Enable GridFTP detection by default. Track/log SSL client certs.

In the *service* field of connection records, GridFTP control channels are labeled as "gridftp" and data channels as "gridftp-data". Added *client_subject* and *client_issuer_subject* as &log'd fields to SSL::Info record. Also added *client_cert* and *client_cert_chain* fields to track client cert chain.
2025-10-05 08:08:19 +00:00 · 2012-10-08 11:38:29 -05:00 · 2012-10-08 11:38:29 -05:00 · e34f6d9e3b
commit e34f6d9e3b
parent d0b249a731
15 changed files with 238 additions and 132 deletions
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@ -69,6 +69,7 @@ rest_target(${psd} base/protocols/conn/polling.bro)
 rest_target(${psd} base/protocols/dns/consts.bro)
 rest_target(${psd} base/protocols/dns/main.bro)
 rest_target(${psd} base/protocols/ftp/file-extract.bro)
 rest_target(${psd} base/protocols/ftp/gridftp.bro)
 rest_target(${psd} base/protocols/ftp/main.bro)
 rest_target(${psd} base/protocols/ftp/utils-commands.bro)
 rest_target(${psd} base/protocols/http/file-extract.bro)
@ -123,7 +124,6 @@ rest_target(${psd} policy/protocols/conn/weirds.bro)
 rest_target(${psd} policy/protocols/dns/auth-addl.bro)
 rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
 rest_target(${psd} policy/protocols/ftp/detect.bro)
 rest_target(${psd} policy/protocols/ftp/gridftp-data-detection.bro)
 rest_target(${psd} policy/protocols/ftp/software.bro)
 rest_target(${psd} policy/protocols/http/detect-MHR.bro)
 rest_target(${psd} policy/protocols/http/detect-intel.bro)
--- a/scripts/base/protocols/ftp/load.bro
+++ b/scripts/base/protocols/ftp/load.bro
@ -1,3 +1,4 @@
@load ./utils-commands
@load ./main
-@load ./file-extract
+@load ./file-extract
@load ./gridftp
--- a/scripts/base/protocols/ftp/gridftp.bro
+++ b/scripts/base/protocols/ftp/gridftp.bro
@ -0,0 +1,106 @@
 ##! A detection script for GridFTP data and control channels.
 ##!
 ##! GridFTP control channels are identified by FTP control channels
 ##! that successfully negotiate the GSSAPI method of an AUTH request
 ##! and for which the exchange involved an encoded TLS/SSL handshake,
 ##! indicating the GSI mechanism for GSSAPI was used.  This analysis
 ##! is all supported internally, this script simple adds the "gridftp"
 ##! label to the *service* field of the control channel's
 ##! :bro:type:`connection` record.
 ##!
 ##! GridFTP data channels are identified by a heuristic that relies on
 ##! the fact that default settings for GridFTP clients typically
 ##! mutally authenticate the data channel with TLS/SSL and negotiate a
 ##! NULL bulk cipher (no encryption).  Connections with those
 ##! attributes are then polled for two minutes with decreasing frequency
 ##! to check if the transfer sizes are large enough to indicate a
 ##! GridFTP ata channel that would be undesireable to analyze further
 ##! (e.g. stop TCP reassembly).  A side effect is that true connection
 ##! sizes are not logged, but at the benefit of saving CPU cycles that
 ##! otherwise go to analyzing the large (and likely benign) connections.
@load ./main
@load base/protocols/conn
@load base/protocols/ssl
@load base/frameworks/notice
 module GridFTP;
 export {
 	## Number of bytes transferred before guessing a connection is a
 	## GridFTP data channel.
 	const size_threshold = 1073741824 &redef;
 	## Max number of times to check whether a connection's size exceeds the
 	## :bro:see:`GridFTP::size_threshold`.
 	const max_poll_count = 15 &redef;
 	## Whether to skip further processing of the GridFTP data channel once
 	## detected, which may help performance.
 	const skip_data = T &redef;
 	## Base amount of time between checking whether a GridFTP data connection
 	## has transferred more than :bro:see:`GridFTP::size_threshold` bytes.
 	const poll_interval = 1sec &redef;
 	## The amount of time the base :bro:see:`GridFTP::poll_interval` is
 	## increased by each poll interval.  Can be used to make more frequent
 	## checks at the start of a connection and gradually slow down.
 	const poll_interval_increase = 1sec &redef;
