Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'master' into fastpath

Browse source
This commit is contained in:
Jon Siwek 2011-12-20 11:45:50 -06:00
commit eeceb14c1a
116 changed files with 1095 additions and 884 deletions
Download patch file Download diff file Expand all files Collapse all files

82
CHANGES
View file

@ -1,4 +1,86 @@
2.0-beta-145 | 2011-12-19 11:37:15 -0800
* Empty fields are now logged as "(empty)" by default. (Robin
Sommer)
* In log headers, only escape information when necessary. (Robin
Sommer)
2.0-beta-139 | 2011-12-19 07:06:29 -0800
* The hostname notice email extension works now, plus a general
mechanism for adding delayed information to notices. (Seth Hall)
* Fix &default fields in records not being initialized in coerced
assignments. Addresses #722. (Jon Siwek)
* Make log headers include the type of data stored inside a set or
vector ("vector[string]"). (Bernhard Amann)
2.0-beta-126 | 2011-12-18 15:18:05 -0800
* DNS updates. (Seth Hall)
- Fixed some bugs with capturing data in the base DNS script.
- Answers and TTLs are now vectors.
- A warning that was being generated (dns_reply_seen_after_done)
from transaction ID reuse is fixed.
* SSL updates. (Seth Hall)
- Added is_orig fields to the SSL events and adapted script.
- Added a field named last_alert to the SSL log.
- The x509_certificate function has an is_orig field now instead
of is_server and its position in the argument list has moved.
- A bit of reorganization and cleanup in the core analyzer. (Seth
Hall)
2.0-beta-121 | 2011-12-18 15:10:15 -0800
* Enable warnings for malformed Broxygen xref roles. (Jon Siwek)
* Fix Broxygen confusing scoped IDs at start of line as function
parameter. (Jon Siwek)
* Allow Broxygen markup "##<" for more general use. (Jon Siwek)
2.0-beta-116 | 2011-12-16 02:38:27 -0800
* Cleanup some misc Broxygen css/js stuff. (Jon Siwek)
* Add search box to Broxygen docs. Fixes #726. (Jon Siwek)
* Fixed major bug with cluster synchronization, which was not
working. (Seth Hall)
* Fix missing action in notice policy for looking up GeoIP data.
(Jon Siwek)
* Better persistent state configuration warning messages (fixes
#433). (Jon Siwek)
* Renaming HTTP::SQL_Injection_Attack_Against to
HTTP::SQL_Injection_Victim. (Seth Hall).
* Fixed DPD signatures for IRC. Fixes #311. (Seth Hall)
* Removing Off_Port_Protocol_Found notice. (Seth Hall)
* Teach Broxygen to more generally reference attribute values by name. (Jon Siwek)
* SSH::Interesting_Hostname_Login cleanup. Fixes #664. (Seth Hall)
* Fixed bug that was causing the malware hash registry script to
break. (Seth Hall)
* Remove remnant of libmagic optionality. (Jon Siwek)
2.0-beta-98 | 2011-12-07 08:12:08 -0800
* Adapting test-suite's diff-all so that it expands globs in both

2
VERSION
View file

@ -1 +1 @@
2.0-beta-98
2.0-beta-145

2
aux/binpac

@ -1 +1 @@
Subproject commit 82bd9613fb869e44f5f0d7929bdd9a88cde84077
Subproject commit e94d92b01f327655fd2061157942b95ae75b5f0f

2
aux/bro-aux

@ -1 +1 @@
Subproject commit 4d387ce660468b44df99d4c87d6016ae4ed2fdc4
Subproject commit f6b92bf5732c26e54eb4387efadc612663980389

2
aux/broccoli

@ -1 +1 @@
Subproject commit 05d51b55dd5a8430151cff74f7876bd73385d5cd
Subproject commit d7b8a43759bfcbe1381d132d8ab388937e52a6d4

2
aux/broctl

@ -1 +1 @@
Subproject commit 406c689c88997c4459eaf36bd2c65bce2e847c2d
Subproject commit a42e4d133b94622c612055047f8534d5122e6e88

2
cmake

@ -1 +1 @@
Subproject commit f0f7958639bb921985c1f58f1186da4b49b5d54d
Subproject commit 0c0a4697687df7f17c09391a1d0d95b25297a662

9
doc/_static/broxygen-extra.css vendored
View file

@ -1,7 +1,3 @@
.highlight {
background-color: #ffffff;
}
h1 {
font-weight: bold;
font-size: 32px;
@ -13,3 +9,8 @@ h1 {
color: #000;
border-bottom: 0px;
}
th.field-name
{
white-space:nowrap;
}

