mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 15:48:19 +00:00
Add IPv6 support to signature header conditions.
- "src-ip" and "dst-ip" conditions can now use IPv6 addresses/subnets. They must be written in colon-hexadecimal representation and enclosed in square brackets (e.g. [fe80::1]). Addresses #774. - "icmp6" is now a valid protocol for use with "ip-proto" and "header" conditions. This allows signatures to be written that can match against ICMPv6 payloads. Addresses #880. - "ip6" is now a valid protocol for use with the "header" condition. (also the "ip-proto" condition, but it results in a no-op in that case since signatures apply only to the inner-most IP packet when packets are tunneled). This allows signatures to match specifically against IPv6 packets (whereas "ip" only matches against IPv4 packets). - "ip-proto" conditions can now match against IPv6 packets. Before, IPv6 packets were just silently ignored which meant DPD based on signatures did not function for IPv6 -- protocol analyzers would only get attached to a connection over IPv6 based on the well-known ports set in the "dpd_config" table.
This commit is contained in:
Jon Siwek
parent
2915e04db4
commit
e835a55229
132 changed files with 1731 additions and 124 deletions
|
|
@ -83,9 +83,8 @@ Header Conditions
|
|||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
Header conditions limit the applicability of the signature to a subset
|
||||
of traffic that contains matching packet headers. For TCP, this match
|
||||
is performed only for the first packet of a connection. For other
|
||||
protocols, it is done on each individual packet.
|
||||
of traffic that contains matching packet headers. This type of matching
|
||||
is performed only for the first packet of a connection.
|
||||
|
||||
There are pre-defined header conditions for some of the most used
|
||||
header fields. All of them generally have the format ``<keyword> <cmp>
|
||||
|
|
@ -95,14 +94,22 @@ one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``; and
|
|||
against. The following keywords are defined:
|
||||
|
||||
``src-ip``/``dst-ip <cmp> <address-list>``
|
||||
Source and destination address, respectively. Addresses can be
|
||||
given as IP addresses or CIDR masks.
|
||||
Source and destination address, respectively. Addresses can be given
|
||||
as IPv4 or IPv6 addresses or CIDR masks. For IPv6 addresses/masks
|
||||
the colon-hexadecimal representation of the address must be enclosed
|
||||
in square brackets (e.g. ``[fe80::1]`` or ``[fe80::0]/16``).
|
||||
|
||||
``src-port``/``dst-port`` ``<int-list>``
|
||||
``src-port``/``dst-port <cmp> <int-list>``
|
||||
Source and destination port, respectively.
|
||||
|
||||
``ip-proto tcp|udp|icmp``
|
||||
IP protocol.
|
||||
``ip-proto <cmp> tcp|udp|icmp|icmp6|ip|ip6``
|
||||
IPv4 header's Protocol field or the Next Header field of the final
|
||||
IPv6 header (i.e. either Next Header field in the fixed IPv6 header
|
||||
if no extension headers are present or that field from the last
|
||||
extension header in the chain). Note that the IP-in-IP forms of
|
||||
tunneling are automatically decapsulated by default and signatures
|
||||
apply to only the inner-most packet, so specifying ``ip`` or ``ip6``
|
||||
is a no-op.
|
||||
|
||||
For lists of multiple values, they are sequentially compared against
|
||||
the corresponding header field. If at least one of the comparisons
|
||||
|
|
@ -116,20 +123,22 @@ condition can be defined either as
|
|||
|
||||
header <proto>[<offset>:<size>] [& <integer>] <cmp> <value-list>
|
||||
|
||||
This compares the value found at the given position of the packet
|
||||
header with a list of values. ``offset`` defines the position of the
|
||||
value within the header of the protocol defined by ``proto`` (which
|
||||
can be ``ip``, ``tcp``, ``udp`` or ``icmp``). ``size`` is either 1, 2,
|
||||
or 4 and specifies the value to have a size of this many bytes. If the
|
||||
optional ``& <integer>`` is given, the packet's value is first masked
|
||||
with the integer before it is compared to the value-list. ``cmp`` is
|
||||
one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``. ``value-list`` is
|
||||
a list of comma-separated integers similar to those described above.
|
||||
The integers within the list may be followed by an additional ``/
|
||||
mask`` where ``mask`` is a value from 0 to 32. This corresponds to the
|
||||
CIDR notation for netmasks and is translated into a corresponding
|
||||
bitmask applied to the packet's value prior to the comparison (similar
|
||||
to the optional ``& integer``).
|
||||
This compares the value found at the given position of the packet header
|
||||
with a list of values. ``offset`` defines the position of the value
|
||||
within the header of the protocol defined by ``proto`` (which can be
|
||||
``ip``, ``ip6``, ``tcp``, ``udp``, ``icmp`` or ``icmp6``). ``size`` is
|
||||
either 1, 2, or 4 and specifies the value to have a size of this many
|
||||
bytes. If the optional ``& <integer>`` is given, the packet's value is
|
||||
first masked with the integer before it is compared to the value-list.
|
||||
``cmp`` is one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``.
|
||||
``value-list`` is a list of comma-separated integers similar to those
|
||||
described above. The integers within the list may be followed by an
|
||||
additional ``/ mask`` where ``mask`` is a value from 0 to 32. This
|
||||
corresponds to the CIDR notation for netmasks and is translated into a
|
||||
corresponding bitmask applied to the packet's value prior to the
|
||||
comparison (similar to the optional ``& integer``). IPv6 address values
|
||||
are not allowed in the value-list, though you can still inspect any 1,
|
||||
2, or 4 byte section of an IPv6 header using this keyword.
|
||||
|
||||
Putting it all together, this is an example condition that is
|
||||
equivalent to ``dst-ip == 1.2.3.4/16, 5.6.7.8/24``:
|
||||
|
|
@ -138,8 +147,8 @@ equivalent to ``dst-ip == 1.2.3.4/16, 5.6.7.8/24``:
|
|||
|
||||
header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24
|
||||
|
||||
Internally, the predefined header conditions are in fact just
|
||||
short-cuts and mapped into a generic condition.
|
||||
Note that the analogous example for IPv6 isn't currently possible since
|
||||
4 bytes is the max width of a value that can be compared.