 	## Raised when a GridFTP data channel is detected.
 	##
 	## c: The connection pertaining to the GridFTP data channel.
 	global data_channel_detected: event(c: connection);
 	## The initial criteria used to determine whether to start polling
 	## the connection for the :bro:see:`GridFTP::size_threshold` to have
 	## been exceeded.  This is called in a :bro:see:`ssl_established` event
 	## handler and by default looks for both a client and server certificate
 	## and for a NULL bulk cipher.  One way in which this function could be
 	## redefined is to make it also consider client/server certificate issuer
 	## subjects.
 	##
 	## c: The connection which may possibly be a GridFTP data channel.
 	##
 	## Returns: true if the connection should be further polled for an
 	##          exceeded :bro:see:`GridFTP::size_threshold`, else false.
 	const data_channel_initial_criteria: function(c: connection): bool &redef;
 }
 function size_callback(c: connection, cnt: count): interval
 	{
 	if ( c$orig$size > size_threshold || c$resp$size > size_threshold )
 		{
 		add c$service["gridftp-data"];
 		event GridFTP::data_channel_detected(c);
 		if ( skip_data )
 			skip_further_processing(c$id);
 		return -1sec;
 		}
 	if ( cnt >= max_poll_count ) return -1sec;
 	return poll_interval + poll_interval_increase * cnt;
 	}
 event ssl_established(c: connection) &priority=5
 	{
 	# Add service label to control channels.
 	if ( "FTP" in c$service )
 		add c$service["gridftp"];
 	}
 function data_channel_initial_criteria(c: connection): bool
 	{
 	return ( c?$ssl && c$ssl?$client_subject && c$ssl?$subject &&
 	         c$ssl?$cipher && /WITH_NULL/ in c$ssl$cipher );
 	}
 event ssl_established(c: connection) &priority=-3
 	{
 	# By default GridFTP data channels do mutual authentication and
 	# negotiate a cipher suite with a NULL bulk cipher.
 	if ( data_channel_initial_criteria(c) )
 		ConnPolling::watch(c, size_callback, 0, 0secs);
 	}
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@ -30,17 +30,28 @@ export {
 		issuer_subject:   string           &log &optional;
 		## NotValidBefore field value from the server certificate.
 		not_valid_before: time             &log &optional;
-		## NotValidAfter field value from the serve certificate.
+		## NotValidAfter field value from the server certificate.
 		not_valid_after:  time             &log &optional;
 		## Last alert that was seen during the connection.
 		last_alert:       string           &log &optional;
-		
+
 		## Subject of the X.509 certificate offered by the client.
 		client_subject:          string           &log &optional;
 		## Subject of the signer of the X.509 certificate offered by the client.
 		client_issuer_subject:   string           &log &optional;
 		## Full binary server certificate stored in DER format.
 		cert:             string           &optional;
-		## Chain of certificates offered by the server to validate its 
+		## Chain of certificates offered by the server to validate its
 		## complete signing chain.
 		cert_chain:       vector of string &optional;
 		## Full binary client certificate stored in DER format.
 		client_cert:             string           &optional;
 		## Chain of certificates offered by the client to validate its 
 		## complete signing chain.
 		client_cert_chain:       vector of string &optional;
 		## The analyzer ID used for the analyzer instance attached
 		## to each connection.  It is not used for logging since it's a
 		## meaningless arbitrary number.
@ -107,7 +118,8 @@ redef likely_server_ports += {
 function set_session(c: connection)
 	{
 	if ( ! c?$ssl )
-		c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id, $cert_chain=vector()];
+		c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id, $cert_chain=vector(),
 		         $client_cert_chain=vector()];
 	}
 function finish(c: connection)
@ -141,23 +153,40 @@ event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: coun
 	# We aren't doing anything with client certificates yet.
 	if ( is_orig )
 		return;
 	if ( chain_idx == 0 )
 		{
-		# Save the primary cert.
