From dc0ecf98111ac6eb199163540cd61af2c569a080 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 27 Aug 2021 14:49:15 -0700 Subject: [PATCH] Add Teredo packet analyzer, disable old analyzer --- scripts/base/frameworks/tunnels/main.zeek | 4 +- scripts/base/packet-protocols/__load__.zeek | 1 + .../packet-protocols/teredo/__load__.zeek | 1 + .../base/packet-protocols/teredo/main.zeek | 28 ++ scripts/base/protocols/tunnels/dpd.sig | 6 - src/IPAddr.cc | 107 +++++-- src/IPAddr.h | 18 +- src/RE.h | 4 +- src/analyzer/protocol/CMakeLists.txt | 2 +- src/packet_analysis/protocol/CMakeLists.txt | 1 + .../protocol/teredo/CMakeLists.txt | 7 + src/packet_analysis/protocol/teredo/Plugin.cc | 26 ++ src/packet_analysis/protocol/teredo/Teredo.cc | 280 ++++++++++++++++++ src/packet_analysis/protocol/teredo/Teredo.h | 106 +++++++ .../protocol/teredo/events.bif | 55 ++++ .../protocol/teredo/functions.bif | 20 ++ src/session/Manager.cc | 43 +-- .../canonified_loaded_scripts.log | 5 +- .../canonified_loaded_scripts.log | 5 +- testing/btest/Baseline/plugins.hooks/output | 45 ++- .../alarm-mail.txt | 2 +- .../Baseline/signatures.dpd/dpd-ipv4.out | 2 +- .../Baseline/signatures.dpd/dpd-ipv6.out | 2 +- .../Baseline/signatures.dpd/nosig-ipv4.out | 2 +- .../Baseline/signatures.dpd/nosig-ipv6.out | 2 +- 25 files changed, 683 insertions(+), 91 deletions(-) create mode 100644 scripts/base/packet-protocols/teredo/__load__.zeek create mode 100644 scripts/base/packet-protocols/teredo/main.zeek create mode 100644 src/packet_analysis/protocol/teredo/CMakeLists.txt create mode 100644 src/packet_analysis/protocol/teredo/Plugin.cc create mode 100644 src/packet_analysis/protocol/teredo/Teredo.cc create mode 100644 src/packet_analysis/protocol/teredo/Teredo.h create mode 100644 src/packet_analysis/protocol/teredo/events.bif create mode 100644 src/packet_analysis/protocol/teredo/functions.bif 
diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek index 11b7a90470..7cf4f82e40 100644 --- a/scripts/base/frameworks/tunnels/main.zeek +++ b/scripts/base/frameworks/tunnels/main.zeek @@ -90,15 +90,13 @@ export { global finalize_tunnel: Conn::RemovalHook; } -const teredo_ports = { 3544/udp }; const gtpv1_ports = { 2152/udp, 2123/udp }; -redef likely_server_ports += { teredo_ports, gtpv1_ports }; +redef likely_server_ports += { gtpv1_ports }; event zeek_init() &priority=5 { Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]); - Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports); } diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index 312db9f3b0..f82027f6d1 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek @@ -24,3 +24,4 @@ @load base/packet-protocols/ayiya @load base/packet-protocols/geneve @load base/packet-protocols/vxlan +@load base/packet-protocols/teredo diff --git a/scripts/base/packet-protocols/teredo/__load__.zeek b/scripts/base/packet-protocols/teredo/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/packet-protocols/teredo/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/packet-protocols/teredo/main.zeek b/scripts/base/packet-protocols/teredo/main.zeek new file mode 100644 index 0000000000..5bba5c9243 --- /dev/null +++ b/scripts/base/packet-protocols/teredo/main.zeek 
@@ -0,0 +1,28 @@ +module PacketAnalyzer::TEREDO; + +# This needs to be loaded here so the functions are available. Function BIFs normally aren't +# loaded until after the packet analysis init scripts are run, and then zeek complains it +# can't find the function. +@load base/bif/plugins/Zeek_Teredo.functions.bif + +# Needed for port registration for BPF +@load base/frameworks/analyzer/main + +export { + ## Default analyzer + const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; +} + +const teredo_ports = { 3544/udp }; +redef likely_server_ports += { teredo_ports }; + +event zeek_init() &priority=20 + { + PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO); + PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, teredo_ports); + } + +event connection_state_remove(c: connection) + { + remove_teredo_connection(c$id); + } diff --git a/scripts/base/protocols/tunnels/dpd.sig b/scripts/base/protocols/tunnels/dpd.sig index 552e0c9170..d4d3b533bc 100644 --- a/scripts/base/protocols/tunnels/dpd.sig +++ b/scripts/base/protocols/tunnels/dpd.sig @@ -1,8 +1,2 @@ # Provide DPD signatures for tunneling protocols that otherwise # wouldn't be detected at all. - -signature dpd_teredo { - ip-proto = udp - payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/ - enable "teredo" -} diff --git a/src/IPAddr.cc b/src/IPAddr.cc index a957ce4d10..5cb3f4a998 100644 --- a/src/IPAddr.cc +++ b/src/IPAddr.cc 
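Review bot: The `connection_state_remove` handler at the end of the new main.zeek calls `remove_teredo_connection(c$id)` for every connection Zeek tears down, not only UDP ones, so each TCP/ICMP removal pays a BIF call plus a map lookup in the Teredo analyzer for a key that cannot be present there. Since the analyzer is only reachable through the UDP registration a few lines above, a cheap guard keeps the work to candidates: `if ( is_udp_port(c$id$resp_p) ) remove_teredo_connection(c$id);`. The handler also deserves a why-comment, as it is the only visible cleanup path for the analyzer's per-connection state: `# Drop the C++ analyzer's per-connection orig/resp validity state; nothing else frees it.`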
@@ -24,8 +24,93 @@ namespace detail ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, TransportProto t, bool one_way) - : transport(t) { + Init(src, dst, src_port, dst_port, t, one_way); + } + +ConnKey::ConnKey(const ConnTuple& id) + { + Init(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.proto, id.is_one_way); + } + +ConnKey& ConnKey::operator=(const ConnKey& rhs) + { + if ( this == &rhs ) + return *this; + + // Because of padding in the object, this needs to memset to clear out + // the extra memory used by padding. Otherwise, the session key stuff + // doesn't work quite right. + memset(this, 0, sizeof(ConnKey)); + + memcpy(&ip1, &rhs.ip1, sizeof(in6_addr)); + memcpy(&ip2, &rhs.ip2, sizeof(in6_addr)); + port1 = rhs.port1; + port2 = rhs.port2; + transport = rhs.transport; + valid = rhs.valid; + + return *this; + } + +ConnKey::ConnKey(Val* v) + { + const auto& vt = v->GetType(); + if ( ! IsRecord(vt->Tag()) ) + { + valid = false; + return; + } + + RecordType* vr = vt->AsRecordType(); + auto vl = v->As(); + + int orig_h, orig_p; // indices into record's value list + int resp_h, resp_p; + + if ( vr == id::conn_id ) + { + orig_h = 0; + orig_p = 1; + resp_h = 2; + resp_p = 3; + } + else + { + // While it's not a conn_id, it may have equivalent fields. + orig_h = vr->FieldOffset("orig_h"); + resp_h = vr->FieldOffset("resp_h"); + orig_p = vr->FieldOffset("orig_p"); + resp_p = vr->FieldOffset("resp_p"); + + if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 ) + { + valid = false; + return; + } + + // ### we ought to check that the fields have the right + // types, too. 
+ } + + const IPAddr& orig_addr = vl->GetFieldAs(orig_h); + const IPAddr& resp_addr = vl->GetFieldAs(resp_h); + + auto orig_portv = vl->GetFieldAs(orig_p); + auto resp_portv = vl->GetFieldAs(resp_p); + + Init(orig_addr, resp_addr, htons((unsigned short)orig_portv->Port()), + htons((unsigned short)resp_portv->Port()), orig_portv->PortType(), false); + } + +void ConnKey::Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, + TransportProto t, bool one_way) + { + // Because of padding in the object, this needs to memset to clear out + // the extra memory used by padding. Otherwise, the session key stuff + // doesn't work quite right. + memset(this, 0, sizeof(ConnKey)); + // Lookup up connection based on canonical ordering, which is // the smaller of and // followed by the other. @@ -43,25 +128,9 @@ ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16 port1 = dst_port; port2 = src_port; } - } -ConnKey::ConnKey(const ConnTuple& id) - : ConnKey(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.proto, id.is_one_way) - { - } - -ConnKey& ConnKey::operator=(const ConnKey& rhs) - { - if ( this == &rhs ) - return *this; - - memcpy(&ip1, &rhs.ip1, sizeof(in6_addr)); - memcpy(&ip2, &rhs.ip2, sizeof(in6_addr)); - port1 = rhs.port1; - port2 = rhs.port2; - transport = rhs.transport; - - return *this; + transport = t; + valid = true; } } // namespace detail diff --git a/src/IPAddr.h b/src/IPAddr.h index 6295e7af1d..ea4ed9ac08 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h 
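Review bot: In `ConnKey::ConnKey(Val* v)` the two early `valid = false; return;` paths skip the `memset` that `Init()` and `operator=` perform, so `ip1`/`ip2` (which have no in-class initializer in IPAddr.h) and the padding bytes stay indeterminate; `FindConnection(Val*)` does check `valid` first, but any `memcmp`-based comparison or map insertion of such a key would read uninitialized memory. Moving `memset(this, 0, sizeof(ConnKey));` to the first line of the `Val*` constructor closes that. The carried-over `### we ought to check that the fields have the right types` TODO is more exposed now that this constructor is the single entry point for script-supplied records: a record that merely has fields named `orig_h`/`orig_p` of the wrong type reaches `GetFieldAs` unchecked, and a type-tag check on the four fields that sets `valid = false` on mismatch is only a few lines. Separately, `memset(this, …)` on a class with a user-provided copy constructor and assignment operator is likely to trigger gcc's `-Wclass-memaccess`; `memset(static_cast<void*>(this), 0, sizeof(ConnKey));` keeps the intent and silences it.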
@@ -17,24 +17,28 @@ namespace zeek class String; struct ConnTuple; +class Val; namespace detail { class HashKey; -struct ConnKey +class ConnKey { +public: in6_addr ip1; in6_addr ip2; - uint16_t port1; - uint16_t port2; - TransportProto transport; + uint16_t port1 = 0; + uint16_t port2 = 0; + TransportProto transport = TRANSPORT_UNKNOWN; + bool valid = true; ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, TransportProto t, bool one_way); ConnKey(const ConnTuple& conn); ConnKey(const ConnKey& rhs) { *this = rhs; } + ConnKey(Val* v); bool operator<(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) < 0; } bool operator<=(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) <= 0; } @@ -44,6 +48,10 @@ struct ConnKey bool operator>(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) > 0; } ConnKey& operator=(const ConnKey& rhs); + +private: + void Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, + TransportProto t, bool one_way); }; using ConnIDKey [[deprecated("Remove in v5.1. Use zeek::detail::ConnKey.")]] = ConnKey; @@ -430,7 +438,7 @@ public: static const IPAddr v6_unspecified; private: - friend struct detail::ConnKey; + friend class detail::ConnKey; friend class IPPrefix; /** diff --git a/src/RE.h b/src/RE.h index c9461685d5..06fdd5f391 100644 --- a/src/RE.h +++ b/src/RE.h @@ -109,6 +109,7 @@ public: // in an attempt to match at least one character. int Match(const char* s); int Match(const String* s); + int Match(const u_char* bv, int n); int LongestMatch(const char* s); int LongestMatch(const String* s); @@ -136,7 +137,6 @@ protected: void AddPat(const char* pat, const char* orig_fmt, const char* app_fmt); bool MatchAll(const u_char* bv, int n); - int Match(const u_char* bv, int n); match_type mt; int multiline; 
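Review bot: `ConnKey(Val* v);` is a single-argument constructor left implicit, so any `Val*` (or derived pointer) now silently converts to a `ConnKey` wherever a `const ConnKey&` is expected; declare it `explicit ConnKey(Val* v);`. The new `valid` flag is part of what the `memcmp`-based `operator<`/`operator==` compare, yet it carries no comment; I would document its contract above the member: `// False only for keys built from a Val that is not a conn_id-shaped record; such keys must not be compared, hashed, or used for lookups.` It would also help to note on the comparison operators that they rely on `Init()`/`operator=` zeroing padding, since that invariant is what the memset comment in IPAddr.cc is about and nothing in this header states it.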
@@ -228,6 +228,8 @@ public: int MatchPrefix(const String* s) { return re_exact->LongestMatch(s); } int MatchPrefix(const u_char* s, int n) { return re_exact->LongestMatch(s, n); } + bool Match(const u_char* s, int n) { return re_anywhere->Match(s, n); } + const char* PatternText() const { return re_exact->PatternText(); } const char* AnywherePatternText() const { return re_anywhere->PatternText(); } diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index d6b42fa28e..bbc5048718 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -41,7 +41,7 @@ add_subdirectory(ssh) add_subdirectory(ssl) add_subdirectory(syslog) add_subdirectory(tcp) -add_subdirectory(teredo) +#add_subdirectory(teredo) #add_subdirectory(vxlan) add_subdirectory(xmpp) add_subdirectory(zip) diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index 53a1d8e161..f4c3490963 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt @@ -25,3 +25,4 @@ add_subdirectory(iptunnel) add_subdirectory(ayiya) add_subdirectory(geneve) add_subdirectory(vxlan) +add_subdirectory(teredo) diff --git a/src/packet_analysis/protocol/teredo/CMakeLists.txt b/src/packet_analysis/protocol/teredo/CMakeLists.txt new file mode 100644 index 0000000000..949d4beaf7 --- /dev/null +++ b/src/packet_analysis/protocol/teredo/CMakeLists.txt @@ -0,0 +1,7 @@ +include(ZeekPlugin) + +zeek_plugin_begin(Zeek Teredo) +zeek_plugin_cc(Teredo.cc Plugin.cc) +zeek_plugin_bif(events.bif) +zeek_plugin_bif(functions.bif) +zeek_plugin_end() diff --git a/src/packet_analysis/protocol/teredo/Plugin.cc b/src/packet_analysis/protocol/teredo/Plugin.cc new file mode 100644 index 0000000000..a4f6782458 --- /dev/null +++ b/src/packet_analysis/protocol/teredo/Plugin.cc 
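Review bot: The new `bool Match(const u_char* s, int n)` takes the length as `int`, and its only caller in this patch (`TeredoAnalyzer::DetectProtocol`) passes a `size_t len`, so the length is silently narrowed; a packet payload will not exceed `INT_MAX` in practice, but nothing visible guards the matcher against a negative `n`. Since `RE_Matcher::Match(const u_char*, int)` is an existing signature that the earlier hunk only re-exposes, the cheapest fix is at the call site: `if ( len > INT_MAX || ! pattern_re->Match(data, static_cast<int>(len)) ) return false;`. A one-line comment separating this from `MatchPrefix` would also help: `// Unanchored match anywhere in the buffer (re_anywhere), unlike MatchPrefix which uses re_exact.`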
@@ -0,0 +1,26 @@ +// See the file in the main distribution directory for copyright. + +#include "zeek/plugin/Plugin.h" + +#include "zeek/packet_analysis/Component.h" +#include "zeek/packet_analysis/protocol/teredo/Teredo.h" + +namespace zeek::plugin::detail::Zeek_Teredo + { + +class Plugin : public zeek::plugin::Plugin + { +public: + zeek::plugin::Configuration Configure() override + { + AddComponent(new zeek::packet_analysis::Component( + "Teredo", zeek::packet_analysis::teredo::TeredoAnalyzer::Instantiate)); + + zeek::plugin::Configuration config; + config.name = "Zeek::Teredo"; + config.description = "Teredo packet analyzer"; + return config; + } + } plugin; + + } // namespace zeek::plugin::detail::Zeek_Teredo diff --git a/src/packet_analysis/protocol/teredo/Teredo.cc b/src/packet_analysis/protocol/teredo/Teredo.cc new file mode 100644 index 0000000000..fc755be951 --- /dev/null +++ b/src/packet_analysis/protocol/teredo/Teredo.cc 
@@ -0,0 +1,280 @@ +#include "zeek/packet_analysis/protocol/teredo/Teredo.h" + +#include "zeek/Conn.h" +#include "zeek/IP.h" +#include "zeek/RE.h" +#include "zeek/Reporter.h" +#include "zeek/RunState.h" +#include "zeek/TunnelEncapsulation.h" +#include "zeek/ZeekString.h" +#include "zeek/packet_analysis/protocol/ip/IP.h" +#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h" +#include "zeek/packet_analysis/protocol/teredo/events.bif.h" + +namespace zeek::packet_analysis::teredo + { + +namespace detail + { + +bool TeredoEncapsulation::DoParse(const u_char* data, size_t& len, bool found_origin, + bool found_auth) + { + if ( len < 2 ) + { + Weird("truncated_Teredo"); + return false; + } + + uint16_t tag = ntohs((*((const uint16_t*)data))); + + if ( tag == 0 ) + { + // Origin Indication + if ( found_origin ) + // can't have multiple origin indications + return false; + + if ( len < 8 ) + { + Weird("truncated_Teredo_origin_indication"); + return false; + } + + origin_indication = data; + len -= 8; + data += 8; + return DoParse(data, len, true, found_auth); + } + + else if ( tag == 1 ) + { + // Authentication + if ( found_origin || found_auth ) + // can't have multiple authentication headers and can't come after + // an origin indication + return false; + + if ( len < 4 ) + { + Weird("truncated_Teredo_authentication"); + return false; + } + + uint8_t id_len = data[2]; + uint8_t au_len = data[3]; + uint16_t tot_len = 4 + id_len + au_len + 8 + 1; + + if ( len < tot_len ) + { + Weird("truncated_Teredo_authentication"); + return false; + } + + auth = data; + len -= tot_len; + data += tot_len; + return DoParse(data, len, found_origin, true); + } + + else if ( ((tag & 0xf000) >> 12) == 6 ) + { + // IPv6 + if ( len < 40 ) + { + Weird("truncated_IPv6_in_Teredo"); + return false; + } + + // There's at least a possible IPv6 header, we'll decide what to do + // later if the payload length field doesn't match the actual length + // of the packet. 
+ inner_ip = data; + return true; + } + + return false; + } + +RecordValPtr TeredoEncapsulation::BuildVal(const std::shared_ptr& inner) const + { + static auto teredo_hdr_type = id::find_type("teredo_hdr"); + static auto teredo_auth_type = id::find_type("teredo_auth"); + static auto teredo_origin_type = id::find_type("teredo_origin"); + + auto teredo_hdr = make_intrusive(teredo_hdr_type); + + if ( auth ) + { + auto teredo_auth = make_intrusive(teredo_auth_type); + uint8_t id_len = *((uint8_t*)(auth + 2)); + uint8_t au_len = *((uint8_t*)(auth + 3)); + uint64_t nonce = ntohll(*((uint64_t*)(auth + 4 + id_len + au_len))); + uint8_t conf = *((uint8_t*)(auth + 4 + id_len + au_len + 8)); + teredo_auth->Assign(0, new String(auth + 4, id_len, true)); + teredo_auth->Assign(1, new String(auth + 4 + id_len, au_len, true)); + teredo_auth->Assign(2, nonce); + teredo_auth->Assign(3, conf); + teredo_hdr->Assign(0, std::move(teredo_auth)); + } + + if ( origin_indication ) + { + auto teredo_origin = make_intrusive(teredo_origin_type); + uint16_t port = ntohs(*((uint16_t*)(origin_indication + 2))) ^ 0xFFFF; + uint32_t addr = ntohl(*((uint32_t*)(origin_indication + 4))) ^ 0xFFFFFFFF; + teredo_origin->Assign(0, val_mgr->Port(port, TRANSPORT_UDP)); + teredo_origin->Assign(1, make_intrusive(htonl(addr))); + teredo_hdr->Assign(1, std::move(teredo_origin)); + } + + teredo_hdr->Assign(2, inner->ToPktHdrVal()); + return teredo_hdr; + } + + } // namespace detail + +TeredoAnalyzer::TeredoAnalyzer() : zeek::packet_analysis::Analyzer("TEREDO") + { + // The pattern matching below is based on this old DPD signature + // signature dpd_teredo { + // ip-proto = udp + // payload + // /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/ + // enable "teredo" + // } + + pattern_re = std::make_unique(zeek::detail::MATCH_EXACTLY, + 1); + pattern_re->AddPat("^(\\x00\\x00)|(\\x00\\x01)|([\\x60-\\x6f].{7}((\\x20\\x01\\x00\\x00)).{28})" + 
"|([\\x60-\\x6f].{23}((\\x20\\x01\\x00\\x00))).{12}"); + pattern_re->Compile(); + } + +bool TeredoAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) + { + if ( ! BifConst::Tunnel::enable_teredo ) + return false; + + // Teredo always comes from a UDP connection, which means that session should always + // be valid and always be a connection. Store this off for the span of the + // processing so that it can be used for other things. Return a weird if we didn't + // have a session stored. + if ( ! packet->session ) + { + Analyzer::Weird("teredo_missing_connection"); + return false; + } + else if ( AnalyzerViolated(packet->session) ) + return false; + + if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) + { + Analyzer::Weird("exceeded_tunnel_max_depth", packet); + return false; + } + + conn = static_cast(packet->session); + zeek::detail::ConnKey conn_key = conn->Key(); + + OrigRespMap::iterator or_it = orig_resp_map.find(conn_key); + if ( or_it == orig_resp_map.end() ) + or_it = orig_resp_map.insert(or_it, {conn_key, {}}); + + detail::TeredoEncapsulation te(this); + if ( ! te.Parse(data, len) ) + { + AnalyzerViolation("Bad Teredo encapsulation", conn, (const char*)data, len); + return false; + } + + // TODO: i'm not sure about this. on the one hand, we do some error checking with the result + // but on the other hand we duplicate this work here. maybe this header could just be stored + // and reused in the IP analyzer somehow? + std::shared_ptr inner = nullptr; + int rslt = packet_analysis::IP::ParsePacket(len, te.InnerIP(), IPPROTO_IPV6, inner); + if ( rslt > 0 ) + { + if ( inner->NextProto() == IPPROTO_NONE && inner->PayloadLen() == 0 ) + // Teredo bubbles having data after IPv6 header isn't strictly a + // violation, but a little weird. 
+ Weird("Teredo_bubble_with_payload", true); + else + { + AnalyzerViolation("Teredo payload length", conn, (const char*)data, len); + return false; + } + } + + if ( rslt == 0 || rslt > 0 ) + { + if ( packet->is_orig ) + or_it->second.valid_orig = true; + else + or_it->second.valid_resp = true; + + Confirm(or_it->second.valid_orig, or_it->second.valid_resp); + } + else + { + AnalyzerViolation("Truncated Teredo or invalid inner IP version", conn, (const char*)data, + len); + return false; + } + + ValPtr teredo_hdr; + + if ( teredo_packet ) + { + teredo_hdr = te.BuildVal(inner); + packet->session->EnqueueEvent(teredo_packet, nullptr, packet->session->GetVal(), + teredo_hdr); + } + + if ( te.Authentication() && teredo_authentication ) + { + if ( ! teredo_hdr ) + teredo_hdr = te.BuildVal(inner); + + packet->session->EnqueueEvent(teredo_authentication, nullptr, packet->session->GetVal(), + teredo_hdr); + } + + if ( te.OriginIndication() && teredo_origin_indication ) + { + if ( ! teredo_hdr ) + teredo_hdr = te.BuildVal(inner); + + packet->session->EnqueueEvent(teredo_origin_indication, nullptr, packet->session->GetVal(), + teredo_hdr); + } + + if ( inner->NextProto() == IPPROTO_NONE && teredo_bubble ) + { + if ( ! teredo_hdr ) + teredo_hdr = te.BuildVal(inner); + + packet->session->EnqueueEvent(teredo_bubble, nullptr, packet->session->GetVal(), + teredo_hdr); + } + + int encap_index = 0; + auto inner_packet = packet_analysis::IPTunnel::build_inner_packet( + packet, &encap_index, nullptr, len, te.InnerIP(), DLT_RAW, BifEnum::Tunnel::TEREDO, + GetAnalyzerTag()); + + return ForwardPacket(len, te.InnerIP(), inner_packet.get()); + } + +bool TeredoAnalyzer::DetectProtocol(size_t len, const uint8_t* data, Packet* packet) + { + if ( ! BifConst::Tunnel::enable_teredo ) + return false; + + if ( ! pattern_re->Match(data, len) ) + return false; + + return true; + } + + } // namespace zeek::packet_analysis::teredo 
diff --git a/src/packet_analysis/protocol/teredo/Teredo.h b/src/packet_analysis/protocol/teredo/Teredo.h new file mode 100644 index 0000000000..82bd150a17 --- /dev/null +++ b/src/packet_analysis/protocol/teredo/Teredo.h 
@@ -0,0 +1,106 @@ +#pragma once + +#include + +#include "zeek/Conn.h" +#include "zeek/NetVar.h" +#include "zeek/RE.h" +#include "zeek/Reporter.h" +#include "zeek/packet_analysis/Analyzer.h" + +namespace zeek::packet_analysis::teredo + { + +class TeredoAnalyzer final : public packet_analysis::Analyzer + { +public: + TeredoAnalyzer(); + ~TeredoAnalyzer() override = default; + + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + + static zeek::packet_analysis::AnalyzerPtr Instantiate() + { + return std::make_shared(); + } + + /** + * Emits a weird only if the analyzer has previously been able to + * decapsulate a Teredo packet in both directions or if *force* param is + * set, since otherwise the weirds could happen frequently enough to be less + * than helpful. The *force* param is meant for cases where just one side + * has a valid encapsulation and so the weird would be informative. + */ + void Weird(const char* name, bool force = false) const + { + if ( AnalyzerConfirmed(conn) || force ) + reporter->Weird(conn, name, "", GetAnalyzerName()); + } + + /** + * If the delayed confirmation option is set, then a valid encapsulation + * seen from both end points is required before confirming. + */ + void Confirm(bool valid_orig, bool valid_resp) + { + if ( ! 
BifConst::Tunnel::delay_teredo_confirmation || (valid_orig && valid_resp) ) + { + AnalyzerConfirmation(conn); + } + } + + bool DetectProtocol(size_t len, const uint8_t* data, Packet* packet) override; + + void RemoveConnection(const zeek::detail::ConnKey& conn_key) { orig_resp_map.erase(conn_key); } + +protected: + Connection* conn = nullptr; + + struct OrigResp + { + bool valid_orig = false; + bool valid_resp = false; + bool confirmed = false; + }; + using OrigRespMap = std::map; + OrigRespMap orig_resp_map; + + std::unique_ptr pattern_re; + }; + +namespace detail + { + +class TeredoEncapsulation + { +public: + explicit TeredoEncapsulation(const TeredoAnalyzer* ta) : analyzer(ta) { } + + /** + * Returns whether input data parsed as a valid Teredo encapsulation type. + * If it was valid, the len argument is decremented appropriately. + */ + bool Parse(const u_char* data, size_t& len) { return DoParse(data, len, false, false); } + + const u_char* InnerIP() const { return inner_ip; } + + const u_char* OriginIndication() const { return origin_indication; } + + const u_char* Authentication() const { return auth; } + + RecordValPtr BuildVal(const std::shared_ptr& inner) const; + +private: + bool DoParse(const u_char* data, size_t& len, bool found_orig, bool found_au); + + void Weird(const char* name) const { analyzer->Weird(name); } + + const u_char* inner_ip = nullptr; + const u_char* origin_indication = nullptr; + const u_char* auth = nullptr; + const TeredoAnalyzer* analyzer = nullptr; + }; + + } // namespace detail + + } // namespace zeek::packet_analysis::teredo diff --git a/src/packet_analysis/protocol/teredo/events.bif b/src/packet_analysis/protocol/teredo/events.bif new file mode 100644 index 0000000000..080eb1bf6e --- /dev/null +++ b/src/packet_analysis/protocol/teredo/events.bif 
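Review bot: `Connection* conn` is a scratch pointer that `AnalyzePacket` overwrites per packet and that `Weird()` and `Confirm()` read, but nothing in the header says it is only meaningful while a packet is being processed, and `Weird()` passing the initial `nullptr` (or a stale connection) to `AnalyzerConfirmed` is not obviously safe; add `// Connection of the packet currently in AnalyzePacket(); only valid for the duration of that call.` above it. `OrigResp::confirmed` is neither read nor written anywhere in this patch — either drop it or say what it is reserved for. The `Weird`/`Confirm` doc comments are good, but the class and `TeredoEncapsulation` lack a one-line purpose comment, e.g. `// Parses the optional Teredo origin-indication / authentication headers in front of an encapsulated IPv6 packet and locates the inner header.`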
@@ -0,0 +1,55 @@ +## Generated for any IPv6 packet encapsulated in a Teredo tunnel. +## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. zeek:see:: teredo_authentication teredo_origin_indication teredo_bubble +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_packet%(outer: connection, inner: teredo_hdr%); + +## Generated for IPv6 packets encapsulated in a Teredo tunnel that +## use the Teredo authentication encapsulation method. +## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. zeek:see:: teredo_packet teredo_origin_indication teredo_bubble +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_authentication%(outer: connection, inner: teredo_hdr%); + +## Generated for IPv6 packets encapsulated in a Teredo tunnel that +## use the Teredo origin indication encapsulation method. +## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. zeek:see:: teredo_packet teredo_authentication teredo_bubble +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_origin_indication%(outer: connection, inner: teredo_hdr%); + +## Generated for Teredo bubble packets. That is, IPv6 packets encapsulated +## in a Teredo tunnel that have a Next Header value of :zeek:id:`IPPROTO_NONE`. 
+## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. zeek:see:: teredo_packet teredo_authentication teredo_origin_indication +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_bubble%(outer: connection, inner: teredo_hdr%); + diff --git a/src/packet_analysis/protocol/teredo/functions.bif b/src/packet_analysis/protocol/teredo/functions.bif new file mode 100644 index 0000000000..8607712ca5 --- /dev/null +++ b/src/packet_analysis/protocol/teredo/functions.bif @@ -0,0 +1,20 @@ +module PacketAnalyzer::TEREDO; + +%%{ +#include "zeek/Conn.h" +#include "zeek/session/Manager.h" +#include "zeek/packet_analysis/Manager.h" +#include "zeek/packet_analysis/protocol/teredo/Teredo.h" +%%} + +function remove_teredo_connection%(cid: conn_id%) : bool + %{ + zeek::packet_analysis::AnalyzerPtr teredo = zeek::packet_mgr->GetAnalyzer("Teredo"); + if ( teredo ) + { + zeek::detail::ConnKey conn_key(cid); + static_cast(teredo.get())->RemoveConnection(conn_key); + } + + return zeek::val_mgr->True(); + %} diff --git a/src/session/Manager.cc b/src/session/Manager.cc index 2fdb05c4e4..3ed9d9741d 100644 --- a/src/session/Manager.cc +++ b/src/session/Manager.cc 
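Review bot: `remove_teredo_connection` resolves the analyzer by name with `zeek::packet_mgr->GetAnalyzer("Teredo")` on every call, and since the script side invokes it from `connection_state_remove` that is a string lookup plus an unchecked `static_cast` per connection teardown; resolving once into a function-local `static` would suffice if the analyzer set is fixed after init, which I cannot confirm from here. The function also returns `True` unconditionally, so the caller cannot tell that the analyzer was absent; `return zeek::val_mgr->Bool(teredo != nullptr);` makes the result meaningful. The BIF has no `##` documentation comment; I would add `## Drops the Teredo analyzer's per-connection state for *cid*. Intended to be called from connection_state_remove.` above the declaration.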
@@ -101,48 +101,11 @@ void Manager::Done() { } Connection* Manager::FindConnection(Val* v) { - const auto& vt = v->GetType(); - if ( ! IsRecord(vt->Tag()) ) + zeek::detail::ConnKey conn_key(v); + + if ( ! conn_key.valid ) return nullptr; - RecordType* vr = vt->AsRecordType(); - auto vl = v->As(); - - int orig_h, orig_p; // indices into record's value list - int resp_h, resp_p; - - if ( vr == id::conn_id ) - { - orig_h = 0; - orig_p = 1; - resp_h = 2; - resp_p = 3; - } - else - { - // While it's not a conn_id, it may have equivalent fields. - orig_h = vr->FieldOffset("orig_h"); - resp_h = vr->FieldOffset("resp_h"); - orig_p = vr->FieldOffset("orig_p"); - resp_p = vr->FieldOffset("resp_p"); - - if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 ) - return nullptr; - - // ### we ought to check that the fields have the right - // types, too. - } - - const IPAddr& orig_addr = vl->GetFieldAs(orig_h); - const IPAddr& resp_addr = vl->GetFieldAs(resp_h); - - auto orig_portv = vl->GetFieldAs(orig_p); - auto resp_portv = vl->GetFieldAs(resp_p); - - zeek::detail::ConnKey conn_key(orig_addr, resp_addr, htons((unsigned short)orig_portv->Port()), - htons((unsigned short)resp_portv->Port()), - orig_portv->PortType(), false); - return FindConnection(conn_key); } diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index be14ccb46b..81552f328f 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
@@ -73,6 +73,9 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/geneve/main.zeek scripts/base/packet-protocols/vxlan/__load__.zeek scripts/base/packet-protocols/vxlan/main.zeek + scripts/base/packet-protocols/teredo/__load__.zeek + scripts/base/packet-protocols/teredo/main.zeek + build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek @@ -210,13 +213,13 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek - build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek + build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index bab747594c..f215057ab1 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -73,6 +73,9 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/geneve/main.zeek scripts/base/packet-protocols/vxlan/__load__.zeek scripts/base/packet-protocols/vxlan/main.zeek + scripts/base/packet-protocols/teredo/__load__.zeek + scripts/base/packet-protocols/teredo/main.zeek + build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek @@ -210,13 +213,13 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek - build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek + build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 30cef0ae06..d0f098c5fb 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -59,7 +59,6 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 993/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) -> @@ -122,7 +121,6 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 993/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) -> 
@@ -151,7 +149,6 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSH, {22/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {563<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Broker::__set_metrics_export_endpoint_name, , ()) -> 0.000000 MetaHookPost CallFunction(Broker::__set_metrics_export_interval, , (1.0 sec)) -> 
@@ -580,9 +577,11 @@ 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> 
@@ -632,6 +631,7 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> @@ -646,6 +646,7 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) -> 0.000000 MetaHookPost CallFunction(PacketFilter::install, , ()) -> 
@@ -676,6 +677,7 @@ 0.000000 MetaHookPost CallFunction(getenv, , (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> 0.000000 MetaHookPost CallFunction(global_ids, , ()) -> 0.000000 MetaHookPost CallFunction(network_time, , ()) -> +0.000000 MetaHookPost CallFunction(port_to_count, , (3544/udp)) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (4789/udp)) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (5072/udp)) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (6081/udp)) -> @@ -804,6 +806,7 @@ 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> -1 @@ -921,6 +924,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/active-http, <...>/active-http.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/addrs, <...>/addrs.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/analyzer, <...>/analyzer) -> -1 
@@ -1029,6 +1033,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/syslog, <...>/syslog) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/tcp, <...>/tcp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/teredo, <...>/teredo) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/thresholds, <...>/thresholds.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/time, <...>/time.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/tunnels, <...>/tunnels) -> -1 @@ -1175,6 +1180,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> (-1, ) 
@@ -1292,6 +1298,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/analyzer, <...>/analyzer) -> (-1, ) @@ -1400,6 +1407,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/syslog, <...>/syslog) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/tcp, <...>/tcp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/teredo, <...>/teredo) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/time, <...>/time.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/tunnels, <...>/tunnels) -> (-1, ) 
@@ -1496,7 +1504,6 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 993/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) @@ -1559,7 +1566,6 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 993/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) 
@@ -1588,7 +1594,6 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSH, {22/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {563<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) 0.000000 MetaHookPre CallFunction(Broker::__set_metrics_export_endpoint_name, , ()) 0.000000 MetaHookPre CallFunction(Broker::__set_metrics_export_interval, , (1.0 sec)) 
@@ -2017,9 +2022,11 @@ 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) 
@@ -2069,6 +2076,7 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) @@ -2083,6 +2091,7 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) 0.000000 MetaHookPre CallFunction(PacketFilter::build, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) 0.000000 MetaHookPre CallFunction(PacketFilter::install, , ()) 
@@ -2113,6 +2122,7 @@ 0.000000 MetaHookPre CallFunction(getenv, , (ZEEK_DEFAULT_LISTEN_ADDRESS)) 0.000000 MetaHookPre CallFunction(global_ids, , ()) 0.000000 MetaHookPre CallFunction(network_time, , ()) +0.000000 MetaHookPre CallFunction(port_to_count, , (3544/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, , (4789/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, , (5072/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, , (6081/udp)) @@ -2241,6 +2251,7 @@ 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) @@ -2358,6 +2369,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/active-http, <...>/active-http.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/addrs, <...>/addrs.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/analyzer, <...>/analyzer) 
@@ -2466,6 +2478,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/syslog, <...>/syslog) 0.000000 MetaHookPre LoadFile(0, base<...>/tcp, <...>/tcp) +0.000000 MetaHookPre LoadFile(0, base<...>/teredo, <...>/teredo) 0.000000 MetaHookPre LoadFile(0, base<...>/thresholds, <...>/thresholds.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/time, <...>/time.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/tunnels, <...>/tunnels) @@ -2612,6 +2625,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) @@ -2729,6 +2743,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/analyzer, <...>/analyzer) 
@@ -2837,6 +2852,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/syslog, <...>/syslog) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/tcp, <...>/tcp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/teredo, <...>/teredo) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/time, <...>/time.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/tunnels, <...>/tunnels) @@ -2933,7 +2949,6 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 993/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) -0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS) @@ -2996,7 +3011,6 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 993/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) -0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, {135/tcp}) 
@@ -3025,7 +3039,6 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, {22/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {563<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp}) -0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Broker::__set_metrics_export_endpoint_name() 0.000000 | HookCallFunction Broker::__set_metrics_export_interval(1.0 sec) 
@@ -3453,9 +3466,11 @@ 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp) +0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}) +0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP) 
@@ -3505,6 +3520,7 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE) @@ -3519,6 +3535,7 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA) +0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO) 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) 0.000000 | HookCallFunction PacketFilter::install() 
@@ -3549,6 +3566,7 @@ 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS) 0.000000 | HookCallFunction global_ids() 0.000000 | HookCallFunction network_time() +0.000000 | HookCallFunction port_to_count(3544/udp) 0.000000 | HookCallFunction port_to_count(4789/udp) 0.000000 | HookCallFunction port_to_count(5072/udp) 0.000000 | HookCallFunction port_to_count(6081/udp) @@ -3677,6 +3695,7 @@ 0.000000 | HookLoadFile ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek 0.000000 | HookLoadFile ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek +0.000000 | HookLoadFile ./Zeek_Teredo.functions.bif.zeek <...>/Zeek_Teredo.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek @@ -3806,6 +3825,7 @@ 0.000000 | HookLoadFile base<...>/CPP-load.bif <...>/CPP-load.bif.zeek 0.000000 | HookLoadFile base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek 0.000000 | HookLoadFile base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek +0.000000 | HookLoadFile base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek 0.000000 | HookLoadFile base<...>/active-http <...>/active-http.zeek 0.000000 | HookLoadFile base<...>/addrs <...>/addrs.zeek 0.000000 | HookLoadFile base<...>/analyzer <...>/analyzer @@ -3914,6 +3934,7 @@ 0.000000 | HookLoadFile base<...>/supervisor.bif <...>/supervisor.bif.zeek 0.000000 | HookLoadFile base<...>/syslog <...>/syslog 0.000000 | HookLoadFile base<...>/tcp <...>/tcp +0.000000 | HookLoadFile base<...>/teredo <...>/teredo 0.000000 | HookLoadFile base<...>/thresholds <...>/thresholds.zeek 0.000000 | HookLoadFile base<...>/time <...>/time.zeek 0.000000 | HookLoadFile base<...>/tunnels <...>/tunnels 
@@ -4048,6 +4069,7 @@ 0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_Teredo.functions.bif.zeek <...>/Zeek_Teredo.functions.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek @@ -4177,6 +4199,7 @@ 0.000000 | HookLoadFileExtended base<...>/CPP-load.bif <...>/CPP-load.bif.zeek 0.000000 | HookLoadFileExtended base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek 0.000000 | HookLoadFileExtended base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek +0.000000 | HookLoadFileExtended base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek 0.000000 | HookLoadFileExtended base<...>/active-http <...>/active-http.zeek 0.000000 | HookLoadFileExtended base<...>/addrs <...>/addrs.zeek 0.000000 | HookLoadFileExtended base<...>/analyzer <...>/analyzer @@ -4285,6 +4308,7 @@ 0.000000 | HookLoadFileExtended base<...>/supervisor.bif <...>/supervisor.bif.zeek 0.000000 | HookLoadFileExtended base<...>/syslog <...>/syslog 0.000000 | HookLoadFileExtended base<...>/tcp <...>/tcp +0.000000 | HookLoadFileExtended base<...>/teredo <...>/teredo 0.000000 | HookLoadFileExtended base<...>/thresholds <...>/thresholds.zeek 0.000000 | HookLoadFileExtended base<...>/time <...>/time.zeek 0.000000 | HookLoadFileExtended base<...>/tunnels <...>/tunnels 
@@ -4782,6 +4806,7 @@ XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(HTTP::get_file_handle, , (
 XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) ->
 XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], Conn::LOG)) ->
 XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) ->
+XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, , ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) ->
 XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) ->
 XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, 
num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, removal_hooks={HTTP::finalize_http{ HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) ->
 XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(filter_change_tracking, , ()) ->
@@ -4819,6 +4844,7 @@ XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(HTTP::get_file_handle, , (
 XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]))
 XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], Conn::LOG))
 XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]))
+XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, , ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
 XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, 
num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, removal_hooks={HTTP::finalize_http{ HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]))
 XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(filter_change_tracking, , ())
@@ -4857,6 +4883,7 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.2
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], Conn::LOG)
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])
+XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::TEREDO::remove_teredo_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
 XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], 
resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, removal_hooks={HTTP::finalize_http{ HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])
 XXXXXXXXXX.XXXXXX | HookCallFunction filter_change_tracking()
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt b/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt
index 3b64f8ef57..fda4f6d244 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-> 2005-10-07-23:23:55 Test_Notice 141.42.64.125:56730/tcp -> 125.190.109.199:80/tcp (uid CHhAvVGS1DHFjwGM9)
+> 2005-10-07-23:23:55 Test_Notice 141.42.64.125:56730/tcp -> 125.190.109.199:80/tcp (uid ClEkJM2Vm5giqnMf4h)
 test # 141.42.64.125 = 125.190.109.199 = 
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
index 06997a6c09..26470a7fdf 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4
 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request 141.142.220.235:50003 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
index 8bcf84d4a5..40ce076959 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4
 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
index 2cde803f33..123f40020a 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
index 2cde803f33..123f40020a 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4