diff --git a/doc b/doc index cf54d5ce41..53208a715f 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit cf54d5ce4131eb1e41ce108dc297116275ff02f7 +Subproject commit 53208a715f76067e56d7897ac3bbf67aefab72fe diff --git a/scripts/base/frameworks/notice/weird.zeek b/scripts/base/frameworks/notice/weird.zeek index 3b5ffb6a4e..2817ee04f4 100644 --- a/scripts/base/frameworks/notice/weird.zeek +++ b/scripts/base/frameworks/notice/weird.zeek @@ -54,6 +54,10 @@ export { ## trouble to help identify which node is having trouble. peer: string &log &optional &default=peer_description; + ## The source of the weird. When reported by an analyzer, this + ## should be the name of the analyzer. + source: string &log &optional; + ## This field is to be provided when a weird is generated for ## the purpose of deduplicating weirds. The identifier string ## should be unique for a single instance of the weird. This field @@ -257,7 +261,7 @@ export { ## This table is used to track identifier and name pairs that should be ## temporarily ignored because the problem has already been reported. - ## This helps reduce the volume of high volume weirds by only allowing + ## This helps reduce the volume of high volume weirds by only allowing ## a unique weird every ``create_expire`` interval. global weird_ignore: set[string, string] &create_expire=10min &redef; 
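Review bot: The doc comment on the new `source` field of `Weird::Info` does not say when the field is left unset or how it relates to deduplication. The handlers later in this file assign it only when the event's `source` is non-empty, and the `weird_ignore` set shown in the next hunk is keyed on identifier and name only. When two analyzers raise the same weird name for one connection within the expiry interval, the logged `source` is therefore presumably that of whichever reported first. I would extend the comment with something like `## Unset for weirds not raised by an analyzer; not part of the deduplication key.` so that analysts reading weird.log do not treat the column as complete attribution.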
@@ -400,16 +404,19 @@ function weird(w: Weird::Info) } # The following events come from core generated weirds typically. -event conn_weird(name: string, c: connection, addl: string) +event conn_weird(name: string, c: connection, addl: string, source: string) { local i = Info($ts=network_time(), $name=name, $conn=c, $identifier=id_string(c$id)); if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string) +event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string, source: string) { local i = Info($ts=network_time(), $name=name, $uid=uid, $id=id, $identifier=id_string(id)); @@ -417,10 +424,13 @@ event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string) if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event flow_weird(name: string, src: addr, dst: addr, addl: string) +event flow_weird(name: string, src: addr, dst: addr, addl: string, source: string) { # We add the source and destination as port 0/unknown because that is # what fits best here. @@ -432,25 +442,34 @@ event flow_weird(name: string, src: addr, dst: addr, addl: string) if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event net_weird(name: string, addl: string) +event net_weird(name: string, addl: string, source: string) { local i = Info($ts=network_time(), $name=name); if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event file_weird(name: string, f: fa_file, addl: string) +event file_weird(name: string, f: fa_file, addl: string, source: string) { local i = Info($ts=network_time(), $name=name, $addl=f$id); if ( addl != "" ) i$addl += fmt(": %s", addl); + if ( source != "" ) + i$source = source; + weird(i); } diff --git a/src/Conn.cc b/src/Conn.cc index 93a2f94520..8baf383cfb 100644 --- a/src/Conn.cc +++ b/src/Conn.cc 
@@ -530,10 +530,10 @@ void Connection::EnqueueEvent(EventHandlerPtr f, analyzer::Analyzer* a, event_mgr.Enqueue(f, std::move(args), util::detail::SOURCE_LOCAL, a ? a->GetID() : 0, this); } -void Connection::Weird(const char* name, const char* addl) +void Connection::Weird(const char* name, const char* addl, const char* source) { weird = 1; - reporter->Weird(this, name, addl ? addl : ""); + reporter->Weird(this, name, addl ? addl : "", source ? source : ""); } void Connection::AddTimer(timer_func timer, double t, bool do_expire, diff --git a/src/Conn.h b/src/Conn.h index a99456ce33..d3f75fcac4 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -238,7 +238,7 @@ public: EnqueueEvent(EventHandlerPtr h, analyzer::Analyzer* analyzer, Args&&... args) { return EnqueueEvent(h, analyzer, zeek::Args{std::forward(args)...}); } - void Weird(const char* name, const char* addl = ""); + void Weird(const char* name, const char* addl = "", const char* source = ""); bool DidWeird() const { return weird != 0; } // Cancel all associated timers. diff --git a/src/Reporter.cc b/src/Reporter.cc index abea82b3ae..241c8aa050 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -396,7 +396,7 @@ bool Reporter::PermitExpiredConnWeird(const char* name, const RecordVal& conn_id return false; } -void Reporter::Weird(const char* name, const char* addl) +void Reporter::Weird(const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); @@ -406,10 +406,10 @@ void Reporter::Weird(const char* name, const char* addl) return; } - WeirdHelper(net_weird, {new StringVal(addl)}, "%s", name); + WeirdHelper(net_weird, {new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl) +void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); 
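Review bot: `Reporter::Weird` in the net_weird hunk builds `new StringVal(addl)` and `new StringVal(source)` straight from the caller's pointers with no null guard, while `Connection::Weird` in this same commit substitutes `""` for a null `addl` or `source`. The commit also had to stop `PktSrc::Weird` from passing `nullptr`, which suggests null arguments do occur in callers, and a null reaching `StringVal` would presumably be dereferenced while the sensor is processing malformed traffic. Guarding at the sink, e.g. `new StringVal(source ? source : "")` and likewise for `addl`, covers every path. The same applies to the file, conn, expired-conn and flow overloads in the following Reporter.cc hunks.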
@@ -424,11 +424,11 @@ void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl) return; } - WeirdHelper(file_weird, {f->ToVal()->Ref(), new StringVal(addl)}, + WeirdHelper(file_weird, {f->ToVal()->Ref(), new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(Connection* conn, const char* name, const char* addl) +void Reporter::Weird(Connection* conn, const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); @@ -443,12 +443,12 @@ void Reporter::Weird(Connection* conn, const char* name, const char* addl) return; } - WeirdHelper(conn_weird, {conn->ConnVal()->Ref(), new StringVal(addl)}, + WeirdHelper(conn_weird, {conn->ConnVal()->Ref(), new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(RecordValPtr conn_id, StringValPtr uid, - const char* name, const char* addl) +void Reporter::Weird(RecordValPtr conn_id, StringValPtr uid, const char* name, + const char* addl, const char* source) { UpdateWeirdStats(name); @@ -463,11 +463,11 @@ void Reporter::Weird(RecordValPtr conn_id, StringValPtr uid, } WeirdHelper(expired_conn_weird, - {conn_id.release(), uid.release(), new StringVal(addl)}, + {conn_id.release(), uid.release(), new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl) +void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); @@ -482,7 +482,7 @@ void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name, c } WeirdHelper(flow_weird, - {new AddrVal(orig), new AddrVal(resp), new StringVal(addl)}, + {new AddrVal(orig), new AddrVal(resp), new StringVal(addl), new StringVal(source)}, "%s", name); } diff --git a/src/Reporter.h b/src/Reporter.h index 494bed79cd..a3036d4a85 100644 --- a/src/Reporter.h +++ b/src/Reporter.h 
@@ -95,12 +95,15 @@ public: // Report a traffic weirdness, i.e., an unexpected protocol situation // that may lead to incorrectly processing a connnection. - void Weird(const char* name, const char* addl = ""); // Raises net_weird(). - void Weird(file_analysis::File* f, const char* name, const char* addl = ""); // Raises file_weird(). - void Weird(Connection* conn, const char* name, const char* addl = ""); // Raises conn_weird(). + void Weird(const char* name, const char* addl = "", const char* source = ""); // Raises net_weird(). + void Weird(file_analysis::File* f, const char* name, + const char* addl = "", const char* source = ""); // Raises file_weird(). + void Weird(Connection* conn, const char* name, + const char* addl = "", const char* source = ""); // Raises conn_weird(). void Weird(RecordValPtr conn_id, StringValPtr uid, - const char* name, const char* addl = ""); // Raises expired_conn_weird(). - void Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl = ""); // Raises flow_weird(). + const char* name, const char* addl = "", const char* source = ""); // Raises expired_conn_weird(). + void Weird(const IPAddr& orig, const IPAddr& resp, const char* name, + const char* addl = "", const char* source = ""); // Raises flow_weird(). // Syslog a message. This methods does nothing if we're running // offline from a trace. diff --git a/src/Sessions.cc b/src/Sessions.cc index ba8231d369..15dfb91cb1 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -681,7 +681,7 @@ bool NetSessions::WantConnection(uint16_t src_port, uint16_t dst_port, return true; } -void NetSessions::Weird(const char* name, const Packet* pkt, const char* addl) +void NetSessions::Weird(const char* name, const Packet* pkt, const char* addl, const char* source) { const char* weird_name = name; 
@@ -694,12 +694,12 @@ void NetSessions::Weird(const char* name, const Packet* pkt, const char* addl) if ( pkt->ip_hdr ) { - reporter->Weird(pkt->ip_hdr->SrcAddr(), pkt->ip_hdr->DstAddr(), weird_name, addl); + reporter->Weird(pkt->ip_hdr->SrcAddr(), pkt->ip_hdr->DstAddr(), weird_name, addl, source); return; } } - reporter->Weird(weird_name, addl); + reporter->Weird(weird_name, addl, source); } void NetSessions::Weird(const char* name, const IP_Hdr* ip, const char* addl) diff --git a/src/Sessions.h b/src/Sessions.h index 740590641f..634e1f549c 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -70,7 +70,7 @@ public: void GetStats(SessionStats& s) const; void Weird(const char* name, const Packet* pkt, - const char* addl = ""); + const char* addl = "", const char* source = ""); void Weird(const char* name, const IP_Hdr* ip, const char* addl = ""); diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index fa9ea1c414..0ff3971aa1 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -838,7 +838,7 @@ void Analyzer::EnqueueConnEvent(EventHandlerPtr f, Args args) void Analyzer::Weird(const char* name, const char* addl) { - conn->Weird(name, addl); + conn->Weird(name, addl, GetAnalyzerName()); } SupportAnalyzer* SupportAnalyzer::Sibling(bool only_active) const diff --git a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac index b36f8acb59..427a08c510 100644 --- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac +++ b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac @@ -21,7 +21,7 @@ flow AYIYA_Flow if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth ) { - zeek::reporter->Weird(c, "tunnel_depth"); + connection()->zeek_analyzer()->Weird("tunnel_depth"); return false; } 
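Review bot: The `NetSessions::Weird(const char* name, const IP_Hdr* ip, const char* addl)` overload, visible as context in the Sessions.h hunk, is left without a `source` parameter while the `Packet*` overload next to it gains one. Weirds raised through the `IP_Hdr` overload will presumably reach the log with an empty source even when an analyzer raised them; its body is outside the diff, so this cannot be confirmed from here. If that is intentional, a comment on the declaration such as `// No source: not called from analyzers.` would record it. Otherwise add `const char* source = ""` and forward it the way the `Packet*` overload does.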
@@ -34,7 +34,7 @@ flow AYIYA_Flow if ( ${pdu.next_header} != IPPROTO_IPV6 && ${pdu.next_header} != IPPROTO_IPV4 ) { - zeek::reporter->Weird(c, "ayiya_tunnel_non_ip"); + connection()->zeek_analyzer()->Weird("ayiya_tunnel_non_ip"); return false; } diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc index 1d09dfdf98..7527df7360 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -119,6 +119,8 @@ void BitTorrent_Analyzer::EndpointEOF(bool is_orig) void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) { if ( bittorrent_peer_weird ) + + // TODO: why does bittorrent have a different set of weirds? EnqueueConnEvent(bittorrent_peer_weird, ConnVal(), val_mgr->Bool(orig), diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index f294f564b2..c044110584 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -190,8 +190,7 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( it != fb.end() ) { // We already had a first frag earlier. - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "multiple_first_fragments_in_dce_rpc_reassembly"); + connection()->zeek_analyzer()->Weird("multiple_first_fragments_in_dce_rpc_reassembly"); connection()->zeek_analyzer()->SetSkip(true); return false; } 
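Review bot: The TODO comment added in `BitTorrent_Analyzer::DeliverWeird` sits between the unbraced `if ( bittorrent_peer_weird )` and the `EnqueueConnEvent(...)` call it guards, with a blank line in front of it. That makes the guarded statement easy to misread and easy to break in a later edit. Move the comment above the condition, i.e. `// TODO: why does bittorrent have a different set of weirds?` directly before `if ( bittorrent_peer_weird )`, or brace the body. The function continues past the end of the hunk.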
@@ -212,15 +211,13 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( fb.size() > zeek::BifConst::DCE_RPC::max_cmd_reassembly ) { - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "too_many_dce_rpc_msgs_in_reassembly"); + connection()->zeek_analyzer()->Weird("too_many_dce_rpc_msgs_in_reassembly"); connection()->zeek_analyzer()->SetSkip(true); } if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data ) { - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "too_much_dce_rpc_fragment_data"); + connection()->zeek_analyzer()->Weird("too_much_dce_rpc_fragment_data"); connection()->zeek_analyzer()->SetSkip(true); } @@ -235,8 +232,7 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data ) { - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "too_much_dce_rpc_fragment_data"); + connection()->zeek_analyzer()->Weird("too_much_dce_rpc_fragment_data"); connection()->zeek_analyzer()->SetSkip(true); } diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac index 25c5f8a9da..c595373496 100644 --- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac +++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac @@ -655,7 +655,7 @@ flow GTPv1_Flow(is_orig: bool) if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth ) { - zeek::reporter->Weird(c, "tunnel_depth"); + a->Weird("tunnel_depth"); return false; } diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index efb6ed49c3..852581c2b6 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc 
@@ -1262,11 +1262,11 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) return 1; bad_http_request_with_version: - reporter->Weird(Conn(), "bad_HTTP_request_with_version"); + Weird("bad_HTTP_request_with_version"); return 0; error: - reporter->Weird(Conn(), "bad_HTTP_request"); + Weird("bad_HTTP_request"); return 0; } diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac index ca50de03a5..f4efdbbdaa 100644 --- a/src/analyzer/protocol/imap/imap-analyzer.pac +++ b/src/analyzer/protocol/imap/imap-analyzer.pac @@ -33,7 +33,7 @@ refine connection IMAP_Conn += { if ( is_orig && commands == "starttls" ) { if ( !client_starttls_id.empty() ) - zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS"); + zeek_analyzer()->Weird("IMAP: client sent duplicate StartTLS"); client_starttls_id = tags; } @@ -48,7 +48,7 @@ refine connection IMAP_Conn += { zeek::BifEvent::enqueue_imap_starttls(zeek_analyzer(), zeek_analyzer()->Conn()); } else - zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: server refused StartTLS"); + zeek_analyzer()->Weird("IMAP: server refused StartTLS"); } return true; diff --git a/src/analyzer/protocol/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc index 341c90f224..f35790f583 100644 --- a/src/analyzer/protocol/login/NVT.cc +++ b/src/analyzer/protocol/login/NVT.cc @@ -539,7 +539,7 @@ void NVT_Analyzer::DeliverChunk(int& len, const u_char*& data) else { if ( Conn()->FlagEvent(SINGULAR_LF) ) - Conn()->Weird("line_terminated_with_single_LF"); + Weird("line_terminated_with_single_LF"); buf[offset++] = c; } break; diff --git a/src/analyzer/protocol/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc index 8f6a090b39..0653497585 100644 --- a/src/analyzer/protocol/login/RSH.cc +++ b/src/analyzer/protocol/login/RSH.cc 
@@ -96,7 +96,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) case RSH_PRESUMED_REJECTED: if ( state == RSH_PRESUMED_REJECTED ) { - Conn()->Weird("rsh_text_after_rejected"); + Weird("rsh_text_after_rejected"); state = RSH_UNKNOWN; } @@ -140,7 +140,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) void Contents_Rsh_Analyzer::BadProlog() { - Conn()->Weird("bad_rsh_prolog"); + Weird("bad_rsh_prolog"); state = RSH_UNKNOWN; } diff --git a/src/analyzer/protocol/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc index 7bd927d797..b943f04610 100644 --- a/src/analyzer/protocol/login/Rlogin.cc +++ b/src/analyzer/protocol/login/Rlogin.cc @@ -161,7 +161,7 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) if ( state == RLOGIN_LINE_MODE && peer->state == RLOGIN_PRESUMED_REJECTED ) { - Conn()->Weird("rlogin_text_after_rejected"); + Weird("rlogin_text_after_rejected"); state = RLOGIN_UNKNOWN; } @@ -203,7 +203,7 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) void Contents_Rlogin_Analyzer::BadProlog() { - Conn()->Weird("bad_rlogin_prolog"); + Weird("bad_rlogin_prolog"); state = RLOGIN_UNKNOWN; } diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index 2226c1aa7f..ec633341de 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac 
@@ -175,13 +175,13 @@ refine connection SOCKS_Conn += { function socks5_unsupported_authentication_method(auth_method: uint8): bool %{ - zeek::reporter->Weird(zeek_analyzer()->Conn(), "socks5_unsupported_authentication_method", zeek::util::fmt("%d", auth_method)); + zeek_analyzer()->Weird("socks5_unsupported_authentication_method", zeek::util::fmt("%d", auth_method)); return true; %} function socks5_unsupported_authentication_version(auth_method: uint8, version: uint8): bool %{ - zeek::reporter->Weird(zeek_analyzer()->Conn(), "socks5_unsupported_authentication", zeek::util::fmt("method %d, version %d", auth_method, version)); + zeek_analyzer()->Weird("socks5_unsupported_authentication", zeek::util::fmt("method %d, version %d", auth_method, version)); return true; %} diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac index a82772d2b4..a739a35d05 100644 --- a/src/analyzer/protocol/ssl/proc-certificate.pac +++ b/src/analyzer/protocol/ssl/proc-certificate.pac 
@@ -1,38 +1,39 @@ - function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool - %{ - if ( certificates->size() == 0 ) - return true; - - zeek::ODesc common; - common.AddRaw("Analyzer::ANALYZER_SSL"); - common.Add(zeek_analyzer()->Conn()->StartTime()); - common.AddRaw(is_orig ? "T" : "F", 1); - zeek_analyzer()->Conn()->IDString(&common); - - static const string user_mime = "application/x-x509-user-cert"; - static const string ca_mime = "application/x-x509-ca-cert"; - - for ( unsigned int i = 0; i < certificates->size(); ++i ) - { - const bytestring& cert = (*certificates)[i]; - - if ( cert.length() <= 0 ) - { - zeek::reporter->Weird(zeek_analyzer()->Conn(), "zero_length_certificate"); - continue; - } - - zeek::ODesc file_handle; - file_handle.Add(common.Description()); - file_handle.Add(i); - - string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); - - zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), zeek_analyzer()->GetAnalyzerTag(), - zeek_analyzer()->Conn(), is_orig, - file_id, i == 0 ? user_mime : ca_mime); - zeek::file_mgr->EndOfFile(file_id); - } +function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool + %{ + if ( certificates->size() == 0 ) return true; - %} + + zeek::ODesc common; + common.AddRaw("Analyzer::ANALYZER_SSL"); + common.Add(zeek_analyzer()->Conn()->StartTime()); + common.AddRaw(is_orig ? 
"T" : "F", 1); + zeek_analyzer()->Conn()->IDString(&common); + + static const string user_mime = "application/x-x509-user-cert"; + static const string ca_mime = "application/x-x509-ca-cert"; + + for ( unsigned int i = 0; i < certificates->size(); ++i ) + { + const bytestring& cert = (*certificates)[i]; + + if ( cert.length() <= 0 ) + { + zeek::reporter->Weird(zeek_analyzer()->Conn(), "zero_length_certificate", "", + zeek_analyzer()->GetAnalyzerName()); + continue; + } + + zeek::ODesc file_handle; + file_handle.Add(common.Description()); + file_handle.Add(i); + + string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); + + zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), + cert.length(), zeek_analyzer()->GetAnalyzerTag(), + zeek_analyzer()->Conn(), is_orig, + file_id, i == 0 ? user_mime : ca_mime); + zeek::file_mgr->EndOfFile(file_id); + } + return true; + %} diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index f28ba40b76..9806fe31f1 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -322,7 +322,7 @@ refine connection Handshake_Conn += { } else if ( response.length() == 0 ) { - zeek::reporter->Weird(zeek_analyzer()->Conn(), "SSL_zero_length_stapled_OCSP_message"); + zeek_analyzer()->Weird("SSL_zero_length_stapled_OCSP_message"); } return true; diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index 1e5953dfe2..679f8c1f37 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc +++ b/src/analyzer/protocol/tcp/ContentLine.cc @@ -263,7 +263,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) else { if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_LF) ) - Conn()->Weird("line_terminated_with_single_LF"); + Weird("line_terminated_with_single_LF"); buf[offset++] = c; } break; 
@@ -282,7 +282,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) if ( last_char == '\r' ) if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_CR) ) - Conn()->Weird("line_terminated_with_single_CR"); + Weird("line_terminated_with_single_CR"); last_char = c; } @@ -312,7 +312,7 @@ void ContentLine_Analyzer::CheckNUL() else { if ( ! suppress_weirds && Conn()->FlagEvent(NUL_IN_LINE) ) - Conn()->Weird("NUL_in_line"); + Weird("NUL_in_line"); flag_NULs = false; } } diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index bea7dd0209..549612e501 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -461,20 +461,20 @@ static void update_window(TCP_Endpoint* endpoint, unsigned int window, } } -static void syn_weirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len) +void TCP_Analyzer::SynWeirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len) const { if ( flags.RST() ) - endpoint->Conn()->Weird("TCP_christmas"); + endpoint->Conn()->Weird("TCP_christmas", "", GetAnalyzerName()); if ( flags.URG() ) - endpoint->Conn()->Weird("baroque_SYN"); + endpoint->Conn()->Weird("baroque_SYN", "", GetAnalyzerName()); if ( data_len > 0 ) // Not technically wrong according to RFC 793, but the other side // would be forced to buffer data until the handshake succeeds, and // that could be bad in some cases, e.g. SYN floods. // T/TCP definitely complicates this. - endpoint->Conn()->Weird("SYN_with_data"); + endpoint->Conn()->Weird("SYN_with_data", "", GetAnalyzerName()); } void TCP_Analyzer::UpdateInactiveState(double t, @@ -1097,7 +1097,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( flags.SYN() ) { - syn_weirds(flags, endpoint, len); + SynWeirds(flags, endpoint, len); RecordVal* SYN_vals = build_syn_packet_val(is_orig, ip, tp); init_window(endpoint, peer, flags, SYN_vals->GetField(5)->CoerceToInt(), base_seq, ack_seq); 
diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h index 705bb157f0..6197afbd1a 100644 --- a/src/analyzer/protocol/tcp/TCP.h +++ b/src/analyzer/protocol/tcp/TCP.h @@ -167,6 +167,9 @@ protected: static int get_segment_len(int payload_len, TCP_Flags flags); private: + + void SynWeirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len) const; + TCP_Endpoint* orig; TCP_Endpoint* resp; diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h index 41a82d9b01..8f57f72a9e 100644 --- a/src/analyzer/protocol/teredo/Teredo.h +++ b/src/analyzer/protocol/teredo/Teredo.h @@ -31,7 +31,7 @@ public: void Weird(const char* name, bool force = false) const { if ( ProtocolConfirmed() || force ) - reporter->Weird(Conn(), name); + reporter->Weird(Conn(), name, "", GetAnalyzerName()); } /** diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc index a66a3b17fc..780c2573eb 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.cc +++ b/src/analyzer/protocol/vxlan/VXLAN.cc @@ -51,7 +51,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, if ( outer && outer->Depth() >= BifConst::Tunnel::max_depth ) { - reporter->Weird(Conn(), "tunnel_depth"); + Weird("tunnel_depth"); return; } diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac index 2520cbe6e2..7c0bfa9701 100644 --- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac +++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac @@ -36,7 +36,7 @@ refine connection XMPP_Conn += { zeek::BifEvent::enqueue_xmpp_starttls(zeek_analyzer(), zeek_analyzer()->Conn()); } else if ( !is_orig && token == "proceed" ) - zeek::reporter->Weird(zeek_analyzer()->Conn(), "XMPP: proceed without starttls"); + zeek_analyzer()->Weird("XMPP: proceed without starttls"); // printf("Processed: %d %s %s %s \n", is_orig, c_str(name), c_str(rest), token_no_ns.c_str()); 
diff --git a/src/event.bif b/src/event.bif index a6829b833f..0c4bb8448a 100644 --- a/src/event.bif +++ b/src/event.bif @@ -453,12 +453,16 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%); ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: flow_weird net_weird file_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event conn_weird%(name: string, c: connection, addl: string, source: string%); event conn_weird%(name: string, c: connection, addl: string%); ## Generated for unexpected activity related to a specific connection whose @@ -482,12 +486,16 @@ event conn_weird%(name: string, c: connection, addl: string%); ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: flow_weird net_weird file_weird conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event expired_conn_weird%(name: string, id: conn_id, uid: string, addl: string, source: string%); event expired_conn_weird%(name: string, id: conn_id, uid: string, addl: string%); ## Generated for unexpected activity related to a pair of hosts, but independent 
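Review bot: The comment blocks for `conn_weird` and `expired_conn_weird` now document `source`, but each is followed by two prototypes and nothing says that the shorter one is kept for existing handlers and does not carry the source. A sentence such as `## The prototype without *source* is retained for backwards compatibility.` would tell script authors which form to handle when they want the attribution in their detections. The same applies to `flow_weird`, `net_weird` and `file_weird` in the later event.bif hunks.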
@@ -507,12 +515,16 @@ event expired_conn_weird%(name: string, id: conn_id, uid: string, addl: string%) ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: conn_weird net_weird file_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event flow_weird%(name: string, src: addr, dst: addr, addl: string, source: string%); event flow_weird%(name: string, src: addr, dst: addr, addl: string%); ## Generated for unexpected activity that is not tied to a specific connection @@ -527,12 +539,16 @@ event flow_weird%(name: string, src: addr, dst: addr, addl: string%); ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: flow_weird file_weird conn_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event net_weird%(name: string, addl: string, source: string%); event net_weird%(name: string, addl: string%); ## Generated for unexpected activity that is tied to a file. 
@@ -548,12 +564,15 @@ event net_weird%(name: string, addl: string%); ## ## addl: Additional information related to the weird. ## +## source: The name of the file analyzer that generated the weird. +## ## .. zeek:see:: flow_weird net_weird conn_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event file_weird%(name: string, f: fa_file, addl: string, source: string%); event file_weird%(name: string, f: fa_file, addl: string%); ## Generated regularly for the purpose of profiling Zeek's processing. This event diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 997ef52b78..129393aee5 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -76,11 +76,6 @@ Packet::~Packet() delete [] data; } -void Packet::Weird(const char* name) - { - sessions->Weird(name, this); - } - RecordValPtr Packet::ToRawPktHdrVal() const { static auto raw_pkt_hdr_type = id::find_type("raw_pkt_hdr"); diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index 43e2ed1b4f..6bf2a506e6 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -124,9 +124,6 @@ public: [[deprecated("Remove in v4.1. Use ToRawPktHdrval() instead.")]] RecordVal* BuildPktHdrVal() const; - // Wrapper to generate a packet-level weird. Has to be public for llanalyzers to use it. - void Weird(const char* name); - /** * Maximal length of a layer 2 address. */ diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index d6e053fa1a..50fa3b6182 100644 --- a/src/iosource/PktSrc.cc +++ b/src/iosource/PktSrc.cc 
@@ -135,7 +135,7 @@ void PktSrc::Info(const std::string& msg) void PktSrc::Weird(const std::string& msg, const Packet* p) { - sessions->Weird(msg.c_str(), p, nullptr); + sessions->Weird(msg.c_str(), p); } void PktSrc::InternalError(const std::string& msg) diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 871e2c6e3f..d0662c9a67 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -5,6 +5,8 @@ #include "zeek/Dict.h" #include "zeek/DebugLogger.h" #include "zeek/RunState.h" +#include "zeek/Sessions.h" +#include "zeek/util.h" namespace zeek::packet_analysis { @@ -70,7 +72,7 @@ AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const } bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet, - uint32_t identifier) const + uint32_t identifier) const { auto inner_analyzer = Lookup(identifier); if ( ! inner_analyzer ) @@ -96,7 +98,8 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) co DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.", GetAnalyzerName()); - packet->Weird("no_suitable_analyzer_found"); + + Weird("no_suitable_analyzer_found", packet); return true; } @@ -116,4 +119,9 @@ void Analyzer::RegisterProtocol(uint32_t identifier, AnalyzerPtr child) dispatcher.Register(identifier, std::move(child)); } -} +void Analyzer::Weird(const char* name, Packet* packet, const char* addl) const + { + sessions->Weird(name, packet, addl, GetAnalyzerName()); + } + +} // namespace zeek::packet_analysis diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index a8da218a93..90a3508aca 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h 
@@ -148,6 +148,18 @@ protected: */ bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const; + /** + * Reports a Weird with the analyzer's name included in the addl field. + * + * @param name The name of the weird. + * @param packet An optional pointer to a packet to be used for additional + * information in the weird output. + * @param addl An optional string containing additional information about + * the weird. If this is passed, the analyzer's name will be prepended to + * it before output. + */ + void Weird(const char* name, Packet* packet=nullptr, const char* addl="") const; + private: Tag tag; Dispatcher dispatcher; diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index 0edf0816dd..f63d385ed1 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc @@ -89,7 +89,7 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // Check whether the header is complete. if ( sizeof(struct arp_pkthdr) > len ) { - packet->Weird("truncated_ARP"); + Weird("truncated_ARP", packet); return false; } @@ -100,7 +100,7 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) size_t min_length = (ar_tpa(ah) - (char*) data) + ah->ar_pln; if ( min_length > len ) { - packet->Weird("truncated_ARP"); + Weird("truncated_ARP", packet); return false; } diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 42a620a83f..a64a5c0f7c 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -25,7 +25,7 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa // to pull bytes out of it. if ( 16 >= len ) { - packet->Weird("truncated_ethernet_frame"); + Weird("truncated_ethernet_frame", packet); return false; } 
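Review bot: The doc comment on the new `Analyzer::Weird` declaration says the analyzer's name is included in the `addl` field and prepended to it, but the definition in Analyzer.cc passes `GetAnalyzerName()` as a separate fourth argument to `sessions->Weird` and leaves `addl` untouched. The comment should describe what the code does: open with `Reports a Weird with the analyzer's name as its source.` and reduce `@param addl` to `An optional string containing additional information about the weird.` As written it points anyone building detections on weird.log at the wrong column for the analyzer name.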
@@ -36,7 +36,7 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa if ( cfplen + 14 >= len ) { - packet->Weird("truncated_link_header_cfp"); + Weird("truncated_link_header_cfp", packet); return false; } @@ -60,7 +60,7 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa { if ( 16 >= len ) { - packet->Weird("truncated_ethernet_frame"); + Weird("truncated_ethernet_frame", packet); return false; } @@ -86,6 +86,6 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa } // Undefined (1500 < EtherType < 1536) - packet->Weird("undefined_ether_type"); + Weird("undefined_ether_type", packet); return false; } diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc index 7e8f8bf616..e296ab67e4 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc @@ -15,7 +15,7 @@ bool FDDIAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet if ( hdr_size >= len ) { - packet->Weird("FDDI_analyzer_failed"); + Weird("FDDI_analyzer_failed"); return false; } diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc index cb3516a50f..6a36442b93 100644 --- a/src/packet_analysis/protocol/gre/GRE.cc +++ b/src/packet_analysis/protocol/gre/GRE.cc @@ -51,13 +51,13 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ! BifConst::Tunnel::enable_gre ) { - sessions->Weird("GRE_tunnel", packet); + Weird("GRE_tunnel", packet); return false; } if ( len < gre_header_len() ) { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } 
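Review bot: The FDDI.cc hunk calls `Weird("FDDI_analyzer_failed")` without the packet, while every other converted call site in this commit passes it. Because `packet` defaults to `nullptr` in the new `Analyzer::Weird`, this compiles without complaint and the weird is reported with no packet attached, where the old `packet->Weird(...)` supplied one. It should read `Weird("FDDI_analyzer_failed", packet);`. `AnalyzePacket` starts and ends outside the hunk.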
@@ -75,7 +75,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( gre_version != 0 && gre_version != 1 ) { - sessions->Weird("unknown_gre_version", packet, util::fmt("%d", gre_version)); + Weird("unknown_gre_version", packet, util::fmt("version=%d", gre_version)); return false; } @@ -92,7 +92,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -109,7 +109,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -132,7 +132,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) erspan_len += 8; else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -141,7 +141,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -152,7 +152,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( proto_typ != 0x880b ) { // Enhanced GRE payload must be PPP. - sessions->Weird("egre_protocol_type", packet, util::fmt("%d", proto_typ)); + Weird("egre_protocol_type", packet, util::fmt("proto=%d", proto_typ)); return false; } } 
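Review bot: The `addl` text for `unknown_gre_version` changes from a bare number to `version=%d`, and in the last GRE.cc hunk on this line `egre_protocol_type` changes from `%d` to `proto=%d`, so a logged field changes format along with the refactor. Anything that matches on the old `addl` value in weird.log will stop matching, so this deserves a line in the release notes. Since `proto_typ` is compared with `0x880b` just above, printing it in hex with `util::fmt("proto=0x%04x", proto_typ)` would let the logged value be checked against that constant directly. `proto_typ` is declared outside the hunk, so confirm the format specifier suits its type.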
@@ -162,20 +162,20 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // RFC 2784 deprecates the variable length routing field // specified by RFC 1701. It could be parsed here, but easiest // to just skip for now. - sessions->Weird("gre_routing", packet); + Weird("gre_routing", packet); return false; } if ( flags_ver & 0x0078 ) { // Expect last 4 bits of flags are reserved, undefined. - sessions->Weird("unknown_gre_flags", packet); + Weird("unknown_gre_flags", packet); return false; } if ( len < gre_len + ppp_len + eth_len + erspan_len ) { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } @@ -185,7 +185,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 ) { - sessions->Weird("non_ip_packet_in_encap", packet); + Weird("non_ip_packet_in_encap", packet); return false; } diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index 4a46046a90..d3ee996dc5 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -15,7 +15,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* if ( len_80211 >= len ) { - packet->Weird("truncated_802_11_header"); + Weird("truncated_802_11_header", packet); return false; } @@ -47,7 +47,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* if ( len_80211 >= len ) { - packet->Weird("truncated_802_11_header"); + Weird("truncated_802_11_header", packet); return false; } @@ -82,7 +82,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* len_80211 += 8; if ( len_80211 >= len ) { - packet->Weird("truncated_802_11_header"); + Weird("truncated_802_11_header", packet); return false; } 
diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc index 8f66b79437..04d6702254 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc @@ -15,7 +15,7 @@ bool IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Pa { if ( 3 >= len ) { - packet->Weird("truncated_radiotap_header"); + Weird("truncated_radiotap_header", packet); return false; } @@ -24,7 +24,7 @@ bool IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Pa if ( rtheader_len >= len ) { - packet->Weird("truncated_radiotap_header"); + Weird("truncated_radiotap_header", packet); return false; } diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index 90757dacd7..df3a9dfabc 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -35,7 +35,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // check ipv4 here. We'll check ipv6 later once we determine we have an ipv6 header. if ( len < sizeof(struct ip) ) { - sessions->Weird("truncated_IP", packet); + Weird("truncated_IP", packet); return false; } @@ -56,7 +56,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( len < sizeof(struct ip6_hdr) ) { - sessions->Weird("truncated_IP", packet); + Weird("truncated_IP", packet); return false; } @@ -65,7 +65,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("unknown_ip_version", packet); + Weird("unknown_ip_version", packet); return false; } 
@@ -76,7 +76,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( total_len == 0 ) { // TCP segmentation offloading can zero out the ip_len field. - sessions->Weird("ip_hdr_len_zero", packet); + Weird("ip_hdr_len_zero", packet); // Cope with the zero'd out ip_len field by using the caplen. total_len = packet->cap_len - hdr_size; @@ -84,7 +84,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( packet->len < total_len + hdr_size ) { - sessions->Weird("truncated_IPv6", packet); + Weird("truncated_IPv6", packet); return false; } @@ -93,13 +93,13 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) uint16_t ip_hdr_len = packet->ip_hdr->HdrLen(); if ( ip_hdr_len > total_len ) { - sessions->Weird("invalid_IP_header_size", packet); + Weird("invalid_IP_header_size", packet); return false; } if ( ip_hdr_len > len ) { - sessions->Weird("internally_truncated_header", packet); + Weird("internally_truncated_header", packet); return false; } @@ -107,7 +107,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( ip_hdr_len < sizeof(struct ip) ) { - sessions->Weird("IPv4_min_header_size", packet); + Weird("IPv4_min_header_size", packet); return false; } } @@ -115,7 +115,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( ip_hdr_len < sizeof(struct ip6_hdr) ) { - sessions->Weird("IPv6_min_header_size", packet); + Weird("IPv6_min_header_size", packet); return false; } } @@ -129,7 +129,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) ! zeek::id::find_val("ignore_checksums_nets")->Contains(packet->ip_hdr->IPHeaderSrcAddr()) && detail::in_cksum(reinterpret_cast(ip4), ip_hdr_len) != 0xffff ) { - sessions->Weird("bad_IP_checksum", packet); + Weird("bad_IP_checksum", packet); return false; } 
@@ -144,7 +144,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( len < total_len ) { - sessions->Weird("incompletely_captured_fragment", packet); + Weird("incompletely_captured_fragment", packet); // Don't try to reassemble, that's doomed. // Discard all except the first fragment (which @@ -174,7 +174,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ip_hdr_len > total_len ) { - sessions->Weird("invalid_IP_header_size", packet); + Weird("invalid_IP_header_size", packet); return false; } } @@ -203,7 +203,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ! ignore_checksums && mobility_header_checksum(packet->ip_hdr) != 0xffff ) { - sessions->Weird("bad_MH_checksum", packet); + Weird("bad_MH_checksum", packet); return false; } @@ -211,7 +211,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) event_mgr.Enqueue(mobile_ipv6_message, packet->ip_hdr->ToPktHdrVal()); if ( packet->ip_hdr->NextProto() != IPPROTO_NONE ) - sessions->Weird("mobility_piggyback", packet); + Weird("mobility_piggyback", packet); return true; } @@ -249,7 +249,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ! ( packet->encap && packet->encap->LastType() == BifEnum::Tunnel::TEREDO ) ) { - sessions->Weird("ipv6_no_next", packet); + Weird("ipv6_no_next", packet); return_val = false; } break; diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc index a7455cb214..ca91c26a61 100644 --- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc 
@@ -29,14 +29,14 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa if ( ! BifConst::Tunnel::enable_ip ) { - sessions->Weird("IP_tunnel", packet); + Weird("IP_tunnel", packet); return false; } if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) { - sessions->Weird("exceeded_tunnel_max_depth", packet); + Weird("exceeded_tunnel_max_depth", packet); return false; } @@ -52,11 +52,11 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa // Check for a valid inner packet first. int result = sessions->ParseIPPacket(len, data, proto, inner); if ( result == -2 ) - sessions->Weird("invalid_inner_IP_version", packet); + Weird("invalid_inner_IP_version", packet); else if ( result < 0 ) - sessions->Weird("truncated_inner_IP", packet); + Weird("truncated_inner_IP", packet); else if ( result > 0 ) - sessions->Weird("inner_IP_payload_length_mismatch", packet); + Weird("inner_IP_payload_length_mismatch", packet); if ( result != 0 ) { diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc index 35273cd961..77b5d780f4 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc @@ -14,7 +14,7 @@ bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa auto len_sll_hdr = sizeof(SLLHeader); if ( len_sll_hdr >= len ) { - packet->Weird("truncated_Linux_SLL_header"); + Weird("truncated_Linux_SLL_header", packet); return false; } diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc index 7314d507fa..b1394f6c18 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc 
@@ -18,7 +18,7 @@ bool MPLSAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet { if ( 4 >= len ) { - packet->Weird("truncated_link_header"); + Weird("truncated_link_header", packet); return false; } diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc index c7ae625784..dde1dfe11c 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.cc +++ b/src/packet_analysis/protocol/nflog/NFLog.cc @@ -13,7 +13,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe { if ( 4 >= len ) { - packet->Weird("truncated_nflog_header"); + Weird("truncated_nflog_header", packet); return false; } @@ -23,7 +23,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe if ( version != 0 ) { - packet->Weird("unknown_nflog_version"); + Weird("unknown_nflog_version", packet); return false; } @@ -38,7 +38,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe { if ( 4 >= len ) { - packet->Weird("nflog_no_pcap_payload"); + Weird("nflog_no_pcap_payload", packet); return false; } @@ -66,7 +66,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe if ( tlv_len < 4 ) { - packet->Weird("nflog_bad_tlv_len"); + Weird("nflog_bad_tlv_len", packet); return false; } else diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc index 5a28c360c7..87fe28e844 100644 --- a/src/packet_analysis/protocol/null/Null.cc +++ b/src/packet_analysis/protocol/null/Null.cc @@ -13,7 +13,7 @@ bool NullAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet { if ( 4 >= len ) { - packet->Weird("null_analyzer_failed"); + Weird("null_analyzer_failed", packet); return false; } diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc index 90214f7b76..83e66b2f22 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc 
+++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc @@ -13,7 +13,7 @@ bool PPPSerialAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* p { if ( 4 >= len ) { - packet->Weird("truncated_ppp_serial_header"); + Weird("truncated_ppp_serial_header", packet); return false; } diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc index 7eac6d5736..d5d09f0f98 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.cc +++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc @@ -13,7 +13,7 @@ bool PPPoEAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe { if ( 8 >= len ) { - packet->Weird("truncated_pppoe_header"); + Weird("truncated_pppoe_header", packet); return false; } diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc index 2700d814db..cb685c3aa7 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.cc +++ b/src/packet_analysis/protocol/vlan/VLAN.cc @@ -13,7 +13,7 @@ bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet { if ( 4 >= len ) { - packet->Weird("truncated_VLAN_header"); + Weird("truncated_VLAN_header", packet); return false; } diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc index c17244b4dc..d8bcf990c8 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.cc +++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc @@ -25,7 +25,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) if ( data + cfplen + 14 >= end_of_data ) { - packet->Weird("truncated_link_header_cfp"); + Weird("truncated_link_header_cfp", packet); return false; } @@ -55,7 +55,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 4 >= end_of_data ) { - packet->Weird("truncated_link_header"); + Weird("truncated_link_header", packet); return false; } 
@@ -73,7 +73,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 8 >= end_of_data ) { - packet->Weird("truncated_link_header"); + Weird("truncated_link_header", packet); return false; } @@ -87,7 +87,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) else { // Neither IPv4 nor IPv6. - packet->Weird("non_ip_packet_in_pppoe_encapsulation"); + Weird("non_ip_packet_in_pppoe_encapsulation", packet); return false; } } @@ -111,7 +111,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) else { // Neither IPv4 nor IPv6. - packet->Weird("non_ip_packet_in_ethernet"); + Weird("non_ip_packet_in_ethernet", packet); return false; } } @@ -125,7 +125,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 4 >= end_of_data ) { - packet->Weird("truncated_link_header"); + Weird("truncated_link_header", packet); return false; } @@ -136,7 +136,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) // We assume that what remains is IP if ( data + sizeof(struct ip) >= end_of_data ) { - packet->Weird("no_ip_in_mpls_payload"); + Weird("no_ip_in_mpls_payload", packet); return false; } @@ -149,7 +149,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) else { // Neither IPv4 nor IPv6. - packet->Weird("no_ip_in_mpls_payload"); + Weird("no_ip_in_mpls_payload", packet); return false; } } diff --git a/src/reporter.bif b/src/reporter.bif index 1aec934477..339243c8e0 100644 --- a/src/reporter.bif +++ b/src/reporter.bif 
@@ -91,9 +91,9 @@ function Reporter::fatal_error_with_core%(msg: string%): bool ## name: the name of the weird. ## ## Returns: Always true. -function Reporter::net_weird%(name: string%): bool +function Reporter::net_weird%(name: string, addl: string &default="", source: string &default=""%): bool %{ - reporter->Weird(name->CheckString()); + reporter->Weird(name->CheckString(), addl->CheckString(), source->CheckString()); return zeek::val_mgr->True(); %} @@ -106,9 +106,9 @@ function Reporter::net_weird%(name: string%): bool ## resp: the responder host associated with the weird. ## ## Returns: Always true. -function Reporter::flow_weird%(name: string, orig: addr, resp: addr%): bool +function Reporter::flow_weird%(name: string, orig: addr, resp: addr, addl: string &default="", source: string &default=""%): bool %{ - reporter->Weird(orig->AsAddr(), resp->AsAddr(), name->CheckString()); + reporter->Weird(orig->AsAddr(), resp->AsAddr(), name->CheckString(), addl->CheckString(), source->CheckString()); return zeek::val_mgr->True(); %} @@ -121,17 +121,17 @@ function Reporter::flow_weird%(name: string, orig: addr, resp: addr%): bool ## addl: additional information to accompany the weird. ## ## Returns: Always true. -function Reporter::conn_weird%(name: string, c: connection, addl: string &default=""%): bool +function Reporter::conn_weird%(name: string, c: connection, addl: string &default="", source: string &default=""%): bool %{ if ( c ) - reporter->Weird(c, name->CheckString(), addl->CheckString()); + reporter->Weird(c, name->CheckString(), addl->CheckString(), source->CheckString()); else { auto connection_record = @ARG@[1]->AsRecordVal(); auto conn_id_val = connection_record->GetField("id"); auto uid_val = connection_record->GetField("uid"); reporter->Weird(conn_id_val, uid_val, - name->CheckString(), addl->CheckString()); + name->CheckString(), addl->CheckString(), source->CheckString()); } return zeek::val_mgr->True(); 
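Review bot: The `##` doc blocks above `Reporter::net_weird`, `Reporter::flow_weird` and `Reporter::conn_weird` are not extended for the new parameters: the context lines still run from the last old parameter straight to `## Returns:`. The same holds for `Reporter::file_weird` in the following reporter.bif hunk. Add `## addl: additional information to accompany the weird.` to the first two and `## source: the source of the weird, e.g. the name of the reporting analyzer.` to all four. Since `source` can now be set freely from script land, the documentation should make clear that the value is caller-supplied.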
@@ -146,7 +146,7 @@ function Reporter::conn_weird%(name: string, c: connection, addl: string &defaul ## addl: additional information to accompany the weird. ## ## Returns: true if the file was still valid, else false. -function Reporter::file_weird%(name: string, f: fa_file, addl: string &default=""%): bool +function Reporter::file_weird%(name: string, f: fa_file, addl: string &default="", source: string&default=""%): bool %{ auto fuid = f->AsRecordVal()->GetField(0)->AsStringVal(); auto file = zeek::file_mgr->LookupFile(fuid->CheckString()); @@ -154,7 +154,7 @@ function Reporter::file_weird%(name: string, f: fa_file, addl: string &default=" if ( ! file ) return zeek::val_mgr->False(); - reporter->Weird(file, name->CheckString(), addl->CheckString()); + reporter->Weird(file, name->CheckString(), addl->CheckString(), source->CheckString()); return zeek::val_mgr->True(); %} diff --git a/testing/btest/Baseline/bifs.decode_base64_conn/weird.log b/testing/btest/Baseline/bifs.decode_base64_conn/weird.log index cdee200f0b..82f7fa8a9b 100644 --- a/testing/btest/Baseline/bifs.decode_base64_conn/weird.log +++ b/testing/btest/Baseline/bifs.decode_base64_conn/weird.log 
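Review bot: In the new `Reporter::file_weird` signature the last parameter is written `source: string&default=""`, without the space that `addl: string &default=""` beside it and the other three reporter BIFs use. Write it as `source: string &default=""` so the four signatures read the same.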
@@ -1,12 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-01-59-08 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1254722767.875996 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek -1437831787.861602 CmES5u32sYpV7JYN 192.168.133.100 49648 192.168.133.102 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek -1437831799.610433 C3eiCBGOLw3VtHfOj 192.168.133.100 49655 17.167.150.73 443 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek -#close 2019-06-07-01-59-08 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek - +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 192.168.133.100 49648 192.168.133.102 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek - +XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 192.168.133.100 49655 17.167.150.73 443 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.checksums/bad.out b/testing/btest/Baseline/core.checksums/bad.out index df84841c36..5d1748a8e6 100644 --- a/testing/btest/Baseline/core.checksums/bad.out +++ b/testing/btest/Baseline/core.checksums/bad.out 
@@ -1,103 +1,104 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-07 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332784981.078396 - 127.0.0.1 0 127.0.0.1 0 bad_IP_checksum - F zeek -#close 2020-10-14-18-44-07 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 127.0.0.1 0 127.0.0.1 0 bad_IP_checksum - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-08 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332784885.686428 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F zeek -#close 2020-10-14-18-44-08 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F zeek TCP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-08 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332784933.501023 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F zeek -#close 2020-10-14-18-44-08 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool 
string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F zeek UDP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-09 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075363.536871 CHhAvVGS1DHFjwGM9 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-09 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-10 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332785210.013051 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -1332785210.013051 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F zeek -#close 2020-10-14-18-44-10 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F zeek TCP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-10 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string 
bool string -1332782580.798420 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -1332782580.798420 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F zeek -#close 2020-10-14-18-44-10 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F zeek UDP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075111.800086 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -1334075111.800086 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-11 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332785250.469132 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 
bad_TCP_checksum - F zeek -#close 2020-10-14-18-44-11 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 bad_TCP_checksum - F zeek TCP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-12 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332781342.923813 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F zeek -#close 2020-10-14-18-44-12 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F zeek UDP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-12 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-12 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/core.checksums/good.out b/testing/btest/Baseline/core.checksums/good.out
index d7116bca16..72eab9b642 100644
--- a/testing/btest/Baseline/core.checksums/good.out
+++ b/testing/btest/Baseline/core.checksums/good.out
@@ -1,70 +1,71 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-12 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-12 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332785125.596793 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-15 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332782508.592037 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-15 +#open XXXX-XX-XX-XX-XX-XX +#fields 
ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 
2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.ip-broken-header/weird.log b/testing/btest/Baseline/core.ip-broken-header/weird.log index 4274eb2986..97c99cf663 100644 --- a/testing/btest/Baseline/core.ip-broken-header/weird.log +++ b/testing/btest/Baseline/core.ip-broken-header/weird.log 
@@ -1,471 +1,472 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-45-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - - - - - unknown_ip_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 
0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 
0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:ffff:ffff:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7463:2a72:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 
b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F 
zeek -1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:100:0:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 
9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 
b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F zeek -1500557631.000000 - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 
0.0.0.0 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:bf 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 32.0.8.99 0 0.0.0.0 0 
invalid_IP_header_size - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 ip_hdr_len_zero - F zeek -1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F zeek -1500557632.000000 - b100:7265:6374:6929::6928:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 7200:65:6374:6929::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6900:2900:0:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 
3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 ip_hdr_len_zero - F zeek -1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F zeek -1500557632.000000 - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::2104:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 
40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 ip_hdr_len_zero - F zeek -1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6377:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::4:fd 0 
c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:3b 0 bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::ff00:bfff 0 3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:6369:2a29:3b00:690a:ff 0 3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 ip_hdr_len_zero - F zeek -1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek -1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek -1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929::693b:bdff 0 0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F zeek -1500557634.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:63ce:69:7429:0:690a:b1 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:2a29::6904:ff 0 
29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -#close 2020-10-14-18-45-20 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 
3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - - - - - unknown_ip_version - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ffff:ffff:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7463:2a72:6929:400:0:6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.65.95 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F 
zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.255.255 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:100:0:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.53.0.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 
0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:bf 0 
3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 32.0.8.99 0 0.0.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.255.255.255 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6928:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 7200:65:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6900:2900:0:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F 
zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 71.97.99.109 0 0.16.0.41 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 
0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::2104:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 143.9.0.0 0 0.98.0.237 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 
3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 
3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6377:6929::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:fd 0 c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:3b 0 
bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff00:bfff 0 3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 
b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:3b00:690a:ff 0 3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 68.80.95.104 0 109.115.117.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.255.255.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::693b:bdff 0 0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:b1 0 
3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.negative-time/weird.log b/testing/btest/Baseline/core.negative-time/weird.log index ccc9a520af..49c7011a3b 100644 --- a/testing/btest/Baseline/core.negative-time/weird.log 
+++ b/testing/btest/Baseline/core.negative-time/weird.log @@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-01-59-25 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1425182592.408334 - - - - - negative_packet_timestamp - F zeek -#close 2019-06-07-01-59-25 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - negative_packet_timestamp - F zeek - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output index 8c738a6546..882692db5e 100644 --- a/testing/btest/Baseline/core.truncation/output +++ b/testing/btest/Baseline/core.truncation/output 
@@ -1,81 +1,82 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334160095.895421 - - - - - truncated_IP - F zeek -#close 2020-10-14-19-20-15 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - truncated_IP - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334156241.519125 - - - - - truncated_IP - F zeek -#close 2020-10-14-19-20-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - truncated_IP - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334094648.590126 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:4f8:4:7:2e0:81ff:fe52:9a6b 0 truncated_IPv6 - F zeek -#close 2020-10-14-19-20-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:4f8:4:7:2e0:81ff:fe52:9a6b 0 
truncated_IPv6 - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-17 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1338328954.078361 - 10.0.0.1 0 192.0.43.10 0 internally_truncated_header - F zeek -1338328954.099743 - 192.0.43.10 0 10.0.0.1 0 internally_truncated_header - F zeek -#close 2020-10-14-19-20-17 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 10.0.0.1 0 192.0.43.10 0 internally_truncated_header - F zeek - +XXXXXXXXXX.XXXXXX - 192.0.43.10 0 10.0.0.1 0 internally_truncated_header - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-18 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1404148886.981015 - - - - - truncated_ethernet_frame - F zeek -#close 2020-10-14-19-20-18 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - truncated_ethernet_frame - F zeek ETHERNET +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-19 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek -#close 2020-10-14-19-20-19 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types 
time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-19 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek -#close 2020-10-14-19-20-19 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek -#close 2020-10-14-19-20-20 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek IP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output index bf3356a6df..86a3a3677e 100644 --- a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output +++ b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output 
@@ -1,20 +1,21 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-03 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F zeek -#close 2019-06-07-02-20-03 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F zeek IPTUNNEL +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-03 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -#close 2019-06-07-02-20-03 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log index cec0f48ddb..d1e4c93415 100644 --- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log 
@@ -1,11 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-07-06-17-36-24 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 Teredo_bubble_with_payload - F zeek -1340127577.346849 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 Teredo_bubble_with_payload - F zeek -#close 2020-07-06-17-36-24 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 Teredo_bubble_with_payload - F zeek TEREDO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 Teredo_bubble_with_payload - F zeek TEREDO +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log b/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log index a64ac860c3..03d7f6491d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log 
@@ -1,11 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-01-15-20-41-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1348168976.514202 CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 base64_illegal_encoding character 32 ignored by Base64 decoding F zeek -1348168976.514202 CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 ftp_adat_bad_first_token_encoding - F zeek -#close 2020-01-15-20-41-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 base64_illegal_encoding character 32 ignored by Base64 decoding F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 ftp_adat_bad_first_token_encoding - F zeek FTP_ADAT +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log index 246fbdc751..c40e200e0a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log 
@@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-04 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1523627611.748118 CHhAvVGS1DHFjwGM9 127.0.0.1 58128 127.0.0.1 80 HTTP_range_not_matching_len - F zeek -#close 2020-04-30-00-47-04 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58128 127.0.0.1 80 HTTP_range_not_matching_len - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log index 5c04b34c37..bdbecc9688 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log 
@@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-07 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1452204358.172926 CHhAvVGS1DHFjwGM9 192.168.122.130 49157 202.7.177.41 80 bad_HTTP_request_with_version - F zeek -#close 2020-04-30-00-47-07 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.122.130 49157 202.7.177.41 80 bad_HTTP_request_with_version - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log index e363aa1cf3..3d9f1e995a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log 
@@ -1,36 +1,37 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1354328874.237327 ClEkJM2Vm5giqnMf4h 128.2.6.136 46563 173.194.75.103 80 missing_HTTP_uri - F zeek -1354328874.278822 C4J4Th3PJpwUYZZ6gc 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F zeek -1354328874.321792 CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F zeek -1354328882.908690 C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F zeek -1354328882.949510 C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F zeek -1354328887.094494 C0LAHyvtKSQHyJxIl 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F zeek -1354328891.141058 CFLRIC3zaTU1loLGxh 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F zeek -1354328891.183942 C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request_with_version - F zeek -1354328891.226199 Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F zeek -1354328891.267625 C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version - F zeek -1354328891.309065 CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -1354328895.355012 C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -1354328895.396634 CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F zeek -1354328895.438812 CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F zeek -1354328895.480865 CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -1354328903.614145 CLNN1k2QMum1aexUK7 128.2.6.136 46584 
173.194.75.103 80 bad_HTTP_request - F zeek -1354328903.656369 CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F zeek -1354328911.832856 Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F zeek -1354328911.876341 CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F zeek -1354328920.052085 CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F zeek -1354328920.094072 CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.266693 CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.308714 CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.476011 CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.518204 CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F zeek -1354328932.734579 CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F zeek -1354328932.776609 CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F zeek -#close 2020-04-30-00-47-11 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.2.6.136 46563 173.194.75.103 80 missing_HTTP_uri - F zeek HTTP +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F zeek HTTP 
+XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request_with_version - F zeek HTTP +XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version - F zeek HTTP +XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 
173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log index a95be12135..6d764d1be6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log @@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-19 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1362692526.939527 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 missing_HTTP_uri - F zeek -#close 2020-04-30-00-47-19 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 missing_HTTP_uri - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log index f2e97c1d1b..85edec0db9 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log 
@@ -1,11 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F zeek -1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F zeek -#close 2020-04-30-00-47-21 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F zeek HTTP +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log index b6298a5dec..b603b26968 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log 
@@ -1,12 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-08-08-04-23-29 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1509735979.080381 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 contentline_size_exceeded - F zeek -1509735979.080381 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_line_size_exceeded - F zeek -1509735981.241042 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_invalid_command - F zeek -#close 2020-08-08-04-23-29 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 contentline_size_exceeded - F zeek CONTENTLINE +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_line_size_exceeded - F zeek IRC +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_invalid_command - F zeek IRC +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log b/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log index 82f82027e9..cfd8f7893e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log 
@@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-08-08-04-25-02 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1536797872.428637 CHhAvVGS1DHFjwGM9 127.0.0.1 65389 127.0.0.1 6666 irc_invalid_names_line - F zeek -#close 2020-08-08-04-25-02 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 65389 127.0.0.1 6666 irc_invalid_names_line - F zeek IRC +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc index f8bc8be53f..5ecb526505 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc @@ -1,6 +1,7 @@ #include "LLCDemo.h" -#include "Event.h" -#include "Val.h" +#include "zeek/Event.h" +#include "zeek/Val.h" +#include "zeek/Sessions.h" #include "events.bif.h" using namespace zeek::packet_analysis::PacketDemo; @@ -15,7 +16,7 @@ bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // Rudimentary parsing of 802.2 LLC if ( 17 >= len ) { - packet->Weird("truncated_llc_header"); + sessions->Weird("truncated_llc_header", packet); return false; } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h index a649970e85..f71e973c80 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h 
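Review bot: The rewritten call `sessions->Weird("truncated_llc_header", packet);` in LLCDemo.cc passes no source, so this weird will presumably be logged with the new `source` column unset, even though the field this commit adds to `Weird::Info` is documented as the name of the reporting analyzer. The same applies to `sessions->Weird("truncated_raw_layer", packet);` in RawLayer.cc. Truncated-header weirds are the ones an analyst most needs to attribute to a specific parser, and a demo plugin is what third-party analyzers will copy. If `Weird` accepts `addl` and `source` after the packet (its declaration is not visible in this part of the diff), pass the analyzer's registered name, e.g. `sessions->Weird("truncated_llc_header", packet, "", "<analyzer name>");`. Both `AnalyzePacket` bodies continue outside their hunks.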
@@ -1,7 +1,7 @@ #pragma once -#include -#include +#include "zeek/packet_analysis/Analyzer.h" +#include "zeek/packet_analysis/Component.h" namespace zeek::packet_analysis::PacketDemo { diff --git a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc index a1bb9af237..d1c3e348d0 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc @@ -1,6 +1,8 @@ #include "RawLayer.h" -#include "Event.h" -#include "Val.h" +#include "zeek/Event.h" +#include "zeek/Val.h" +#include "zeek/Sessions.h" + #include "events.bif.h" using namespace zeek::packet_analysis::PacketDemo; @@ -15,7 +17,7 @@ bool RawLayer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) constexpr auto layer_size = 21; if ( layer_size >= len ) { - packet->Weird("truncated_raw_layer"); + sessions->Weird("truncated_raw_layer", packet); return false; } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h index bf47e933ab..fce732d347 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h @@ -1,7 +1,7 @@ #pragma once -#include -#include +#include "zeek/packet_analysis/Analyzer.h" +#include "zeek/packet_analysis/Component.h" namespace zeek::packet_analysis::PacketDemo { diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index c7c8fe63b4..89bdec14fe 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -96a87207c28441da667353eda00fe2266fa4f4cf +7c770801300b4999bb49f1e5ee38f3f26b918aec diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index acea080ffa..8f6625d647 100644 
--- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -4e8c53c07ff70e693c7366bf05680744ca3110c4 +02c6be7f8c98d7dd42469f266f78f9f9b5df3111