309
doc/_static/default.css_t vendored
View file

@ -1,309 +0,0 @@
/*
* default.css_t
* ~~~~~~~~~~~~~
*
* Sphinx stylesheet -- default theme.
*
* :copyright: Copyright 2007-2011 by the Sphinx team, see AUTHORS.
* :license: BSD, see LICENSE for details.
*
*/
@import url("basic.css");
/* -- page layout ----------------------------------------------------------- */
body {
font-family: {{ theme_bodyfont }};
font-size: 100%;
background-color: {{ theme_footerbgcolor }};
color: #000;
margin: 0;
padding: 0;
}
div.document {
background-color: {{ theme_sidebarbgcolor }};
}
div.documentwrapper {
float: left;
width: 100%;
}
div.bodywrapper {
margin: 0 0 0 {{ theme_sidebarwidth|toint }}px;
}
div.body {
background-color: {{ theme_bgcolor }};
color: {{ theme_textcolor }};
padding: 0 20px 30px 20px;
}
{%- if theme_rightsidebar|tobool %}
div.bodywrapper {
margin: 0 {{ theme_sidebarwidth|toint }}px 0 0;
}
{%- endif %}
div.footer {
color: {{ theme_footertextcolor }};
background-color: {{ theme_footerbgcolor }};
width: 100%;
padding: 9px 0 9px 0;
text-align: center;
font-size: 75%;
}
div.footer a {
color: {{ theme_footertextcolor }};
text-decoration: underline;
}
div.related {
background-color: {{ theme_relbarbgcolor }};
line-height: 30px;
color: {{ theme_relbartextcolor }};
}
div.related a {
color: {{ theme_relbarlinkcolor }};
}
div.sphinxsidebar {
{%- if theme_stickysidebar|tobool %}
top: 30px;
bottom: 0;
margin: 0;
position: fixed;
overflow: auto;
height: auto;
{%- endif %}
{%- if theme_rightsidebar|tobool %}
float: right;
{%- if theme_stickysidebar|tobool %}
right: 0;
{%- endif %}
{%- endif %}
}
{%- if theme_stickysidebar|tobool %}
/* this is nice, but it it leads to hidden headings when jumping
to an anchor */
/*
div.related {
position: fixed;
}
div.documentwrapper {
margin-top: 30px;
}
*/
{%- endif %}
div.sphinxsidebar h3 {
font-family: {{ theme_bodyfont }};
color: {{ theme_sidebartextcolor }};
font-size: 1.4em;
font-weight: normal;
margin: 0;
padding: 0;
}
div.sphinxsidebar h3 a {
color: {{ theme_sidebartextcolor }};
}
div.sphinxsidebar h4 {
font-family: {{ theme_bodyfont }};
color: {{ theme_sidebartextcolor }};
font-size: 1.3em;
font-weight: normal;
margin: 5px 0 0 0;
padding: 0;
}
div.sphinxsidebar p {
color: {{ theme_sidebartextcolor }};
}
div.sphinxsidebar p.topless {
margin: 5px 10px 10px 10px;
}
div.sphinxsidebar ul {
margin: 10px;
padding: 0;
color: {{ theme_sidebartextcolor }};
}
div.sphinxsidebar a {
color: {{ theme_sidebarlinkcolor }};
}
div.sphinxsidebar input {
border: 1px solid {{ theme_sidebarlinkcolor }};
font-family: sans-serif;
font-size: 1em;
}
{% if theme_collapsiblesidebar|tobool %}
/* for collapsible sidebar */
div#sidebarbutton {
background-color: {{ theme_sidebarbtncolor }};
}
{% endif %}
/* -- hyperlink styles ------------------------------------------------------ */
a {
color: {{ theme_linkcolor }};
text-decoration: none;
}
a:visited {
color: {{ theme_visitedlinkcolor }};
text-decoration: none;
}
{% if theme_externalrefs|tobool %}
a.external {
text-decoration: none;
border-bottom: 1px dashed {{ theme_linkcolor }};
}
a.external:hover {
text-decoration: none;
border-bottom: none;
}
a.external:visited {
text-decoration: none;
border-bottom: 1px dashed {{ theme_visitedlinkcolor }};
}
{% endif %}
/* -- body styles ----------------------------------------------------------- */
div.body h1,
div.body h2,
div.body h3,
div.body h4,
div.body h5,
div.body h6 {
font-family: {{ theme_bodyfont }};
background-color: #ffffff;
font-weight: normal;
color: {{ theme_headtextcolor }};
border-bottom: 1px solid #aaa;
margin: 20px -20px 10px -20px;
padding: 3px 0 3px 10px;
}
div.body h1 {
font-family: {{ theme_headfont }};
text-align: center;
border-bottom: none;
}
div.body h1 { margin-top: 0; font-size: 200%; }
div.body h2 { font-size: 160%; }
div.body h3 { font-size: 140%; }
div.body h4 { font-size: 120%; }
div.body h5 { font-size: 110%; }
div.body h6 { font-size: 100%; }
a.headerlink {
color: {{ theme_headlinkcolor }};
font-size: 0.8em;
padding: 0 4px 0 4px;
text-decoration: none;
}
a.headerlink:hover {
background-color: {{ theme_headlinkcolor }};
color: white;
}
div.admonition p.admonition-title + p {
display: inline;
}
div.admonition p {
margin-bottom: 5px;
}
div.admonition pre {
margin-bottom: 5px;
}
div.admonition ul, div.admonition ol {
margin-bottom: 5px;
}
div.note {
background-color: #eee;
border: 1px solid #ccc;
}
div.seealso {
background-color: #ffc;
border: 1px solid #ff6;
}
div.warning {
background-color: #ffe4e4;
border: 1px solid #f66;
}
p.admonition-title {
display: inline;
}
p.admonition-title:after {
content: ":";
}
pre {
padding: 5px;
background-color: {{ theme_codebgcolor }};
color: {{ theme_codetextcolor }};
line-height: 120%;
border: 1px solid #ac9;
border-left: none;
border-right: none;
}
tt {
background-color: #ecf0f3;
padding: 0 1px 0 1px;
font-size: 0.95em;
}
th {
background-color: #ede;
}
.warning tt {
background: #efc2c2;
}
.note tt {
background: #d6d6d6;
}
.viewcode-back {
font-family: {{ theme_bodyfont }};
}
div.viewcode-block:target {
background-color: #f4debf;
border-top: 1px solid #ac9;
border-bottom: 1px solid #ac9;
}
th.field-name
{
white-space:nowrap;
}

64
doc/_static/showhide.js vendored
View file

@ -1,64 +0,0 @@
// make literal blocks corresponding to identifier initial values
// hidden by default
$(document).ready(function() {
var showText='(Show Value)';
var hideText='(Hide Value)';
var is_visible = false;
// select field-list tables that come before a literal block
tables = $('.highlight-python').prev('table.docutils.field-list');
tables.find('th.field-name').filter(function(index) {
return $(this).html() == "Default :";
}).next().append('<a href="#" class="toggleLink">'+showText+'</a>');
// hide all literal blocks that follow a field-list table
tables.next('.highlight-python').hide();
// register handler for clicking a "toggle" link
$('a.toggleLink').click(function() {
is_visible = !is_visible;
$(this).html( (!is_visible) ? showText : hideText);
// the link is inside a <table><tbody><tr><td> and the next
// literal block after the table is the literal block that we want
// to show/hide
$(this).parent().parent().parent().parent().next('.highlight-python').slideToggle('fast');
// override default link behavior
return false;
});
});
// make "Private Interface" sections hidden by default
$(document).ready(function() {
var showText='Show Private Interface (for internal use)';
var hideText='Hide Private Interface';
var is_visible = false;
// insert show/hide links
$('#private-interface').children(":first-child").after('<a href="#" class="privateToggle">'+showText+'</a>');
// wrap all sub-sections in a new div that can be hidden/shown
$('#private-interface').children(".section").wrapAll('<div class="private" />');
// hide the given class
$('.private').hide();
// register handler for clicking a "toggle" link
$('a.privateToggle').click(function() {
is_visible = !is_visible;
$(this).html( (!is_visible) ? showText : hideText);
$('.private').slideToggle('fast');
// override default link behavior
return false;
});
});

13
doc/_templates/layout.html vendored
View file

@ -73,6 +73,19 @@
</div>
{% endif %}
{%- if pagename != "search" %}
<div id="searchbox" style="display: none" class="widget">
<h3 class="widgettitle">{{ _('Search') }}</h3>
<form class="search" action="{{ pathto('search') }}" method="get">
<input type="text" name="q" />
<input type="submit" value="{{ _('Search') }}" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
{%- endif %}
</div>
</div>

3
doc/scripts/example.bro
View file

@ -183,8 +183,7 @@ export {
## Summarize "an_event" here.
## Give more details about "an_event" here.
## Example::an_event should not be confused as a parameter
##
## Example::an_event should not be confused as a parameter.
## name: describe the argument here
global an_event: event(name: string);

5
scripts/base/frameworks/logging/writers/ascii.bro
View file

@ -19,8 +19,9 @@ export {
## Separator between set elements.
const set_separator = "," &redef;
## String to use for empty fields.
const empty_field = "-" &redef;
## String to use for empty fields. This should be different from
## *unset_field* to make the output non-ambigious.
const empty_field = "(empty)" &redef;
## String to use for an unset &optional field.
const unset_field = "-" &redef;

25
scripts/base/frameworks/notice/extend-email/hostnames.bro
View file

@ -2,7 +2,12 @@
module Notice;
# This probably doesn't actually work due to the async lookup_addr.
# We have to store references to the notices here because the when statement
# clones the frame which doesn't give us access to modify values outside
# of it's execution scope. (we get a clone of the notice instead of a
# reference to the original notice)
global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs;
event Notice::notice(n: Notice::Info) &priority=10
{
if ( ! n?$src && ! n?$dst )
@ -12,21 +17,31 @@ event Notice::notice(n: Notice::Info) &priority=10
if ( ACTION_EMAIL !in n$actions )
return;
# I'm not recovering gracefully from the when statements because I want
# the notice framework to detect that something has exceeded the maximum
# allowed email delay and tell the user.
local uid = unique_id("");
tmp_notice_storage[uid] = n;
local output = "";
if ( n?$src )
{
add n$email_delay_tokens["hostnames-src"];
when ( local src_name = lookup_addr(n$src) )
{
output = string_cat("orig_h/src hostname: ", src_name, "\n");
n$email_body_sections[|n$email_body_sections|] = output;
output = string_cat("orig/src hostname: ", src_name, "\n");
tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output;
delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-src"];
}
}
if ( n?$dst )
{
add n$email_delay_tokens["hostnames-dst"];
when ( local dst_name = lookup_addr(n$dst) )
{
output = string_cat("resp_h/dst hostname: ", dst_name, "\n");
n$email_body_sections[|n$email_body_sections|] = output;
output = string_cat("resp/dst hostname: ", dst_name, "\n");
tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output;
delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-dst"];
}
}
}

42
scripts/base/frameworks/notice/main.bro
View file

@ -96,7 +96,13 @@ export {
## expand on notices that are being emailed. The normal way to add text
## is to extend the vector by handling the :bro:id:`Notice::notice`
## event and modifying the notice in place.
email_body_sections: vector of string &default=vector();
email_body_sections: vector of string &optional;
## Adding a string "token" to this set will cause the notice framework's
## built-in emailing functionality to delay sending the email until
## either the token has been removed or the email has been delayed
## for :bro:id:`max_email_delay`.
email_delay_tokens: set[string] &optional;
## This field is to be provided when a notice is generated for the
## purpose of deduplicating notices. The identifier string should
@ -203,6 +209,8 @@ export {
const reply_to = "" &redef;
## Text string prefixed to the subject of all emails sent out.
const mail_subject_prefix = "[Bro]" &redef;
## The maximum amount of time a plugin can delay email from being sent.
const max_email_delay = 15secs &redef;
## A log postprocessing function that implements emailing the contents
## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`.
@ -347,11 +355,35 @@ function email_headers(subject_desc: string, dest: string): string
return header_text;
}
event delay_sending_email(n: Notice::Info, dest: string, extend: bool)
{
email_notice_to(n, dest, extend);
}
function email_notice_to(n: Notice::Info, dest: string, extend: bool)
{
if ( reading_traces() || dest == "" )
return;
if ( extend )
{
if ( |n$email_delay_tokens| > 0 )
{
# If we still are within the max_email_delay, keep delaying.
if ( n$ts + max_email_delay > network_time() )
{
schedule 1sec { delay_sending_email(n, dest, extend) };
return;
}
else
{
event reporter_info(network_time(),
fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens),
"");
}
}
}
local email_text = email_headers(fmt("%s", n$note), dest);
# First off, finish the headers and include the human readable messages
@ -377,9 +409,10 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
# Add the extended information if it's requested.
if ( extend )
{
email_text = string_cat(email_text, "\nEmail Extensions\n");
email_text = string_cat(email_text, "----------------\n");
for ( i in n$email_body_sections )
{
email_text = string_cat(email_text, "******************\n");
email_text = string_cat(email_text, n$email_body_sections[i], "\n");
}
}
@ -475,6 +508,11 @@ function apply_policy(n: Notice::Info)
if ( ! n?$actions )
n$actions = set();
if ( ! n?$email_body_sections )
n$email_body_sections = vector();
if ( ! n?$email_delay_tokens )
n$email_delay_tokens = set();
if ( ! n?$policy_items )
n$policy_items = set();

26
scripts/base/protocols/dns/main.bro
View file

@ -24,8 +24,8 @@ export {
RD: bool &log &default=F;
RA: bool &log &default=F;
Z: count &log &default=0;
TTL: interval &log &optional;
answers: set[string] &log &optional;
answers: vector of string &log &optional;
TTLs: vector of interval &log &optional;
## This value indicates if this request/response pair is ready to be logged.
ready: bool &default=F;
@ -102,7 +102,13 @@ function new_session(c: connection, trans_id: count): Info
function set_session(c: connection, msg: dns_msg, is_query: bool)
{
if ( ! c?$dns_state || msg$id !in c$dns_state$pending )
{
c$dns_state$pending[msg$id] = new_session(c, msg$id);
# Try deleting this transaction id from the set of finished answers.
# Sometimes hosts will reuse ports and transaction ids and this should
# be considered to be a legit scenario (although bad practice).
delete c$dns_state$finished_answers[msg$id];
}
c$dns = c$dns_state$pending[msg$id];
@ -134,20 +140,23 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
{
set_session(c, msg, F);
c$dns$AA = msg$AA;
c$dns$RA = msg$RA;
c$dns$TTL = ans$TTL;
if ( ans$answer_type == DNS_ANS )
{
c$dns$AA = msg$AA;
c$dns$RA = msg$RA;
if ( msg$id in c$dns_state$finished_answers )
event conn_weird("dns_reply_seen_after_done", c, "");
if ( reply != "" )
{
if ( ! c$dns?$answers )
c$dns$answers = set();
add c$dns$answers[reply];
c$dns$answers = vector();
c$dns$answers[|c$dns$answers|] = reply;
if ( ! c$dns?$TTLs )
c$dns$TTLs = vector();
c$dns$TTLs[|c$dns$TTLs|] = ans$TTL;
}
if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers )
@ -164,7 +173,6 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
if ( c$dns$ready )
{
Log::write(DNS::LOG, c$dns);
add c$dns_state$finished_answers[c$dns$trans_id];
# This record is logged and no longer pending.
delete c$dns_state$pending[c$dns$trans_id];
}

41
scripts/base/protocols/ssl/consts.bro
View file

@ -13,6 +13,44 @@ export {
[TLSv11] = "TLSv11",
} &default="UNKNOWN";
const alert_levels: table[count] of string = {
[1] = "warning",
[2] = "fatal",
} &default=function(i: count):string { return fmt("unknown-%d", i); };
const alert_descriptions: table[count] of string = {
[0] = "close_notify",
[10] = "unexpected_message",
[20] = "bad_record_mac",
[21] = "decryption_failed",
[22] = "record_overflow",
[30] = "decompression_failure",
[40] = "handshake_failure",
[41] = "no_certificate",
[42] = "bad_certificate",
[43] = "unsupported_certificate",
[44] = "certificate_revoked",
[45] = "certificate_expired",
[46] = "certificate_unknown",
[47] = "illegal_parameter",
[48] = "unknown_ca",
[49] = "access_denied",
[50] = "decode_error",
[51] = "decrypt_error",
[60] = "export_restriction",
[70] = "protocol_version",
[71] = "insufficient_security",
[80] = "internal_error",
[90] = "user_canceled",
[100] = "no_renegotiation",
[110] = "unsupported_extension",
[111] = "certificate_unobtainable",
[112] = "unrecognized_name",
[113] = "bad_certificate_status_response",
[114] = "bad_certificate_hash_value",
[115] = "unknown_psk_identity",
} &default=function(i: count):string { return fmt("unknown-%d", i); };
# http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml
const extensions: table[count] of string = {
[0] = "server_name",
@ -526,8 +564,7 @@ export {
[30] = "akid issuer serial mismatch",
[31] = "keyusage no certsign",
[32] = "unable to get crl issuer",
[33] = "unhandled critical extension"
[33] = "unhandled critical extension",
};
}

18
scripts/base/protocols/ssl/main.bro
View file

@ -16,6 +16,7 @@ export {
subject: string &log &optional;
not_valid_before: time &log &optional;
not_valid_after: time &log &optional;
last_alert: string &log &optional;
cert: string &optional;
cert_chain: vector of string &optional;
@ -112,10 +113,14 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, session
c$ssl$cipher = cipher_desc[cipher];
}
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=5
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=5
{
set_session(c);
# We aren't doing anything with client certificates yet.
if ( is_orig )
return;
if ( chain_idx == 0 )
{
# Save the primary cert.
@ -133,14 +138,21 @@ event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: co
}
}
event ssl_extension(c: connection, code: count, val: string) &priority=5
event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
{
set_session(c);
if ( extensions[code] == "server_name" )
if ( is_orig && extensions[code] == "server_name" )
c$ssl$server_name = sub_bytes(val, 6, |val|);
}
event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
{
set_session(c);
c$ssl$last_alert = alert_descriptions[desc];
}
event ssl_established(c: connection) &priority=5
{
set_session(c);

4
scripts/policy/protocols/ssl/cert-hash.bro
View file

@ -10,11 +10,11 @@ export {
};
}
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=4
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=4
{
# We aren't tracking client certificates yet and we are also only tracking
# the primary cert. Watch that this came from an SSL analyzed session too.
if ( ! is_server || chain_idx != 0 || ! c?$ssl )
if ( is_orig || chain_idx != 0 || ! c?$ssl )
return;
c$ssl$cert_hash = md5_hash(der_cert);

5
scripts/policy/protocols/ssl/expiring-certs.bro
View file

@ -33,10 +33,11 @@ export {
const notify_when_cert_expiring_in = 30days &redef;
}
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=3
{
# If this isn't the host cert or we aren't interested in the server, just return.
if ( chain_idx != 0 ||
if ( is_orig ||
chain_idx != 0 ||
! c$ssl?$cert_hash ||
! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
return;

4
scripts/policy/protocols/ssl/known-certs.bro
View file

@ -44,10 +44,10 @@ event bro_init() &priority=5
Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs]);
}
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3
event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=3
{
# Make sure this is the server cert and we have a hash for it.
if ( chain_idx != 0 || ! c$ssl?$cert_hash )
if ( is_orig || chain_idx != 0 || ! c$ssl?$cert_hash )
return;
local host = c$id$resp_h;

74
src/Desc.cc
View file

@ -41,8 +41,7 @@ ODesc::ODesc(desc_type t, BroFile* arg_f)
do_flush = 1;
include_stats = 0;
indent_with_spaces = 0;
escape = 0;
escape_len = 0;
escape = false;
}
ODesc::~ODesc()
@ -56,10 +55,9 @@ ODesc::~ODesc()
free(base);
}
void ODesc::SetEscape(const char* arg_escape, int len)
void ODesc::EnableEscaping()
{
escape = arg_escape;
escape_len = len;
escape = true;
}
void ODesc::PushIndent()
@ -228,6 +226,25 @@ static const char* find_first_unprintable(ODesc* d, const char* bytes, unsigned
return 0;
}
pair<const char*, size_t> ODesc::FirstEscapeLoc(const char* bytes, size_t n)
{
pair<const char*, size_t> p(find_first_unprintable(this, bytes, n), 1);
string str(bytes, n);
list<string>::const_iterator it;
for ( it = escape_sequences.begin(); it != escape_sequences.end(); ++it )
{
size_t pos = str.find(*it);
if ( pos != string::npos && (p.first == 0 || bytes + pos < p.first) )
{
p.first = bytes + pos;
p.second = it->size();
}
}
return p;
}
