diff --git a/CHANGES b/CHANGES index 528c244503..4dafe93f43 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,116 @@ +2.3-278 | 2014-11-03 18:55:18 -0800 + + * Add new curves from draft-ietf-tls-negotiated-ff-dhe to SSL + analysis. (Johanna Amann) + +2.3-274 | 2014-10-31 17:45:25 -0700 + + * Adding call to new binpac::init() function. (Robin Sommer) + +2.3-272 | 2014-10-31 16:29:42 -0700 + + * Fix segfault if when statement's RHS is unitialized. Addresses + BIT-1176. (Jon Siwek) + + * Fix checking vector indices via "in". Addresses BIT-1280. (Jon + Siwek) + +2.3-268 | 2014-10-31 12:12:22 -0500 + + * BIT-1283: Fix crash when using &encrypt. (Jon Siwek) + +2.3-267 | 2014-10-31 10:35:02 -0500 + + * BIT-1284: Allow arbitrary when statement timeout expressions + (Jon Siwek) + +2.3-266 | 2014-10-31 09:21:28 -0500 + + * BIT-1166: Add configure options to fine tune local state dirs used + by BroControl. (Jon Siwek) + +2.3-264 | 2014-10-30 13:25:57 -0500 + + * Fix some minor Coverity Scan complaints. (Jon Siwek) + +2.3-263 | 2014-10-28 15:09:10 -0500 + + * Fix checking of fwrite return values (Johanna Amann) + +2.3-260 | 2014-10-27 12:54:17 -0500 + + * Fix errors/warnings when compiling with -std=c++11 (Jon Siwek) + +2.3-259 | 2014-10-27 10:04:04 -0500 + + * Documentation fixes. (Vicente Jimenez Aguilar and Stefano Azzalini) + +2.3-256 | 2014-10-24 15:33:45 -0700 + + * Adding missing test baseline. (Robin Sommer) + +2.3-255 | 2014-10-24 13:39:44 -0700 + + * Fixing unstable active-http test. (Robin Sommer) + +2.3-254 | 2014-10-24 11:40:51 -0700 + + * Fix active-http.bro to deal reliably with empty server responses, + which will now be passed back as empty files. (Christian Struck) + +2.3-248 | 2014-10-23 14:20:59 -0700 + + * Change order in which a plugin's scripts are loaded at startup. + (Robin Sommer) + +2.3-247 | 2014-10-21 13:42:38 -0700 + + * Updates to the SSL analyzer. (Johanna Amann) + + * Mark everything below 2048 bit as a weak key. + + * Fix notice suppression. 
+ + * Add information about server-chosen protocol to ssl.log, if + provided by application_layer_next_protocol. + + * Add boolean flag to ssl.log signaling if a session was + resumed. Remove the (usually not really that useful) session + ID that the client sent. + +2.3-240 | 2014-10-21 13:36:33 -0700 + + * Fix Coverity-reported issues in DNP3 analyzer. (Seth Hall) + +2.3-238 | 2014-10-16 06:51:49 -0700 + + * Fix multipart HTTP/MIME entity file analysis so that (1) singular + CR or LF characters in multipart body content are no longer + converted to a full CRLF (thus corrupting the file) and (2) it + also no longer considers the CRLF before the multipart boundary as + part of the content. Addresses BIT-1235. (Jon Siwek) + +2.3-235 | 2014-10-15 10:20:47 -0500 + + * BIT-1273: Add error message for bad enum declaration syntax. + (Jon Siwek) + +2.3-234 | 2014-10-14 14:42:09 -0500 + + * Documentation fixes. (Steve Smoot) + +2.3-233 | 2014-10-09 16:00:27 -0500 + + * Change find-bro-logs unit test to follow symlinks. (Jon Siwek) + + * Add error checks and messages to a test script (Daniel Thayer) + +2.3-230 | 2014-10-08 08:15:17 -0700 + + * Further baseline normalization for plugin test portability. (Robin + Sommer) + 2.3-229 | 2014-10-07 20:18:11 -0700 * Fix for test portability. (Robin Sommer) diff --git a/VERSION b/VERSION index 67bae97864..5dd2c9f17c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-229 +2.3-278 diff --git a/aux/binpac b/aux/binpac index 3a4684801a..77a86591dc 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 3a4684801aafa0558383199e9abd711650b53af9 +Subproject commit 77a86591dcf89d7252d3676d3f1199d6c927d073 diff --git a/aux/bro-aux b/aux/bro-aux index 95afe42e74..977654dc51 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 95afe42e7474113a16cb2cb09ebdf8b552c59744 +Subproject commit 977654dc51ab08a2afde32241f108cdb4a581d8f diff --git a/aux/broccoli b/aux/broccoli index 33d0ed4a54..acb8fbe8e7 160000 
--- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 33d0ed4a54a6ecf08a0b5fe18831aa413b437066 +Subproject commit acb8fbe8e7bc6ace5135fb73dca8e29432cdc1ca diff --git a/aux/broctl b/aux/broctl index 2f808bc854..39e865dec9 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 2f808bc8541378b1a4953cca02c58c43945d154f +Subproject commit 39e865dec9611b9b53b609cbc8df519cebae0a1e diff --git a/cmake b/cmake index 03de0cc467..1316c07f70 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 03de0cc467d2334dcb851eddd843d59fef217909 +Subproject commit 1316c07f7059647b6c4a496ea36e4b83bb5d8f0f diff --git a/configure b/configure index 5747586db8..2b1c568b26 100755 --- a/configure +++ b/configure @@ -24,6 +24,13 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --prefix=PREFIX installation directory [/usr/local/bro] --scriptdir=PATH root installation directory for Bro scripts [PREFIX/share/bro] + --localstatedir=PATH when using BroControl, path to store log files + and run-time data (within log/ and spool/ subdirs) + [PREFIX] + --spooldir=PATH when using BroControl, path to store run-time data + [PREFIX/spool] + --logdir=PATH when using BroControl, path to store log file + [PREFIX/logs] --conf-files-dir=PATH config files installation directory [PREFIX/etc] Optional Features: @@ -144,6 +151,15 @@ while [ $# -ne 0 ]; do append_cache_entry BRO_ETC_INSTALL_DIR PATH $optarg user_set_conffilesdir="true" ;; + --localstatedir=*) + append_cache_entry BRO_LOCAL_STATE_DIR PATH $optarg + ;; + --spooldir=*) + append_cache_entry BRO_SPOOL_DIR PATH $optarg + ;; + --logdir=*) + append_cache_entry BRO_LOG_DIR PATH $optarg + ;; --enable-debug) append_cache_entry ENABLE_DEBUG BOOL true ;; diff --git a/doc/scripting/data_struct_vector_declaration.bro b/doc/scripting/data_struct_vector_declaration.bro index d64754b97b..6d684d09b1 100644 --- a/doc/scripting/data_struct_vector_declaration.bro +++ b/doc/scripting/data_struct_vector_declaration.bro 
@@ -10,6 +10,6 @@ event bro_init() print fmt("contents of v1: %s", v1); print fmt("length of v1: %d", |v1|); - print fmt("contents of v1: %s", v2); + print fmt("contents of v2: %s", v2); print fmt("length of v2: %d", |v2|); } diff --git a/doc/scripting/data_type_pattern_01.bro b/doc/scripting/data_type_pattern_01.bro index 08378dd124..e57650a589 100644 --- a/doc/scripting/data_type_pattern_01.bro +++ b/doc/scripting/data_type_pattern_01.bro @@ -1,6 +1,6 @@ event bro_init() { - local test_string = "The quick brown fox jumped over the lazy dog."; + local test_string = "The quick brown fox jumps over the lazy dog."; local test_pattern = /quick|lazy/; if ( test_pattern in test_string ) diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst index 559e131b8f..d18f87ac38 100644 --- a/doc/scripting/index.rst +++ b/doc/scripting/index.rst @@ -260,7 +260,7 @@ originating host is referenced by ``c$id$orig_h`` which if given a narrative relates to ``orig_h`` which is a member of ``id`` which is a member of the data structure referred to as ``c`` that was passed into the event handler. Given that the responder port -``c$id$resp_p`` is ``53/tcp``, it's likely that Bro's base HTTP scripts +``c$id$resp_p`` is ``80/tcp``, it's likely that Bro's base HTTP scripts can further populate the connection record. Let's load the ``base/protocols/http`` scripts and check the output of our script. diff --git a/pkg/make-deb-packages b/pkg/make-deb-packages index 432de8336a..0a435a756f 100755 --- a/pkg/make-deb-packages +++ b/pkg/make-deb-packages @@ -16,6 +16,7 @@ the 'dpkg-dev' package, please install it first. } prefix=/opt/bro +localstatedir=/var/opt/bro # During the packaging process, `dpkg-shlibs` will fail if used on a library # that links to other internal/project libraries unless an RPATH is used or 
@@ -31,7 +32,7 @@ cd ..
 ( cd build && make package )
 # Full Bro package
-./configure --prefix=${prefix} --pkg-name-prefix=Bro --binary-package
+./configure --prefix=${prefix} --localstatedir=${localstatedir} --pkg-name-prefix=Bro --binary-package
 ( cd build && make package )
 # Broccoli
@@ -42,6 +43,6 @@ cd ../..
 # Broctl
 cd aux/broctl
-./configure --prefix=${prefix} --binary-package
+./configure --prefix=${prefix} --localstatedir=${localstatedir} --binary-package
 ( cd build && make package && mv *.deb ../../../build/ )
 cd ../..
diff --git a/pkg/make-rpm-packages b/pkg/make-rpm-packages
index 9560cc80ff..43b962f417 100755
--- a/pkg/make-rpm-packages
+++ b/pkg/make-rpm-packages
@@ -15,6 +15,7 @@ the 'rpm-build' package, please install it first.
 }
 prefix=/opt/bro
+localstatedir=/var/opt/bro
 cd ..
@@ -24,7 +25,7 @@ cd ..
 ( cd build && make package )
 # Full Bro package
-./configure --prefix=${prefix} --pkg-name-prefix=Bro --binary-package
+./configure --prefix=${prefix} --localstatedir=${localstatedir} --pkg-name-prefix=Bro --binary-package
 ( cd build && make package )
 # Broccoli
@@ -35,6 +36,6 @@ cd ../..
 # Broctl
 cd aux/broctl
-./configure --prefix=${prefix} --binary-package
+./configure --prefix=${prefix} --localstatedir=${localstatedir} --binary-package
 ( cd build && make package && mv *.rpm ../../../build/ )
 cd ../..
diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 54952988f0..278a2a37ae 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -158,6 +158,12 @@ export {
 [26] = "brainpoolP256r1",
 [27] = "brainpoolP384r1",
 [28] = "brainpoolP512r1",
+ # draft-ietf-tls-negotiated-ff-dhe-02
+ [256] = "ffdhe2432",
+ [257] = "ffdhe3072",
+ [258] = "ffdhe4096",
+ [259] = "ffdhe6144",
+ [260] = "ffdhe8192",
 [0xFF01] = "arbitrary_explicit_prime_curves",
 [0xFF02] = "arbitrary_explicit_char2_curves"
 } &default=function(i: count):string { return fmt("unknown-%d", i); };
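Review bot: `[256] = "ffdhe2432",` does not name a group in draft-ietf-tls-negotiated-ff-dhe; code point 256 is ffdhe2048 there, and the four entries that follow (3072/4096/6144/8192) are in the draft's order, which makes 2432 look like a typo for 2048. Change it to `[256] = "ffdhe2048",`. Since this table presumably supplies the named-group string that ends up in ssl.log, the misspelling would leave the 2048-bit FFDHE group invisible to anything filtering on the correct name.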
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index f1315f8c85..a1461db82d 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -12,7 +12,7 @@ export { ## Time when the SSL connection was first detected. ts: time &log; ## Unique ID for the connection. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. id: conn_id &log; ## SSL/TLS version that the server offered. @@ -25,9 +25,25 @@ export { ## indicates the server name that the client was requesting. server_name: string &log &optional; ## Session ID offered by the client for session resumption. - session_id: string &log &optional; + ## Not used for logging. + session_id: string &optional; + ## Flag to indicate if the session was resumed reusing + ## the key material exchanged in an earlier connection. + resumed: bool &log &default=F; + ## Flag to indicate if we saw a non-empty session ticket being + ## sent by the client using an empty session ID. This value + ## is used to determine if a session is being resumed. It's + ## not logged. + client_ticket_empty_session_seen: bool &default=F; + ## Flag to indicate if we saw a client key exchange message sent + ## by the client. This value is used to determine if a session + ## is being resumed. It's not logged. + client_key_exchange_seen: bool &default=F; ## Last alert that was seen during the connection. last_alert: string &log &optional; + ## Next protocol the server chose using the application layer + ## next protocol extension, if present. + next_protocol: string &log &optional; ## The analyzer ID used for the analyzer instance attached ## to each connection. It is not used for logging since it's a 
@@ -36,11 +52,11 @@ export {
 ## Flag to indicate if this ssl session has been established
 ## succesfully, or if it was aborted during the handshake.
- established: bool &log &default=F;
+ established: bool &log &default=F;
 ## Flag to indicate if this record already has been logged, to
 ## prevent duplicates.
- logged: bool &default=F;
+ logged: bool &default=F;
 };
 ## The default root CA bundle. By default, the mozilla-ca-list.bro
@@ -149,8 +165,11 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, client_
 set_session(c);
 # Save the session_id if there is one set.
- if ( session_id != /^\x00{32}$/ )
+ if ( |session_id| > 0 && session_id != /^\x00{32}$/ )
+ {
 c$ssl$session_id = bytestring_to_hexstr(session_id);
+ c$ssl$client_ticket_empty_session_seen = F;
+ }
 }
 event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
@@ -159,6 +178,9 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
 c$ssl$version = version_strings[version];
 c$ssl$cipher = cipher_desc[cipher];
+
+ if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) )
+ c$ssl$resumed = T;
 }
 event ssl_server_curve(c: connection, curve: count) &priority=5
@@ -180,6 +202,45 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
 }
 }
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
+ {
+ set_session(c);
+
+ if ( is_orig )
+ return;
+
+ if ( |protocols| > 0 )
+ c$ssl$next_protocol = protocols[0];
+ }
+
+event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count) &priority=5
+ {
+ set_session(c);
+
+ if ( is_orig && msg_type == SSL::CLIENT_KEY_EXCHANGE )
+ c$ssl$client_key_exchange_seen = T;
+ }
+
+# Extension event is fired _before_ the respective client or server hello.
+# Important for client_ticket_empty_session_seen.
+event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
+ {
+ set_session(c);
+
+ if ( is_orig && SSL::extensions[code] == "SessionTicket TLS" && |val| > 0 )
+ # In this case, we might have an empty ID. Set back to F in client_hello event
+ # if it is not empty after all.
+ c$ssl$client_ticket_empty_session_seen = T;
+ }
+
+event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
+ {
+ set_session(c);
+
+ if ( is_orig && c$ssl$client_ticket_empty_session_seen && ! c$ssl$client_key_exchange_seen )
+ c$ssl$resumed = T;
+ }
+
 event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
 {
 set_session(c);
diff --git a/scripts/base/utils/active-http.bro b/scripts/base/utils/active-http.bro
index 9f62e7bbaa..5dc512408a 100644
--- a/scripts/base/utils/active-http.bro
+++ b/scripts/base/utils/active-http.bro
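Review bot: In `ssl_extension`, the session-ticket test `SSL::extensions[code] == "SessionTicket TLS"` keys on the human-readable name rather than the extension type, so a wording change of that string in consts.bro silently switches ticket-based resumption detection off. Comparing the numeric code point — 35 for SessionTicket (RFC 5077), ideally behind a named constant alongside `SSL::CLIENT_KEY_EXCHANGE` — is the robust form: `if ( is_orig && code == 35 && |val| > 0 )`. It would also help to say in the `resumed` field doc (previous hunk) that the ticket path is a heuristic combining the ticket extension, an empty session ID and the absence of a ClientKeyExchange before the client's ChangeCipherSpec, not a flag either peer sends.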
@@ -65,12 +65,14 @@ function request2curl(r: Request, bodyfile: string, headersfile: string): string
 cmd = fmt("%s -m %.0f", cmd, r$max_time);
 if ( r?$client_data )
- cmd = fmt("%s -d -", cmd);
+ cmd = fmt("%s -d @-", cmd);
 if ( r?$addl_curl_args )
 cmd = fmt("%s %s", cmd, r$addl_curl_args);
 cmd = fmt("%s \"%s\"", cmd, str_shell_escape(r$url));
+ # Make sure file will exist even if curl did not write one.
+ cmd = fmt("%s && touch %s", cmd, str_shell_escape(bodyfile));
 return cmd;
 }
diff --git a/scripts/base/utils/exec.bro b/scripts/base/utils/exec.bro
index 12f5a0087b..f38bf82978 100644
--- a/scripts/base/utils/exec.bro
+++ b/scripts/base/utils/exec.bro
@@ -106,6 +106,15 @@ event Input::end_of_data(name: string, source:string)
 local track_file = parts[2];
+ # If the file is empty, still add it to the result$files table. This is needed
+ # because it is expected that the file was read even if it was empty.
+ local result = results[name];
+ if ( ! result?$files )
+ result$files = table();
+
+ if ( track_file !in result$files )
+ result$files[track_file] = vector();
+
 Input::remove(name);
 if ( name !in pending_files )
diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro
index f11fb9da5e..e849c3c06c 100644
--- a/scripts/policy/protocols/ssl/weak-keys.bro
+++ b/scripts/policy/protocols/ssl/weak-keys.bro
@@ -22,7 +22,7 @@ export {
 ## The minimal key length in bits that is considered to be safe. Any shorter
 ## (non-EC) key lengths will trigger the notice.
- const notify_minimal_key_length = 1024 &redef;
+ const notify_minimal_key_length = 2048 &redef;
 ## Warn if the DH key length is smaller than the certificate key length. This is
 ## potentially unsafe because it gives a wrong impression of safety due to the
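Review bot: The new `cmd = fmt("%s && touch %s", cmd, str_shell_escape(bodyfile));` only runs `touch` when curl exits zero, so the comment's "even if curl did not write one" holds for an empty successful response but not for a connect failure or any other non-zero exit, where the file is still absent. If an unconditional file is the goal, use `cmd = fmt("%s; touch %s", cmd, str_shell_escape(bodyfile));` and accept that the file's absence no longer signals failure; if only the success case is meant, narrow the comment to `# Make sure the body file exists after a successful curl run, even if the response was empty.` Keeping `str_shell_escape()` on `bodyfile` is essential since the whole command still goes through a shell. request2curl begins above the hunk.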
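Review bot: `local result = results[name];` indexes `results` unconditionally, ahead of the existing `name !in pending_files` guard below it; if `Input::end_of_data` can fire for a stream name that is not (or no longer) in `results`, that lookup is a runtime error rather than a clean return. The handler's prologue is above the hunk, so if it already filters such names this is moot; otherwise add `if ( name !in results ) return;` before the lookup. Updating `result$files` through the local relies on record assignment aliasing the table entry — true for Bro records as far as I know, but a one-line comment saying so would spare the next reader the doubt.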
@@ -56,7 +56,7 @@ event ssl_established(c: connection) &priority=3
 NOTICE([$note=Weak_Key, $msg=fmt("Host uses weak certificate with %d bit key", key_length), $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+ $identifier=cat(c$id$resp_h, c$id$resp_h, key_length)
 ]);
 }
@@ -66,12 +66,12 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
 return;
 local key_length = |Ys| * 8; # key length in bits
-
+
 if ( key_length < notify_minimal_key_length )
 NOTICE([$note=Weak_Key, $msg=fmt("Host uses weak DH parameters with %d key bits", key_length), $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+ $identifier=cat(c$id$resp_h, c$id$resp_p, key_length)
 ]);
 if ( notify_dh_length_shorter_cert_length &&
@@ -86,7 +86,7 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
 $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits", key_length, c$ssl$cert_chain[0]$x509$certificate$key_length), $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$orig_h, c$id$orig_p)
+ $identifier=cat(c$id$resp_h, c$id$resp_p)
 ]);
 }
 }
diff --git a/src/Brofiler.cc b/src/Brofiler.cc
index 777be52217..e7d8c8fdeb 100644
--- a/src/Brofiler.cc
+++ b/src/Brofiler.cc
@@ -96,7 +96,7 @@ bool Brofiler::WriteStats()
 map, uint64 >::const_iterator it;
 for ( it = usage_map.begin(); it != usage_map.end(); ++it )
 {
- fprintf(f, "%"PRIu64"%c%s%c%s\n", it->second, delim,
+ fprintf(f, "%" PRIu64"%c%s%c%s\n", it->second, delim,
 it->first.first.c_str(), delim, it->first.second.c_str());
 }
diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
index 2c049ba803..11fd258d09 100644
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
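Review bot: In the certificate Weak_Key notice, `$identifier=cat(c$id$resp_h, c$id$resp_h, key_length)` repeats `resp_h` where the two DH notices in the next hunks use `resp_h, resp_p`, so the responder port is missing from the suppression key and distinct services on one host with the same key length collapse into a single `1day` suppression. Use `$identifier=cat(c$id$resp_h, c$id$resp_p, key_length)`. The move from orig_* to resp_* is itself right, since the weak key belongs to the server, not the client. ssl_established begins above the hunk.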
@@ -214,7 +214,7 @@ DNS_Mapping::DNS_Mapping(FILE* f) char req_buf[512+1], name_buf[512+1]; int is_req_host; - if ( sscanf(buf, "%lf %d %512s %d %512s %d %d %"PRIu32, &creation_time, + if ( sscanf(buf, "%lf %d %512s %d %512s %d %d %" PRIu32, &creation_time, &is_req_host, req_buf, &failed, name_buf, &map_type, &num_addrs, &req_ttl) != 8 ) return; @@ -360,7 +360,7 @@ void DNS_Mapping::Clear() void DNS_Mapping::Save(FILE* f) const { - fprintf(f, "%.0f %d %s %d %s %d %d %"PRIu32"\n", creation_time, req_host != 0, + fprintf(f, "%.0f %d %s %d %s %d %d %" PRIu32"\n", creation_time, req_host != 0, req_host ? req_host : req_addr.AsString().c_str(), failed, (names && names[0]) ? names[0] : "*", map_type, num_addrs, req_ttl); diff --git a/src/Expr.cc b/src/Expr.cc index 4a29c11cb5..c7ea906865 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -636,7 +636,7 @@ Val* BinaryExpr::Eval(Frame* f) const return v_result; } - if ( is_vec1 || is_vec2 ) + if ( IsVector(Type()->Tag()) && (is_vec1 || is_vec2) ) { // fold vector against scalar VectorVal* vv = (is_vec1 ? v1 : v2)->AsVectorVal(); VectorVal* v_result = new VectorVal(Type()->AsVectorType()); @@ -4703,8 +4703,14 @@ Val* InExpr::Fold(Val* v1, Val* v2) const v2->Type()->Tag() == TYPE_SUBNET ) return new Val(v2->AsSubNetVal()->Contains(v1->AsAddr()), TYPE_BOOL); - TableVal* vt = v2->AsTableVal(); - if ( vt->Lookup(v1, false) ) + Val* res; + + if ( is_vector(v2) ) + res = v2->AsVectorVal()->Lookup(v1); + else + res = v2->AsTableVal()->Lookup(v1, false); + + if ( res ) return new Val(1, TYPE_BOOL); else return new Val(0, TYPE_BOOL); diff --git a/src/File.cc b/src/File.cc index bf6a7e7f51..e62ca732cd 100644 --- a/src/File.cc +++ b/src/File.cc 
@@ -527,7 +527,7 @@ void BroFile::SetAttrs(Attributes* arg_attrs)
 if ( ef->AttrExpr() )
 InitEncrypt(ef->AttrExpr()->ExprVal()->AsString()->CheckString());
 else
- InitEncrypt(log_encryption_key->AsString()->CheckString());
+ InitEncrypt(opt_internal_string("log_encryption_key")->CheckString());
 }
 if ( attrs->FindAttr(ATTR_RAW_OUTPUT) )
@@ -708,10 +708,10 @@ void BroFile::InitEncrypt(const char* keyfile)
 secret_len = htonl(secret_len);
- if ( ! (fwrite("BROENC1", 7, 1, f) &&
- fwrite(&secret_len, sizeof(secret_len), 1, f) &&
- fwrite(secret, ntohl(secret_len), 1, f) &&
- fwrite(iv, iv_len, 1, f)) )
+ if ( fwrite("BROENC1", 7, 1, f) < 1 ||
+ fwrite(&secret_len, sizeof(secret_len), 1, f) < 1 ||
+ fwrite(secret, ntohl(secret_len), 1, f) < 1 ||
+ fwrite(iv, iv_len, 1, f) < 1 )
 {
 reporter->Error("can't write header to log file %s: %s", name, strerror(errno));
@@ -736,7 +736,7 @@ void BroFile::FinishEncrypt()
 int outl;
 EVP_SealFinal(cipher_ctx, cipher_buffer, &outl);
- if ( outl && ! fwrite(cipher_buffer, outl, 1, f) )
+ if ( outl && fwrite(cipher_buffer, outl, 1, f) < 1 )
 {
 reporter->Error("write error for %s: %s", name, strerror(errno));
@@ -777,7 +777,7 @@ int BroFile::Write(const char* data, int len)
 return 0;
 }
- if ( outl && ! fwrite(cipher_buffer, outl, 1, f) )
+ if ( outl && fwrite(cipher_buffer, outl, 1, f) < 1 )
 {
 reporter->Error("write error for %s: %s", name, strerror(errno));
@@ -792,8 +792,7 @@ int BroFile::Write(const char* data, int len)
 return 1;
 }
- len = fwrite(data, 1, len, f);
- if ( len <= 0 )
+ if ( fwrite(data, len, 1, f) < 1 )
 return false;
 if ( rotate_size && current_size < rotate_size && current_size + len >= rotate_size )
diff --git a/src/Flare.cc b/src/Flare.cc
index dcb5fa2c1f..5df6d663aa 100644
--- a/src/Flare.cc
+++ b/src/Flare.cc
@@ -22,7 +22,7 @@ static void bad_pipe_op(const char* which)
 void Flare::Fire()
 {
- char tmp;
+ char tmp = 0;
 for ( ; ; )
 {
diff --git a/src/H3.h b/src/H3.h
index 321fda924b..3b4b9ee539 100644
--- a/src/H3.h
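Review bot: `InitEncrypt(opt_internal_string("log_encryption_key")->CheckString());` dereferences the lookup result unconditionally; whether `opt_internal_string` can return a null pointer for an unset identifier is not visible in this hunk, and if it can, the &encrypt crash this commit fixes (BIT-1283) just moves one call down. If so, fetch the value into a local and, when it is null, report through `reporter->Error` and skip `InitEncrypt` rather than dereferencing. SetAttrs begins above the hunk.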
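Review bot: `if ( fwrite(data, len, 1, f) < 1 )` reports a zero-length write as a failure, because fwrite with size 0 returns 0; the replaced `len <= 0` test had the same quirk, so this is not a regression, but since the line is being rewritten it is the moment to make an empty write a no-op: `if ( len > 0 && fwrite(data, len, 1, f) < 1 )`. Whether callers ever pass `len == 0` is not visible here. `len` is no longer overwritten with the count written, so the rotation check on the next line now uses the requested length, which is equivalent because a single-member fwrite either writes all of it or returns 0. The `return false` sits next to `return 0` and `return 1` in the same int-returning body; `return 0` would read consistently. Write begins above the hunk.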
+++ b/src/H3.h @@ -110,7 +110,7 @@ public: T result = 0; // loop optmized with Duff's Device - register unsigned n = (size + 7) / 8; + unsigned n = (size + 7) / 8; switch ( size % 8 ) { case 0: do { result ^= byte_lookup[offset++][*p++]; case 7: result ^= byte_lookup[offset++][*p++]; diff --git a/src/Reassem.cc b/src/Reassem.cc index 27fb26561f..1ad0cb2717 100644 --- a/src/Reassem.cc +++ b/src/Reassem.cc @@ -182,7 +182,7 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper, { if ( DEBUG_reassem ) { - DEBUG_MSG("%.6f Reassembler::AddAndCheck seq=%"PRIu64", upper=%"PRIu64"\n", + DEBUG_MSG("%.6f Reassembler::AddAndCheck seq=%" PRIu64", upper=%" PRIu64"\n", network_time, seq, upper); } diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index b475c4a8cc..9756e0b0ae 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -707,7 +707,7 @@ RemoteSerializer::PeerID RemoteSerializer::Connect(const IPAddr& ip, const size_t BUFSIZE = 1024; char* data = new char[BUFSIZE]; snprintf(data, BUFSIZE, - "%"PRI_PTR_COMPAT_UINT",%s,%s,%"PRIu16",%"PRIu32",%d", p->id, + "%" PRI_PTR_COMPAT_UINT",%s,%s,%" PRIu16",%" PRIu32",%d", p->id, ip.AsString().c_str(), zone_id.c_str(), port, uint32(retry), use_ssl); @@ -1267,7 +1267,7 @@ bool RemoteSerializer::Listen(const IPAddr& ip, uint16 port, bool expect_ssl, const size_t BUFSIZE = 1024; char* data = new char[BUFSIZE]; - snprintf(data, BUFSIZE, "%s,%"PRIu16",%d,%d,%s,%"PRIu32, + snprintf(data, BUFSIZE, "%s,%" PRIu16",%d,%d,%s,%" PRIu32, ip.AsString().c_str(), port, expect_ssl, ipv6, zone_id.c_str(), (uint32) retry); @@ -4075,7 +4075,7 @@ bool SocketComm::Connect(Peer* peer) const size_t BUFSIZE = 1024; char* data = new char[BUFSIZE]; - snprintf(data, BUFSIZE, "%s,%"PRIu32, peer->ip.AsString().c_str(), + snprintf(data, BUFSIZE, "%s,%" PRIu32, peer->ip.AsString().c_str(), peer->port); if ( ! SendToParent(MSG_CONNECTED, peer, data) ) 
@@ -4190,7 +4190,7 @@ bool SocketComm::Listen() setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0 ) Error(fmt("can't set IPV6_V6ONLY, %s", strerror(errno))); - if ( bind(fd, res->ai_addr, res->ai_addrlen) < 0 ) + if ( ::bind(fd, res->ai_addr, res->ai_addrlen) < 0 ) { Error(fmt("can't bind to %s:%s, %s", l_addr_str.c_str(), port_str, strerror(errno))); @@ -4287,7 +4287,7 @@ bool SocketComm::AcceptConnection(int fd) const size_t BUFSIZE = 1024; char* data = new char[BUFSIZE]; - snprintf(data, BUFSIZE, "%s,%"PRIu32, peer->ip.AsString().c_str(), + snprintf(data, BUFSIZE, "%s,%" PRIu32, peer->ip.AsString().c_str(), peer->port); if ( ! SendToParent(MSG_CONNECTED, peer, data) ) diff --git a/src/SerializationFormat.cc b/src/SerializationFormat.cc index 6a133d64e4..58935fe175 100644 --- a/src/SerializationFormat.cc +++ b/src/SerializationFormat.cc @@ -541,19 +541,19 @@ bool XMLSerializationFormat::Write(uint16 v, const char* tag) bool XMLSerializationFormat::Write(uint32 v, const char* tag) { - const char* tmp = fmt("%"PRIu32, v); + const char* tmp = fmt("%" PRIu32, v); return WriteElem(tag, "uint32", tmp, strlen(tmp)); } bool XMLSerializationFormat::Write(uint64 v, const char* tag) { - const char* tmp = fmt("%"PRIu64, v); + const char* tmp = fmt("%" PRIu64, v); return WriteElem(tag, "uint64", tmp, strlen(tmp)); } bool XMLSerializationFormat::Write(int64 v, const char* tag) { - const char* tmp = fmt("%"PRId64, v); + const char* tmp = fmt("%" PRId64, v); return WriteElem(tag, "int64", tmp, strlen(tmp)); } diff --git a/src/Sessions.cc b/src/Sessions.cc index 43e55dd95a..ffc2baf944 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -544,7 +544,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, if ( proto_typ != 0x0800 && proto_typ != 0x86dd ) { // Not IPv4/IPv6 payload. - Weird(fmt("unknown_gre_protocol_%"PRIu16, proto_typ), ip_hdr, + Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr, encapsulation); return; } 
diff --git a/src/Stats.cc b/src/Stats.cc
index 6cf9a622e1..01ca0a41d3 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
@@ -160,7 +160,7 @@ void ProfileLogger::Log()
 file->Write(fmt("%.06f Connections expired due to inactivity: %d\n", network_time, killed_by_inactivity));
- file->Write(fmt("%.06f Total reassembler data: %"PRIu64"K\n", network_time,
+ file->Write(fmt("%.06f Total reassembler data: %" PRIu64"K\n", network_time,
 Reassembler::TotalMemoryAllocation() / 1024));
 // Signature engine.
diff --git a/src/Trigger.cc b/src/Trigger.cc
index ed5d0e18f6..099027f4e0 100644
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@@ -131,18 +131,19 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts,
 arg_frame->SetDelayed();
 }
- Val* timeout = arg_timeout ? arg_timeout->ExprVal() : 0;
+ Val* timeout_val = arg_timeout ? arg_timeout->Eval(arg_frame) : 0;
 // Make sure we don't get deleted if somebody calls a method like
 // Timeout() while evaluating the trigger.
 Ref(this);
- if ( ! Eval() && timeout )
+ if ( ! Eval() && timeout_val )
 {
- timer = new TriggerTimer(timeout->AsInterval(), this);
+ timer = new TriggerTimer(timeout_val->AsInterval(), this);
 timer_mgr->Add(timer);
 }
+ Unref(timeout_val);
 Unref(this);
 }
@@ -206,7 +207,7 @@ bool Trigger::Eval()
 return false;
 }
- if ( v->IsZero() )
+ if ( ! v || v->IsZero() )
 {
 // Not true. Perhaps next time...
 DBG_LOG(DBG_NOTIFIERS, "%s: trigger condition is false", Name());
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index fb5602f96e..b4048af467 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
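Review bot: `timer = new TriggerTimer(timeout_val->AsInterval(), this);` applies `AsInterval()` to whatever `arg_timeout->Eval(arg_frame)` produced without checking its type tag; now that arbitrary timeout expressions are accepted (BIT-1284), unless the parser already rejects non-interval expressions (not visible here), a wrong-typed value would be reinterpreted rather than reported. A cheap guard before creating the timer, `if ( timeout_val->Type()->Tag() != TYPE_INTERVAL ) reporter->Error("when timeout is not an interval");` with the timer only created in the else branch, turns that into a diagnostic. `Unref(timeout_val)` is reached with a null pointer when `arg_timeout` is absent, which is fine only if Unref is null-safe — it is elsewhere in this codebase as far as I recall, but worth a glance. Trigger::Trigger begins above the hunk.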
@@ -598,7 +598,7 @@ SupportAnalyzer* Analyzer::FirstSupportAnalyzer(bool orig)
 void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 {
- DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %"PRIu64", %p, %d) [%s%s]",
+ DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %" PRIu64", %p, %d) [%s%s]",
 fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", seq, ip, caplen, fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
 }
@@ -612,7 +612,7 @@ void Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 void Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
 {
- DBG_LOG(DBG_ANALYZER, "%s Undelivered(%"PRIu64", %d, %s)",
+ DBG_LOG(DBG_ANALYZER, "%s Undelivered(%" PRIu64", %d, %s)",
 fmt_analyzer(this).c_str(), seq, len, is_orig ? "T" : "F");
 }
diff --git a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac
index 2065237f45..5e9ae85bcf 100644
--- a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac
+++ b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac
@@ -5,18 +5,18 @@ connection DNP3_Conn(bro_analyzer: BroAnalyzer) {
 };
 %header{
- uint64 bytestring_to_time(const_bytestring time48, size_t length);
+ uint64 bytestring_to_time(const_bytestring time48);
 %}
 %code{
- uint64 bytestring_to_time(const_bytestring time48, size_t length)
+ uint64 bytestring_to_time(const_bytestring time48)
 {
 /* In DNP3, a timestamp is represented by 6 bytes since epoch in milliseconds. The 6 bytes are stored in big endian format. */
 uint64 epochTime = 0;
- for ( unsigned int i = 0; i < length; i++ )
- epochTime = time48[length - i - 1] + epochTime * 256;
+ for ( int i = time48.length() - 1; i >= 0; i-- )
+ epochTime = time48[i] + epochTime * 256;
 return epochTime;
 }
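Review bot: The comment in `bytestring_to_time` says the 6 bytes are big endian, but the rewritten loop folds `time48[length() - 1]` in first, i.e. treats the last byte as most significant, which is little-endian decoding; it matches the old loop, so behaviour is unchanged, but comment and code disagree. DNP3 multi-octet fields are little-endian as far as I know, so the fix is probably to the comment: `/* ... The 6 bytes are stored little-endian (least significant byte first). */`; if the comment is right instead, the loop should run `for ( int i = 0; i < time48.length(); i++ )`. Nothing bounds `time48.length()` to 8, so a longer bytestring would silently wrap the uint64 accumulation; the callers presumably pass a parsed 6-byte field, so this is theoretical, but a `length() <= 8` check would pin the 48-bit assumption.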
@@ -240,7 +240,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_counter_32wFlagTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, count_value, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, count_value, bytestring_to_time(time48)); } return true; @@ -254,7 +254,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_counter_16wFlagTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, count_value, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, count_value, bytestring_to_time(time48)); } return true; @@ -408,7 +408,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_32wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, frozen_value, bytestring_to_time(time48)); } return true; @@ -422,7 +422,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_16wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, frozen_value, bytestring_to_time(time48)); } return true; @@ -520,7 +520,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_analog_input_event_32wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, value, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, value, bytestring_to_time(time48)); } return true; @@ -534,7 +534,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_analog_input_event_16wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, value, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, value, bytestring_to_time(time48)); } return true; 
@@ -576,7 +576,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_analog_input_event_SPwTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, value, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, value, bytestring_to_time(time48)); } return true; @@ -590,7 +590,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_analog_input_event_DPwTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, value_low, value_high, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, value_low, value_high, bytestring_to_time(time48)); } return true; @@ -632,7 +632,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_event_32wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, frozen_value, bytestring_to_time(time48)); } return true; @@ -646,7 +646,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_event_16wTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, frozen_value, bytestring_to_time(time48)); } return true; @@ -688,7 +688,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, frozen_value, bytestring_to_time(time48)); } return true; 
@@ -702,7 +702,7 @@ flow DNP3_Flow(is_orig: bool) { BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48, sizeof(time48))); + is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48)); } return true; diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index 4d00ca85aa..924c958e43 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -416,7 +416,7 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) int64_t len = l - f + 1; if ( DEBUG_http ) - DEBUG_MSG("Content-Range length = %"PRId64"\n", len); + DEBUG_MSG("Content-Range length = %" PRId64"\n", len); if ( len > 0 ) { @@ -466,6 +466,20 @@ void HTTP_Entity::SubmitAllHeaders() if ( DEBUG_http ) DEBUG_MSG("%.6f end of headers\n", network_time); + if ( Parent() && + Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART ) + { + // Don't treat single \r or \n characters in the multipart body content + // as lines because the MIME_Entity code will implicitly add back a + // \r\n for each line it receives. We do this instead of setting + // plain delivery mode for the content line analyzer because + // the size of the content to deliver "plainly" may be unknown + // and just leaving it in that mode indefinitely screws up the + // detection of multipart boundaries. + http_message->content_line->SupressWeirds(true); + http_message->content_line->SetCRLFAsEOL(0); + } + // The presence of a message-body in a request is signaled by // the inclusion of a Content-Length or Transfer-Encoding // header field in the request's message-headers. 
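Review bot: The new one-argument `bytestring_to_time(time48)` form moves the length question into the callee, which is not shown in any of these hunks, so it is worth confirming that it reads `time48.length()` and refuses anything other than the 6 bytes a DNP3 48-bit timestamp occupies, rather than unconditionally consuming six bytes from `time48.begin()`. The old `sizeof(time48)` argument was the size of the bytestring object rather than of its payload, which is presumably what Coverity flagged; a length check in the callee is what actually closes that gap, since a truncated object from an untrusted outstation would otherwise be read past its end. The identical replacement is made in every DNP3 hunk above, so a single check in `bytestring_to_time` covers all of them; that function is defined outside the hunks shown here.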
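Review bot: The `SupressWeirds(true)` / `SetCRLFAsEOL(0)` pair flips state on `http_message->content_line`, which is the analyzer shared by every message on the connection, and the only place that undoes it is `HTTP_Message::EndEntity`; if a message can be abandoned before that runs (a content gap or connection teardown in the middle of a multipart body, say), the next message on the same connection would presumably start with weirds silenced and only `\r\n` recognised as end-of-line. Consider resetting both flags in the message's done/cleanup path as well, or saving the previous CRLF mode and restoring that instead of the default. A short comment at this site, e.g. `// Restored in HTTP_Message::EndEntity once this multipart part ends.`, would make the pairing visible to the next reader. The enclosing `SubmitAllHeaders` continues beyond the hunk.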
@@ -655,6 +669,13 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity) current_entity = (HTTP_Entity*) entity->Parent(); + if ( entity->Parent() && + entity->Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART ) + { + content_line->SupressWeirds(false); + content_line->SetCRLFAsEOL(); + } + // It is necessary to call Done when EndEntity is triggered by // SubmitAllHeaders (through EndOfData). if ( entity == top_level ) @@ -1039,7 +1060,7 @@ void HTTP_Analyzer::Undelivered(uint64 seq, int len, bool is_orig) { if ( msg ) msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP, - fmt("seq=%"PRIu64", len=%d", seq, len)); + fmt("seq=%" PRIu64", len=%d", seq, len)); } // Check if the content gap falls completely within a message body diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index 876bcfe5aa..d55c10c4c1 100644 --- a/src/analyzer/protocol/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h @@ -99,6 +99,8 @@ enum { // HTTP_MessageDone -> {Request,Reply}Made class HTTP_Message : public mime::MIME_Message { +friend class HTTP_Entity; + public: HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl, bool is_orig, int expect_body, int64_t init_header_length); diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc index c3fde12a5d..a1759d97d0 100644 --- a/src/analyzer/protocol/mime/MIME.cc +++ b/src/analyzer/protocol/mime/MIME.cc @@ -553,6 +553,7 @@ void MIME_Entity::init() data_buf_offset = -1; message = 0; + delay_adding_implicit_CRLF = false; } MIME_Entity::~MIME_Entity() 
@@ -1003,12 +1004,33 @@ void MIME_Entity::DecodeDataLine(int len, const char* data, int trailing_CRLF) void MIME_Entity::DecodeBinary(int len, const char* data, int trailing_CRLF) { + if ( delay_adding_implicit_CRLF ) + { + delay_adding_implicit_CRLF = false; + DataOctet(CR); + DataOctet(LF); + } + DataOctets(len, data); if ( trailing_CRLF ) { - DataOctet(CR); - DataOctet(LF); + if ( Parent() && + Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART ) + { + // For multipart body content, we want to keep all implicit CRLFs + // except for the last because that one belongs to the multipart + // boundary delimiter, not the content. Simply delaying the + // addition of implicit CRLFs until another chunk of content + // data comes in is a way to prevent the CRLF before the final + // message boundary from being accidentally added to the content. + delay_adding_implicit_CRLF = true; + } + else + { + DataOctet(CR); + DataOctet(LF); + } } } diff --git a/src/analyzer/protocol/mime/MIME.h b/src/analyzer/protocol/mime/MIME.h index 3e25a85360..a3ee45d071 100644 --- a/src/analyzer/protocol/mime/MIME.h +++ b/src/analyzer/protocol/mime/MIME.h @@ -173,6 +173,7 @@ protected: int data_buf_offset; MIME_Message* message; + bool delay_adding_implicit_CRLF; }; // The reason I separate MIME_Message as an abstract class is to diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc index 61ed1a4949..a835672378 100644 --- a/src/analyzer/protocol/smtp/SMTP.cc +++ b/src/analyzer/protocol/smtp/SMTP.cc @@ -21,7 +21,9 @@ static const char* smtp_cmd_word[] = { #include "SMTP_cmd.def" }; -#define SMTP_CMD_WORD(code) ((code >= 0) ? smtp_cmd_word[code] : "(UNKNOWN)") +static const char* unknown_cmd = "(UNKNOWN)"; + +#define SMTP_CMD_WORD(code) ((code >= 0) ? smtp_cmd_word[code] : unknown_cmd) SMTP_Analyzer::SMTP_Analyzer(Connection* conn) 
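Review bot: When the entity ends while `delay_adding_implicit_CRLF` is still true the pending CR/LF is simply never emitted, which is the intended outcome for the boundary delimiter, but nothing in the hunk says so and a reader of the end-of-entity path will wonder whether a flush was forgotten. Suggest a comment on the member in MIME.h along the lines of `// CRLF owed to the previous binary chunk; deliberately dropped if the entity ends first, since that CRLF belongs to the multipart boundary.` Note also that only `DecodeBinary` gets this treatment; parts that take the `DecodeDataLine` route named at the top of the hunk (non-binary transfer encodings) presumably still receive the boundary's CRLF, which would be worth a test case alongside the binary one.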
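Review bot: `SMTP_CMD_WORD` still guards only the lower bound, so any `code` at or beyond the number of entries generated from `SMTP_cmd.def` indexes past the end of `smtp_cmd_word`; if every caller derives `code` from that same table this is unreachable today, but the macro is the one place where the guarantee can be made explicit. Something like `#define SMTP_CMD_WORD(code) ((code >= 0 && code < (int)(sizeof(smtp_cmd_word)/sizeof(smtp_cmd_word[0]))) ? smtp_cmd_word[code] : unknown_cmd)` costs nothing and turns a potential out-of-bounds read on an unexpected command code into the `(UNKNOWN)` string. Hoisting `unknown_cmd` to a named constant is otherwise fine and lets `NewReply` below reuse it without the shadowing local.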
@@ -83,7 +85,7 @@ void SMTP_Analyzer::Undelivered(uint64 seq, int len, bool is_orig) if ( len <= 0 ) return; - const char* buf = fmt("seq = %"PRIu64", len = %d", seq, len); + const char* buf = fmt("seq = %" PRIu64", len = %d", seq, len); int buf_len = strlen(buf); Unexpected(is_orig, "content gap", buf_len, buf); @@ -422,7 +424,6 @@ void SMTP_Analyzer::NewReply(const int reply_code) if ( state == SMTP_AFTER_GAP && reply_code > 0 ) { state = SMTP_GAP_RECOVERY; - const char* unknown_cmd = SMTP_CMD_WORD(-1); RequestEvent(strlen(unknown_cmd), unknown_cmd, 0, ""); /* if ( line_after_gap ) diff --git a/src/analyzer/protocol/snmp/snmp-analyzer.pac b/src/analyzer/protocol/snmp/snmp-analyzer.pac index cc190e6ebe..feb4474feb 100644 --- a/src/analyzer/protocol/snmp/snmp-analyzer.pac +++ b/src/analyzer/protocol/snmp/snmp-analyzer.pac @@ -84,7 +84,7 @@ StringVal* asn1_oid_to_val(const ASN1Encoding* oid) if ( i > 0 ) { rval += "."; - snprintf(tmp, sizeof(tmp), "%"PRIu64, subidentifier_values[i]); + snprintf(tmp, sizeof(tmp), "%" PRIu64, subidentifier_values[i]); rval += tmp; } else diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index 72314dd45d..f5dd7aaf07 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc +++ b/src/analyzer/protocol/tcp/ContentLine.cc @@ -32,6 +32,7 @@ void ContentLine_Analyzer::InitState() seq_to_skip = 0; plain_delivery_length = 0; is_plain = 0; + suppress_weirds = false; InitBuffer(0); } @@ -258,7 +259,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) else { - if ( Conn()->FlagEvent(SINGULAR_LF) ) + if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_LF) ) Conn()->Weird("line_terminated_with_single_LF"); buf[offset++] = c; } 
@@ -277,7 +278,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) } if ( last_char == '\r' ) - if ( Conn()->FlagEvent(SINGULAR_CR) ) + if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_CR) ) Conn()->Weird("line_terminated_with_single_CR"); last_char = c; @@ -307,7 +308,7 @@ void ContentLine_Analyzer::CheckNUL() ; // Ignore it. else { - if ( Conn()->FlagEvent(NUL_IN_LINE) ) + if ( ! suppress_weirds && Conn()->FlagEvent(NUL_IN_LINE) ) Conn()->Weird("NUL_in_line"); flag_NULs = 0; } diff --git a/src/analyzer/protocol/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h index 93c473c47c..7a5a6b996e 100644 --- a/src/analyzer/protocol/tcp/ContentLine.h +++ b/src/analyzer/protocol/tcp/ContentLine.h @@ -15,6 +15,9 @@ public: ContentLine_Analyzer(Connection* conn, bool orig); ~ContentLine_Analyzer(); + void SupressWeirds(bool enable) + { suppress_weirds = enable; } + // If enabled, flag (first) line with embedded NUL. Default off. void SetIsNULSensitive(bool enable) { flag_NULs = enable; } @@ -96,6 +99,8 @@ protected: // Don't deliver further data. int skip_deliveries; + bool suppress_weirds; + // If true, flag (first) line with embedded NUL. unsigned int flag_NULs:1; diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index f9fb0fb2b7..88def89689 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -1901,7 +1901,7 @@ void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); - DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %"PRIu64", %p, %d) [%s%s]", + DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %" PRIu64", %p, %d) [%s%s]", len, is_orig ? "T" : "F", seq, ip, caplen, fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : ""); } 
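Review bot: The new public method is spelled `SupressWeirds` while the member it sets is `suppress_weirds`; this is a public header and the misspelling is already being baked into callers (HTTP.cc uses it in two places), so it is worth renaming to `SuppressWeirds` before it ships, `void SuppressWeirds(bool enable) { suppress_weirds = enable; }`. A one-line comment above it describing the scope would also help: it silences the `line_terminated_with_single_CR`, `line_terminated_with_single_LF` and `NUL_in_line` weirds until switched back off, and because the three `.cc` sites test the flag before `Conn()->FlagEvent(...)`, the short-circuit means those events are presumably not marked as seen while suppressed and will still be reported on the next occurrence once suppression is lifted.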
@@ -2053,7 +2053,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64 seq, int len, int caplen, num_rxmit_bytes += len; } - DEBUG_MSG("%.6f rexmit %"PRIu64" + %d <= %"PRIu64" data_in_flight = %d\n", + DEBUG_MSG("%.6f rexmit %" PRIu64" + %d <= %" PRIu64" data_in_flight = %d\n", network_time, seq, len, max_top_seq, data_in_flight); if ( tcp_rexmit ) diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index 0f7699011e..e00e32ef1b 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -188,7 +188,7 @@ void TCP_Reassembler::Undelivered(uint64 up_to_seq) if ( DEBUG_tcp_contents ) { - DEBUG_MSG("%.6f Undelivered: IsOrig()=%d up_to_seq=%"PRIu64", last_reassm=%"PRIu64", " + DEBUG_MSG("%.6f Undelivered: IsOrig()=%d up_to_seq=%" PRIu64", last_reassm=%" PRIu64", " "endp: FIN_cnt=%d, RST_cnt=%d, " "peer: FIN_cnt=%d, RST_cnt=%d\n", network_time, IsOrig(), up_to_seq, last_reassem_seq, @@ -219,7 +219,7 @@ void TCP_Reassembler::Undelivered(uint64 up_to_seq) { if ( DEBUG_tcp_contents ) { - DEBUG_MSG("%.6f Undelivered: IsOrig()=%d, seq=%"PRIu64", len=%"PRIu64", " + DEBUG_MSG("%.6f Undelivered: IsOrig()=%d, seq=%" PRIu64", len=%" PRIu64", " "skip_deliveries=%d\n", network_time, IsOrig(), last_reassem_seq, up_to_seq - last_reassem_seq, @@ -350,7 +350,7 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f) void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f) { - if ( f->Write(fmt("\n<>\n", upper_seq - start_seq)) ) + if ( f->Write(fmt("\n<>\n", upper_seq - start_seq)) ) return; reporter->Error("TCP_Reassembler contents gap write failed"); 
@@ -420,7 +420,7 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block) void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n) { if ( DEBUG_tcp_contents ) - DEBUG_MSG("%.6f TCP contents overlap: %"PRIu64" IsOrig()=%d\n", network_time, n, IsOrig()); + DEBUG_MSG("%.6f TCP contents overlap: %" PRIu64" IsOrig()=%d\n", network_time, n, IsOrig()); if ( rexmit_inconsistency && memcmp((const void*) b1, (const void*) b2, n) && @@ -465,7 +465,7 @@ int TCP_Reassembler::DataSent(double t, uint64 seq, int len, if ( DEBUG_tcp_contents ) { - DEBUG_MSG("%.6f DataSent: IsOrig()=%d seq=%"PRIu64" upper=%"PRIu64" ack=%"PRIu64"\n", + DEBUG_MSG("%.6f DataSent: IsOrig()=%d seq=%" PRIu64" upper=%" PRIu64" ack=%" PRIu64"\n", network_time, IsOrig(), seq, upper_seq, ack); } diff --git a/src/cq.c b/src/cq.c index c5405e526a..8005544400 100644 --- a/src/cq.c +++ b/src/cq.c @@ -357,7 +357,7 @@ cq_remove(register struct cq_handle *hp, register double pri, /* The priority must be positive and the cookie non-null */ if (pri <= 0.0 || cookie == NULL) - return (-0); + return (0); bp = hp->buckets + PRI2BUCKET(hp, pri); if (! BUCKETINUSE(bp)) @@ -370,7 +370,7 @@ cq_remove(register struct cq_handle *hp, register double pri, } if ( ! bp ) - return (-0); + return (0); /* Unlink entry */ if ( ! bp2 ) { diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index eaf85bbfa4..527dadd393 100644 --- a/src/iosource/PktSrc.cc +++ b/src/iosource/PktSrc.cc @@ -506,6 +506,7 @@ bool PktSrc::ApplyBPFFilter(int index, const struct pcap_pkthdr *hdr, const u_ch { Error(fmt("BPF filter %d not compiled", index)); Close(); + return false; } if ( code->MatchesAnything() ) diff --git a/src/iosource/PktSrc.h b/src/iosource/PktSrc.h index 9c05115257..7137798129 100644 --- a/src/iosource/PktSrc.h +++ b/src/iosource/PktSrc.h @@ -266,7 +266,11 @@ protected: Properties() { + selectable_fd = -1; + link_type = -1; + hdr_size = -1; netmask = PCAP_NETMASK_UNKNOWN; + is_live = false; } }; 
diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc index e96933aaa6..72b19b2f14 100644 --- a/src/iosource/pcap/Source.cc +++ b/src/iosource/pcap/Source.cc @@ -21,6 +21,9 @@ PcapSource::PcapSource(const std::string& path, bool is_live) { props.path = path; props.is_live = is_live; + pd = 0; + memset(¤t_hdr, 0, sizeof(current_hdr)); + memset(&last_hdr, 0, sizeof(last_hdr)); last_data = 0; } diff --git a/src/main.cc b/src/main.cc index 63949c5093..15aea3d3fe 100644 --- a/src/main.cc +++ b/src/main.cc @@ -775,6 +775,9 @@ int main(int argc, char** argv) // DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key)); init_hash_function(); + // Must come after hash initialization. + binpac::init(); + ERR_load_crypto_strings(); OPENSSL_add_all_algorithms_conf(); SSL_library_init(); diff --git a/src/parse.y b/src/parse.y index 0289184055..83760dbbf0 100644 --- a/src/parse.y +++ b/src/parse.y @@ -127,7 +127,11 @@ static void parser_new_enum (void) { /* Starting a new enum definition. */ assert(cur_enum_type == NULL); - cur_enum_type = new EnumType(cur_decl_type_id->Name()); + + if ( cur_decl_type_id ) + cur_enum_type = new EnumType(cur_decl_type_id->Name()); + else + reporter->FatalError("incorrect syntax for enum type declaration"); } static void parser_redef_enum (ID *id) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index ab0b85676b..2ca34d94f3 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -172,7 +172,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ // Load {bif,scripts}/__load__.bro automatically. - string init = dir + "lib/bif/__load__.bro"; + string init = dir + "scripts/__load__.bro"; if ( is_file(init) ) { @@ -180,7 +180,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ scripts_to_load.push_back(init); } - init = dir + "scripts/__load__.bro"; + init = dir + "lib/bif/__load__.bro"; if ( is_file(init) ) { 
diff --git a/testing/btest/Baseline/doc.sphinx.data_struct_vector_declaration/btest-doc.sphinx.data_struct_vector_declaration#1 b/testing/btest/Baseline/doc.sphinx.data_struct_vector_declaration/btest-doc.sphinx.data_struct_vector_declaration#1 index d6e63d72ba..e8bb16ee00 100644 --- a/testing/btest/Baseline/doc.sphinx.data_struct_vector_declaration/btest-doc.sphinx.data_struct_vector_declaration#1 +++ b/testing/btest/Baseline/doc.sphinx.data_struct_vector_declaration/btest-doc.sphinx.data_struct_vector_declaration#1 @@ -7,6 +7,6 @@ # bro data_struct_vector_declaration.bro contents of v1: [1, 2, 3, 4] length of v1: 4 - contents of v1: [1, 2, 3, 4] + contents of v2: [1, 2, 3, 4] length of v2: 4 diff --git a/testing/btest/Baseline/doc.sphinx.data_type_pattern/btest-doc.sphinx.data_type_pattern#1 b/testing/btest/Baseline/doc.sphinx.data_type_pattern/btest-doc.sphinx.data_type_pattern#1 index 99281b205e..a05d4cdabc 100644 --- a/testing/btest/Baseline/doc.sphinx.data_type_pattern/btest-doc.sphinx.data_type_pattern#1 +++ b/testing/btest/Baseline/doc.sphinx.data_type_pattern/btest-doc.sphinx.data_type_pattern#1 @@ -6,6 +6,6 @@ # bro data_type_pattern_01.bro The - brown fox jumped over the + brown fox jumps over the dog. diff --git a/testing/btest/Baseline/language.vector-in-operator/out b/testing/btest/Baseline/language.vector-in-operator/out new file mode 100644 index 0000000000..5d4600a188 --- /dev/null +++ b/testing/btest/Baseline/language.vector-in-operator/out @@ -0,0 +1,11 @@ +[zero, one, , , , five, , seven] +vec[0] = zero.exe +vec[1] = one.exe +vec[2] = +vec[3] = +vec[4] = +vec[5] = five.exe +vec[6] = +vec[7] = seven.exe +vec[8] = +vec[9] = diff --git a/testing/btest/Baseline/language.when-unitialized-rhs/out b/testing/btest/Baseline/language.when-unitialized-rhs/out new file mode 100644 index 0000000000..620b384da2 --- /dev/null +++ b/testing/btest/Baseline/language.when-unitialized-rhs/out 
@@ -0,0 +1,38 @@ +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.bro, line 9: value used but not set (crashMe) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.bro, line 14: value used but not set (x) +1 +2 +3 +4 +5 +6 +7 +8 +9 +10 +2nd when stmt executing, 999 +1st when stmt executing, not anymore you don't +11 +12 +13 +14 +15 +16 +17 +18 +19 +20 +21 +22 +23 +24 +25 +26 +27 +28 +29 +30 +31 +32 +33 +34 diff --git a/testing/btest/Baseline/plugins.api-version-mismatch/output b/testing/btest/Baseline/plugins.api-version-mismatch/output index 806623cd02..1e4dae5e65 100644 --- a/testing/btest/Baseline/plugins.api-version-mismatch/output +++ b/testing/btest/Baseline/plugins.api-version-mismatch/output @@ -1 +1 @@ -fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/master/testing/btest/.tmp/plugins.api-version-mismatch//lib/Demo-Foo.linux-x86_64.so) +fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/master/testing/btest/.tmp/plugins.api-version-mismatch//lib/XXX) diff --git a/testing/btest/Baseline/plugins.bifs-and-scripts-install/output b/testing/btest/Baseline/plugins.bifs-and-scripts-install/output index f03cfddc81..62e53550a1 100644 --- a/testing/btest/Baseline/plugins.bifs-and-scripts-install/output +++ b/testing/btest/Baseline/plugins.bifs-and-scripts-install/output @@ -3,5 +3,5 @@ Demo::Foo - (dynamic, version 1.0) [Event] plugin_event plugin: automatically loaded at startup -calling bif, Hello from the plugin! plugin: manually loaded +calling bif, Hello from the plugin! diff --git a/testing/btest/Baseline/plugins.bifs-and-scripts/output b/testing/btest/Baseline/plugins.bifs-and-scripts/output index 47dd6ed430..89a783241d 100644 
--- a/testing/btest/Baseline/plugins.bifs-and-scripts/output +++ b/testing/btest/Baseline/plugins.bifs-and-scripts/output @@ -4,21 +4,19 @@ Demo::Foo - (dynamic, version 1.0) === plugin: automatically loaded at startup -calling bif, Hello from the plugin! === plugin: automatically loaded at startup -calling bif, Hello from the plugin! plugin: manually loaded +calling bif, Hello from the plugin! =-= =-= === plugin: automatically loaded at startup +=== +plugin: automatically loaded at startup +plugin: manually loaded calling bif, Hello from the plugin! === plugin: automatically loaded at startup -calling bif, Hello from the plugin! plugin: manually loaded -=== -plugin: automatically loaded at startup calling bif, Hello from the plugin! -plugin: manually loaded diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/1-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/1-file index 77356c3140..30d74d2584 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/1-file +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/1-file @@ -1 +1 @@ -test +test \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/2-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/2-file index ac2a9e002d..d606037cb2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/2-file +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/2-file @@ -1 +1 @@ -test2 +test2 \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/3-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/3-file index ae48ec8c20..29f446afe2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/3-file 
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/3-file @@ -1 +1 @@ -test3 +test3 \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out index b22c8fe886..0bf8d6a0c9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out 
@@ -1,39 +1,39 @@ FILE_NEW file #0, 0, 0 FILE_BOF_BUFFER -test^M^J +test FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE -file #0, 6, 0 +file #0, 4, 0 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] source: HTTP -MD5: 9f06243abcb89c70e0c331c61d871fa7 -SHA1: fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4 -SHA256: 837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b +MD5: 098f6bcd4621d373cade4e832627b4f6 +SHA1: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 +SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 FILE_NEW file #1, 0, 0 FILE_BOF_BUFFER -test2^M^J +test2 FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE -file #1, 7, 0 +file #1, 5, 0 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] source: HTTP -MD5: d68af81ef370b3873d50f09140068810 -SHA1: 51a7b6f2d91f6a87822dc04560f2972bc14fc97e -SHA256: de0edd0ac4a705aff70f34734e90a1d0a1d8b76abe4bb53f3ea934bc105b3b17 +MD5: ad0234829205b9033196ba818f7a872b +SHA1: 109f4b3c50d7b0df729d299bc6f8e9ef9066971f +SHA256: 60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752 FILE_NEW file #2, 0, 0 FILE_BOF_BUFFER -test3^M^J +test3 FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE -file #2, 7, 0 +file #2, 5, 0 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] source: HTTP -MD5: 1a3d75d44753ad246f0bd333cdaf08b0 -SHA1: 4f98809ab09272dfcc58266e3f23ae2393f70e76 -SHA256: 018c67a2c30ed9977e1dddfe98cac542165dac355cf9764c91a362613e752933 +MD5: 8ad8757baa8564dc136c1e07507f4a98 +SHA1: 3ebfa301dc59196f18593c45e519287a23297589 +SHA256: fd61a03af4f77d870fc21e05e7e80678095c92d808cfb3b5c279ee04c74aca13 FILE_NEW file #3, 0, 0 FILE_BOF_BUFFER diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out index 1d54e9a2ac..44c240c7ee 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out 
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out @@ -6,12 +6,12 @@ MIME_TYPE text/plain FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE -file #0, 79, 0 +file #0, 77, 0 [orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp] source: SMTP -MD5: 92bca2e6cdcde73647125da7dccbdd07 -SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13 -SHA256: 785a8a044d1454ec88837108f443bbb30cc4f529393ffd57118261036bfe59f5 +MD5: 58aff3af22807bc5f4b6357c0038256c +SHA1: c39dc8cd0f8d8b1f7fc8b362c41e69fdf20f668a +SHA256: 8d057f3af311c20675eea767a9df5fa31ff3597c6d5d50fd0cdc34766c40204d FILE_NEW file #1, 0, 0 FILE_BOF_BUFFER diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/thefile0 b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/thefile0 index f4dd7d22f4..0b84e1fd86 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/thefile0 +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/thefile0 @@ -10,4 +10,3 @@ Find the attachment GPS - diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log index 5fb15d53ae..130ca05bca 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path ssl -#open 2014-04-26-16-44-47 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer -#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string -1348168976.508038 CXWv6p3arKYeMETxOg 192.168.57.103 60108 192.168.57.101 2811 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - - - T FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid -1348168976.551422 CjhGID4nQcgTWjvg4c 192.168.57.103 35391 192.168.57.101 55968 TLSv10 TLS_RSA_WITH_NULL_SHA - - - - T F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3 FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid -#close 2014-04-26-16-44-47 +#open 2014-08-08-17-13-20 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1348168976.508038 CXWv6p3arKYeMETxOg 192.168.57.103 60108 192.168.57.101 2811 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - F - 
- T FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid +1348168976.551422 CjhGID4nQcgTWjvg4c 192.168.57.103 35391 192.168.57.101 55968 TLSv10 TLS_RSA_WITH_NULL_SHA - - F - - T F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3 FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid +#close 2014-08-08-17-13-20 diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log index 1eab1092ed..632dcddfb0 100644 --- a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log +++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ssl -#open 2014-05-15-17-23-07 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer -#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string -1400173552.424910 CXWv6p3arKYeMETxOg 192.168.4.149 54775 192.168.4.149 110 TLSv12 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - - - - T FEdAw24VSam39HNlY5 (empty) emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE - - -#close 2014-05-15-17-23-07 +#open 2014-08-08-17-13-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1400173552.424910 CXWv6p3arKYeMETxOg 192.168.4.149 54775 192.168.4.149 110 TLSv12 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - - F - - T FEdAw24VSam39HNlY5 (empty) emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE - - +#close 2014-08-08-17-13-27 diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/ssl.log index cec018c589..5e9aa80cb5 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/ssl.log +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.starttls/ssl.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ssl -#open 2014-05-15-16-56-36 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer -#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string -1400168397.019290 CXWv6p3arKYeMETxOg 192.168.4.149 54170 74.125.142.26 25 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - T FUE0dj3SWjQASC0bk3,FbPkr51wrSMIUT5Hib,FVW1o23Jjs8yenOhzb (empty) CN=mx.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - -#close 2014-05-15-16-56-36 +#open 2014-08-08-17-13-38 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1400168397.019290 CXWv6p3arKYeMETxOg 192.168.4.149 54170 74.125.142.26 25 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - F - - T FUE0dj3SWjQASC0bk3,FbPkr51wrSMIUT5Hib,FVW1o23Jjs8yenOhzb (empty) CN=mx.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - +#close 2014-08-08-17-13-38 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log index 7834e74868..bea2210a13 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ssl -#open 2014-04-26-16-45-01 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer -#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string -1335538392.319381 CXWv6p3arKYeMETxOg 192.168.1.105 62045 74.125.224.79 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 ssl.gstatic.com - - T F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h (empty) CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US - - -#close 2014-04-26-16-45-01 +#open 2014-08-08-17-13-42 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1335538392.319381 CXWv6p3arKYeMETxOg 192.168.1.105 62045 74.125.224.79 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 ssl.gstatic.com F - - T F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h (empty) CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US - - +#close 2014-08-08-17-13-42 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log index 652f3b3df7..0eb4ee4100 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log 
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path ssl
-#open 2014-04-27-00-52-03
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
-#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string
-1398558136.319509 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - -
-#close 2014-04-27-00-52-03
+#open 2014-08-08-17-13-45
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1398558136.319509 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - F - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - -
+#close 2014-08-08-17-13-45
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log
index 66ea42be70..2571efbbff 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path ssl
-#open 2014-04-26-16-39-57
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
-#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string
-1398529018.678827 CXWv6p3arKYeMETxOg 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
-#close 2014-04-26-16-39-57
+#open 2014-08-08-17-13-48
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1398529018.678827 CXWv6p3arKYeMETxOg 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
+#close 2014-08-08-17-13-48
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
index 082106e89e..1bee20aaff 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path ssl
-#open 2014-04-26-16-45-16
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
-#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string
-1393957586.786031 CXWv6p3arKYeMETxOg 192.168.4.149 53525 74.125.239.37 443 - - - - - handshake_failure F - - - - - -
-#close 2014-04-26-16-45-16
+#open 2014-08-08-17-13-53
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1393957586.786031 CXWv6p3arKYeMETxOg 192.168.4.149 53525 74.125.239.37 443 - - - - F handshake_failure - F - - - - - -
+#close 2014-08-08-17-13-53
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
index ab1345d0cc..4e51c53d27 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path ssl
-#open 2014-04-26-16-45-09
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
-#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string
-1357328848.549370 CXWv6p3arKYeMETxOg 10.0.0.80 56637 68.233.76.12 443 TLSv12 TLS_RSA_WITH_RC4_128_MD5 - - - - T FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh (empty) CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - -
-#close 2014-04-26-16-45-09
+#open 2014-08-08-17-13-51
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1357328848.549370 CXWv6p3arKYeMETxOg 10.0.0.80 56637 68.233.76.12 443 TLSv12 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh (empty) CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - -
+#close 2014-08-08-17-13-51
diff --git a/testing/btest/Baseline/scripts.base.utils.active-http/bro..stdout b/testing/btest/Baseline/scripts.base.utils.active-http/bro..stdout
deleted file mode 100644
index 0284eb19b3..0000000000
--- a/testing/btest/Baseline/scripts.base.utils.active-http/bro..stdout
+++ /dev/null
@@ -1,5 +0,0 @@
-[code=200, msg=OK^M, body=It works!, headers={
-[Server] = 1.0,
-[Content-type] = text/plain,
-[Date] = July 22, 2013
-}]
diff --git a/testing/btest/Baseline/scripts.base.utils.active-http/output b/testing/btest/Baseline/scripts.base.utils.active-http/output
new file mode 100644
index 0000000000..43b13ff29a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.utils.active-http/output
@@ -0,0 +1,10 @@
+[Content-type] = text/plain,
+[Content-type] = text/plain,
+[Date] = July 22, 2013
+[Date] = July 22, 2013
+[Server] = 1.0,
+[Server] = 1.0,
+test1, [code=200, msg=OK^M, body=It works!, headers={
+test2, [code=200, msg=OK^M, body=, headers={
+}]
+}]
diff --git a/testing/btest/Baseline/scripts.base.utils.exec/bro..stdout b/testing/btest/Baseline/scripts.base.utils.exec/bro..stdout
index 3cfdaafb4c..043e1d4baa 100644
--- a/testing/btest/Baseline/scripts.base.utils.exec/bro..stdout
+++ b/testing/btest/Baseline/scripts.base.utils.exec/bro..stdout
@@ -1,6 +1,10 @@
+test2, [exit_code=1, signal_exit=F, stdout=[here's something on stdout, some more stdout, last stdout], stderr=[and some stderr, more stderr, last stderr], files=]
 test1, [exit_code=0, signal_exit=F, stdout=[done, exit, stop], stderr=, files={
 [out1] = [insert text here, and here],
 [out2] = [insert more text here, and there]
 }]
-test2, [exit_code=1, signal_exit=F, stdout=[here's something on stdout, some more stdout, last stdout], stderr=[and some stderr, more stderr, last stderr], files=]
 test4, [exit_code=0, signal_exit=F, stdout=[hibye], stderr=, files=]
+test5, [exit_code=0, signal_exit=F, stdout=, stderr=, files={
+[out4] = [test],
+[out3] = []
+}]
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index e0a29d4501..e6679c2bd8 100644
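Review bot: In scripts.base.utils.exec/bro..stdout the `test2` line moves above `test1`, and the new `test5` block prints `[out4]` before `[out3]`, which suggests this baseline records whichever order the results happen to complete and iterate in rather than a canonical order; that is the same kind of instability the neighbouring active-http test was just fixed for, whose new `output` baseline is visibly sorted. Sorting the exec test's output before `btest-diff`, as active-http now does, would make the expected file order-independent. This is inferred from the baseline alone; the test script itself is not part of this diff.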
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -305,15 +305,15 @@ [2] is_orig: bool = T 1254722770.692743 file_new - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] 1254722770.692743 file_over_new_connection - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, 
x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, 
last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692743 file_state_remove - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, 
msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log index b09bd04350..031f205aab 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log 
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path ssl
-#open 2014-04-27-06-48-05
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
-#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string
-1394747126.855035 CXWv6p3arKYeMETxOg 192.168.4.149 60623 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - T FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
-1394747129.505622 CjhGID4nQcgTWjvg4c 192.168.4.149 60624 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - T FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
-#close 2014-04-27-06-48-05
+#open 2014-08-08-17-13-55
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1394747126.855035 CXWv6p3arKYeMETxOg 192.168.4.149 60623 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - F - - T FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
+1394747129.505622 CjhGID4nQcgTWjvg4c 192.168.4.149 60624 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - F - - T FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
+#close 2014-08-08-17-13-55
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
index 7965e3be89..a464c64670 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path ssl
-#open 2014-04-26-16-45-32
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status
-#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string
-1394745602.951961 CXWv6p3arKYeMETxOg 192.168.4.149 60539 87.98.220.10 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - - - - T F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl (empty) CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - certificate has expired
-1394745618.791420 CjhGID4nQcgTWjvg4c 192.168.4.149 60540 122.1.240.204 443 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - - - T F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h (empty) CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - ok
-#close 2014-04-26-16-45-32
+#open 2014-08-08-17-13-58
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
+1394745602.951961 CXWv6p3arKYeMETxOg 192.168.4.149 60539 87.98.220.10 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - - F - - T F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl (empty) CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - certificate has expired
+1394745618.791420 CjhGID4nQcgTWjvg4c 192.168.4.149 60540 122.1.240.204 443 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - F - - T F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h (empty) CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - ok
+#close 2014-08-08-17-13-58
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-digicert.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-digicert.log
index bb0a25ac0c..fbf18207cd 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-digicert.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-digicert.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path ssl
-#open 2014-09-04-19-17-18
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
-#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string
-1404148886.994021 CXWv6p3arKYeMETxOg 192.168.4.149 51293 72.21.91.29 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 - - - T FhwjYM0FkbvVCvMf2,Fajs2d2lipsadwoK1h (empty) CN=www.digicert.com,O=DigiCert\, Inc.,L=Lehi,ST=Utah,C=US,postalCode=84043,street=2600 West Executive Parkway,street=Suite 500,serialNumber=5299537-0142,1.3.6.1.4.1.311.60.2.1.2=#130455746168,1.3.6.1.4.1.311.60.2.1.3=#13025553,businessCategory=Private Organization CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - good
-#close 2014-09-04-19-17-18
+#open 2014-10-21-18-37-44
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
+1404148886.994021 CXWv6p3arKYeMETxOg 192.168.4.149 51293 72.21.91.29 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 - F - - T FhwjYM0FkbvVCvMf2,Fajs2d2lipsadwoK1h (empty) CN=www.digicert.com,O=DigiCert\, Inc.,L=Lehi,ST=Utah,C=US,postalCode=84043,street=2600 West Executive Parkway,street=Suite 500,serialNumber=5299537-0142,1.3.6.1.4.1.311.60.2.1.2=#130455746168,1.3.6.1.4.1.311.60.2.1.3=#13025553,businessCategory=Private Organization CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - good
+#close 2014-10-21-18-37-44
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-twimg.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-twimg.log
index 4806744a5c..16c2e35a39 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-twimg.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-twimg.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path ssl
-#open 2014-09-04-19-17-14
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
-#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string
-1409786981.016881 CXWv6p3arKYeMETxOg 192.168.4.149 53106 93.184.216.146 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 - - - T FtaZVlJfywdNmVFr1,FoILekwkdtTuZtlVa (empty) CN=si0.twimg.com,O=Twitter\, Inc.,L=San Francisco,ST=California,C=US CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US - - good
-#close 2014-09-04-19-17-14
+#open 2014-10-21-18-37-33
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
+1409786981.016881 CXWv6p3arKYeMETxOg 192.168.4.149 53106 93.184.216.146 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 - F - - T FtaZVlJfywdNmVFr1,FoILekwkdtTuZtlVa (empty) CN=si0.twimg.com,O=Twitter\, Inc.,L=San Francisco,ST=California,C=US CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US - - good
+#close 2014-10-21-18-37-33
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
index 33b589d9ac..7fc4b5c636 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path ssl
-#open 2014-05-30-22-37-19
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
-#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string
-1398367809.790512 CXWv6p3arKYeMETxOg 192.168.4.149 56253 131.253.61.82 443 TLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp384r1 - - - T Fr1vuhmDOykX05Vj1,FlFGqI1PyTt7Vuo8E9,FSASzpV1NMIvbQ1W9 (empty) CN=login.live.com,OU=MSA,O=Microsoft Corporation,street=1 Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553 CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - good
-#close 2014-05-30-22-37-19
+#open 2014-08-08-17-14-03
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
+1398367809.790512 CXWv6p3arKYeMETxOg 192.168.4.149 56253 131.253.61.82 443 TLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp384r1 - F - - T Fr1vuhmDOykX05Vj1,FlFGqI1PyTt7Vuo8E9,FSASzpV1NMIvbQ1W9 (empty) CN=login.live.com,OU=MSA,O=Microsoft Corporation,street=1 Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553 
CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - good
+#close 2014-08-08-17-14-03
diff --git a/testing/btest/coverage/find-bro-logs.test b/testing/btest/coverage/find-bro-logs.test
index ffde5b8225..ce63078698 100644
--- a/testing/btest/coverage/find-bro-logs.test
+++ b/testing/btest/coverage/find-bro-logs.test
@@ -9,6 +9,11 @@ BROSCRIPTS=${DIST}/scripts
+if [ ! -d "${BROSCRIPTS}" ]; then
+ echo "Directory not found: ${BROSCRIPTS}" 1>&2
+ exit 1
+fi
+
 # For a given Bro script, look for a call to "create_stream". If found,
 # extract the log ID (adding the module name if necessary), and print the
 # log ID and script filename.
@@ -33,7 +38,12 @@ cat << '_EOF_' > find_logid.awk
 }
 _EOF_
-find ${BROSCRIPTS} -type f -exec awk -f find_logid.awk {} \; > out.logid
+find -L ${BROSCRIPTS} -type f -exec awk -f find_logid.awk {} \; > out.logid
+
+if [ ! -s out.logid ]; then
+ echo "Did not find Bro scripts in directory: ${BROSCRIPTS}" 1>&2
+ exit 1
+fi
 # For each log ID, have Bro convert it to the corresponding log filename
 # using the default mechanism for generating a log filename (we must load
diff --git a/testing/btest/language/vector-in-operator.bro b/testing/btest/language/vector-in-operator.bro
new file mode 100644
index 0000000000..5936145363
--- /dev/null
+++ b/testing/btest/language/vector-in-operator.bro
@@ -0,0 +1,17 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+local ten = "0123456789";
+local vec: vector of string = { "zero", "one" };
+local n = 0;
+vec[5] = "five";
+vec[7] = "seven";
+print vec;
+vec = vec + ".exe";
+
+for ( c in ten )
+ {
+ local is_set: bool = (n in vec);
+ print fmt("vec[%s] = %s", n, is_set ? vec[n] : "");
+ ++n;
+ }
diff --git a/testing/btest/language/when-unitialized-rhs.bro b/testing/btest/language/when-unitialized-rhs.bro
new file mode 100644
index 0000000000..21b94c6e02
--- /dev/null
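Review bot: In the second hunk, `find -L ${BROSCRIPTS} -type f ...` leaves `${BROSCRIPTS}` unquoted, while the guard added in the first hunk quotes it as `"${BROSCRIPTS}"`; a DIST path containing whitespace passes the `-d` test and is then word-split by find. Quote it the same way: `find -L "${BROSCRIPTS}" -type f -exec awk -f find_logid.awk {} \; > out.logid`. The new `-s out.logid` check is a good addition, since `find -L` on a directory of dangling symlinks would otherwise yield an empty list silently; a short comment above it, `# fail loudly if no create_stream calls were found (empty output)`, would make the intent clear.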
+++ b/testing/btest/language/when-unitialized-rhs.bro
@@ -0,0 +1,32 @@
+# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+global crashMe: function(): string;
+global x: int;
+
+event bro_init()
+ {
+ when( local result = crashMe() )
+ {
+ print "1st when stmt executing", result;
+ }
+
+ when( local other_result = x )
+ {
+ print "2nd when stmt executing", other_result;
+ }
+ }
+
+global conn_count = 0;
+
+event new_connection(c: connection)
+ {
+ ++conn_count;
+ print conn_count;
+
+ if ( conn_count == 10 )
+ {
+ x = 999;
+ crashMe = function(): string { return "not anymore you don't"; };
+ }
+ }
diff --git a/testing/btest/language/when.bro b/testing/btest/language/when.bro
index 84c1f06cef..d996d1c026 100644
--- a/testing/btest/language/when.bro
+++ b/testing/btest/language/when.bro
@@ -8,13 +8,25 @@ event bro_init()
 {
- local h1: addr = 127.0.0.1;
+ local h: addr = 127.0.0.1;
- when ( local h1name = lookup_addr(h1) )
+ when ( local hname = lookup_addr(h) )
 {
 print "lookup successful";
 terminate();
 }
+ timeout 10sec
+ {
+ print "timeout (1)";
+ }
+
+ local to = 5sec;
+ # Just checking that timeouts can use arbitrary expressions...
+ when ( local hname2 = lookup_addr(h) ) {}
+ timeout to {}
+ when ( local hname3 = lookup_addr(h) ) {}
+ timeout to + 2sec {}
+
 print "done";
 }
diff --git a/testing/btest/plugins/api-version-mismatch.sh b/testing/btest/plugins/api-version-mismatch.sh
index c584e2c61e..cfb4269946 100644
--- a/testing/btest/plugins/api-version-mismatch.sh
+++ b/testing/btest/plugins/api-version-mismatch.sh
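Review bot: Nothing in the new when-unitialized-rhs.bro says what it guards against; a reader sees two `when` conditions on `crashMe` and `x` and has to infer from the identifier `crashMe` and the file name that the point is a `when` whose right-hand side is not yet initialized at bro_init. Add a comment after the @TEST-EXEC lines, e.g. `# Regression test: both when-conditions reference values (a function and a global) that are unset until the 10th new_connection; Bro must not crash evaluating them before then.` The test also relies on wikipedia.trace carrying at least 10 connections, which is presumably true but worth stating in that comment. The file name misspells "uninitialized"; renaming it to `when-uninitialized-rhs.bro` before it lands avoids a permanent typo in the test id.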
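Review bot: The new `timeout 10sec` branch on the first `when` in when.bro prints "timeout (1)" but, unlike the success branch two lines above it, does not call `terminate()`, so a slow or failing reverse lookup of 127.0.0.1 leaves the run to end by Bro's own idle shutdown and the output diverges from the baseline with no explicit end. Add `terminate();` after `print "timeout (1)";` so both outcomes end the run the same way. The empty `timeout to {}` and `timeout to + 2sec {}` bodies look intentional (only the expression forms are exercised); extending the comment above them to `# Just checking that timeouts can use arbitrary expressions (bodies intentionally empty)...` would stop a later reader from "fixing" them. bro_init's opening line is just above the hunk.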
@@ -1,7 +1,8 @@ # @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo # @TEST-EXEC: bash %INPUT # @TEST-EXEC: ./configure --bro-dist=${DIST} && make -# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output 2>&1 +# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >tmp 2>&1 +# @TEST-EXEC: cat tmp | sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' >>output # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output ( echo '#define BRO_PLUGIN_API_VERSION 42'; cat src/Plugin.cc; ) >src/Plugin.cc.tmp && mv src/Plugin.cc.tmp src/Plugin.cc diff --git a/testing/btest/plugins/bifs-and-scripts-install.sh b/testing/btest/plugins/bifs-and-scripts-install.sh index 158f5fc01f..627eb0f2c5 100644 --- a/testing/btest/plugins/bifs-and-scripts-install.sh +++ b/testing/btest/plugins/bifs-and-scripts-install.sh @@ -21,6 +21,7 @@ cat >scripts/demo/foo/manually.bro <scripts/demo/foo/base/at-startup.bro <scripts/demo/foo/manually.bro <scripts/demo/foo/base/at-startup.bro <output +# @TEST-EXEC: btest-diff output @load base/utils/active-http @load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; -event bro_init() - { - local req = ActiveHTTP::Request($url="127.0.0.1:32123"); +global c: count = 0; - when ( local resp = ActiveHTTP::request(req) ) - { - print resp; +function check_exit_condition() + { + c += 1; + + if ( c == 2 ) terminate(); + } + +function test_request(label: string, req: ActiveHTTP::Request) + { + when ( local response = ActiveHTTP::request(req) ) + { + print label, response; + check_exit_condition(); } timeout 1min { print "HTTP request timeout"; - terminate(); + check_exit_condition(); } } + +event bro_init() + { + test_request("test1", [$url="127.0.0.1:32123"]); + test_request("test2", [$url="127.0.0.1:32123/empty", $method="POST"]); + } 
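Review bot: `cat tmp | sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' >>output` pipes a single file through cat where sed reads it directly; `# @TEST-EXEC: sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' tmp >>output` does the same with one process and no pipeline. Since the line before it is `@TEST-EXEC-FAIL` (bro is expected to exit non-zero), capturing to `tmp` and normalizing in a separate plain `@TEST-EXEC` step is the right split; a one-line comment such as `# normalize the build-specific plugin name so the baseline is stable` would explain why the substitution exists at all.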
diff --git a/testing/btest/scripts/base/utils/exec.test b/testing/btest/scripts/base/utils/exec.test
index 33ba10f97a..389527bcfc 100644
--- a/testing/btest/scripts/base/utils/exec.test
+++ b/testing/btest/scripts/base/utils/exec.test
@@ -14,7 +14,7 @@ function check_exit_condition()
 {
 c += 1;
- if ( c == 3 )
+ if ( c == 4 )
 terminate();
 }
@@ -35,6 +35,8 @@ event bro_init()
 # Not sure of a portable way to test signals yet.
 #test_cmd("test3", [$cmd="bash ../suicide.sh"]);
 test_cmd("test4", [$cmd="bash ../stdin.sh", $stdin="hibye"]);
+ test_cmd("test5", [$cmd="bash ../empty_file.sh",
+ $read_files=set("out3", "out4")]);
 }
 @TEST-END-FILE
@@ -73,3 +75,9 @@ echo "nope"
 read -r line
 echo "$line"
 @TEST-END-FILE
+
+@TEST-START-FILE empty_file.sh
+#! /usr/bin/env bash
+touch out3
+echo "test" > out4
+@TEST-END-FILE
diff --git a/testing/scripts/httpd.py b/testing/scripts/httpd.py
index 0732614bc2..feafa70d56 100755
--- a/testing/scripts/httpd.py
+++ b/testing/scripts/httpd.py
@@ -2,13 +2,28 @@
 import BaseHTTPServer
 
+
 class MyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 def do_GET(self):
 self.send_response(200)
 self.send_header("Content-type", "text/plain")
 self.end_headers()
- self.wfile.write("It works!")
+
+ if "/empty" in self.path:
+ self.wfile.write("")
+ else:
+ self.wfile.write("It works!")
+
+ def do_POST(self):
+ self.send_response(200)
+ self.send_header("Content-type", "text/plain")
+ self.end_headers()
+
+ if "/empty" in self.path:
+ self.wfile.write("")
+ else:
+ self.wfile.write("It works!")
 
 def version_string(self):
 return "1.0"
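Review bot: The `c == 3` → `c == 4` change in the first exec.test hunk and the new test5 call in the second are one logical change, but nothing at either site ties them together, so the next person adding a test has to rediscover that the counter must be bumped. A comment on the new call would do it: `# test5: $read_files with an empty file (out3) and a non-empty one (out4); raises the expected completion count in check_exit_condition to 4`. The helper `empty_file.sh` in the third hunk writes out3/out4 into the working directory like the other helper scripts, which is what `$read_files` expects; that seems consistent, though the read-back of an empty file is presumably the behaviour under test and is worth naming in the same comment. bro_init's opening line is just above the second hunk.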