Xkzz2MaGtLrc1Tla
[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], CqlVyW1YwZ15RhTBc4
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CLNN1k2QMum1aexUK7
[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], CBA8792iHmnhPLksKa
[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], CGLPPc35OzDQij1XX8
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CiyBAq1bBLNaTiTAc
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CwjjYJ2WqgTbAqiHl6
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], C3eiCBGOLw3VtHfOj
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Ck51lg1bScffFj34Ri
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CtxTCR2Yer0FR1tIBg
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CykQaM33ztNt0csB9a
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], CLNN1k2QMum1aexUK7
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], CiyBAq1bBLNaTiTAc
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], CFSwNi4CNGxcuffo49
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], CFSwNi4CNGxcuffo49
[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], Cipfzj1BEnhejw8cGf
[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], CV5WJ42jPYbNW9JNWf
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp], CPhDKt12KQPUVbQz06
[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], CAnFrb2Cvxr5T7quOc
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp], C8rquZ3DjgNW06JGLl
[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], CzrZOtXqhwwndQva3
[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], CaGCc13FffXe6RkQl9

4
testing/btest/Baseline/core.fake_dns/out
View file

@ -1,7 +1,7 @@
{
1d59:20f4:b44b:27a8:2bd:77c4:f053:6f5a,
50cd:1a9a:1837:5803:9b08:41aa:738c:3f0b,
477c:8c51:4f4f:61ec:9981:1259:86b8:8987,
1d59:20f4:b44b:27a8:2bd:77c4:f053:6f5a
477c:8c51:4f4f:61ec:9981:1259:86b8:8987
}
lookup_hostname_txt, fake_text_lookup_result_bro.wp.dg.cx
lookup_hostname, {

10
testing/btest/Baseline/core.history-flip/conn.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2016-07-13-17-58-11
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty)
#close 2016-07-13-17-58-11

10
testing/btest/Baseline/core.ipv6-frag/dns.log
View file

@ -3,10 +3,10 @@
#empty_field (empty)
#unset_field -
#path dns
#open 2016-06-15-03-33-34
#open 2016-07-13-16-12-54
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1331084278.438444 CXWv6p3arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 0.079300 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F
1331084293.592245 CjhGID4nQcgTWjvg4c 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 5.084025 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F
1331084298.593081 CjhGID4nQcgTWjvg4c 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 - txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT - - F F T F 0 - - F
#close 2016-06-15-03-33-34
1331084278.438444 CHhAvVGS1DHFjwGM9 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 0.079300 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F
1331084293.592245 ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 5.084025 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F
1331084298.593081 ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 - txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT - - F F T F 0 - - F
#close 2016-07-13-16-12-54

10
testing/btest/Baseline/core.mpls-in-vlan/conn.log
View file

@ -3,10 +3,10 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-02-23-21-32-33
#open 2016-07-13-16-12-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1371685686.536606 CXWv6p3arKYeMETxOg 65.65.65.65 19244 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 257 0 0 (empty)
1371686961.156859 CjhGID4nQcgTWjvg4c 65.65.65.65 32828 65.65.65.65 80 tcp - - - - OTH - - 0 d 0 0 1 1500 (empty)
1371686961.479321 CCvvfg3TEfuqmmG4bh 65.65.65.65 61193 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 710 0 0 (empty)
#close 2015-02-23-21-32-33
1371685686.536606 CHhAvVGS1DHFjwGM9 65.65.65.65 19244 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 257 0 0 (empty)
1371686961.479321 C4J4Th3PJpwUYZZ6gc 65.65.65.65 61193 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 710 0 0 (empty)
1371686961.156859 ClEkJM2Vm5giqnMf4h 65.65.65.65 32828 65.65.65.65 80 tcp - - - - OTH - - 0 ^d 0 0 1 1500 (empty)
#close 2016-07-13-16-12-55

