diff --git a/CHANGES b/CHANGES index 76e09d27c1..5533616d04 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,38 @@ +2.3-419 | 2015-02-13 09:10:44 -0600 + + * BIT-1011: Update the SOCKS analyzer to support user/pass login. + (Nicolas Retrain, Seth Hall, Jon Siwek) + + - Add a new field to socks.log: "password". + - Two new events: "socks_login_userpass_request" and + "socks_login_userpass_reply". + - Two new weirds for unsupported SOCKS authentication method or + version. + - A new test for authenticated socks traffic. + +2.3-416 | 2015-02-12 12:18:42 -0600 + + * Submodule update - newest sqlite version (Johanna Amann) + + * Fix use of deprecated gperftools headers. (Jon Siwek) + +2.3-413 | 2015-02-08 18:23:05 -0800 + + * Fixing analyzer tag types for some Files::* functions. (Robin Sommer) + + * Changing load order for plugin scripts. (Robin Sommer) + +2.3-411 | 2015-02-05 10:05:48 -0600 + + * Fix file analysis of files with total size below the bof_buffer size + never delivering content to stream analyzers. (Seth Hall) + + * Add/fix log fields in x509 diff canonifier. (Jon Siwek) + + * "id" not defined for debug code when using -DPROFILE_BRO_FUNCTIONS + (Mike Smiley) + 2.3-406 | 2015-02-03 17:02:45 -0600 * Add x509 canonifier to a unit test. (Jon Siwek) diff --git a/VERSION b/VERSION index 15530c9394..acf1555244 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-406 +2.3-419 diff --git a/aux/bro-aux b/aux/bro-aux index 0b713c027d..3714d3594c 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 0b713c027d3efaaca50e5df995c02656175573cd +Subproject commit 3714d3594ce0d2b8a757c04e6e7d901d6b559915 diff --git a/aux/broccoli b/aux/broccoli index d43cc790e5..420c5b42c0 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit d43cc790e5b8709b5e032e52ad0e00936494739b +Subproject commit 420c5b42c0c90f22fc7a862fc491c8e554d05381 diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro index e335d4be9d..94a46578c0 100644 --- a/scripts/base/frameworks/files/main.bro +++ b/scripts/base/frameworks/files/main.bro @@ -267,7 +267,7 @@ export { ## mts: The set of MIME types, each in the form "foo/bar" (case-insensitive). ## ## Returns: True if the MIME types were successfully registered. - global register_for_mime_types: function(tag: Analyzer::Tag, mts: set[string]) : bool; + global register_for_mime_types: function(tag: Files::Tag, mts: set[string]) : bool; ## Registers a MIME type for an analyzer. If a future file with this type is seen, ## the analyzer will be automatically assigned to parsing it. The function *adds* @@ -278,20 +278,20 @@ export { ## mt: The MIME type in the form "foo/bar" (case-insensitive). ## ## Returns: True if the MIME type was successfully registered. - global register_for_mime_type: function(tag: Analyzer::Tag, mt: string) : bool; + global register_for_mime_type: function(tag: Files::Tag, mt: string) : bool; ## Returns a set of all MIME types currently registered for a specific analyzer. ## ## tag: The tag of the analyzer. ## ## Returns: The set of MIME types. - global registered_mime_types: function(tag: Analyzer::Tag) : set[string]; + global registered_mime_types: function(tag: Files::Tag) : set[string]; ## Returns a table of all MIME-type-to-analyzer mappings currently registered. ## ## Returns: A table mapping each analyzer to the set of MIME types ## registered for it. - global all_registered_mime_types: function() : table[Analyzer::Tag] of set[string]; + global all_registered_mime_types: function() : table[Files::Tag] of set[string]; ## Event that can be handled to access the Info record as it is sent on ## to the logging framework. @@ -306,8 +306,8 @@ redef record fa_file += { global registered_protocols: table[Analyzer::Tag] of ProtoRegistration = table(); # Store the MIME type to analyzer mappings. -global mime_types: table[Analyzer::Tag] of set[string]; -global mime_type_to_analyzers: table[string] of set[Analyzer::Tag]; +global mime_types: table[Files::Tag] of set[string]; +global mime_type_to_analyzers: table[string] of