+		if ( chain_idx == 0 )
-		c$ssl$cert = der_cert;
+			{
 			# Save the primary cert.
 			c$ssl$client_cert = der_cert;
-		# Also save other certificate information about the primary cert.
+			# Also save other certificate information about the primary cert.
-		c$ssl$subject = cert$subject;
+			c$ssl$client_subject = cert$subject;
-		c$ssl$issuer_subject = cert$issuer;
+			c$ssl$client_issuer_subject = cert$issuer;
-		c$ssl$not_valid_before = cert$not_valid_before;
+			}
-		c$ssl$not_valid_after = cert$not_valid_after;
+		else
 			{
 			# Otherwise, add it to the cert validation chain.
 			c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = der_cert;
 			}
 		}
 	else
 		{
-		# Otherwise, add it to the cert validation chain.
+		if ( chain_idx == 0 )
-		c$ssl$cert_chain[|c$ssl$cert_chain|] = der_cert;
+			{
 			# Save the primary cert.
 			c$ssl$cert = der_cert;
 			# Also save other certificate information about the primary cert.
 			c$ssl$subject = cert$subject;
 			c$ssl$issuer_subject = cert$issuer;
 			c$ssl$not_valid_before = cert$not_valid_before;
 			c$ssl$not_valid_after = cert$not_valid_after;
 			}
 		else
 			{
 			# Otherwise, add it to the cert validation chain.
 			c$ssl$cert_chain[|c$ssl$cert_chain|] = der_cert;
 			}
 		}
 	}
--- a/scripts/policy/protocols/ftp/gridftp-data-detection.bro
+++ b/scripts/policy/protocols/ftp/gridftp-data-detection.bro
@ -1,83 +0,0 @@
 ##! A detection script for GridFTP data channels.  The heuristic used to
 ##! identify a GridFTP data channel relies on the fact that default
 ##! setting for GridFTP clients typically mutually authenticate the data
 ##! channel with SSL and negotiate a NULL bulk cipher (no encryption).
 ##! Connections with those attributes are then polled for two minutes
 ##! with decreasing frequency to check if the transfer sizes are large
 ##! enough to indicate a GridFTP data channel that would be undesireable
 ##! to analyze further (e.g. TCP reassembly no longer occurs).  A side
 ##! effect is that true connection sizes are not logged, but at the
 ##! benefit of saving CPU cycles that otherwise go to analyzing such
 ##! large (and hopefully benign) connections.
@load base/protocols/conn
@load base/protocols/ssl
@load base/frameworks/notice
 module GridFTP;
 export {
 	## Number of bytes transferred before guessing a connection is a 
 	## GridFTP data channel.
 	const size_threshold = 1073741824 &redef;
 	## Max number of times to check whether a connection's size exceeds the
 	## :bro:see:`GridFTP::size_threshold`.
 	const max_poll_count = 15 &redef;
 	## Whether to skip further processing of the GridFTP data channel once
 	## detected, which may help performance.
 	const skip_data = T &redef;
 	## Base amount of time between checking whether a GridFTP connection
 	## has transferred more than :bro:see:`GridFTP::size_threshold` bytes.
 	const poll_interval = 1sec &redef;
 	## The amount of time the base :bro:see:`GridFTP::poll_interval` is
 	## increased by each poll interval.  Can be used to make more frequent
 	## checks at the start of a connection and gradually slow down.
 	const poll_interval_increase = 1sec &redef;
 }
 redef enum Notice::Type += {
 	Data_Channel
 };
 redef record SSL::Info += {
 	## Indicates a client certificate was sent in the SSL handshake.
 	saw_client_cert: bool &optional;
 };
 event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string)
 	{
 	if ( is_orig && c?$ssl )
 		c$ssl$saw_client_cert = T;
 	}
 function size_callback(c: connection, cnt: count): interval
 	{
 	if ( c$orig$size > size_threshold || c$resp$size > size_threshold )
 		{
 		local msg = fmt("GridFTP data channel over threshold %d bytes",
 		                size_threshold);
 		NOTICE([$note=Data_Channel, $msg=msg, $conn=c]);
 		if ( skip_data )
 			skip_further_processing(c$id);
 		return -1sec;
 		}
 	if ( cnt >= max_poll_count ) return -1sec;
 	return poll_interval + poll_interval_increase * cnt;
 	}
 event ssl_established(c: connection)