36
testing/btest/Baseline/core.pcap.dynamic-filter/conn.log
View file

@ -3,23 +3,23 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-02-23-21-32-35
#open 2016-07-13-16-12-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1300475167.096535 CXWv6p3arKYeMETxOg 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty)
1300475168.853899 CCvvfg3TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.854378 CsRx2w45OKnoww6xl4 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.854837 CRJuHdVW0XPVINV8a 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.857956 CPbrpk1qSsw6ESzHV4 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.858306 C6pKV8GSxOnSLghOa 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.858713 CIPOse170MGiRM1Qf4 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.891644 C7XEbhP654jzLoe3a 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.892037 CJ3xTn1c4Zw9TmAE05 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.892414 CMXxB5GvmoxJFXdTa 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.893988 Caby8b1slFea8xwSmb 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.894422 Che1bq3i2rO3KD1Syg 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.894787 C3SfNE4BWaU4aSuwkc 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.901749 CEle3f3zno26fFZkrh 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty)
1300475168.902195 CwSkQu4eWZCH7OONC1 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty)
1300475168.652003 CjhGID4nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp - - - - OTH - - 0 D 1 515 0 0 (empty)
#close 2015-02-23-21-32-35
1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty)
1300475168.853899 C4J4Th3PJpwUYZZ6gc 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.854378 CtPZjS20MLrsMUOJi2 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.854837 CUM0KZ3MLUfNB0cl11 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.857956 CmES5u32sYpV7JYN 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.858306 CP5puj4I8PtEU4qzYg 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.858713 C37jN32gN3y3AZzyf6 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.891644 C3eiCBGOLw3VtHfOj 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.892037 CwjjYJ2WqgTbAqiHl6 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.892414 C0LAHyvtKSQHyJxIl 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.893988 CFLRIC3zaTU1loLGxh 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.894422 C9rXSW3KSpTYvPrlI1 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.894787 Ck51lg1bScffFj34Ri 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.901749 C9mvWx3ezztgzcexV7 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty)
1300475168.902195 CNnMIj2QSd84NKf7U3 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty)
1300475168.652003 ClEkJM2Vm5giqnMf4h 141.142.220.118 35634 208.80.152.2 80 tcp - - - - OTH - - 0 D 1 515 0 0 (empty)
#close 2016-07-13-16-12-55

6
testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-02-23-21-32-46
#open 2016-07-13-16-12-56
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1300475168.892936 CXWv6p3arKYeMETxOg 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty)
#close 2015-02-23-21-32-46
1300475168.892936 CHhAvVGS1DHFjwGM9 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty)
#close 2016-07-13-16-12-56

6
testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2014-08-23-18-29-48
#open 2016-07-13-16-12-56
#fields ts node filter init success
#types time string string bool bool
1408818588.510297 bro port 50000 T T
#close 2014-08-23-18-29-48
1468426376.541368 bro port 50000 T T
#close 2016-07-13-16-12-56