void ODesc::AddBytes(const void* bytes, unsigned int n)
{
if ( ! escape )
@ -241,45 +258,30 @@ void ODesc::AddBytes(const void* bytes, unsigned int n)
while ( s < e )
{
const char* t1 = (const char*) memchr(s, escape[0], e - s);
if ( ! t1 )
t1 = e;
const char* t2 = find_first_unprintable(this, s, t1 - s);
if ( t2 && t2 < t1 )
pair<const char*, size_t> p = FirstEscapeLoc(s, e - s);
if ( p.first )
{
AddBytesRaw(s, p.first - s);
if ( p.second == 1 )
{
AddBytesRaw(s, t2 - s);
char hex[6] = "\\x00";
hex[2] = hex_chars[((*t2) & 0xf0) >> 4];
hex[3] = hex_chars[(*t2) & 0x0f];
hex[2] = hex_chars[((*p.first) & 0xf0) >> 4];
hex[3] = hex_chars[(*p.first) & 0x0f];
AddBytesRaw(hex, 4);
s = t2 + 1;
continue;
}
if ( memcmp(t1, escape, escape_len) != 0 )
break;
AddBytesRaw(s, t1 - s);
for ( int i = 0; i < escape_len; ++i )
else
{
char hex[5] = "\\x00";
hex[2] = hex_chars[((*t1) & 0xf0) >> 4];
hex[3] = hex_chars[(*t1) & 0x0f];
AddBytesRaw(hex, 4);
++t1;
string esc_str = get_escaped_string(string(p.first, p.second), true);
AddBytesRaw(esc_str.c_str(), esc_str.size());
}
s = t1;
s = p.first + p.second;
}
if ( s < e )
else
{
AddBytesRaw(s, e - s);
break;
}
}
}
void ODesc::AddBytesRaw(const void* bytes, unsigned int n)

28
src/Desc.h
View file

@ -4,6 +4,8 @@
#define descriptor_h
#include <stdio.h>
#include <list>
#include <utility>
#include "BroString.h"
typedef enum {
@ -48,8 +50,13 @@ public:
void SetFlush(int arg_do_flush) { do_flush = arg_do_flush; }
// The string passed in must remain valid as long as this object lives.
void SetEscape(const char* escape, int len);
void EnableEscaping();
void AddEscapeSequence(const char* s) { escape_sequences.push_back(s); }
void AddEscapeSequence(const char* s, size_t n)
{ escape_sequences.push_back(string(s, n)); }
void RemoveEscapeSequence(const char* s) { escape_sequences.remove(s); }
void RemoveEscapeSequence(const char* s, size_t n)
{ escape_sequences.remove(string(s, n)); }
void PushIndent();
void PopIndent();
@ -133,6 +140,19 @@ protected:
void OutOfMemory();
/**
* Returns the location of the first place in the bytes to be hex-escaped.
*
* @param bytes the starting memory address to start searching for
* escapable character.
* @param n the maximum number of bytes to search.
* @return a pair whose first element represents a starting memory address
* to be escaped up to the number of characters indicated by the
* second element. The first element may be 0 if nothing is
* to be escaped.
*/
pair<const char*, size_t> FirstEscapeLoc(const char* bytes, size_t n);
desc_type type;
desc_style style;
@ -140,8 +160,8 @@ protected:
unsigned int offset; // where we are in the buffer
unsigned int size; // size of buffer in bytes
int escape_len; // number of bytes in to escape sequence
const char* escape; // bytes to escape on output
bool escape; // escape unprintable characters in output?
list<string> escape_sequences; // additional sequences of chars to escape
BroFile* f; // or the file we're using.

10
src/Expr.cc
View file

@ -359,7 +359,7 @@ bool NameExpr::DoUnserialize(UnserialInfo* info)
if ( id )
::Ref(id);
else
reporter->Warning("persistent state config changed: unserialized unknown global name");
reporter->Warning("configuration changed: unserialized unknown global name from persistent state");
delete [] name;
}
@ -4052,9 +4052,17 @@ Val* RecordCoerceExpr::Fold(Val* v) const
val->Assign(i, rhs);
}
else
{
const Attr* def =
Type()->AsRecordType()->FieldDecl(i)->FindAttr(ATTR_DEFAULT);
if ( def )
val->Assign(i, def->AttrExpr()->Eval(0));
else
val->Assign(i, 0);
}
}
return val;
}

14
src/LogMgr.cc
View file

@ -81,16 +81,18 @@ struct LogMgr::Stream {
bool LogField::Read(SerializationFormat* fmt)
{
int t;
int st;
bool success = (fmt->Read(&name, "name") && fmt->Read(&t, "type"));
bool success = (fmt->Read(&name, "name") && fmt->Read(&t, "type") && fmt->Read(&st, "subtype") );
type = (TypeTag) t;
subtype = (TypeTag) st;
return success;
}
bool LogField::Write(SerializationFormat* fmt) const
{
return (fmt->Write(name, "name") && fmt->Write((int)type, "type"));
return (fmt->Write(name, "name") && fmt->Write((int)type, "type") && fmt->Write((int)subtype, "subtype"));
}
LogVal::~LogVal()
@ -707,6 +709,14 @@ bool LogMgr::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt,
LogField* field = new LogField();
field->name = new_path;
field->type = t->Tag();
if ( field->type == TYPE_TABLE )
{
field->subtype = t->AsSetType()->Indices()->PureType()->Tag();
}
else if ( field->type == TYPE_VECTOR )
{
field->subtype = t->AsVectorType()->YieldType()->Tag();
}
filter->fields[filter->num_fields - 1] = field;
}

6
src/LogMgr.h
View file

@ -15,10 +15,12 @@ class SerializationFormat;
struct LogField {
string name;
TypeTag type;
// inner type of sets
TypeTag subtype;
LogField() { }
LogField() { subtype = TYPE_VOID; }
LogField(const LogField& other)
: name(other.name), type(other.type) { }
: name(other.name), type(other.type), subtype(other.subtype) { }
// (Un-)serialize.
bool Read(SerializationFormat* fmt);

54
src/LogWriterAscii.cc
View file

@ -6,27 +6,6 @@
#include "LogWriterAscii.h"
#include "NetVar.h"
/**
* Takes a string, escapes each character into its equivalent hex code (\x##), and
* returns a string containing all escaped values.
*
* @param str string to escape
* @return A std::string containing a list of escaped hex values of the form \x##
*/
static string get_escaped_string(const std::string& str)
{
char tbuf[16];
string esc = "";
for ( size_t i = 0; i < str.length(); ++i )
{
snprintf(tbuf, sizeof(tbuf), "\\x%02x", str[i]);
esc += tbuf;
}
return esc;
}
LogWriterAscii::LogWriterAscii()
{
file = 0;
@ -59,7 +38,8 @@ LogWriterAscii::LogWriterAscii()
memcpy(header_prefix, BifConst::LogAscii::header_prefix->Bytes(),
header_prefix_len);
desc.SetEscape(separator, separator_len);
desc.EnableEscaping();
desc.AddEscapeSequence(separator, separator_len);
}
LogWriterAscii::~LogWriterAscii()
@ -102,13 +82,19 @@ bool LogWriterAscii::DoInit(string path, int num_fields,
{
string str = string(header_prefix, header_prefix_len)
+ "separator " // Always use space as separator here.
+ get_escaped_string(string(separator, separator_len))
+ get_escaped_string(string(separator, separator_len), false)
+ "\n";
if( fwrite(str.c_str(), str.length(), 1, file) != 1 )
goto write_error;
if ( ! WriteHeaderField("path", path) )
if ( ! (WriteHeaderField("set_separator", get_escaped_string(
string(set_separator, set_separator_len), false)) &&
WriteHeaderField("empty_field", get_escaped_string(
string(empty_field, empty_field_len), false)) &&
WriteHeaderField("unset_field", get_escaped_string(
string(unset_field, unset_field_len), false)) &&
WriteHeaderField("path", get_escaped_string(path, false))) )
goto write_error;
string names;
@ -125,6 +111,12 @@ bool LogWriterAscii::DoInit(string path, int num_fields,
const LogField* field = fields[i];
names += field->name;
types += type_name(field->type);
if ( (field->type == TYPE_TABLE) || (field->type == TYPE_VECTOR) )
{
types += "[";
types += type_name(field->subtype);
types += "]";
}
}
if ( ! (WriteHeaderField("fields", names)
@ -238,14 +230,19 @@ bool LogWriterAscii::DoWriteOne(ODesc* desc, LogVal* val, const LogField* field)
break;
}
desc->AddEscapeSequence(set_separator, set_separator_len);
for ( int j = 0; j < val->val.set_val.size; j++ )
{
if ( j > 0 )
desc->AddN(set_separator, set_separator_len);
desc->AddRaw(set_separator, set_separator_len);
if ( ! DoWriteOne(desc, val->val.set_val.vals[j], field) )
{
desc->RemoveEscapeSequence(set_separator, set_separator_len);
return false;
}
}
desc->RemoveEscapeSequence(set_separator, set_separator_len);
break;
}
@ -258,14 +255,19 @@ bool LogWriterAscii::DoWriteOne(ODesc* desc, LogVal* val, const LogField* field)
break;
}
desc->AddEscapeSequence(set_separator, set_separator_len);
for ( int j = 0; j < val->val.vector_val.size; j++ )
{
if ( j > 0 )
desc->AddN(set_separator, set_separator_len);
desc->AddRaw(set_separator, set_separator_len);
if ( ! DoWriteOne(desc, val->val.vector_val.vals[j], field) )
{
desc->RemoveEscapeSequence(set_separator, set_separator_len);
return false;
}
}
desc->RemoveEscapeSequence(set_separator, set_separator_len);
break;
}

10
src/event.bif
View file

@ -279,13 +279,13 @@ event ssh_server_version%(c: connection, version: string%);
event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%);
event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%);
event ssl_extension%(c: connection, code: count, val: string%);
event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
event ssl_established%(c: connection%);
event ssl_alert%(c: connection, level: count, desc: count%);
event x509_certificate%(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string%);
event x509_extension%(c: connection, data: string%);
event x509_error%(c: connection, err: count%);
event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%);
event x509_extension%(c: connection, is_orig: bool, data: string%);
event x509_error%(c: connection, is_orig: bool, err: count%);
event stp_create_endp%(c: connection, e: int, is_orig: bool%);
event stp_resume_endp%(e: int%);

20
src/ssl-analyzer.pac
View file

@ -22,11 +22,17 @@
}
};
string orig_label(bool is_orig);
void free_X509(void *);
X509* d2i_X509_binpac(X509** px, const uint8** in, int len);
%}
%code{
string orig_label(bool is_orig)
{
return string(is_orig ? "originator" :"responder");
}
void free_X509(void* cert)
{
X509_free((X509*) cert);
@ -117,7 +123,7 @@ refine connection SSL_Conn += {
function proc_alert(rec: SSLRecord, level : int, desc : int) : bool
%{
BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(),
level, desc);
${rec.is_orig}, level, desc);
return true;
%}
@ -200,11 +206,11 @@ refine connection SSL_Conn += {
return true;
%}
function proc_ssl_extension(type: int, data: bytestring) : bool
function proc_ssl_extension(rec: SSLRecord, type: int, data: bytestring) : bool
%{
if ( ssl_extension )
BifEvent::generate_ssl_extension(bro_analyzer(),
