Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/master' into topic/seth/metrics-merge

Browse source
This commit is contained in:
Seth Hall 2012-12-06 11:07:35 -05:00
commit dda36672ac
26 changed files with 443 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

48
CHANGES
View file

@ -1,4 +1,52 @@
2.1-209 | 2012-12-05 16:44:04 -0800
* Adapting the HTTP request line parsing to only accept methods
consisting of letters [A-Za-z]. (Robin Sommer)
2.1-207 | 2012-12-05 15:47:32 -0800
* Reporting warnings if kill/waitpid fail in communication system.
(Bill Parker)
* Replace() bzero with memset(). (Bill Parker)
* Merge remote-tracking branch 'vlad/topic/vladg/http-verbs'
* vlad/topic/vladg/http-verbs:
A test for HTTP methods, including some horribly illegal requests.
Remove hardcoded HTTP verbs from the analyzer (#741)
I added a "bad_HTTP_request" weird for HTTP request lines that don't
have more than a single word.
Closes #741. (Robin Sommer)
* A test for HTTP methods, including some horribly illegal requests. (Vlad Grigorescu)
* Remove hardcoded HTTP verbs from the analyzer (#741) (Vlad Grigorescu)
2.1-203 | 2012-12-05 14:36:56 -0800
* Fix segfault: Synchronization of state between connecting peers
now skips over identifiers that aren't initialized with a value
yet. Addresses #66. (Jon Siwek)
* Fix segfault: Delete correct entry in error case in input
framework. (Bernhard Amann)
* Bad record constructor initializers now give an error. Addresses
#34. (Jon Siwek)
* Invalid vector indices now generate error message. Addresses #24.
(Jon Siwek)
* Bump CPack RPM package requirement to Python >= 2.6.0. (Jon Siwek)
* Interpreter exceptions occurring in "when" blocks are now handled.
Addresses #779 (Jon Siwek)
2.1-195 | 2012-12-03 14:50:33 -0800
* Catching out-of-memory in patricia tree code. (Bill Parker)

2
CMakeLists.txt
View file

@ -195,7 +195,7 @@ CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI)
if (INSTALL_BROCTL)
# CPack RPM Generator may not automatically detect this
set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.4.0")
set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.6.0")
endif ()
# If this CMake project is a sub-project of another, we will not

2
VERSION
View file

@ -1 +1 @@
2.1-195
2.1-209

2
aux/broccoli

@ -1 +1 @@
Subproject commit a8846fc5b004ffe4e3d00e826d0077ba19518192
Subproject commit 06682dbb15d26d2688bdc9ad76efec17d38dc80f

16
scripts/base/protocols/http/main.bro
View file

@ -95,6 +95,19 @@ export {
"PROXY-CONNECTION",
} &redef;
## A list of HTTP methods. Other methods will generate a weird. Note
## that the HTTP analyzer will only accept methods consisting solely
## of letters ``[A-Za-z]``.
const http_methods: set[string] = {
"GET", "POST", "HEAD", "OPTIONS",
"PUT", "DELETE", "TRACE", "CONNECT",
# HTTP methods for distributed authoring:
"PROPFIND", "PROPPATCH", "MKCOL",
"COPY", "MOVE", "LOCK", "UNLOCK",
"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
"SEARCH"
} &redef;
## Event that can be handled to access the HTTP record as it is sent on
## to the logging framework.
global log_http: event(rec: Info);
@ -180,6 +193,9 @@ event http_request(c: connection, method: string, original_URI: string,
c$http$method = method;
c$http$uri = unescaped_URI;
if ( method !in http_methods )
event conn_weird("unknown_HTTP_method", c, method);
}
event http_reply(c: connection, version: string, code: count, reason: string) &priority=5