18
testing/btest/Baseline/core.pppoe/conn.log
View file

@ -3,14 +3,14 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-02-23-21-32-47
#open 2016-07-13-16-12-57
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1284385418.014560 CPbrpk1qSsw6ESzHV4 fe80::c801:eff:fe88:8 547 fe80::ce05:eff:fe88:0 546 udp - 0.096000 192 0 S0 - - 0 D 2 288 0 0 (empty)
1284385417.962560 CRJuHdVW0XPVINV8a fe80::ce05:eff:fe88:0 546 ff02::1:2 547 udp - 0.078000 114 0 S0 - - 0 D 2 210 0 0 (empty)
1284385411.091560 CjhGID4nQcgTWjvg4c fe80::c801:eff:fe88:8 136 ff02::1 135 icmp - - - - OTH - - 0 - 1 64 0 0 (empty)
1284385411.035560 CXWv6p3arKYeMETxOg fe80::c801:eff:fe88:8 143 ff02::16 0 icmp - 0.835000 160 0 OTH - - 0 - 8 608 0 0 (empty)
1284385451.658560 C6pKV8GSxOnSLghOa fc00:0:2:100::1:1 128 fc00::1 129 icmp - 0.156000 260 260 OTH - - 0 - 5 500 5 500 (empty)
1284385413.027560 CsRx2w45OKnoww6xl4 fe80::c801:eff:fe88:8 134 fe80::ce05:eff:fe88:0 133 icmp - - - - OTH - - 0 - 1 64 0 0 (empty)
1284385412.963560 CCvvfg3TEfuqmmG4bh fe80::ce05:eff:fe88:0 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 48 0 0 (empty)
#close 2015-02-23-21-32-47
1284385417.962560 CUM0KZ3MLUfNB0cl11 fe80::ce05:eff:fe88:0 546 ff02::1:2 547 udp - 0.078000 114 0 S0 - - 0 D 2 210 0 0 (empty)
1284385418.014560 CmES5u32sYpV7JYN fe80::c801:eff:fe88:8 547 fe80::ce05:eff:fe88:0 546 udp - 0.096000 192 0 S0 - - 0 D 2 288 0 0 (empty)
1284385411.035560 CHhAvVGS1DHFjwGM9 fe80::c801:eff:fe88:8 143 ff02::16 0 icmp - 0.835000 160 0 OTH - - 0 - 8 608 0 0 (empty)
1284385451.658560 CP5puj4I8PtEU4qzYg fc00:0:2:100::1:1 128 fc00::1 129 icmp - 0.156000 260 260 OTH - - 0 - 5 500 5 500 (empty)
1284385412.963560 C4J4Th3PJpwUYZZ6gc fe80::ce05:eff:fe88:0 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 48 0 0 (empty)
1284385413.027560 CtPZjS20MLrsMUOJi2 fe80::c801:eff:fe88:8 134 fe80::ce05:eff:fe88:0 133 icmp - - - - OTH - - 0 - 1 64 0 0 (empty)
1284385411.091560 ClEkJM2Vm5giqnMf4h fe80::c801:eff:fe88:8 136 ff02::1 135 icmp - - - - OTH - - 0 - 1 64 0 0 (empty)
#close 2016-07-13-16-12-57

6
testing/btest/Baseline/core.print-bpf-filters/conn.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-03-30-21-38-30
#open 2016-07-13-16-12-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1278600802.069419 CXWv6p3arKYeMETxOg 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 (empty)
#close 2015-03-30-21-38-30
1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 (empty)
#close 2016-07-13-16-12-59

18
testing/btest/Baseline/core.print-bpf-filters/output
View file

@ -3,28 +3,28 @@
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2015-03-30-21-38-29
#open 2016-07-13-16-12-57
#fields ts node filter init success
#types time string string bool bool
1427751509.034738 bro ip or not ip T T
#close 2015-03-30-21-38-29
1468426377.846975 bro ip or not ip T T
#close 2016-07-13-16-12-57
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2015-03-30-21-38-29
#open 2016-07-13-16-12-58
#fields ts node filter init success
#types time string string bool bool
1427751509.711080 bro port 42 T T
#close 2015-03-30-21-38-29
1468426378.362651 bro port 42 T T
#close 2016-07-13-16-12-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2015-03-30-21-38-30
#open 2016-07-13-16-12-58
#fields ts node filter init success
#types time string string bool bool
1427751510.380510 bro (vlan) and (ip or not ip) T T
#close 2015-03-30-21-38-30
1468426378.944945 bro (vlan) and (ip or not ip) T T
#close 2016-07-13-16-12-59

8
testing/btest/Baseline/core.q-in-q/conn.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-02-23-21-32-51
#open 2016-07-13-16-13-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1363900699.548138 CXWv6p3arKYeMETxOg 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 (empty)
1363900699.549647 CjhGID4nQcgTWjvg4c 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 (empty)
#close 2015-02-23-21-32-51
1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 (empty)
1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 (empty)
#close 2016-07-13-16-13-00

8
testing/btest/Baseline/core.radiotap/conn.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2016-01-19-09-01-31
#open 2016-07-13-16-13-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1439902891.705224 CXWv6p3arKYeMETxOg 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty)
1439903050.580632 CjhGID4nQcgTWjvg4c fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 (empty)
#close 2016-01-19-09-01-31
1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty)
1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 (empty)
#close 2016-07-13-16-13-00