|
||||
|
||||
Content Conditions
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
|
|
|||
35
src/IPAddr.h
35
src/IPAddr.h
|
|
@ -342,6 +342,21 @@ public:
|
|||
return memcmp(&addr1.in6, &addr2.in6, sizeof(in6_addr)) < 0;
|
||||
}
|
||||
|
||||
friend bool operator<=(const IPAddr& addr1, const IPAddr& addr2)
|
||||
{
|
||||
return addr1 < addr2 || addr1 == addr2;
|
||||
}
|
||||
|
||||
friend bool operator>=(const IPAddr& addr1, const IPAddr& addr2)
|
||||
{
|
||||
return ! ( addr1 < addr2 );
|
||||
}
|
||||
|
||||
friend bool operator>(const IPAddr& addr1, const IPAddr& addr2)
|
||||
{
|
||||
return ! ( addr1 <= addr2 );
|
||||
}
|
||||
|
||||
/** Converts the address into the type used internally by the
|
||||
* inter-thread communication.
|
||||
*/
|
||||
|
|
@ -583,6 +598,11 @@ public:
|
|||
return net1.Prefix() == net2.Prefix() && net1.Length() == net2.Length();
|
||||
}
|
||||
|
||||
friend bool operator!=(const IPPrefix& net1, const IPPrefix& net2)
|
||||
{
|
||||
return ! (net1 == net2);
|
||||
}
|
||||
|
||||
/**
|
||||
* Comparison operator IP prefixes. This defines a well-defined order for
|
||||
* IP prefix. However, the order does not necessarily corresponding to their
|
||||
|
|
@ -600,6 +620,21 @@ public:
|
|||
return false;
|
||||
}
|
||||
|
||||
friend bool operator<=(const IPPrefix& net1, const IPPrefix& net2)
|
||||
{
|
||||
return net1 < net2 || net1 == net2;
|
||||
}
|
||||
|
||||
friend bool operator>=(const IPPrefix& net1, const IPPrefix& net2)
|
||||
{
|
||||
return ! (net1 < net2 );
|
||||
}
|
||||
|
||||
friend bool operator>(const IPPrefix& net1, const IPPrefix& net2)
|
||||
{
|
||||
return ! ( net1 <= net2 );
|
||||
}
|
||||
|
||||
private:
|
||||
IPAddr prefix; // We store it as an address with the non-prefix bits masked out via Mask().
|
||||
uint8_t length; // The bit length of the prefix relative to full IPv6 addr.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
#include <algorithm>
|
||||
#include <functional>
|
||||
|
||||
#include "config.h"
|
||||
|
||||
|
|
@ -41,6 +42,23 @@ RuleHdrTest::RuleHdrTest(Prot arg_prot, uint32 arg_offset, uint32 arg_size,
|
|||
level = 0;
|
||||
}
|
||||
|
||||
RuleHdrTest::RuleHdrTest(Prot arg_prot, Comp arg_comp, vector<IPPrefix> arg_v)
|
||||
{
|
||||
prot = arg_prot;
|
||||
offset = 0;
|
||||
size = 0;
|
||||
comp = arg_comp;
|
||||
vals = new maskedvalue_list;
|
||||
prefix_vals = arg_v;
|
||||
sibling = 0;
|
||||
child = 0;
|
||||
pattern_rules = 0;
|
||||
pure_rules = 0;
|
||||
ruleset = new IntSet;
|
||||
id = ++idcounter;
|
||||
level = 0;
|
||||
}
|
||||
|
||||
Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
|
||||
const RuleEndpointState* state) const
|
||||
{
|
||||
|
|
@ -63,6 +81,8 @@ RuleHdrTest::RuleHdrTest(RuleHdrTest& h)
|
|||
loop_over_list(*h.vals, i)
|
||||
vals->append(new MaskedValue(*(*h.vals)[i]));
|
||||
|
||||
prefix_vals = h.prefix_vals;
|
||||
|
||||
for ( int j = 0; j < Rule::TYPES; ++j )
|
||||
{
|
||||
loop_over_list(h.psets[j], k)
|
||||
|
|
@ -114,6 +134,10 @@ bool RuleHdrTest::operator==(const RuleHdrTest& h)
|
|||
(*vals)[i]->mask != (*h.vals)[i]->mask )
|
||||
return false;
|
||||
|
||||
for ( size_t i = 0; i < prefix_vals.size(); ++i )
|
||||
if ( ! (prefix_vals[i] == h.prefix_vals[i]) )
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
@ -129,6 +153,9 @@ void RuleHdrTest::PrintDebug()
|
|||
fprintf(stderr, " 0x%08x/0x%08x",
|
||||
(*vals)[i]->val, (*vals)[i]->mask);
|
||||
|
||||
for ( size_t i = 0; i < prefix_vals.size(); ++i )
|
||||
fprintf(stderr, " %s", prefix_vals[i].AsString().c_str());
|
||||
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
|
||||
|
|
@ -410,29 +437,129 @@ static inline uint32 getval(const u_char* data, int size)
|
|||
}
|
||||
|
||||
|
||||
// A line which can be inserted into the macros below for debugging
|
||||
// fprintf(stderr, "%.06f %08x & %08x %s %08x\n", network_time, v, (mvals)[i]->mask, #op, (mvals)[i]->val);
|
||||
|
||||
// Evaluate a value list (matches if at least one value matches).
|
||||
#define DO_MATCH_OR( mvals, v, op ) \
|
||||
{ \
|
||||
loop_over_list((mvals), i) \
|
||||
{ \
|
||||
if ( ((v) & (mvals)[i]->mask) op (mvals)[i]->val ) \
|
||||
goto match; \
|
||||
} \
|
||||
goto no_match; \
|
||||
template <typename FuncT>
|
||||
static inline bool match_or(const maskedvalue_list& mvals, uint32 v, FuncT comp)
|
||||
{
|
||||
loop_over_list(mvals, i)
|
||||
{
|
||||
if ( comp(v & mvals[i]->mask, mvals[i]->val) )
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
// Evaluate a prefix list (matches if at least one value matches).