set[Files::Tag]; global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: AnalyzerArgs) = table(); @@ -401,7 +401,7 @@ function register_protocol(tag: Analyzer::Tag, reg: ProtoRegistration): bool return result; } -function register_for_mime_types(tag: Analyzer::Tag, mime_types: set[string]) : bool +function register_for_mime_types(tag: Files::Tag, mime_types: set[string]) : bool { local rc = T; @@ -414,7 +414,7 @@ function register_for_mime_types(tag: Analyzer::Tag, mime_types: set[string]) : return rc; } -function register_for_mime_type(tag: Analyzer::Tag, mt: string) : bool +function register_for_mime_type(tag: Files::Tag, mt: string) : bool { if ( tag !in mime_types ) { @@ -431,12 +431,12 @@ function register_for_mime_type(tag: Analyzer::Tag, mt: string) : bool return T; } -function registered_mime_types(tag: Analyzer::Tag) : set[string] +function registered_mime_types(tag: Files::Tag) : set[string] { return tag in mime_types ? mime_types[tag] : set(); } -function all_registered_mime_types(): table[Analyzer::Tag] of set[string] +function all_registered_mime_types(): table[Files::Tag] of set[string] { return mime_types; } @@ -451,7 +451,7 @@ function describe(f: fa_file): string return handler$describe(f); } -event get_file_handle(tag: Analyzer::Tag, c: connection, is_orig: bool) &priority=5 +event get_file_handle(tag: Files::Tag, c: connection, is_orig: bool) &priority=5 { if ( tag !in registered_protocols ) return; diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index 713161d442..e052962888 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.bro @@ -16,8 +16,10 @@ export { id: conn_id &log; ## Protocol version of SOCKS. version: count &log; - ## Username for the proxy if extracted from the network. + ## Username used to request a login to the proxy. user: string &log &optional; + ## Password used to request a login to the proxy. + password: string &log &optional; ## Server status for the attempt at using the proxy. status: string &log &optional; ## Client requested SOCKS address. Could be an address, a name @@ -91,3 +93,21 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres if ( "SOCKS" in c$service ) Log::write(SOCKS::LOG, c$socks); } + +event socks_login_userpass_request(c: connection, user: string, password: string) &priority=5 + { + # Authentication only possible with the version 5. + set_session(c, 5); + + c$socks$user = user; + c$socks$password = password; + } + +event socks_login_userpass_reply(c: connection, code: count) &priority=5 + { + # Authentication only possible with the version 5. + set_session(c, 5); + + c$socks$status = v5_status[code]; + } + diff --git a/src/3rdparty b/src/3rdparty index 7e15efe9d2..f2e34d731e 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 7e15efe9d28d46bfa662fcdd1cbb15ce1db285c9 +Subproject commit f2e34d731ed29bb993fbb065846faa342a8c824f diff --git a/src/Func.cc b/src/Func.cc index d66e9c71fa..693a4535d4 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -323,7 +323,7 @@ int BroFunc::IsPure() const Val* BroFunc::Call(val_list* args, Frame* parent) const { #ifdef PROFILE_BRO_FUNCTIONS - DEBUG_MSG("Function: %s\n", id->Name()); + DEBUG_MSG("Function: %s\n", Name()); #endif SegmentProfiler(segment_logger, location); diff --git a/src/analyzer/protocol/socks/SOCKS.cc b/src/analyzer/protocol/socks/SOCKS.cc index e678528f35..ec1e85653b 100644 --- a/src/analyzer/protocol/socks/SOCKS.cc +++ b/src/analyzer/protocol/socks/SOCKS.cc @@ -57,8 +57,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) // with the rest of the conneciton. // // Note that we assume that no payload data arrives before both endpoints - // are done with there part of the SOCKS protocol. - + // are done with their part of the SOCKS protocol. if ( ! pia ) { pia = new pia::PIA_TCP(Conn()); diff --git a/src/analyzer/protocol/socks/events.bif b/src/analyzer/protocol/socks/events.bif index 4f1f8ad1cd..224f570817 100644 --- a/src/analyzer/protocol/socks/events.bif +++ b/src/analyzer/protocol/socks/events.bif @@ -27,3 +27,19 @@ event socks_request%(c: connection, version: count, request_type: count, sa: SOC ## p: The destination port for the proxied traffic. event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%); +## Generated when a SOCKS client performs username and password based login. +## +## c: The parent connection of the proxy. +## +## user: The given username. +## +## password: The given password. +event socks_login_userpass_request%(c: connection, user: string, password: string%); + +## Generated when a SOCKS server replies to a username/password login attempt. +## +## c: The parent connection of the proxy. +## +## code: The response code for the attempted login. +event socks_login_userpass_reply%(c: connection, code: count%); + diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index db98b3f4b3..b8c4165a54 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac @@ -148,6 +148,37 @@ refine connection SOCKS_Conn += { return true; %} + function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass_v1): bool + %{ + StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin()); + StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin()); + + BifEvent::generate_socks_login_userpass_request(bro_analyzer(), + bro_analyzer()->Conn(), + user, pass); + return true; + %} + + function socks5_unsupported_authentication_method(auth_method: uint8): bool + %{ + reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_method_%d", auth_method)); + return true; + %} + + function socks5_unsupported_authentication_version(auth_method: uint8, version: uint8): bool + %{ + reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_%d_%d", auth_method, version)); + return true; + %} + + function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool + %{ + BifEvent::generate_socks_login_userpass_reply(bro_analyzer(), + bro_analyzer()->Conn(), + ${reply.code}); + return true; + %} + function version_error(version: uint8): bool %{ bro_analyzer()->ProtocolViolation(fmt("unsupported/unknown SOCKS version %d", version)); @@ -176,3 +207,22 @@ refine typeattr SOCKS5_Request += &let { refine typeattr SOCKS5_Reply += &let { proc: bool = $context.connection.socks5_reply(this); }; + +refine typeattr SOCKS5_Auth_Negotiation_Reply += &let { +}; + +refine typeattr SOCKS5_Auth_Request_UserPass_v1 += &let { + proc: bool = $context.connection.socks5_auth_request_userpass(this); +}; + +refine typeattr SOCKS5_Auth_Reply_UserPass_v1 += &let { + proc: bool = $context.connection.socks5_auth_reply_userpass(this); +}; + +refine typeattr SOCKS5_Unsupported_Authentication_Method += &let { + proc: bool = $context.connection.socks5_unsupported_authentication_method($context.connection.v5_auth_method()); +}; + +refine typeattr SOCKS5_Unsupported_Authentication_Version += &let { + proc: bool = $context.connection.socks5_unsupported_authentication_version($context.connection.v5_auth_method(), version); +}; diff --git a/src/analyzer/protocol/socks/socks-protocol.pac b/src/analyzer/protocol/socks/socks-protocol.pac index 05ca4bc861..d9c31d2377 100644 --- a/src/analyzer/protocol/socks/socks-protocol.pac +++ b/src/analyzer/protocol/socks/socks-protocol.pac @@ -1,10 +1,15 @@ +type SOCKS_Message(is_orig: bool) = case $context.connection.v5_in_auth_sub_negotiation() of { + true -> auth: SOCKS5_Auth_Message(is_orig); + false -> msg: SOCKS_Version(is_orig); +}; + type SOCKS_Version(is_orig: bool) = record { version: uint8; msg: case version of { - 4 -> socks4_msg: SOCKS4_Message(is_orig); - 5 -> socks5_msg: SOCKS5_Message(is_orig); - default -> socks_msg_fail: SOCKS_Version_Error(version); + 4 -> socks4_msg: SOCKS4_Message(is_orig); + 5 -> socks5_msg: SOCKS5_Message(is_orig); + default -> socks_msg_fail: SOCKS_Version_Error(version); }; }; @@ -14,10 +19,11 @@ type SOCKS_Version_Error(version: uint8) = record { # SOCKS5 Implementation type SOCKS5_Message(is_orig: bool) = case $context.connection.v5_past_authentication() of { - true -> msg: SOCKS5_Real_Message(is_orig); false -> auth: SOCKS5_Auth_Negotiation(is_orig); + true -> msg: SOCKS5_Real_Message(is_orig); }; + type SOCKS5_Auth_Negotiation(is_orig: bool) = case