10
testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
View file

@ -3,10 +3,10 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-04-15-23-53-28
#open 2016-07-13-16-13-01
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1395939406.175845 CjhGID4nQcgTWjvg4c 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 (empty)
1395939411.361078 CCvvfg3TEfuqmmG4bh 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 (empty)
1395939399.984671 CXWv6p3arKYeMETxOg 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 (empty)
#close 2015-04-15-23-53-28
1395939406.175845 ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 (empty)
1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 (empty)
1395939399.984671 CHhAvVGS1DHFjwGM9 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 (empty)
#close 2016-07-13-16-13-01

8
testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path files
#open 2015-04-15-23-53-28
#open 2016-07-13-16-13-01
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
1395939406.177079 FAb5m22Dhe2Zi95anf 192.168.56.101 192.168.56.1 CjhGID4nQcgTWjvg4c FTP_DATA 0 DATA_EVENT text/plain - 0.000000 - F 270 - 0 0 F - - - - -
1395939411.364462 FhI0ao2FNTjabdfSBd 192.168.56.101 192.168.56.1 CCvvfg3TEfuqmmG4bh FTP_DATA 0 DATA_EVENT text/plain - 150.490904 - F 23822 - 5416642848 0 F - - - - -
#close 2015-04-15-23-53-28
1395939406.177079 FAb5m22Dhe2Zi95anf 192.168.56.101 192.168.56.1 ClEkJM2Vm5giqnMf4h FTP_DATA 0 DATA_EVENT text/plain - 0.000000 - F 270 - 0 0 F - - - - -
1395939411.364462 FhI0ao2FNTjabdfSBd 192.168.56.101 192.168.56.1 C4J4Th3PJpwUYZZ6gc FTP_DATA 0 DATA_EVENT text/plain - 150.490904 - F 23822 - 5416642848 0 F - - - - -
#close 2016-07-13-16-13-01

6
testing/btest/Baseline/core.tcp.miss-end-data/conn.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-02-23-21-32-57
#open 2016-07-13-16-13-02
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1331764471.664131 CXWv6p3arKYeMETxOg 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafF 5 750 4 172 (empty)
#close 2015-02-23-21-32-57
1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafF 5 750 4 172 (empty)
#close 2016-07-13-16-13-02

10
testing/btest/Baseline/core.tcp.missing-syn/conn.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2016-07-13-17-58-31
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty)
#close 2016-07-13-17-58-31

10
testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2016-07-13-16-13-02
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADadtR 17 1250 22 28961 (empty)
#close 2016-07-13-16-13-03

43
testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log Normal file
View file

@ -0,0 +1,43 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2016-07-13-16-13-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty)
1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 (empty)
1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 (empty)
1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.858306 CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.858713 C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.891644 C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.892037 CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.892414 C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.893988 CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty)
1300475168.894422 C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty)
1300475168.894787 CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty)
1300475168.901749 CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty)
1300475168.902195 CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty)
1300475169.899438 Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 85 0 0 (empty)
1300475170.862384 CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty)
1300475171.675372 CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty)
1300475171.677081 CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty)
1300475173.116749 C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty)
1300475173.117362 CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty)
1300475173.153679 CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - - 0 D 1 78 0 0 (empty)
1300475169.780331 CFSwNi4CNGxcuffo49 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - - 0 ^h 0 0 1 48 (empty)
1300475168.892913 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty)
1300475168.724007 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty)
1300475168.855330 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty)
1300475168.855305 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty)
1300475168.652003 CtPZjS20MLrsMUOJi2 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty)
1300475168.902635 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty)
1300475168.859163 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty)
1300475168.892936 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty)
1300475168.895267 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty)
#close 2016-07-13-16-13-03