24
src/Expr.cc
View file

@ -2950,16 +2950,12 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const
if ( IsError() )
return 0;
if ( v1->Type()->Tag() == TYPE_VECTOR )
{
Val* v = v1->AsVectorVal()->Lookup(v2);
// ### dangerous - this can silently fail larger operations
// due to a missing element
return v ? v->Ref() : 0;
}
Val* v = 0;
TableVal* v_tbl = v1->AsTableVal();
Val* v = v_tbl->Lookup(v2);
if ( v1->Type()->Tag() == TYPE_VECTOR )
v = v1->AsVectorVal()->Lookup(v2);
else
v = v1->AsTableVal()->Lookup(v2);
if ( v )
return v->Ref();
@ -3290,7 +3286,11 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
{
RecordVal* rv = Eval(0)->AsRecordVal();
Val* v = Eval(0);
if ( v )
{
RecordVal* rv = v->AsRecordVal();
RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr);
if ( ar )
@ -3298,13 +3298,11 @@ Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
Unref(rv);
return ar;
}
}
else
{
Error("bad record initializer");
return 0;
}
}
Val* RecordConstructorExpr::Fold(Val* v) const
{

43
src/HTTP.cc
View file

@ -1118,36 +1118,31 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line,
int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
{
const char* request_method_str = 0;
const char* end_of_request = 0;
const char* rest = 0;
static const char* http_methods[] = {
"GET", "POST", "HEAD",
int request_method_len = 0;
"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT",
get_word(end_of_line - line, line, request_method_len, request_method_str);
// HTTP methods for distributed authoring.
"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
"COPY", "MOVE", "LOCK", "UNLOCK",
"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
if ( request_method_len == 0 )
goto error;
"SEARCH",
end_of_request = request_method_str + request_method_len;
0,
};
int i;
for ( i = 0; http_methods[i]; ++i )
if ( (rest = PrefixWordMatch(line, end_of_line, http_methods[i])) != 0 )
break;
if ( ! http_methods[i] )
for ( const char* p = request_method_str; p < end_of_request; p++ )
{
// Weird("HTTP_unknown_method");
if ( RequestExpected() )
HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line));
return 0;
// The method must consist of only letters.
if ( (*p < 'a' || *p > 'z') && (*p < 'A' || *p > 'Z') )
goto error;
}
request_method = new StringVal(http_methods[i]);
rest = skip_whitespace(end_of_request, end_of_line);
if ( rest == end_of_request )
// End of line already reached. Most likely a DPD failure.
goto error;
request_method = new StringVal(request_method_len, request_method_str);
if ( ! ParseRequest(rest, end_of_line) )
reporter->InternalError("HTTP ParseRequest failed");
@ -1157,6 +1152,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
unescaped_URI->AsString()->Len(), true, true, true, true);
return 1;
error:
reporter->Weird(Conn(), "bad_HTTP_request");
return 0;
}
int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)

27
src/RemoteSerializer.cc
View file

@ -545,8 +545,11 @@ RemoteSerializer::~RemoteSerializer()
{
if ( child_pid )
{
kill(child_pid, SIGKILL);
waitpid(child_pid, 0, 0);
if ( kill(child_pid, SIGKILL) < 0 )
reporter->Warning("warning: cannot kill child (pid %d), %s", child_pid, strerror(errno));
else if ( waitpid(child_pid, 0, 0) < 0 )
reporter->Warning("warning: error encountered during waitpid(%d), %s", child_pid, strerror(errno));
}
delete io;
@ -1032,6 +1035,14 @@ bool RemoteSerializer::SendAllSynchronized(Peer* peer, SerialInfo* info)
for ( ; index < sync_ids.length(); ++index )
{
if ( ! sync_ids[index]->ID_Val() )
{
#ifdef DEBUG
DBG_LOG(DBG_COMM, "Skip sync of ID with null value: %s\n",
sync_ids[index]->Name());
#endif
continue;
}
cont->SaveContext();
StateAccess sa(OP_ASSIGN, sync_ids[index],
@ -3153,7 +3164,10 @@ void RemoteSerializer::FatalError(const char* msg)
reporter->Error("%s", msg);
closed = true;
kill(child_pid, SIGQUIT);
if ( kill(child_pid, SIGQUIT) < 0 )
reporter->Warning("warning: cannot kill child pid %d, %s", child_pid, strerror(errno));
child_pid = 0;
using_communication = false;
io->Clear();
@ -3963,7 +3977,7 @@ bool SocketComm::Connect(Peer* peer)
{
int status;
addrinfo hints, *res, *res0;
bzero(&hints, sizeof(hints));
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_protocol = IPPROTO_TCP;
@ -4095,7 +4109,7 @@ bool SocketComm::Listen()
{
int status, on = 1;
addrinfo hints, *res, *res0;
bzero(&hints, sizeof(hints));
memset(&hints, 0, sizeof(hints));
IPAddr listen_ip(listen_if);
@ -4360,7 +4374,8 @@ void SocketComm::Kill()
CloseListenFDs();
kill(getpid(), SIGTERM);
if ( kill(getpid(), SIGTERM) < 0 )
Log(fmt("warning: cannot kill SocketComm pid %d, %s", getpid(), strerror(errno)));
while ( 1 )
; // loop until killed

