diff --git a/doc/frameworks/index.rst b/doc/frameworks/index.rst
index 028f95af21..4f87df3b53 100644
--- a/doc/frameworks/index.rst
+++ b/doc/frameworks/index.rst
@@ -11,6 +11,7 @@ Frameworks
 input
 intel
 logging
+ netcontrol
 notice
 signatures
 sumstats
diff --git a/doc/frameworks/input.rst b/doc/frameworks/input.rst
index aa2dce6417..01c1658d34 100644
--- a/doc/frameworks/input.rst
+++ b/doc/frameworks/input.rst
@@ -7,7 +7,7 @@ Input Framework
 .. rst-class:: opening
 
- Bro now features a flexible input framework that allows users
+ Bro features a flexible input framework that allows users to import data into Bro. Data is either read into Bro tables or converted to events which can then be handled by scripts. This document gives an overview of how to use the input framework
diff --git a/doc/frameworks/netcontrol-1-drop-with-debug.bro b/doc/frameworks/netcontrol-1-drop-with-debug.bro
new file mode 100644
index 0000000000..d4bbcde042
--- /dev/null
+++ b/doc/frameworks/netcontrol-1-drop-with-debug.bro
@@ -0,0 +1,10 @@
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ NetControl::drop_connection(c$id, 20 secs);
+ }
diff --git a/doc/frameworks/netcontrol-10-use-skeleton.bro b/doc/frameworks/netcontrol-10-use-skeleton.bro
new file mode 100644
index 0000000000..4f683dfd83
--- /dev/null
+++ b/doc/frameworks/netcontrol-10-use-skeleton.bro
@@ -0,0 +1,10 @@
+event NetControl::init()
+ {
+ local skeleton_plugin = NetControl::create_skeleton("");
+ NetControl::activate(skeleton_plugin, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ NetControl::drop_connection(c$id, 20 secs);
+ }
diff --git a/doc/frameworks/netcontrol-2-ssh-guesser.bro b/doc/frameworks/netcontrol-2-ssh-guesser.bro
new file mode 100644
index 0000000000..2b8757cdea
--- /dev/null
+++ b/doc/frameworks/netcontrol-2-ssh-guesser.bro
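Review bot: `NetControl::drop_connection(c$id, 20 secs)` in connection_established discards the rule id that the high-level functions return, so the script has no way of noticing that a rule was rejected and no block was installed (the netcontrol-4 example in this same commit treats an empty id as failure). For a tutorial this is tolerable, but `local id = NetControl::drop_connection(c$id, 20 secs);` followed by a check for `id == ""` would show readers the idiom they need in production scripts. The same pattern appears in netcontrol-10-use-skeleton.bro.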
@@ -0,0 +1,16 @@
+
+@load protocols/ssh/detect-bruteforcing
+
+redef SSH::password_guesses_limit=10;
+
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+hook Notice::policy(n: Notice::Info)
+ {
+ if ( n$note == SSH::Password_Guessing )
+ NetControl::drop_address(n$src, 60min);
+ }
diff --git a/doc/frameworks/netcontrol-3-ssh-guesser.bro b/doc/frameworks/netcontrol-3-ssh-guesser.bro
new file mode 100644
index 0000000000..6f6065350c
--- /dev/null
+++ b/doc/frameworks/netcontrol-3-ssh-guesser.bro
@@ -0,0 +1,16 @@
+
+@load protocols/ssh/detect-bruteforcing
+
+redef SSH::password_guesses_limit=10;
+
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+hook Notice::policy(n: Notice::Info)
+ {
+ if ( n$note == SSH::Password_Guessing )
+ add n$actions[Notice::ACTION_DROP];
+ }
diff --git a/doc/frameworks/netcontrol-4-drop.bro b/doc/frameworks/netcontrol-4-drop.bro
new file mode 100644
index 0000000000..b95822736d
--- /dev/null
+++ b/doc/frameworks/netcontrol-4-drop.bro
@@ -0,0 +1,26 @@
+function our_drop_connection(c: conn_id, t: interval)
+ {
+ # As a first step, create the NetControl::Entity that we want to block
+ local e = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c);
+ # Then, use the entity to create the rule to drop the entity in the forward path
+ local r = NetControl::Rule($ty=NetControl::DROP,
+ $target=NetControl::FORWARD, $entity=e, $expire=t);
+
+ # Add the rule
+ local id = NetControl::add_rule(r);
+
+ if ( id == "" )
+ print "Error while dropping";
+ }
+
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ our_drop_connection(c$id, 20 secs);
+ }
+
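Review bot: The `Notice::policy` hook dereferences `n$src` while guarding only on `n$note`; `src` is an optional field of `Notice::Info`, so a notice of this type raised without a source address would abort the hook at runtime rather than install a block. Tightening the condition to `if ( n$note == SSH::Password_Guessing && n?$src )` keeps the example robust at no cost. The `redef SSH::password_guesses_limit=10;` line would also benefit from a one-line comment explaining why the threshold is changed here (presumably so the short demo trace triggers the notice).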
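Review bot: `our_drop_connection` prints on failure but never hands back the id that `NetControl::add_rule` produced, although the accompanying text presents it as a re-implementation of `NetControl::drop_connection`, whose id is what callers later pass to `NetControl::remove_rule`. Declaring it `function our_drop_connection(c: conn_id, t: interval) : string` and ending the body with `return id;` makes the example match the function it imitates and lets callers react to an empty id instead of relying on a console message. The `print "Error while dropping";` branch should also mention that netcontrol.log records the failure, so readers know where to look when the console is not watched.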
diff --git a/doc/frameworks/netcontrol-5-hook.bro b/doc/frameworks/netcontrol-5-hook.bro
new file mode 100644
index 0000000000..dee8d5547a
--- /dev/null
+++ b/doc/frameworks/netcontrol-5-hook.bro
@@ -0,0 +1,22 @@
+hook NetControl::rule_policy(r: NetControl::Rule)
+ {
+ if ( r$ty == NetControl::DROP &&
+ r$entity$ty == NetControl::CONNECTION &&
+ r$entity$conn$orig_h in 192.168.0.0/16 )
+ {
+ print "Ignored connection from", r$entity$conn$orig_h;
+ break;
+ }
+ }
+
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ NetControl::drop_connection(c$id, 20 secs);
+ }
+
diff --git a/doc/frameworks/netcontrol-6-find.bro b/doc/frameworks/netcontrol-6-find.bro
new file mode 100644
index 0000000000..9e7677dfac
--- /dev/null
+++ b/doc/frameworks/netcontrol-6-find.bro
@@ -0,0 +1,17 @@
+event NetControl::init()
+ {
+ local netcontrol_debug = NetControl::create_debug(T);
+ NetControl::activate(netcontrol_debug, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ if ( |NetControl::find_rules_addr(c$id$orig_h)| > 0 )
+ {
+ print "Rule already exists";
+ return;
+ }
+
+ NetControl::drop_connection(c$id, 20 secs);
+ print "Rule added";
+ }
diff --git a/doc/frameworks/netcontrol-7-catch-release.bro b/doc/frameworks/netcontrol-7-catch-release.bro
new file mode 100644
index 0000000000..189a89e68d
--- /dev/null
+++ b/doc/frameworks/netcontrol-7-catch-release.bro
@@ -0,0 +1,10 @@
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ NetControl::drop_address_catch_release(c$id$orig_h);
+ }
diff --git a/doc/frameworks/netcontrol-8-multiple.bro b/doc/frameworks/netcontrol-8-multiple.bro
new file mode 100644
index 0000000000..4d134a577c
--- /dev/null
+++ b/doc/frameworks/netcontrol-8-multiple.bro
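Review bot: The `rule_policy` hook exempts only `NetControl::CONNECTION` entities, so a drop for the same 192.168.0.0/16 host issued through `NetControl::drop_address` (an `NetControl::ADDRESS` entity carrying `r$entity$ip`, as the netcontrol-8 example shows) still reaches the backends; readers who copy this as a "never block internal hosts" safeguard should be told that. A comment above the `if`, such as `# Only connection-level drops are exempted; address- and subnet-level rules for 192.168/16 are still forwarded`, would make the scope explicit. The operand order is right as written: `r$entity$conn` is only dereferenced after the entity type has been checked.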
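Review bot: `|NetControl::find_rules_addr(c$id$orig_h)| > 0` treats any rule touching the address as "already dropped", but per the framework description that function returns every rule affecting the address, including whitelist, redirect or monitor-path rules; with such a rule present the script would print "Rule already exists" and skip the drop. Inspecting the returned vector for a `NetControl::DROP` rule keeps the example correct when other rule types are in play (the exact element type is inferred from the rest of the commit — confirm against the find_rules_addr definition).

```bro
event connection_established(c: connection)
	{
	local rules = NetControl::find_rules_addr(c$id$orig_h);
	for ( i in rules )
		{
		# Only an existing drop makes a new one redundant.
		if ( rules[i]$ty == NetControl::DROP )
			{
			print "Rule already exists";
			return;
			}
		}

	# … unchanged: drop_connection call and "Rule added" message …
	}
```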
@@ -0,0 +1,29 @@
+function our_openflow_check(p: NetControl::PluginState, r: NetControl::Rule): bool
+ {
+ if ( r$ty == NetControl::DROP &&
+ r$entity$ty == NetControl::ADDRESS &&
+ subnet_width(r$entity$ip) == 32 &&
+ subnet_to_addr(r$entity$ip) in 192.168.17.0/24 )
+ return F;
+
+ return T;
+ }
+
+event NetControl::init()
+ {
+ # Add debug plugin with low priority
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+
+ # Instantiate OpenFlow debug plugin with higher priority
+ local of_controller = OpenFlow::log_new(42);
+ local netcontrol_of = NetControl::create_openflow(of_controller, [$check_pred=our_openflow_check]);
+ NetControl::activate(netcontrol_of, 10);
+ }
+
+event NetControl::init_done()
+ {
+ NetControl::drop_address(10.0.0.1, 1min);
+ NetControl::drop_address(192.168.17.2, 1min);
+ NetControl::drop_address(192.168.18.2, 1min);
+ }
diff --git a/doc/frameworks/netcontrol-9-skeleton.bro b/doc/frameworks/netcontrol-9-skeleton.bro
new file mode 100644
index 0000000000..442d74582b
--- /dev/null
+++ b/doc/frameworks/netcontrol-9-skeleton.bro
@@ -0,0 +1,39 @@
+module NetControl;
+
+export {
+ ## Instantiates the plugin.
+ global create_skeleton: function(argument: string) : PluginState;
+}
+
+function skeleton_name(p: PluginState) : string
+ {
+ return "NetControl skeleton plugin";
+ }
+
+function skeleton_add_rule_fun(p: PluginState, r: Rule) : bool
+ {
+ print "add", r;
+ event NetControl::rule_added(r, p);
+ return T;
+ }
+
+ function skeleton_remove_rule_fun(p: PluginState, r: Rule) : bool
+ {
+ print "remove", r;
+ event NetControl::rule_removed(r, p);
+ return T;
+ }
+
+global skeleton_plugin = Plugin(
+ $name = skeleton_name,
+ $can_expire = F,
+ $add_rule = skeleton_add_rule_fun,
+ $remove_rule = skeleton_remove_rule_fun
+ );
+
+function create_skeleton(argument: string) : PluginState
+ {
+ local p = PluginState($plugin=skeleton_plugin);
+
+ return p;
+ }
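Review bot: `our_openflow_check` returns F — i.e. rejects — for single-address drops inside 192.168.17.0/24 and accepts everything else, which agrees with the expected output described later in this commit (only the 192.168.17.x block reaches the debug plugin), but the prose in netcontrol.rst says the opposite ("only accept rules with a source address in the 192.168.17.0/24 network"); one of the two needs correcting, most likely the prose. A header comment on the predicate, `# Reject /32 drops in 192.168.17.0/24 so they fall through to the lower-priority debug backend`, would stop the same confusion arising from the code. Note also that the `subnet_width(r$entity$ip) == 32` test means a drop for a wider subnet that covers 192.168.17.0/24 is still accepted by the OpenFlow backend, which is worth stating next to the check.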
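Review bot: `skeleton_add_rule_fun` and `skeleton_remove_rule_fun` raise `NetControl::rule_added` / `NetControl::rule_removed` and return T unconditionally, so NetControl will record every rule as SUCCEEDED whether or not any device enforced it; since the documentation presents this skeleton as "already fully functional", a comment on both functions should say that a real plugin must raise these events only after the backend has confirmed the change and raise `NetControl::rule_error` otherwise, so that a silently failed block is not logged as a success. `create_skeleton` also ignores its `argument` parameter; the `## Instantiates the plugin.` comment should either document what it is meant for or state that it is unused. Minor style: `skeleton_remove_rule_fun` is indented one level deeper than its sibling functions.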
diff --git a/doc/frameworks/netcontrol-architecture.png b/doc/frameworks/netcontrol-architecture.png
new file mode 100644
index 0000000000..4e23c55003
Binary files /dev/null and b/doc/frameworks/netcontrol-architecture.png differ
diff --git a/doc/frameworks/netcontrol-openflow.png b/doc/frameworks/netcontrol-openflow.png
new file mode 100644
index 0000000000..1c2690fb82
Binary files /dev/null and b/doc/frameworks/netcontrol-openflow.png differ
diff --git a/doc/frameworks/netcontrol-rules.png b/doc/frameworks/netcontrol-rules.png
new file mode 100644
index 0000000000..5141c81ceb
Binary files /dev/null and b/doc/frameworks/netcontrol-rules.png differ
diff --git a/doc/frameworks/netcontrol.rst b/doc/frameworks/netcontrol.rst
new file mode 100644
index 0000000000..33f2b8af40
--- /dev/null
+++ b/doc/frameworks/netcontrol.rst
@@ -0,0 +1,633 @@ + +.. _framework-netcontrol: + +==================== +NetControl Framework +==================== + +.. rst-class:: opening + + Bro can connect with network devices like, for example, switches + or soft- and hardware- firewalls using the NetControl framework. The + NetControl framework provides a flexible, unified interface for active + response and hides the complexity of heterogeneous network equipment + behind a simple task-oriented API, which is easily usable via Bro + scripts. This document gives an overview of how to use the NetControl + framework in different scenarios; to get a better understanding of how + it can be used in practice, it might be worthwhile to take a look at + the unit tests. + +.. contents:: + +NetControl Architecture +======================= + +.. figure:: netcontrol-architecture.png + :width: 600 + :align: center + :alt: NetControl framework architecture + :target: ../_images/netcontrol-architecture.png + + NetControl architecture (click to enlarge). + +The basic architecture of the NetControl framework is shown in the figure above. +Conceptually, the NetControl framework sits inbetween the user provided scripts +(which use the Bro event engine) and the network device (which can either be a +hardware or software device), that is used to implement the commands. + +The NetControl framework supports a number of high-level calls, like the +:bro:see:`NetControl::drop_address` function, or lower a lower level rule +syntax. After a rule has been added to the NetControl framework, NetControl +sends the rule to one or several of its *backends*. Each backend is responsible +to communicate with a single hard- or software device. The NetControl framework +tracks rules throughout their entire lifecycle and reports the status (like +success, failure and timeouts) back to the user scripts. 
+ +The backends are implemented as Bro scripts using a plugin based API; an example +for this is :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.bro`. This +document will show how to write plugins in +:ref:`framework-netcontrol-plugins`. + +NetControl API +============== + +High-level NetControl API +------------------------- + +In this section, we will introduce the high level netcontrol API. As mentioned +above, NetControl uses *backends* to communicate with the external devices that +will implement the rules. You will need at least one active backend, before you +can use NetControl. For our examples, we will just use the debug plugin to +create a backend. This plugin outputs all actions that are taken to the standard +output. + +Backends should be initialized in the :bro:see:`NetControl::init` event, calling +the :bro:see:`NetControl::activate` function after the plugin instance has been +initialized. The debug plugin can be initialized as follows: + +.. code:: bro + + event NetControl::init() + { + local debug_plugin = NetControl::create_debug(T); + NetControl::activate(debug_plugin, 0); + } + +After at least one backend has been added to the NetControl framework, the +framework can be used and will send added rules to the added backend. + +The NetControl framework contains several high level functions that allow users +to drop connections of certain addresses and networks, shunt network traffic, +etc. The following table shows and describes all of the currently available +high-level functions. + +.. list-table:: + :widths: 32 40 + :header-rows: 1 + + * - Function + - Description + + * - :bro:see:`NetControl::drop_address` + - Calling this function causes NetControl to block all packets involving + an IP address from being forwarded + + * - :bro:see:`NetControl::drop_connection` + - Calling this function stops all packets of a specific connection + (identified by its 5-tuple) from being forwarded. 
+ + * - :bro:see:`NetControl::drop_address` + - Calling this function causes NetControl to block all packets involving + an IP address from being forwarded + + * - :bro:see:`NetControl::drop_address_catch_release` + - Calling this function causes all packets of a specific source IP to be + blocked. This function uses catch-and-release functionality and the IP + address is only dropped for a short amount of time to conserve rule + space in the network hardware. It is immediately re-dropped when it is + seen again in traffic. See :ref:`framework-netcontrol-catchrelease` for + more information. + + * - :bro:see:`NetControl::shunt_flow` + - Calling this function causes NetControl to stop forwarding a + uni-directional flow of packets to Bro. This allows Bro to conserve + resources by shunting flows that have been identified as being benign. + + * - :bro:see:`NetControl::redirect_flow` + - Calling this function causes NetControl to redirect an uni-directional + flow to another port of the networking hardware. + + * - :bro:see:`NetControl::quarantine_host` + - Calling this function allows Bro to quarantine a host by sending DNS + traffic to a host with a special DNS server, which resolves all queries + as pointing to itself. The quarantined host is only allowed between the + special server, which will serve a warning message detailing the next + steps for the user + + * - :bro:see:`NetControl::whitelist_address` + - Calling this function causes NetControl to push a whitelist entry for an + IP address to the networking hardware. + + * - :bro:see:`NetControl::whitelist_subnet` + - Calling this function causes NetControl to push a whitelist entry for a + subnet to the networking hardware. + +After adding a backend, all of these functions can immediately be used and will +start sending the rules to the added backend(s). To give a very simple example, +the following script will simply block the traffic of all connections that it +sees being established: + +.. 
btest-include:: ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro + +Running this script on a file containing one connection will cause the debug +plugin to print one line to the standard output, which contains information +about the rule that was added. It will also cause creation of `netcontrol.log`, +which contains information about all actions that are taken by NetControl: + +.. btest:: netcontrol-1-drop-with-debug.bro + + @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro + @TEST-EXEC: btest-rst-cmd cat netcontrol.log + +In our case, `netcontrol.log` contains several :bro:see:`NetControl::MESSAGE` +entries, which show that the debug plugin has been initialized and added. +Afterwards, there are two :bro:see:`NetControl::RULE` entries; the first shows +that the addition of a rule has been requested (state is +:bro:see:`NetControl::REQUESTED`). The following line shows that the rule was +successfully added (the state is :bro:see:`NetControl::SUCCEEDED`). The +remainder of the log line gives more information about the added rule, which in +our case applies to a specific 5-tuple. + +In addition to the netcontrol.log, the drop commands also create a second, +additional log called `netcontrol_drop.log`. This log file is much more succinct and +only contains information that is specific to drops that are enacted by +NetControl: + +.. btest:: netcontrol-1-drop-with-debug.bro + + @TEST-EXEC: btest-rst-cmd cat netcontrol_drop.log + +While this example of blocking all connections is usually not very useful, the +high-level API gives an easy way to take action, for example when a host is +identified doing some harmful activity. To give a more realistic example, the +following code automatically blocks a recognized SSH guesser: + +.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro + +.. 
btest:: netcontrol-2-ssh-guesser.bro + + @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro + @TEST-EXEC: btest-rst-cmd cat netcontrol.log + +Note that in this case, instead of calling NetControl directly, we also can use +the :bro:see:`Notice::ACTION_DROP` action of the notice framework: + +.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro + +.. btest:: netcontrol-3-ssh-guesser.bro + + @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro + @TEST-EXEC: btest-rst-cmd cat netcontrol.log + +Using the :bro:see:`Notice::ACTION_DROP` action of the notice framework also +will cause the `dropped` column in `notice.log` to be set to true each time that +the NetControl framework enacts a block: + +.. btest:: netcontrol-3-ssh-guesser.bro + + @TEST-EXEC: btest-rst-cmd cat notice.log + +Rule API +-------- + +As already mentioned in the last section, in addition to the high-level API, the +NetControl framework also supports a Rule based API which allows greater +flexibility while adding rules. Actually, all the high-level functions are +implemented using this lower-level rule API; the high-level functions simply +convert their arguments into the lower-level rules and then add the rules +directly to the NetControl framework (by calling :bro:see:`NetControl::add_rule`). + +The following figure shows the main components of NetControl rules: + +.. figure:: netcontrol-rules.png + :width: 600 + :align: center + :alt: NetControl rule overview + :target: ../_images/netcontrol-rules.png + + NetControl Rule overview (click to enlarge). + +The types that are used to make up a rule are defined in +:doc:`/scripts/base/frameworks/netcontrol/types.bro`. + +Rules are defined as a :bro:see:`NetControl::Rule` record. Rules have a *type*, +which specifies what kind of action is taken. 
The possible actions are to +**drop** packets, to **modify** them, to **redirect** or to **whitelist** them. +The *target* of a rule specifies if the rule is applied in the *forward path*, +and affects packets as they are forwarded through the network, or if it affects +the *monitor path* and only affects the packets that are sent to Bro, but not +the packets that traverse the network. The *entity* specifies the address, +connection, etc. that the rule applies to. In addition, each notice has a +*timeout* (which can be left empty), a *priority* (with higher priority rules +overriding lower priority rules). Furthermore, a *location* string with more +text information about each rule can be provided. + +There are a couple more fields that only needed for some rule types. For +example, when you insert a redirect rule, you have to specify the port that +packets should be redirected too. All these fields are shown in the +:bro:see:`NetControl::Rule` documentation. + +To give an example on how to construct your own rule, we are going to write +our own version of the :bro:see:`NetControl::drop_connection` function. The only +difference between our function and the one provided by NetControl is the fact +that the NetControl function has additional functionality, e.g. for logging. + +Once again, we are going to test our function with a simple example that simply +drops all connections on the Network: + +.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro + +.. btest:: netcontrol-4-drop.bro + + @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro + @TEST-EXEC: btest-rst-cmd cat netcontrol.log + +The last example shows that :bro:see:`NetControl::add_rule` returns a string +identifier that is unique for each rule (uniqueness is not preserved across +restarts or Bro). This rule id can be used to later remove rules manually using +:bro:see:`NetControl::remove_rule`. 
+ +Similar to :bro:see:`NetControl::add_rule`, all the high-level functions also +return their rule IDs, which can be removed in the same way. + +Interacting with Rules +---------------------- + +The NetControl framework offers a number of different ways to interact with +Rules. Before a rule is applied by the framework, a number of different hooks +allow you to either modify or discard rules before they are added. Furthermore, +a number of events can be used to track the lifecycle of a rule while it is +being managed by the NetControl framework. It is also possible to query and +access the current set of active rules. + +Rule Policy +*********** + +The hook :bro:see:`NetControl::rule_policy` provides the mechanism for modifying +or discarding a rule before it is sent onwards to the backends. Hooks can be +thought of as multi-bodied functions and using them looks very similar to +handling events. In difference to events, they are processed immediately. Like +events, hooks can have priorities to sort the order in which they are applied. +Hooks can use the ``break`` keyword to show that processing should be aborted; +if any :bro:see:`NetControl::rule_policy` hook uses ``break``, the rule will be +discarded before further processing. + +Here is a simple example which tells Bro to discard all rules for connections +originating from the 192.168.* network: + +.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-5-hook.bro + +.. btest:: netcontrol-5-hook.bro + + @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-5-hook.bro + +NetControl Events +***************** + +In addition to the hooks, the NetControl framework offers a variety of events +that are raised by the framework to allow users to track rules, as well as the +state of the framework. + +We already encountered and used one event of the NetControl framework, +:bro:see:`NetControl::init`, which is used to initialize the framework. 
After +the framework has finished initialization and will start accepting rules, the +:bro:see:`NetControl::init_done` event will be raised. + +When rules are added to the framework, the following events will be called in +this order: + +.. list-table:: + :widths: 20 80 + :header-rows: 1 + + * - Event + - Description + + * - :bro:see:`NetControl::rule_new` + - Signals that a new rule is created by the NetControl framework due to + :bro:see:`NetControl::add_rule`. At this point of time, the rule has not + yet been added to any backend. + + * - :bro:see:`NetControl::rule_added` + - Signals that a new rule has successfully been added by a backend. + + * - :bro:see:`NetControl::rule_exists` + - This event is raised instead of :bro:see:`NetControl::rule_added` when a + backend reports that a rule was already existing. + + * - :bro:see:`NetControl::rule_timeout` + - Signals that a rule timeout was reached. If the hardware does not support + automatic timeouts, the NetControl framework will automatically call + bro:see:`NetControl::remove_rule`. + + * - :bro:see:`NetControl::rule_removed` + - Signals that a new rule has successfully been removed a backend. + + * - :bro:see:`NetControl::rule_destroyed` + - This event is the pendant to :bro:see:`NetControl::rule_added`, and + reports that a rule is no longer be tracked by the NetControl framework. + This happens, for example, when a rule was removed from all backend. + + * - :bro:see:`NetControl::rule_error` + - This event is raised whenever an error occurs during any rule operation. + +Finding active rules +******************** + +The NetControl framework provides two functions for finding currently active +rules: :bro:see:`NetControl::find_rules_addr` finds all rules that affect a +certain IP address and :bro:see:`NetControl::find_rules_subnet` finds all rules +that affect a specified subnet. 
+ +Consider, for example, the case where a Bro instance monitors the traffic at the +border, before any firewall or switch rules were applied. In this case, Bro will +still be able to see connection attempts of already blocked IP addresses. In this +case, :bro:see:`NetControl::find_rules_addr` could be used to check if an +address already was blocked in the past. + +Here is a simple example, which uses a trace that contains two connections from +the same IP address. After the first connection, the script recognizes that the +address is already blocked in the second connection. + +.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-6-find.bro + +.. btest:: netcontrol-6-find.bro + + @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/google-duplicate.trace ${DOC_ROOT}/frameworks/netcontrol-6-find.bro + +Notice that the functions return vectors because it is possible that several +rules exist simultaneously that affect one IP; either there could be +rules with different priorities, or rules for the subnet that an IP address is +part of. + + + +.. _framework-netcontrol-catchrelease: + +Catch and Release +----------------- + +We already mentioned earlier, that in addition to the +:bro:see:`NetControl::drop_connection` and :bro:see:`NetControl::drop_address` +functions, which drop a connection or address for a specified amount of time, +NetControl also comes with a blocking function that uses an approach called +*catch and release*. + +Catch and release is a blocking scheme that conserves valuable rule space in +your hardware. Instead of using long-lasting blocks, catch and release first +only installs blocks for short amount of times (typically a few minutes). After +these minutes pass, the block is lifted, but the IP address is added to a +watchlist and the IP address will immediately be re-blocked again (for a longer +amount of time), if it is seen reappearing in any traffic, no matter if the new +traffic triggers any alert or not. 
+ +This makes catch and release blocks similar to normal, longer duration blocks, +while only requiring a small amount of space for the currently active rules. IP +addresses that only are seen once for a short time are only blocked for a few +minutes, monitored for a while and then forgotten. IP addresses that keep +appearing will get re-blocked for longer amounts of time. + +In difference to the other high-level functions that we documented so far, the +catch and release functionality is much more complex and adds a number of +different specialized functions to NetControl. The documentation for catch and +release is contained in the file +:doc:`/scripts/base/frameworks/netcontrol/catch-and-release.bro`. + +Using catch and release in your scripts is easy; just use +:bro:see:`NetControl::drop_address_catch_release` like in this example: + +.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-7-catch-release.bro + +.. btest:: netcontrol-7-catch-release.bro + + @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-7-catch-release.bro + +Note that you do not have to provide the block time for catch and release; +instead, catch and release uses the time intervals specified in +:bro:see:`NetControl::catch_release_intervals` (by default 10 minutes, 1 hour, +24 hours, 7 days). That means when an address is first blocked, it is blocked +for 10 minutes and monitored for 1 hour. If the address reappears after the +first 10 minutes, it is blocked for 1 hour and then monitored for 24 hours, etc. + +Catch and release adds its own new logfile in addition to the already existing +ones (netcontrol_catch_release.log): + +.. 
btest:: netcontrol-7-catch-release.bro + + @TEST-EXEC: btest-rst-cmd cat netcontrol_catch_release.log + +In addition to the blocking function, catch and release comes with the +:bro:see:`NetControl::get_catch_release_info` function to +check if an address is already blocked by catch and release (and get information +about the block). The :bro:see:`NetControl::unblock_address_catch_release` +function can be used to unblock addresses from catch and release. + +.. note:: + + Since catch and release does its own connection tracking in addition to the + tracking used by the NetControl framework, it is not sufficient to remove + rules that were added by catch and release using :bro:see:`NetControl::remove_rule`. + You have to use :bro:see:`NetControl::unblock_address_catch_release` in this + case. + +.. _framework-netcontrol-plugins: + +NetControl Plugins +================== + +Using the existing plugins +-------------------------- + +In the API part of the documentation, we exclusively used the debug plugin, +which simply outputs its actions to the screen. In addition to this debugging +plugin, Bro ships with a small number of plugins that can be used to interface +the NetControl framework with your networking hard- and software. + +The plugins that currently ship with NetControl are: + +.. list-table:: + :widths: 15 55 + :header-rows: 1 + + * - Plugin name + - Description + + * - OpenFlow plugin + - This is the most fully featured plugin which allows the NetControl + framework to be interfaced with OpenFlow switches. The source of this + plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.bro`. + + * - Broker plugin + - This plugin provides a generic way to send NetControl commands using the + new Bro communication library (Broker). External programs can receive + the rules and take action; we provide an example script that calls + command-line programs triggered by NetControl. 
The source of this + plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.bro`. + + * - acld plugin + - This plugin adds support for the acld daemon, which can interface with + several switches and routers. The current version of acld is available + from the `LBL ftp server `_. The source of this + plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.bro`. + + * - PacketFilter plugin + - This plugin adds uses the Bro process-level packet filter (see + :bro:see:`install_src_net_filter` and + :bro:see:`install_dst_net_filter`). Since the functionality of the + PacketFilter is limited, this plugin is mostly for demonstration purposes. The source of this + plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/packetfilter.bro`. + + * - Debug plugin + - The debug plugin simply outputs its action to the standard output. The source of this + plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/debug.bro`. + +Activating plugins +****************** + +In the API reference part of this document, we already used the debug plugin. To +use the plugin, we first had to instantiate it by calling +:bro:see:`NetControl::NetControl::create_debug` and then add it to NetControl by +calling :bro:see:`NetControl::activate`. + +As we already hinted before, NetControl supports having several plugins that are +active at the same time. The second argument to the `NetControl::activate` +function is the priority of the backend that was just added. Each rule is sent +to all plugins in order, from highest priority to lowest priority. The backend +can then choose if it accepts the rule and pushes it out to the hardware that it +manages. Or, it can opt to reject the rule. In this case, the NetControl +framework will try to apply the rule to the backend with the next lower +priority. If no backend accepts a rule, the rule insertion is marked as failed. 
+ +The choice if a rule is accepted or rejected stays completely with each plugin. +The debug plugin we used so far just accepts all rules. However, for other +plugins you can specify what rules they will accept. Consider, for example, a +network with two OpenFlow switches. The first switch forwards packets from the +network to the external world, the second switch sits in front of your Bro +cluster to provide packet shunting. In this case, you can add two OpenFlow +backends to NetControl. When you create the instances using +:bro:see:`NetControl::create_openflow`, you set the `monitor` and `forward` +attributes of the configuration in :bro:see:`NetControl::OfConfig` +appropriately. Afterwards, one of the backends will only accept rules for the +monitor path; the other backend will only accept rules for the forward path. + +Commonly, plugins also support predicate functions, that allow the user to +specify restrictions on the rules that they will accept. This can for example be +used if you have a network where certain switches are responsible for specified +subnets. The predicate can examine the subnet of the rule and only accept the +rule if the rule matches the subnet that the specific switch is responsible for. + +To give an example, the following script adds two backends to NetControl. One +backend is the NetControl debug backend, which just outputs the rules to the +console. The second backend is an OpenFlow backend, which uses the OpenFlow +debug mode that outputs the openflow rules to openflow.log. The OpenFlow +backend uses a predicate function to only accept rules with a source address in +the 192.168.17.0/24 network; all other rules will be passed on to the debug +plugin. We manually block a few addresses in the +:bro:see:`NetControl::init_done` event to verify the correct functionality. + +.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-8-multiple.bro + +.. 
btest:: netcontrol-8-multiple.bro + + @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/frameworks/netcontrol-8-multiple.bro + +As you can see, only the single block affecting the 192.168.17.0/24 network is +output to the command line. The other two lines are handled by the OpenFlow +plugin. We can verify this by looking at netcontrol.log. The plugin column shows +which plugin handled a rule and reveals that two rules were handled by OpenFlow: + +.. btest:: netcontrol-8-multiple.bro + + @TEST-EXEC: btest-rst-cmd cat netcontrol.log + +Furthermore, openflow.log also shows the two added rules, converted to OpenFlow +flow mods: + +.. btest:: netcontrol-8-multiple.bro + + @TEST-EXEC: btest-rst-cmd cat openflow.log + +.. note:: + + You might have asked yourself what happens when you add two or more with the + same priority. In this case, the rule is sent to all the backends + simultaneously. This can be useful, for example when you have redundant + switches that should keep the same rule state. + +Interfacing with external hardware +********************************** + +Now that we know which plugins exist, and how they can be added to NetControl, +it is time to discuss how we can interface Bro with actual hardware. The typical +way to accomplish this is to use the Bro communication library (Broker), which +can be used to exchange Bro events with external programs and scripts. The +NetControl plugins can use Broker to send events to external programs, which can +then take action depending on these events. + +The following figure shows this architecture with the example of the OpenFlow +plugin. The OpenFlow plugin uses Broker to send events to an external python +script, which uses the `Ryu SDN controller `_ to +communicate with the Switch. + +.. figure:: netcontrol-openflow.png + :width: 600 + :align: center + :alt: NetControl and OpenFlow architecture. + :target: ../_images/netcontrol-openflow.png + + NetControl and OpenFlow architecture (click to enlarge). 
+ +The python scripts that are used to interface with the available NetControl +plugins are contained in the `bro-netcontrol` repository (`github link `_). +The repository contains scripts for the OpenFlow as well as the acld plugin. +Furthermore, it contains a script for the broker plugin which can be used to +call configureable command-line programs when used with the broker plugin. + +The repository also contains documentation on how to install these connectors. +The `netcontrol` directory contains an API that allows you to write your own +connectors to the broker plugin. + +.. note:: + + Note that the API of the Broker communication library is not finalized yet. + You might have to rewrite any scripts for use in future Bro versions. + +Writing plugins +--------------- + +In addition to using the plugins that are part of NetControl, you can write your +own plugins to interface with hard- or software that we currently do not support +out of the Box. + +Creating your own plugin is easy; besides a bit of boilerplate, you only need to +create two functions: one that is called when a rule is added, and one that is +called when a rule is removed. The following script creates a minimal plugin +that just outputs a rule when it is added or removed. Note that you have to +raise the :bro:see:`NetControl::rule_added` and +:bro:see:`NetControl::rule_removed` events in your plugin to let NetControl know +when a rule was added and removed successfully. + +.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro + +This example is already fully functional and we can use it with a script similar +to our very first example: + +.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro + +.. 
btest:: netcontrol-9-skeleton.bro + + @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro + +If you want to write your own plugins, it will be worthwhile to look at the +plugins that ship with the NetControl framework to see how they define the +predicates and interact with Broker. diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst index 3c1720afd1..f7a4682f3a 100644 --- a/doc/script-reference/log-files.rst +++ b/doc/script-reference/log-files.rst 
@@ -71,6 +71,23 @@ Files | x509.log | X.509 certificate info | :bro:type:`X509::Info` | +----------------------------+---------------------------------------+---------------------------------+ +NetControl +---------- + ++------------------------------+---------------------------------------+------------------------------------------+ +| Log File | Description | Field Descriptions | ++==============================+=======================================+==========================================+ +| netcontrol.log | NetControl actions | :bro:type:`NetControl::Info` | ++------------------------------+---------------------------------------+------------------------------------------+ +| netcontrol_drop.log | NetControl actions | :bro:type:`NetControl::DropInfo` | ++------------------------------+---------------------------------------+------------------------------------------+ +| netcontrol_shunt.log | NetControl shunt actions | :bro:type:`NetControl::ShuntInfo` | ++------------------------------+---------------------------------------+------------------------------------------+ +| netcontrol_catch_release.log | NetControl catch and release actions | :bro:type:`NetControl::CatchReleaseInfo` | ++------------------------------+---------------------------------------+------------------------------------------+ +| openflow.log | OpenFlow debug log | :bro:type:`OpenFlow::Info` | ++------------------------------+---------------------------------------+------------------------------------------+ + Detection --------- diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.bro index 8b3c389b6c..e9c1100887 100644 --- a/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro @@ -2,6 +2,7 @@ module NetControl; +@load base/frameworks/cluster @load ./main @load ./drop 
@@ -9,45 +10,67 @@ export { redef enum Log::ID += { CATCH_RELEASE }; - # The record that is used for storing information about current blocks that are - # part of catch and release. + ## Thhis record is used is used for storing information about current blocks that are + ## part of catch and release. type BlockInfo: record { - # Absolute time indicating until when a block is inserted using NetControl + ## Absolute time indicating until when a block is inserted using NetControl block_until: time &optional; - # Absolute time indicating until when an IP address is watched to reblock it + ## Absolute time indicating until when an IP address is watched to reblock it watch_until: time; - # Number of times an IP address was reblocked + ## Number of times an IP address was reblocked num_reblocked: count &default=0; - # Number indicating at which catch and release interval we currently are + ## Number indicating at which catch and release interval we currently are current_interval: count; - # ID of the inserted block, if any. + ## ID of the inserted block, if any. current_block_id: string; - # User specified string + ## User specified string location: string &optional; }; + ## The enum that contains the different kinds of messages that are logged by + ## catch and release type CatchReleaseActions: enum { + ## Log lines marked with info are purely informational; no action was taken INFO, + ## A rule for the specified IP address already existed in NetControl (outside + ## of catch-and-release). Catch and release did not add a new rule, but is now + ## watching the IP address and will add a new rule after the current rule expired. 
ADDED, + ## A drop was requested by catch and release DROP, + ## A address was succesfully blocked by catch and release DROPPED, + ## An address was unblocked after the timeout expired UNBLOCK, - RESTORED, + ## An address was forgotten because it did not reappear within the `watch_until` interval FORGOTTEN, + ## A watched IP address was seen again; catch and release will re-block it. SEEN_AGAIN }; + ## The record type that is used for representing and logging type CatchReleaseInfo: record { + ## The absolute time indicating when the action for this log-line occured. ts: time &log; + ## The rule id that this log lone refers to. rule_id: string &log &optional; + ## The IP address that this line refers to. ip: addr &log; + ## The action that was taken in this log-line. action: CatchReleaseActions &log; + ## The current block_interaval (for how long the address is blocked). block_interval: interval &log &optional; + ## The current watch_interval (for how long the address will be watched and re-block if it reappears). watch_interval: interval &log &optional; + ## The absolute time until which the address is blocked. blocked_until: time &log &optional; + ## The absolute time until which the address will be monitored. watched_until: time &log &optional; + ## Number of times that this address was blocked in the current cycle. num_blocked: count &log &optional; + ## The user specified location string. location: string &log &optional; + ## Additional informational string by the catch and release framework about this log-line. message: string &log &optional; }; diff --git a/scripts/base/frameworks/netcontrol/main.bro b/scripts/base/frameworks/netcontrol/main.bro index cc2998aa82..9f91aa405b 100644 --- a/scripts/base/frameworks/netcontrol/main.bro +++ b/scripts/base/frameworks/netcontrol/main.bro 
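Review bot: Several of the comments this hunk promotes from `#` to `##` carry typos that will now be rendered into the generated script reference: `## Thhis record is used is used for storing information about current blocks that are` should read `## This record is used for storing information about current blocks that are`, `## A address was succesfully blocked by catch and release` should be `## An address was successfully blocked by catch and release`, and `log lone`, `block_interaval` and `occured` in the CatchReleaseInfo field comments should be `log line`, `block_interval` and `occurred`. The CatchReleaseInfo header `## The record type that is used for representing and logging` stops before saying what is logged; presumably `## The record type that is used for representing and logging catch and release actions.` Separately, dropping the exported `RESTORED` value from CatchReleaseActions is a script-visible API change — any external script that compares against `NetControl::RESTORED` will stop loading — so it deserves a changelog entry if this commit does not already carry one. The enclosing `export` block starts before this hunk and continues after it.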
@@ -81,9 +81,11 @@ export { ## Returns: The id of the inserted rule on succes and zero on failure. global redirect_flow: function(f: flow_id, out_port: count, t: interval, location: string &default="") : string; - ## Quarantines a host by redirecting rewriting DNS queries to the network dns server dns - ## to the host. Host has to answer to all queries with its own address. Only http communication - ## from infected to quarantinehost is allowed. + ## Quarantines a host. This requires a special quarantine server, which runs a HTTP server explaining + ## the quarantine and a DNS server which resolves all requests to the quarantine server. DNS queries + ## from the host to the network dns server will be rewritten and will be sent to the quarantine server + ## instead. Only http communication infected to quarantinehost is allowed. All other network communication + ## is blocked. ## ## infected: the host to quarantine ## @@ -96,7 +98,7 @@ export { ## Returns: Vector of inserted rules on success, empty list on failure. global quarantine_host: function(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string; - ## Flushes all state. + ## Flushes all state by calling :bro:see:`NetControl::remove_rule` on all currently active rules. global clear: function(); # ### @@ -120,7 +122,7 @@ export { ## Removes a rule. ## - ## id: The rule to remove, specified as the ID returned by :bro:id:`NetControl::add_rule`. + ## id: The rule to remove, specified as the ID returned by :bro:see:`NetControl::add_rule`. ## ## Returns: True if succesful, the relevant plugin indicated that it knew ## how to handle the removal. Note that again "success" means the 
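Review bot: The rewritten `quarantine_host` description in the first hunk drops a preposition, so `## instead. Only http communication infected to quarantinehost is allowed. All other network communication` reads as if "infected" were an adverb; it should be `## instead. Only HTTP communication from the infected host to the quarantine host is allowed. All other network communication`. In the same paragraph `which runs a HTTP server` should be `which runs an HTTP server`. The third hunk (`@@ -120`) correctly switches the cross-reference to `:bro:see:`NetControl::add_rule``; the same namespace-qualified form should be used wherever `add_rule` is referenced in this file, which the later `@@ -134` hunk does not do. All three hunks sit inside the `export` block whose start and end lie outside them.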
@@ -134,10 +136,10 @@ export { ## the rule has been added; if it is not removed from them by a separate mechanism, ## it will stay installed and not be removed later. ## - ## id: The rule to delete, specified as the ID returned by :bro:id:`add_rule` . + ## id: The rule to delete, specified as the ID returned by :bro:see:`add_rule` . ## ## Returns: True if removal is successful, or sent to manager. - ## False if the rule could not be found. + ## False if the rule could not be found. global delete_rule: function(id: string) : bool; ## Searches all rules affecting a certain IP address. @@ -152,6 +154,14 @@ export { global find_rules_addr: function(ip: addr) : vector of Rule; ## Searches all rules affecting a certain subnet. + ## + ## A rule affects a subnet, if it covers the whole subnet. Note especially that + ## this function will not reveal all rules that are covered by a subnet. + ## + ## For example, a search for 192.168.17.0/8 will reveal a rule that exists for + ## 192.168.0.0/16, since this rule affects the subnet. However, it will not reveal + ## a more specific rule for 192.168.17.1/32, which does not directy affect the whole + ## subnet. ## ## This function works on both the manager and workers of a cluster. Note that on ## the worker, the internal rule variables (starting with _) will not reflect the 
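Review bot: The new `find_rules_subnet` example in the second hunk uses `192.168.17.0/8`, which is not a canonical prefix (the /8 of that address is 192.0.0.0/8) and is not covered by a 192.168.0.0/16 rule, so the example contradicts the rule it is meant to illustrate; it should be `## For example, a search for 192.168.17.0/24 will reveal a rule that exists for`, which a /16 rule does cover. In the same paragraph `which does not directy affect the whole` should be `which does not directly affect the whole`. In the first hunk the reference is changed to `:bro:see:` but left unqualified as `` :bro:see:`add_rule` . `` (with a stray space before the period), whereas the neighbouring `@@ -120` hunk uses `` :bro:see:`NetControl::add_rule` ``; the qualified form is more likely to resolve and keeps the file consistent. Both hunks are inside the `export` block, which begins and ends outside them.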
@@ -263,14 +273,14 @@ export { RULE }; - ## State of an entry in the NetControl log. + ## State of an entry in the NetControl log. type InfoState: enum { - REQUESTED, - SUCCEEDED, - EXISTS, - FAILED, - REMOVED, - TIMEOUT, + REQUESTED, ##< The request to add/remove a rule was sent to the respective backend + SUCCEEDED, ##< A rule was succesfully added by a backend + EXISTS, ##< A backend reported that a rule was already existing + FAILED, ##< A rule addition failed + REMOVED, ##< A rule was succesfully removed by a backend + TIMEOUT, ##< A rule timeout was triggered by the NetControl framework or a backend }; ## The record type defining the column fields of the NetControl log. @@ -313,13 +323,13 @@ export { } redef record Rule += { - ##< Internally set to the plugins handling the rule. + ## Internally set to the plugins handling the rule. _plugin_ids: set[count] &default=count_set(); - ##< Internally set to the plugins on which the rule is currently active. + ## Internally set to the plugins on which the rule is currently active. _active_plugin_ids: set[count] &default=count_set(); - ##< Internally set to plugins where the rule should not be removed upon timeout. + ## Internally set to plugins where the rule should not be removed upon timeout. _no_expire_plugins: set[count] &default=count_set(); - ##< Track if the rule was added succesfully by all responsible plugins. + ## Track if the rule was added succesfully by all responsible plugins. _added: bool &default=F; }; diff --git a/scripts/base/frameworks/netcontrol/plugin.bro b/scripts/base/frameworks/netcontrol/plugin.bro index 7d0ee13a81..9acb611893 100644 --- a/scripts/base/frameworks/netcontrol/plugin.bro +++ b/scripts/base/frameworks/netcontrol/plugin.bro 
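Review bot: The new `##<` comments on InfoState and the `_added` field repeat the same misspelling, so it now appears three times in the rendered reference: `SUCCEEDED, ##< A rule was succesfully added by a backend`, `REMOVED, ##< A rule was succesfully removed by a backend` and `## Track if the rule was added succesfully by all responsible plugins.` should use `successfully`. The InfoState comments also end without a period while the other enum docs in this file do, which is worth aligning while the lines are being touched. Both hunks are inside the `export` block, whose start and end are outside them.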
@@ -1,11 +1,13 @@ -##! Plugin interface for NetControl backends. +##! This file defines the plugin interface for NetControl. module NetControl; @load ./types export { - ## State for a plugin instance. + ## This record keeps the per instance state of a plugin. + ## + ## Individual plugins commonly extend this record to suit their needs. type PluginState: record { ## Table for a plugin to store custom, instance-specfific state. config: table[string] of string &default=table(); 
@@ -20,69 +22,69 @@ export { _activated: bool &default=F; }; - # Definition of a plugin. - # - # Generally a plugin needs to implement only what it can support. By - # returning failure, it indicates that it can't support something and the - # the framework will then try another plugin, if available; or inform the - # that the operation failed. If a function isn't implemented by a plugin, - # that's considered an implicit failure to support the operation. - # - # If plugin accepts a rule operation, it *must* generate one of the reporting - # events ``rule_{added,remove,error}`` to signal if it indeed worked out; - # this is separate from accepting the operation because often a plugin - # will only know later (i.e., asynchrously) if that was an error for - # something it thought it could handle. + ## Definition of a plugin. + ## + ## Generally a plugin needs to implement only what it can support. By + ## returning failure, it indicates that it can't support something and the + ## the framework will then try another plugin, if available; or inform the + ## that the operation failed. If a function isn't implemented by a plugin, + ## that's considered an implicit failure to support the operation. + ## + ## If plugin accepts a rule operation, it *must* generate one of the reporting + ## events ``rule_{added,remove,error}`` to signal if it indeed worked out; + ## this is separate from accepting the operation because often a plugin + ## will only know later (i.e., asynchrously) if that was an error for + ## something it thought it could handle. type Plugin: record { - # Returns a descriptive name of the plugin instance, suitable for use in logging - # messages. Note that this function is not optional. + ## Returns a descriptive name of the plugin instance, suitable for use in logging + ## messages. Note that this function is not optional. name: function(state: PluginState) : string; - ## If true, plugin can expire rules itself. 
If false, + ## If true, plugin can expire rules itself. If false, the NetControl ## framework will manage rule expiration. can_expire: bool; - # One-time initialization function called when plugin gets registered, and - # before any other methods are called. - # - # If this function is provided, NetControl assumes that the plugin has to - # perform, potentially lengthy, initialization before the plugin will become - # active. In this case, the plugin has to call ``NetControl::plugin_activated``, - # once initialization finishes. + ## One-time initialization function called when plugin gets registered, and + ## before any other methods are called. + ## + ## If this function is provided, NetControl assumes that the plugin has to + ## perform, potentially lengthy, initialization before the plugin will become + ## active. In this case, the plugin has to call ``NetControl::plugin_activated``, + ## once initialization finishes. init: function(state: PluginState) &optional; - # One-time finalization function called when a plugin is shutdown; no further - # functions will be called afterwords. + ## One-time finalization function called when a plugin is shutdown; no further + ## functions will be called afterwords. done: function(state: PluginState) &optional; - # Implements the add_rule() operation. If the plugin accepts the rule, - # it returns true, false otherwise. The rule will already have its - # ``id`` field set, which the plugin may use for identification - # purposes. + ## Implements the add_rule() operation. If the plugin accepts the rule, + ## it returns true, false otherwise. The rule will already have its + ## ``id`` field set, which the plugin may use for identification + ## purposes. add_rule: function(state: PluginState, r: Rule) : bool &optional; - # Implements the remove_rule() operation. This will only be called for - # rules that the plugins has previously accepted with add_rule(). The - # ``id`` field will match that of the add_rule() call. 
Generally, - # a plugin that accepts an add_rule() should also accept the - # remove_rule(). + ## Implements the remove_rule() operation. This will only be called for + ## rules that the plugins has previously accepted with add_rule(). The + ## ``id`` field will match that of the add_rule() call. Generally, + ## a plugin that accepts an add_rule() should also accept the + ## remove_rule(). remove_rule: function(state: PluginState, r: Rule) : bool &optional; - # A transaction groups a number of operations. The plugin can add them internally - # and postpone putting them into effect until committed. This allows to build a - # configuration of multiple rules at once, including replaying a previous state. + ## A transaction groups a number of operations. The plugin can add them internally + ## and postpone putting them into effect until committed. This allows to build a + ## configuration of multiple rules at once, including replaying a previous state. transaction_begin: function(state: PluginState) &optional; transaction_end: function(state: PluginState) &optional; }; - # Table for a plugin to store instance-specific configuration information. - # - # Note, it would be nicer to pass the Plugin instance to all the below, instead - # of this state table. However Bro's type resolver has trouble with refering to a - # record type from inside itself. + ## Table for a plugin to store instance-specific configuration information. + ## + ## Note, it would be nicer to pass the Plugin instance to all the below, instead + ## of this state table. However Bro's type resolver has trouble with refering to a + ## record type from inside itself. redef record PluginState += { ## The plugin that the state belongs to. (Defined separately - ## because of cyclic type dependency.) + ## because of cyclic type dependency.) plugin: Plugin &optional; }; 
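Review bot: Promoting the Plugin record comments from `#` to `##` carries over a sentence that was already garbled and will now render as reference text: `## returning failure, it indicates that it can't support something and the` / `## the framework will then try another plugin, if available; or inform the` / `## that the operation failed.` — the duplicated "the" and the missing object after "inform the" (presumably "the caller") should be fixed before publishing. The same paragraph names the reporting events as ``rule_{added,remove,error}``, but the event documented elsewhere in this change is `NetControl::rule_removed`, so it should read ``rule_{added,removed,error}``. Smaller typos in the new lines: `If plugin accepts` → `If a plugin accepts`, `asynchrously` → `asynchronously`, `afterwords` → `afterwards`, `refering` → `referring`. Finally, the `## Table for a plugin to store instance-specific configuration information.` paragraph now documents the `redef record PluginState += {` block, but it describes the state table rather than the `plugin` field that the redef adds, so it may be better left as a `#` implementation note or reworded to describe the field. The `export` block enclosing this hunk starts before it.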
diff --git a/scripts/base/frameworks/netcontrol/plugins/broker.bro b/scripts/base/frameworks/netcontrol/plugins/broker.bro index ab97734fc9..da8e942ae7 100644 --- a/scripts/base/frameworks/netcontrol/plugins/broker.bro +++ b/scripts/base/frameworks/netcontrol/plugins/broker.bro @@ -11,6 +11,7 @@ module NetControl; @ifdef ( Broker::__enable ) export { + ## This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`. type BrokerConfig: record { ## The broker topic used to send events to topic: string &optional; @@ -38,6 +39,7 @@ export { global create_broker: function(config: BrokerConfig, can_expire: bool) : PluginState; redef record PluginState += { + ## OpenFlow controller for NetControl Broker plugin broker_config: BrokerConfig &optional; ## The ID of this broker instance - for the mapping to PluginStates broker_id: count &optional; diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.bro b/scripts/base/frameworks/netcontrol/plugins/openflow.bro index 44a8bb2f1a..e47c8ba713 100644 --- a/scripts/base/frameworks/netcontrol/plugins/openflow.bro +++ b/scripts/base/frameworks/netcontrol/plugins/openflow.bro 
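Review bot: The doc comment added to `broker_config` in the second hunk, `## OpenFlow controller for NetControl Broker plugin`, looks copied from the OpenFlow plugin and does not describe the field, which holds this Broker instance's `BrokerConfig`; suggest `## The configuration of this Broker plugin instance, as passed to :bro:see:\`NetControl::create_broker\`.` The first hunk's record comment is fine. Both hunks are inside the `export` block, which starts and ends outside them.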
@@ -7,22 +7,46 @@ module NetControl; export { + ## This record specifies the configuration that is passed to :bro:see:`NetControl::create_openflow`. type OfConfig: record { - monitor: bool &default=T; - forward: bool &default=T; - idle_timeout: count &default=0; - table_id: count &optional; + monitor: bool &default=T; ##< accept rules that target the monitor path + forward: bool &default=T; ##< accept rules that target the forward path + idle_timeout: count &default=0; ##< default OpenFlow idle timeout + table_id: count &optional; ##< default OpenFlow table ID. priority_offset: int &default=+0; ##< add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function. ## Predicate that is called on rule insertion or removal. ## - ## p: Current plugin state + ## p: Current plugin state. ## - ## r: The rule to be inserted or removed + ## r: The rule to be inserted or removed. ## - ## Returns: T if the rule can be handled by the current backend, F otherwhise + ## Returns: T if the rule can be handled by the current backend, F otherwhise. check_pred: function(p: PluginState, r: Rule): bool &optional; + + ## This predicate is called each time an OpenFlow match record is created. + ## The predicate can modify the match structure before it is sent on to the + ## device. + ## + ## p: Current plugin state. + ## + ## r: The rule to be inserted or removed. + ## + ## m: The openflow match structures that were generated for this rules. + ## + ## Returns: The modified OpenFlow match structures that will be used in place the structures passed in m. match_pred: function(p: PluginState, e: Entity, m: vector of OpenFlow::ofp_match): vector of OpenFlow::ofp_match &optional; + + ## This predicate is called before an FlowMod message is sent to the OpenFlow + ## device. It can modify the FlowMod message before it is passed on. + ## + ## p: Current plugin state. 
+ ## + ## r: The rule to be inserted or removed. + ## + ## m: The OpenFlow FlowMod message. + ## + ## Returns: The modified FloMod message that is used in lieu of m. flow_mod_pred: function(p: PluginState, r: Rule, m: OpenFlow::ofp_flow_mod): OpenFlow::ofp_flow_mod &optional; }; diff --git a/scripts/base/frameworks/netcontrol/types.bro b/scripts/base/frameworks/netcontrol/types.bro index 3147420c99..dce3ed4223 100644 --- a/scripts/base/frameworks/netcontrol/types.bro +++ b/scripts/base/frameworks/netcontrol/types.bro 
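Review bot: The new `match_pred` documentation lists a parameter `r: The rule to be inserted or removed.` but the signature it documents is `match_pred: function(p: PluginState, e: Entity, m: vector of OpenFlow::ofp_match)`, so the documented name does not match the parameter; it should describe `e`, e.g. `## e: The entity for which the match structures were generated.` The same block has `m: The openflow match structures that were generated for this rules.` (→ `this rule`) and `that will be used in place the structures passed in m.` (→ `in place of the structures`). In the `flow_mod_pred` docs, `This predicate is called before an FlowMod message` should be `a FlowMod message` and `The modified FloMod message` should be `FlowMod`. The `OfConfig` record and the surrounding `export` block continue outside this hunk.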
@@ -1,30 +1,45 @@ -##! Types used by the NetControl framework. +##! This file defines the that are used by the NetControl framework. +##! +##! The most important type defined in this file is :bro:see:`NetControl::Rule`, +##! which is used to describe all rules that can be expressed by the NetControl framework. module NetControl; export { + ## The default priority that is used when creating rules. const default_priority: int = +0 &redef; + + ## The default priority that is used when using the high-level functions to + ## push whitelist entries to the backends (:bro:see:`NetControl::whitelist_address` and + ## :bro:see:`NetControl::whitelist_subnet`). + ## + ## Note that this priority is not automatically used when manually creating rules + ## that have a :bro:see:`NetControl::RuleType` of :bro:enum:`NetControl::WHITELIST`. const whitelist_priority: int = +5 &redef; - ## Type of a :bro:id:`Entity` for defining an action. + ## The EntityType is used in :bro:id:`Entity` for defining the entity that a rule + ## applies to. type EntityType: enum { ADDRESS, ##< Activity involving a specific IP address. - CONNECTION, ##< All of a bi-directional connection's activity. - FLOW, ##< All of a uni-directional flow's activity. Can contain wildcards. + CONNECTION, ##< Activity involving all of a bi-directional connection's activity. + FLOW, ##< Actitivy involving a uni-directional flow's activity. Can contain wildcards. MAC, ##< Activity involving a MAC address. }; - ## Type for defining a flow. + ## Flow is used in :bro:id:`Entity` together with :bro:enum:`NetControl::FLOW` to specify + ## a uni-directional flow that a :bro:id:`Rule` applies to. + ## + ## If optional fields are not set, they are interpreted as wildcarded. type Flow: record { src_h: subnet &optional; ##< The source IP address/subnet. src_p: port &optional; ##< The source port number. dst_h: subnet &optional; ##< The destination IP address/subnet. - dst_p: port &optional; ##< The desintation port number. 
+ dst_p: port &optional; ##< The destination port number. src_m: string &optional; ##< The source MAC address. dst_m: string &optional; ##< The destination MAC address. }; - ## Type defining the enity an :bro:id:`Rule` is operating on. + ## Type defining the entity an :bro:id:`Rule` is operating on. type Entity: record { ty: EntityType; ##< Type of entity. conn: conn_id &optional; ##< Used with :bro:enum:`NetControl::CONNECTION`. 
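Review bot: The new file header is missing its noun: `##! This file defines the that are used by the NetControl framework.` should be `##! This file defines the types that are used by the NetControl framework.` The EntityType comments now read `CONNECTION, ##< Activity involving all of a bi-directional connection's activity.` and `FLOW, ##< Actitivy involving a uni-directional flow's activity.`, which double up "activity" and misspell it; the previous wording (`All of a bi-directional connection's activity.`) was cleaner and only `Actitivy` needs correcting otherwise. The new paragraphs reference `` :bro:id:`Entity` `` and `` :bro:id:`Rule` `` while the main.bro hunks in this same commit replace `:bro:id:` with `:bro:see:`; one form should be used throughout. This hunk's `export` block continues past its end.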
@@ -33,32 +48,36 @@ export { mac: string &optional; ##< Used with :bro:enum:`NetControl::MAC`. }; - ## Target of :bro:id:`Rule` action. + ## The :bro:id`TargetType` defined the target of a :bro:id:`Rule`. + ## + ## Rules can either be applied to the forward path, affecting all network traffic, or + ## on the monitor path, only affecting the traffic that is sent to Bro. The second + ## is mostly used for shunting, which allows Bro to tell the networking hardware that + ## it wants to no longer see traffic that it identified as benign. type TargetType: enum { FORWARD, #< Apply rule actively to traffic on forwarding path. MONITOR, #< Apply rule passively to traffic sent to Bro for monitoring. }; - ## Type of rules that the framework supports. Each type lists the + ## Type of rules that the framework supports. Each type lists the extra ## :bro:id:`Rule` argument(s) it uses, if any. ## ## Plugins may extend this type to define their own. type RuleType: enum { - ## Stop forwarding all packets matching entity. + ## Stop forwarding all packets matching the entity. ## - ## No arguments. + ## No additional arguments. DROP, - ## Begin modifying all packets matching entity. + ## Modify all packets matching entity. The packets + ## will be modified according to the `mod` entry of + ## the rule. ## - ## .. todo:: - ## Define arguments. MODIFY, - ## Begin redirecting all packets matching entity. + ## Redirect all packets matching entity to a different switch port, + ## given in the `out_port` argument of the rule. ## - ## .. todo:: - ## c: output port to redirect traffic to. REDIRECT, ## Whitelists all packets of an entity, meaning no restrictions will be applied. diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 477b4cc1b3..e0765e0446 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
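Review bot: The new TargetType description has a malformed role, `` ## The :bro:id`TargetType` defined the target of a :bro:id:`Rule`. `` — the closing colon after `:bro:id` is missing, so Sphinx will not resolve it and the markup will be emitted verbatim; the verb is also wrong. Suggest `` ## The :bro:id:`TargetType` defines the target of a :bro:id:`Rule`. `` The FORWARD and MONITOR members still carry single-hash `#<` comments (unchanged context here), so they will not appear in the rendered enum docs that this change is otherwise completing; converting them to `##<` would be consistent with the rest of the file. In the RuleType docs, `## Modify all packets matching entity.` and `## Redirect all packets matching entity` should say `the entity` to match the reworded DROP entry, and the lone `##` line left before `MODIFY,` is now a stray empty doc line. The `export` block enclosing this hunk starts before it and ends after it.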
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-06-07-19-22-42 +#open 2016-06-22-22-50-49 #fields name #types string scripts/base/init-bare.bro 
@@ -155,14 +155,38 @@ scripts/base/init-default.bro
 scripts/base/frameworks/notice/main.bro
 scripts/base/frameworks/notice/weird.bro
 scripts/base/frameworks/notice/actions/drop.bro
+ scripts/base/frameworks/netcontrol/__load__.bro
+ scripts/base/frameworks/netcontrol/types.bro
+ scripts/base/frameworks/netcontrol/main.bro
+ scripts/base/frameworks/netcontrol/plugin.bro
+ scripts/base/frameworks/netcontrol/plugins/__load__.bro
+ scripts/base/frameworks/netcontrol/plugins/debug.bro
+ scripts/base/frameworks/netcontrol/plugins/openflow.bro
+ scripts/base/frameworks/openflow/__load__.bro
+ scripts/base/frameworks/openflow/consts.bro
+ scripts/base/frameworks/openflow/types.bro
+ scripts/base/frameworks/openflow/main.bro
+ scripts/base/frameworks/openflow/plugins/__load__.bro
+ scripts/base/frameworks/openflow/plugins/ryu.bro
+ scripts/base/utils/json.bro
+ scripts/base/frameworks/openflow/plugins/log.bro
+ scripts/base/frameworks/openflow/plugins/broker.bro
+ scripts/base/frameworks/cluster/__load__.bro
+ scripts/base/frameworks/cluster/main.bro
+ scripts/base/frameworks/control/__load__.bro
+ scripts/base/frameworks/control/main.bro
+ scripts/base/frameworks/openflow/non-cluster.bro
+ scripts/base/frameworks/netcontrol/plugins/packetfilter.bro
+ scripts/base/frameworks/netcontrol/plugins/broker.bro
+ scripts/base/frameworks/netcontrol/plugins/acld.bro
+ scripts/base/frameworks/netcontrol/drop.bro
+ scripts/base/frameworks/netcontrol/shunt.bro
+ scripts/base/frameworks/netcontrol/catch-and-release.bro
+ scripts/base/frameworks/netcontrol/non-cluster.bro
 scripts/base/frameworks/notice/actions/email_admin.bro
 scripts/base/frameworks/notice/actions/page.bro
 scripts/base/frameworks/notice/actions/add-geodata.bro
 scripts/base/frameworks/notice/extend-email/hostnames.bro
- scripts/base/frameworks/cluster/__load__.bro
- scripts/base/frameworks/cluster/main.bro
- scripts/base/frameworks/control/__load__.bro
- scripts/base/frameworks/control/main.bro
 scripts/base/frameworks/notice/non-cluster.bro
 scripts/base/frameworks/notice/actions/pp-alarms.bro
 scripts/base/frameworks/dpd/__load__.bro
@@ -196,30 +220,6 @@ scripts/base/init-default.bro
 scripts/base/frameworks/sumstats/non-cluster.bro
 scripts/base/frameworks/tunnels/__load__.bro
 scripts/base/frameworks/tunnels/main.bro
- scripts/base/frameworks/openflow/__load__.bro
- scripts/base/frameworks/openflow/consts.bro
- scripts/base/frameworks/openflow/types.bro
- scripts/base/frameworks/openflow/main.bro
- scripts/base/frameworks/openflow/plugins/__load__.bro
- scripts/base/frameworks/openflow/plugins/ryu.bro
- scripts/base/utils/json.bro
- scripts/base/frameworks/openflow/plugins/log.bro
- scripts/base/frameworks/openflow/plugins/broker.bro
- scripts/base/frameworks/openflow/non-cluster.bro
- scripts/base/frameworks/netcontrol/__load__.bro
- scripts/base/frameworks/netcontrol/types.bro
- scripts/base/frameworks/netcontrol/main.bro
- scripts/base/frameworks/netcontrol/plugin.bro
- scripts/base/frameworks/netcontrol/plugins/__load__.bro
- scripts/base/frameworks/netcontrol/plugins/debug.bro
- scripts/base/frameworks/netcontrol/plugins/openflow.bro
- scripts/base/frameworks/netcontrol/plugins/packetfilter.bro
- scripts/base/frameworks/netcontrol/plugins/broker.bro
- scripts/base/frameworks/netcontrol/plugins/acld.bro
- scripts/base/frameworks/netcontrol/drop.bro
- scripts/base/frameworks/netcontrol/shunt.bro
- scripts/base/frameworks/netcontrol/catch-and-release.bro
- scripts/base/frameworks/netcontrol/non-cluster.bro
 scripts/base/protocols/conn/__load__.bro
 scripts/base/protocols/conn/main.bro
 scripts/base/protocols/conn/contents.bro
@@ -311,4 +311,4 @@ scripts/base/init-default.bro
 scripts/base/misc/find-checksum-offloading.bro
 scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close 2016-06-07-19-22-42
+#close 2016-06-22-22-50-50
diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out
index f7b7398bc8..65e1f24366 100644
--- a/testing/btest/Baseline/coverage.find-bro-logs/out
+++ b/testing/btest/Baseline/coverage.find-bro-logs/out
@@ -23,6 +23,7 @@ modbus
 modbus_register_change
 mysql
 net_control
+netcontrol_catch_release
 netcontrol_drop
 netcontrol_shunt
 notice
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-1-drop-with-debug_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-1-drop-with-debug_bro/output
new file mode 100644
index 0000000000..b451d5aa4f
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-1-drop-with-debug_bro/output
@@ -0,0 +1,14 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-1-drop-with-debug.bro
+
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ NetControl::drop_connection(c$id, 20 secs);
+ }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-10-use-skeleton_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-10-use-skeleton_bro/output
new file mode 100644
index 0000000000..331afbc80d
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-10-use-skeleton_bro/output
@@ -0,0 +1,14 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-10-use-skeleton.bro
+
+event NetControl::init()
+ {
+ local skeleton_plugin = NetControl::create_skeleton("");
+ NetControl::activate(skeleton_plugin, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ NetControl::drop_connection(c$id, 20 secs);
+ }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-2-ssh-guesser_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-2-ssh-guesser_bro/output
new file mode 100644
index 0000000000..87c8cdda7a
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-2-ssh-guesser_bro/output
@@ -0,0 +1,20 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-2-ssh-guesser.bro
+
+
+@load protocols/ssh/detect-bruteforcing
+
+redef SSH::password_guesses_limit=10;
+
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+hook Notice::policy(n: Notice::Info)
+ {
+ if ( n$note == SSH::Password_Guessing )
+ NetControl::drop_address(n$src, 60min);
+ }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-3-ssh-guesser_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-3-ssh-guesser_bro/output
new file mode 100644
index 0000000000..228856f00a
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-3-ssh-guesser_bro/output
@@ -0,0 +1,20 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-3-ssh-guesser.bro
+
+
+@load protocols/ssh/detect-bruteforcing
+
+redef SSH::password_guesses_limit=10;
+
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+hook Notice::policy(n: Notice::Info)
+ {
+ if ( n$note == SSH::Password_Guessing )
+ add n$actions[Notice::ACTION_DROP];
+ }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-4-drop_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-4-drop_bro/output
new file mode 100644
index 0000000000..e7b15fd91b
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-4-drop_bro/output
@@ -0,0 +1,30 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-4-drop.bro
+
+function our_drop_connection(c: conn_id, t: interval)
+ {
+ # As a first step, create the NetControl::Entity that we want to block
+ local e = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c);
+ # Then, use the entity to create the rule to drop the entity in the forward path
+ local r = NetControl::Rule($ty=NetControl::DROP,
+ $target=NetControl::FORWARD, $entity=e, $expire=t);
+
+ # Add the rule
+ local id = NetControl::add_rule(r);
+
+ if ( id == "" )
+ print "Error while dropping";
+ }
+
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ our_drop_connection(c$id, 20 secs);
+ }
+
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-5-hook_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-5-hook_bro/output
new file mode 100644
index 0000000000..d27e3f9a6a
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-5-hook_bro/output
@@ -0,0 +1,26 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-5-hook.bro
+
+hook NetControl::rule_policy(r: NetControl::Rule)
+ {
+ if ( r$ty == NetControl::DROP &&
+ r$entity$ty == NetControl::CONNECTION &&
+ r$entity$conn$orig_h in 192.168.0.0/16 )
+ {
+ print "Ignored connection from", r$entity$conn$orig_h;
+ break;
+ }
+ }
+
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ NetControl::drop_connection(c$id, 20 secs);
+ }
+
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-6-find_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-6-find_bro/output
new file mode 100644
index 0000000000..bcc5199590
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-6-find_bro/output
@@ -0,0 +1,21 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-6-find.bro
+
+event NetControl::init()
+ {
+ local netcontrol_debug = NetControl::create_debug(T);
+ NetControl::activate(netcontrol_debug, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ if ( |NetControl::find_rules_addr(c$id$orig_h)| > 0 )
+ {
+ print "Rule already exists";
+ return;
+ }
+
+ NetControl::drop_connection(c$id, 20 secs);
+ print "Rule added";
+ }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-7-catch-release_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-7-catch-release_bro/output
new file mode 100644
index 0000000000..aa10d8cc01
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-7-catch-release_bro/output
@@ -0,0 +1,14 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-7-catch-release.bro
+
+event NetControl::init()
+ {
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+ }
+
+event connection_established(c: connection)
+ {
+ NetControl::drop_address_catch_release(c$id$orig_h);
+ }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-8-multiple_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-8-multiple_bro/output
new file mode 100644
index 0000000000..f9bac69f44
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-8-multiple_bro/output
@@ -0,0 +1,33 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-8-multiple.bro
+
+function our_openflow_check(p: NetControl::PluginState, r: NetControl::Rule): bool
+ {
+ if ( r$ty == NetControl::DROP &&
+ r$entity$ty == NetControl::ADDRESS &&
+ subnet_width(r$entity$ip) == 32 &&
+ subnet_to_addr(r$entity$ip) in 192.168.17.0/24 )
+ return F;
+
+ return T;
+ }
+
+event NetControl::init()
+ {
+ # Add debug plugin with low priority
+ local debug_plugin = NetControl::create_debug(T);
+ NetControl::activate(debug_plugin, 0);
+
+ # Instantiate OpenFlow debug plugin with higher priority
+ local of_controller = OpenFlow::log_new(42);
+ local netcontrol_of = NetControl::create_openflow(of_controller, [$check_pred=our_openflow_check]);
+ NetControl::activate(netcontrol_of, 10);
+ }
+
+event NetControl::init_done()
+ {
+ NetControl::drop_address(10.0.0.1, 1min);
+ NetControl::drop_address(192.168.17.2, 1min);
+ NetControl::drop_address(192.168.18.2, 1min);
+ }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-9-skeleton_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-9-skeleton_bro/output
new file mode 100644
index 0000000000..dc23f832dd
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-9-skeleton_bro/output
@@ -0,0 +1,43 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-9-skeleton.bro
+
+module NetControl;
+
+export {
+ ## Instantiates the plugin.
+ global create_skeleton: function(argument: string) : PluginState;
+}
+
+function skeleton_name(p: PluginState) : string
+ {
+ return "NetControl skeleton plugin";
+ }
+
+function skeleton_add_rule_fun(p: PluginState, r: Rule) : bool
+ {
+ print "add", r;
+ event NetControl::rule_added(r, p);
+ return T;
+ }
+
+ function skeleton_remove_rule_fun(p: PluginState, r: Rule) : bool
+ {
+ print "remove", r;
+ event NetControl::rule_removed(r, p);
+ return T;
+ }
+
+global skeleton_plugin = Plugin(
+ $name = skeleton_name,
+ $can_expire = F,
+ $add_rule = skeleton_add_rule_fun,
+ $remove_rule = skeleton_remove_rule_fun
+ );
+
+function create_skeleton(argument: string) : PluginState
+ {
+ local p = PluginState($plugin=skeleton_plugin);
+
+ return p;
+ }
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#1
new file mode 100644
index 0000000000..91f41babb3
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#1
@@ -0,0 +1,32 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # bro -C -r tls/ecdhe.pcap netcontrol-1-drop-with-debug.bro
+ netcontrol debug (Debug-All): init
+ netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # cat netcontrol.log
+ #separator \x09
+ #set_separator ,
+ #empty_field (empty)
+ #unset_field -
+ #path netcontrol
+ #open 2016-06-22-22-58-31
+ #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
+ #types time string enum string enum string enum string string string string int interval string string
+ 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
+ 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
+ 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
+ 1398529018.678276 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All
+ 1398529018.678276 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All
+ #close 2016-06-22-22-58-31
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#2 b/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#2
new file mode 100644
index 0000000000..5c361dba1c
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#2
@@ -0,0 +1,18 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # cat netcontrol_drop.log
+ #separator \x09
+ #set_separator ,
+ #empty_field (empty)
+ #unset_field -
+ #path netcontrol_drop
+ #open 2016-06-22-22-58-31
+ #fields ts rule_id orig_h orig_p resp_h resp_p expire location
+ #types time string addr port addr port interval string
+ 1398529018.678276 2 192.168.18.50 56981 74.125.239.97 443 20.000000 -
+ #close 2016-06-22-22-58-31
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-2-ssh-guesser.bro/btest-doc.sphinx.netcontrol-2-ssh-guesser.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-2-ssh-guesser.bro/btest-doc.sphinx.netcontrol-2-ssh-guesser.bro#1
new file mode 100644
index 0000000000..da4c7a78d1
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-2-ssh-guesser.bro/btest-doc.sphinx.netcontrol-2-ssh-guesser.bro#1
@@ -0,0 +1,32 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # bro -C -r ssh/sshguess.pcap netcontrol-2-ssh-guesser.bro
+ netcontrol debug (Debug-All): init
+ netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.56.1/32, mac=], expire=1.0 hr, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # cat netcontrol.log
+ #separator \x09
+ #set_separator ,
+ #empty_field (empty)
+ #unset_field -
+ #path netcontrol
+ #open 2016-06-22-22-58-36
+ #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
+ #types time string enum string enum string enum string string string string int interval string string
+ 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
+ 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
+ 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
+ 1427726711.398575 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 3600.000000 - Debug-All
+ 1427726711.398575 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 3600.000000 - Debug-All
+ #close 2016-06-22-22-58-36
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1
new file mode 100644
index 0000000000..d70b371a01
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1
@@ -0,0 +1,32 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # bro -C -r ssh/sshguess.pcap netcontrol-3-ssh-guesser.bro
+ netcontrol debug (Debug-All): init
+ netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.56.1/32, mac=], expire=10.0 mins, priority=0, location=ACTION_DROP: T, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # cat netcontrol.log
+ #separator \x09
+ #set_separator ,
+ #empty_field (empty)
+ #unset_field -
+ #path netcontrol
+ #open 2016-06-22-22-58-38
+ #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
+ #types time string enum string enum string enum string string string string int interval string string
+ 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
+ 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
+ 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
+ 1427726711.398575 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All
+ 1427726711.398575 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All
+ #close 2016-06-22-22-58-38
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2 b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2
new file mode 100644
index 0000000000..a768fde679
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2
@@ -0,0 +1,18 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # cat notice.log
+ #separator \x09
+ #set_separator ,
+ #empty_field (empty)
+ #unset_field -
+ #path notice
+ #open 2016-06-22-22-58-38
+ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
+ #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
+ 1427726711.398575 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - bro Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 T - - - - -
+ #close 2016-06-22-22-58-38
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-4-drop.bro/btest-doc.sphinx.netcontrol-4-drop.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-4-drop.bro/btest-doc.sphinx.netcontrol-4-drop.bro#1
new file mode 100644
index 0000000000..437d9ba58f
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-4-drop.bro/btest-doc.sphinx.netcontrol-4-drop.bro#1
@@ -0,0 +1,32 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # bro -C -r tls/ecdhe.pcap netcontrol-4-drop.bro
+ netcontrol debug (Debug-All): init
+ netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # cat netcontrol.log
+ #separator \x09
+ #set_separator ,
+ #empty_field (empty)
+ #unset_field -
+ #path netcontrol
+ #open 2016-06-22-22-58-42
+ #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
+ #types time string enum string enum string enum string string string string int interval string string
+ 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
+ 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
+ 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
+ 1398529018.678276 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All
+ 1398529018.678276 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All
+ #close 2016-06-22-22-58-42
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-5-hook.bro/btest-doc.sphinx.netcontrol-5-hook.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-5-hook.bro/btest-doc.sphinx.netcontrol-5-hook.bro#1
new file mode 100644
index 0000000000..0dd5d01130
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-5-hook.bro/btest-doc.sphinx.netcontrol-5-hook.bro#1
@@ -0,0 +1,10 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # bro -C -r tls/ecdhe.pcap netcontrol-5-hook.bro
+ netcontrol debug (Debug-All): init
+ Ignored connection from, 192.168.18.50
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-6-find.bro/btest-doc.sphinx.netcontrol-6-find.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-6-find.bro/btest-doc.sphinx.netcontrol-6-find.bro#1
new file mode 100644
index 0000000000..66846d738d
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-6-find.bro/btest-doc.sphinx.netcontrol-6-find.bro#1
@@ -0,0 +1,12 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # bro -C -r tls/google-duplicate.trace netcontrol-6-find.bro
+ netcontrol debug (Debug-All): init
+ netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.4.149, orig_p=60623/tcp, resp_h=74.125.239.129, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+ Rule added
+ Rule already exists
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#1
new file mode 100644
index 0000000000..ed2d956171
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#1
@@ -0,0 +1,10 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # bro -C -r tls/ecdhe.pcap netcontrol-7-catch-release.bro
+ netcontrol debug (Debug-All): init
+ netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], expire=10.0 mins, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#2 b/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#2
new file mode 100644
index 0000000000..df2080fc59
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#2
@@ -0,0 +1,19 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # cat netcontrol_catch_release.log
+ #separator \x09
+ #set_separator ,
+ #empty_field (empty)
+ #unset_field -
+ #path netcontrol_catch_release
+ #open 2016-06-22-22-58-49
+ #fields ts rule_id ip action block_interval watch_interval blocked_until watched_until num_blocked location message
+ #types time string addr enum interval interval time time count string string
+ 1398529018.678276 2 192.168.18.50 NetControl::DROP 600.000000 3600.000000 1398529618.678276 1398532618.678276 1 - -
+ 1398529018.678276 2 192.168.18.50 NetControl::DROPPED 600.000000 3600.000000 1398529618.678276 1398532618.678276 1 - -
+ #close 2016-06-22-22-58-49
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#1
new file mode 100644
index 0000000000..3f48475e7e
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#1
@@ -0,0 +1,10 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # bro netcontrol-8-multiple.bro
+ netcontrol debug (Debug-All): init
+ netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.17.2/32, mac=], expire=1.0 min, priority=0, location=, out_port=, mod=, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#2 b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#2
new file mode 100644
index 0000000000..435078d4fb
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#2
@@ -0,0 +1,28 @@
+.. rst-class:: btest-cmd
+
+ .. code-block:: none
+ :linenos:
+ :emphasize-lines: 1,1
+
+ # cat netcontrol.log
+ #separator \x09
+ #set_separator ,
+ #empty_field (empty)
+ #unset_field -
+ #path netcontrol
+ #open 2016-06-22-22-58-52
+ #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
+ #types time string enum string enum string enum string string string string int interval string string
+ 1466636332.844326 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All
+ 1466636332.844326 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All
+ 1466636332.844326 - NetControl::MESSAGE - - - - - - - activating plugin with priority 10 - - - Openflow-Log-42
+ 1466636332.844326 - NetControl::MESSAGE - - - - - - - activation finished - - - Openflow-Log-42
+ 1466636332.844326 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - -
+ 1466636332.844326 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 10.0.0.1/32 - - 0 60.000000 - Openflow-Log-42
+ 1466636332.844326 3 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.17.2/32 - - 0 60.000000 - Debug-All
+ 1466636332.844326 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.2/32 - - 0 60.000000 - Openflow-Log-42
+ 1466636332.844326 3 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.17.2/32 - - 0 60.000000 - Debug-All
+ 1466636332.844326 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 10.0.0.1/32 - - 0 60.000000 - Openflow-Log-42
+ 1466636332.844326 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.2/32 - - 0 60.000000 - Openflow-Log-42
+ #close 2016-06-22-22-58-52
+
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#3 b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#3
new file mode 100644
index 0000000000..7094c08b74
--- /dev/null
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#3
@@ -0,0 +1,21 @@ +.. rst-class:: btest-cmd + + .. code-block:: none + :linenos: + :emphasize-lines: 1,1 + + # cat openflow.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path openflow + #open 2016-06-22-22-58-52 + #fields ts dpid match.in_port match.dl_src match.dl_dst match.dl_vlan match.dl_vlan_pcp match.dl_type match.nw_tos match.nw_proto match.nw_src match.nw_dst match.tp_src match.tp_dst flow_mod.cookie flow_mod.table_id flow_mod.command flow_mod.idle_timeout flow_mod.hard_timeout flow_mod.priority flow_mod.out_port flow_mod.out_group flow_mod.flags flow_mod.actions.out_ports flow_mod.actions.vlan_vid flow_mod.actions.vlan_pcp flow_mod.actions.vlan_strip flow_mod.actions.dl_src flow_mod.actions.dl_dst flow_mod.actions.nw_tos flow_mod.actions.nw_src flow_mod.actions.nw_dst flow_mod.actions.tp_src flow_mod.actions.tp_dst + #types time count count string string count count count count count subnet subnet count count count count enum count count count count count count vector[count] count count bool string string count addr addr count count + 1466636332.844326 42 - - - - - 2048 - - 10.0.0.1/32 - - - 4398046511108 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - + 1466636332.844326 42 - - - - - 2048 - - - 10.0.0.1/32 - - 4398046511109 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - + 1466636332.844326 42 - - - - - 2048 - - 192.168.18.2/32 - - - 4398046511112 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - + 1466636332.844326 42 - - - - - 2048 - - - 192.168.18.2/32 - - 4398046511113 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - + #close 2016-06-22-22-58-52 + diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#4 b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#4 new file mode 100644 index 0000000000..941d9336c9 --- /dev/null 
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#4 @@ -0,0 +1,15 @@ +.. rst-class:: btest-cmd + + .. code-block:: none + :linenos: + :emphasize-lines: 1,1 + + # bro -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.bro + add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={ + + }, _active_plugin_ids={ + + }, _no_expire_plugins={ + + }, _added=F] + diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-9-skeleton.bro/btest-doc.sphinx.netcontrol-9-skeleton.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-9-skeleton.bro/btest-doc.sphinx.netcontrol-9-skeleton.bro#1 new file mode 100644 index 0000000000..941d9336c9 --- /dev/null +++ b/testing/btest/Baseline/doc.sphinx.netcontrol-9-skeleton.bro/btest-doc.sphinx.netcontrol-9-skeleton.bro#1 @@ -0,0 +1,15 @@ +.. rst-class:: btest-cmd + + .. code-block:: none + :linenos: + :emphasize-lines: 1,1 + + # bro -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.bro + add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={ + + }, _active_plugin_ids={ + + }, _no_expire_plugins={ + + }, _added=F] + diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 91f56d8d5b..5a0c16daea 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -172,6 +172,7 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=intel, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=kerberos, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=modbus, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol_catch_release, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol_drop, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol_shunt, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 
@@ -212,6 +213,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Intel::LOG, [columns=, ev=Intel::log_intel, path=intel])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -> @@ -238,7 +240,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
@@ -253,6 +255,7 @@ 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Intel::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (KRB::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Modbus::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (NetControl::CATCH_RELEASE)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (NetControl::DROP)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (NetControl::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (NetControl::SHUNT)) -> 
@@ -293,6 +296,7 @@ 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 
@@ -333,6 +337,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Intel::LOG, [columns=, ev=Intel::log_intel, path=intel])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -> @@ -359,7 +364,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -392,7 +397,7 @@ 0.000000 MetaHookPost CallFunction(reading_live_traffic, , ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, , ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) -> -0.000000 MetaHookPost CallFunction(strftime, , (%Y, 1466281781.048782)) -> +0.000000 MetaHookPost CallFunction(strftime, , (%Y, 1466636352.006823)) -> 0.000000 MetaHookPost CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -> 0.000000 MetaHookPost CallFunction(to_count, , (2016)) -> 
@@ -834,6 +839,7 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=intel, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=kerberos, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=modbus, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol_catch_release, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol_drop, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol_shunt, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 
@@ -874,6 +880,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Intel::LOG, [columns=, ev=Intel::log_intel, path=intel])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) @@ -900,7 +907,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 
@@ -915,6 +922,7 @@ 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Intel::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (KRB::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Modbus::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (NetControl::CATCH_RELEASE)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (NetControl::DROP)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (NetControl::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (NetControl::SHUNT)) 
@@ -955,6 +963,7 @@ 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 
@@ -995,6 +1004,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Intel::LOG, [columns=, ev=Intel::log_intel, path=intel])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) @@ -1021,7 +1031,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1054,7 +1064,7 @@ 0.000000 MetaHookPre CallFunction(reading_live_traffic, , ()) 0.000000 MetaHookPre CallFunction(reading_traces, , ()) 0.000000 MetaHookPre CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) -0.000000 MetaHookPre CallFunction(strftime, , (%Y, 1466281781.048782)) +0.000000 MetaHookPre CallFunction(strftime, , (%Y, 1466636352.006823)) 0.000000 MetaHookPre CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) 0.000000 MetaHookPre CallFunction(to_count, , (2016)) 
@@ -1495,6 +1505,7 @@ 0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=intel, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=kerberos, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=modbus, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol_catch_release, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol_drop, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=, path=netcontrol_shunt, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 
@@ -1535,6 +1546,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=, ev=Intel::log_intel, path=intel]) 0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos]) 0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus]) +0.000000 | HookCallFunction Log::__create_stream(NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release]) 0.000000 | HookCallFunction Log::__create_stream(NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]) 0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol]) 0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt]) @@ -1561,7 +1573,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1576,6 +1588,7 @@ 0.000000 | HookCallFunction Log::add_default_filter(Intel::LOG) 0.000000 | HookCallFunction Log::add_default_filter(KRB::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Modbus::LOG) +0.000000 | HookCallFunction Log::add_default_filter(NetControl::CATCH_RELEASE) 0.000000 | HookCallFunction Log::add_default_filter(NetControl::DROP) 0.000000 | HookCallFunction Log::add_default_filter(NetControl::LOG) 0.000000 | HookCallFunction Log::add_default_filter(NetControl::SHUNT) 
@@ -1616,6 +1629,7 @@ 0.000000 | HookCallFunction Log::add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 
@@ -1656,6 +1670,7 @@ 0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=, ev=Intel::log_intel, path=intel]) 0.000000 | HookCallFunction Log::create_stream(KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos]) 0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus]) +0.000000 | HookCallFunction Log::create_stream(NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release]) 0.000000 | HookCallFunction Log::create_stream(NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]) 0.000000 | HookCallFunction Log::create_stream(NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol]) 0.000000 | HookCallFunction Log::create_stream(NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt]) @@ -1682,7 +1697,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1466636352.007236, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -1715,7 +1730,7 @@ 0.000000 | HookCallFunction reading_live_traffic() 0.000000 | HookCallFunction reading_traces() 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) -0.000000 | HookCallFunction strftime(%Y, 1466281781.048782) +0.000000 | HookCallFunction strftime(%Y, 1466636352.006823) 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) 0.000000 | HookCallFunction to_count(2016) @@ -1730,7 +1745,8 @@ 0.000000 | HookQueueEvent filter_change_tracking() 1362692526.869344 MetaHookPost BroObjDtor() -> 1362692526.869344 MetaHookPost CallFunction(ChecksumOffloading::check, , ()) -> -1362692526.869344 MetaHookPost CallFunction(NetControl::check_conn, , (141.142.228.5)) -> +1362692526.869344 MetaHookPost CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) -> +1362692526.869344 MetaHookPost CallFunction(addr_to_subnet, , (141.142.228.5)) -> 1362692526.869344 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 1362692526.869344 MetaHookPost CallFunction(get_net_stats, , ()) -> 1362692526.869344 MetaHookPost CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 
@@ -1741,7 +1757,8 @@ 1362692526.869344 MetaHookPost UpdateNetworkTime(1362692526.869344) -> 1362692526.869344 MetaHookPre BroObjDtor() 1362692526.869344 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) -1362692526.869344 MetaHookPre CallFunction(NetControl::check_conn, , (141.142.228.5)) +1362692526.869344 MetaHookPre CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) +1362692526.869344 MetaHookPre CallFunction(addr_to_subnet, , (141.142.228.5)) 1362692526.869344 MetaHookPre CallFunction(filter_change_tracking, , ()) 1362692526.869344 MetaHookPre CallFunction(get_net_stats, , ()) 1362692526.869344 MetaHookPre CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 
@@ -1753,7 +1770,8 @@ 1362692526.869344 | HookBroObjDtor 1362692526.869344 | HookUpdateNetworkTime 1362692526.869344 1362692526.869344 | HookCallFunction ChecksumOffloading::check() -1362692526.869344 | HookCallFunction NetControl::check_conn(141.142.228.5) +1362692526.869344 | HookCallFunction NetControl::catch_release_seen(141.142.228.5) +1362692526.869344 | HookCallFunction addr_to_subnet(141.142.228.5) 1362692526.869344 | HookCallFunction filter_change_tracking() 1362692526.869344 | HookCallFunction get_net_stats() 1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 
@@ -1762,15 +1780,21 @@ 1362692526.869344 | HookQueueEvent filter_change_tracking() 1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692526.869344 | RequestObjDtor ChecksumOffloading::check() +1362692526.939084 MetaHookPost CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) -> +1362692526.939084 MetaHookPost CallFunction(addr_to_subnet, , (141.142.228.5)) -> 1362692526.939084 MetaHookPost CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692526.939084 MetaHookPost DrainEvents() -> 1362692526.939084 MetaHookPost QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, 
flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 1362692526.939084 MetaHookPost UpdateNetworkTime(1362692526.939084) -> +1362692526.939084 MetaHookPre CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) +1362692526.939084 MetaHookPre CallFunction(addr_to_subnet, , (141.142.228.5)) 1362692526.939084 MetaHookPre CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692526.939084 MetaHookPre DrainEvents() 1362692526.939084 MetaHookPre QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692526.939084 MetaHookPre UpdateNetworkTime(1362692526.939084) 1362692526.939084 | HookUpdateNetworkTime 1362692526.939084 +1362692526.939084 | HookCallFunction NetControl::catch_release_seen(141.142.228.5) +1362692526.939084 | HookCallFunction addr_to_subnet(141.142.228.5) 1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692526.939084 | HookDrainEvents 1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log index 6b80273111..64cbb5f748 100644 
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log @@ -1,6 +1,6 @@ 0.000000 bro_init - 0.000000 filter_change_tracking 0.000000 NetControl::init + 0.000000 filter_change_tracking 1254722767.492060 ChecksumOffloading::check 1254722767.492060 filter_change_tracking 1254722767.492060 new_connection @@ -107,6 +107,7 @@ 1437831776.764391 connection_state_remove 1437831776.764391 filter_change_tracking 1437831776.764391 new_connection +1437831777.107399 partial_connection 1437831787.856895 new_connection 1437831787.861602 connection_established 1437831787.867142 smtp_reply @@ -152,7 +153,9 @@ 1437831787.905375 smtp_request 1437831787.914113 smtp_reply 1437831798.533593 new_connection +1437831798.533765 partial_connection 1437831799.262632 new_connection +1437831799.410135 partial_connection 1437831799.461152 new_connection 1437831799.610433 connection_established 1437831799.611764 ssl_extension_server_name @@ -206,10 +209,15 @@ 1437831800.045701 ssl_established 1437831800.217854 net_done 1437831800.217854 filter_change_tracking +1437831800.217854 connection_pending 1437831800.217854 connection_state_remove +1437831800.217854 connection_pending 1437831800.217854 connection_state_remove +1437831800.217854 connection_pending 1437831800.217854 connection_state_remove +1437831800.217854 connection_pending 1437831800.217854 connection_state_remove +1437831800.217854 connection_pending 1437831800.217854 connection_state_remove 1437831800.217854 bro_done 1437831800.217854 ChecksumOffloading::check diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index 445456bb3b..632f3aa7f7 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log 
@@ -1,6 +1,6 @@ 0.000000 bro_init - 0.000000 filter_change_tracking 0.000000 NetControl::init + 0.000000 filter_change_tracking 1254722767.492060 ChecksumOffloading::check 1254722767.492060 filter_change_tracking 1254722767.492060 new_connection 
@@ -504,6 +504,9 @@ 1437831776.764391 new_connection [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.0, service={\x0a\x0a}, history=, uid=CRJuHdVW0XPVINV8a, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] +1437831777.107399 partial_connection + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CRJuHdVW0XPVINV8a, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + 1437831787.856895 new_connection [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.0, service={\x0a\x0a}, history=, uid=CPbrpk1qSsw6ESzHV4, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, 
dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 
@@ -742,9 +745,15 @@ 1437831798.533593 new_connection [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=, uid=C6pKV8GSxOnSLghOa, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] +1437831798.533765 partial_connection + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=dA, uid=C6pKV8GSxOnSLghOa, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + 1437831799.262632 new_connection [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.0, service={\x0a\x0a}, history=, uid=CIPOse170MGiRM1Qf4, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, 
dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] +1437831799.410135 partial_connection + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=CIPOse170MGiRM1Qf4, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + 1437831799.461152 new_connection [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.0, service={\x0a\x0a}, history=, uid=C7XEbhP654jzLoe3a, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 
@@ -985,18 +994,33 @@ [0] t: time = 1437831800.217854 1437831800.217854 filter_change_tracking +1437831800.217854 connection_pending + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + 1437831800.217854 connection_state_remove [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, 
http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] +1437831800.217854 connection_pending + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=CIPOse170MGiRM1Qf4, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + 1437831800.217854 connection_state_remove [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=CIPOse170MGiRM1Qf4, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, 
http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] -1437831800.217854 connection_state_remove +1437831800.217854 connection_pending [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CRJuHdVW0XPVINV8a, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CRJuHdVW0XPVINV8a, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + +1437831800.217854 connection_pending [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C7XEbhP654jzLoe3a, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, 
cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] +1437831800.217854 connection_state_remove + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, 
state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C7XEbhP654jzLoe3a, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key 
Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, 
id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, 
ssh=, syslog=] + +1437831800.217854 connection_pending + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=dA, uid=C6pKV8GSxOnSLghOa, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + 1437831800.217854 connection_state_remove [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=dA, uid=C6pKV8GSxOnSLghOa, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-1-drop-with-debug_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-1-drop-with-debug_bro.btest new file mode 100644 index 0000000000..b451d5aa4f --- /dev/null +++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-1-drop-with-debug_bro.btest 
@@ -0,0 +1,14 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +netcontrol-1-drop-with-debug.bro + +event NetControl::init() + { + local debug_plugin = NetControl::create_debug(T); + NetControl::activate(debug_plugin, 0); + } + +event connection_established(c: connection) + { + NetControl::drop_connection(c$id, 20 secs); + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-10-use-skeleton_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-10-use-skeleton_bro.btest new file mode 100644 index 0000000000..331afbc80d --- /dev/null +++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-10-use-skeleton_bro.btest @@ -0,0 +1,14 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +netcontrol-10-use-skeleton.bro + +event NetControl::init() + { + local skeleton_plugin = NetControl::create_skeleton(""); + NetControl::activate(skeleton_plugin, 0); + } + +event connection_established(c: connection) + { + NetControl::drop_connection(c$id, 20 secs); + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-2-ssh-guesser_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-2-ssh-guesser_bro.btest new file mode 100644 index 0000000000..87c8cdda7a --- /dev/null +++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-2-ssh-guesser_bro.btest @@ -0,0 +1,20 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +netcontrol-2-ssh-guesser.bro + + +@load protocols/ssh/detect-bruteforcing + +redef SSH::password_guesses_limit=10; + +event NetControl::init() + { + local debug_plugin = NetControl::create_debug(T); + NetControl::activate(debug_plugin, 0); + } + +hook Notice::policy(n: Notice::Info) + { + if ( n$note == SSH::Password_Guessing ) + NetControl::drop_address(n$src, 60min); + } 
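Review bot: The `Notice::policy` hook in the netcontrol-2-ssh-guesser include blocks `n$src` for 60 minutes on every `SSH::Password_Guessing` notice with no exemption, so a shared egress point (NAT, VPN concentrator, jump host) that trips `SSH::password_guesses_limit` is cut off for all of its users, and anyone who can make guesses appear to come from a chosen source can use the detector to block it. Detection-driven blocking should at least skip local networks, e.g. `if ( n$note == SSH::Password_Guessing && n$src !in Site::local_nets )` followed by `NetControl::drop_address(n$src, 60min);` — `Site::local_nets` is, as far as I recall, the base-script set meant for this and has to be populated for the guard to mean anything. This file reproduces the `netcontrol-2-ssh-guesser.bro` script named on its third line, so the change belongs in that script (and a sentence of warning in the surrounding text) rather than in the generated copy.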
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-3-ssh-guesser_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-3-ssh-guesser_bro.btest new file mode 100644 index 0000000000..228856f00a --- /dev/null +++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-3-ssh-guesser_bro.btest @@ -0,0 +1,20 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +netcontrol-3-ssh-guesser.bro + + +@load protocols/ssh/detect-bruteforcing + +redef SSH::password_guesses_limit=10; + +event NetControl::init() + { + local debug_plugin = NetControl::create_debug(T); + NetControl::activate(debug_plugin, 0); + } + +hook Notice::policy(n: Notice::Info) + { + if ( n$note == SSH::Password_Guessing ) + add n$actions[Notice::ACTION_DROP]; + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-4-drop_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-4-drop_bro.btest new file mode 100644 index 0000000000..e7b15fd91b --- /dev/null +++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-4-drop_bro.btest @@ -0,0 +1,30 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +netcontrol-4-drop.bro + +function our_drop_connection(c: conn_id, t: interval) + { + # As a first step, create the NetControl::Entity that we want to block + local e = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c); + # Then, use the entity to create the rule to drop the entity in the forward path + local r = NetControl::Rule($ty=NetControl::DROP, + $target=NetControl::FORWARD, $entity=e, $expire=t); + + # Add the rule + local id = NetControl::add_rule(r); + + if ( id == "" ) + print "Error while dropping"; + } + +event NetControl::init() + { + local debug_plugin = NetControl::create_debug(T); + NetControl::activate(debug_plugin, 0); + } + +event connection_established(c: connection) + { + our_drop_connection(c$id, 20 secs); + } + 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-5-hook_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-5-hook_bro.btest new file mode 100644 index 0000000000..d27e3f9a6a --- /dev/null +++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-5-hook_bro.btest @@ -0,0 +1,26 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +netcontrol-5-hook.bro + +hook NetControl::rule_policy(r: NetControl::Rule) + { + if ( r$ty == NetControl::DROP && + r$entity$ty == NetControl::CONNECTION && + r$entity$conn$orig_h in 192.168.0.0/16 ) + { + print "Ignored connection from", r$entity$conn$orig_h; + break; + } + } + +event NetControl::init() + { + local debug_plugin = NetControl::create_debug(T); + NetControl::activate(debug_plugin, 0); + } + +event connection_established(c: connection) + { + NetControl::drop_connection(c$id, 20 secs); + } + diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-6-find_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-6-find_bro.btest new file mode 100644 index 0000000000..bcc5199590 --- /dev/null +++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-6-find_bro.btest @@ -0,0 +1,21 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +netcontrol-6-find.bro + +event NetControl::init() + { + local netcontrol_debug = NetControl::create_debug(T); + NetControl::activate(netcontrol_debug, 0); + } + +event connection_established(c: connection) + { + if ( |NetControl::find_rules_addr(c$id$orig_h)| > 0 ) + { + print "Rule already exists"; + return; + } + + NetControl::drop_connection(c$id, 20 secs); + print "Rule added"; + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-7-catch-release_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-7-catch-release_bro.btest new file mode 100644 index 0000000000..aa10d8cc01 --- /dev/null 
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-7-catch-release_bro.btest @@ -0,0 +1,14 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +netcontrol-7-catch-release.bro + +event NetControl::init() + { + local debug_plugin = NetControl::create_debug(T); + NetControl::activate(debug_plugin, 0); + } + +event connection_established(c: connection) + { + NetControl::drop_address_catch_release(c$id$orig_h); + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-8-multiple_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-8-multiple_bro.btest new file mode 100644 index 0000000000..f9bac69f44 --- /dev/null +++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-8-multiple_bro.btest @@ -0,0 +1,33 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +netcontrol-8-multiple.bro + +function our_openflow_check(p: NetControl::PluginState, r: NetControl::Rule): bool + { + if ( r$ty == NetControl::DROP && + r$entity$ty == NetControl::ADDRESS && + subnet_width(r$entity$ip) == 32 && + subnet_to_addr(r$entity$ip) in 192.168.17.0/24 ) + return F; + + return T; + } + +event NetControl::init() + { + # Add debug plugin with low priority + local debug_plugin = NetControl::create_debug(T); + NetControl::activate(debug_plugin, 0); + + # Instantiate OpenFlow debug plugin with higher priority + local of_controller = OpenFlow::log_new(42); + local netcontrol_of = NetControl::create_openflow(of_controller, [$check_pred=our_openflow_check]); + NetControl::activate(netcontrol_of, 10); + } + +event NetControl::init_done() + { + NetControl::drop_address(10.0.0.1, 1min); + NetControl::drop_address(192.168.17.2, 1min); + NetControl::drop_address(192.168.18.2, 1min); + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-9-skeleton_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-9-skeleton_bro.btest new file mode 100644 index 0000000000..dc23f832dd --- /dev/null 
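Review bot: `our_openflow_check` in the netcontrol-8-multiple include only keeps host-sized drops away from the OpenFlow plugin: because of the `subnet_width(r$entity$ip) == 32` test, a `DROP` of a wider prefix inside 192.168.17.0/24, and any `CONNECTION` entity whose endpoints lie in that range, still satisfy the predicate and are handed to the OpenFlow controller. If the intent is that this range is never programmed into the switch, the predicate should also reject address entities whose prefix falls inside 192.168.17.0/24 and connection entities with `orig_h`/`resp_h` there; if the intent is merely to route single-host drops to the debug plugin, say so in a comment so readers do not copy this as an exclusion list. The `init_done` handler only issues /32 drops, so the recorded output cannot distinguish the two readings.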
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-9-skeleton_bro.btest
@@ -0,0 +1,43 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+netcontrol-9-skeleton.bro
+
+module NetControl;
+
+export {
+ ## Instantiates the plugin.
+ global create_skeleton: function(argument: string) : PluginState;
+}
+
+function skeleton_name(p: PluginState) : string
+ {
+ return "NetControl skeleton plugin";
+ }
+
+function skeleton_add_rule_fun(p: PluginState, r: Rule) : bool
+ {
+ print "add", r;
+ event NetControl::rule_added(r, p);
+ return T;
+ }
+
+ function skeleton_remove_rule_fun(p: PluginState, r: Rule) : bool
+ {
+ print "remove", r;
+ event NetControl::rule_removed(r, p);
+ return T;
+ }
+
+global skeleton_plugin = Plugin(
+ $name = skeleton_name,
+ $can_expire = F,
+ $add_rule = skeleton_add_rule_fun,
+ $remove_rule = skeleton_remove_rule_fun
+ );
+
+function create_skeleton(argument: string) : PluginState
+ {
+ local p = PluginState($plugin=skeleton_plugin);
+
+ return p;
+ }
diff --git a/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest b/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest
new file mode 100644
index 0000000000..ca5a6aec02
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest
@@ -0,0 +1,2 @@
+@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro
+@TEST-EXEC: btest-rst-cmd cat netcontrol.log
diff --git a/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest#2 b/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest#2
new file mode 100644
index 0000000000..03d4fe15f4
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest#2
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd cat netcontrol_drop.log
diff --git a/testing/btest/doc/sphinx/netcontrol-2-ssh-guesser.bro.btest b/testing/btest/doc/sphinx/netcontrol-2-ssh-guesser.bro.btest
new file mode 100644
index 0000000000..76b3ef2568
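Review bot: `skeleton_remove_rule_fun` in the netcontrol-9-skeleton include is indented one space while `skeleton_name`, `skeleton_add_rule_fun` and `create_skeleton` sit flush-left; since this hunk is the template readers will copy, align it with its siblings. `create_skeleton(argument: string)` never reads `argument`, which is fine for a skeleton but should be stated, e.g. `# 'argument' is where a real plugin receives its controller or host; the skeleton ignores it.` The add and remove functions raise `NetControl::rule_added`/`rule_removed` synchronously and return `T`; a one-line comment that a plugin with a real backend would raise these only once the backend has confirmed the rule would make the contract explicit, though I am inferring that contract from the field names rather than from anything in the hunk.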
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-2-ssh-guesser.bro.btest
@@ -0,0 +1,2 @@
+@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro
+@TEST-EXEC: btest-rst-cmd cat netcontrol.log
diff --git a/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest b/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest
new file mode 100644
index 0000000000..4a8b749f0f
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest
@@ -0,0 +1,2 @@
+@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro
+@TEST-EXEC: btest-rst-cmd cat netcontrol.log
diff --git a/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest#2 b/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest#2
new file mode 100644
index 0000000000..8447c8cf90
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest#2
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd cat notice.log
diff --git a/testing/btest/doc/sphinx/netcontrol-4-drop.bro.btest b/testing/btest/doc/sphinx/netcontrol-4-drop.bro.btest
new file mode 100644
index 0000000000..44808d18a4
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-4-drop.bro.btest
@@ -0,0 +1,2 @@
+@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro
+@TEST-EXEC: btest-rst-cmd cat netcontrol.log
diff --git a/testing/btest/doc/sphinx/netcontrol-5-hook.bro.btest b/testing/btest/doc/sphinx/netcontrol-5-hook.bro.btest
new file mode 100644
index 0000000000..d2d7ab4d28
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-5-hook.bro.btest
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-5-hook.bro
diff --git a/testing/btest/doc/sphinx/netcontrol-6-find.bro.btest b/testing/btest/doc/sphinx/netcontrol-6-find.bro.btest
new file mode 100644
index 0000000000..dd8abab8f3
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-6-find.bro.btest
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/google-duplicate.trace ${DOC_ROOT}/frameworks/netcontrol-6-find.bro
diff --git a/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest b/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest
new file mode 100644
index 0000000000..ec49c2d2ba
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-7-catch-release.bro
diff --git a/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest#2 b/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest#2
new file mode 100644
index 0000000000..72a79f9639
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest#2
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd cat netcontrol_catch_release.log
diff --git a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest
new file mode 100644
index 0000000000..790bac070d
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/frameworks/netcontrol-8-multiple.bro
diff --git a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#2 b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#2
new file mode 100644
index 0000000000..24ef5ee2f9
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#2
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd cat netcontrol.log
diff --git a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#3 b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#3
new file mode 100644
index 0000000000..ad47aa86bf
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#3
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd cat openflow.log
diff --git a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#4 b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#4
new file mode 100644
index 0000000000..76b34fa474
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#4
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro
diff --git a/testing/btest/doc/sphinx/netcontrol-9-skeleton.bro.btest b/testing/btest/doc/sphinx/netcontrol-9-skeleton.bro.btest
new file mode 100644
index 0000000000..76b34fa474
--- /dev/null
+++ b/testing/btest/doc/sphinx/netcontrol-9-skeleton.bro.btest
@@ -0,0 +1 @@
+@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro
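Review bot: `netcontrol-8-multiple.bro.btest#4` runs the netcontrol-9-skeleton and netcontrol-10-use-skeleton scripts and is byte-identical to `netcontrol-9-skeleton.bro.btest` (both new files carry the same blob id 76b34fa474), so the skeleton example is executed twice under two names. The `#4` suffix suggests a fourth btest directive in the netcontrol chapter still carries the `netcontrol-8-multiple.bro` name where it should name the skeleton example; correcting the directive in the .rst would make this file disappear on regeneration. Until then the duplicate only costs a second `bro -C -r ${TRACES}/tls/ecdhe.pcap` run, but anyone reading the test tree will look for a fourth output block of the multiple-plugin example that does not exist.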