bro_analyzer()->Conn(), type,
bro_analyzer()->Conn(), ${rec.is_orig}, type,
new StringVal(data.length(), (const char*) data.data()));
return true;
%}
@ -231,7 +237,7 @@ refine connection SSL_Conn += {
if ( ! pTemp )
{
BifEvent::generate_x509_error(bro_analyzer(), bro_analyzer()->Conn(),
ERR_get_error());
${rec.is_orig}, ERR_get_error());
return false;
}
@ -257,8 +263,8 @@ refine connection SSL_Conn += {
StringVal* der_cert = new StringVal(cert.length(), (const char*) cert.data());
BifEvent::generate_x509_certificate(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig},
pX509Cert,
! ${rec.is_orig},
i, certificates->size(),
der_cert);
@ -284,7 +290,7 @@ refine connection SSL_Conn += {
StringVal* value = new StringVal(length, (char*)pBuffer);
BifEvent::generate_x509_extension(bro_analyzer(),
bro_analyzer()->Conn(), value);
bro_analyzer()->Conn(), ${rec.is_orig}, value);
OPENSSL_free(pBuffer);
}
}
@ -445,5 +451,5 @@ refine typeattr CiphertextRecord += &let {
}
refine typeattr SSLExtension += &let {
proc : bool = $context.connection.proc_ssl_extension(type, data);
proc : bool = $context.connection.proc_ssl_extension(rec, type, data);
};

27
src/ssl-protocol.pac
View file

@ -22,7 +22,6 @@ type uint24 = record {
};
string state_label(int state_nr);
string orig_label(bool is_orig);
double get_time_from_asn1(const ASN1_TIME * atime);
string handshake_type_label(int type);
%}
@ -35,7 +34,7 @@ type SSLRecord(is_orig: bool) = record {
head2 : uint8;
head3 : uint8;
head4 : uint8;
rec : RecordText(this, is_orig)[] &length=length, &requires(content_type);
rec : RecordText(this)[] &length=length, &requires(content_type);
} &length = length+5, &byteorder=bigendian,
&let {
version : int =
@ -54,25 +53,25 @@ type SSLRecord(is_orig: bool) = record {
};
};
type RecordText(rec: SSLRecord, is_orig: bool) = case $context.connection.state() of {
type RecordText(rec: SSLRecord) = case $context.connection.state() of {
STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED,
STATE_COMM_ENCRYPTED, STATE_CONN_ESTABLISHED
-> ciphertext : CiphertextRecord(rec, is_orig);
-> ciphertext : CiphertextRecord(rec);
default
-> plaintext : PlaintextRecord(rec, is_orig);
-> plaintext : PlaintextRecord(rec);
};
type PossibleEncryptedHandshake(rec: SSLRecord, is_orig: bool) = case $context.connection.state() of {
type PossibleEncryptedHandshake(rec: SSLRecord) = case $context.connection.state() of {
# Deal with encrypted handshakes before the server cipher spec change.
STATE_CLIENT_FINISHED, STATE_CLIENT_ENCRYPTED
-> ct : CiphertextRecord(rec, is_orig);
-> ct : CiphertextRecord(rec);
default -> hs : Handshake(rec);
};
type PlaintextRecord(rec: SSLRecord, is_orig: bool) = case rec.content_type of {
type PlaintextRecord(rec: SSLRecord) = case rec.content_type of {
CHANGE_CIPHER_SPEC -> ch_cipher : ChangeCipherSpec(rec);
ALERT -> alert : Alert(rec);
HANDSHAKE -> handshake : PossibleEncryptedHandshake(rec, is_orig);
HANDSHAKE -> handshake : PossibleEncryptedHandshake(rec);
APPLICATION_DATA -> app_data : ApplicationData(rec);
V2_ERROR -> v2_error : V2Error(rec);
V2_CLIENT_HELLO -> v2_client_hello : V2ClientHello(rec);
@ -81,7 +80,7 @@ type PlaintextRecord(rec: SSLRecord, is_orig: bool) = case rec.content_type of {
default -> unknown_record : UnknownRecord(rec);
};
type SSLExtension = record {
type SSLExtension(rec: SSLRecord) = record {
type: uint16;
data_len: uint16;
data: bytestring &length=data_len;
@ -156,10 +155,6 @@ enum AnalyzerState {
}
}
string orig_label(bool is_orig)
{
return string(is_orig ? "originator" :"responder");
}
double get_time_from_asn1(const ASN1_TIME * atime)
{
@ -389,7 +384,7 @@ type ClientHello(rec: SSLRecord) = record {
# This weirdness is to deal with the possible existence or absence
# of the following fields.
ext_len: uint16[] &until($element == 0 || $element != 0);
extensions : SSLExtension[] &until($input.length() == 0);
extensions : SSLExtension(rec)[] &until($input.length() == 0);
} &let {
state_changed : bool =
$context.connection.transition(STATE_INITIAL,
@ -663,7 +658,7 @@ type UnknownRecord(rec: SSLRecord) = record {
state_changed : bool = $context.connection.lost_track();
};
type CiphertextRecord(rec: SSLRecord, is_orig: bool) = record {
type CiphertextRecord(rec: SSLRecord) = record {
cont : bytestring &restofdata &transient;
} &let {
state_changed : bool =

31
src/util.cc
View file

@ -41,6 +41,37 @@
#include "Net.h"
#include "Reporter.h"
/**
* Takes a string, escapes characters into equivalent hex codes (\x##), and
* returns a string containing all escaped values.
*
* @param str string to escape
* @param escape_all If true, all characters are escaped. If false, only
* characters are escaped that are either whitespace or not printable in
* ASCII.
* @return A std::string containing a list of escaped hex values of the form
* \x## */
std::string get_escaped_string(const std::string& str, bool escape_all)
{
char tbuf[16];
string esc = "";
for ( size_t i = 0; i < str.length(); ++i )
{
char c = str[i];
if ( escape_all || isspace(c) || ! isascii(c) || ! isprint(c) )
{
snprintf(tbuf, sizeof(tbuf), "\\x%02x", str[i]);
esc += tbuf;
}
else
esc += c;
}
return esc;
}
char* copy_string(const char* s)
{
char* c = new char[strlen(s)+1];

2
src/util.h
View file

@ -89,6 +89,8 @@ void delete_each(T* t)
delete *it;
}
std::string get_escaped_string(const std::string& str, bool escape_all);
extern char* copy_string(const char* s);
extern int streq(const char* s1, const char* s2);

4
testing/btest/Baseline/bifs.records_fields/out
View file

@ -1,6 +1,6 @@
[a=42, b=<uninitialized>, c=<uninitialized>, d=Bar]
[a=42, b=Foo, c=<uninitialized>, d=Bar]
{
[b] = [type_name=record, log=F, value=<uninitialized>, default_val=Foo],
[b] = [type_name=record, log=F, value=Foo, default_val=Foo],
[d] = [type_name=record, log=T, value=Bar, default_val=<uninitialized>],
[c] = [type_name=record, log=F, value=<uninitialized>, default_val=<uninitialized>],
[a] = [type_name=record, log=F, value=42, default_val=<uninitialized>]

21
testing/btest/Baseline/core.expr-exception/reporter.log
View file

@ -1,13 +1,16 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path reporter
#fields ts level message location
#types time enum string string
1300475168.783842 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.915940 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.916118 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.918295 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.952193 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.952228 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.954761 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.962628 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475169.780331 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.783842 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.915940 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.916118 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.918295 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.952193 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.952228 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.954761 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.962628 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475169.780331 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8

3
testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
#types time string addr port addr port enum string interval count count string bool count string count count count count

20
testing/btest/Baseline/core.print-bpf-filters-ipv4/output
View file

@ -1,20 +1,32 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1320367155.152502 - not ip6 T T
1324314285.981347 - not ip6 T T
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1320367155.379066 - (((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) T T
1324314286.168294 - (((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) T T
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1320367155.601980 - port 42 T T
1324314286.350780 - port 42 T T
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1320367155.826539 - port 56730 T T
1324314286.530768 - port 56730 T T

2
testing/btest/Baseline/core.reporter-error-in-handler/output
View file

@ -1,2 +1,2 @@
error in /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.bro, line 22: no such index (a[2])
error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.bro, line 22: no such index (a[2])
1st error printed on script level

2
testing/btest/Baseline/core.reporter-fmt-strings/output
View file

@ -1 +1 @@
error in /Users/jsiwek/tmp/bro/testing/btest/.tmp/core.reporter-fmt-strings/reporter-fmt-strings.bro, line 9: not an event (dont_interpret_this(%s))
error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-fmt-strings/reporter-fmt-strings.bro, line 9: not an event (dont_interpret_this(%s))

2
testing/btest/Baseline/core.reporter-parse-error/output
View file

@ -1 +1 @@
error in /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-parse-error/reporter-parse-error.bro, line 7: unknown identifier TESTFAILURE, at or near "TESTFAILURE"
error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-parse-error/reporter-parse-error.bro, line 7: unknown identifier TESTFAILURE, at or near "TESTFAILURE"

2
testing/btest/Baseline/core.reporter-runtime-error/output
View file

@ -1 +1 @@
error in /Users/seth/bro.git9/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.bro, line 12: no such index (a[1])
error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.bro, line 12: no such index (a[1])

6
testing/btest/Baseline/core.reporter-type-mismatch/output
View file

@ -1,3 +1,3 @@
error in string and /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: arithmetic mixed with non-arithmetic (string and 42)
error in /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11 and string: type mismatch (42 and string)