|
||||
template <typename FuncT>
|
||||
static inline bool match_or(const vector<IPPrefix>& prefixes, const IPAddr& a,
|
||||
FuncT comp)
|
||||
{
|
||||
for ( size_t i = 0; i < prefixes.size(); ++i )
|
||||
{
|
||||
IPAddr masked(a);
|
||||
masked.Mask(prefixes[i].LengthIPv6());
|
||||
if ( comp(masked, prefixes[i].Prefix()) )
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
// Evaluate a value list (doesn't match if any value matches).
|
||||
#define DO_MATCH_NOT_AND( mvals, v, op ) \
|
||||
{ \
|
||||
loop_over_list((mvals), i) \
|
||||
{ \
|
||||
if ( ((v) & (mvals)[i]->mask) op (mvals)[i]->val ) \
|
||||
goto no_match; \
|
||||
} \
|
||||
goto match; \
|
||||
template <typename FuncT>
|
||||
static inline bool match_not_and(const maskedvalue_list& mvals, uint32 v,
|
||||
FuncT comp)
|
||||
{
|
||||
loop_over_list(mvals, i)
|
||||
{
|
||||
if ( comp(v & mvals[i]->mask, mvals[i]->val) )
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
// Evaluate a prefix list (doesn't match if any value matches).
|
||||
template <typename FuncT>
|
||||
static inline bool match_not_and(const vector<IPPrefix>& prefixes,
|
||||
const IPAddr& a, FuncT comp)
|
||||
{
|
||||
for ( size_t i = 0; i < prefixes.size(); ++i )
|
||||
{
|
||||
IPAddr masked(a);
|
||||
masked.Mask(prefixes[i].LengthIPv6());
|
||||
if ( comp(masked, prefixes[i].Prefix()) )
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static inline bool compare(const maskedvalue_list& mvals, uint32 v,
|
||||
RuleHdrTest::Comp comp)
|
||||
{
|
||||
switch ( comp ) {
|
||||
case RuleHdrTest::EQ:
|
||||
return match_or(mvals, v, std::equal_to<uint32>());
|
||||
break;
|
||||
|
||||
case RuleHdrTest::NE:
|
||||
return match_not_and(mvals, v, std::equal_to<uint32>());
|
||||
break;
|
||||
|
||||
case RuleHdrTest::LT:
|
||||
return match_or(mvals, v, std::less<uint32>());
|
||||
break;
|
||||
|
||||
case RuleHdrTest::GT:
|
||||
return match_or(mvals, v, std::greater<uint32>());
|
||||
break;
|
||||
|
||||
case RuleHdrTest::LE:
|
||||
return match_or(mvals, v, std::less_equal<uint32>());
|
||||
break;
|
||||
|
||||
case RuleHdrTest::GE:
|
||||
return match_or(mvals, v, std::greater_equal<uint32>());
|
||||
break;
|
||||
|
||||
default:
|
||||
reporter->InternalError("unknown comparison type");
|
||||
break;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
static inline bool compare(const vector<IPPrefix>& prefixes, const IPAddr& a,
|
||||
RuleHdrTest::Comp comp)
|
||||
{
|
||||
switch ( comp ) {
|
||||
case RuleHdrTest::EQ:
|
||||
return match_or(prefixes, a, std::equal_to<IPAddr>());
|
||||
break;
|
||||
|
||||
case RuleHdrTest::NE:
|
||||
return match_not_and(prefixes, a, std::equal_to<IPAddr>());
|
||||
break;
|
||||
|
||||
case RuleHdrTest::LT:
|
||||
return match_or(prefixes, a, std::less<IPAddr>());
|
||||
break;
|
||||
|
||||
case RuleHdrTest::GT:
|
||||
return match_or(prefixes, a, std::greater<IPAddr>());
|
||||
break;
|
||||
|
||||
case RuleHdrTest::LE:
|
||||
return match_or(prefixes, a, std::less_equal<IPAddr>());
|
||||
break;
|
||||
|
||||
case RuleHdrTest::GE:
|
||||
return match_or(prefixes, a, std::greater_equal<IPAddr>());
|
||||
break;
|
||||
|
||||
default:
|
||||
reporter->InternalError("unknown comparison type");
|
||||
break;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer,
|
||||
|
|
@ -492,65 +619,51 @@ RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer,
|
|||
|
||||
if ( ip )
|
||||
{
|
||||
// Get start of transport layer.
|
||||
const u_char* transport = ip->Payload();
|
||||
|
||||
// Descend the RuleHdrTest tree further.
|
||||
for ( RuleHdrTest* h = hdr_test->child; h;
|
||||
h = h->sibling )
|
||||
{
|
||||
const u_char* data;
|
||||
bool match = false;
|
||||
|
||||
// Evaluate the header test.
|
||||
switch ( h->prot ) {
|
||||
case RuleHdrTest::NEXT:
|
||||
match = compare(*h->vals, ip->NextProto(), h->comp);
|
||||
break;
|
||||
|
||||
case RuleHdrTest::IP:
|
||||
data = (const u_char*) ip->IP4_Hdr();
|
||||
if ( ! ip->IP4_Hdr() )
|
||||
continue;
|
||||
match = compare(*h->vals, getval((const u_char*)ip->IP4_Hdr() + h->offset, h->size), h->comp);
|
||||
break;
|
||||
|
||||
case RuleHdrTest::IPv6:
|
||||
if ( ! ip->IP6_Hdr() )
|
||||
continue;
|
||||
match = compare(*h->vals, getval((const u_char*)ip->IP6_Hdr() + h->offset, h->size), h->comp);
|
||||
break;
|
||||
|
||||
case RuleHdrTest::ICMP:
|
||||
case RuleHdrTest::ICMPv6:
|
||||
case RuleHdrTest::TCP:
|
||||
case RuleHdrTest::UDP:
|
||||
data = transport;
|
||||
match = compare(*h->vals, getval(ip->Payload() + h->offset, h->size), h->comp);
|
||||
break;
|
||||
|
||||
case RuleHdrTest::IPSrc:
|
||||
match = compare(h->prefix_vals, ip->IPHeaderSrcAddr(), h->comp);
|
||||
break;
|
||||
|
||||
case RuleHdrTest::IPDst:
|
||||
match = compare(h->prefix_vals, ip->IPHeaderDstAddr(), h->comp);
|
||||
break;
|
||||
|
||||
default:
|
||||
data = 0;
|
||||
reporter->InternalError("unknown protocol");
|
||||
break;
|
||||
}
|
||||
|
||||
// ### data can be nil here if it's an
|
||||
// IPv6 packet and we're doing an IP test.
