A few test updates.
This commit is contained in:
parent
636914b8f1
commit
f098b17429
11 changed files with 57 additions and 61 deletions
|
@ -16,9 +16,6 @@ export {
|
|||
|
||||
function get_file_handle(c: connection, is_orig: bool): string
|
||||
{
|
||||
if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers )
|
||||
return "";
|
||||
|
||||
return cat(Analyzer::ANALYZER_IRC_DATA, c$start_time, c$id, is_orig);
|
||||
}
|
||||
|
||||
|
|
|
@ -47,7 +47,7 @@ event file_hash(f: fa_file, kind: string, hash: string)
|
|||
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
|
||||
if ( mhr_detect_rate >= notice_threshold )
|
||||
{
|
||||
local message = fmt("Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
|
||||
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
|
||||
local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
|
||||
NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
|
||||
}
|
||||
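Review bot: The notice text in `local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);` labels the timestamp "Last seen" while the value it prints is `readable_first_detected`, built from `mhr_first_detected`; one of the two names is wrong, and an analyst reading the notice cannot tell which. If the MHR response field really is a last-seen time, rename the locals (`mhr_last_seen`, `readable_last_seen`); otherwise change the label to `First seen:`. Separately, `NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);` sets no `$identifier`, so every repeated match on the same hash produces a fresh notice; if that is not intended, `$identifier=hash` lets the notice framework's suppression collapse them. The enclosing `event file_hash` body begins outside this hunk.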
|
|
|
@ -3,10 +3,10 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path http
|
||||
#open 2013-05-21-21-11-20
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files
|
||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string]
|
||||
1257655301.652206 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - - (empty) - - - text/html - - -
|
||||
#open 2013-07-23-05-12-58
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types
|
||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] vector[string] vector[string] vector[string] vector[string]
|
||||
1257655301.652206 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - - (empty) - - - - - meGKu6goEyd application/octet-stream
|
||||
1257655302.514424 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - - -
|
||||
1257655303.603569 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - - -
|
||||
#close 2013-05-21-21-11-20
|
||||
#close 2013-07-23-05-12-58
|
||||
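Review bot: The rebaselined row for `GET ipv6.google.com /` records `resp_mime_types` as `application/octet-stream` for the same 200 OK, 10102-byte response that the old baseline typed as `text/html`, so accepting this file as expected output also accepts a MIME-typing downgrade, not just the column rename from `mime_type`/`md5`/`extracted_*` to `orig_fuids`/`orig_mime_types`/`resp_fuids`/`resp_mime_types`. If the new column is sniffed from the body rather than taken from the Content-Type header, that is plausible, but it should be stated in the commit rather than silently baked into the baseline; the file-analysis baseline further down shows the same fallback (`text/x-pascal` becoming `application/octet-stream` for a body starting `The Nationa`). It is worth confirming the detector is meant to fall back to octet-stream for text bodies before committing both expectations.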
|
|
|
@ -3,7 +3,7 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path loaded_scripts
|
||||
#open 2013-07-10-21-18-31
|
||||
#open 2013-07-23-05-48-10
|
||||
#fields name
|
||||
#types string
|
||||
scripts/base/init-bare.bro
|
||||
|
@ -84,12 +84,12 @@ scripts/base/init-bare.bro
|
|||
scripts/base/frameworks/analyzer/main.bro
|
||||
scripts/base/frameworks/packet-filter/utils.bro
|
||||
build/scripts/base/bif/analyzer.bif.bro
|
||||
scripts/base/frameworks/file-analysis/__load__.bro
|
||||
scripts/base/frameworks/file-analysis/main.bro
|
||||
scripts/base/frameworks/files/__load__.bro
|
||||
scripts/base/frameworks/files/main.bro
|
||||
build/scripts/base/bif/file_analysis.bif.bro
|
||||
scripts/base/init-default.bro
|
||||
scripts/base/utils/site.bro
|
||||
scripts/base/utils/patterns.bro
|
||||
scripts/base/init-default.bro
|
||||
scripts/base/utils/addrs.bro
|
||||
scripts/base/utils/conn-ids.bro
|
||||
scripts/base/utils/directions-and-hosts.bro
|
||||
|
@ -157,8 +157,8 @@ scripts/base/init-default.bro
|
|||
scripts/base/protocols/ftp/__load__.bro
|
||||
scripts/base/protocols/ftp/utils-commands.bro
|
||||
scripts/base/protocols/ftp/main.bro
|
||||
scripts/base/protocols/ftp/file-analysis.bro
|
||||
scripts/base/protocols/ftp/file-extract.bro
|
||||
scripts/base/protocols/ftp/utils.bro
|
||||
scripts/base/protocols/ftp/files.bro
|
||||
scripts/base/protocols/ftp/gridftp.bro
|
||||
scripts/base/protocols/ssl/__load__.bro
|
||||
scripts/base/protocols/ssl/consts.bro
|
||||
|
@ -166,15 +166,13 @@ scripts/base/init-default.bro
|
|||
scripts/base/protocols/ssl/mozilla-ca-list.bro
|
||||
scripts/base/protocols/http/__load__.bro
|
||||
scripts/base/protocols/http/main.bro
|
||||
scripts/base/protocols/http/entities.bro
|
||||
scripts/base/protocols/http/utils.bro
|
||||
scripts/base/protocols/http/file-analysis.bro
|
||||
scripts/base/protocols/http/file-ident.bro
|
||||
scripts/base/protocols/http/file-hash.bro
|
||||
scripts/base/protocols/http/file-extract.bro
|
||||
scripts/base/protocols/http/files.bro
|
||||
scripts/base/protocols/irc/__load__.bro
|
||||
scripts/base/protocols/irc/main.bro
|
||||
scripts/base/protocols/irc/dcc-send.bro
|
||||
scripts/base/protocols/irc/file-analysis.bro
|
||||
scripts/base/protocols/irc/files.bro
|
||||
scripts/base/protocols/modbus/__load__.bro
|
||||
scripts/base/protocols/modbus/consts.bro
|
||||
scripts/base/protocols/modbus/main.bro
|
||||
|
@ -182,8 +180,7 @@ scripts/base/init-default.bro
|
|||
scripts/base/protocols/smtp/__load__.bro
|
||||
scripts/base/protocols/smtp/main.bro
|
||||
scripts/base/protocols/smtp/entities.bro
|
||||
scripts/base/protocols/smtp/entities-excerpt.bro
|
||||
scripts/base/protocols/smtp/file-analysis.bro
|
||||
scripts/base/protocols/smtp/files.bro
|
||||
scripts/base/protocols/socks/__load__.bro
|
||||
scripts/base/protocols/socks/consts.bro
|
||||
scripts/base/protocols/socks/main.bro
|
||||
|
@ -193,6 +190,10 @@ scripts/base/init-default.bro
|
|||
scripts/base/protocols/syslog/consts.bro
|
||||
scripts/base/protocols/syslog/main.bro
|
||||
scripts/base/protocols/tunnels/__load__.bro
|
||||
scripts/base/files/hash/__load__.bro
|
||||
scripts/base/files/hash/main.bro
|
||||
scripts/base/files/extract/__load__.bro
|
||||
scripts/base/files/extract/main.bro
|
||||
scripts/base/misc/find-checksum-offloading.bro
|
||||
scripts/policy/misc/loaded-scripts.bro
|
||||
#close 2013-07-10-21-18-31
|
||||
#close 2013-07-23-05-48-10
|
||||
|
|
|
@ -3,7 +3,8 @@ file #0, 0, 0
|
|||
FILE_BOF_BUFFER
|
||||
The Nationa
|
||||
MIME_TYPE
|
||||
text/x-pascal
|
||||
application/octet-stream
|
||||
FILE_OVER_NEW_CONNECTION
|
||||
FILE_STATE_REMOVE
|
||||
file #0, 16557, 0
|
||||
[orig_h=141.142.228.5, orig_p=50737/tcp, resp_h=141.142.192.162, resp_p=38141/tcp]
|
||||
|
|
|
@ -4,6 +4,21 @@ FILE_BOF_BUFFER
|
|||
PK^C^D^T\0\0\0^H\0\xae
|
||||
MIME_TYPE
|
||||
application/zip
|
||||
FILE_OVER_NEW_CONNECTION
|
||||
FILE_NEW
|
||||
file #1, 0, 0
|
||||
FILE_BOF_BUFFER
|
||||
\0\0^Ex\0\0^J\xf0\0\0^P
|
||||
MIME_TYPE
|
||||
application/octet-stream
|
||||
FILE_OVER_NEW_CONNECTION
|
||||
FILE_STATE_REMOVE
|
||||
file #1, 124, 0
|
||||
[orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
|
||||
source: IRC_DATA
|
||||
MD5: 35288fd50a74c7d675909ff83424d7a1
|
||||
SHA1: 8a98f177cb47e6bf771bf57c2f7e94c4b5e79ffa
|
||||
SHA256: b24dde52b933a0d76e885ab418cb6d697b14a4e2fef45fce66e12ecc5a6a81aa
|
||||
FILE_STATE_REMOVE
|
||||
file #0, 42208, 0
|
||||
[orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
|
||||
|
|
|
@ -3,9 +3,9 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path http
|
||||
#open 2013-05-21-21-11-23
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files
|
||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string]
|
||||
#open 2013-07-23-05-48-35
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types
|
||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] vector[string] vector[string] vector[string] vector[string]
|
||||
1300475168.784020 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -
|
||||
1300475168.916018 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -
|
||||
1300475168.916183 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -
|
||||
|
@ -20,4 +20,4 @@
|
|||
1300475169.014619 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -
|
||||
1300475169.014593 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -
|
||||
1300475169.014927 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -
|
||||
#close 2013-05-21-21-11-23
|
||||
#close 2013-07-23-05-48-35
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path notice
|
||||
#open 2013-04-02-02-19-21
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
|
||||
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double
|
||||
1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
|
||||
#close 2013-04-02-02-19-21
|
||||
#open 2013-07-23-05-19-25
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
|
||||
#types time string addr port addr port string string string enum enum string string addr addr port count string table[enum] interval bool string string string double double
|
||||
1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 - - - tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
|
||||
#close 2013-07-23-05-19-25
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path smtp_entities
|
||||
#open 2013-03-26-20-39-07
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth filename content_len mime_type md5 extraction_file excerpt
|
||||
#types time string addr port addr port count string count string string string string
|
||||
1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain 92bca2e6cdcde73647125da7dccbdd07 - (empty)
|
||||
1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 1918 text/html - - (empty)
|
||||
1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain a968bb0f9f9d95835b2e74c845877e87 - (empty)
|
||||
#close 2013-03-26-20-39-07
|
|
@ -1,6 +0,0 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff smtp_entities.log
|
||||
|
||||
@load base/protocols/smtp
|
||||
|
||||
redef SMTP::generate_md5=/text\/plain/;
|
|
@ -1,7 +1,7 @@
|
|||
|
||||
global test_file_analysis_source: string = "" &redef;
|
||||
|
||||
global test_file_analyzers: set[Files::AnalyzerArgs];
|
||||
global test_file_analyzers: set[Files::Tag];
|
||||
|
||||
global test_get_file_name: function(f: fa_file): string =
|
||||
function(f: fa_file): string { return ""; } &redef;
|
||||
|
@ -46,10 +46,10 @@ event file_new(f: fa_file)
|
|||
|
||||
local filename: string = test_get_file_name(f);
|
||||
if ( filename != "" )
|
||||
Files::add_analyzer(f, [$tag=Files::ANALYZER_EXTRACT,
|
||||
$extract_filename=filename]);
|
||||
Files::add_analyzer(f, [$tag=Files::ANALYZER_DATA_EVENT,
|
||||
$chunk_event=file_chunk,
|
||||
Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
|
||||
[$extract_filename=filename]);
|
||||
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
|
||||
[$chunk_event=file_chunk,
|
||||
$stream_event=file_stream]);
|
||||
}
|
||||
|
||||
|
@ -106,7 +106,7 @@ event file_state_remove(f: fa_file)
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
add test_file_analyzers[[$tag=Files::ANALYZER_MD5]];
|
||||
add test_file_analyzers[[$tag=Files::ANALYZER_SHA1]];
|
||||
add test_file_analyzers[[$tag=Files::ANALYZER_SHA256]];
|
||||
add test_file_analyzers[Files::ANALYZER_MD5];
|
||||
add test_file_analyzers[Files::ANALYZER_SHA1];
|
||||
add test_file_analyzers[Files::ANALYZER_SHA256];
|
||||
}
|
||||
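Review bot: `Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=filename]);` hands whatever `test_get_file_name` returns to the extract analyzer with no check beyond `filename != ""`; since that hook is a `&redef` point in a shared test utility, a test returning a name with path separators would have the analyzer write wherever that path resolves (relative to the test's working directory or a configured prefix — confirm against the extract analyzer). A bare-name check, e.g. `if ( filename != "" && /\// !in filename )`, would keep extraction inside the sandbox. The empty-string sentinel is also undocumented at the `global test_get_file_name` declaration in the first hunk; a comment such as `# Return "" to skip extraction; otherwise a bare file name for the extracted content.` would make the contract explicit. The body of `event file_new` begins outside this hunk.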
|
|