is_orig of { true -> req: SOCKS5_Auth_Negotiation_Request; false -> rep: SOCKS5_Auth_Negotiation_Reply; @@ -31,7 +37,61 @@ type SOCKS5_Auth_Negotiation_Request = record { type SOCKS5_Auth_Negotiation_Reply = record { selected_auth_method: uint8; } &let { + in_auth_sub_neg = $context.connection.set_v5_in_auth_sub_negotiation(selected_auth_method == 0 || selected_auth_method == 0xff ? false : true); past_auth = $context.connection.set_v5_past_authentication(); + set_auth = $context.connection.set_v5_auth_method(selected_auth_method); +}; + +type SOCKS5_Auth_Message(is_orig: bool) = case is_orig of { + true -> req: SOCKS5_Auth_Request; + false -> rep: SOCKS5_Auth_Reply; +}; + +type SOCKS5_Auth_Request = case $context.connection.v5_auth_method() of { + 0x02 -> userpass : SOCKS5_Auth_Request_UserPass; + default -> unsupported : SOCKS5_Unsupported_Authentication_Method; +}; + +type SOCKS5_Unsupported_Authentication_Method = record { + crap: bytestring &restofdata; +}; + +type SOCKS5_Unsupported_Authentication_Version(version: uint8) = record { + crap: bytestring &restofdata; +}; + +type SOCKS5_Auth_Request_UserPass = record { + version: uint8; + msg: case version of { + 1 -> v1: SOCKS5_Auth_Request_UserPass_v1; + default -> unsupported: SOCKS5_Unsupported_Authentication_Version(version); + }; +}; + +type SOCKS5_Auth_Request_UserPass_v1 = record { + ulen : uint8; + username : bytestring &length=ulen; + plen : uint8; + password : bytestring &length=plen; +}; + +type SOCKS5_Auth_Reply = case $context.connection.v5_auth_method() of { + 0x02 -> userpass : SOCKS5_Auth_Reply_UserPass; + default -> unsupported : SOCKS5_Unsupported_Authentication_Method; +} &let { + in_auth_sub_neg = $context.connection.set_v5_in_auth_sub_negotiation(false); +}; + +type SOCKS5_Auth_Reply_UserPass = record { + version: uint8; + msg: case version of { + 1 -> v1: SOCKS5_Auth_Reply_UserPass_v1; + default -> unsupported: SOCKS5_Unsupported_Authentication_Version(version); + }; +}; + +type SOCKS5_Auth_Reply_UserPass_v1 = record { + code : uint8; }; type SOCKS5_Real_Message(is_orig: bool) = case is_orig of { @@ -55,10 +115,10 @@ type SOCKS5_Address = record { } &byteorder = bigendian; type SOCKS5_Request = record { - command: uint8; - reserved: uint8; - remote_name: SOCKS5_Address; - port: uint16; + command : uint8; + reserved : uint8; + remote_name : SOCKS5_Address; + port : uint16; } &byteorder = bigendian; type SOCKS5_Reply = record { @@ -98,13 +158,28 @@ type SOCKS4_Reply = record { refine connection SOCKS_Conn += { %member{ + bool v5_in_auth_sub_negotiation_; bool v5_authenticated_; + uint8 selected_auth_method_; %} %init{ + v5_in_auth_sub_negotiation_ = false; v5_authenticated_ = false; + selected_auth_method_ = 255; %} + function v5_in_auth_sub_negotiation(): bool + %{ + return v5_in_auth_sub_negotiation_; + %} + + function set_v5_in_auth_sub_negotiation(b: bool): bool + %{ + v5_in_auth_sub_negotiation_ = b; + return true; + %} + function v5_past_authentication(): bool %{ return v5_authenticated_; @@ -115,5 +190,16 @@ refine connection SOCKS_Conn += { v5_authenticated_ = true; return true; %} + + function set_v5_auth_method(method: uint8): bool + %{ + selected_auth_method_ = method; + return true; + %} + + function v5_auth_method(): uint8 + %{ + return selected_auth_method_; + %} }; diff --git a/src/analyzer/protocol/socks/socks.pac b/src/analyzer/protocol/socks/socks.pac index a9c4099508..9aed2820af 100644 --- a/src/analyzer/protocol/socks/socks.pac +++ b/src/analyzer/protocol/socks/socks.pac @@ -20,7 +20,7 @@ connection SOCKS_Conn(bro_analyzer: BroAnalyzer) { %include socks-protocol.pac flow SOCKS_Flow(is_orig: bool) { - datagram = SOCKS_Version(is_orig) withcontext(connection, this); + datagram = SOCKS_Message(is_orig) withcontext(connection, this); }; %include socks-analyzer.pac diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 50617f27b6..c90c9f2413 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -492,18 +492,22 @@ void File::EndOfFile() if ( done ) return; - if ( ! did_mime_type && - LookupFieldDefaultCount(missing_bytes_idx) == 0 ) - DetectMIME(); - - analyzers.DrainModifications(); - if ( file_reassembler ) { file_reassembler->Flush(); - analyzers.DrainModifications(); } + // Mark the bof_buffer as full in case it isn't yet + // so that the whole thing can be flushed out to + // any stream analyzers. + if ( ! bof_buffer.full ) + { + bof_buffer.full = true; + DeliverStream((const u_char*) "", 0); + } + + analyzers.DrainModifications(); + done = true; file_analysis::Analyzer* a = 0; diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 2ca34d94f3..ab0b85676b 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -172,7 +172,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ // Load {bif,scripts}/__load__.bro automatically. - string init = dir + "scripts/__load__.bro"; + string init = dir + "lib/bif/__load__.bro"; if ( is_file(init) ) { @@ -180,7 +180,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ scripts_to_load.push_back(init); } - init = dir + "lib/bif/__load__.bro"; + init = dir + "scripts/__load__.bro"; if ( is_file(init) ) { diff --git a/src/util.h b/src/util.h index db77888c16..50c33d5608 100644 --- a/src/util.h +++ b/src/util.h @@ -48,8 +48,8 @@ #endif #ifdef USE_PERFTOOLS_DEBUG -#include -#include +#include +#include extern HeapLeakChecker* heap_checker; #endif diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output index 0882718f03..f7b33992ea 100644 --- a/testing/btest/Baseline/plugins.writer/output +++ b/testing/btest/Baseline/plugins.writer/output @@ -17,6 +17,6 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0) [http] 1340213020.732963|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|- [http] 1340213021.300269|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|- [http] 1340213021.861584|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|- -[packet_filter] 1412721099.419280|bro|ip or not ip|T|T -[socks] 1340213015.276495|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688 +[packet_filter] 1423781675.402129|bro|ip or not ip|T|T +[socks] 1340213015.276495|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688 [tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log new file mode 100644 index 0000000000..cebe140bda --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path files +#open 2015-02-05-13-55-41 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string +1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 MD5,SHA1 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 - - +#close 2015-02-05-13-55-41 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/socks.log new file mode 100644 index 0000000000..cc5fa80191 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/socks.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path socks +#open 2015-02-05-16-13-12 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p +#types time string addr port addr port count string string string addr string port addr string port +1368517392.724989 CXWv6p3arKYeMETxOg 192.168.0.2 55951 192.168.0.1 1080 5 bob alice succeeded 192.168.0.2 - 22 192.168.0.1 - 55951 +#close 2015-02-05-16-13-12 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/tunnel.log new file mode 100644 index 0000000000..d53238df93 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth/tunnel.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2015-02-05-16-13-12 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1368517392.728523 - 192.168.0.2 0 192.168.0.1 1080 Tunnel::SOCKS Tunnel::DISCOVER +#close 2015-02-05-16-13-12 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log index 148e4adf02..f69df31b66 100644 --- a/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log +++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path socks -#open 2013-08-26-19-04-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status request.host request.name request_p bound.host bound.name bound_p -#types time string addr port addr port count string string addr string port addr string port -1340213015.276495 CjhGID4nQcgTWjvg4c 10.0.0.55 53994 60.190.189.214 8124 