|
||||
if ( ! data )
|
||||
continue;
|
||||
|
||||
// Sorry for the hidden gotos :-)
|
||||
switch ( h->comp ) {
|
||||
case RuleHdrTest::EQ:
|
||||
DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), ==);
|
||||
|
||||
case RuleHdrTest::NE:
|
||||
DO_MATCH_NOT_AND(*h->vals, getval(data + h->offset, h->size), ==);
|
||||
|
||||
case RuleHdrTest::LT:
|
||||
DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), <);
|
||||
|
||||
case RuleHdrTest::GT:
|
||||
DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), >);
|
||||
|
||||
case RuleHdrTest::LE:
|
||||
DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), <=);
|
||||
|
||||
case RuleHdrTest::GE:
|
||||
DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), >=);
|
||||
|
||||
default:
|
||||
reporter->InternalError("unknown comparision type");
|
||||
}
|
||||
|
||||
no_match:
|
||||
continue;
|
||||
|
||||
match:
|
||||
if ( match )
|
||||
tests.append(h);
|
||||
}
|
||||
}
|
||||
|
|
@ -1050,8 +1163,11 @@ static Val* get_bro_val(const char* label)
|
|||
}
|
||||
|
||||
|
||||
// Converts an atomic Val and appends it to the list
|
||||
static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
|
||||
// Converts an atomic Val and appends it to the list. For subnet types,
|
||||
// if the prefix_vector param isn't null, appending to that is preferred
|
||||
// over appending to the masked val list.
|
||||
static bool val_to_maskedval(Val* v, maskedvalue_list* append_to,
|
||||
vector<IPPrefix>* prefix_vector)
|
||||
{
|
||||
MaskedValue* mval = new MaskedValue;
|
||||
|
||||
|
|
@ -1070,6 +1186,14 @@ static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
|
|||
break;
|
||||
|
||||
case TYPE_SUBNET:
|
||||
{
|
||||
if ( prefix_vector )
|
||||
{
|
||||
prefix_vector->push_back(v->AsSubNet());
|
||||
delete mval;
|
||||
return true;
|
||||
}
|
||||
else
|
||||
{
|
||||
const uint32* n;
|
||||
uint32 m[4];
|
||||
|
|
@ -1082,13 +1206,12 @@ static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
|
|||
bool is_v4_mask = m[0] == 0xffffffff &&
|
||||
m[1] == m[0] && m[2] == m[0];
|
||||
|
||||
if ( v->AsSubNet().Prefix().GetFamily() == IPv4 &&
|
||||
is_v4_mask )
|
||||
|
||||
if ( v->AsSubNet().Prefix().GetFamily() == IPv4 && is_v4_mask )
|
||||
{
|
||||
mval->val = ntohl(*n);
|
||||
mval->mask = m[3];
|
||||
}
|
||||
|
||||
else
|
||||
{
|
||||
rules_error("IPv6 subnets not supported");
|
||||
|
|
@ -1096,6 +1219,7 @@ static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
|
|||
mval->mask = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
|
|
@ -1108,7 +1232,8 @@ static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
|
|||
return true;
|
||||
}
|
||||
|
||||
void id_to_maskedvallist(const char* id, maskedvalue_list* append_to)
|
||||
void id_to_maskedvallist(const char* id, maskedvalue_list* append_to,
|
||||
vector<IPPrefix>* prefix_vector)
|
||||
{
|
||||
Val* v = get_bro_val(id);
|
||||
if ( ! v )
|
||||
|
|
@ -1118,7 +1243,7 @@ void id_to_maskedvallist(const char* id, maskedvalue_list* append_to)
|
|||
{
|
||||
val_list* vals = v->AsTableVal()->ConvertToPureList()->Vals();
|
||||
loop_over_list(*vals, i )
|
||||
if ( ! val_to_maskedval((*vals)[i], append_to) )
|
||||
if ( ! val_to_maskedval((*vals)[i], append_to, prefix_vector) )
|
||||
{
|
||||
delete_vals(vals);
|
||||
return;
|
||||
|
|
@ -1128,7 +1253,7 @@ void id_to_maskedvallist(const char* id, maskedvalue_list* append_to)
|
|||
}
|
||||
|
||||
else
|
||||
val_to_maskedval(v, append_to);
|
||||
val_to_maskedval(v, append_to, prefix_vector);
|
||||
}
|
||||
|
||||
char* id_to_str(const char* id)
|
||||
|
|
|
|||
|
|
@ -2,7 +2,9 @@
|
|||
#define sigs_h
|
||||
|
||||
#include <limits.h>
|
||||
#include <vector>
|
||||
|
||||
#include "IPAddr.h"
|
||||
#include "BroString.h"
|
||||
#include "List.h"
|
||||
#include "RE.h"
|
||||
|
|
@ -59,17 +61,19 @@ declare(PList, BroString);
|
|||
typedef PList(BroString) bstr_list;
|
||||
|
||||
// Get values from Bro's script-level variables.