20
testing/btest/Baseline/core.tunnels.ayiya/conn.log
View file

@ -3,15 +3,15 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2016-01-15-18-40-13
#open 2016-07-13-16-13-04
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1257655301.595604 CIPOse170MGiRM1Qf4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 tcp http 2.101052 2981 4665 S1 - - 0 ShADad 10 3605 11 5329 CCvvfg3TEfuqmmG4bh
1257655296.585034 CCvvfg3TEfuqmmG4bh 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - - 0 Dd 21 5717 13 6473 (empty)
1257655293.629048 CXWv6p3arKYeMETxOg 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - - 0 d 0 0 1 176 (empty)
1257655296.585333 C6pKV8GSxOnSLghOa :: 135 ff02::1:ff00:2 136 icmp - - - - OTH - - 0 - 1 64 0 0 CCvvfg3TEfuqmmG4bh
1257655293.629048 CjhGID4nQcgTWjvg4c 2001:4978:f:4c::1 128 2001:4978:f:4c::2 129 icmp - 23.834987 168 56 OTH - - 0 - 3 312 1 104 CXWv6p3arKYeMETxOg,CCvvfg3TEfuqmmG4bh
1257655296.585188 CPbrpk1qSsw6ESzHV4 fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff00:2 130 icmp - 0.919988 32 0 OTH - - 0 - 2 144 0 0 CCvvfg3TEfuqmmG4bh
1257655296.585151 CRJuHdVW0XPVINV8a fe80::216:cbff:fe9a:4cb9 131 ff02::2:f901:d225 130 icmp - 0.719947 32 0 OTH - - 0 - 2 144 0 0 CCvvfg3TEfuqmmG4bh
1257655296.585034 CsRx2w45OKnoww6xl4 fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff9a:4cb9 130 icmp - 4.922880 32 0 OTH - - 0 - 2 144 0 0 CCvvfg3TEfuqmmG4bh
#close 2016-01-15-18-40-13
1257655301.595604 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 tcp http 2.101052 2981 4665 S1 - - 0 ShADad 10 3605 11 5329 C4J4Th3PJpwUYZZ6gc
1257655296.585034 C4J4Th3PJpwUYZZ6gc 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - - 0 Dd 21 5717 13 6473 (empty)
1257655293.629048 CHhAvVGS1DHFjwGM9 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - - 0 ^d 0 0 1 176 (empty)
1257655296.585333 CP5puj4I8PtEU4qzYg :: 135 ff02::1:ff00:2 136 icmp - - - - OTH - - 0 - 1 64 0 0 C4J4Th3PJpwUYZZ6gc
1257655296.585151 CUM0KZ3MLUfNB0cl11 fe80::216:cbff:fe9a:4cb9 131 ff02::2:f901:d225 130 icmp - 0.719947 32 0 OTH - - 0 - 2 144 0 0 C4J4Th3PJpwUYZZ6gc
1257655296.585034 CtPZjS20MLrsMUOJi2 fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff9a:4cb9 130 icmp - 4.922880 32 0 OTH - - 0 - 2 144 0 0 C4J4Th3PJpwUYZZ6gc
1257655293.629048 ClEkJM2Vm5giqnMf4h 2001:4978:f:4c::1 128 2001:4978:f:4c::2 129 icmp - 23.834987 168 56 OTH - - 0 - 3 312 1 104 CHhAvVGS1DHFjwGM9,C4J4Th3PJpwUYZZ6gc
1257655296.585188 CmES5u32sYpV7JYN fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff00:2 130 icmp - 0.919988 32 0 OTH - - 0 - 2 144 0 0 C4J4Th3PJpwUYZZ6gc
#close 2016-07-13-16-13-04

10
testing/btest/Baseline/core.tunnels.ayiya/http.log
View file

@ -3,10 +3,10 @@
#empty_field (empty)
#unset_field -
#path http
#open 2016-06-15-05-35-59
#open 2016-07-13-16-13-04
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1257655301.652206 CIPOse170MGiRM1Qf4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - (empty) - - - - - - FYAtjT24MvCBUs5K5f - text/html
1257655302.514424 CIPOse170MGiRM1Qf4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - (empty) - - - - - - - - -
1257655303.603569 CIPOse170MGiRM1Qf4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - (empty) - - - - - - - - -
#close 2016-06-15-05-35-59
1257655301.652206 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - (empty) - - - - - - FYAtjT24MvCBUs5K5f - text/html
1257655302.514424 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - (empty) - - - - - - - - -
1257655303.603569 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ 1.1 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - (empty) - - - - - - - - -
#close 2016-07-13-16-13-04