18
src/Trigger.cc
View file

@ -217,8 +217,15 @@ bool Trigger::Eval()
Name());
Unref(v);
v = 0;
stmt_flow_type flow;
try
{
v = body->Exec(f, flow);
}
catch ( InterpreterException& e )
{ /* Already reported. */ }
if ( is_return )
{
@ -300,7 +307,14 @@ void Trigger::Timeout()
{
stmt_flow_type flow;
Frame* f = frame->Clone();
Val* v = timeout_stmts->Exec(f, flow);
Val* v = 0;
try
{
v = timeout_stmts->Exec(f, flow);
}
catch ( InterpreterException& e )
{ /* Already reported. */ }
if ( is_return )
{
@ -382,7 +396,7 @@ void Trigger::Attach(Trigger *trigger)
void Trigger::Cache(const CallExpr* expr, Val* v)
{
if ( disabled )
if ( disabled || ! v )
return;
ValCache::iterator i = cache.find(expr);

2
src/input/readers/Ascii.cc
View file

@ -572,7 +572,7 @@ bool Ascii::DoUpdate()
// array structure.
for ( int i = 0; i < fpos; i++ )
delete fields[fpos];
delete fields[i];
delete [] fields;
continue;

12
testing/btest/Baseline/core.dns-interpreter-exceptions/out Normal file
View file

@ -0,0 +1,12 @@
1300475167.096535 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 28: field value missing [p$ip]
1300475167.096535 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 49: field value missing [p$ip]
1300475168.902195 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 39: field value missing [p$ip]
1300475168.902195 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 12: field value missing [p$ip]
timeout g(), F
timeout g(), T
timeout
g() done, no exception, T
localhost resolved
localhost resolved from f(), T
localhost resolved from f(), F
f() done, no exception, T

1
testing/btest/Baseline/istate.sync/receiver.vars.log
View file

@ -31,3 +31,4 @@ file "test2" of string
6667/tcp
[2, 20, 3, 4]
[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
122112

1
testing/btest/Baseline/istate.sync/sender.vars.log
View file

@ -31,3 +31,4 @@ file "test2" of string
6667/tcp
[2, 20, 3, 4]
[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
122112

7
testing/btest/Baseline/language.invalid_index/out Normal file
View file

@ -0,0 +1,7 @@
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 8: no such index (foo[1])
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 9: no such index (foo[2])
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 12: no such index (foo2[1])
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 13: no such index (foo2[2])
foo[0], 42
foo2[0], 13
done

3
testing/btest/Baseline/language.record-bad-ctor/out Normal file
View file

@ -0,0 +1,3 @@
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 6: no type given (asdfasdf)
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: uninitialized list value ($ports=asdfasdf)
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: bad record initializer ([$ports=asdfasdf])

4
testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/.stderrwithoutfirstline Normal file
View file

@ -0,0 +1,4 @@
error: ../input.log/Input::READER_ASCII: String 'l' contained no parseable number
error: ../input.log/Input::READER_ASCII: Could not convert line ' l' to Val. Ignoring line.
received termination signal
>>>