error in /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: argument type mismatch in event invocation (foo(42))
error in string and /Users/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: arithmetic mixed with non-arithmetic (string and 42)
error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11 and string: type mismatch (42 and string)
error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: argument type mismatch in event invocation (foo(42))

12
testing/btest/Baseline/core.reporter/logger-test.log
View file

@ -1,6 +1,6 @@
reporter_info|init test-info|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 8|0.000000
reporter_warning|init test-warning|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 9|0.000000
reporter_error|init test-error|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 10|0.000000
reporter_info|done test-info|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 15|0.000000
reporter_warning|done test-warning|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 16|0.000000
reporter_error|done test-error|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 17|0.000000
reporter_info|init test-info|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 8|0.000000
reporter_warning|init test-warning|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 9|0.000000
reporter_error|init test-error|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 10|0.000000
reporter_info|done test-info|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 15|0.000000
reporter_warning|done test-warning|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 16|0.000000
reporter_error|done test-error|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 17|0.000000

6
testing/btest/Baseline/core.reporter/output
View file

@ -1,3 +1,3 @@
/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 52: pre test-info
warning in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 53: pre test-warning
error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 54: pre test-error
/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 52: pre test-info
warning in /Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 53: pre test-warning
error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 54: pre test-error

3
testing/btest/Baseline/core.vlan-mpls/conn.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
#types time string addr port addr port enum string interval count count string bool count string count count count count

3
testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path loaded_scripts
#fields name
#types string

3
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path loaded_scripts
#fields name
#types string

3
testing/btest/Baseline/doc.autogen-reST-example/example.rst
View file

@ -219,8 +219,7 @@ Events
Summarize "an_event" here.
Give more details about "an_event" here.
Example::an_event should not be confused as a parameter
Example::an_event should not be confused as a parameter.
:param name: describe the argument here

6
testing/btest/Baseline/istate.broccoli/bro.log
View file

@ -1,3 +1,3 @@
ping received, seq 0, 1303093042.542125 at src, 1303093042.583423 at dest,
ping received, seq 1, 1303093043.543167 at src, 1303093043.544026 at dest,
ping received, seq 2, 1303093044.544115 at src, 1303093044.545008 at dest,
ping received, seq 0, 1324314397.698781 at src, 1324314397.699240 at dest,
ping received, seq 1, 1324314398.698905 at src, 1324314398.699094 at dest,
ping received, seq 2, 1324314399.699012 at src, 1324314399.699231 at dest,

7
testing/btest/Baseline/istate.events-ssl/receiver.http.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file
1319568535.914761 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - - - - - text/html - -
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1324314406.995958 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -

7
testing/btest/Baseline/istate.events-ssl/sender.http.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file
1319568535.914761 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - - - - - text/html - -
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1324314406.995958 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -

7
testing/btest/Baseline/istate.events/receiver.http.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file
1319568558.542142 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - - - - - text/html - -
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1324314415.616486 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -

7
testing/btest/Baseline/istate.events/sender.http.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file
1319568558.542142 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - - - - - text/html - -
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1324314415.616486 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -

4
testing/btest/Baseline/language.record-default-coercion/out Normal file
View file

@ -0,0 +1,4 @@
[a=13, c=13, v=[]]
0
[a=13, c=13, v=[test]]
1

2
testing/btest/Baseline/language.wrong-delete-field/output
View file

@ -1 +1 @@
error in /da/home/robin/bro/seth/testing/btest/.tmp/language.wrong-delete-field/wrong-delete-field.bro, line 10: illegal delete statement (delete x$a)
error in /Users/robin/bro/master/testing/btest/.tmp/language.wrong-delete-field/wrong-delete-field.bro, line 10: illegal delete statement (delete x$a)

27
testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log
View file

@ -1,16 +1,19 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path communication
#fields ts peer src_name connected_peer_desc connected_peer_addr connected_peer_port level message
#types time string string string addr port string string
1322788789.351248 bro parent - - - info [#1/127.0.0.1:47757] added peer
1322788789.354851 bro child - - - info [#1/127.0.0.1:47757] connected
1322788789.354956 bro parent - - - info [#1/127.0.0.1:47757] peer connected
1322788789.354956 bro parent - - - info [#1/127.0.0.1:47757] phase: version
1322788789.355429 bro script - - - info connection established
1322788789.355429 bro script - - - info requesting events matching /^?(NOTHING)$?/
1322788789.355429 bro script - - - info accepting state
1322788789.355967 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake
1322788789.355967 bro parent - - - info warning: no events to request
1322788789.355967 bro parent - - - info terminating...
1322788789.355967 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro
1322788789.355967 bro parent - - - info [#1/127.0.0.1:47757] closing connection
1324314302.411344 bro parent - - - info [#1/127.0.0.1:47757] added peer
1324314302.414978 bro child - - - info [#1/127.0.0.1:47757] connected
1324314302.415099 bro parent - - - info [#1/127.0.0.1:47757] peer connected
1324314302.415099 bro parent - - - info [#1/127.0.0.1:47757] phase: version
1324314302.417446 bro script - - - info connection established
1324314302.417446 bro script - - - info requesting events matching /^?(NOTHING)$?/
1324314302.417446 bro script - - - info accepting state
1324314302.418003 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake
1324314302.418003 bro parent - - - info warning: no events to request
1324314302.418003 bro parent - - - info terminating...
1324314302.418003 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro
1324314302.418003 bro parent - - - info [#1/127.0.0.1:47757] closing connection

7
testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log
View file

@ -1,6 +1,9 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh-new-default
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167052.603186 1.2.3.4 1234 2.3.4.5 80 success unknown
1315167052.603186 1.2.3.4 1234 2.3.4.5 80 failure US
1324314313.140603 1.2.3.4 1234 2.3.4.5 80 success unknown
1324314313.140603 1.2.3.4 1234 2.3.4.5 80 failure US

5
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log
View file

@ -1,4 +1,7 @@
#separator \x7c
#separator |
#set_separator|,
#empty_field|(empty)
#unset_field|-
#path|ssh
#fields|data|data2
#types|string|string

15
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log
View file

@ -1,9 +1,12 @@
PREFIX<>separator \x7c
PREFIX<>separator |
PREFIX<>set_separator|,
PREFIX<>empty_field|EMPTY
PREFIX<>unset_field|NOT-SET
PREFIX<>path|ssh
PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
PREFIX<>types|time|addr|port|addr|port|string|string|bool
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T
1324314313.345323|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
1324314313.345323|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
1324314313.345323|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
1324314313.345323|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
1324314313.345323|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T

5
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-notset-str/test.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields x y z
#types string string string
\x2d - -
\x2d - (empty)

7
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file
1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 1 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 346 404 Not Found - - - - - - - text/html - -
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 1 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 346 404 Not Found - - - (empty) - - - text/html - -

8
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-set-separator/test.log Normal file
View file

@ -0,0 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields ss
#types table[string]
CC,AA,\x2c,\x2c\x2c

15
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log
View file

@ -1,9 +1,12 @@
#separator \x7c\x7c
#separator ||
#set_separator||,
#empty_field||(empty)
#unset_field||-
#path||ssh
#fields||t||id.orig_h||id.orig_p||id.resp_h||id.resp_p||status||country
#types||time||addr||port||addr||port||string||string
1315802040.006123||1.2.3.4||1234||2.3.4.5||80||success||unknown
1315802040.006123||1.2.3.4||1234||2.3.4.5||80||failure||US
1315802040.006123||1.2.3.4||1234||2.3.4.5||80||fa\x7c\x7cure||UK
1315802040.006123||1.2.3.4||1234||2.3.4.5||80||su\x7c\x7cess||BR
1315802040.006123||1.2.3.4||1234||2.3.4.5||80||failure||MX
1324314313.899736||1.2.3.4||1234||2.3.4.5||80||success||unknown
1324314313.899736||1.2.3.4||1234||2.3.4.5||80||failure||US
1324314313.899736||1.2.3.4||1234||2.3.4.5||80||fa\x7c\x7cure||UK
1324314313.899736||1.2.3.4||1234||2.3.4.5||80||su\x7c\x7cess||BR
1324314313.899736||1.2.3.4||1234||2.3.4.5||80||failure||MX

10
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log
View file

@ -1,5 +1,5 @@
1299718506.38074|1.2.3.4|1234|2.3.4.5|80|success|unknown
1299718506.38074|1.2.3.4|1234|2.3.4.5|80|failure|US
1299718506.38074|1.2.3.4|1234|2.3.4.5|80|failure|UK
1299718506.38074|1.2.3.4|1234|2.3.4.5|80|success|BR
1299718506.38074|1.2.3.4|1234|2.3.4.5|80|failure|MX
1324314313.990741|1.2.3.4|1234|2.3.4.5|80|success|unknown
1324314313.990741|1.2.3.4|1234|2.3.4.5|80|failure|US
1324314313.990741|1.2.3.4|1234|2.3.4.5|80|failure|UK
1324314313.990741|1.2.3.4|1234|2.3.4.5|80|success|BR
1324314313.990741|1.2.3.4|1234|2.3.4.5|80|failure|MX

3
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields data
#types time

3
testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#fields status country a1 b1 b2
#types string string count count count

3
testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#fields status country
#types string string

13
testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log
View file

@ -1,9 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 success unknown
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure US
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 success BR
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure MX
1324314314.443785 1.2.3.4 1234 2.3.4.5 80 success unknown
1324314314.443785 1.2.3.4 1234 2.3.4.5 80 failure US
1324314314.443785 1.2.3.4 1234 2.3.4.5 80 failure UK
1324314314.443785 1.2.3.4 1234 2.3.4.5 80 success BR
1324314314.443785 1.2.3.4 1234 2.3.4.5 80 failure MX

4
testing/btest/Baseline/scripts.base.frameworks.logging.events/output
View file

@ -1,2 +1,2 @@
[t=1299718502.96511, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=success, country=<uninitialized>]
[t=1299718502.96511, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=failure, country=US]
[t=1324314314.738385, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=success, country=unknown]
[t=1324314314.738385, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=failure, country=US]

3
testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#fields id.orig_p id.resp_h id.resp_p status country
#types port addr port string string

5
testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#fields t f
#types time file
1315167053.585834 Foo.log
1324314314.940195 Foo.log

13
testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log
View file

@ -1,9 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#fields t id.orig_h
#types time addr
1315167053.694473 1.2.3.4
1315167053.694473 1.2.3.4
1315167053.694473 1.2.3.4
1315167053.694473 1.2.3.4
1315167053.694473 1.2.3.4
1324314315.040480 1.2.3.4
1324314315.040480 1.2.3.4
1324314315.040480 1.2.3.4
1324314315.040480 1.2.3.4
1324314315.040480 1.2.3.4

3
testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/local.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path local
#fields ts id.orig_h
#types time addr

3
testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/remote.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path remote
#fields ts id.orig_h
#types time addr

35
testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output
View file

@ -6,37 +6,58 @@ static-prefix-1-US.log
static-prefix-2-MX2.log
static-prefix-2-UK.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-0-BR
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 success BR
1324314315.385189 1.2.3.4 1234 2.3.4.5 80 success BR
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-0-MX3
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX3
1324314315.385189 1.2.3.4 1234 2.3.4.5 80 failure MX3
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-0-unknown
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 success unknown
1324314315.385189 1.2.3.4 1234 2.3.4.5 80 success unknown
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-1-MX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX
1324314315.385189 1.2.3.4 1234 2.3.4.5 80 failure MX
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-1-US
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure US
1324314315.385189 1.2.3.4 1234 2.3.4.5 80 failure US
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-2-MX2
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX2
1324314315.385189 1.2.3.4 1234 2.3.4.5 80 failure MX2
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-2-UK
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure UK
1324314315.385189 1.2.3.4 1234 2.3.4.5 80 failure UK

5
testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test.failure
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167053.923545 1.2.3.4 1234 2.3.4.5 80 failure US
1324314315.498365 1.2.3.4 1234 2.3.4.5 80 failure US

5
testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.success.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test.success
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167053.923545 1.2.3.4 1234 2.3.4.5 80 success -
1324314315.498365 1.2.3.4 1234 2.3.4.5 80 success unknown

7
testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field EMPTY
#unset_field -
#path test
#fields b i e c p sn a d t iv s sc ss se vc ve
#types bool int enum count port subnet addr double time interval string table table table vector vector
T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315167054.320958 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY
#types bool int enum count port subnet addr double time interval string table[count] table[string] table[string] vector[count] vector[string]
T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1324314315.880694 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY

9
testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log
View file

@ -1,7 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test.failure
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure US
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure MX
1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure US
1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure UK
1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure MX

13
testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log
View file

@ -1,9 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success -
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure US
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success BR
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure MX
1324314321.061516 1.2.3.4 1234 2.3.4.5 80 success unknown
1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure US
1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure UK
1324314321.061516 1.2.3.4 1234 2.3.4.5 80 success BR
1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure MX

7
testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log
View file

@ -1,6 +1,9 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test.success
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success -
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success BR
1324314321.061516 1.2.3.4 1234 2.3.4.5 80 success unknown
1324314321.061516 1.2.3.4 1234 2.3.4.5 80 success BR

7
testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log
View file

@ -1,6 +1,9 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh.failure
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure US
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure UK
1324314328.196443 1.2.3.4 1234 2.3.4.5 80 failure US
1324314328.196443 1.2.3.4 1234 2.3.4.5 80 failure UK

9
testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log
View file

@ -1,7 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure US
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure BR
1324314328.196443 1.2.3.4 1234 2.3.4.5 80 failure US
1324314328.196443 1.2.3.4 1234 2.3.4.5 80 failure UK
1324314328.196443 1.2.3.4 1234 2.3.4.5 80 failure BR

3
testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out
View file

@ -18,11 +18,14 @@ custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.00.05.log, pat
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F]
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F]
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T]
#empty_field (empty)
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#path test
#path test2
#separator \x09
#set_separator ,
#types time addr port addr port
#unset_field -
1299466805.000000 10.0.0.1 20 10.0.0.2 1024
1299470395.000000 10.0.0.2 20 10.0.0.3 0
1299470405.000000 10.0.0.1 20 10.0.0.2 1025

30
testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out
View file

@ -10,6 +10,9 @@ test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0
test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
> test.2011-03-07-03-00-05.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port
@ -17,6 +20,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299470395.000000 10.0.0.2 20 10.0.0.3 0
> test.2011-03-07-04-00-05.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port
@ -24,6 +30,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299473995.000000 10.0.0.2 20 10.0.0.3 1
> test.2011-03-07-05-00-05.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port
@ -31,6 +40,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299477595.000000 10.0.0.2 20 10.0.0.3 2
> test.2011-03-07-06-00-05.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port