 	{
 	# By default GridFTP data channels do mutual authentication and
 	# negotiate a cipher suite with a NULL bulk cipher.
 	if ( c?$ssl && c$ssl?$saw_client_cert && c$ssl?$subject &&
 	     c$ssl?$cipher && /WITH_NULL/ in c$ssl$cipher )
 		{
 		ConnPolling::watch(c, size_callback, 0, 0secs);
 		}
 	}
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@ -34,7 +34,6 @@
@load protocols/dns/auth-addl.bro
@load protocols/dns/detect-external-names.bro
@load protocols/ftp/detect.bro
@load protocols/ftp/gridftp-data-detection.bro
@load protocols/ftp/software.bro
@load protocols/http/detect-intel.bro
@load protocols/http/detect-MHR.bro
--- a/testing/btest/Baseline/core.print-bpf-filters/output
+++ b/testing/btest/Baseline/core.print-bpf-filters/output
@ -3,38 +3,38 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2012-07-27-19-14-29
+#open	2012-10-08-16-16-08
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1343416469.508262	-	ip or not ip	T	T
+1349712968.812610	-	ip or not ip	T	T
-#close	2012-07-27-19-14-29
+#close	2012-10-08-16-16-08
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2012-07-27-19-14-29
+#open	2012-10-08-16-16-09
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1343416469.888870	-	(((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (tcp port 1080)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21 and port 2811)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)	T	T
+1349712969.042094	-	(((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (tcp port 1080)) or (udp and port 5355)) or (tcp port 995)) or (tcp port 22)) or (port 21 and port 2811)) or (tcp port 25 or tcp port 587)) or (tcp port 614)) or (tcp port 990)) or (port 6667)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)	T	T
-#close	2012-07-27-19-14-29
+#close	2012-10-08-16-16-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2012-07-27-19-14-30
+#open	2012-10-08-16-16-09
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1343416470.252918	-	port 42	T	T
+1349712969.270826	-	port 42	T	T
-#close	2012-07-27-19-14-30
+#close	2012-10-08-16-16-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2012-07-27-19-14-30
+#open	2012-10-08-16-16-09
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1343416470.614962	-	port 56730	T	T
+1349712969.499878	-	port 56730	T	T
-#close	2012-07-27-19-14-30
+#close	2012-10-08-16-16-09
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -85,6 +85,11 @@ scripts/base/init-default.bro
    scripts/base/protocols/ftp/./utils-commands.bro
    scripts/base/protocols/ftp/./main.bro
    scripts/base/protocols/ftp/./file-extract.bro
    scripts/base/protocols/ftp/./gridftp.bro
      scripts/base/protocols/ssl/__load__.bro
        scripts/base/protocols/ssl/./consts.bro
        scripts/base/protocols/ssl/./main.bro
        scripts/base/protocols/ssl/./mozilla-ca-list.bro
  scripts/base/protocols/http/__load__.bro
    scripts/base/protocols/http/./main.bro
    scripts/base/protocols/http/./utils.bro
@ -103,10 +108,6 @@ scripts/base/init-default.bro
    scripts/base/protocols/socks/./main.bro
  scripts/base/protocols/ssh/__load__.bro
    scripts/base/protocols/ssh/./main.bro
  scripts/base/protocols/ssl/__load__.bro
    scripts/base/protocols/ssl/./consts.bro
    scripts/base/protocols/ssl/./main.bro
    scripts/base/protocols/ssl/./mozilla-ca-list.bro
  scripts/base/protocols/syslog/__load__.bro
    scripts/base/protocols/syslog/./consts.bro
    scripts/base/protocols/syslog/./main.bro
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log
@ -0,0 +1,11 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	conn
 #open	2012-10-05-21-45-15
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
 1348168976.274919	UWkUyAuUGXf	192.168.57.103	60108	192.168.57.101	2811	tcp	ssl,ftp,gridftp	0.294743	4491	6659	SF	-	0	ShAdDaFf	22	5643	21	7759	(empty)
 1348168976.546371	arKYeMETxOg	192.168.57.103	35391	192.168.57.101	55968	tcp	ssl,gridftp-data	0.011938	2135	3196	S1	-	0	ShADad	8	2559	6	3516	(empty)