|
||||
extern void id_to_maskedvallist(const char* id, maskedvalue_list* append_to);
|
||||
extern void id_to_maskedvallist(const char* id, maskedvalue_list* append_to,
|
||||
vector<IPPrefix>* prefix_vector = 0);
|
||||
extern char* id_to_str(const char* id);
|
||||
extern uint32 id_to_uint(const char* id);
|
||||
|
||||
class RuleHdrTest {
|
||||
public:
|
||||
enum Comp { LE, GE, LT, GT, EQ, NE };
|
||||
enum Prot { NOPROT, IP, ICMP, TCP, UDP };
|
||||
enum Prot { NOPROT, IP, IPv6, ICMP, ICMPv6, TCP, UDP, NEXT, IPSrc, IPDst };
|
||||
|
||||
RuleHdrTest(Prot arg_prot, uint32 arg_offset, uint32 arg_size,
|
||||
Comp arg_comp, maskedvalue_list* arg_vals);
|
||||
RuleHdrTest(Prot arg_prot, Comp arg_comp, vector<IPPrefix> arg_v);
|
||||
~RuleHdrTest();
|
||||
|
||||
void PrintDebug();
|
||||
|
|
@ -86,6 +90,7 @@ private:
|
|||
Prot prot;
|
||||
Comp comp;
|
||||
maskedvalue_list* vals;
|
||||
vector<IPPrefix> prefix_vals; // for use with IPSrc/IPDst comparisons
|
||||
uint32 offset;
|
||||
uint32 size;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,13 +1,27 @@
|
|||
%{
|
||||
#include <stdio.h>
|
||||
#include <netinet/in.h>
|
||||
#include <vector>
|
||||
#include "config.h"
|
||||
#include "RuleMatcher.h"
|
||||
#include "Reporter.h"
|
||||
#include "IPAddr.h"
|
||||
#include "net_util.h"
|
||||
|
||||
extern void begin_PS();
|
||||
extern void end_PS();
|
||||
|
||||
Rule* current_rule = 0;
|
||||
const char* current_rule_file = 0;
|
||||
|
||||
static uint8_t mask_to_len(uint32_t mask)
|
||||
{
|
||||
if ( mask == 0xffffffff ) return 32;
|
||||
uint32_t x = ~mask + 1;
|
||||
uint8_t len;
|
||||
for ( len = 0; len < 32 && (! (x & (1<<len))); ++len );
|
||||
return len;
|
||||
}
|
||||
%}
|
||||
|
||||
%token TOK_COMP
|
||||
|
|
@ -21,6 +35,7 @@ const char* current_rule_file = 0;
|
|||
%token TOK_IDENT
|
||||
%token TOK_INT
|
||||
%token TOK_IP
|
||||
%token TOK_IP6
|
||||
%token TOK_IP_OPTIONS
|
||||
%token TOK_IP_OPTION_SYM
|
||||
%token TOK_IP_PROTO
|
||||
|
|
@ -49,7 +64,9 @@ const char* current_rule_file = 0;
|
|||
%type <hdr_test> hdr_expr
|
||||
%type <range> range rangeopt
|
||||
%type <vallist> value_list
|
||||
%type <prefix_val_list> prefix_value_list
|
||||
%type <mval> TOK_IP value
|
||||
%type <prefixval> TOK_IP6 prefix_value
|
||||
%type <prot> TOK_PROT
|
||||
%type <ptype> TOK_PATTERN_TYPE
|
||||
|
||||
|
|
@ -57,6 +74,8 @@ const char* current_rule_file = 0;
|
|||
Rule* rule;
|
||||
RuleHdrTest* hdr_test;
|
||||
maskedvalue_list* vallist;
|
||||
vector<IPPrefix>* prefix_val_list;
|
||||
IPPrefix* prefixval;
|
||||
|
||||
bool bl;
|
||||
int val;
|
||||
|
|
@ -91,11 +110,11 @@ rule_attr_list:
|
|||
;
|
||||
|
||||
rule_attr:
|
||||
TOK_DST_IP TOK_COMP value_list
|
||||
TOK_DST_IP TOK_COMP prefix_value_list
|
||||
{
|
||||
current_rule->AddHdrTest(new RuleHdrTest(
|
||||
RuleHdrTest::IP, 16, 4,
|
||||
(RuleHdrTest::Comp) $2, $3));
|
||||
RuleHdrTest::IPDst,
|
||||
(RuleHdrTest::Comp) $2, *($3)));
|
||||
}
|
||||
|
||||
| TOK_DST_PORT TOK_COMP value_list
|
||||
|
|
@ -123,10 +142,14 @@ rule_attr:
|
|||
{
|
||||
int proto = 0;
|
||||
switch ( $3 ) {
|
||||
case RuleHdrTest::ICMP: proto = 1; break;
|
||||
case RuleHdrTest::ICMP: proto = IPPROTO_ICMP; break;
|
||||
case RuleHdrTest::ICMPv6: proto = IPPROTO_ICMPV6; break;
|
||||
// signature matching against outer packet headers of IP-in-IP
|
||||
// tunneling not supported, so do a no-op there
|
||||
case RuleHdrTest::IP: proto = 0; break;
|
||||
case RuleHdrTest::TCP: proto = 6; break;
|
||||
case RuleHdrTest::UDP: proto = 17; break;
|
||||
case RuleHdrTest::IPv6: proto = 0; break;
|
||||
case RuleHdrTest::TCP: proto = IPPROTO_TCP; break;
|
||||
case RuleHdrTest::UDP: proto = IPPROTO_UDP; break;
|
||||
default:
|
||||
rules_error("internal_error: unknown protocol");
|
||||
}
|
||||
|
|
@ -140,16 +163,20 @@ rule_attr:
|
|||
val->mask = 0xffffffff;
|
||||
vallist->append(val);
|
||||
|
||||
// offset & size params are dummies, actual next proto value in
|
||||
// header is retrieved dynamically via IP_Hdr::NextProto()
|
||||
current_rule->AddHdrTest(new RuleHdrTest(
|
||||
RuleHdrTest::IP, 9, 1,
|
||||
RuleHdrTest::NEXT, 0, 0,
|
||||
(RuleHdrTest::Comp) $2, vallist));
|
||||
}
|
||||
}
|
||||
|
||||
| TOK_IP_PROTO TOK_COMP value_list
|
||||
{
|
||||
// offset & size params are dummies, actual next proto value in
|
||||
// header is retrieved dynamically via IP_Hdr::NextProto()
|