@ -38,6 +50,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299481195.000000 10.0.0.2 20 10.0.0.3 3
> test.2011-03-07-07-00-05.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port
@ -45,6 +60,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299484795.000000 10.0.0.2 20 10.0.0.3 4
> test.2011-03-07-08-00-05.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port
@ -52,6 +70,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299488395.000000 10.0.0.2 20 10.0.0.3 5
> test.2011-03-07-09-00-05.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port
@ -59,6 +80,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299491995.000000 10.0.0.2 20 10.0.0.3 6
> test.2011-03-07-10-00-05.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port
@ -66,6 +90,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299495595.000000 10.0.0.2 20 10.0.0.3 7
> test.2011-03-07-11-00-05.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port
@ -73,6 +100,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299499195.000000 10.0.0.2 20 10.0.0.3 8
> test.2011-03-07-12-00-05.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port

13
testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output
View file

@ -1,9 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path /dev/stdout
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 success unknown
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure US
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 success BR
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure MX
1324314328.844271 1.2.3.4 1234 2.3.4.5 80 success unknown
1324314328.844271 1.2.3.4 1234 2.3.4.5 80 failure US
1324314328.844271 1.2.3.4 1234 2.3.4.5 80 failure UK
1324314328.844271 1.2.3.4 1234 2.3.4.5 80 success BR
1324314328.844271 1.2.3.4 1234 2.3.4.5 80 failure MX

13
testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log
View file

@ -1,9 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 success unknown
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure US
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 success BR
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure MX
1324314328.950525 1.2.3.4 1234 2.3.4.5 80 success unknown
1324314328.950525 1.2.3.4 1234 2.3.4.5 80 failure US
1324314328.950525 1.2.3.4 1234 2.3.4.5 80 failure UK
1324314328.950525 1.2.3.4 1234 2.3.4.5 80 success BR
1324314328.950525 1.2.3.4 1234 2.3.4.5 80 failure MX

7
testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field EMPTY
#unset_field -
#path ssh
#fields b i e c p sn a d t iv s sc ss se vc ve f
#types bool int enum count port subnet addr double time interval string table table table vector vector func
T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
#types bool int enum count port subnet addr double time interval string table[count] table[string] table[string] vector[count] vector[string] func
T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1324314329.051618 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}

3
testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log
View file

@ -1,4 +1,7 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path testing
#fields a.val1 a.val2 b
#types count count count

5
testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#fields vec
#types vector
#types vector[string]
-,2,-,-,5

9
testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
View file

@ -1,7 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path metrics
#fields ts metric_id filter_name index.host index.str index.network value
#types time enum string addr string subnet count
1317950616.401733 TEST_METRIC foo-bar 6.5.4.3 - - 4
1317950616.401733 TEST_METRIC foo-bar 1.2.3.4 - - 6
1317950616.401733 TEST_METRIC foo-bar 7.2.1.5 - - 2
1324314335.570789 TEST_METRIC foo-bar 6.5.4.3 - - 4
1324314335.570789 TEST_METRIC foo-bar 1.2.3.4 - - 6
1324314335.570789 TEST_METRIC foo-bar 7.2.1.5 - - 2

9
testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
View file

@ -1,7 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path metrics
#fields ts metric_id filter_name index.host index.str index.network value
#types time enum string addr string subnet count
1315167083.455574 TEST_METRIC foo-bar 6.5.4.3 - - 2
1315167083.455574 TEST_METRIC foo-bar 1.2.3.4 - - 3
1315167083.455574 TEST_METRIC foo-bar 7.2.1.5 - - 1
1324314344.807073 TEST_METRIC foo-bar 6.5.4.3 - - 2
1324314344.807073 TEST_METRIC foo-bar 1.2.3.4 - - 3
1324314344.807073 TEST_METRIC foo-bar 7.2.1.5 - - 1

7
testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum string string addr addr port count string table table interval bool string string string double double addr string subnet
1316952194.679491 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 6 3600.000000 - - - - - - 1.2.3.4 - -
#types time string addr port addr port enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet
1324314350.184962 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - 1.2.3.4 - -

9
testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
View file

@ -1,6 +1,9 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum string string addr addr port count string table table interval bool string string string double double addr string subnet
1316952223.891502 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 6 3600.000000 - - - - - - 1.2.3.4 - -
1316952223.891502 - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 6 3600.000000 - - - - - - 6.5.4.3 - -
#types time string addr port addr port enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet
1324314359.357148 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 6 3600.000000 F - - - - - 1.2.3.4 - -
1324314359.357148 - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 6 3600.000000 F - - - - - 6.5.4.3 - -

7
testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum string string addr addr port count string table table interval bool string string string double double addr string subnet
1316952264.931290 - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 6 3600.000000 - - - - - - - - -
#types time string addr port addr port enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet
1324314363.721823 - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - -

7
testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum string string addr addr port count string table table interval bool string string string double double addr string subnet
1316950574.408256 - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 6 3600.000000 - - - - - - - - -
#types time string addr port addr port enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet
1324314378.560010 - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - -

7
testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum string string addr addr port count string table table interval bool string string string double double
1316950497.513136 - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 6 3600.000000 - - - - - -
#types time string addr port addr port enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1324314387.663586 - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 6 3600.000000 F - - - - -

7
testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file
1237440095.634312 UWkUyAuUGXf 192.168.3.103 54102 128.146.216.51 80 1 POST www.osu.edu / - curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3 2001 60731 200 OK 100 Continue - - - - - text/html - -
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1237440095.634312 UWkUyAuUGXf 192.168.3.103 54102 128.146.216.51 80 1 POST www.osu.edu / - curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3 2001 60731 200 OK 100 Continue - (empty) - - - text/html - -

7
testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log
View file

@ -1,5 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file
1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - - - - - text/html - http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat

15
testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log
View file

@ -1,9 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - - - - - FAKE_MIME - -
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - - - - - FAKE_MIME - -
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - - - - - FAKE_MIME - -
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - - - - - image/png e0029eea80812e9a8e57b8d05d52938a -
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - - - - - image/png 30aa926344f58019d047e85ba049ca1e -
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - (empty) - - - FAKE_MIME - -
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - (empty) - - - FAKE_MIME - -
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - (empty) - - - FAKE_MIME - -
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - (empty) - - - image/png e0029eea80812e9a8e57b8d05d52938a -
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - (empty) - - - image/png 30aa926344f58019d047e85ba049ca1e -

15
testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
View file

@ -1,9 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string file
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - - - - - - -
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - - - - - - -
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - - - - - - -
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - - - - - - -
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - - - - - - -
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string file
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - (empty) - - - - -
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - (empty) - - - - -
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - (empty) - - - - -
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - (empty) - - - - -
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - (empty) - - - - -

Some files were not shown because too many files have changed in this diff Show more