From dac96a6be3fc872c7c1e8158391e9015c7766d27 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@corelight.com>
Date: Wed, 29 Apr 2020 11:22:42 -0400
Subject: [PATCH] Fixes a small bug in one signature with a duplicate name.

Also update a single failing test.
---
 .../frameworks/files/magic/executable.sig     |  2 +-
 testing/btest/Baseline/plugins.hooks/output   | 29 ++++++++++++-------
 2 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/scripts/base/frameworks/files/magic/executable.sig b/scripts/base/frameworks/files/magic/executable.sig
index af734169bc..b1dae5db8b 100644
--- a/scripts/base/frameworks/files/magic/executable.sig
+++ b/scripts/base/frameworks/files/magic/executable.sig
@@ -62,7 +62,7 @@ signature file-pyc-3-0 {
 
 
 # Python 3.1 bytecode
-signature file-pyc-3-2 {
+signature file-pyc-3-1 {
 	file-magic /^[\x45\x4f]\x0c\x0d\x0a/
 	file-mime "application/x-python-bytecode", 80
 }
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 7191af1720..52468ecb70 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -282,7 +282,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1587426643.829865, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1588173740.207808, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -463,7 +463,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1587426643.829865, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1588173740.207808, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -905,11 +905,14 @@
 0.000000   MetaHookPost  LoadFile(1, .<...>/archive.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, .<...>/audio.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, .<...>/dpd.sig) -> -1
+0.000000   MetaHookPost  LoadFile(1, .<...>/executable.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, .<...>/font.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, .<...>/general.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, .<...>/image.sig) -> -1
+0.000000   MetaHookPost  LoadFile(1, .<...>/java.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, .<...>/libmagic.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, .<...>/msoffice.sig) -> -1
+0.000000   MetaHookPost  LoadFile(1, .<...>/office.sig) -> -1
+0.000000   MetaHookPost  LoadFile(1, .<...>/programming.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, .<...>/video.sig) -> -1
 0.000000   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> <void>
 0.000000   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>) -> true
@@ -1200,7 +1203,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1587426643.829865, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1588173740.207808, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1381,7 +1384,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1587426643.829865, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1588173740.207808, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1823,11 +1826,14 @@
 0.000000   MetaHookPre   LoadFile(1, .<...>/archive.sig)
 0.000000   MetaHookPre   LoadFile(1, .<...>/audio.sig)
 0.000000   MetaHookPre   LoadFile(1, .<...>/dpd.sig)
+0.000000   MetaHookPre   LoadFile(1, .<...>/executable.sig)
 0.000000   MetaHookPre   LoadFile(1, .<...>/font.sig)
 0.000000   MetaHookPre   LoadFile(1, .<...>/general.sig)
 0.000000   MetaHookPre   LoadFile(1, .<...>/image.sig)
+0.000000   MetaHookPre   LoadFile(1, .<...>/java.sig)
 0.000000   MetaHookPre   LoadFile(1, .<...>/libmagic.sig)
-0.000000   MetaHookPre   LoadFile(1, .<...>/msoffice.sig)
+0.000000   MetaHookPre   LoadFile(1, .<...>/office.sig)
+0.000000   MetaHookPre   LoadFile(1, .<...>/programming.sig)
 0.000000   MetaHookPre   LoadFile(1, .<...>/video.sig)
 0.000000   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)})
 0.000000   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>)
@@ -2117,7 +2123,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1587426643.829865, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1588173740.207808, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2298,7 +2304,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1587426643.829865, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1588173740.207808, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2573,6 +2579,7 @@
 0.000000 | HookLoadFile  .<...>/entities.zeek
 0.000000 | HookLoadFile  .<...>/event.bif.zeek
 0.000000 | HookLoadFile  .<...>/exec.zeek
+0.000000 | HookLoadFile  .<...>/executable.sig
 0.000000 | HookLoadFile  .<...>/file_analysis.bif.zeek
 0.000000 | HookLoadFile  .<...>/files.zeek
 0.000000 | HookLoadFile  .<...>/font.sig
@@ -2585,6 +2592,7 @@
 0.000000 | HookLoadFile  .<...>/info.zeek
 0.000000 | HookLoadFile  .<...>/input.bif.zeek
 0.000000 | HookLoadFile  .<...>/input.zeek
+0.000000 | HookLoadFile  .<...>/java.sig
 0.000000 | HookLoadFile  .<...>/last.zeek
 0.000000 | HookLoadFile  .<...>/libmagic.sig
 0.000000 | HookLoadFile  .<...>/log.zeek
@@ -2595,10 +2603,10 @@
 0.000000 | HookLoadFile  .<...>/messaging.bif.zeek
 0.000000 | HookLoadFile  .<...>/min.zeek
 0.000000 | HookLoadFile  .<...>/mozilla-ca-list.zeek
-0.000000 | HookLoadFile  .<...>/msoffice.sig
 0.000000 | HookLoadFile  .<...>/netstats.zeek
 0.000000 | HookLoadFile  .<...>/non-cluster.zeek
 0.000000 | HookLoadFile  .<...>/none.zeek
+0.000000 | HookLoadFile  .<...>/office.sig
 0.000000 | HookLoadFile  .<...>/openflow.zeek
 0.000000 | HookLoadFile  .<...>/option.bif.zeek
 0.000000 | HookLoadFile  .<...>/packetfilter.zeek
@@ -2611,6 +2619,7 @@
 0.000000 | HookLoadFile  .<...>/pools.zeek
 0.000000 | HookLoadFile  .<...>/postprocessors
 0.000000 | HookLoadFile  .<...>/pp-alarms.zeek
+0.000000 | HookLoadFile  .<...>/programming.sig
 0.000000 | HookLoadFile  .<...>/raw.zeek
 0.000000 | HookLoadFile  .<...>/reporter.bif.zeek
 0.000000 | HookLoadFile  .<...>/ryu.zeek
@@ -2747,7 +2756,7 @@
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLoadFile  base<...>/zeek.bif.zeek
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1587426643.829865, node=zeek, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1588173740.207808, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()