||||
current_rule->AddHdrTest(new RuleHdrTest(
|
||||
RuleHdrTest::IP, 9, 1,
|
||||
RuleHdrTest::NEXT, 0, 0,
|
||||
(RuleHdrTest::Comp) $2, $3));
|
||||
}
|
||||
|
||||
|
|
@ -193,11 +220,11 @@ rule_attr:
|
|||
| TOK_SAME_IP
|
||||
{ current_rule->AddCondition(new RuleConditionSameIP()); }
|
||||
|
||||
| TOK_SRC_IP TOK_COMP value_list
|
||||
| TOK_SRC_IP TOK_COMP prefix_value_list
|
||||
{
|
||||
current_rule->AddHdrTest(new RuleHdrTest(
|
||||
RuleHdrTest::IP, 12, 4,
|
||||
(RuleHdrTest::Comp) $2, $3));
|
||||
RuleHdrTest::IPSrc,
|
||||
(RuleHdrTest::Comp) $2, *($3)));
|
||||
}
|
||||
|
||||
| TOK_SRC_PORT TOK_COMP value_list
|
||||
|
|
@ -254,6 +281,38 @@ value_list:
|
|||
}
|
||||
;
|
||||
|
||||
prefix_value_list:
|
||||
prefix_value_list ',' prefix_value
|
||||
{
|
||||
$$ = $1;
|
||||
$$->push_back(*($3));
|
||||
}
|
||||
| prefix_value_list ',' TOK_IDENT
|
||||
{
|
||||
$$ = $1;
|
||||
id_to_maskedvallist($3, 0, $1);
|
||||
}
|
||||
| prefix_value
|
||||
{
|
||||
$$ = new vector<IPPrefix>();
|
||||
$$->push_back(*($1));
|
||||
}
|
||||
| TOK_IDENT
|
||||
{
|
||||
$$ = new vector<IPPrefix>();
|
||||
id_to_maskedvallist($1, 0, $$);
|
||||
}
|
||||
;
|
||||
|
||||
prefix_value:
|
||||
TOK_IP
|
||||
{
|
||||
$$ = new IPPrefix(IPAddr(IPv4, &($1.val), IPAddr::Host),
|
||||
mask_to_len($1.mask));
|
||||
}
|
||||
| TOK_IP6
|
||||
;
|
||||
|
||||
value:
|
||||
TOK_INT
|
||||
{ $$.val = $1; $$.mask = 0xffffffff; }
|
||||
|
|
|
|||
|
|
@ -1,24 +1,37 @@
|
|||
%{
|
||||
typedef unsigned int uint32;
|
||||
|
||||
#include <string.h>
|
||||
#include <string>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include "RuleMatcher.h"
|
||||
#include "IPAddr.h"
|
||||
#include "util.h"
|
||||
#include "rule-parse.h"
|
||||
|
||||
int rules_line_number = 0;
|
||||
|
||||
static string extract_ipv6(string s)
|
||||
{
|
||||
if ( s.substr(0, 3) == "[0x" )
|
||||
s = s.substr(3, s.find("]") - 3);
|
||||
else
|
||||
s = s.substr(1, s.find("]") - 1);
|
||||
return s;
|
||||
}
|
||||
%}
|
||||
|
||||
%x PS
|
||||
|
||||
OWS [ \t]*
|
||||
WS [ \t]+
|
||||
D [0-9]+
|
||||
H [0-9a-fA-F]+
|
||||
HEX {H}
|
||||
STRING \"([^\n\"]|\\\")*\"
|
||||
ID ([0-9a-zA-Z_-]+::)*[0-9a-zA-Z_-]+
|
||||
IP6 ("["({HEX}:){7}{HEX}"]")|("["0x{HEX}({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*({D}"."){3}{D}"]")
|
||||
RE \/(\\\/)?([^/]|[^\\]\\\/)*\/
|
||||
META \.[^ \t]+{WS}[^\n]+
|
||||
PID ([0-9a-zA-Z_-]|"::")+
|
||||
|
|
@ -34,6 +47,19 @@ PID ([0-9a-zA-Z_-]|"::")+
|
|||
\n ++rules_line_number;
|
||||
}
|
||||
|
||||
{IP6} {
|
||||
rules_lval.prefixval = new IPPrefix(IPAddr(extract_ipv6(yytext)), 128);
|
||||
return TOK_IP6;
|
||||
}
|
||||
|
||||
{IP6}{OWS}"/"{OWS}{D} {
|
||||
char* l = strchr(yytext, '/');
|
||||
*l++ = '\0';
|
||||
int len = atoi(l);
|
||||
rules_lval.prefixval = new IPPrefix(IPAddr(extract_ipv6(yytext)), len);
|
||||
return TOK_IP6;
|
||||
}
|
||||
|
||||
[!\]\[{}&:,] return rules_text[0];
|
||||
|
||||
"<=" { rules_lval.val = RuleHdrTest::LE; return TOK_COMP; }
|
||||
|
|
@ -45,7 +71,9 @@ PID ([0-9a-zA-Z_-]|"::")+
|
|||
"!=" { rules_lval.val = RuleHdrTest::NE; return TOK_COMP; }
|
||||
|
||||
ip { rules_lval.val = RuleHdrTest::IP; return TOK_PROT; }
|
||||
ip6 { rules_lval.val = RuleHdrTest::IPv6; return TOK_PROT; }
|
||||
icmp { rules_lval.val = RuleHdrTest::ICMP; return TOK_PROT; }
|
||||
icmp6 { rules_lval.val = RuleHdrTest::ICMPv6; return TOK_PROT; }
|
||||
tcp { rules_lval.val = RuleHdrTest::TCP; return TOK_PROT; }
|
||||
udp { rules_lval.val = RuleHdrTest::UDP; return TOK_PROT; }
|
||||
|
||||
|
|
@ -123,7 +151,7 @@ http { rules_lval.val = Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
|
|||
ftp { rules_lval.val = Rule::FTP; return TOK_PATTERN_TYPE; }
|
||||
finger { rules_lval.val = Rule::FINGER; return TOK_PATTERN_TYPE; }
|
||||
|
||||
{D}("."{D}){3}"/"{D} {
|
||||
{D}("."{D}){3}{OWS}"/"{OWS}{D} {
|
||||
char* s = strchr(yytext, '/');
|
||||
*s++ = '\0';
|
||||
|
||||
|
|
|
|||
79
testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
Normal file
79
testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
Normal file
|
|
@ -0,0 +1,79 @@
|
|||
dpd_config, {
|
||||
|
||||
}
|
||||
signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
|
||||
ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
|
||||
ftp_request 141.142.220.235:50003 - USER anonymous
|
||||
ftp_reply 199.233.217.249:21 - 331 Guest login ok, type your name as password.