5 - succeeded - www.osnews.com 80 192.168.0.31 - 2688 -#close 2013-08-26-19-04-20 +#open 2015-02-05-17-39-14 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p +#types time string addr port addr port count string string string addr string port addr string port +1340213015.276495 CjhGID4nQcgTWjvg4c 10.0.0.55 53994 60.190.189.214 8124 5 - - succeeded - www.osnews.com 80 192.168.0.31 - 2688 +#close 2015-02-05-17-39-14 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log index d706a11da3..de7b26f875 100644 --- a/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log +++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path socks -#open 2013-08-26-19-04-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status request.host request.name request_p bound.host bound.name bound_p -#types time string addr port addr port count string string addr string port addr string port -1340113261.914619 CXWv6p3arKYeMETxOg 10.0.0.50 59580 85.194.84.197 1080 5 - succeeded - www.google.com 443 0.0.0.0 - 443 -#close 2013-08-26-19-04-20 +#open 2015-02-05-17-39-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p +#types time string addr port addr port count string string string addr string port addr string port +1340113261.914619 CXWv6p3arKYeMETxOg 10.0.0.50 59580 85.194.84.197 1080 5 - - succeeded - www.google.com 443 0.0.0.0 - 443 +#close 2015-02-05-17-39-29 diff --git a/testing/btest/Traces/socks-auth.pcap b/testing/btest/Traces/socks-auth.pcap new file mode 100644 index 0000000000..1570e22947 Binary files /dev/null and b/testing/btest/Traces/socks-auth.pcap differ diff --git a/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro b/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro new file mode 100644 index 0000000000..0f7e23ddcf --- /dev/null +++ b/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro @@ -0,0 +1,6 @@ +# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: btest-diff files.log + +@load frameworks/files/hash-all-files + +redef default_file_bof_buffer_size=5000; diff --git a/testing/btest/scripts/base/protocols/socks/socks-auth.bro b/testing/btest/scripts/base/protocols/socks/socks-auth.bro new file mode 100644 index 0000000000..2123dc1d45 --- /dev/null +++ b/testing/btest/scripts/base/protocols/socks/socks-auth.bro @@ -0,0 +1,5 @@ +# @TEST-EXEC: bro -r $TRACES/socks-auth.pcap %INPUT +# @TEST-EXEC: btest-diff socks.log +# @TEST-EXEC: btest-diff tunnel.log + +@load base/protocols/socks diff --git a/testing/scripts/diff-remove-x509-names b/testing/scripts/diff-remove-x509-names index 4863efc990..4534cb7d87 100755 --- a/testing/scripts/diff-remove-x509-names +++ b/testing/scripts/diff-remove-x509-names @@ -3,19 +3,25 @@ # A diff canonifier that removes all X.509 Distinguished Name subject fields # because that output can differ depending on installed OpenSSL version. -BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1; cs_col = -1; ci_col = -1 } +BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1; is_col = -1; cs_col = -1; ci_col = -1; cert_subj_col = -1; cert_issuer_col = -1 } /^#fields/ { for ( i = 2; i < NF; ++i ) { if ( $i == "subject" ) s_col = i-1; - if ( $i == "issuer_subject" ) + if ( $i == "issuer" ) i_col = i-1; + if ( $i == "issuer_subject" ) + is_col = i-1; if ( $i == "client_subject" ) cs_col = i-1; - if ( $i == "client_issuer_subject" ) + if ( $i == "client_issuer" ) ci_col = i-1; + if ( $i == "certificate.subject" ) + cert_subj_col = i-1; + if ( $i == "certificate.issuer" ) + cert_issuer_col = i-1; } } @@ -31,6 +37,12 @@ i_col >= 0 { $i_col = "+"; } +is_col >= 0 { + if ( $is_col != "-" ) + # Mark that it's set, but ignore content. + $is_col = "+"; +} + cs_col >= 0 { if ( $cs_col != "-" ) # Mark that it's set, but ignore content. @@ -43,6 +55,18 @@ ci_col >= 0 { $ci_col = "+"; } +cert_subj_col >= 0 { + if ( $cert_subj_col != "-" ) + # Mark that it's set, but ignore content. + $cert_subj_col = "+"; +} + +cert_issuer_col >= 0 { + if ( $cert_issuer_col != "-" ) + # Mark that it's set, but ignore content. + $cert_issuer_col = "+"; +} + { print; }