12
testing/btest/Baseline/core.tunnels.ayiya/tunnel.log
View file

@ -3,11 +3,11 @@
#empty_field (empty)
#unset_field -
#path tunnel
#open 2016-01-15-18-40-13
#open 2016-07-13-16-13-04
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1257655293.629048 CXWv6p3arKYeMETxOg 192.168.3.101 53796 216.14.98.22 5072 Tunnel::AYIYA Tunnel::DISCOVER
1257655296.585034 CCvvfg3TEfuqmmG4bh 192.168.3.101 53859 216.14.98.22 5072 Tunnel::AYIYA Tunnel::DISCOVER
1257655317.464035 CCvvfg3TEfuqmmG4bh 192.168.3.101 53859 216.14.98.22 5072 Tunnel::AYIYA Tunnel::CLOSE
1257655317.464035 CXWv6p3arKYeMETxOg 192.168.3.101 53796 216.14.98.22 5072 Tunnel::AYIYA Tunnel::CLOSE
#close 2016-01-15-18-40-13
1257655293.629048 CHhAvVGS1DHFjwGM9 192.168.3.101 53796 216.14.98.22 5072 Tunnel::AYIYA Tunnel::DISCOVER
1257655296.585034 C4J4Th3PJpwUYZZ6gc 192.168.3.101 53859 216.14.98.22 5072 Tunnel::AYIYA Tunnel::DISCOVER
1257655317.464035 C4J4Th3PJpwUYZZ6gc 192.168.3.101 53859 216.14.98.22 5072 Tunnel::AYIYA Tunnel::CLOSE
1257655317.464035 CHhAvVGS1DHFjwGM9 192.168.3.101 53796 216.14.98.22 5072 Tunnel::AYIYA Tunnel::CLOSE
#close 2016-07-13-16-13-04

10
testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log
View file

@ -3,10 +3,10 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-02-23-21-33-06
#open 2016-07-13-16-13-05
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1341436440.002928 CRJuHdVW0XPVINV8a 3.3.3.2 520 224.0.0.9 520 udp - 26.148268 48 0 S0 - - 0 D 2 104 0 0 CjhGID4nQcgTWjvg4c
1341436424.378840 CsRx2w45OKnoww6xl4 3.3.3.1 520 224.0.0.9 520 udp - 28.555457 168 0 S0 - - 0 D 2 224 0 0 CjhGID4nQcgTWjvg4c
1341436424.204043 CCvvfg3TEfuqmmG4bh 10.10.25.1 8 192.168.1.2 0 icmp - 42.380221 22464 22464 OTH - - 0 - 312 31200 312 31200 CjhGID4nQcgTWjvg4c
#close 2015-02-23-21-33-06
1341436424.378840 CtPZjS20MLrsMUOJi2 3.3.3.1 520 224.0.0.9 520 udp - 28.555457 168 0 S0 - - 0 D 2 224 0 0 ClEkJM2Vm5giqnMf4h
1341436440.002928 CUM0KZ3MLUfNB0cl11 3.3.3.2 520 224.0.0.9 520 udp - 26.148268 48 0 S0 - - 0 D 2 104 0 0 ClEkJM2Vm5giqnMf4h
1341436424.204043 C4J4Th3PJpwUYZZ6gc 10.10.25.1 8 192.168.1.2 0 icmp - 42.380221 22464 22464 OTH - - 0 - 312 31200 312 31200 ClEkJM2Vm5giqnMf4h
#close 2016-07-13-16-13-05