|
||||
signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_server
|
||||
ftp_request 141.142.220.235:50003 - PASS test
|
||||
ftp_reply 199.233.217.249:21 - 230
|
||||
ftp_reply 199.233.217.249:21 - 0 The NetBSD Project FTP Server located in Redwood City, CA, USA
|
||||
ftp_reply 199.233.217.249:21 - 0 1 Gbps connectivity courtesy of , ,
|
||||
ftp_reply 199.233.217.249:21 - 0 Internet Systems Consortium WELCOME! /( )`
|
||||
ftp_reply 199.233.217.249:21 - 0 \ \___ / |
|
||||
ftp_reply 199.233.217.249:21 - 0 +--- Currently Supported Platforms ----+ /- _ `-/ '
|
||||
ftp_reply 199.233.217.249:21 - 0 | acorn[26,32], algor, alpha, amd64, | (/\/ \ \ /\
|
||||
ftp_reply 199.233.217.249:21 - 0 | amiga[,ppc], arc, atari, bebox, | / / | ` \
|
||||
ftp_reply 199.233.217.249:21 - 0 | cats, cesfic, cobalt, dreamcast, | O O ) / |
|
||||
ftp_reply 199.233.217.249:21 - 0 | evb[arm,mips,ppc,sh3], hp[300,700], | `-^--'`< '
|
||||
ftp_reply 199.233.217.249:21 - 0 | hpc[arm,mips,sh], i386, | (_.) _ ) /
|
||||
ftp_reply 199.233.217.249:21 - 0 | ibmnws, iyonix, luna68k, | .___/` /
|
||||
ftp_reply 199.233.217.249:21 - 0 | mac[m68k,ppc], mipsco, mmeye, | `-----' /
|
||||
ftp_reply 199.233.217.249:21 - 0 | mvme[m68k,ppc], netwinders, | <----. __ / __ \
|
||||
ftp_reply 199.233.217.249:21 - 0 | news[m68k,mips], next68k, ofppc, | <----|====O)))==) \) /====
|
||||
ftp_reply 199.233.217.249:21 - 0 | playstation2, pmax, prep, sandpoint, | <----' `--' `.__,' \
|
||||
ftp_reply 199.233.217.249:21 - 0 | sbmips, sgimips, shark, sparc[,64], | | |
|
||||
ftp_reply 199.233.217.249:21 - 0 | sun[2,3], vax, x68k, xen | \ /
|
||||
ftp_reply 199.233.217.249:21 - 0 +--------------------------------------+ ______( (_ / \_____
|
||||
ftp_reply 199.233.217.249:21 - 0 See our website at http://www.NetBSD.org/ ,' ,-----' | \
|
||||
ftp_reply 199.233.217.249:21 - 0 We log all FTP transfers and commands. `--{__________) (FL) \/
|
||||
ftp_reply 199.233.217.249:21 - 0 230-
|
||||
ftp_reply 199.233.217.249:21 - 0 EXPORT NOTICE
|
||||
ftp_reply 199.233.217.249:21 - 0
|
||||
ftp_reply 199.233.217.249:21 - 0 Please note that portions of this FTP site contain cryptographic
|
||||
ftp_reply 199.233.217.249:21 - 0 software controlled under the Export Administration Regulations (EAR).
|
||||
ftp_reply 199.233.217.249:21 - 0
|
||||
ftp_reply 199.233.217.249:21 - 0 None of this software may be downloaded or otherwise exported or
|
||||
ftp_reply 199.233.217.249:21 - 0 re-exported into (or to a national or resident of) Cuba, Iran, Libya,
|
||||
ftp_reply 199.233.217.249:21 - 0 Sudan, North Korea, Syria or any other country to which the U.S. has
|
||||
ftp_reply 199.233.217.249:21 - 0 embargoed goods.
|
||||
ftp_reply 199.233.217.249:21 - 0
|
||||
ftp_reply 199.233.217.249:21 - 0 By downloading or using said software, you are agreeing to the
|
||||
ftp_reply 199.233.217.249:21 - 0 foregoing and you are representing and warranting that you are not
|
||||
ftp_reply 199.233.217.249:21 - 0 located in, under the control of, or a national or resident of any
|
||||
ftp_reply 199.233.217.249:21 - 0 such country or on any such list.
|
||||
ftp_reply 199.233.217.249:21 - 230 Guest login ok, access restrictions apply.
|
||||
ftp_request 141.142.220.235:50003 - SYST
|
||||
ftp_reply 199.233.217.249:21 - 215 UNIX Type: L8 Version: NetBSD-ftpd 20100320
|
||||
ftp_request 141.142.220.235:50003 - PASV
|
||||
ftp_reply 199.233.217.249:21 - 227 Entering Passive Mode (199,233,217,249,221,90)
|
||||
ftp_request 141.142.220.235:50003 - LIST
|
||||
ftp_reply 199.233.217.249:21 - 150 Opening ASCII mode data connection for '/bin/ls'.
|
||||
ftp_reply 199.233.217.249:21 - 226 Transfer complete.
|
||||
ftp_request 141.142.220.235:50003 - TYPE I
|
||||
ftp_reply 199.233.217.249:21 - 200 Type set to I.
|
||||
ftp_request 141.142.220.235:50003 - PASV
|
||||
ftp_reply 199.233.217.249:21 - 227 Entering Passive Mode (199,233,217,249,221,91)
|
||||
ftp_request 141.142.220.235:50003 - RETR robots.txt
|
||||
ftp_reply 199.233.217.249:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes).
|
||||
ftp_reply 199.233.217.249:21 - 226 Transfer complete.
|
||||
ftp_request 141.142.220.235:50003 - TYPE A
|
||||
ftp_reply 199.233.217.249:21 - 200 Type set to A.
|
||||
ftp_request 141.142.220.235:50003 - PORT 141,142,220,235,131,46
|
||||
ftp_reply 199.233.217.249:21 - 200 PORT command successful.
|
||||
ftp_request 141.142.220.235:50003 - LIST
|
||||
ftp_reply 199.233.217.249:21 - 150 Opening ASCII mode data connection for '/bin/ls'.
|
||||
ftp_reply 199.233.217.249:21 - 226 Transfer complete.
|
||||
ftp_request 141.142.220.235:50003 - TYPE I
|
||||
ftp_reply 199.233.217.249:21 - 200 Type set to I.
|
||||
ftp_request 141.142.220.235:50003 - PORT 141,142,220,235,147,203
|
||||
ftp_reply 199.233.217.249:21 - 200 PORT command successful.
|
||||
ftp_request 141.142.220.235:50003 - RETR robots.txt
|
||||
ftp_reply 199.233.217.249:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes).