3
testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/out Normal file
View file

@ -0,0 +1,3 @@
{
[] = [c=5]
}

58
testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log Normal file
View file

@ -0,0 +1,58 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open 2012-12-06-00-55-27
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1354328870.191989 UWkUyAuUGXf 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - - 0 962 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328874.237327 arKYeMETxOg 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328874.364020 j4u32Pc5bif 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - - 0 43911 200 OK - - - (empty) - - - text/html - -
1354328878.470424 TEfuqmmG4bh 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - - 0 43983 200 OK - - - (empty) - - - text/html - -
1354328882.575456 FrJExwHcSal 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - - 0 1207 403 Forbidden - - - (empty) - - - text/html - -
1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328882.990373 VW0XPVINV8a 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - - 0 43913 200 OK - - - (empty) - - - text/html - -
1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 0 - - - - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328891.328583 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 0 - - - - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328895.375116 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328895.500315 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 0 - - - - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328899.526682 EAr0uf4mhq 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328903.572533 GvmoxJFXdTa 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328903.697693 UfGkYA2HI2g 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328907.743696 i2rO3KD1Syg 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328911.790590 2cx26uAvUPl 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328911.918511 zno26fFZkrh 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328915.964678 v5rgkJBig5l 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328920.010458 eWZCH7OONC1 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328920.136714 yC2d6kVg709 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328924.183211 VcgagLjnO92 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - -
1354328924.224567 bdRoHfaPBo3 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - -
1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328924.350343 xNYSS2hJkle 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - -
1354328924.391728 vMVjlplKKbd 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - -
1354328924.433150 3omNawSNrxj 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - -
1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328924.559704 E490YZTUozc 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - -
1354328928.625437 YIeWJmXWNWj 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - -
1354328932.692706 ydiZblvsYri 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - - 0 0 400 Bad Request - - - (empty) - - - - - -
1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
#close 2012-12-06-00-55-28

61
testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log Normal file
View file

@ -0,0 +1,61 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2012-12-06-00-55-27
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1354328874.278822 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F bro
1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328874.321792 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F bro
1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328882.908690 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F bro
1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328882.949510 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F bro
1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328887.094494 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F bro
1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328891.141058 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328891.183942 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328891.226199 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328891.267625 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.328583 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 bad_HTTP_request - F bro
1354328895.375116 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328895.396634 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F bro
1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328895.438812 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F bro
1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 bad_HTTP_request - F bro
1354328895.500315 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328903.614145 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F bro
1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328903.656369 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F bro
1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328911.832856 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F bro
1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328911.876341 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F bro
1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328920.052085 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F bro
1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328920.094072 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F bro
1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328924.266693 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328924.308714 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328924.476011 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328924.518204 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328932.734579 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F bro
1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328932.776609 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F bro
1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 unmatched_HTTP_reply - F bro
#close 2012-12-06-00-55-28

BIN
testing/btest/Traces/http-methods.trace Normal file
View file

Binary file not shown.

63
testing/btest/core/dns-interpreter-exceptions.bro Normal file
View file

@ -0,0 +1,63 @@
# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT >out 2>&1
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
# interpreter exceptions in "when" blocks shouldn't cause termination
global p: pkt_hdr;
function f(do_exception: bool): bool
{
return when ( local addrs = lookup_hostname("localhost") )
{
print "localhost resolved from f()", do_exception;
if ( do_exception )
print p$ip;
return T;
}
return F;
}
function g(do_exception: bool): bool
{
return when ( local addrs = lookup_hostname("localhost") )
{
print "shouldn't get here, g()", do_exception;
}
timeout 0 sec
{
print "timeout g()", do_exception;
if ( do_exception )
print p$ip;
return T;
}
return F;
}
event bro_init()
{
when ( local addrs = lookup_hostname("localhost") )
{
print "localhost resolved";
print p$ip;
}
when ( local addrs2 = lookup_hostname("localhost") )
{
print "shouldn't get here";
}
timeout 0 sec
{
print "timeout";
print p$ip;
}
when ( local b = f(T) )
print "f() exception done (shouldn't be printed)", b;
when ( local b2 = g(T) )
print "g() exception done (shouldn't be printed)", b2;
when ( local b3 = f(F) )
print "f() done, no exception", b3;
when ( local b4 = g(F) )
print "g() done, no exception", b4;
}