 #close	2012-10-05-21-45-15
--- a/testing/btest/Baseline/scripts.policy.protocols.ftp.gridftp-data-dection/notice.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ftp.gridftp-data-dection/notice.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2012-10-01-17-11-05
+#open	2012-10-05-21-45-15
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
 #types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double	addr	string	subnet
 1348168976.558309	arKYeMETxOg	192.168.57.103	35391	192.168.57.101	55968	tcp	GridFTP::Data_Channel	GridFTP data channel over threshold 2 bytes	-	192.168.57.103	192.168.57.101	55968	-	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	-	-	-
-#close	2012-10-01-17-11-05
+#close	2012-10-05-21-45-15
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
@ -0,0 +1,11 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
 #open	2012-10-05-21-45-15
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string
 1348168976.508038	UWkUyAuUGXf	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161979.000000	1379697979.000000	-	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
 1348168976.551422	arKYeMETxOg	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348168676.000000	1348206441.000000	-	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
 #close	2012-10-05-21-45-15
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2012-04-27-14-53-12
+#open	2012-10-08-16-18-56
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string
-1335538392.319381	UWkUyAuUGXf	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	ssl.gstatic.com	-	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	1334102677.000000	1365639277.000000	-
+1335538392.319381	UWkUyAuUGXf	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	ssl.gstatic.com	-	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	1334102677.000000	1365639277.000000	-	-	-
-#close	2012-04-27-14-53-16
+#close	2012-10-08-16-18-56
--- a/testing/btest/scripts/base/protocols/ftp/gridftp.test
+++ b/testing/btest/scripts/base/protocols/ftp/gridftp.test
@ -0,0 +1,21 @@
 # @TEST-EXEC: bro -r $TRACES/globus-url-copy.trace %INPUT
 # @TEST-EXEC: btest-diff notice.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ssl.log
@load base/protocols/ftp/gridftp
 module GridFTP;
 redef size_threshold = 2;
 redef enum Notice::Type += {
    Data_Channel
 };
 event GridFTP::data_channel_detected(c: connection)
 	{
 	local msg = fmt("GridFTP data channel over threshold %d bytes",
 	                size_threshold);
 	NOTICE([$note=Data_Channel, $msg=msg, $conn=c]);
 	}
--- a/testing/btest/scripts/policy/protocols/ftp/gridftp-data-dection.test
+++ b/testing/btest/scripts/policy/protocols/ftp/gridftp-data-dection.test
@ -1,6 +0,0 @@
 # @TEST-EXEC: bro -r $TRACES/globus-url-copy.trace %INPUT
 # @TEST-EXEC: btest-diff notice.log
@load protocols/ftp/gridftp-data-detection
 redef GridFTP::size_threshold = 2;
--- a/testing/scripts/diff-remove-x509-names
+++ b/testing/scripts/diff-remove-x509-names
@ -3,7 +3,7 @@
 # A diff canonifier that removes all X.509 Distinguished Name subject fields
 # because that output can differ depending on installed OpenSSL version.
-BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1 }
+BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1; cs_col = -1; ci_col = -1 }
 /^#fields/ {
    for ( i = 2; i < NF; ++i )
@ -12,6 +12,10 @@ BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1 }
            s_col = i-1;
        if ( $i == "issuer_subject" )
            i_col = i-1;
        if ( $i == "client_subject" )
            cs_col = i-1;
        if ( $i == "client_issuer_subject" )
            ci_col = i-1;
        }
 }
@ -27,6 +31,18 @@ i_col >= 0 {
        $i_col = "+";
 }
 cs_col >= 0 {
    if ( $cs_col != "-" )
        # Mark that it's set, but ignore content.
        $cs_col = "+";
 }
 ci_col >= 0 {
    if ( $ci_col != "-" )
        # Mark that it's set, but ignore content.
        $ci_col = "+";
 }
 {
    print;
 }