From 3af6b97c63d246d3a855507bc3f73a93b67c42e5 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Tue, 29 Nov 2022 17:51:01 +0100 Subject: [PATCH 1/4] analyzers/http: Update request_version on subsequent SetVersion() calls The #124 PR introduced special treatment when HTTP version 0.9 was set. With #127, a reproducer that set HTTP/1.0 in the first request was created and subsequent requests wouldn't reset to HTTP version 0.9. This is subtle, but doesn't seem like things fall apart. Improves runtime from 20 seconds to 2 seconds for the given reproducer. Fixes #127. --- src/analyzer/protocol/http/HTTP.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index 55406b52fe..09bff23847 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -1339,7 +1339,10 @@ void HTTP_Analyzer::SetVersion(HTTP_VersionNumber* version, HTTP_VersionNumber n *version = new_version; else if ( *version != new_version ) + { Weird("HTTP_version_mismatch"); + *version = new_version; + } if ( version->major > 1 || (version->major == 1 && version->minor > 0) ) keep_alive = 1; From dab551aaa302f92c983eeb606befad440dd6fa50 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 1 Dec 2022 14:42:54 +0100 Subject: [PATCH 2/4] testing/external: m57-long baseline update There's a HTTP server that first replies with HTTP/1.1, then HTTP/1.0. Seems actually nicer to have the real value within the log/event. --- testing/external/commit-hash.zeek-testing | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index c908a582ad..11b9b74fbf 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -623d90bdb4d3d84ee4f7743e653c93bd25e162ea +2c6d83b6856a3aab110dc76bba0223c4193231a3 From 0b26866ecf0921e33c736b1da598b4d490cb9335 Mon Sep 17 00:00:00 2001 
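Review bot: `keep_alive` is only ever raised by the `if` that follows the new branch, so when a connection that has already seen HTTP/1.1 switches to 1.0 or 0.9, `*version` is now updated but `keep_alive` stays at 1. Either peer controls the version string, so the logged version and the analyzer's persistence state can disagree for the rest of the connection unless something outside this hunk resets it. If that is not intended, clear it in the mismatch branch with `keep_alive = 0;` right after `*version = new_version;`, provided no earlier header handling relies on the old value. A short comment on the branch would also help, for example `// Last-seen version wins: a peer may change versions mid-connection, and the 0.9 handling depends on the current value.` SetVersion() starts above this hunk and may continue below it.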
From: Arne Welzel Date: Wed, 30 Nov 2022 15:59:45 +0100 Subject: [PATCH 3/4] testing/http: Add pcap extracted from m5-long external test-suite This tests that the HTTP version is now updated if it changes in the course of a connection. --- .../http.log | 12 ++++++++++++ .../weird.log | 11 +++++++++++ testing/btest/Traces/http/version-mismatch.pcap | Bin 0 -> 17069 bytes .../base/protocols/http/version-mismatch.zeek | 7 +++++++ 4 files changed, 30 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.version-mismatch/http.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.version-mismatch/weird.log create mode 100644 testing/btest/Traces/http/version-mismatch.pcap create mode 100644 testing/btest/scripts/base/protocols/http/version-mismatch.zeek diff --git a/testing/btest/Baseline/scripts.base.protocols.http.version-mismatch/http.log b/testing/btest/Baseline/scripts.base.protocols.http.version-mismatch/http.log new file mode 100644 index 0000000000..23b43c9607 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.version-mismatch/http.log 
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 1482 74.201.118.102 80 1 GET ad.afy11.net /srad.js?azId=1000000326207 http://d3.zedo.com/jsc/d3/ff2.html?n=1073;c=1;s=1;d=7;w=160;h=600 1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 0 12122 200 OK - - (empty) - - - - - - FdVLuk3tKSr7YHlidh - text/plain
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 1482 74.201.118.102 80 2 GET ad.afy11.net /ad?asId=1000000326207&sd=2x160x600&ct=7&enc=1&sf=0&sfd=0&ynw=0&anw=1&rand=71014409&rk1=46812516&rk2=XXXXXXXXXX.XXXXXX&pt=0 http://d3.zedo.com/jsc/d3/ff2.html?n=1073;c=1;s=1;d=7;w=160;h=600 1.0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 0 1254 200 OK - - (empty) - - - - - - F5aMef27icyTRBKeQa - application/javascript
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.version-mismatch/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.version-mismatch/weird.log
new file mode 100644
index 0000000000..7fa1fc9d70
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.version-mismatch/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
+#types time string addr port addr port string string bool string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 1482 74.201.118.102 80 HTTP_version_mismatch - F zeek HTTP
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/http/version-mismatch.pcap b/testing/btest/Traces/http/version-mismatch.pcap new file mode 100644 index 0000000000000000000000000000000000000000..179e44f984a524bf4770c2fda578535604ffee48 GIT binary patch literal 17069 zcmeHOYiuN0b?#ke5jJ?WJ9!8;XmzIu?)LVxy4|+No|@Sn+cVRQU*q;XU}j>KtE=rA zx4U|)s@?Vs8-WxSB#=lDTA@e~~x?m6e4`?p{F!f!sAIF$%K4<9BHPvGTuXHH!$ zefuqmi+HAQ;$8pt?|0vmc>6yZw?6;2#Bw50IDPZQ#E0H$mj3+rpJ=@AFAp0}eIv1P z`}O^=QRDWL4<8m66Nx8JJ@ut0o;da7uU?w}7D4=(pF5Q}k9zt_SQ4&;IB}dvcyImk zvjmNxCN`e>#`CW=vVi*a_URWB2d^^3Izc38-~9Pgi5CHgz61EBPTyku=KJvbIw0mY zo_YB2AI7O0eV+Z$S91jKE6<%utUQ_EZ$G>z=TE<%;2FuG@ZS0G;r9*`iOb7dBJVnS zJ$KK&px>|7HMPK>QgNnOm=#yHwl?x=PMsLPV!PhFKtsK8tg5+|=}nAZcTFc-*)?0J zS+(z5&8D6&=L#Zq(`wc2uDc+vF9`oxtZj*MPF)aYD|@}RAe_T_HFq|r=E_szvT5ww z`C_4PR#gi{amjMbhJBPT<;uD8#CXLp%r-`NA^$?~l3meTyB&SkoF{M{H)FOIUeXG^ z*4gEjVb`tJ?!4H&Z?!XZv(eN&Gwi>(r#r3*pw-%Xc5beGHmhbjUL!llU}iHf$lreIWfLzHcZEK=Ea`pwdeEsdMS6`tlK%m zKFHs54ZP_S&lX9^2@+Ke2--nTHIuB~NT_dd|x z+gU9fUu|sGI_>WIwaeEg#;c9&D(GuiW<6W8S_T?la;%I{OJdDF6vRqVn4T}F^Wf*@ z)h+I^X1C1js_q$k^Fk>#8ue1c)YbCLw4tl>C3Qxb7@rvb)5GUJNwW3!3#Ssl{#1g$ z{gVIGC!T)Ci;(=b(kJ=3+pizIvGL3g-u%{oB@%(`5H@1{DznamtYlZr)~*K})S_A} z_KLTT+eCA_-Lwpy7@R-K-qR0t*Kn*hq-{lay^!ih(krDVy9q%t-FdNd?3wPw`0|zx zkr*I;wrqg-n&}+U46a&+W4m_4%T}wk{7eqBek;3ScQL>9?8W1GQK@a@)|SE4CCJpg zxM|kG`MDnF)w%gXc^=D$IX^L;YIIsGGO4MF@dp#*hq@y=Ey$#%@Q>9p>&k*G-^K*( zY4k5B=<;IH|Lk zO-`N9suvV~hRiDS{76qz{y>&nUDmdPL2`PtDJ}@l>6l_(H1wux^0@hYuSwUjJTv7w zmrW0A#ju^a4*5(KrU>N3xYZCT4>N5y&}Lh&Lxq6pQ<}z{0Ds0J#afS;v=Y@ldA)vt zIMxrZ4V|#PZys-}5r_`}lvrNZT4q&4ASYwOMC1qZZg$#jIybaE2B0_A!=n@n5jB>qe8 zw{^qZw(9AmBKAycchA!bqHEP5nFZl`$4ygH>XzGX>R1ges1@Zrq0B6aQz;qBQXi1R z5}tExOnAzF24?m_YD&By{OzYupc(3i*Wecq2{V6? 
z6w=f`d$OjUU`>4{uBrDw6=>>%Pb3nOSRMk%sKsGi@$rz-Fo=i*A!`8xd)Y`*X!VZ* zKy{izE4z;m&|S8(y`vlZ{at%Cn)04Y{2AHbGmpIC{iz21rSUVef5&MK?~V%eURKMO z3WbrqJ%Y&CDz=GK_pazA9wPW4l9| zH%bYVO$f-Z2BhL#xmc0doCs+rHYr13?d${ErAtdobLvpMi2K_k(TdhWwv_h+e^{c> zOpZAeoV#atw;Q(Y#d#$Wi&O#_ZDo))$QzUiRGPliG==Pn9}I&H4?}tSF02Q%0hb~G zwB8nox;U>R&9<@C>z!sy^ahX#8Ud;JAha0zfgkI8+t|#urBN_Alks|h3=r*GR(gE| z7^%!6m7`%C*!2OarZV(U2N!bNZg<+-!*oEe20e%94_R-uFss;%qcjt;@mfut<4wAc zTz`VMEpukuYB>7A0OEr!B82-|sihxUySisPIT))qOvi<-8X8v0YOT5~W|XNjT2}RU z4FXD<`Y$Rc`hOo_|8FktuN}Pc{A=y+lK=PD1?l}I5=$?smk8c_jT3G3b<+Iyx8s_> z{oO$G|2?dGNPC1CXEa(4;eLh{0g=|5j;Ys=h1C*z3kAfrjIdkHW6^OL(vBF=t~aIKktWQFky{7kz%~$MoViI zn9)cKN?5KSlikh2jL;>bI=n{L6?L-(A4!;wgT>s1hbnBt=s1j#KbqDXiwzFO6m^k} z1tyaJO1emV@Po8Ohu5=?2lxjxM7&jOd+OB)=G>zma@`=AYbvgH9-;3o`L28$oQ$Y5m=uE}62Tm0+=n9@MD9gGef zNoz+CV+%x6cBT2Q5M##bVHZs)9`TlA!u9E|Qn?DHz4mEhd|*woft6N{l&Fy{O(uy7 zq32?AGe~#Jj_e(YG!2#1UBqYlEp)D#bg3dTtSmJ=ZoXx@-lE>tcdVx6S*DwslJF+M zB{ZOk^$XmFR!I7zO}dSG#3aQZ&)HWQ z!-yXi_S!G@RTYD(wj?Ve!IFJY3(3i2ooE^&P=svU{$V7z&(7oafu+;yr4t?_MvB-h zq^WZ!Yw8Ww)c+FK)Q2AkH1*#YiA23OFlI^eK4M~ECG>NiWFT&m7#-KM4+_|tLT4K~ ziUlsMB`1x-XnKOKv|@)sRYyXlDIUQk3038_ITUJfBvg`)6QLGILoJPjT6z@J(rBpD zBcV<|3hFdLoj{m?KfOs~%>);{3)_B5oY7>|$hRu|aw-noP=9;uP3b=Ag%NBD;PRBx zmg5(&Q_F==^doSBD%&-^&`It`EnXej;vbOsL`1F|s3w!Ke(gzxxLui#}XS$GSaw2(r$p_fXJvbEmVrZMF4!-GK!Y zqaikgWotKTwqfZ_b@Iq+V>rxVUvJ6BK}NYIqC<74-QEDcR7Gm!y!qv{OTbW|H`*d) z_|AZPL_Ya8B4B!esox=1cY+8QCx~bahGZApM$ut=GC@@l^m`R-FG;n9Cc$>>@ARap z04SF$J;vqS?H4so5#Vn*lm`80KBD&CtF_z^#8%HuV&%wzc;_~FgFjmC( zGj!B3g+M*99E(t#g*#fRmOu`LsN5kD(saJN!~`18377z@&OJv zxdL|yGMAC@7>NP9iIPz1A8$*6)Z`CO3B-e)VRAdj^-ZxiCjGVuvQlJ|=cJb&gzj-_ z5D__q^s%X8x=|d_hFnJRei>ubV8IK7_Q6E!zA4}`+07=nrYS93fp5ZR5&m|EPV9z9 zdLHP`uGNyh4TF*e{=fiz{v5((6iPTxSoED0seD#6#>5hbL%!w$0!dSUr+#8IyE!%Cp}+ousnH=JZTiNneP27%nL zax}%P1S01rgN~c@>LX3y`g@ofKMF3;KhDcwrTe}h7{^Y6f$MDH}B*q-2q0Me>eQOzB`QR+$ ztn!j=Pa%}%AYX$5eC82lTVM`J&B$tm*IG%B0)P~8bIe@}R>;_Ifjjhs0TG5cvXuHoZzB< zquJT5wu04*na0t_0q0-Z7!G;EcG5pgYi;whxcu%r?O%eC#WFcLx^ 
z>_KQ*EjQY{O`6&}SyO+RHT6+kQ@`>`psBCEJ&}-r2S=ogCQfLIj)^e0EQI;6LTMn2 zy6dM9@ZzfF*TG~xWFJhPk}&p=)WkeOH!21K1f!QL1JDn>vLFzk-UfGeqtA{nx)2g)W^JQ5hPvD`h#5%Bb7 znovhztGDe)38h6$3zNR2PecCrvJpf-$m#5_%QZRCNSucS%68oYf-)4$ZMTtDL@`%T z?oxEW9}=qX`lg|T!JKxxpr8m6hBObMAuh*oDJU9hB+$wnSn>nQq;7|T5osYuxtj~3 zyR^N63MOSN!pDAqIizP;UP=+l)a~Nk;4O!@!d({paAO-IDPFCuc zw(WSXuO_Bxw0u6aK0|_s2te1|@ecC<(i4IRmeV{m#tX(O_m5Tj5ymPH9gAEmrp<2R z)Z8Djk22(+{cw~G9jVA8h3t{b84_u^v=;FI=R&TYs31xikgI?*hhmnToFg{&1OCyG zB5$T+V_{z{s0?P9=35QtJJXx*m!tbe(2GW)9S(oA0)t{4TfkZhbUihq#TV3`pJpul zEl4d>JrR$eAjxNTVS+UEFQ2Tb|AaMlH?FBa{vUy+{_-~yiN3?G(AP3?e3%g?xn*03 zN5P{)j$KA{7Ky_Te1xe{F6goXv&C$|Y$aVlEr9co>eMipL}5T0`BL=$GQkPwT*C4^ z-PmJKuQ!U%rv3)0q}{?_Q`^!yD$}7&&h?_Y$cgyl@mJZSmy_^SU&h%&yd7{e*VF~jYFj;i4Dliz{#U7@@ zfuFb!$Oy%{jFJpTQvKPW^@TDpdv^_PF-(o?ZSYc>8k$D&B*xvBCSM3K zPIu2j$_n>|g$Z`7ailgl5@1>ZR3qTM1`FuPYx;4<9FTn8lYLBr%n~*~LtC-OT#7$R zfy?JTZFKVA3&paG?d0>#lbRtznr9|v4Uid0Y|}Jl4d)Vu-Zmi%ppnV9p@lU+S0)Do zrIk{YjIzDc)LZ*_@N64VY)30(f_zy#)?qIj$nn5=Dc)R9_d4`|l!cCL3x6IV5j;~d zhe^n>)O>571j1K|i~?cH0Vd)*my8X^>L-p*rfD`jY#a!kWjwp>Klz~JYiq2j-}!?#?<1N*F(ttBy&Ylziv&v<(b_u$VETjk zXdsgrN74(#7;2W2A*U@nHCrrXkaHiYIQOTzrygtG9OSg<3*r{vk#G_<`R8UaCnK~EET0eiOtQ6ogJF@a92Rv0Zq`KvN4#R zP)xz6_SXq1X1n9nJjYLkq(roog*+AO99sEi?Shp~lSW{~SeIknYgBLGa>F8CDqhNx z5zSVmhd&c-_`?=AWvfxrd{Va9;@QyM5U zIW7u$nqQtGmo}oSU1#~oG&+j(3Sj!@|7GE%Nz}>NAD=Z8H{Vc`YDQQ|K6vAEWzVH z{Ox}tc=o&BnwUW$efu?gB6a$kq}kiA$2I$_VSe}@d|uwI`_A9JEpZKZ&FDLD*X+V+ zov<>V8;TX~n*Hl1{kvwkx4~&lexAR)W=82t#UosRI>P2YiL9krPEAsgf}|B>9?~S| zA5Bu;kvhp4MYC!_ot`e7ounk9>6tmTSXO87LZ?*ax$?|xxrDoD#quQ5g$nucT3mCCis#mf6` zUG&aw+41@x_w8b-ef8e;nI9Jn_t&(+!`GVbWkgBME}2HQSWs~zu`thnbT4i}$Xs15 zyiba4VWYG$4^I%T<1ucqX$oC-!fmwJ&9Am&9qPt$?&zS282aLdrr>y^Dwb*+Vy(I) zDod-nSX#cJi;Y@^{w?WZ{raX@-`dngb!|y3uCI!<$_-K5s-SR@FFlg{t-gCK@opHu z^zB!ZPd)wI=ScqQPsio&GkHwpYxO66Sj(q?6KS=2TcwL1}7>UIYf zBRj}+j~3)v`L*(_I-7%SQ&MqDc6z!54K`PrEf>}N#pyyBrf@k|T5#{vHBr)%3wOCc zUy$qP5Ol1e?cJ;%9ai`DtIIFla*yZS;^OYw{_)LQ%QxpPH!IC_shi%~Kf1r(=-gYp 
zTE2R8;M8su-@kglarS=QSWR2I)zy2ho1Q+ZF3lajbk9)lZ!TZErfFx8?xD?|otvF4 zP8X&x+)>2M>eAK~!b@CPu3o;fMR!=mYGw0sbxl?UZ+Eimz`lfa#>EF<~lRSUNxzjp_meq|d0Y{Fn1EWFj@B`PD z?<60C`S%`^`TCBdow3a5B>c3@fn-J=+)&aA7$V=-)+Kx7TSZ*iT)uRoAl~a7w0}5e zOfUFcDgX4crMi0gF{I%C65alq!AcssHY+Pz5Q9Yu(1|O!Lv=?%dP2pQp}5fGr3&LZ zT5xdgNmt&0t{iPrKKC1>EBF38t}8$L1=f|%e*cZ%`iL|s-}U@h;zcN1`u3ZYFidyY z&@IGGO8d>{U;FGA$ Date: Wed, 30 Nov 2022 16:52:42 +0100 Subject: [PATCH 4/4] testing/http: http-11-request-then-cruft A client sends a "proper" HTTP/1.1 request and afterwards a few T /\n\n sequences. The latter ones aren't logged. --- .../dpd.log | 11 +++++++++++ .../http.log | 11 +++++++++++ .../weird.log | 12 ++++++++++++ .../Traces/http/http-11-request-then-cruft.pcap | Bin 0 -> 2226 bytes .../http/http-11-request-then-cruft.pcap | 7 +++++++ 5 files changed, 41 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/dpd.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/http.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/weird.log create mode 100644 testing/btest/Traces/http/http-11-request-then-cruft.pcap create mode 100644 testing/btest/scripts/base/protocols/http/http-11-request-then-cruft.pcap diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/dpd.log b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/dpd.log new file mode 100644 index 0000000000..2948f61836 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/dpd.log 
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
+#types time string addr port addr port enum string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.12.5 51792 192.0.78.212 80 tcp HTTP not a http request line
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/http.log
new file mode 100644
index 0000000000..6a68dd9fe6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/http.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.12.5 51792 192.0.78.212 80 1 GET zeek.org / - 1.1 - - 0 162 301 Moved Permanently - - (empty) - - - - - - FAKHufE4EVGbXF6P - text/html
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/weird.log new file mode 100644 index 0000000000..b64f58f771 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/weird.log @@ -0,0 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.12.5 51792 192.0.78.212 80 HTTP_version_mismatch - F zeek HTTP +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.12.5 51792 192.0.78.212 80 bad_HTTP_request - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/http/http-11-request-then-cruft.pcap b/testing/btest/Traces/http/http-11-request-then-cruft.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a9f38244768853d5e9b559cd2cabc7857e728fe3 GIT binary patch literal 2226 zcmbuAPi)gx9LIllTUI<=T42!9BE8edfz(OppVi7r33NpWkhMe_Q<;iM9!*AKm&Am2 z(zX&oIKW}IP1=Mghzf4ow9Aktb!C%S2kl|qVL}3FJ5}4zBq)MusQbO=hBmedAR;{_ z{_{Tm{C@tvm)UDykBLwXrO(0wfPe?H!>8l@^D^wl-)u~uy)bk+p#6EY@6Hdk&=LY|aH;lccVfWF=sQOK@XOjClb zL5Zn-cYI0BRjjXYofZ4XDMzsfvDn*MJw$)}#8&eS*TGw;#)eDnjiSue0uHs?yg*dj zK>&7{IZGuUP@)Ku z6bOY#uwC8SskV2JzP&M7+F=?NPWQ(~hVW*K4qHmn%A}Vr?4ib>l~hTvBg9V{G;XC# zLnTKj9rEkxRG!Mx9y6}nXOosSlv5R@)Imj-_WSj?NSVXV$wT^6gh zK!8N_1bLetJw|iZ3kIt5MFZ6yC=XOTZRRjbWpPOyKK`tnIIN#5A+9+ula10_DDAAy zw*bDv4ZcO3C|}%4Gk*&W5S_%gz$oh9_TK!I{kfiJ<4s349*&JG&6u!z-#6Qo6X%3V zyL@7GJ^a>lzb|aR>rFLJD6ZA* mE3V^yT@JtX+^<2HpLk?bY6g}l9=)33E+2WgY~U`R1N;ws*V~%_ literal 0 HcmV?d00001 
diff --git a/testing/btest/scripts/base/protocols/http/http-11-request-then-cruft.pcap b/testing/btest/scripts/base/protocols/http/http-11-request-then-cruft.pcap
new file mode 100644
index 0000000000..647e8cfa73
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-11-request-then-cruft.pcap
@@ -0,0 +1,7 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/http-11-request-then-cruft.pcap %INPUT > output
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff dpd.log
+
+@load base/protocols/http
+@load base/frameworks/notice/weird
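Review bot: This test script is created under `testing/btest/scripts/base/protocols/http/` with a `.pcap` extension, although its content is btest directives and `@load` lines and the sibling test added in patch 3 is named `version-mismatch.zeek`. Renaming it to `http-11-request-then-cruft.zeek` keeps it distinct from the real trace of the same name under `Traces/http/`, and avoids relying on how btest treats that extension, which is configured outside this diff. If the file were skipped, the three baselines for the request-then-cruft case would never be compared. The first line also redirects stdout to `output` without a matching `btest-diff output`; either drop the redirect or add the diff.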