9
testing/btest/istate/sync.bro
View file

@ -1,7 +1,7 @@
# @TEST-SERIALIZE: comm
#
# @TEST-EXEC: btest-bg-run sender bro %INPUT ../sender.bro
# @TEST-EXEC: btest-bg-run receiver bro %INPUT ../receiver.bro
# @TEST-EXEC: btest-bg-run sender bro -b %INPUT ../sender.bro
# @TEST-EXEC: btest-bg-run receiver bro -b %INPUT ../receiver.bro
# @TEST-EXEC: btest-bg-wait 20
#
# @TEST-EXEC: btest-diff sender/vars.log
@ -27,6 +27,7 @@ global foo13 = { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persiste
global foo14 = { [12345] = foo11, [12346] = foo11 } &persistent &synchronized;
global foo15 = 42/udp &persistent &synchronized;
global foo16: vector of count = [1,2,3] &persistent &synchronized;
global foo18: count &persistent &synchronized; # not initialized
type type1: record {
a: string;
@ -70,6 +71,7 @@ event bro_done()
print out, foo15;
print out, foo16;
print out, foo17;
print out, foo18;
}
@ -128,6 +130,7 @@ function modify()
delete foo17$e;
foo2 = 1234567;
foo18 = 122112;
}
@load frameworks/communication/listen
@ -148,6 +151,8 @@ redef Communication::nodes += {
@TEST-START-FILE receiver.bro
@load base/frameworks/communication
event bro_init()
{
capture_events("events.bst");

15
testing/btest/language/invalid_index.bro Normal file
View file

@ -0,0 +1,15 @@
# @TEST-EXEC: bro -b %INPUT >out 2>&1
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
global foo: vector of count = { 42 };
global foo2: table[count] of count = { [0] = 13 };
print "foo[0]", foo[0];
print "foo[1]", foo[1];
print "foo[2]", foo[2];
print "foo2[0]", foo2[0];
print "foo2[1]", foo2[1];
print "foo2[2]", foo2[2];
print "done";

8
testing/btest/language/record-bad-ctor.bro Normal file
View file

@ -0,0 +1,8 @@
# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
# At least shouldn't crash Bro, just report the invalid record ctor.
global asdfasdf;
const blah = [$ports=asdfasdf];
print blah;

46
testing/btest/scripts/base/frameworks/input/invalidtext.bro Normal file
View file

@ -0,0 +1,46 @@
# (uses listen.bro just to ensure input sources are more reliably fully-read).
# @TEST-SERIALIZE: comm
#
# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
# @TEST-EXEC: btest-bg-wait -k 5
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: sed 1d .stderr > .stderrwithoutfirstline
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderrwithoutfirstline
@TEST-START-FILE input.log
#separator \x09
#fields i c
#types int count
l
5
@TEST-END-FILE
@load frameworks/communication/listen
global outfile: file;
module A;
type Idx: record {
i: string;
};
type Val: record {
c: count;
};
global servers: table[string] of Val = table();
event bro_init()
{
outfile = open("../out");
# first read in the old stuff into the table...
Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]);
Input::remove("ssh");
}
event Input::end_of_data(name: string, source:string)
{
print outfile, servers;
terminate();
}

9
testing/btest/scripts/base/protocols/http/http-methods.bro Normal file
View file

@ -0,0 +1,9 @@
# This tests that the HTTP analyzer handles strange HTTP methods properly.
#
# @TEST-EXEC: bro -r $TRACES/http-methods.trace %INPUT
# @TEST-EXEC: btest-diff weird.log
# @TEST-EXEC: btest-diff http.log
# The base analysis scripts are loaded by default.
#@load base/protocols/http