|
||||
ftp_reply 199.233.217.249:21 - 226 Transfer complete.
|
||||
ftp_request 141.142.220.235:50003 - QUIT
|
||||
ftp_reply 199.233.217.249:21 - 221
|
||||
ftp_reply 199.233.217.249:21 - 0 Data traffic for this session was 154 bytes in 2 files.
|
||||
ftp_reply 199.233.217.249:21 - 0 Total traffic for this session was 4037 bytes in 4 transfers.
|
||||
ftp_reply 199.233.217.249:21 - 221 Thank you for using the FTP service on ftp.NetBSD.org.
|
||||
100
testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
Normal file
100
testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
Normal file
|
|
@ -0,0 +1,100 @@
|
|||
dpd_config, {
|
||||
|
||||
}
|
||||
signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 331 Guest login ok, type your name as password.
|
||||
signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_server
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - PASS test
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 230
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 The NetBSD Project FTP Server located in Redwood City, CA, USA
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 1 Gbps connectivity courtesy of , ,
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 Internet Systems Consortium WELCOME! /( )`
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 \ \___ / |
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 +--- Currently Supported Platforms ----+ /- _ `-/ '
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | acorn[26,32], algor, alpha, amd64, | (/\/ \ \ /\
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | amiga[,ppc], arc, atari, bebox, | / / | ` \
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | cats, cesfic, cobalt, dreamcast, | O O ) / |
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | evb[arm,mips,ppc,sh3], hp[300,700], | `-^--'`< '
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | hpc[arm,mips,sh], i386, | (_.) _ ) /
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | ibmnws, iyonix, luna68k, | .___/` /
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | mac[m68k,ppc], mipsco, mmeye, | `-----' /
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | mvme[m68k,ppc], netwinders, | <----. __ / __ \
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | news[m68k,mips], next68k, ofppc, | <----|====O)))==) \) /====
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | playstation2, pmax, prep, sandpoint, | <----' `--' `.__,' \
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | sbmips, sgimips, shark, sparc[,64], | | |
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 | sun[2,3], vax, x68k, xen | \ /
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 +--------------------------------------+ ______( (_ / \_____
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 See our website at http://www.NetBSD.org/ ,' ,-----' | \
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 We log all FTP transfers and commands. `--{__________) (FL) \/
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 230-
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 EXPORT NOTICE
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 Please note that portions of this FTP site contain cryptographic
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 software controlled under the Export Administration Regulations (EAR).
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 None of this software may be downloaded or otherwise exported or
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 re-exported into (or to a national or resident of) Cuba, Iran, Libya,
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 Sudan, North Korea, Syria or any other country to which the U.S. has
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 embargoed goods.
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 By downloading or using said software, you are agreeing to the
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 foregoing and you are representing and warranting that you are not
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 located in, under the control of, or a national or resident of any
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 such country or on any such list.
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 230 Guest login ok, access restrictions apply.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - SYST
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 215 UNIX Type: L8 Version: NetBSD-ftpd 20100320
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - FEAT
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 211 Features supported
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 MDTM
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 MLST Type*;Size*;Modify*;Perm*;Unique*;
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 REST STREAM
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 SIZE
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 TVFS
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 211 End
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - PWD
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 257 "/" is the current directory.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPSV
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 229 Entering Extended Passive Mode (|||57086|)
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - LIST
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 150 Opening ASCII mode data connection for '/bin/ls'.
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPSV
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 229 Entering Extended Passive Mode (|||57087|)
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - NLST
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 150 Opening ASCII mode data connection for 'file list'.
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - TYPE I
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 200 Type set to I.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - SIZE robots.txt
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 213 77
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPSV
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 229 Entering Extended Passive Mode (|||57088|)
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - RETR robots.txt
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes).
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - MDTM robots.txt
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 213 20090816112038
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - SIZE robots.txt
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 213 77
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPRT |2|2001:470:1f11:81f:c999:d94:aa7c:2e3e|49189|
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 200 EPRT command successful.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - RETR robots.txt
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 150 Opening BINARY mode data connection for 'robots.txt' (77 bytes).
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - MDTM robots.txt
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 213 20090816112038
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - TYPE A
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 200 Type set to A.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - EPRT |2|2001:470:1f11:81f:c999:d94:aa7c:2e3e|49190|
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 200 EPRT command successful.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - LIST
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 150 Opening ASCII mode data connection for '/bin/ls'.
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 226 Transfer complete.
|
||||
ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - QUIT
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 221
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 Data traffic for this session was 154 bytes in 2 files.
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 0 Total traffic for this session was 4512 bytes in 5 transfers.
|
||||
ftp_reply [2001:470:4867:99::21]:21 - 221 Thank you for using the FTP service on ftp.NetBSD.org.
|
||||
3
testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
Normal file
3
testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
dpd_config, {
|
||||
|
||||
}
|
||||
3
testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
Normal file
3
testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
dpd_config, {
|
||||
|
||||
}
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-eq
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - dst-ip-ne
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-eq
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-ip-ne
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-eq
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - dst-port-eq-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - dst-port-eq
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-gt
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-gte1
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-gte2
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-lt
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-lte1
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-lte2
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-ne-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - dst-port-ne
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - icmp
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=128/icmp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=129/icmp] - icmp6
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - ip-mask
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - ip
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - ip6
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=127.0.0.1, orig_p=30000/tcp, resp_h=127.0.0.1, resp_p=80/tcp] - tcp
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - udp
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - val-mask
|
||||
1
testing/btest/Baseline/signatures.id-lookup/id.out
Normal file
1
testing/btest/Baseline/signatures.id-lookup/id.out
Normal file
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - id
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=128/icmp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=129/icmp] - icmp6
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - icmp
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=127.0.0.1, orig_p=30000/tcp, resp_h=127.0.0.1, resp_p=80/tcp] - tcp
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/tcp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=80/tcp] - tcp
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - udp
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - udp
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-eq
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=192.168.1.100, orig_p=8/icmp, resp_h=192.168.1.101, resp_p=0/icmp] - src-ip-ne
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-eq
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne-list
|
||||
|
|
@ -0,0 +1 @@
|
|||
signature_match [orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=30000/udp, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=13000/udp] - src-ip-ne
|
||||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue