Merge remote-tracking branch 'origin/master' into topic/seth/mime-updates

Conflicts:
	testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
Seth Hall 2014-11-05 10:57:57 -05:00
commit efdfef7970
89 changed files with 671 additions and 224 deletions

112
CHANGES

@ -1,4 +1,116 @@
2.3-278 | 2014-11-03 18:55:18 -0800
* Add new curves from draft-ietf-tls-negotiated-ff-dhe to SSL
analysis. (Johanna Amann)
2.3-274 | 2014-10-31 17:45:25 -0700
* Adding call to new binpac::init() function. (Robin Sommer)
2.3-272 | 2014-10-31 16:29:42 -0700
* Fix segfault if when statement's RHS is unitialized. Addresses
BIT-1176. (Jon Siwek)
* Fix checking vector indices via "in". Addresses BIT-1280. (Jon
Siwek)
2.3-268 | 2014-10-31 12:12:22 -0500
* BIT-1283: Fix crash when using &encrypt. (Jon Siwek)
2.3-267 | 2014-10-31 10:35:02 -0500
* BIT-1284: Allow arbitrary when statement timeout expressions
(Jon Siwek)
2.3-266 | 2014-10-31 09:21:28 -0500
* BIT-1166: Add configure options to fine tune local state dirs used
by BroControl. (Jon Siwek)
2.3-264 | 2014-10-30 13:25:57 -0500
* Fix some minor Coverity Scan complaints. (Jon Siwek)
2.3-263 | 2014-10-28 15:09:10 -0500
* Fix checking of fwrite return values (Johanna Amann)
2.3-260 | 2014-10-27 12:54:17 -0500
* Fix errors/warnings when compiling with -std=c++11 (Jon Siwek)
2.3-259 | 2014-10-27 10:04:04 -0500
* Documentation fixes. (Vicente Jimenez Aguilar and Stefano Azzalini)
2.3-256 | 2014-10-24 15:33:45 -0700
* Adding missing test baseline. (Robin Sommer)
2.3-255 | 2014-10-24 13:39:44 -0700
* Fixing unstable active-http test. (Robin Sommer)
2.3-254 | 2014-10-24 11:40:51 -0700
* Fix active-http.bro to deal reliably with empty server responses,
which will now be passed back as empty files. (Christian Struck)
2.3-248 | 2014-10-23 14:20:59 -0700
* Change order in which a plugin's scripts are loaded at startup.
(Robin Sommer)
2.3-247 | 2014-10-21 13:42:38 -0700
* Updates to the SSL analyzer. (Johanna Amann)
* Mark everything below 2048 bit as a weak key.
* Fix notice suppression.
* Add information about server-chosen protocol to ssl.log, if
provided by application_layer_next_protocol.
* Add boolean flag to ssl.log signaling if a session was
resumed. Remove the (usually not really that useful) session
ID that the client sent.
2.3-240 | 2014-10-21 13:36:33 -0700
* Fix Coverity-reported issues in DNP3 analyzer. (Seth Hall)
2.3-238 | 2014-10-16 06:51:49 -0700
* Fix multipart HTTP/MIME entity file analysis so that (1) singular
CR or LF characters in multipart body content are no longer
converted to a full CRLF (thus corrupting the file) and (2) it
also no longer considers the CRLF before the multipart boundary as
part of the content. Addresses BIT-1235. (Jon Siwek)
2.3-235 | 2014-10-15 10:20:47 -0500
* BIT-1273: Add error message for bad enum declaration syntax.
(Jon Siwek)
2.3-234 | 2014-10-14 14:42:09 -0500
* Documentation fixes. (Steve Smoot)
2.3-233 | 2014-10-09 16:00:27 -0500
* Change find-bro-logs unit test to follow symlinks. (Jon Siwek)
* Add error checks and messages to a test script (Daniel Thayer)
2.3-230 | 2014-10-08 08:15:17 -0700
* Further baseline normalization for plugin test portability. (Robin
Sommer)
2.3-229 | 2014-10-07 20:18:11 -0700 2.3-229 | 2014-10-07 20:18:11 -0700
* Fix for test portability. (Robin Sommer) * Fix for test portability. (Robin Sommer)


@ -1 +1 @@
2.3-229 2.3-278

@ -1 +1 @@
Subproject commit 3a4684801aafa0558383199e9abd711650b53af9 Subproject commit 77a86591dcf89d7252d3676d3f1199d6c927d073

@ -1 +1 @@
Subproject commit 95afe42e7474113a16cb2cb09ebdf8b552c59744 Subproject commit 977654dc51ab08a2afde32241f108cdb4a581d8f

@ -1 +1 @@
Subproject commit 33d0ed4a54a6ecf08a0b5fe18831aa413b437066 Subproject commit acb8fbe8e7bc6ace5135fb73dca8e29432cdc1ca

@ -1 +1 @@
Subproject commit 2f808bc8541378b1a4953cca02c58c43945d154f Subproject commit 39e865dec9611b9b53b609cbc8df519cebae0a1e

2
cmake

@ -1 +1 @@
Subproject commit 03de0cc467d2334dcb851eddd843d59fef217909 Subproject commit 1316c07f7059647b6c4a496ea36e4b83bb5d8f0f

16
configure

@ -24,6 +24,13 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
--prefix=PREFIX installation directory [/usr/local/bro] --prefix=PREFIX installation directory [/usr/local/bro]
--scriptdir=PATH root installation directory for Bro scripts --scriptdir=PATH root installation directory for Bro scripts
[PREFIX/share/bro] [PREFIX/share/bro]
--localstatedir=PATH when using BroControl, path to store log files
and run-time data (within log/ and spool/ subdirs)
[PREFIX]
--spooldir=PATH when using BroControl, path to store run-time data
[PREFIX/spool]
--logdir=PATH when using BroControl, path to store log file
[PREFIX/logs]
--conf-files-dir=PATH config files installation directory [PREFIX/etc] --conf-files-dir=PATH config files installation directory [PREFIX/etc]
Optional Features: Optional Features:
@ -144,6 +151,15 @@ while [ $# -ne 0 ]; do
append_cache_entry BRO_ETC_INSTALL_DIR PATH $optarg append_cache_entry BRO_ETC_INSTALL_DIR PATH $optarg
user_set_conffilesdir="true" user_set_conffilesdir="true"
;; ;;
--localstatedir=*)
append_cache_entry BRO_LOCAL_STATE_DIR PATH $optarg
;;
--spooldir=*)
append_cache_entry BRO_SPOOL_DIR PATH $optarg
;;
--logdir=*)
append_cache_entry BRO_LOG_DIR PATH $optarg
;;
--enable-debug) --enable-debug)
append_cache_entry ENABLE_DEBUG BOOL true append_cache_entry ENABLE_DEBUG BOOL true
;; ;;
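Review bot: The help text for the three new options disagrees with itself about the log directory name: the `--localstatedir` entry says run-time data goes "within log/ and spool/ subdirs", while the `--logdir` entry two lines below gives its default as `[PREFIX/logs]`. One of those is wrong, and since this text is what users will follow when locating BroControl's output, both places should name the real directory (e.g. `(within logs/ and spool/ subdirs)` if `logs/` is correct). It would also help to state explicitly that `--spooldir` and `--logdir` override the paths derived from `--localstatedir`, which the option set implies but the text never says. The option-parsing `while` loop patched by the second hunk begins outside this section.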


@ -10,6 +10,6 @@ event bro_init()
print fmt("contents of v1: %s", v1); print fmt("contents of v1: %s", v1);
print fmt("length of v1: %d", |v1|); print fmt("length of v1: %d", |v1|);
print fmt("contents of v1: %s", v2); print fmt("contents of v2: %s", v2);
print fmt("length of v2: %d", |v2|); print fmt("length of v2: %d", |v2|);
} }


@ -1,6 +1,6 @@
event bro_init() event bro_init()
{ {
local test_string = "The quick brown fox jumped over the lazy dog."; local test_string = "The quick brown fox jumps over the lazy dog.";
local test_pattern = /quick|lazy/; local test_pattern = /quick|lazy/;
if ( test_pattern in test_string ) if ( test_pattern in test_string )


@ -260,7 +260,7 @@ originating host is referenced by ``c$id$orig_h`` which if given a
narrative relates to ``orig_h`` which is a member of ``id`` which is narrative relates to ``orig_h`` which is a member of ``id`` which is
a member of the data structure referred to as ``c`` that was passed a member of the data structure referred to as ``c`` that was passed
into the event handler. Given that the responder port into the event handler. Given that the responder port
``c$id$resp_p`` is ``53/tcp``, it's likely that Bro's base HTTP scripts ``c$id$resp_p`` is ``80/tcp``, it's likely that Bro's base HTTP scripts
can further populate the connection record. Let's load the can further populate the connection record. Let's load the
``base/protocols/http`` scripts and check the output of our script. ``base/protocols/http`` scripts and check the output of our script.


@ -16,6 +16,7 @@ the 'dpkg-dev' package, please install it first.
} }
prefix=/opt/bro prefix=/opt/bro
localstatedir=/var/opt/bro
# During the packaging process, `dpkg-shlibs` will fail if used on a library # During the packaging process, `dpkg-shlibs` will fail if used on a library
# that links to other internal/project libraries unless an RPATH is used or # that links to other internal/project libraries unless an RPATH is used or
@ -31,7 +32,7 @@ cd ..
( cd build && make package ) ( cd build && make package )
# Full Bro package # Full Bro package
./configure --prefix=${prefix} --pkg-name-prefix=Bro --binary-package ./configure --prefix=${prefix} --localstatedir=${localstatedir} --pkg-name-prefix=Bro --binary-package
( cd build && make package ) ( cd build && make package )
# Broccoli # Broccoli
@ -42,6 +43,6 @@ cd ../..
# Broctl # Broctl
cd aux/broctl cd aux/broctl
./configure --prefix=${prefix} --binary-package ./configure --prefix=${prefix} --localstatedir=${localstatedir} --binary-package
( cd build && make package && mv *.deb ../../../build/ ) ( cd build && make package && mv *.deb ../../../build/ )
cd ../.. cd ../..


@ -15,6 +15,7 @@ the 'rpm-build' package, please install it first.
} }
prefix=/opt/bro prefix=/opt/bro
localstatedir=/var/opt/bro
cd .. cd ..
@ -24,7 +25,7 @@ cd ..
( cd build && make package ) ( cd build && make package )
# Full Bro package # Full Bro package
./configure --prefix=${prefix} --pkg-name-prefix=Bro --binary-package ./configure --prefix=${prefix} --localstatedir=${localstatedir} --pkg-name-prefix=Bro --binary-package
( cd build && make package ) ( cd build && make package )
# Broccoli # Broccoli
@ -35,6 +36,6 @@ cd ../..
# Broctl # Broctl
cd aux/broctl cd aux/broctl
./configure --prefix=${prefix} --binary-package ./configure --prefix=${prefix} --localstatedir=${localstatedir} --binary-package
( cd build && make package && mv *.rpm ../../../build/ ) ( cd build && make package && mv *.rpm ../../../build/ )
cd ../.. cd ../..


@ -158,6 +158,12 @@ export {
[26] = "brainpoolP256r1", [26] = "brainpoolP256r1",
[27] = "brainpoolP384r1", [27] = "brainpoolP384r1",
[28] = "brainpoolP512r1", [28] = "brainpoolP512r1",
# draft-ietf-tls-negotiated-ff-dhe-02
[256] = "ffdhe2432",
[257] = "ffdhe3072",
[258] = "ffdhe4096",
[259] = "ffdhe6144",
[260] = "ffdhe8192",
[0xFF01] = "arbitrary_explicit_prime_curves", [0xFF01] = "arbitrary_explicit_prime_curves",
[0xFF02] = "arbitrary_explicit_char2_curves" [0xFF02] = "arbitrary_explicit_char2_curves"
} &default=function(i: count):string { return fmt("unknown-%d", i); }; } &default=function(i: count):string { return fmt("unknown-%d", i); };


@ -25,9 +25,25 @@ export {
## indicates the server name that the client was requesting. ## indicates the server name that the client was requesting.
server_name: string &log &optional; server_name: string &log &optional;
## Session ID offered by the client for session resumption. ## Session ID offered by the client for session resumption.
session_id: string &log &optional; ## Not used for logging.
session_id: string &optional;
## Flag to indicate if the session was resumed reusing
## the key material exchanged in an earlier connection.
resumed: bool &log &default=F;
## Flag to indicate if we saw a non-empty session ticket being
## sent by the client using an empty session ID. This value
## is used to determine if a session is being resumed. It's
## not logged.
client_ticket_empty_session_seen: bool &default=F;
## Flag to indicate if we saw a client key exchange message sent
## by the client. This value is used to determine if a session
## is being resumed. It's not logged.
client_key_exchange_seen: bool &default=F;
## Last alert that was seen during the connection. ## Last alert that was seen during the connection.
last_alert: string &log &optional; last_alert: string &log &optional;
## Next protocol the server chose using the application layer
## next protocol extension, if present.
next_protocol: string &log &optional;
## The analyzer ID used for the analyzer instance attached ## The analyzer ID used for the analyzer instance attached
## to each connection. It is not used for logging since it's a ## to each connection. It is not used for logging since it's a
@ -149,8 +165,11 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, client_
set_session(c); set_session(c);
# Save the session_id if there is one set. # Save the session_id if there is one set.
if ( session_id != /^\x00{32}$/ ) if ( |session_id| > 0 && session_id != /^\x00{32}$/ )
{
c$ssl$session_id = bytestring_to_hexstr(session_id); c$ssl$session_id = bytestring_to_hexstr(session_id);
c$ssl$client_ticket_empty_session_seen = F;
}
} }
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5 event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
@ -159,6 +178,9 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
c$ssl$version = version_strings[version]; c$ssl$version = version_strings[version];
c$ssl$cipher = cipher_desc[cipher]; c$ssl$cipher = cipher_desc[cipher];
if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) )
c$ssl$resumed = T;
} }
event ssl_server_curve(c: connection, curve: count) &priority=5 event ssl_server_curve(c: connection, curve: count) &priority=5
@ -180,6 +202,45 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
} }
} }
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
{
set_session(c);
if ( is_orig )
return;
if ( |protocols| > 0 )
c$ssl$next_protocol = protocols[0];
}
event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count) &priority=5
{
set_session(c);
if ( is_orig && msg_type == SSL::CLIENT_KEY_EXCHANGE )
c$ssl$client_key_exchange_seen = T;
}
# Extension event is fired _before_ the respective client or server hello.
# Important for client_ticket_empty_session_seen.
event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
{
set_session(c);
if ( is_orig && SSL::extensions[code] == "SessionTicket TLS" && |val| > 0 )
# In this case, we might have an empty ID. Set back to F in client_hello event
# if it is not empty after all.
c$ssl$client_ticket_empty_session_seen = T;
}
event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
{
set_session(c);
if ( is_orig && c$ssl$client_ticket_empty_session_seen && ! c$ssl$client_key_exchange_seen )
c$ssl$resumed = T;
}
event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5 event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
{ {
set_session(c); set_session(c);
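Review bot: The resumption heuristic in `ssl_change_cipher_spec` is non-obvious and deserves a comment: it marks the session resumed when the client offered a non-empty SessionTicket with an empty session ID and then sends ChangeCipherSpec without ever having sent a ClientKeyExchange, i.e. the abbreviated ticket handshake rather than a full key exchange. I'd add above the `if`: `# Ticket-based resumption (RFC 5077): the client offered a ticket with an empty session ID and went straight to CCS without a ClientKeyExchange, so no new key exchange happened.` Note that `client_ticket_empty_session_seen` is only cleared in `ssl_client_hello` when a non-empty session ID is present, which relies on the extension event firing before the hello as the comment above `ssl_extension` states; a client that sends both a ticket and a session ID is instead detected through the server echoing the ID in `ssl_server_hello`, and that split is worth spelling out in the record field docs. In the ALPN handler, a server response carrying more than one protocol violates RFC 7301's "exactly one" rule, so `|protocols| > 1` is a reasonable place to raise a weird instead of silently logging the first entry.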


@ -65,12 +65,14 @@ function request2curl(r: Request, bodyfile: string, headersfile: string): string
cmd = fmt("%s -m %.0f", cmd, r$max_time); cmd = fmt("%s -m %.0f", cmd, r$max_time);
if ( r?$client_data ) if ( r?$client_data )
cmd = fmt("%s -d -", cmd); cmd = fmt("%s -d @-", cmd);
if ( r?$addl_curl_args ) if ( r?$addl_curl_args )
cmd = fmt("%s %s", cmd, r$addl_curl_args); cmd = fmt("%s %s", cmd, r$addl_curl_args);
cmd = fmt("%s \"%s\"", cmd, str_shell_escape(r$url)); cmd = fmt("%s \"%s\"", cmd, str_shell_escape(r$url));
# Make sure file will exist even if curl did not write one.
cmd = fmt("%s && touch %s", cmd, str_shell_escape(bodyfile));
return cmd; return cmd;
} }
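Review bot: The new `touch` appends the escaped body file name without the surrounding double quotes that the URL argument two lines above gets (`\"%s\"`), so if `str_shell_escape` is intended for a double-quoted context, a path containing whitespace or glob characters would be word-split or expanded by the shell at `touch`. I'd write it as `cmd = fmt("%s && touch \"%s\"", cmd, str_shell_escape(bodyfile));` to match the existing pattern. Also, because the command is joined with `&&`, the file is only created when curl exits zero, which does not quite match the comment's "even if curl did not write one"; if a failed curl should also leave an empty file behind, `;` is needed instead, and either way the comment should state which it is. `request2curl` begins before this hunk.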


@ -106,6 +106,15 @@ event Input::end_of_data(name: string, source:string)
local track_file = parts[2]; local track_file = parts[2];
# If the file is empty, still add it to the result$files table. This is needed
# because it is expected that the file was read even if it was empty.
local result = results[name];
if ( ! result?$files )
result$files = table();
if ( track_file !in result$files )
result$files[track_file] = vector();
Input::remove(name); Input::remove(name);
if ( name !in pending_files ) if ( name !in pending_files )


@ -22,7 +22,7 @@ export {
## The minimal key length in bits that is considered to be safe. Any shorter ## The minimal key length in bits that is considered to be safe. Any shorter
## (non-EC) key lengths will trigger the notice. ## (non-EC) key lengths will trigger the notice.
const notify_minimal_key_length = 1024 &redef; const notify_minimal_key_length = 2048 &redef;
## Warn if the DH key length is smaller than the certificate key length. This is ## Warn if the DH key length is smaller than the certificate key length. This is
## potentially unsafe because it gives a wrong impression of safety due to the ## potentially unsafe because it gives a wrong impression of safety due to the
@ -56,7 +56,7 @@ event ssl_established(c: connection) &priority=3
NOTICE([$note=Weak_Key, NOTICE([$note=Weak_Key,
$msg=fmt("Host uses weak certificate with %d bit key", key_length), $msg=fmt("Host uses weak certificate with %d bit key", key_length),
$conn=c, $suppress_for=1day, $conn=c, $suppress_for=1day,
$identifier=cat(c$id$orig_h, c$id$orig_p, key_length) $identifier=cat(c$id$resp_h, c$id$resp_h, key_length)
]); ]);
} }
@ -71,7 +71,7 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
NOTICE([$note=Weak_Key, NOTICE([$note=Weak_Key,
$msg=fmt("Host uses weak DH parameters with %d key bits", key_length), $msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
$conn=c, $suppress_for=1day, $conn=c, $suppress_for=1day,
$identifier=cat(c$id$orig_h, c$id$orig_p, key_length) $identifier=cat(c$id$resp_h, c$id$resp_p, key_length)
]); ]);
if ( notify_dh_length_shorter_cert_length && if ( notify_dh_length_shorter_cert_length &&
@ -86,7 +86,7 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits", $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
key_length, c$ssl$cert_chain[0]$x509$certificate$key_length), key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
$conn=c, $suppress_for=1day, $conn=c, $suppress_for=1day,
$identifier=cat(c$id$orig_h, c$id$orig_p) $identifier=cat(c$id$resp_h, c$id$resp_p)
]); ]);
} }
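Review bot: The certificate `Weak_Key` notice now builds its suppression identifier from `cat(c$id$resp_h, c$id$resp_h, key_length)` — `resp_h` twice — whereas the two DH notices below use `cat(c$id$resp_h, c$id$resp_p, ...)`. As written, two services on the same host presenting different weak certificates of the same key length are collapsed into one notice per day, so the second one goes unreported. It should be `$identifier=cat(c$id$resp_h, c$id$resp_p, key_length)` to match the others. The enclosing `ssl_established` handler starts outside the hunk.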
} }


@ -96,7 +96,7 @@ bool Brofiler::WriteStats()
map<pair<string, string>, uint64 >::const_iterator it; map<pair<string, string>, uint64 >::const_iterator it;
for ( it = usage_map.begin(); it != usage_map.end(); ++it ) for ( it = usage_map.begin(); it != usage_map.end(); ++it )
{ {
fprintf(f, "%"PRIu64"%c%s%c%s\n", it->second, delim, fprintf(f, "%" PRIu64"%c%s%c%s\n", it->second, delim,
it->first.first.c_str(), delim, it->first.second.c_str()); it->first.first.c_str(), delim, it->first.second.c_str());
} }


@ -214,7 +214,7 @@ DNS_Mapping::DNS_Mapping(FILE* f)
char req_buf[512+1], name_buf[512+1]; char req_buf[512+1], name_buf[512+1];
int is_req_host; int is_req_host;
if ( sscanf(buf, "%lf %d %512s %d %512s %d %d %"PRIu32, &creation_time, if ( sscanf(buf, "%lf %d %512s %d %512s %d %d %" PRIu32, &creation_time,
&is_req_host, req_buf, &failed, name_buf, &map_type, &num_addrs, &is_req_host, req_buf, &failed, name_buf, &map_type, &num_addrs,
&req_ttl) != 8 ) &req_ttl) != 8 )
return; return;
@ -360,7 +360,7 @@ void DNS_Mapping::Clear()
void DNS_Mapping::Save(FILE* f) const void DNS_Mapping::Save(FILE* f) const
{ {
fprintf(f, "%.0f %d %s %d %s %d %d %"PRIu32"\n", creation_time, req_host != 0, fprintf(f, "%.0f %d %s %d %s %d %d %" PRIu32"\n", creation_time, req_host != 0,
req_host ? req_host : req_addr.AsString().c_str(), req_host ? req_host : req_addr.AsString().c_str(),
failed, (names && names[0]) ? names[0] : "*", failed, (names && names[0]) ? names[0] : "*",
map_type, num_addrs, req_ttl); map_type, num_addrs, req_ttl);


@ -636,7 +636,7 @@ Val* BinaryExpr::Eval(Frame* f) const
return v_result; return v_result;
} }
if ( is_vec1 || is_vec2 ) if ( IsVector(Type()->Tag()) && (is_vec1 || is_vec2) )
{ // fold vector against scalar { // fold vector against scalar
VectorVal* vv = (is_vec1 ? v1 : v2)->AsVectorVal(); VectorVal* vv = (is_vec1 ? v1 : v2)->AsVectorVal();
VectorVal* v_result = new VectorVal(Type()->AsVectorType()); VectorVal* v_result = new VectorVal(Type()->AsVectorType());
@ -4703,8 +4703,14 @@ Val* InExpr::Fold(Val* v1, Val* v2) const
v2->Type()->Tag() == TYPE_SUBNET ) v2->Type()->Tag() == TYPE_SUBNET )
return new Val(v2->AsSubNetVal()->Contains(v1->AsAddr()), TYPE_BOOL); return new Val(v2->AsSubNetVal()->Contains(v1->AsAddr()), TYPE_BOOL);
TableVal* vt = v2->AsTableVal(); Val* res;
if ( vt->Lookup(v1, false) )
if ( is_vector(v2) )
res = v2->AsVectorVal()->Lookup(v1);
else
res = v2->AsTableVal()->Lookup(v1, false);
if ( res )
return new Val(1, TYPE_BOOL); return new Val(1, TYPE_BOOL);
else else
return new Val(0, TYPE_BOOL); return new Val(0, TYPE_BOOL);


@ -527,7 +527,7 @@ void BroFile::SetAttrs(Attributes* arg_attrs)
if ( ef->AttrExpr() ) if ( ef->AttrExpr() )
InitEncrypt(ef->AttrExpr()->ExprVal()->AsString()->CheckString()); InitEncrypt(ef->AttrExpr()->ExprVal()->AsString()->CheckString());
else else
InitEncrypt(log_encryption_key->AsString()->CheckString()); InitEncrypt(opt_internal_string("log_encryption_key")->CheckString());
} }
if ( attrs->FindAttr(ATTR_RAW_OUTPUT) ) if ( attrs->FindAttr(ATTR_RAW_OUTPUT) )
@ -708,10 +708,10 @@ void BroFile::InitEncrypt(const char* keyfile)
secret_len = htonl(secret_len); secret_len = htonl(secret_len);
if ( ! (fwrite("BROENC1", 7, 1, f) && if ( fwrite("BROENC1", 7, 1, f) < 1 ||
fwrite(&secret_len, sizeof(secret_len), 1, f) && fwrite(&secret_len, sizeof(secret_len), 1, f) < 1 ||
fwrite(secret, ntohl(secret_len), 1, f) && fwrite(secret, ntohl(secret_len), 1, f) < 1 ||
fwrite(iv, iv_len, 1, f)) ) fwrite(iv, iv_len, 1, f) < 1 )
{ {
reporter->Error("can't write header to log file %s: %s", reporter->Error("can't write header to log file %s: %s",
name, strerror(errno)); name, strerror(errno));
@ -736,7 +736,7 @@ void BroFile::FinishEncrypt()
int outl; int outl;
EVP_SealFinal(cipher_ctx, cipher_buffer, &outl); EVP_SealFinal(cipher_ctx, cipher_buffer, &outl);
if ( outl && ! fwrite(cipher_buffer, outl, 1, f) ) if ( outl && fwrite(cipher_buffer, outl, 1, f) < 1 )
{ {
reporter->Error("write error for %s: %s", reporter->Error("write error for %s: %s",
name, strerror(errno)); name, strerror(errno));
@ -777,7 +777,7 @@ int BroFile::Write(const char* data, int len)
return 0; return 0;
} }
if ( outl && ! fwrite(cipher_buffer, outl, 1, f) ) if ( outl && fwrite(cipher_buffer, outl, 1, f) < 1 )
{ {
reporter->Error("write error for %s: %s", reporter->Error("write error for %s: %s",
name, strerror(errno)); name, strerror(errno));
@ -792,8 +792,7 @@ int BroFile::Write(const char* data, int len)
return 1; return 1;
} }
len = fwrite(data, 1, len, f); if ( fwrite(data, len, 1, f) < 1 )
if ( len <= 0 )
return false; return false;
if ( rotate_size && current_size < rotate_size && current_size + len >= rotate_size ) if ( rotate_size && current_size < rotate_size && current_size + len >= rotate_size )


@ -22,7 +22,7 @@ static void bad_pipe_op(const char* which)
void Flare::Fire() void Flare::Fire()
{ {
char tmp; char tmp = 0;
for ( ; ; ) for ( ; ; )
{ {


@ -110,7 +110,7 @@ public:
T result = 0; T result = 0;
// loop optmized with Duff's Device // loop optmized with Duff's Device
register unsigned n = (size + 7) / 8; unsigned n = (size + 7) / 8;
switch ( size % 8 ) { switch ( size % 8 ) {
case 0: do { result ^= byte_lookup[offset++][*p++]; case 0: do { result ^= byte_lookup[offset++][*p++];
case 7: result ^= byte_lookup[offset++][*p++]; case 7: result ^= byte_lookup[offset++][*p++];


@ -182,7 +182,7 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper,
{ {
if ( DEBUG_reassem ) if ( DEBUG_reassem )
{ {
DEBUG_MSG("%.6f Reassembler::AddAndCheck seq=%"PRIu64", upper=%"PRIu64"\n", DEBUG_MSG("%.6f Reassembler::AddAndCheck seq=%" PRIu64", upper=%" PRIu64"\n",
network_time, seq, upper); network_time, seq, upper);
} }


@ -707,7 +707,7 @@ RemoteSerializer::PeerID RemoteSerializer::Connect(const IPAddr& ip,
const size_t BUFSIZE = 1024; const size_t BUFSIZE = 1024;
char* data = new char[BUFSIZE]; char* data = new char[BUFSIZE];
snprintf(data, BUFSIZE, snprintf(data, BUFSIZE,
"%"PRI_PTR_COMPAT_UINT",%s,%s,%"PRIu16",%"PRIu32",%d", p->id, "%" PRI_PTR_COMPAT_UINT",%s,%s,%" PRIu16",%" PRIu32",%d", p->id,
ip.AsString().c_str(), zone_id.c_str(), port, uint32(retry), ip.AsString().c_str(), zone_id.c_str(), port, uint32(retry),
use_ssl); use_ssl);
@ -1267,7 +1267,7 @@ bool RemoteSerializer::Listen(const IPAddr& ip, uint16 port, bool expect_ssl,
const size_t BUFSIZE = 1024; const size_t BUFSIZE = 1024;
char* data = new char[BUFSIZE]; char* data = new char[BUFSIZE];
snprintf(data, BUFSIZE, "%s,%"PRIu16",%d,%d,%s,%"PRIu32, snprintf(data, BUFSIZE, "%s,%" PRIu16",%d,%d,%s,%" PRIu32,
ip.AsString().c_str(), port, expect_ssl, ipv6, zone_id.c_str(), ip.AsString().c_str(), port, expect_ssl, ipv6, zone_id.c_str(),
(uint32) retry); (uint32) retry);
@ -4075,7 +4075,7 @@ bool SocketComm::Connect(Peer* peer)
const size_t BUFSIZE = 1024; const size_t BUFSIZE = 1024;
char* data = new char[BUFSIZE]; char* data = new char[BUFSIZE];
snprintf(data, BUFSIZE, "%s,%"PRIu32, peer->ip.AsString().c_str(), snprintf(data, BUFSIZE, "%s,%" PRIu32, peer->ip.AsString().c_str(),
peer->port); peer->port);
if ( ! SendToParent(MSG_CONNECTED, peer, data) ) if ( ! SendToParent(MSG_CONNECTED, peer, data) )
@ -4190,7 +4190,7 @@ bool SocketComm::Listen()
setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0 ) setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0 )
Error(fmt("can't set IPV6_V6ONLY, %s", strerror(errno))); Error(fmt("can't set IPV6_V6ONLY, %s", strerror(errno)));
if ( bind(fd, res->ai_addr, res->ai_addrlen) < 0 ) if ( ::bind(fd, res->ai_addr, res->ai_addrlen) < 0 )
{ {
Error(fmt("can't bind to %s:%s, %s", l_addr_str.c_str(), Error(fmt("can't bind to %s:%s, %s", l_addr_str.c_str(),
port_str, strerror(errno))); port_str, strerror(errno)));
@ -4287,7 +4287,7 @@ bool SocketComm::AcceptConnection(int fd)
const size_t BUFSIZE = 1024; const size_t BUFSIZE = 1024;
char* data = new char[BUFSIZE]; char* data = new char[BUFSIZE];
snprintf(data, BUFSIZE, "%s,%"PRIu32, peer->ip.AsString().c_str(), snprintf(data, BUFSIZE, "%s,%" PRIu32, peer->ip.AsString().c_str(),
peer->port); peer->port);
if ( ! SendToParent(MSG_CONNECTED, peer, data) ) if ( ! SendToParent(MSG_CONNECTED, peer, data) )


@ -541,19 +541,19 @@ bool XMLSerializationFormat::Write(uint16 v, const char* tag)
bool XMLSerializationFormat::Write(uint32 v, const char* tag) bool XMLSerializationFormat::Write(uint32 v, const char* tag)
{ {
const char* tmp = fmt("%"PRIu32, v); const char* tmp = fmt("%" PRIu32, v);
return WriteElem(tag, "uint32", tmp, strlen(tmp)); return WriteElem(tag, "uint32", tmp, strlen(tmp));
} }
bool XMLSerializationFormat::Write(uint64 v, const char* tag) bool XMLSerializationFormat::Write(uint64 v, const char* tag)
{ {
const char* tmp = fmt("%"PRIu64, v); const char* tmp = fmt("%" PRIu64, v);
return WriteElem(tag, "uint64", tmp, strlen(tmp)); return WriteElem(tag, "uint64", tmp, strlen(tmp));
} }
bool XMLSerializationFormat::Write(int64 v, const char* tag) bool XMLSerializationFormat::Write(int64 v, const char* tag)
{ {
const char* tmp = fmt("%"PRId64, v); const char* tmp = fmt("%" PRId64, v);
return WriteElem(tag, "int64", tmp, strlen(tmp)); return WriteElem(tag, "int64", tmp, strlen(tmp));
} }


@ -544,7 +544,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( proto_typ != 0x0800 && proto_typ != 0x86dd ) if ( proto_typ != 0x0800 && proto_typ != 0x86dd )
{ {
// Not IPv4/IPv6 payload. // Not IPv4/IPv6 payload.
Weird(fmt("unknown_gre_protocol_%"PRIu16, proto_typ), ip_hdr, Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr,
encapsulation); encapsulation);
return; return;
} }


@ -160,7 +160,7 @@ void ProfileLogger::Log()
file->Write(fmt("%.06f Connections expired due to inactivity: %d\n", file->Write(fmt("%.06f Connections expired due to inactivity: %d\n",
network_time, killed_by_inactivity)); network_time, killed_by_inactivity));
file->Write(fmt("%.06f Total reassembler data: %"PRIu64"K\n", network_time, file->Write(fmt("%.06f Total reassembler data: %" PRIu64"K\n", network_time,
Reassembler::TotalMemoryAllocation() / 1024)); Reassembler::TotalMemoryAllocation() / 1024));
// Signature engine. // Signature engine.


@ -131,18 +131,19 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts,
arg_frame->SetDelayed(); arg_frame->SetDelayed();
} }
Val* timeout = arg_timeout ? arg_timeout->ExprVal() : 0; Val* timeout_val = arg_timeout ? arg_timeout->Eval(arg_frame) : 0;
// Make sure we don't get deleted if somebody calls a method like // Make sure we don't get deleted if somebody calls a method like
// Timeout() while evaluating the trigger. // Timeout() while evaluating the trigger.
Ref(this); Ref(this);
if ( ! Eval() && timeout ) if ( ! Eval() && timeout_val )
{ {
timer = new TriggerTimer(timeout->AsInterval(), this); timer = new TriggerTimer(timeout_val->AsInterval(), this);
timer_mgr->Add(timer); timer_mgr->Add(timer);
} }
Unref(timeout_val);
Unref(this); Unref(this);
} }
@ -206,7 +207,7 @@ bool Trigger::Eval()
return false; return false;
} }
if ( v->IsZero() ) if ( ! v || v->IsZero() )
{ {
// Not true. Perhaps next time... // Not true. Perhaps next time...
DBG_LOG(DBG_NOTIFIERS, "%s: trigger condition is false", Name()); DBG_LOG(DBG_NOTIFIERS, "%s: trigger condition is false", Name());


@ -598,7 +598,7 @@ SupportAnalyzer* Analyzer::FirstSupportAnalyzer(bool orig)
void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
uint64 seq, const IP_Hdr* ip, int caplen) uint64 seq, const IP_Hdr* ip, int caplen)
{ {
DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %"PRIu64", %p, %d) [%s%s]", DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %" PRIu64", %p, %d) [%s%s]",
fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", seq, ip, caplen, fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", seq, ip, caplen,
fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : ""); fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
} }
@ -612,7 +612,7 @@ void Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
void Analyzer::Undelivered(uint64 seq, int len, bool is_orig) void Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
{ {
DBG_LOG(DBG_ANALYZER, "%s Undelivered(%"PRIu64", %d, %s)", DBG_LOG(DBG_ANALYZER, "%s Undelivered(%" PRIu64", %d, %s)",
fmt_analyzer(this).c_str(), seq, len, is_orig ? "T" : "F"); fmt_analyzer(this).c_str(), seq, len, is_orig ? "T" : "F");
} }


@ -5,18 +5,18 @@ connection DNP3_Conn(bro_analyzer: BroAnalyzer) {
}; };
%header{ %header{
uint64 bytestring_to_time(const_bytestring time48, size_t length); uint64 bytestring_to_time(const_bytestring time48);
%} %}
%code{ %code{
uint64 bytestring_to_time(const_bytestring time48, size_t length) uint64 bytestring_to_time(const_bytestring time48)
{ {
/* In DNP3, a timestamp is represented by 6 bytes since epoch /* In DNP3, a timestamp is represented by 6 bytes since epoch
in milliseconds. The 6 bytes are stored in big endian format. */ in milliseconds. The 6 bytes are stored in big endian format. */
uint64 epochTime = 0; uint64 epochTime = 0;
for ( unsigned int i = 0; i < length; i++ ) for ( int i = time48.length() - 1; i >= 0; i-- )
epochTime = time48[length - i - 1] + epochTime * 256; epochTime = time48[i] + epochTime * 256;
return epochTime; return epochTime;
} }
@ -240,7 +240,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_counter_32wFlagTime( BifEvent::generate_dnp3_frozen_counter_32wFlagTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, count_value, bytestring_to_time(time48));
} }
return true; return true;
@ -254,7 +254,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_counter_16wFlagTime( BifEvent::generate_dnp3_frozen_counter_16wFlagTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, count_value, bytestring_to_time(time48));
} }
return true; return true;
@ -408,7 +408,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_32wTime( BifEvent::generate_dnp3_frozen_analog_input_32wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, frozen_value, bytestring_to_time(time48));
} }
return true; return true;
@ -422,7 +422,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_16wTime( BifEvent::generate_dnp3_frozen_analog_input_16wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, frozen_value, bytestring_to_time(time48));
} }
return true; return true;
@ -520,7 +520,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_analog_input_event_32wTime( BifEvent::generate_dnp3_analog_input_event_32wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, value, bytestring_to_time(time48));
} }
return true; return true;
@ -534,7 +534,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_analog_input_event_16wTime( BifEvent::generate_dnp3_analog_input_event_16wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, value, bytestring_to_time(time48));
} }
return true; return true;
@ -576,7 +576,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_analog_input_event_SPwTime( BifEvent::generate_dnp3_analog_input_event_SPwTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, value, bytestring_to_time(time48));
} }
return true; return true;
@ -590,7 +590,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_analog_input_event_DPwTime( BifEvent::generate_dnp3_analog_input_event_DPwTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, value_low, value_high, bytestring_to_time(time48));
} }
return true; return true;
@ -632,7 +632,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_event_32wTime( BifEvent::generate_dnp3_frozen_analog_input_event_32wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, frozen_value, bytestring_to_time(time48));
} }
return true; return true;
@ -646,7 +646,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_event_16wTime( BifEvent::generate_dnp3_frozen_analog_input_event_16wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, frozen_value, bytestring_to_time(time48));
} }
return true; return true;
@ -688,7 +688,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime( BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, frozen_value, bytestring_to_time(time48));
} }
return true; return true;
@ -702,7 +702,7 @@ flow DNP3_Flow(is_orig: bool) {
BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime( BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48, sizeof(time48))); is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48));
} }
return true; return true;
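Review bot: The comment at the top of bytestring_to_time still says the 6 bytes are stored big endian, but the loop walks from `time48.length() - 1` down to 0, so byte 0 ends up as the least significant byte — that is little-endian decoding, which as far as I know is what the DNP3 wire format uses, so the code is right and the comment is wrong. Suggest `/* In DNP3, a timestamp is 6 bytes of milliseconds since the epoch, stored little endian (byte 0 is least significant). */` so nobody later "fixes" the loop to match the comment. Nothing bounds the accumulation either: with more than 8 input bytes `epochTime * 256` wraps silently, so unless the binpac field is guaranteed to be exactly 6 bytes, an explicit `assert(time48.length() <= 8)` or an early return on oversized input would make the precondition visible.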


@ -416,7 +416,7 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
int64_t len = l - f + 1; int64_t len = l - f + 1;
if ( DEBUG_http ) if ( DEBUG_http )
DEBUG_MSG("Content-Range length = %"PRId64"\n", len); DEBUG_MSG("Content-Range length = %" PRId64"\n", len);
if ( len > 0 ) if ( len > 0 )
{ {
@ -466,6 +466,20 @@ void HTTP_Entity::SubmitAllHeaders()
if ( DEBUG_http ) if ( DEBUG_http )
DEBUG_MSG("%.6f end of headers\n", network_time); DEBUG_MSG("%.6f end of headers\n", network_time);
if ( Parent() &&
Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART )
{
// Don't treat single \r or \n characters in the multipart body content
// as lines because the MIME_Entity code will implicitly add back a
// \r\n for each line it receives. We do this instead of setting
// plain delivery mode for the content line analyzer because
// the size of the content to deliver "plainly" may be unknown
// and just leaving it in that mode indefinitely screws up the
// detection of multipart boundaries.
http_message->content_line->SupressWeirds(true);
http_message->content_line->SetCRLFAsEOL(0);
}
// The presence of a message-body in a request is signaled by // The presence of a message-body in a request is signaled by
// the inclusion of a Content-Length or Transfer-Encoding // the inclusion of a Content-Length or Transfer-Encoding
// header field in the request's message-headers. // header field in the request's message-headers.
@ -655,6 +669,13 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
current_entity = (HTTP_Entity*) entity->Parent(); current_entity = (HTTP_Entity*) entity->Parent();
if ( entity->Parent() &&
entity->Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART )
{
content_line->SupressWeirds(false);
content_line->SetCRLFAsEOL();
}
// It is necessary to call Done when EndEntity is triggered by // It is necessary to call Done when EndEntity is triggered by
// SubmitAllHeaders (through EndOfData). // SubmitAllHeaders (through EndOfData).
if ( entity == top_level ) if ( entity == top_level )
@ -1039,7 +1060,7 @@ void HTTP_Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
{ {
if ( msg ) if ( msg )
msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP, msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP,
fmt("seq=%"PRIu64", len=%d", seq, len)); fmt("seq=%" PRIu64", len=%d", seq, len));
} }
// Check if the content gap falls completely within a message body // Check if the content gap falls completely within a message body
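Review bot: The content-line mode switched on in SubmitAllHeaders (`SupressWeirds(true)` and `SetCRLFAsEOL(0)`) is only switched back in EndEntity, so any path that finalizes an HTTP_Message without reaching EndEntity for the multipart child would leave `content_line` with CRLF-only line termination and weirds suppressed for whatever that connection parses next, including the following message's headers. I cannot see from the hunk whether Done() guarantees EndEntity for every open entity, so this is worth confirming; if it does not, resetting both settings wherever the message is finalized would make the state change self-contained. Minor: the method is spelled `SupressWeirds` (one p); if the ContentLine API is still fresh, renaming it to `SuppressWeirds` now is cheap. Both SubmitAllHeaders and EndEntity start outside the hunk.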


@ -99,6 +99,8 @@ enum {
// HTTP_MessageDone -> {Request,Reply}Made // HTTP_MessageDone -> {Request,Reply}Made
class HTTP_Message : public mime::MIME_Message { class HTTP_Message : public mime::MIME_Message {
friend class HTTP_Entity;
public: public:
HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl, HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl,
bool is_orig, int expect_body, int64_t init_header_length); bool is_orig, int expect_body, int64_t init_header_length);
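Review bot: `friend class HTTP_Entity;` grants HTTP_Entity access to every private and protected member of HTTP_Message, while the new code in HTTP_Entity::SubmitAllHeaders only needs `content_line`. A narrower protected accessor such as `tcp::ContentLine_Analyzer* ContentLine() { return content_line; }` would expose just that and keep the rest of the message state encapsulated. Either way the friend line deserves a one-line comment saying why it exists, e.g. `// HTTP_Entity toggles content_line's EOL/weird handling for multipart bodies.`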


@ -553,6 +553,7 @@ void MIME_Entity::init()
data_buf_offset = -1; data_buf_offset = -1;
message = 0; message = 0;
delay_adding_implicit_CRLF = false;
} }
MIME_Entity::~MIME_Entity() MIME_Entity::~MIME_Entity()
@ -1003,14 +1004,35 @@ void MIME_Entity::DecodeDataLine(int len, const char* data, int trailing_CRLF)
void MIME_Entity::DecodeBinary(int len, const char* data, int trailing_CRLF) void MIME_Entity::DecodeBinary(int len, const char* data, int trailing_CRLF)
{ {
if ( delay_adding_implicit_CRLF )
{
delay_adding_implicit_CRLF = false;
DataOctet(CR);
DataOctet(LF);
}
DataOctets(len, data); DataOctets(len, data);
if ( trailing_CRLF ) if ( trailing_CRLF )
{
if ( Parent() &&
Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART )
{
// For multipart body content, we want to keep all implicit CRLFs
// except for the last because that one belongs to the multipart
// boundary delimiter, not the content. Simply delaying the
// addition of implicit CRLFs until another chunk of content
// data comes in is a way to prevent the CRLF before the final
// message boundary from being accidentally added to the content.
delay_adding_implicit_CRLF = true;
}
else
{ {
DataOctet(CR); DataOctet(CR);
DataOctet(LF); DataOctet(LF);
} }
} }
}
void MIME_Entity::DecodeQuotedPrintable(int len, const char* data) void MIME_Entity::DecodeQuotedPrintable(int len, const char* data)
{ {
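Review bot: The comment in DecodeBinary explaining why the last implicit CRLF is withheld would be clearer with the normative reference: RFC 2046 section 5.1.1 makes the CRLF preceding a boundary delimiter part of the delimiter rather than of the body part, which is exactly what the delay implements. As far as this hunk shows the pending CRLF is flushed only at the start of the next DecodeBinary call, so a part that ends because the connection was cut rather than at a boundary also loses its trailing CRLF and its file size and hashes will be two bytes short of the wire data; that is probably acceptable but deserves a sentence, e.g. `// Note: a part truncated before its closing boundary also loses its trailing CRLF, since the pending CRLF is only flushed when more content data arrives.` DecodeBinary is visible in full, but init() starts outside the hunk.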


@ -173,6 +173,7 @@ protected:
int data_buf_offset; int data_buf_offset;
MIME_Message* message; MIME_Message* message;
bool delay_adding_implicit_CRLF;
}; };
// The reason I separate MIME_Message as an abstract class is to // The reason I separate MIME_Message as an abstract class is to
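Review bot: The new `delay_adding_implicit_CRLF` member has no comment, and its role is not obvious from the name alone: it holds back a CRLF that may belong to the next multipart boundary rather than to the content. Suggest `// True when the last binary chunk ended in a CRLF that has not been emitted yet; DecodeBinary flushes it if more content follows, so the CRLF before a multipart boundary is not counted as part data.` The class this belongs to starts outside the hunk.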


@ -21,7 +21,9 @@ static const char* smtp_cmd_word[] = {
#include "SMTP_cmd.def" #include "SMTP_cmd.def"
}; };
#define SMTP_CMD_WORD(code) ((code >= 0) ? smtp_cmd_word[code] : "(UNKNOWN)") static const char* unknown_cmd = "(UNKNOWN)";
#define SMTP_CMD_WORD(code) ((code >= 0) ? smtp_cmd_word[code] : unknown_cmd)
SMTP_Analyzer::SMTP_Analyzer(Connection* conn) SMTP_Analyzer::SMTP_Analyzer(Connection* conn)
@ -83,7 +85,7 @@ void SMTP_Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
if ( len <= 0 ) if ( len <= 0 )
return; return;
const char* buf = fmt("seq = %"PRIu64", len = %d", seq, len); const char* buf = fmt("seq = %" PRIu64", len = %d", seq, len);
int buf_len = strlen(buf); int buf_len = strlen(buf);
Unexpected(is_orig, "content gap", buf_len, buf); Unexpected(is_orig, "content gap", buf_len, buf);
@ -422,7 +424,6 @@ void SMTP_Analyzer::NewReply(const int reply_code)
if ( state == SMTP_AFTER_GAP && reply_code > 0 ) if ( state == SMTP_AFTER_GAP && reply_code > 0 )
{ {
state = SMTP_GAP_RECOVERY; state = SMTP_GAP_RECOVERY;
const char* unknown_cmd = SMTP_CMD_WORD(-1);
RequestEvent(strlen(unknown_cmd), unknown_cmd, 0, ""); RequestEvent(strlen(unknown_cmd), unknown_cmd, 0, "");
/* /*
if ( line_after_gap ) if ( line_after_gap )
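Review bot: `SMTP_CMD_WORD(code)` still guards only `code >= 0`; a code equal to or larger than the number of entries in `smtp_cmd_word` would index past the table. If every caller is guaranteed to pass values from the SMTP_cmd.def enum this is harmless, but since the macro is being touched anyway and the table is defined in the same translation unit, a symmetric upper bound is cheap: `#define SMTP_CMD_WORD(code) ((code >= 0 && code < (int) (sizeof(smtp_cmd_word) / sizeof(smtp_cmd_word[0]))) ? smtp_cmd_word[code] : unknown_cmd)`. Also `static const char* const unknown_cmd` would keep the file-scope pointer from being reassigned by accident. NewReply starts outside the hunk.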


@ -84,7 +84,7 @@ StringVal* asn1_oid_to_val(const ASN1Encoding* oid)
if ( i > 0 ) if ( i > 0 )
{ {
rval += "."; rval += ".";
snprintf(tmp, sizeof(tmp), "%"PRIu64, subidentifier_values[i]); snprintf(tmp, sizeof(tmp), "%" PRIu64, subidentifier_values[i]);
rval += tmp; rval += tmp;
} }
else else


@ -32,6 +32,7 @@ void ContentLine_Analyzer::InitState()
seq_to_skip = 0; seq_to_skip = 0;
plain_delivery_length = 0; plain_delivery_length = 0;
is_plain = 0; is_plain = 0;
suppress_weirds = false;
InitBuffer(0); InitBuffer(0);
} }
@ -258,7 +259,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data)
else else
{ {
if ( Conn()->FlagEvent(SINGULAR_LF) ) if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_LF) )
Conn()->Weird("line_terminated_with_single_LF"); Conn()->Weird("line_terminated_with_single_LF");
buf[offset++] = c; buf[offset++] = c;
} }
@ -277,7 +278,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data)
} }
if ( last_char == '\r' ) if ( last_char == '\r' )
if ( Conn()->FlagEvent(SINGULAR_CR) ) if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_CR) )
Conn()->Weird("line_terminated_with_single_CR"); Conn()->Weird("line_terminated_with_single_CR");
last_char = c; last_char = c;
@ -307,7 +308,7 @@ void ContentLine_Analyzer::CheckNUL()
; // Ignore it. ; // Ignore it.
else else
{ {
if ( Conn()->FlagEvent(NUL_IN_LINE) ) if ( ! suppress_weirds && Conn()->FlagEvent(NUL_IN_LINE) )
Conn()->Weird("NUL_in_line"); Conn()->Weird("NUL_in_line");
flag_NULs = 0; flag_NULs = 0;
} }
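Review bot: In CheckNUL the one-shot disarm `flag_NULs = 0;` still runs when `suppress_weirds` is set, so a NUL seen inside a suppressed multipart body silently disarms NUL detection (unless something re-arms it elsewhere) without ever being reported, while the per-connection `NUL_IN_LINE` flag is left unconsumed. If that is not intended, keep the disarm together with the report: `if ( ! suppress_weirds ) { if ( Conn()->FlagEvent(NUL_IN_LINE) ) Conn()->Weird("NUL_in_line"); flag_NULs = 0; }`. The two single-CR/LF sites in DoDeliverOnce are fine as written, since there the check precedes `FlagEvent()` and so does not consume the connection's one-shot state. CheckNUL and DoDeliverOnce both start outside the hunk.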


@ -15,6 +15,9 @@ public:
ContentLine_Analyzer(Connection* conn, bool orig); ContentLine_Analyzer(Connection* conn, bool orig);
~ContentLine_Analyzer(); ~ContentLine_Analyzer();
void SupressWeirds(bool enable)
{ suppress_weirds = enable; }
// If enabled, flag (first) line with embedded NUL. Default off. // If enabled, flag (first) line with embedded NUL. Default off.
void SetIsNULSensitive(bool enable) void SetIsNULSensitive(bool enable)
{ flag_NULs = enable; } { flag_NULs = enable; }
@ -96,6 +99,8 @@ protected:
// Don't deliver further data. // Don't deliver further data.
int skip_deliveries; int skip_deliveries;
bool suppress_weirds;
// If true, flag (first) line with embedded NUL. // If true, flag (first) line with embedded NUL.
unsigned int flag_NULs:1; unsigned int flag_NULs:1;
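Review bot: `SupressWeirds` is misspelled (one p) and, unlike the neighbouring setters, carries no comment saying what it affects or its default. Suggest a comment in the file's existing style above it, e.g. `// If enabled, don't report single-CR/LF line terminators or embedded NULs as weirds. Default off.`, and a matching one on the `suppress_weirds` member. If renaming is still feasible, `SuppressWeirds` avoids baking a typo into the public API.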


@ -1901,7 +1901,7 @@ void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data,
const IP_Hdr* ip, int caplen) const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %"PRIu64", %p, %d) [%s%s]", DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %" PRIu64", %p, %d) [%s%s]",
len, is_orig ? "T" : "F", seq, ip, caplen, len, is_orig ? "T" : "F", seq, ip, caplen,
fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : ""); fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
} }
@ -2053,7 +2053,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64 seq, int len, int caplen,
num_rxmit_bytes += len; num_rxmit_bytes += len;
} }
DEBUG_MSG("%.6f rexmit %"PRIu64" + %d <= %"PRIu64" data_in_flight = %d\n", DEBUG_MSG("%.6f rexmit %" PRIu64" + %d <= %" PRIu64" data_in_flight = %d\n",
network_time, seq, len, max_top_seq, data_in_flight); network_time, seq, len, max_top_seq, data_in_flight);
if ( tcp_rexmit ) if ( tcp_rexmit )


@ -188,7 +188,7 @@ void TCP_Reassembler::Undelivered(uint64 up_to_seq)
if ( DEBUG_tcp_contents ) if ( DEBUG_tcp_contents )
{ {
DEBUG_MSG("%.6f Undelivered: IsOrig()=%d up_to_seq=%"PRIu64", last_reassm=%"PRIu64", " DEBUG_MSG("%.6f Undelivered: IsOrig()=%d up_to_seq=%" PRIu64", last_reassm=%" PRIu64", "
"endp: FIN_cnt=%d, RST_cnt=%d, " "endp: FIN_cnt=%d, RST_cnt=%d, "
"peer: FIN_cnt=%d, RST_cnt=%d\n", "peer: FIN_cnt=%d, RST_cnt=%d\n",
network_time, IsOrig(), up_to_seq, last_reassem_seq, network_time, IsOrig(), up_to_seq, last_reassem_seq,
@ -219,7 +219,7 @@ void TCP_Reassembler::Undelivered(uint64 up_to_seq)
{ {
if ( DEBUG_tcp_contents ) if ( DEBUG_tcp_contents )
{ {
DEBUG_MSG("%.6f Undelivered: IsOrig()=%d, seq=%"PRIu64", len=%"PRIu64", " DEBUG_MSG("%.6f Undelivered: IsOrig()=%d, seq=%" PRIu64", len=%" PRIu64", "
"skip_deliveries=%d\n", "skip_deliveries=%d\n",
network_time, IsOrig(), last_reassem_seq, network_time, IsOrig(), last_reassem_seq,
up_to_seq - last_reassem_seq, up_to_seq - last_reassem_seq,
@ -350,7 +350,7 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f)
void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f) void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f)
{ {
if ( f->Write(fmt("\n<<gap %"PRIu64">>\n", upper_seq - start_seq)) ) if ( f->Write(fmt("\n<<gap %" PRIu64">>\n", upper_seq - start_seq)) )
return; return;
reporter->Error("TCP_Reassembler contents gap write failed"); reporter->Error("TCP_Reassembler contents gap write failed");
@ -420,7 +420,7 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n) void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
{ {
if ( DEBUG_tcp_contents ) if ( DEBUG_tcp_contents )
DEBUG_MSG("%.6f TCP contents overlap: %"PRIu64" IsOrig()=%d\n", network_time, n, IsOrig()); DEBUG_MSG("%.6f TCP contents overlap: %" PRIu64" IsOrig()=%d\n", network_time, n, IsOrig());
if ( rexmit_inconsistency && if ( rexmit_inconsistency &&
memcmp((const void*) b1, (const void*) b2, n) && memcmp((const void*) b1, (const void*) b2, n) &&
@ -465,7 +465,7 @@ int TCP_Reassembler::DataSent(double t, uint64 seq, int len,
if ( DEBUG_tcp_contents ) if ( DEBUG_tcp_contents )
{ {
DEBUG_MSG("%.6f DataSent: IsOrig()=%d seq=%"PRIu64" upper=%"PRIu64" ack=%"PRIu64"\n", DEBUG_MSG("%.6f DataSent: IsOrig()=%d seq=%" PRIu64" upper=%" PRIu64" ack=%" PRIu64"\n",
network_time, IsOrig(), seq, upper_seq, ack); network_time, IsOrig(), seq, upper_seq, ack);
} }


@ -357,7 +357,7 @@ cq_remove(register struct cq_handle *hp, register double pri,
/* The priority must be positive and the cookie non-null */ /* The priority must be positive and the cookie non-null */
if (pri <= 0.0 || cookie == NULL) if (pri <= 0.0 || cookie == NULL)
return (-0); return (0);
bp = hp->buckets + PRI2BUCKET(hp, pri); bp = hp->buckets + PRI2BUCKET(hp, pri);
if (! BUCKETINUSE(bp)) if (! BUCKETINUSE(bp))
@ -370,7 +370,7 @@ cq_remove(register struct cq_handle *hp, register double pri,
} }
if ( ! bp ) if ( ! bp )
return (-0); return (0);
/* Unlink entry */ /* Unlink entry */
if ( ! bp2 ) { if ( ! bp2 ) {


@ -506,6 +506,7 @@ bool PktSrc::ApplyBPFFilter(int index, const struct pcap_pkthdr *hdr, const u_ch
{ {
Error(fmt("BPF filter %d not compiled", index)); Error(fmt("BPF filter %d not compiled", index));
Close(); Close();
return false;
} }
if ( code->MatchesAnything() ) if ( code->MatchesAnything() )
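Review bot: With the added `return false;` a caller of ApplyBPFFilter can no longer distinguish "filter did not match" from "filter was never compiled and the source has just been closed", since both come back as `false`. That may be acceptable because Error() has already been reported and Close() called, but a comment at the return, e.g. `// Source is now closed (reported via Error()); callers must check the source state rather than rely on this return value.`, would make the contract explicit — I cannot see from the hunk whether callers do check. ApplyBPFFilter starts and ends outside the hunk.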


@ -266,7 +266,11 @@ protected:
Properties() Properties()
{ {
selectable_fd = -1;
link_type = -1;
hdr_size = -1;
netmask = PCAP_NETMASK_UNKNOWN; netmask = PCAP_NETMASK_UNKNOWN;
is_live = false;
} }
}; };


@ -21,6 +21,9 @@ PcapSource::PcapSource(const std::string& path, bool is_live)
{ {
props.path = path; props.path = path;
props.is_live = is_live; props.is_live = is_live;
pd = 0;
memset(&current_hdr, 0, sizeof(current_hdr));
memset(&last_hdr, 0, sizeof(last_hdr));
last_data = 0; last_data = 0;
} }


@ -775,6 +775,9 @@ int main(int argc, char** argv)
// DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key)); // DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key));
init_hash_function(); init_hash_function();
// Must come after hash initialization.
binpac::init();
ERR_load_crypto_strings(); ERR_load_crypto_strings();
OPENSSL_add_all_algorithms_conf(); OPENSSL_add_all_algorithms_conf();
SSL_library_init(); SSL_library_init();


@ -127,7 +127,11 @@ static void parser_new_enum (void)
{ {
/* Starting a new enum definition. */ /* Starting a new enum definition. */
assert(cur_enum_type == NULL); assert(cur_enum_type == NULL);
if ( cur_decl_type_id )
cur_enum_type = new EnumType(cur_decl_type_id->Name()); cur_enum_type = new EnumType(cur_decl_type_id->Name());
else
reporter->FatalError("incorrect syntax for enum type declaration");
} }
static void parser_redef_enum (ID *id) static void parser_redef_enum (ID *id)


@ -172,7 +172,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_
// Load {bif,scripts}/__load__.bro automatically. // Load {bif,scripts}/__load__.bro automatically.
string init = dir + "lib/bif/__load__.bro"; string init = dir + "scripts/__load__.bro";
if ( is_file(init) ) if ( is_file(init) )
{ {
@ -180,7 +180,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_
scripts_to_load.push_back(init); scripts_to_load.push_back(init);
} }
init = dir + "scripts/__load__.bro"; init = dir + "lib/bif/__load__.bro";
if ( is_file(init) ) if ( is_file(init) )
{ {
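Review bot: The comment `// Load {bif,scripts}/__load__.bro automatically.` no longer reflects the order the code now uses (scripts/__load__.bro first, then lib/bif/__load__.bro), and the reason for the swap is not recorded anywhere in the hunk. Suggest `// Load scripts/__load__.bro first, then lib/bif/__load__.bro, because <reason>.` with the author filling in the motivation, since a future reader will otherwise assume the order is arbitrary and may swap it back. ActivateDynamicPluginInternal starts and ends outside the hunk.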


@ -7,6 +7,6 @@
# bro data_struct_vector_declaration.bro # bro data_struct_vector_declaration.bro
contents of v1: [1, 2, 3, 4] contents of v1: [1, 2, 3, 4]
length of v1: 4 length of v1: 4
contents of v1: [1, 2, 3, 4] contents of v2: [1, 2, 3, 4]
length of v2: 4 length of v2: 4


@ -6,6 +6,6 @@
# bro data_type_pattern_01.bro # bro data_type_pattern_01.bro
The The
brown fox jumped over the brown fox jumps over the
dog. dog.


@ -0,0 +1,11 @@
[zero, one, , , , five, , seven]
vec[0] = zero.exe
vec[1] = one.exe
vec[2] = <not set>
vec[3] = <not set>
vec[4] = <not set>
vec[5] = five.exe
vec[6] = <not set>
vec[7] = seven.exe
vec[8] = <not set>
vec[9] = <not set>


@ -0,0 +1,38 @@
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.bro, line 9: value used but not set (crashMe)
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.bro, line 14: value used but not set (x)
1
2
3
4
5
6
7
8
9
10
2nd when stmt executing, 999
1st when stmt executing, not anymore you don't
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34


@ -1 +1 @@
fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/master/testing/btest/.tmp/plugins.api-version-mismatch//lib/Demo-Foo.linux-x86_64.so) fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/master/testing/btest/.tmp/plugins.api-version-mismatch//lib/XXX)


@ -3,5 +3,5 @@ Demo::Foo - <Insert description> (dynamic, version 1.0)
[Event] plugin_event [Event] plugin_event
plugin: automatically loaded at startup plugin: automatically loaded at startup
calling bif, Hello from the plugin!
plugin: manually loaded plugin: manually loaded
calling bif, Hello from the plugin!


@ -4,21 +4,19 @@ Demo::Foo - <Insert description> (dynamic, version 1.0)
=== ===
plugin: automatically loaded at startup plugin: automatically loaded at startup
calling bif, Hello from the plugin!
=== ===
plugin: automatically loaded at startup plugin: automatically loaded at startup
calling bif, Hello from the plugin!
plugin: manually loaded plugin: manually loaded
calling bif, Hello from the plugin!
=-= =-=
=-= =-=
=== ===
plugin: automatically loaded at startup plugin: automatically loaded at startup
===
plugin: automatically loaded at startup
plugin: manually loaded
calling bif, Hello from the plugin! calling bif, Hello from the plugin!
=== ===
plugin: automatically loaded at startup plugin: automatically loaded at startup
calling bif, Hello from the plugin!
plugin: manually loaded plugin: manually loaded
===
plugin: automatically loaded at startup
calling bif, Hello from the plugin! calling bif, Hello from the plugin!
plugin: manually loaded


@ -1,39 +1,39 @@
FILE_NEW FILE_NEW
file #0, 0, 0 file #0, 0, 0
FILE_BOF_BUFFER FILE_BOF_BUFFER
test^M^J test
FILE_OVER_NEW_CONNECTION FILE_OVER_NEW_CONNECTION
FILE_STATE_REMOVE FILE_STATE_REMOVE
file #0, 6, 0 file #0, 4, 0
[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
source: HTTP source: HTTP
MD5: 9f06243abcb89c70e0c331c61d871fa7 MD5: 098f6bcd4621d373cade4e832627b4f6
SHA1: fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4 SHA1: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256: 837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
FILE_NEW FILE_NEW
file #1, 0, 0 file #1, 0, 0
FILE_BOF_BUFFER FILE_BOF_BUFFER
test2^M^J test2
FILE_OVER_NEW_CONNECTION FILE_OVER_NEW_CONNECTION
FILE_STATE_REMOVE FILE_STATE_REMOVE
file #1, 7, 0 file #1, 5, 0
[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
source: HTTP source: HTTP
MD5: d68af81ef370b3873d50f09140068810 MD5: ad0234829205b9033196ba818f7a872b
SHA1: 51a7b6f2d91f6a87822dc04560f2972bc14fc97e SHA1: 109f4b3c50d7b0df729d299bc6f8e9ef9066971f
SHA256: de0edd0ac4a705aff70f34734e90a1d0a1d8b76abe4bb53f3ea934bc105b3b17 SHA256: 60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752
FILE_NEW FILE_NEW
file #2, 0, 0 file #2, 0, 0
FILE_BOF_BUFFER FILE_BOF_BUFFER
test3^M^J test3
FILE_OVER_NEW_CONNECTION FILE_OVER_NEW_CONNECTION
FILE_STATE_REMOVE FILE_STATE_REMOVE
file #2, 7, 0 file #2, 5, 0
[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
source: HTTP source: HTTP
MD5: 1a3d75d44753ad246f0bd333cdaf08b0 MD5: 8ad8757baa8564dc136c1e07507f4a98
SHA1: 4f98809ab09272dfcc58266e3f23ae2393f70e76 SHA1: 3ebfa301dc59196f18593c45e519287a23297589
SHA256: 018c67a2c30ed9977e1dddfe98cac542165dac355cf9764c91a362613e752933 SHA256: fd61a03af4f77d870fc21e05e7e80678095c92d808cfb3b5c279ee04c74aca13
FILE_NEW FILE_NEW
file #3, 0, 0 file #3, 0, 0
FILE_BOF_BUFFER FILE_BOF_BUFFER


@ -6,12 +6,12 @@ MIME_TYPE
text/plain text/plain
FILE_OVER_NEW_CONNECTION FILE_OVER_NEW_CONNECTION
FILE_STATE_REMOVE FILE_STATE_REMOVE
file #0, 79, 0 file #0, 77, 0
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp] [orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
source: SMTP source: SMTP
MD5: 92bca2e6cdcde73647125da7dccbdd07 MD5: 58aff3af22807bc5f4b6357c0038256c
SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13 SHA1: c39dc8cd0f8d8b1f7fc8b362c41e69fdf20f668a
SHA256: 785a8a044d1454ec88837108f443bbb30cc4f529393ffd57118261036bfe59f5 SHA256: 8d057f3af311c20675eea767a9df5fa31ff3597c6d5d50fd0cdc34766c40204d
FILE_NEW FILE_NEW
file #1, 0, 0 file #1, 0, 0
FILE_BOF_BUFFER FILE_BOF_BUFFER


@ -10,4 +10,3 @@ Find the attachment
GPS GPS


@ -3,9 +3,9 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-04-26-16-44-47 #open 2014-08-08-17-13-20
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
1348168976.508038 CXWv6p3arKYeMETxOg 192.168.57.103 60108 192.168.57.101 2811 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - - - T FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348168976.508038 CXWv6p3arKYeMETxOg 192.168.57.103 60108 192.168.57.101 2811 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - F - - T FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
1348168976.551422 CjhGID4nQcgTWjvg4c 192.168.57.103 35391 192.168.57.101 55968 TLSv10 TLS_RSA_WITH_NULL_SHA - - - - T F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3 FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348168976.551422 CjhGID4nQcgTWjvg4c 192.168.57.103 35391 192.168.57.101 55968 TLSv10 TLS_RSA_WITH_NULL_SHA - - F - - T F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3 FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
#close 2014-04-26-16-44-47 #close 2014-08-08-17-13-20


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-05-15-17-23-07 #open 2014-08-08-17-13-27
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
1400173552.424910 CXWv6p3arKYeMETxOg 192.168.4.149 54775 192.168.4.149 110 TLSv12 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - - - - T FEdAw24VSam39HNlY5 (empty) emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE - - 1400173552.424910 CXWv6p3arKYeMETxOg 192.168.4.149 54775 192.168.4.149 110 TLSv12 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - - F - - T FEdAw24VSam39HNlY5 (empty) emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE - -
#close 2014-05-15-17-23-07 #close 2014-08-08-17-13-27


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-05-15-16-56-36 #open 2014-08-08-17-13-38
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
1400168397.019290 CXWv6p3arKYeMETxOg 192.168.4.149 54170 74.125.142.26 25 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - T FUE0dj3SWjQASC0bk3,FbPkr51wrSMIUT5Hib,FVW1o23Jjs8yenOhzb (empty) CN=mx.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - 1400168397.019290 CXWv6p3arKYeMETxOg 192.168.4.149 54170 74.125.142.26 25 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - F - - T FUE0dj3SWjQASC0bk3,FbPkr51wrSMIUT5Hib,FVW1o23Jjs8yenOhzb (empty) CN=mx.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
#close 2014-05-15-16-56-36 #close 2014-08-08-17-13-38


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-04-26-16-45-01 #open 2014-08-08-17-13-42
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
1335538392.319381 CXWv6p3arKYeMETxOg 192.168.1.105 62045 74.125.224.79 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 ssl.gstatic.com - - T F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h (empty) CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US - - 1335538392.319381 CXWv6p3arKYeMETxOg 192.168.1.105 62045 74.125.224.79 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 ssl.gstatic.com F - - T F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h (empty) CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority,O=Google Inc,C=US - -
#close 2014-04-26-16-45-01 #close 2014-08-08-17-13-42


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-04-27-00-52-03 #open 2014-08-08-17-13-45
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
1398558136.319509 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - - 1398558136.319509 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - F - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - -
#close 2014-04-27-00-52-03 #close 2014-08-08-17-13-45


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-04-26-16-39-57 #open 2014-08-08-17-13-48
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
1398529018.678827 CXWv6p3arKYeMETxOg 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - 1398529018.678827 CXWv6p3arKYeMETxOg 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
#close 2014-04-26-16-39-57 #close 2014-08-08-17-13-48


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-04-26-16-45-16 #open 2014-08-08-17-13-53
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
1393957586.786031 CXWv6p3arKYeMETxOg 192.168.4.149 53525 74.125.239.37 443 - - - - - handshake_failure F - - - - - - 1393957586.786031 CXWv6p3arKYeMETxOg 192.168.4.149 53525 74.125.239.37 443 - - - - F handshake_failure - F - - - - - -
#close 2014-04-26-16-45-16 #close 2014-08-08-17-13-53


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-04-26-16-45-09 #open 2014-08-08-17-13-51
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
1357328848.549370 CXWv6p3arKYeMETxOg 10.0.0.80 56637 68.233.76.12 443 TLSv12 TLS_RSA_WITH_RC4_128_MD5 - - - - T FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh (empty) CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - 1357328848.549370 CXWv6p3arKYeMETxOg 10.0.0.80 56637 68.233.76.12 443 TLSv12 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh (empty) CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - -
#close 2014-04-26-16-45-09 #close 2014-08-08-17-13-51


@ -1,5 +0,0 @@
[code=200, msg=OK^M, body=It works!, headers={
[Server] = 1.0,
[Content-type] = text/plain,
[Date] = July 22, 2013
}]


@ -0,0 +1,10 @@
[Content-type] = text/plain,
[Content-type] = text/plain,
[Date] = July 22, 2013
[Date] = July 22, 2013
[Server] = 1.0,
[Server] = 1.0,
test1, [code=200, msg=OK^M, body=It works!, headers={
test2, [code=200, msg=OK^M, body=, headers={
}]
}]


@ -1,6 +1,10 @@
test2, [exit_code=1, signal_exit=F, stdout=[here's something on stdout, some more stdout, last stdout], stderr=[and some stderr, more stderr, last stderr], files=<uninitialized>]
test1, [exit_code=0, signal_exit=F, stdout=[done, exit, stop], stderr=<uninitialized>, files={ test1, [exit_code=0, signal_exit=F, stdout=[done, exit, stop], stderr=<uninitialized>, files={
[out1] = [insert text here, and here], [out1] = [insert text here, and here],
[out2] = [insert more text here, and there] [out2] = [insert more text here, and there]
}] }]
test2, [exit_code=1, signal_exit=F, stdout=[here's something on stdout, some more stdout, last stdout], stderr=[and some stderr, more stderr, last stderr], files=<uninitialized>]
test4, [exit_code=0, signal_exit=F, stdout=[hibye], stderr=<uninitialized>, files=<uninitialized>] test4, [exit_code=0, signal_exit=F, stdout=[hibye], stderr=<uninitialized>, files=<uninitialized>]
test5, [exit_code=0, signal_exit=F, stdout=<uninitialized>, stderr=<uninitialized>, files={
[out4] = [test],
[out3] = []
}]


@ -305,15 +305,15 @@
[2] is_orig: bool = T [2] is_orig: bool = T
1254722770.692743 file_new 1254722770.692743 file_new
[0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>] [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, 
to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
1254722770.692743 file_over_new_connection 1254722770.692743 file_over_new_connection
[0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>] [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, 
http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
[1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[2] is_orig: bool = F [2] is_orig: bool = F
1254722770.692743 file_state_remove 1254722770.692743 file_state_remove
[0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>] [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, 
ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, 
sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
1254722770.692743 get_file_handle 1254722770.692743 get_file_handle
[0] tag: enum = Analyzer::ANALYZER_SMTP [0] tag: enum = Analyzer::ANALYZER_SMTP
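Review bot: In the resolved file_state_remove record the new side reports `seen_bytes=77` where the old side had `seen_bytes=79`, and `bof_buffer` no longer ends with the trailing `^M^J`, while `bof_buffer_size` drops from 3000 to 1024 in all three events of this hunk. Because this is the file the merge reported a conflict in, it is worth confirming that the two-byte reduction is the intended effect of the MIME changes (the final CRLF no longer counted as entity body) rather than an artifact of the conflict resolution, since the byte count feeds whatever size-dependent expectations other baselines carry. A one-line comment in the commit message naming the reason for 79→77 would make the baseline change reviewable without re-running the test.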


@ -3,9 +3,9 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-04-27-06-48-05 #open 2014-08-08-17-13-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
1394747126.855035 CXWv6p3arKYeMETxOg 192.168.4.149 60623 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - T FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - 1394747126.855035 CXWv6p3arKYeMETxOg 192.168.4.149 60623 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - F - - T FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
1394747129.505622 CjhGID4nQcgTWjvg4c 192.168.4.149 60624 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - - - T FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - 1394747129.505622 CjhGID4nQcgTWjvg4c 192.168.4.149 60624 74.125.239.129 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - F - - T FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - -
#close 2014-04-27-06-48-05 #close 2014-08-08-17-13-55


@ -3,9 +3,9 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-04-26-16-45-32 #open 2014-08-08-17-13-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
1394745602.951961 CXWv6p3arKYeMETxOg 192.168.4.149 60539 87.98.220.10 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - - - - T F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl (empty) CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - certificate has expired 1394745602.951961 CXWv6p3arKYeMETxOg 192.168.4.149 60539 87.98.220.10 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - - F - - T F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl (empty) CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - certificate has expired
1394745618.791420 CjhGID4nQcgTWjvg4c 192.168.4.149 60540 122.1.240.204 443 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - - - T F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h (empty) CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - ok 1394745618.791420 CjhGID4nQcgTWjvg4c 192.168.4.149 60540 122.1.240.204 443 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - F - - T F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h (empty) CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - ok
#close 2014-04-26-16-45-32 #close 2014-08-08-17-13-58


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-09-04-19-17-18 #open 2014-10-21-18-37-44
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
1404148886.994021 CXWv6p3arKYeMETxOg 192.168.4.149 51293 72.21.91.29 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 - - - T FhwjYM0FkbvVCvMf2,Fajs2d2lipsadwoK1h (empty) CN=www.digicert.com,O=DigiCert\, Inc.,L=Lehi,ST=Utah,C=US,postalCode=84043,street=2600 West Executive Parkway,street=Suite 500,serialNumber=5299537-0142,1.3.6.1.4.1.311.60.2.1.2=#130455746168,1.3.6.1.4.1.311.60.2.1.3=#13025553,businessCategory=Private Organization CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - good 1404148886.994021 CXWv6p3arKYeMETxOg 192.168.4.149 51293 72.21.91.29 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 - F - - T FhwjYM0FkbvVCvMf2,Fajs2d2lipsadwoK1h (empty) CN=www.digicert.com,O=DigiCert\, Inc.,L=Lehi,ST=Utah,C=US,postalCode=84043,street=2600 West Executive Parkway,street=Suite 500,serialNumber=5299537-0142,1.3.6.1.4.1.311.60.2.1.2=#130455746168,1.3.6.1.4.1.311.60.2.1.3=#13025553,businessCategory=Private Organization CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - good
#close 2014-09-04-19-17-18 #close 2014-10-21-18-37-44


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-09-04-19-17-14 #open 2014-10-21-18-37-33
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
1409786981.016881 CXWv6p3arKYeMETxOg 192.168.4.149 53106 93.184.216.146 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 - - - T FtaZVlJfywdNmVFr1,FoILekwkdtTuZtlVa (empty) CN=si0.twimg.com,O=Twitter\, Inc.,L=San Francisco,ST=California,C=US CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US - - good 1409786981.016881 CXWv6p3arKYeMETxOg 192.168.4.149 53106 93.184.216.146 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 - F - - T FtaZVlJfywdNmVFr1,FoILekwkdtTuZtlVa (empty) CN=si0.twimg.com,O=Twitter\, Inc.,L=San Francisco,ST=California,C=US CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US - - good
#close 2014-09-04-19-17-14 #close 2014-10-21-18-37-33


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ssl #path ssl
#open 2014-05-30-22-37-19 #open 2014-08-08-17-14-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
1398367809.790512 CXWv6p3arKYeMETxOg 192.168.4.149 56253 131.253.61.82 443 TLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp384r1 - - - T Fr1vuhmDOykX05Vj1,FlFGqI1PyTt7Vuo8E9,FSASzpV1NMIvbQ1W9 (empty) CN=login.live.com,OU=MSA,O=Microsoft Corporation,street=1 Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553 CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - good 1398367809.790512 CXWv6p3arKYeMETxOg 192.168.4.149 56253 131.253.61.82 443 TLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp384r1 - F - - T Fr1vuhmDOykX05Vj1,FlFGqI1PyTt7Vuo8E9,FSASzpV1NMIvbQ1W9 (empty) CN=login.live.com,OU=MSA,O=Microsoft Corporation,street=1 Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553 CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - good
#close 2014-05-30-22-37-19 #close 2014-08-08-17-14-03


@ -9,6 +9,11 @@
BROSCRIPTS=${DIST}/scripts BROSCRIPTS=${DIST}/scripts
if [ ! -d "${BROSCRIPTS}" ]; then
echo "Directory not found: ${BROSCRIPTS}" 1>&2
exit 1
fi
# For a given Bro script, look for a call to "create_stream". If found, # For a given Bro script, look for a call to "create_stream". If found,
# extract the log ID (adding the module name if necessary), and print the # extract the log ID (adding the module name if necessary), and print the
# log ID and script filename. # log ID and script filename.
@ -33,7 +38,12 @@ cat << '_EOF_' > find_logid.awk
} }
_EOF_ _EOF_
find ${BROSCRIPTS} -type f -exec awk -f find_logid.awk {} \; > out.logid find -L ${BROSCRIPTS} -type f -exec awk -f find_logid.awk {} \; > out.logid
if [ ! -s out.logid ]; then
echo "Did not find Bro scripts in directory: ${BROSCRIPTS}" 1>&2
exit 1
fi
# For each log ID, have Bro convert it to the corresponding log filename # For each log ID, have Bro convert it to the corresponding log filename
# using the default mechanism for generating a log filename (we must load # using the default mechanism for generating a log filename (we must load
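Review bot: The changed `find -L ${BROSCRIPTS} -type f ...` line leaves the path unquoted, while the directory check added at the top of the same file quotes `"${BROSCRIPTS}"`; a `${DIST}` containing whitespace would be split into several arguments here. `find -L "${BROSCRIPTS}" -type f -exec awk -f find_logid.awk {} \; > out.logid` keeps the two consistent. The change also does not say why `-L` was added; a one-line comment such as `# -L: follow symlinks so a symlinked scripts/ tree is searched too` would record the reason, and readers should know that symlink loops under that tree are followed until find reports them.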


@ -0,0 +1,17 @@
# @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out
local ten = "0123456789";
local vec: vector of string = { "zero", "one" };
local n = 0;
vec[5] = "five";
vec[7] = "seven";
print vec;
vec = vec + ".exe";
for ( c in ten )
{
local is_set: bool = (n in vec);
print fmt("vec[%s] = %s", n, is_set ? vec[n] : "<not set>");
++n;
}
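Review bot: The loop `for ( c in ten )` at the bottom of the new test uses the string `"0123456789"` only as a ten-iteration counter and never reads `c`, which is easy to misread as iterating over the vector. A short comment above it, `# loop ten times so that indices 0-9 cover both set and unset slots of vec`, would make the intent explicit. Whether the `vec = vec + ".exe";` step is expected to leave the unset slots unset is presumably part of what the baseline checks; saying so in the header comments would make the test self-describing.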


@ -0,0 +1,32 @@
# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT >out 2>&1
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
global crashMe: function(): string;
global x: int;
event bro_init()
{
when( local result = crashMe() )
{
print "1st when stmt executing", result;
}
when( local other_result = x )
{
print "2nd when stmt executing", other_result;
}
}
global conn_count = 0;
event new_connection(c: connection)
{
++conn_count;
print conn_count;
if ( conn_count == 10 )
{
x = 999;
crashMe = function(): string { return "not anymore you don't"; };
}
}
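Review bot: The new test relies on `crashMe` and `x` being declared but not yet initialized when the two `when` conditions in `bro_init` are first evaluated, yet nothing in the file says that this is the deliberate condition under test. A comment after the two globals, `# intentionally left uninitialized: the when statements below must tolerate an unset RHS until new_connection sets them`, would make the regression readable to the next maintainer. The test also assumes the trace yields at least ten `new_connection` events so that the `conn_count == 10` branch fires; that assumption is worth stating in the header.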


@ -8,13 +8,25 @@
event bro_init() event bro_init()
{ {
local h1: addr = 127.0.0.1; local h: addr = 127.0.0.1;
when ( local h1name = lookup_addr(h1) ) when ( local hname = lookup_addr(h) )
{ {
print "lookup successful"; print "lookup successful";
terminate(); terminate();
} }
timeout 10sec
{
print "timeout (1)";
}
local to = 5sec;
# Just checking that timeouts can use arbitrary expressions...
when ( local hname2 = lookup_addr(h) ) {}
timeout to {}
when ( local hname3 = lookup_addr(h) ) {}
timeout to + 2sec {}
print "done"; print "done";
} }
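Review bot: The `timeout 10sec` branch added to the first `when` prints `timeout (1)` but does not call `terminate()` as the success branch does, so a failed or slow lookup never ends the run from this path; if the script is set to exit only after terminate (the lines above the hunk are not visible), the test would then wait for its outer timeout instead. Adding `terminate();` after `print "timeout (1)";` keeps the two branches symmetric. The two trailing `when` statements with empty bodies are covered by the comment above them, so no further documentation is needed there.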


@ -1,7 +1,8 @@
# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo # @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo
# @TEST-EXEC: bash %INPUT # @TEST-EXEC: bash %INPUT
# @TEST-EXEC: ./configure --bro-dist=${DIST} && make # @TEST-EXEC: ./configure --bro-dist=${DIST} && make
# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output 2>&1 # @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >tmp 2>&1
# @TEST-EXEC: cat tmp | sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' >>output
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
( echo '#define BRO_PLUGIN_API_VERSION 42'; cat src/Plugin.cc; ) >src/Plugin.cc.tmp && mv src/Plugin.cc.tmp src/Plugin.cc ( echo '#define BRO_PLUGIN_API_VERSION 42'; cat src/Plugin.cc; ) >src/Plugin.cc.tmp && mv src/Plugin.cc.tmp src/Plugin.cc
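Review bot: `cat tmp | sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' >>output` on the new @TEST-EXEC line pipes through cat for no reason; `sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' tmp >>output` does the same with one process. The substitution has no `g` flag, so only the first occurrence of the plugin name per line is normalized, which is presumably enough for the expected one-line error; if the message ever repeats the name, the canonifier would miss it.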


@ -21,6 +21,7 @@ cat >scripts/demo/foo/manually.bro <<EOF
event bro_init() &priority=-10 event bro_init() &priority=-10
{ {
print "plugin: manually loaded"; print "plugin: manually loaded";
print "calling bif", hello_plugin_world();
} }
EOF EOF
@ -28,7 +29,6 @@ cat >scripts/demo/foo/base/at-startup.bro <<EOF
event bro_init() &priority=10 event bro_init() &priority=10
{ {
print "plugin: automatically loaded at startup"; print "plugin: automatically loaded at startup";
print "calling bif", hello_plugin_world();
} }
EOF EOF
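Review bot: Moving `print "calling bif", hello_plugin_world();` from the `base/at-startup.bro` heredoc to the `manually.bro` heredoc is not explained in the test, and the same move is made in the next file section. Presumably the bif is not yet usable from a plugin's automatically loaded startup script under the new loading order, but that is inferred, not stated. A one-line comment inside the `manually.bro` heredoc, `# bifs are exercised from the manually loaded script only`, would record why the call lives here.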


@ -37,6 +37,7 @@ cat >scripts/demo/foo/manually.bro <<EOF
event bro_init() &priority=-10 event bro_init() &priority=-10
{ {
print "plugin: manually loaded"; print "plugin: manually loaded";
print "calling bif", hello_plugin_world();
} }
EOF EOF
@ -44,7 +45,6 @@ cat >scripts/demo/foo/base/at-startup.bro <<EOF
event bro_init() &priority=10 event bro_init() &priority=10
{ {
print "plugin: automatically loaded at startup"; print "plugin: automatically loaded at startup";
print "calling bif", hello_plugin_world();
} }
EOF EOF


@ -1,28 +1,43 @@
# @TEST-REQUIRES: which python # @TEST-REQUIRES: which python
# @TEST-REQUIRES: which curl # @TEST-REQUIRES: which curl
# #
# @TEST-EXEC: btest-bg-run httpd python $SCRIPTS/httpd.py --max 1 --addr=127.0.0.1 # @TEST-EXEC: btest-bg-run httpd python $SCRIPTS/httpd.py --max 2 --addr=127.0.0.1
# @TEST-EXEC: sleep 3 # @TEST-EXEC: sleep 3
# @TEST-EXEC: btest-bg-run bro bro -b %INPUT # @TEST-EXEC: btest-bg-run bro bro -b %INPUT
# @TEST-EXEC: btest-bg-wait 15 # @TEST-EXEC: btest-bg-wait 15
# @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: cat bro/.stdout | sort >output
# @TEST-EXEC: btest-diff output
@load base/utils/active-http @load base/utils/active-http
@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... @load base/frameworks/communication # let network-time run. otherwise there are no heartbeats...
redef exit_only_after_terminate = T; redef exit_only_after_terminate = T;
event bro_init() global c: count = 0;
{
local req = ActiveHTTP::Request($url="127.0.0.1:32123");
when ( local resp = ActiveHTTP::request(req) ) function check_exit_condition()
{ {
print resp; c += 1;
if ( c == 2 )
terminate(); terminate();
} }
function test_request(label: string, req: ActiveHTTP::Request)
{
when ( local response = ActiveHTTP::request(req) )
{
print label, response;
check_exit_condition();
}
timeout 1min timeout 1min
{ {
print "HTTP request timeout"; print "HTTP request timeout";
terminate(); check_exit_condition();
} }
} }
event bro_init()
{
test_request("test1", [$url="127.0.0.1:32123"]);
test_request("test2", [$url="127.0.0.1:32123/empty", $method="POST"]);
}
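Review bot: `if ( c == 2 )` in the new `check_exit_condition()` is a magic number that must track the number of `test_request()` calls in `bro_init()`, and nothing ties the two together; the same pattern appears as `c == 4` in the next file section's `check_exit_condition()`. A comment on the comparison, `# one completion (response or timeout) per test_request() call in bro_init()`, or a single constant holding the expected count, keeps them from drifting. It is also worth noting in that comment that the `timeout 1min` branch now counts as a completion, since that is what lets the run end when the server never answers. The new `cat bro/.stdout | sort >output` line could simply be `sort bro/.stdout >output`.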


@ -14,7 +14,7 @@ function check_exit_condition()
{ {
c += 1; c += 1;
if ( c == 3 ) if ( c == 4 )
terminate(); terminate();
} }
@ -35,6 +35,8 @@ event bro_init()
# Not sure of a portable way to test signals yet. # Not sure of a portable way to test signals yet.
#test_cmd("test3", [$cmd="bash ../suicide.sh"]); #test_cmd("test3", [$cmd="bash ../suicide.sh"]);
test_cmd("test4", [$cmd="bash ../stdin.sh", $stdin="hibye"]); test_cmd("test4", [$cmd="bash ../stdin.sh", $stdin="hibye"]);
test_cmd("test5", [$cmd="bash ../empty_file.sh",
$read_files=set("out3", "out4")]);
} }
@TEST-END-FILE @TEST-END-FILE
@ -73,3 +75,9 @@ echo "nope"
read -r line read -r line
echo "$line" echo "$line"
@TEST-END-FILE @TEST-END-FILE
@TEST-START-FILE empty_file.sh
#! /usr/bin/env bash
touch out3
echo "test" > out4
@TEST-END-FILE


@ -2,12 +2,27 @@
import BaseHTTPServer import BaseHTTPServer
class MyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): class MyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
def do_GET(self): def do_GET(self):
self.send_response(200) self.send_response(200)
self.send_header("Content-type", "text/plain") self.send_header("Content-type", "text/plain")
self.end_headers() self.end_headers()
if "/empty" in self.path:
self.wfile.write("")
else:
self.wfile.write("It works!")
def do_POST(self):
self.send_response(200)
self.send_header("Content-type", "text/plain")
self.end_headers()
if "/empty" in self.path:
self.wfile.write("")
else:
self.wfile.write("It works!") self.wfile.write("It works!")
def version_string(self): def version_string(self):