8
testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path tunnel
#open 2014-01-16-21-51-36
#open 2016-07-13-16-13-05
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1341436424.204043 CXWv6p3arKYeMETxOg 72.205.54.70 0 86.106.164.150 0 Tunnel::GRE Tunnel::DISCOVER
1341436424.204043 CjhGID4nQcgTWjvg4c 10.10.11.2 0 10.10.13.2 0 Tunnel::GRE Tunnel::DISCOVER
#close 2014-01-16-21-51-36
1341436424.204043 CHhAvVGS1DHFjwGM9 72.205.54.70 0 86.106.164.150 0 Tunnel::GRE Tunnel::DISCOVER
1341436424.204043 ClEkJM2Vm5giqnMf4h 10.10.11.2 0 10.10.13.2 0 Tunnel::GRE Tunnel::DISCOVER
#close 2016-07-13-16-13-05

18
testing/btest/Baseline/core.tunnels.gre/conn.log
View file

@ -3,14 +3,14 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-02-23-21-33-05
#open 2016-07-13-16-13-04
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1055289978.756932 CsRx2w45OKnoww6xl4 66.59.111.190 40264 172.28.2.3 22 tcp ssh 3.157831 952 1671 SF - - 0 ShAdDaFf 12 1584 10 2199 CXWv6p3arKYeMETxOg
1055289987.055189 CRJuHdVW0XPVINV8a 66.59.111.190 37675 172.28.2.3 53 udp dns 5.001141 66 0 S0 - - 0 D 2 122 0 0 CXWv6p3arKYeMETxOg
1055289996.849099 CIPOse170MGiRM1Qf4 66.59.111.190 123 129.170.17.4 123 udp - 0.072374 48 48 SF - - 0 Dd 1 76 1 76 CXWv6p3arKYeMETxOg
1055289973.849878 CCvvfg3TEfuqmmG4bh 66.59.111.190 123 18.26.4.105 123 udp - 0.074086 48 48 SF - - 0 Dd 1 76 1 76 CXWv6p3arKYeMETxOg
1055289992.849231 C6pKV8GSxOnSLghOa 66.59.111.190 123 66.59.111.182 123 udp - 0.056629 48 48 SF - - 0 Dd 1 76 1 76 CXWv6p3arKYeMETxOg
1055289968.793044 CjhGID4nQcgTWjvg4c 66.59.111.190 8 172.28.2.3 0 icmp - 3.061298 224 224 OTH - - 0 - 4 336 4 336 CXWv6p3arKYeMETxOg
1055289987.106744 CPbrpk1qSsw6ESzHV4 172.28.2.3 3 66.59.111.190 3 icmp - 4.994662 122 0 OTH - - 0 - 2 178 0 0 CXWv6p3arKYeMETxOg
#close 2015-02-23-21-33-05
1055289978.756932 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 tcp ssh 3.157831 952 1671 SF - - 0 ShAdDaFf 12 1584 10 2199 CHhAvVGS1DHFjwGM9
1055289987.055189 CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp dns 5.001141 66 0 S0 - - 0 D 2 122 0 0 CHhAvVGS1DHFjwGM9
1055289973.849878 C4J4Th3PJpwUYZZ6gc 66.59.111.190 123 18.26.4.105 123 udp - 0.074086 48 48 SF - - 0 Dd 1 76 1 76 CHhAvVGS1DHFjwGM9
1055289992.849231 CP5puj4I8PtEU4qzYg 66.59.111.190 123 66.59.111.182 123 udp - 0.056629 48 48 SF - - 0 Dd 1 76 1 76 CHhAvVGS1DHFjwGM9
1055289996.849099 C37jN32gN3y3AZzyf6 66.59.111.190 123 129.170.17.4 123 udp - 0.072374 48 48 SF - - 0 Dd 1 76 1 76 CHhAvVGS1DHFjwGM9
1055289968.793044 ClEkJM2Vm5giqnMf4h 66.59.111.190 8 172.28.2.3 0 icmp - 3.061298 224 224 OTH - - 0 - 4 336 4 336 CHhAvVGS1DHFjwGM9
1055289987.106744 CmES5u32sYpV7JYN 172.28.2.3 3 66.59.111.190 3 icmp - 4.994662 122 0 OTH - - 0 - 2 178 0 0 CHhAvVGS1DHFjwGM9
#close 2016-07-13-16-13-05

Some files were not shown because too many files have changed in this diff Show more