From 430e3ab940a95bb3638512432543d9b3a0d8f051 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 30 Jan 2025 13:28:17 -0700 Subject: [PATCH 1/2] Fix formatting of Traces/README entry for modbus-eit.trace --- testing/btest/Traces/README | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index 53b0ea4c12..3f5666f07c 100644 --- a/testing/btest/Traces/README +++ b/testing/btest/Traces/README @@ -6,8 +6,9 @@ depend on them for tests. Trace Index/Sources: -- modbus/modbus-eit.trace: Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file. - +- modbus/modbus-eit.trace: + Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. + The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file. - [ldap/simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap) - ldap/simpleauth-diff-port.pcap: made with `tcprewrite -r 3268:32681 -i simpleauth.pcap -o simpleauth-diff-port.pcap` From a5b0a9467dbe0b589f6efe61632522f4cd590d64 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 30 Jan 2025 13:28:35 -0700 Subject: [PATCH 2/2] Add note to Traces/README about possible malware in pe/pe.trace --- testing/btest/Traces/README | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index 3f5666f07c..c8185dbea6 100644 --- a/testing/btest/Traces/README +++ b/testing/btest/Traces/README 
@@ -39,3 +39,7 @@ Trace Index/Sources: - http/docker-http-upgrade.pcap Provided by blightzero on #4068 https://github.com/zeek/zeek/issues/4068 +- pe/pe.trace + VirusTotal reports that this file contains malware. The PE analyzer was originally added + to decode info for malware, so this is expected. See + https://zeekorg.slack.com/archives/CSZBXF6TH/p1738261449655049 \ No newline at end of file
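Review bot: in the first patch's hunk, the `-` line that drops the empty line after the modbus entry leaves `+  The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file.` immediately followed by the `- [ldap/simpleauth.pcap](...)` entry with no separator; if the rest of this index separates entries with blank lines, keep one here, and make sure the two continuation lines under `+- modbus/modbus-eit.trace:` are indented so the entry still reads as a single list item.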
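Review bot: in the second patch's hunk, the new `pe/pe.trace` note ends with `\ No newline at end of file`, so the README now lacks a trailing newline; add one. The reference `https://zeekorg.slack.com/archives/CSZBXF6TH/p1738261449655049` points into a Slack workspace that most readers of the repository cannot open, so the README entry itself should carry the substance of that discussion: that the trace is known to trip antivirus scanners (VirusTotal flags it), that this is expected because the PE analyzer was added to decode malware, and what a contributor should do if their scanner quarantines the file. A link to a public issue or commit would be a better durable reference than the Slack permalink.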