diff --git a/CHANGES b/CHANGES
index bb795d114a..d1031765cc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,141 @@ +2.3-411 | 2015-02-05 10:05:48 -0600 + + * Fix file analysis of files with total size below the bof_buffer size + never delivering content to stream analyzers. (Seth Hall) + + * Add/fix log fields in x509 diff canonifier. (Jon Siwek) + + * "id" not defined for debug code when using -DPROFILE_BRO_FUNCTIONS + (Mike Smiley) + +2.3-406 | 2015-02-03 17:02:45 -0600 + + * Add x509 canonifier to a unit test. (Jon Siwek) + +2.3-405 | 2015-02-02 11:14:24 -0600 + + * Fix memory leak in new split_string* functions. (Jon Siwek) + +2.3-404 | 2015-01-30 14:23:27 -0800 + + * Update documentation (broken links, outdated tests). (Jon Siwek) + + * Deprecate split* family of BIFs. (Jon Siwek) + + These functions are now deprecated in favor of alternative versions that + return a vector of strings rather than a table of strings. + + Deprecated functions: + + - split: use split_string instead. + - split1: use split_string1 instead. + - split_all: use split_string_all instead. + - split_n: use split_string_n instead. + - cat_string_array: see join_string_vec instead. + - cat_string_array_n: see join_string_vec instead. + - join_string_array: see join_string_vec instead. + - sort_string_array: use sort instead instead. + - find_ip_addresses: use extract_ip_addresses instead. + + Changed functions: + + - has_valid_octets: uses a string_vec parameter instead of string_array. + + Addresses BIT-924. + + * Add a new attribute: &deprecated. While scripts are parsed, a + warning is raised for each usage of an identifier marked as + &deprecated. This also works for BIFs. Addresses BIT-924, + BIT-757. (Jon Siwek) + +2.3-397 | 2015-01-27 10:13:10 -0600 + + * Handle guess_lexer exceptions in pygments reST directive (Jon Siwek) + +2.3-396 | 2015-01-23 10:49:15 -0600 + + * DNP3: fix reachable assertion and buffer over-read/overflow. + CVE number pending. (Travis Emmert, Jon Siwek) + + * Update binpac: Fix potential out-of-bounds memory reads in generated + code. CVE-2014-9586. 
(John Villamil and Chris Rohlf - Yahoo + Paranoids, Jon Siwek) + + * Fixing (harmless) Coverity warning. (Robin Sommer) + +2.3-392 | 2015-01-15 09:44:15 -0800 + + * Small changes to EC curve names in a newer draft. (Johanna Amann) + +2.3-390 | 2015-01-14 13:27:34 -0800 + + * Updating MySQL analyses. (Vlad Grigorescu) + - Use a boolean success instead of a result string. + - Change the affected_rows response detail string to a "rows" count. + - Fix the state tracking to log incomplete command. + + * Extend DNP3 to support communication over UDP. (Hui Lin) + + * Fix a bug in DNP3 determining the length of an object in some + cases. (Hui Lin) + +2.3-376 | 2015-01-12 09:38:10 -0600 + + * Improve documentation for connection_established event. (Jon Siwek) + +2.3-375 | 2015-01-08 13:10:09 -0600 + + * Increase minimum required CMake version to 2.8. (Jon Siwek) + +2.3-374 | 2015-01-07 10:03:17 -0600 + + * Improve documentation of the Intelligence Framework. (Daniel Thayer) + +2.3-371 | 2015-01-06 09:58:09 -0600 + + * Update/improve file mime type identification. (Seth Hall) + + - Change to the default BOF buffer size to 3000 (was 1024). + + - Reorganized MS signatures into a separate file. + + - Remove all of the x-c detections. Nearly all false positives. + + - Improve TAR detections, removing old, back up TAR detections. + + - Remove one of the x-elc detections that was too loose + and caused many false positives. + + - Improved lots of the signatures and added new ones. (Seth Hall) + + * Add support for file reassembly in the file analysis framework + (Seth Hall, Jon Siwek). + + - The reassembly behavior can be modified per-file by enabling or + disabling the reassembler and/or modifying the size of the + reassembly buffer. + + - Changed the file extraction analyzer to use stream-wise input to + avoid issues with the chunk-wise approach not immediately + triggering the file_new event due to mime-type detection delay. + Before, early chunks frequently ended up lost. 
Extraction also + will now explicitly NUL-fill gaps in the file instead of + implicitly relying on pwrite to do it. + +2.3-349 | 2015-01-05 15:21:13 -0600 + + * Fix race condition in unified2 file analyzer startup. (Jon siwek) + +2.3-348 | 2014-12-31 09:19:34 -0800 + + * Changing Makefile's test-all to run test-all for broctl, which now + executes trace-summary tests as well. (Robin Sommer) + +2.3-345 | 2014-12-31 09:06:15 -0800 + + * Correct a typo in the Notice framework doc. (Daniel Thayer) + 2.3-343 | 2014-12-12 12:43:46 -0800 * Fix PIA packet replay to deliver copy of IP header. This prevented diff --git a/CMakeLists.txt b/CMakeLists.txt index 7a287ef5b4..c0ff6c09d4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ project(Bro C CXX) # When changing the minimum version here, also adapt # aux/bro-aux/plugin-support/skeleton/CMakeLists.txt -cmake_minimum_required(VERSION 2.6.3 FATAL_ERROR) +cmake_minimum_required(VERSION 2.8 FATAL_ERROR) include(cmake/CommonCMakeConfig.cmake) diff --git a/Makefile b/Makefile index 9feaecd656..207ce72780 100644 --- a/Makefile +++ b/Makefile @@ -54,7 +54,7 @@ test: @( cd testing && make ) test-all: test - test -d aux/broctl && ( cd aux/broctl && make test ) + test -d aux/broctl && ( cd aux/broctl && make test-all ) test -d aux/btest && ( cd aux/btest && make test ) test -d aux/bro-aux && ( cd aux/bro-aux && make test ) test -d aux/plugins && ( cd aux/plugins && make test-all ) diff --git a/NEWS b/NEWS index 6de9bd8f3e..af59858e06 100644 --- a/NEWS +++ b/NEWS 
@@ -28,11 +28,63 @@ New Functionality - Bro now has supoprt for the MySQL wire protocol. Activity gets logged into mysql.log. +- Bro's file analysis now supports reassembly of files that are not + transferred/seen sequentially. + Changed Functionality --------------------- - bro-cut has been rewritten in C, and is hence much faster. +- File analysis + + * Removed ``fa_file`` record's ``mime_type`` and ``mime_types`` + fields. The events ``file_mime_type`` and ``file_mime_types`` + have been added which contain the same information. The + ``mime_type`` field of ``Files::Info`` also still has this info. + + * Removed ``Files::add_analyzers_for_mime_type`` function. + + * Removed ``offset`` parameter of the ``file_extraction_limit`` + event. Since file extraction now internally depends on file + reassembly for non-sequential files, "offset" can be obtained + with other information already available -- adding together + ``seen_bytes`` and ``missed_bytes`` fields of the ``fa_file`` + record gives the how many bytes have been written so far (i.e. + the "offset"). + +- has_valid_octets: now uses a string_vec parameter instead of + string_array. + +Deprecated Functionality +------------------------ + +- The split* family of functions are to be replaced with alternate + versions that return a vector of strings rather than a table of + strings. This also allows deprecation for some related string + concatenation/extraction functions. Note that the new functions use + 0-based indexing, rather than 1-based. + + The full list of now deprecation functions is: + + * split: use split_string instead. + + * split1: use split_string1 instead. + + * split_all: use split_string_all instead. + + * split_n: use split_string_n instead. + + * cat_string_array: see join_string_vec instead. + + * cat_string_array_n: see join_string_vec instead. + + * join_string_array: see join_string_vec instead. + + * sort_string_array: use sort instead. 
+ + * find_ip_addresses: use extract_ip_addresses instead. + Bro 2.3 ======= diff --git a/VERSION b/VERSION index df7c5848c1..defa33cc31 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-343 +2.3-411 diff --git a/aux/bro-aux b/aux/bro-aux index 43a9f360c9..0b713c027d 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 43a9f360c9bf6b35fcb25d61ebff80c7feb1812b +Subproject commit 0b713c027d3efaaca50e5df995c02656175573cd diff --git a/aux/broccoli b/aux/broccoli index acb8fbe8e7..d43cc790e5 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit acb8fbe8e7bc6ace5135fb73dca8e29432cdc1ca +Subproject commit d43cc790e5b8709b5e032e52ad0e00936494739b diff --git a/aux/broctl b/aux/broctl index 90f9ca0ffa..8c9b87bc73 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 90f9ca0ffa2306f0d1d2ac208cdbb7787199f890 +Subproject commit 8c9b87bc73e1ddaa304e3d89028c1e7b95d37a91 diff --git a/aux/btest b/aux/btest index d67d89aaee..93d4989ed1 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit d67d89aaee32ad5edb9068db55d1310c2f36970a +Subproject commit 93d4989ed1537e4d143cf09d44077159f869a4b2 diff --git a/doc/ext/rst_directive.py b/doc/ext/rst_directive.py index 434eef2c61..43c95abc52 100644 --- a/doc/ext/rst_directive.py +++ b/doc/ext/rst_directive.py @@ -135,7 +135,10 @@ class Pygments(Directive): # lexer not found, use default. lexer = TextLexer() else: - lexer = guess_lexer(content) + try: + lexer = guess_lexer(content) + except: + lexer = TextLexer() # import sys # print >>sys.stderr, self.arguments, lexer.__class__ diff --git a/doc/frameworks/file_analysis_02.bro b/doc/frameworks/file_analysis_02.bro index 3ef32d865c..141b11fca6 100644 --- a/doc/frameworks/file_analysis_02.bro +++ b/doc/frameworks/file_analysis_02.bro 
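Review bot: The new fallback in rst_directive.py uses a bare `except:`, which also swallows `KeyboardInterrupt`/`SystemExit` and hides any unrelated failure inside `guess_lexer` behind the plain-text lexer. Pygments reports "no lexer matched" with `pygments.util.ClassNotFound`, so the handler should name that exception, `except ClassNotFound:` (with the name added to the pygments imports, which lie outside this hunk), or at the very least use `except Exception:`. The enclosing method of `Pygments` starts before this hunk.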
@@ -1,7 +1,7 @@
-event file_new(f: fa_file)
+event file_mime_type(f: fa_file, mime_type: string)
 {
 print "new file", f$id;
- if ( f?$mime_type && f$mime_type == "text/plain" )
+ if ( mime_type == "text/plain" )
 Files::add_analyzer(f, Files::ANALYZER_MD5);
 }
diff --git a/doc/frameworks/file_analysis_02.bro b/doc/frameworks/intel.rst
index f90092aac3..965fba4c14 100644
--- a/doc/frameworks/intel.rst
+++ b/doc/frameworks/intel.rst
@@ -14,32 +14,35 @@ consume that data, make it available for matching, and provide infrastructure around improving performance, memory utilization, and generally making all of this easier. -Data in the Intelligence Framework is the atomic piece of intelligence +Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address along with a suite of metadata about it such as a freeform source field, a freeform descriptive field and a URL which might lead to more information about the specific item. The metadata in the default scripts has been deliberately kept minimal so that the community can find the -appropriate fields that need added by writing scripts which extend the +appropriate fields that need to be added by writing scripts which extend the base record using the normal record extension mechanism. Quick Start ----------- -Load the package of scripts that sends data into the Intelligence -Framework to be checked by loading this script in local.bro:: - - @load policy/frameworks/intel/seen - Refer to the "Loading Intelligence" section below to see the format for Intelligence Framework text files, then load those text files with this line in local.bro:: redef Intel::read_files += { "/somewhere/yourdata.txt" }; -The data itself only needs to reside on the manager if running in a +The text files need to reside only on the manager if running in a cluster. +Add the following line to local.bro in order to load the scripts +that send "seen" data into the Intelligence Framework to be checked against +the loaded intelligence data:: + + @load policy/frameworks/intel/seen + +Intelligence data matches will be logged to the intel.log file. + Architecture ------------ 
@@ -58,8 +61,10 @@ manager is the only node that needs the intelligence data. The intelligence framework has distribution mechanisms which will push data out to all of the nodes that need it. -Here is an example of the intelligence data format. Note that all -whitespace field separators are literal tabs and fields containing only a +Here is an example of the intelligence data format (note that there will be +additional fields if you are using CIF intelligence data or if you are +using the policy/frameworks/intel/do_notice script). Note that all fields +must be separated by a single tab character and fields containing only a hyphen are considered to be null values. :: #fields indicator indicator_type meta.source meta.desc meta.url @@ -69,8 +74,21 @@ hyphen are considered to be null values. :: For a list of all built-in `indicator_type` values, please refer to the documentation of :bro:see:`Intel::Type`. -To load the data once files are created, use the following example -code to define files to load with your own file names of course:: +Note that if you are using data from the Collective Intelligence Framework, +then you will need to add the following line to your local.bro in order +to support additional metadata fields used by CIF:: + + @load policy/integration/collective-intel + +There is a simple mechanism to raise a Bro notice (of type Intel::Notice) +for user-specified intelligence matches. To use this feature, add the +following line to local.bro in order to support additional metadata fields +(documented in the :bro:see:`Intel::MetaData` record):: + + @load policy/frameworks/intel/do_notice + +To load the data once the files are created, use the following example +to specify which files to load (with your own file names of course):: redef Intel::read_files += { "/somewhere/feed1.txt", 
@@ -85,24 +103,23 @@ Seen Data When some bit of data is extracted (such as an email address in the "From" header in a message over SMTP), the Intelligence Framework -needs to be informed that this data was discovered and it's presence -should be checked within the intelligence data set. This is -accomplished through the :bro:see:`Intel::seen` function. +needs to be informed that this data was discovered so that its presence +will be checked within the loaded intelligence data. This is +accomplished through the :bro:see:`Intel::seen` function, however +typically users won't need to work with this function due to the +scripts included with Bro that will call this function. -Typically users won't need to work with this function due to built in -hook scripts that Bro ships with that will "see" data and send it into -the intelligence framework. A user may only need to load the entire -package of hook scripts as a module or pick and choose specific -scripts to load. Keep in mind that as more data is sent into the +To load all of the scripts included with Bro for sending "seen" data to +the intelligence framework, just add this line to local.bro:: + + @load policy/frameworks/intel/seen + +Alternatively, specific scripts in that directory can be loaded. +Keep in mind that as more data is sent into the intelligence framework, the CPU load consumed by Bro will increase depending on how many times the :bro:see:`Intel::seen` function is being called which is heavily traffic dependent. -The full package of hook scripts that Bro ships with for sending this -"seen" data into the intelligence framework can be loading by adding -this line to local.bro:: - - @load policy/frameworks/intel/seen Intelligence Matches ******************** 
@@ -111,6 +128,7 @@ Against all hopes, most networks will eventually have a hit on intelligence data which could indicate a possible compromise or other unwanted activity. The Intelligence Framework provides an event that is generated whenever a match is discovered named :bro:see:`Intel::match`. + Due to design restrictions placed upon the intelligence framework, there is no assurance as to where this event will be generated. It could be generated on the worker where @@ -119,3 +137,7 @@ handled, only the data given as event arguments to the event can be assured since the host where the data was seen may not be where ``Intel::match`` is handled. +Intelligence matches are logged to the intel.log file. For a description of +each field in that file, see the documentation for the :bro:see:`Intel::Info` +record. + diff --git a/doc/frameworks/notice.rst b/doc/frameworks/notice.rst index 2c20149ce5..d8197c13af 100644 --- a/doc/frameworks/notice.rst +++ b/doc/frameworks/notice.rst @@ -271,7 +271,7 @@ script that is generating the notice has indicated to the notice framework how to identify notices that are intrinsically the same. Identification of these "intrinsically duplicate" notices is implemented with an optional field in :bro:see:`Notice::Info` records named ``$identifier`` which is a simple string. -If the ``$identifier`` and ``$type`` fields are the same for two notices, the +If the ``$identifier`` and ``$note`` fields are the same for two notices, the notice framework actually considers them to be the same thing and can use that information to suppress duplicates for a configurable period of time. diff --git a/doc/httpmonitor/file_extraction.bro b/doc/httpmonitor/file_extraction.bro index b2318c595e..3860cb361e 100644 --- a/doc/httpmonitor/file_extraction.bro +++ b/doc/httpmonitor/file_extraction.bro 
@@ -7,18 +7,15 @@ global mime_to_ext: table[string] of string = { ["text/html"] = "html", }; -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { if ( f$source != "HTTP" ) return; - if ( ! f?$mime_type ) + if ( mime_type !in mime_to_ext ) return; - if ( f$mime_type !in mime_to_ext ) - return; - - local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]); + local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]); print fmt("Extracting file %s", fname); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } + } \ No newline at end of file diff --git a/doc/install/install.rst b/doc/install/install.rst index 0052acafb0..a3531f70c3 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -35,7 +35,7 @@ before you begin: To build Bro from source, the following additional dependencies are required: - * CMake 2.6.3 or greater (http://www.cmake.org) + * CMake 2.8 or greater (http://www.cmake.org) * Make * C/C++ compiler * SWIG (http://www.swig.org) diff --git a/doc/script-reference/attributes.rst b/doc/script-reference/attributes.rst index 5680a034ff..ef6c6a54a1 100644 --- a/doc/script-reference/attributes.rst +++ b/doc/script-reference/attributes.rst @@ -49,6 +49,8 @@ The Bro scripting language supports the following attributes. +-----------------------------+-----------------------------------------------+ | :bro:attr:`&type_column` |Used by input framework for "port" type. | +-----------------------------+-----------------------------------------------+ +| :bro:attr:`&deprecated` |Marks an identifier as deprecated. | ++-----------------------------+-----------------------------------------------+ Here is a more detailed explanation of each attribute: 
@@ -230,3 +232,9 @@ Here is a more detailed explanation of each attribute: msg: string; }; +.. bro:attr:: &deprecated + + The associated identifier is marked as deprecated and will be + removed in a future version of Bro. Look in the NEWS file for more + explanation and/or instructions to migrate code that uses deprecated + functionality. diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst index d18f87ac38..fb1c1b67a1 100644 --- a/doc/scripting/index.rst +++ b/doc/scripting/index.rst @@ -103,9 +103,9 @@ In the ``file_hash`` event handler, there is an ``if`` statement that is used to check for the correct type of hash, in this case a SHA1 hash. It also checks for a mime type we've defined as being of interest as defined in the constant ``match_file_types``. -The comparison is made against the expression ``f$mime_type``, which uses +The comparison is made against the expression ``f$info$mime_type``, which uses the ``$`` dereference operator to check the value ``mime_type`` -inside the variable ``f``. If the entire expression evaluates to true, +inside the variable ``f$info``. If the entire expression evaluates to true, then a helper function is called to do the rest of the work. In that function, a local variable is defined to hold a string comprised of the SHA1 hash concatenated with ``.malware.hash.cymru.com``; this diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro index 2f6ae79f4f..73f98aa5f8 100644 --- a/scripts/base/files/unified2/main.bro +++ b/scripts/base/files/unified2/main.bro 
@@ -71,11 +71,50 @@ global classification_map: table[count] of string; global sid_map: table[count] of string; global gen_map: table[count] of string; +global num_classification_map_reads = 0; +global num_sid_map_reads = 0; +global num_gen_map_reads = 0; +global watching = F; + # For reading in config files. type OneLine: record { line: string; }; +function mappings_initialized(): bool + { + return num_classification_map_reads > 0 && + num_sid_map_reads > 0 && + num_gen_map_reads > 0; + } + +function start_watching() + { + if ( watching ) + return; + + watching = T; + + if ( watch_dir != "" ) + { + Dir::monitor(watch_dir, function(fname: string) + { + Input::add_analysis([$source=fname, + $reader=Input::READER_BINARY, + $mode=Input::STREAM, + $name=fname]); + }, 10secs); + } + + if ( watch_file != "" ) + { + Input::add_analysis([$source=watch_file, + $reader=Input::READER_BINARY, + $mode=Input::STREAM, + $name=watch_file]); + } + } + function create_info(ev: IDSEvent): Info { local info = Info($ts=ev$ts, 
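Review bot: The new read-counter globals, `mappings_initialized` and `start_watching` carry no comments, so the reason the counters exist (gating the watchers until every mapping file has been read) has to be reverse-engineered from `Input::end_of_data` elsewhere in the file. I'd head `mappings_initialized` with `# T once all three mapping-file read counters are positive; start_watching() must not run before then.` and `start_watching` with `# Idempotent: begins streaming watch_file/watch_dir into the unified2 analyzer exactly once.`. The `10secs` polling interval passed to `Dir::monitor` is a bare literal; a `const watch_dir_poll_interval = 10secs &redef;` next to the other module options would let deployments tune it without editing the script.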
@@ -113,34 +152,56 @@ redef record fa_file += { event Unified2::read_sid_msg_line(desc: Input::EventDescription, tpe: Input::Event, line: string) { - local parts = split_n(line, / \|\| /, F, 100); - if ( |parts| >= 2 && /^[0-9]+$/ in parts[1] ) - sid_map[to_count(parts[1])] = parts[2]; + local parts = split_string_n(line, / \|\| /, F, 100); + if ( |parts| >= 2 && /^[0-9]+$/ in parts[0] ) + sid_map[to_count(parts[0])] = parts[1]; } event Unified2::read_gen_msg_line(desc: Input::EventDescription, tpe: Input::Event, line: string) { - local parts = split_n(line, / \|\| /, F, 3); - if ( |parts| >= 2 && /^[0-9]+$/ in parts[1] ) - gen_map[to_count(parts[1])] = parts[3]; + local parts = split_string_n(line, / \|\| /, F, 3); + if ( |parts| >= 2 && /^[0-9]+$/ in parts[0] ) + gen_map[to_count(parts[0])] = parts[2]; } event Unified2::read_classification_line(desc: Input::EventDescription, tpe: Input::Event, line: string) { - local parts = split_n(line, /: /, F, 2); + local parts = split_string_n(line, /: /, F, 2); if ( |parts| == 2 ) { - local parts2 = split_n(parts[2], /,/, F, 4); + local parts2 = split_string_n(parts[1], /,/, F, 4); if ( |parts2| > 1 ) - classification_map[|classification_map|+1] = parts2[1]; + classification_map[|classification_map|+1] = parts2[0]; } } +event Input::end_of_data(name: string, source: string) + { + if ( name == classification_config ) + ++num_classification_map_reads; + else if ( name == sid_msg ) + ++num_sid_map_reads; + else if ( name == gen_msg ) + ++num_gen_map_reads; + else + return; + + if ( watching ) + return; + + if ( mappings_initialized() ) + start_watching(); + } + event bro_init() &priority=5 { Log::create_stream(Unified2::LOG, [$columns=Info, $ev=log_unified2]); - if ( sid_msg != "" ) + if ( sid_msg == "" ) + { + num_sid_map_reads = 1; + } + else { Input::add_event([$source=sid_msg, $reader=Input::READER_RAW, 
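Review bot: In `read_gen_msg_line` the guard `|parts| >= 2` does not cover the index the body actually uses: it reads `parts[2]`, so a line with exactly two `||`-separated fields passes the check and then indexes one past the end of the vector. With the new 0-based vectors the condition should be `if ( |parts| >= 3 && /^[0-9]+$/ in parts[0] )`; `read_sid_msg_line` is consistent by comparison (guard `>= 2`, highest index 1). The same mismatch existed with the old 1-based tables (`>= 2` guarding `parts[3]`), so it is inherited rather than introduced, but this conversion is the natural place to fix it. The `bro_init` body at the end of the hunk continues past it.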
@@ -151,7 +212,11 @@ event bro_init() &priority=5 $ev=Unified2::read_sid_msg_line]); } - if ( gen_msg != "" ) + if ( gen_msg == "" ) + { + num_gen_map_reads = 1; + } + else { Input::add_event([$source=gen_msg, $name=gen_msg, @@ -162,7 +227,11 @@ event bro_init() &priority=5 $ev=Unified2::read_gen_msg_line]); } - if ( classification_config != "" ) + if ( classification_config == "" ) + { + num_classification_map_reads = 1; + } + else { Input::add_event([$source=classification_config, $name=classification_config, @@ -173,32 +242,16 @@ event bro_init() &priority=5 $ev=Unified2::read_classification_line]); } - if ( watch_dir != "" ) - { - Dir::monitor(watch_dir, function(fname: string) - { - Input::add_analysis([$source=fname, - $reader=Input::READER_BINARY, - $mode=Input::STREAM, - $name=fname]); - }, 10secs); - } - - if ( watch_file != "" ) - { - Input::add_analysis([$source=watch_file, - $reader=Input::READER_BINARY, - $mode=Input::STREAM, - $name=watch_file]); - } + if ( mappings_initialized() ) + start_watching(); } event file_new(f: fa_file) { local file_dir = ""; - local parts = split_all(f$source, /\/[^\/]*$/); + local parts = split_string_all(f$source, /\/[^\/]*$/); if ( |parts| == 3 ) - file_dir = parts[1]; + file_dir = parts[0]; if ( (watch_file != "" && f$source == watch_file) || (watch_dir != "" && compress_path(watch_dir) == file_dir) ) diff --git a/scripts/base/frameworks/files/magic/__load__.bro b/scripts/base/frameworks/files/magic/__load__.bro index 4a2de0926d..c6ee799a53 100644 --- a/scripts/base/frameworks/files/magic/__load__.bro +++ b/scripts/base/frameworks/files/magic/__load__.bro @@ -1,2 +1,3 @@ @load-sigs ./general +@load-sigs ./msoffice @load-sigs ./libmagic diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig index a11e4a05e4..500c4f7be0 100644 --- a/scripts/base/frameworks/files/magic/general.sig +++ b/scripts/base/frameworks/files/magic/general.sig 
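Review bot: Setting `num_sid_map_reads = 1` (and the two sibling counters in the following hunks) when the corresponding path is empty is a sentinel that reads like a bug at first sight, since no read has happened. A one-line comment in each branch would save the next reader a trip to `mappings_initialized`, e.g. `# Not configured: count it as already read so the watchers can start without it.`. The trailing `if ( mappings_initialized() ) start_watching();` only fires when every path is empty, and otherwise `Input::end_of_data` is relied on to start watching; that division of labour is worth stating next to the call. `bro_init` starts before this hunk.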
@@ -1,16 +1,137 @@ # General purpose file magic signatures. signature file-plaintext { - file-magic /([[:print:][:space:]]{10})/ + file-magic /^([[:print:][:space:]]{10})/ file-mime "text/plain", -20 } signature file-tar { - file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/ - file-mime "application/x-tar", 150 + file-magic /^[[:print:]\x00]{100}([[:digit:]\x20]{7}\x00){3}([[:digit:]\x20]{11}\x00){2}([[:digit:]\x00\x20]{7}[\x20\x00])[0-7\x00]/ + file-mime "application/x-tar", 100 } +signature file-zip { + file-mime "application/zip", 10 + file-magic /^PK\x03\x04.{2}/ +} + +signature file-jar { + file-mime "application/java-archive", 100 + file-magic /^PK\x03\x04.{1,200}\x14\x00..META-INF\/MANIFEST\.MF/ +} + +signature file-java-applet { + file-magic /^\xca\xfe\xba\xbe...[\x2e-\x34]/ + file-mime "application/x-java-applet", 71 +} + +# Shockwave flash signature file-swf { - file-magic /(F|C|Z)WS/ + file-magic /^(F|C|Z)WS/ file-mime "application/x-shockwave-flash", 60 -} \ No newline at end of file +} + +# Microsoft Outlook's Transport Neutral Encapsulation Format +signature file-tnef { + file-magic /^\x78\x9f\x3e\x22/ + file-mime "application/vnd.ms-tnef", 100 +} + +# Mac OS X DMG files +signature file-dmg { + file-magic /^(\x78\x01\x73\x0D\x62\x62\x60|\x78\xDA\x63\x60\x18\x05|\x78\x01\x63\x60\x18\x05|\x78\xDA\x73\x0D|\x78[\x01\xDA]\xED[\xD0-\xD9])/ + file-mime "application/x-dmg", 100 +} + +# Mac OS X Mach-O executable +signature file-mach-o { + file-magic /^[\xce\xcf]\xfa\xed\xfe/ + file-mime "application/x-mach-o-executable", 100 +} + +# Mac OS X Universal Mach-O executable +signature file-mach-o-universal { + file-magic /^\xca\xfe\xba\xbe..\x00[\x01-\x14]/ + file-mime "application/x-mach-o-executable", 100 +} + +# XAR (eXtensible ARchive) format. +# Mac OS X uses this for the .pkg format. 
+signature file-xar { + file-magic /^xar\!/ + file-mime "application/x-xar", 100 +} + +signature file-pkcs7 { + file-magic /^MIME-Version:.*protocol=\"application\/pkcs7-signature\"/ + file-mime "application/pkcs7-signature", 100 +} + +# Concatenated X.509 certificates in textual format. +signature file-pem { + file-magic /^-----BEGIN CERTIFICATE-----/ + file-mime "application/x-pem" +} + +# Java Web Start file. +signature file-jnlp { + file-magic /^\2080 string,=Foglio di lavoro Microsoft Exce (len=31), ["%s"], swap_endian=0 -signature file-magic-auto0 { - file-mime "application/vnd.ms-excel", 340 - file-magic /(.{2080})(Foglio di lavoro Microsoft Exce)/ -} - # >2 string,=---BEGIN PGP PUBLIC KEY BLOCK- (len=30), ["PGP public key block"], swap_endian=0 signature file-magic-auto1 { file-mime "application/pgp-keys", 330 file-magic /(.{2})(\x2d\x2d\x2dBEGIN PGP PUBLIC KEY BLOCK\x2d)/ } -# >2080 string,=Microsoft Excel 5.0 Worksheet (len=29), ["%s"], swap_endian=0 -signature file-magic-auto2 { - file-mime "application/vnd.ms-excel", 320 - file-magic /(.{2080})(Microsoft Excel 5\x2e0 Worksheet)/ -} - # >11 string,=must be converted with BinHex (len=29), ["BinHex binary text"], swap_endian=0 signature file-magic-auto3 { file-mime "application/mac-binhex40", 320 file-magic /(.{11})(must be converted with BinHex)/ } -# >2080 string,=Microsoft Word 6.0 Document (len=27), ["%s"], swap_endian=0 -signature file-magic-auto4 { - file-mime "application/msword", 300 - file-magic /(.{2080})(Microsoft Word 6\x2e0 Document)/ -} - -# >2080 string,=Documento Microsoft Word 6 (len=26), ["Spanish Microsoft Word 6 document data"], swap_endian=0 -signature file-magic-auto5 { - file-mime "application/msword", 290 - file-magic /(.{2080})(Documento Microsoft Word 6)/ -} - # >0 string,=-----BEGIN PGP SIGNATURE- (len=25), ["PGP signature"], swap_endian=0 signature file-magic-auto6 { file-mime "application/pgp-signature", 280 
@@ -92,36 +68,6 @@ signature file-magic-auto13 { file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fgawk)/ } -# >0 string/wt,=#! /usr/local/bin/bash (len=22), ["Bourne-Again shell script text executable"], swap_endian=0 -signature file-magic-auto14 { - file-mime "text/x-shellscript", 250 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fbash)/ -} - -# >0 string/wt,=#! /usr/local/bin/tcsh (len=22), ["Tenex C shell script text executable"], swap_endian=0 -signature file-magic-auto15 { - file-mime "text/x-shellscript", 250 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2ftcsh)/ -} - -# >0 string/wt,=#! /usr/local/bin/zsh (len=21), ["Paul Falstad's zsh script text executable"], swap_endian=0 -signature file-magic-auto16 { - file-mime "text/x-shellscript", 240 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fzsh)/ -} - -# >0 string/wt,=#! /usr/local/bin/ash (len=21), ["Neil Brown's ash script text executable"], swap_endian=0 -signature file-magic-auto17 { - file-mime "text/x-shellscript", 240 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fash)/ -} - -# >0 string/wt,=#! /usr/local/bin/ae (len=20), ["Neil Brown's ae script text executable"], swap_endian=0 -signature file-magic-auto18 { - file-mime "text/x-shellscript", 230 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fae)/ -} - # >0 string,=# PaCkAgE DaTaStReAm (len=20), ["pkg Datastream (SVR4)"], swap_endian=0 signature file-magic-auto19 { file-mime "application/x-svr4-package", 230 
@@ -140,30 +86,12 @@ signature file-magic-auto21 { file-magic /(\x5bKDE Desktop Entry\x5d)/ } -# >512 string,=R\000o\000o\000t\000 \000E\000n\000t\000r\000y (len=19), ["Microsoft Word Document"], swap_endian=0 -signature file-magic-auto22 { - file-mime "application/msword", 220 - file-magic /(.{512})(R\x00o\x00o\x00t\x00 \x00E\x00n\x00t\x00r\x00y)/ -} - # >0 string,=!\n__________E (len=19), ["MIPS archive"], swap_endian=0 signature file-magic-auto23 { file-mime "application/x-archive", 220 file-magic /(\x21\x3carch\x3e\x0a\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5fE)/ } -# >0 string/wt,=#! /usr/local/tcsh (len=18), ["Tenex C shell script text executable"], swap_endian=0 -signature file-magic-auto24 { - file-mime "text/x-shellscript", 210 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2ftcsh)/ -} - -# >0 string/wt,=#! /usr/local/bash (len=18), ["Bourne-Again shell script text executable"], swap_endian=0 -signature file-magic-auto25 { - file-mime "text/x-shellscript", 210 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbash)/ -} - # >0 string/t,=# KDE Config File (len=17), ["KDE config file"], swap_endian=0 signature file-magic-auto26 { file-mime "application/x-kdelnk", 200 @@ -189,12 +117,6 @@ signature file-magic-auto29 { file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fnawk)/ } -# >0 string/wt,=#! /usr/bin/tcsh (len=16), ["Tenex C shell script text executable"], swap_endian=0 -signature file-magic-auto30 { - file-mime "text/x-shellscript", 190 - file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2ftcsh)/ -} - # >0 string/wt,=#! /usr/bin/gawk (len=16), ["GNU awk script text executable"], swap_endian=0 signature file-magic-auto31 { file-mime "text/x-gawk", 190 
@@ -207,12 +129,6 @@ signature file-magic-auto32 { file-magic /(.{369})(MICROSOFT PIFEX\x00)/ } -# >0 string/wt,=#! /usr/bin/bash (len=16), ["Bourne-Again shell script text executable"], swap_endian=0 -signature file-magic-auto33 { - file-mime "text/x-shellscript", 190 - file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fbash)/ -} - # >0 string/w,=#VRML V1.0 ascii (len=16), ["VRML 1 file"], swap_endian=0 signature file-magic-auto34 { file-mime "model/vrml", 190 @@ -334,12 +250,6 @@ signature file-magic-auto51 { file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fawk)/ } -# >0 string/wt,=#! /usr/bin/zsh (len=15), ["Paul Falstad's zsh script text executable"], swap_endian=0 -signature file-magic-auto52 { - file-mime "text/x-shellscript", 180 - file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fzsh)/ -} - # >0 string,=MAS_UTrack_V00 (len=14), [""], swap_endian=0 # >>14 string,>/0 (len=2), ["ultratracker V1.%.1s module sound data"], swap_endian=0 signature file-magic-auto53 { @@ -457,12 +367,6 @@ signature file-magic-auto70 { file-magic /(\x3cmap ?version)/ } -# >0 string/wt,=#! /bin/tcsh (len=12), ["Tenex C shell script text executable"], swap_endian=0 -signature file-magic-auto71 { - file-mime "text/x-shellscript", 150 - file-magic /(\x23\x21 ?\x2fbin\x2ftcsh)/ -} - # >0 string/wt,=#! /bin/nawk (len=12), ["new awk script text executable"], swap_endian=0 signature file-magic-auto72 { file-mime "text/x-nawk", 150 @@ -475,12 +379,6 @@ signature file-magic-auto73 { file-magic /(\x23\x21 ?\x2fbin\x2fgawk)/ } -# >0 string/wt,=#! /bin/bash (len=12), ["Bourne-Again shell script text executable"], swap_endian=0 -signature file-magic-auto74 { - file-mime "text/x-shellscript", 150 - file-magic /(\x23\x21 ?\x2fbin\x2fbash)/ -} - # >0 string/wt,=#! /bin/awk (len=11), ["awk script text executable"], swap_endian=0 signature file-magic-auto75 { file-mime "text/x-awk", 140 
@@ -505,24 +403,6 @@ signature file-magic-auto78 { file-magic /(d8\x3aannounce)/ } -# >0 string/wt,=#! /bin/csh (len=11), ["C shell script text executable"], swap_endian=0 -signature file-magic-auto79 { - file-mime "text/x-shellscript", 140 - file-magic /(\x23\x21 ?\x2fbin\x2fcsh)/ -} - -# >0 string/wt,=#! /bin/ksh (len=11), ["Korn shell script text executable"], swap_endian=0 -signature file-magic-auto80 { - file-mime "text/x-shellscript", 140 - file-magic /(\x23\x21 ?\x2fbin\x2fksh)/ -} - -# >0 string/wt,=#! /bin/zsh (len=11), ["Paul Falstad's zsh script text executable"], swap_endian=0 -signature file-magic-auto81 { - file-mime "text/x-shellscript", 140 - file-magic /(\x23\x21 ?\x2fbin\x2fzsh)/ -} - # >0 string/c,=BEGIN:VCARD (len=11), ["vCard visiting card"], swap_endian=0 signature file-magic-auto82 { file-mime "text/x-vcard", 140 @@ -545,12 +425,6 @@ signature file-magic-auto84 { file-magic /(Forward to)/ } -# >0 string/wt,=#! /bin/sh (len=10), ["POSIX shell script text executable"], swap_endian=0 -signature file-magic-auto85 { - file-mime "text/x-shellscript", 130 - file-magic /(\x23\x21 ?\x2fbin\x2fsh)/ -} - # >0 string,=II*\000\020\000\000\000CR (len=10), ["Canon CR2 raw image data"], swap_endian=0 signature file-magic-auto86 { file-mime "image/x-canon-cr2", 130 @@ -585,12 +459,6 @@ signature file-magic-auto90 { file-magic /(\x3cBookFile)/ } -# >2112 string,=MSWordDoc (len=9), ["Microsoft Word document data"], swap_endian=0 -signature file-magic-auto91 { - file-mime "application/msword", 120 - file-magic /(.{2112})(MSWordDoc)/ -} - # >0 string/t,=N#! rnews (len=9), ["mailed, batched news text"], swap_endian=0 signature file-magic-auto92 { file-mime "message/rfc822", 120 
@@ -656,12 +524,6 @@ signature file-magic-auto100 { file-magic /(MSCF\x00\x00\x00\x00)/ } -# >0 string/b,=\320\317\021\340\241\261\032\341 (len=8), ["Microsoft Office Document"], swap_endian=0 -signature file-magic-auto101 { - file-mime "application/msword", 110 - file-magic /(\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1)/ -} - # >21 string/c,=!SCREAM! (len=8), ["Screamtracker 2 module sound data"], swap_endian=0 signature file-magic-auto102 { file-mime "audio/x-mod", 110 @@ -754,10 +616,10 @@ signature file-magic-auto116 { } # >257 string,=ustar \000 (len=8), ["GNU tar archive"], swap_endian=0 -signature file-magic-auto117 { - file-mime "application/x-tar", 110 - file-magic /(.{257})(ustar \x00)/ -} +#signature file-magic-auto117 { +# file-mime "application/x-tar", 110 +# file-magic /(.{257})(ustar \x00)/ +#} # >0 string,=0 string/b,=\t\004\006\000\000\000\020\000 (len=8), ["Microsoft Excel Worksheet"], swap_endian=0 -signature file-magic-auto120 { - file-mime "application/vnd.ms-excel", 110 - file-magic /(\x09\x04\x06\x00\x00\x00\x10\x00)/ -} - # >0 string/b,=WordPro\000 (len=8), ["Lotus WordPro"], swap_endian=0 signature file-magic-auto121 { file-mime "application/vnd.lotus-wordpro", 110 @@ -844,10 +700,10 @@ signature file-magic-auto130 { } # >257 string,=ustar\000 (len=6), ["POSIX tar archive"], swap_endian=0 -signature file-magic-auto131 { - file-mime "application/x-tar", 90 - file-magic /(.{257})(ustar\x00)/ -} +#signature file-magic-auto131 { +# file-mime "application/x-tar", 90 +# file-magic /(.{257})(ustar\x00)/ +#} # >0 string,=AC1.40 (len=6), ["DWG AutoDesk AutoCAD Release 1.40"], swap_endian=0 signature file-magic-auto132 { 
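Review bot: The two tar signatures (`file-magic-auto117` and `file-magic-auto131`) are commented out with no reason given, whereas the other disabled entries visible in this file carry one on the line above (`# Seems redundant with other zip signature below.`, `# Not specific enough.`, `# LDFLAGS appears in other contexts, e.g. shell script.`). These are the only `application/x-tar` entries in this diff, so a maintainer cannot tell from the file whether tar detection was relocated or simply dropped, and any analyzer registered for that MIME type silently stops attaching if it was dropped. Add a one-line reason above each, e.g. `# Disabled: superseded by a dedicated tar signature elsewhere` if that is the case, matching the convention the other disabled entries already use.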
@@ -994,12 +850,6 @@ signature file-magic-auto155 { file-magic /(\x23 xmcd)/ } -# >0 string/b,=\333\245-\000\000\000 (len=6), ["Microsoft Office Document"], swap_endian=0 -signature file-magic-auto156 { - file-mime "application/msword", 90 - file-magic /(\xdb\xa5\x2d\x00\x00\x00)/ -} - # >2 string,=MMXPR3 (len=6), ["Motorola Quark Express Document (English)"], swap_endian=0 signature file-magic-auto157 { file-mime "application/x-quark-xpress-3", 90 
@@ -1046,36 +896,6 @@ signature file-magic-auto162 { file-magic /(\x3c\x3fxml)(.{15})(.*)( xmlns\x3d)(['"]http:\x2f\x2fwww.opengis.net\x2fkml)/ } -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>30 regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0 -# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>&26 search/1000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>>&26 string,=word/ (len=5), ["Microsoft Word 2007+"], swap_endian=0 -signature file-magic-auto163 { - file-mime "application/vnd.openxmlformats-officedocument.wordprocessingml.document", 80 - file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(word\x2f)/ -} - -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>30 regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0 -# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>&26 search/1000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>>&26 string,=ppt/ (len=4), ["Microsoft PowerPoint 2007+"], swap_endian=0 -signature file-magic-auto164 { - file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 70 - file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(ppt\x2f)/ -} - -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>30 regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0 -# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>&26 search/1000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>>&26 string,=xl/ (len=3), ["Microsoft Excel 2007+"], swap_endian=0 -signature file-magic-auto165 { - file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 60 - file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(xl\x2f)/ -} - # >60 string,=RINEX (len=5), [""], swap_endian=0 # 
>>80 search/256,=XXRINEXB (len=8), ["RINEX Data, GEO SBAS Broadcast"], swap_endian=0 # >>>5 string,x, [", version %6.6s"], swap_endian=0 @@ -1229,30 +1049,12 @@ signature file-magic-auto187 { file-magic /(\x00\x01\x00\x00\x00)/ } -# >0 string/b,=PO^Q` (len=5), ["Microsoft Word 6.0 Document"], swap_endian=0 -signature file-magic-auto188 { - file-mime "application/msword", 80 - file-magic /(PO\x5eQ\x60)/ -} - # >0 string,=%PDF- (len=5), ["PDF document"], swap_endian=0 signature file-magic-auto189 { file-mime "application/pdf", 80 file-magic /(\x25PDF\x2d)/ } -# >2114 string,=Biff5 (len=5), ["Microsoft Excel 5.0 Worksheet"], swap_endian=0 -signature file-magic-auto190 { - file-mime "application/vnd.ms-excel", 80 - file-magic /(.{2114})(Biff5)/ -} - -# >2121 string,=Biff5 (len=5), ["Microsoft Excel 5.0 Worksheet"], swap_endian=0 -signature file-magic-auto191 { - file-mime "application/vnd.ms-excel", 80 - file-magic /(.{2121})(Biff5)/ -} - # >0 string/t,=Path: (len=5), ["news text"], swap_endian=0 signature file-magic-auto192 { file-mime "message/news", 80 @@ -1383,12 +1185,6 @@ signature file-magic-auto211 { file-magic /(\x00\x00\x00\x01)([\x07\x27\x47\x67\x87\xa7\xc7\xe7])/ } -# >0 belong&,=-889275714 (0xcafebabe), [""], swap_endian=0 -signature file-magic-auto212 { - file-mime "application/x-java-applet", 71 - file-magic /(\xca\xfe\xba\xbe)/ -} - # >0 belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0 # >>3 byte&,=0xba, ["MPEG sequence"], swap_endian=0 signature file-magic-auto213 { 
@@ -1706,46 +1502,6 @@ signature file-magic-auto245 { file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(epub\x2bzip)/ } -# Seems redundant with other zip signature below. -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 -# >>>50 string,!epub+zip (len=8), [""], swap_endian=0 -# >>>>50 string,!vnd.oasis.opendocument. (len=23), [""], swap_endian=0 -# >>>>>50 string,!vnd.sun.xml. (len=12), [""], swap_endian=0 -# >>>>>>50 string,!vnd.kde. (len=8), [""], swap_endian=0 -# >>>>>>>38 regex,=[!-OQ-~]+ (len=9), ["Zip data (MIME type "%s"?)"], swap_endian=0 -#signature file-magic-auto246 { -# file-mime "application/zip", 39 -# file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)/ -#} - -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>26 string,=\b\000\000\000mimetype (len=12), [""], swap_endian=0 -# >>>38 string,!application/ (len=12), [""], swap_endian=0 -# >>>>38 regex,=[!-OQ-~]+ (len=9), ["Zip data (MIME type "%s"?)"], swap_endian=0 -signature file-magic-auto247 { - file-mime "application/zip", 39 - file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetype)/ -} - -# The indirect offset makes this difficult to convert. -# The (.*) may be too generous. -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>26 (leshort,+30), leshort&,=-13570 (0xcafe), ["Java archive data (JAR)"], swap_endian=0 -signature file-magic-auto248 { - file-mime "application/java-archive", 50 - file-magic /(PK\x03\x04)(.*)(\xfe\xca)/ -} - -# The indeirect offset and string inequality make this difficult to convert. 
-# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>26 (leshort,+30), leshort&,!-13570 (0xcafe), [""], swap_endian=0 -# >>>26 string,!\b\000\000\000mimetype (len=12), ["Zip archive data"], swap_endian=0 -signature file-magic-auto249 { - file-mime "application/zip", 10 - file-magic /(PK\x03\x04)(.{2})/ -} - # >0 belong&,=442 (0x000001ba), [""], swap_endian=0 # >>4 byte&,&0x40, [""], swap_endian=0 signature file-magic-auto250 { @@ -2065,18 +1821,6 @@ signature file-magic-auto299 { file-magic /(PDN3)/ } -# >0 ulelong&,=2712847316 (0xa1b2c3d4), ["tcpdump capture file (little-endian)"], swap_endian=0 -signature file-magic-auto300 { - file-mime "application/vnd.tcpdump.pcap", 70 - file-magic /(\xd4\xc3\xb2\xa1)/ -} - -# >0 ubelong&,=2712847316 (0xa1b2c3d4), ["tcpdump capture file (big-endian)"], swap_endian=0 -signature file-magic-auto301 { - file-mime "application/vnd.tcpdump.pcap", 70 - file-magic /(\xa1\xb2\xc3\xd4)/ -} - # >0 belong&,=-17957139 (0xfeedfeed), ["Java KeyStore"], swap_endian=0 signature file-magic-auto302 { file-mime "application/x-java-keystore", 70 @@ -2297,12 +2041,6 @@ signature file-magic-auto335 { file-magic /(SIT\x21)/ } -# >0 lelong&,=574529400 (0x223e9f78), ["Transport Neutral Encapsulation Format"], swap_endian=0 -signature file-magic-auto336 { - file-mime "application/vnd.ms-tnef", 70 - file-magic /(\x78\x9f\x3e\x22)/ -} - # >0 string,= (len=4), ["System V Release 1 ar archive"], swap_endian=0 signature file-magic-auto337 { file-mime "application/x-archive", 70 
@@ -2433,48 +2171,6 @@ signature file-magic-auto357 { file-magic /(RIFF)(.{4})(AVI )/ } -# >0 belong&,=834535424 (0x31be0000), ["Microsoft Word Document"], swap_endian=0 -signature file-magic-auto358 { - file-mime "application/msword", 70 - file-magic /(\x31\xbe\x00\x00)/ -} - -# >0 string/b,=\3767\000# (len=4), ["Microsoft Office Document"], swap_endian=0 -signature file-magic-auto359 { - file-mime "application/msword", 70 - file-magic /(\xfe7\x00\x23)/ -} - -# >0 string/b,=\333\245-\000 (len=4), ["Microsoft WinWord 2.0 Document"], swap_endian=0 -signature file-magic-auto360 { - file-mime "application/msword", 70 - file-magic /(\xdb\xa5\x2d\x00)/ -} - -# >0 string/b,=\333\245-\000 (len=4), ["Microsoft WinWord 2.0 Document"], swap_endian=0 -signature file-magic-auto361 { - file-mime "application/msword", 70 - file-magic /(\xdb\xa5\x2d\x00)/ -} - -# >0 belong&,=6656 (0x00001a00), ["Lotus 1-2-3"], swap_endian=0 -signature file-magic-auto362 { - file-mime "application/x-123", 70 - file-magic /(\x00\x00\x1a\x00)/ -} - -# >0 belong&,=512 (0x00000200), ["Lotus 1-2-3"], swap_endian=0 -signature file-magic-auto363 { - file-mime "application/x-123", 70 - file-magic /(\x00\x00\x02\x00)/ -} - -# >0 string/b,=\000\000\001\000 (len=4), ["MS Windows icon resource"], swap_endian=0 -signature file-magic-auto364 { - file-mime "image/x-icon", 70 - file-magic /(\x00\x00\x01\x00)/ -} - # >0 lelong&,=268435536 (0x10000050), ["Psion Series 5"], swap_endian=0 # >>4 lelong&,=268435565 (0x1000006d), ["database"], swap_endian=0 # >>>8 lelong&,=268435588 (0x10000084), ["Agenda file"], swap_endian=0 @@ -2737,12 +2433,6 @@ signature file-magic-auto403 { file-magic /(SBI)/ } -# >0 string/b,=\224\246. (len=3), ["Microsoft Word Document"], swap_endian=0 -signature file-magic-auto404 { - file-mime "application/msword", 60 - file-magic /(\x94\xa6\x2e)/ -} - # >0 string,=\004%! (len=3), ["PostScript document text"], swap_endian=0 signature file-magic-auto405 { file-mime "application/postscript", 60 
@@ -2763,17 +2453,11 @@ signature file-magic-auto407 { file-magic /(.*)([ \x09]*(class|module)[ \x09][A-Z])((modul|includ)e [A-Z]|def [a-z])(^[ \x09]*end([ \x09]*[;#].*)?$)/ } -# >512 string/b,=\354\245\301 (len=3), ["Microsoft Word Document"], swap_endian=0 -signature file-magic-auto408 { - file-mime "application/msword", 60 - file-magic /(.{512})(\xec\xa5\xc1)/ -} - # >0 regex/20,=^\.[A-Za-z0-9][A-Za-z0-9][ \t] (len=29), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto411 { - file-mime "text/troff", 59 - file-magic /(^\.[A-Za-z0-9][A-Za-z0-9][ \x09])/ -} +#signature file-magic-auto411 { +# file-mime "text/troff", 59 +# file-magic /(^\.[A-Za-z0-9][A-Za-z0-9][ \x09])/ +#} # >0 search/4096,=\documentclass (len=14), ["LaTeX 2e document text"], swap_endian=0 signature file-magic-auto412 { @@ -2806,10 +2490,10 @@ signature file-magic-auto416 { } # >0 regex/20,=^\.[A-Za-z0-9][A-Za-z0-9]$ (len=26), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto417 { - file-mime "text/troff", 56 - file-magic /(^\.[A-Za-z0-9][A-Za-z0-9]$)/ -} +#signature file-magic-auto417 { +# file-mime "text/troff", 56 +# file-magic /(^\.[A-Za-z0-9][A-Za-z0-9]$)/ +#} # >0 search/w/1,=#! /usr/bin/php (len=15), ["PHP script text executable"], swap_endian=0 signature file-magic-auto418 { 
@@ -2829,30 +2513,12 @@ signature file-magic-auto420 { file-magic /(.*)(eval \x22exec \x2fusr\x2fbin\x2fperl)/ } -# >0 search/w/1,=#! /usr/local/bin/python (len=24), ["Python script text executable"], swap_endian=0 -signature file-magic-auto421 { - file-mime "text/x-python", 54 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fpython)/ -} - # >0 search/1,=Common subdirectories: (len=23), ["diff output text"], swap_endian=0 signature file-magic-auto422 { file-mime "text/x-diff", 53 file-magic /(.*)(Common subdirectories\x3a )/ } -# >0 search/1,=#! /usr/bin/env python (len=22), ["Python script text executable"], swap_endian=0 -signature file-magic-auto423 { - file-mime "text/x-python", 52 - file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv python)/ -} - -# >0 search/w/1,=#! /usr/local/bin/ruby (len=22), ["Ruby script text executable"], swap_endian=0 -signature file-magic-auto424 { - file-mime "text/x-ruby", 52 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fruby)/ -} - # >0 search/w/1,=#! /usr/local/bin/wish (len=22), ["Tcl/Tk script text executable"], swap_endian=0 signature file-magic-auto425 { file-mime "text/x-tcl", 52 @@ -2871,12 +2537,6 @@ signature file-magic-auto427 { file-magic /(\xff\xd8)/ } -# >0 search/1,=#!/usr/bin/env python (len=21), ["Python script text executable"], swap_endian=0 -signature file-magic-auto428 { - file-mime "text/x-python", 51 - file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv python)/ -} - # >0 search/1,=#!/usr/bin/env nodejs (len=21), ["Node.js script text executable"], swap_endian=0 signature file-magic-auto429 { file-mime "application/javascript", 51 
@@ -3189,12 +2849,6 @@ signature file-magic-auto474 { file-magic /(\x25\x21)/ } -# >0 search/1,=#! /usr/bin/env ruby (len=20), ["Ruby script text executable"], swap_endian=0 -signature file-magic-auto475 { - file-mime "text/x-ruby", 50 - file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv ruby)/ -} - # >0 regex/1,=(^[0-9]{5})[acdn][w] (len=20), ["MARC21 Classification"], swap_endian=0 signature file-magic-auto476 { file-mime "application/marc", 50 @@ -3228,10 +2882,10 @@ signature file-magic-auto480 { } # >0 string,=\n( (len=2), ["Emacs v18 byte-compiled Lisp data"], swap_endian=0 -signature file-magic-auto481 { - file-mime "application/x-elc", 50 - file-magic /(\x0a\x28)/ -} +#signature file-magic-auto481 { +# file-mime "application/x-elc", 50 +# file-magic /(\x0a\x28)/ +#} # >0 string,=\021\t (len=2), ["Award BIOS Logo, 136 x 126"], swap_endian=0 signature file-magic-auto482 { @@ -3305,17 +2959,17 @@ signature file-magic-auto493 { file-magic /(\xf7\x02)/ } -# >2 string,=\000\021 (len=2), ["TeX font metric data"], swap_endian=0 -signature file-magic-auto494 { - file-mime "application/x-tex-tfm", 50 - file-magic /(.{2})(\x00\x11)/ -} - -# >2 string,=\000\022 (len=2), ["TeX font metric data"], swap_endian=0 -signature file-magic-auto495 { - file-mime "application/x-tex-tfm", 50 - file-magic /(.{2})(\x00\x12)/ -} +## >2 string,=\000\021 (len=2), ["TeX font metric data"], swap_endian=0 +#signature file-magic-auto494 { +# file-mime "application/x-tex-tfm", 50 +# file-magic /(.{2})(\x00\x11)/ +#} +# +## >2 string,=\000\022 (len=2), ["TeX font metric data"], swap_endian=0 +#signature file-magic-auto495 { +# file-mime "application/x-tex-tfm", 50 +# file-magic /(.{2})(\x00\x12)/ +#} # >0 beshort&,=-31486 (0x8502), ["GPG encrypted data"], swap_endian=0 signature file-magic-auto496 { 
@@ -3470,12 +3124,6 @@ signature file-magic-auto514 { file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv lua)/ } -# >0 search/1,=#!/usr/bin/env ruby (len=19), ["Ruby script text executable"], swap_endian=0 -signature file-magic-auto515 { - file-mime "text/x-ruby", 49 - file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv ruby)/ -} - # >0 search/1,=#! /usr/bin/env tcl (len=19), ["Tcl script text executable"], swap_endian=0 signature file-magic-auto516 { file-mime "text/x-tcl", 49 @@ -3493,12 +3141,6 @@ signature file-magic-auto519 { file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv lua)/ } -# >0 search/w/1,=#! /usr/bin/python (len=18), ["Python script text executable"], swap_endian=0 -signature file-magic-auto520 { - file-mime "text/x-python", 48 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fpython)/ -} - # >0 search/w/1,=#!/usr/bin/nodejs (len=17), ["Node.js script text executable"], swap_endian=0 signature file-magic-auto521 { file-mime "application/javascript", 47 @@ -3506,10 +3148,10 @@ signature file-magic-auto521 { } # >0 regex,=^class[ \t\n]+ (len=12), ["C++ source text"], swap_endian=0 -signature file-magic-auto522 { - file-mime "text/x-c++", 47 - file-magic /(.*)(class[ \x09\x0a]+[[:alnum:]_]+)(.*)(\x7b)(.*)(public:)/ -} +#signature file-magic-auto522 { +# file-mime "text/x-c++", 47 +# file-magic /(.*)(class[ \x09\x0a]+[[:alnum:]_]+)(.*)(\x7b)(.*)(public:)/ +#} # >0 search/1,=This is Info file (len=17), ["GNU Info text"], swap_endian=0 signature file-magic-auto528 { @@ -3658,12 +3300,6 @@ signature file-magic-auto545 { file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fwish)/ } -# >0 search/w/1,=#! /usr/bin/ruby (len=16), ["Ruby script text executable"], swap_endian=0 -signature file-magic-auto546 { - file-mime "text/x-ruby", 46 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fruby)/ -} - # >0 search/w/1,=#! /usr/bin/lua (len=15), ["Lua script text executable"], swap_endian=0 signature file-magic-auto547 { file-mime "text/x-lua", 45 
@@ -3727,10 +3363,10 @@ signature file-magic-auto556 { } # >0 regex,=^extern[ \t\n]+ (len=13), ["C source text"], swap_endian=0 -signature file-magic-auto557 { - file-mime "text/x-c", 43 - file-magic /(.*)(extern[ \x09\x0a]+)/ -} +#signature file-magic-auto557 { +# file-mime "text/x-c", 43 +# file-magic /(.*)(extern[ \x09\x0a]+)/ +#} # >0 search/4096,=% -*-latex-*- (len=13), ["LaTeX document text"], swap_endian=0 signature file-magic-auto558 { @@ -3746,10 +3382,10 @@ signature file-magic-auto558 { #} # >0 regex,=^struct[ \t\n]+ (len=13), ["C source text"], swap_endian=0 -signature file-magic-auto560 { - file-mime "text/x-c", 43 - file-magic /(.*)(struct[ \x09\x0a]+)/ -} +#signature file-magic-auto560 { +# file-mime "text/x-c", 43 +# file-magic /(.*)(struct[ \x09\x0a]+)/ +#} # >0 search/w/1,=#!/bin/nodejs (len=13), ["Node.js script text executable"], swap_endian=0 signature file-magic-auto561 { @@ -3802,10 +3438,10 @@ signature file-magic-auto567 { } # >0 regex,=^char[ \t\n]+ (len=11), ["C source text"], swap_endian=0 -signature file-magic-auto568 { - file-mime "text/x-c", 41 - file-magic /(.*)(char[ \x09\x0a]+)/ -} +#signature file-magic-auto568 { +# file-mime "text/x-c", 41 +# file-magic /(.*)(char[ \x09\x0a]+)/ +#} # >0 search/1,=#! (len=2), [""], swap_endian=0 # >>0 regex,=^#!.*/bin/perl$ (len=15), ["Perl script text executable"], swap_endian=0 
@@ -3887,23 +3523,11 @@ signature file-magic-auto578 { file-magic /(^dnl )/ } -# >0 regex,=^all: (len=5), ["makefile script text"], swap_endian=0 -signature file-magic-auto579 { - file-mime "text/x-makefile", 40 - file-magic /(^all:)/ -} - -# >0 regex,=^.PRECIOUS (len=10), ["makefile script text"], swap_endian=0 -signature file-magic-auto580 { - file-mime "text/x-makefile", 40 - file-magic /(^.PRECIOUS)/ -} - # >0 search/8192,=main( (len=5), ["C source text"], swap_endian=0 -signature file-magic-auto581 { - file-mime "text/x-c", 40 - file-magic /(.*)(main\x28)/ -} +#signature file-magic-auto581 { +# file-mime "text/x-c", 40 +# file-magic /(.*)(main\x28)/ +#} # Not specific enough. # >0 search/1,=\" (len=2), ["troff or preprocessor input text"], swap_endian=0 
@@ -3932,22 +3556,22 @@ signature file-magic-auto584 { #} # >0 regex,=^#include (len=9), ["C source text"], swap_endian=0 -signature file-magic-auto586 { - file-mime "text/x-c", 39 - file-magic /(.*)(#include)/ -} +#signature file-magic-auto586 { +# file-mime "text/x-c", 39 +# file-magic /(.*)(#include)/ +#} # >0 search/1,=.\" (len=3), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto587 { - file-mime "text/troff", 39 - file-magic /(.*)(\x2e\x5c\x22)/ -} +#signature file-magic-auto587 { +# file-mime "text/troff", 39 +# file-magic /(.*)(\x2e\x5c\x22)/ +#} # >0 search/1,='\" (len=3), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto588 { - file-mime "text/troff", 39 - file-magic /(.*)(\x27\x5c\x22)/ -} +#signature file-magic-auto588 { +# file-mime "text/troff", 39 +# file-magic /(.*)(\x27\x5c\x22)/ +#} # >0 search/1,=0 search/1,=''' (len=3), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto593 { - file-mime "text/troff", 39 - file-magic /(.*)(\x27\x27\x27)/ -} +#signature file-magic-auto593 { +# file-mime "text/troff", 39 +# file-magic /(.*)(\x27\x27\x27)/ +#} # >0 search/4096,=try: (len=4), [""], swap_endian=0 # >>&0 regex,=^\s*except.*: (len=13), ["Python script text executable"], swap_endian=0 @@ -3999,12 +3623,6 @@ signature file-magic-auto596 { file-magic /(.*)(\x22LIBHDR\x22)/ } -# >0 regex,=^SUBDIRS (len=8), ["automake makefile script text"], swap_endian=0 -signature file-magic-auto597 { - file-mime "text/x-makefile", 38 - file-magic /(.*)(SUBDIRS)/ -} - # >0 search/4096,=(defvar (len=8), ["Lisp/Scheme program text"], swap_endian=0 signature file-magic-auto598 { file-mime "text/x-lisp", 38 
@@ -4031,19 +3649,6 @@ signature file-magic-auto600 { # file-magic /(.*)(\x2a\x2a\x2a )/ #} -# >0 search/1,='.\" (len=4), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto602 { - file-mime "text/troff", 38 - file-magic /(.*)(\x27\x2e\x5c\x22)/ -} - -# LDFLAGS appears in other contexts, e.g. shell script. -# >0 regex,=^LDFLAGS (len=8), ["makefile script text"], swap_endian=0 -#signature file-magic-auto603 { -# file-mime "text/x-makefile", 38 -# file-magic /(.*)(LDFLAGS)/ -#} - # >0 search/8192,="libhdr" (len=8), ["BCPL source text"], swap_endian=0 signature file-magic-auto604 { file-mime "text/x-bcpl", 38 @@ -4057,12 +3662,6 @@ signature file-magic-auto604 { # file-magic /(^record)/ #} -# >0 regex,=^CFLAGS (len=7), ["makefile script text"], swap_endian=0 -signature file-magic-auto606 { - file-mime "text/x-makefile", 37 - file-magic /(.*)(CFLAGS)/ -} - # >0 search/4096,=(defun (len=7), ["Lisp/Scheme program text"], swap_endian=0 signature file-magic-auto607 { file-mime "text/x-lisp", 37 diff --git a/scripts/base/frameworks/files/magic/msoffice.sig b/scripts/base/frameworks/files/magic/msoffice.sig new file mode 100644 index 0000000000..111ec77004 --- /dev/null +++ b/scripts/base/frameworks/files/magic/msoffice.sig 
@@ -0,0 +1,28 @@
+
+# This signature is non-specific and terrible but after
+# searching for a long time there doesn't seem to be a
+# better option.
+signature file-msword {
+ file-magic /^\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1/
+ file-mime "application/msword", 50
+}
+
+signature file-ooxml {
+ file-magic /^PK\x03\x04\x14\x00\x06\x00/
+ file-mime "application/vnd.openxmlformats-officedocument", 50
+}
+
+signature file-docx {
+ file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|word\x2f).*PK\x03\x04.{26}word\x2f/
+ file-mime "application/vnd.openxmlformats-officedocument.wordprocessingml.document", 80
+}
+
+signature file-xlsx {
+ file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\2f).*PK\x03\x04.{26}xl\x2f/
+ file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 80
+}
+
+signature file-pptx {
+ file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|ppt\x2f).*PK\x03\x04.{26}ppt\x2f/
+ file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 80
+}
diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro
index d680c467b6..e335d4be9d 100644
--- a/scripts/base/frameworks/files/main.bro
+++ b/scripts/base/frameworks/files/main.bro
@@ -100,8 +100,9 @@ export {
 ## during the process of analysis e.g. due to dropped packets.
 missing_bytes: count &log &default=0;
- ## The number of not all-in-sequence bytes in the file stream that
- ## were delivered to file analyzers due to reassembly buffer overflow.
+ ## The number of bytes in the file stream that were not delivered to
+ ## stream file analyzers. This could be overlapping bytes or
+ ## bytes that couldn't be reassembled.
 overflow_bytes: count &log &default=0;
 ## Whether the file analysis timed out at least once for the file.
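Review bot: The `file-xlsx` pattern writes its third alternative as `xl\2f` while `file-docx` and `file-pptx` use `\x2f` for the slash; `\2f` is not the hex escape for `/` (depending on how the regex compiler treats `\2` it is an octal byte followed by a literal `f`, or an error), so that alternative can never match `xl/` and xlsx detection only works through the `[Content_Types].xml` / `_rels/.rels` paths — change it to `xl\x2f`. Separately, `file-msword` tags every OLE2 compound document as `application/msword`: the `\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1` header is shared by .xls, .ppt, .msi, .msg and other storage-based formats, so any analyzer registered for `application/msword` and any policy keyed on that type will now fire on those files as well. The header comment concedes the signature is non-specific but should state that consequence for downstream consumers, e.g. `# Matches any OLE2 compound document (xls/ppt/msi/msg/...), not only Word; treat this MIME type as "OLE2 storage" when writing policy against it.`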
@@ -124,6 +125,37 @@ export { ## generate two handles that would hash to the same file id. const salt = "I recommend changing this." &redef; + ## Decide if you want to automatically attached analyzers to + ## files based on the detected mime type of the file. + const analyze_by_mime_type_automatically = T &redef; + + ## The default setting for if the file reassembler is enabled for + ## each file. + const enable_reassembler = T &redef; + + ## The default per-file reassembly buffer size. + const reassembly_buffer_size = 1048576 &redef; + + ## Allows the file reassembler to be used if it's necessary because the + ## file is transferred out of order. + ## + ## f: the file. + global enable_reassembly: function(f: fa_file); + + ## Disables the file reassembler on this file. If the file is not + ## transferred out of order this will have no effect. + ## + ## f: the file. + global disable_reassembly: function(f: fa_file); + + ## Set the maximum size the reassembly buffer is allowed to grow + ## for the given file. + ## + ## f: the file. + ## + ## max: Maximum allowed size of the reassembly buffer. + global set_reassembly_buffer_size: function(f: fa_file, max: count); + ## Sets the *timeout_interval* field of :bro:see:`fa_file`, which is ## used to determine the length of inactivity that is allowed for a file ## before internal state related to it is cleaned up. When used within @@ -153,15 +185,6 @@ export { tag: Files::Tag, args: AnalyzerArgs &default=AnalyzerArgs()): bool; - ## Adds all analyzers associated with a give MIME type to the analysis of - ## a file. Note that analyzers added via MIME types cannot take further - ## arguments. - ## - ## f: the file. - ## - ## mtype: the MIME type; it will be compared case-insensitive. - global add_analyzers_for_mime_type: function(f: fa_file, mtype: string); - ## Removes an analyzer from the analysis of a given file. ## ## f: the file. 
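Review bot: `reassembly_buffer_size` is documented only as "per-file", but with `enable_reassembler = T` by default the aggregate memory is this value multiplied by the number of files being reassembled concurrently, and nothing says what happens to data that does not fit — a peer sending many out-of-order transfers can presumably pin up to ~1 MiB per file, so that trade-off belongs in the comment. Suggest `## The default per-file reassembly buffer size, in bytes. Memory is bounded per file, not globally; data that does not fit is not delivered to stream analyzers (see overflow_bytes).` — the last clause inferred from the `overflow_bytes` doc change earlier in this diff, so confirm it against the core. The same note applies to `set_reassembly_buffer_size`, whose `max` parameter does not state its unit. Two wording fixes while here: `automatically attached analyzers` → `automatically attach analyzers`, and `The default setting for if the file reassembler is enabled for each file.` → `Whether the file reassembler is enabled by default for each file.`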
@@ -284,6 +307,7 @@ global registered_protocols: table[Analyzer::Tag] of ProtoRegistration = table() # Store the MIME type to analyzer mappings. global mime_types: table[Analyzer::Tag] of set[string]; +global mime_type_to_analyzers: table[string] of set[Analyzer::Tag]; global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: AnalyzerArgs) = table(); @@ -313,8 +337,6 @@ function set_info(f: fa_file) f$info$overflow_bytes = f$overflow_bytes; if ( f?$is_orig ) f$info$is_orig = f$is_orig; - if ( f?$mime_type ) - f$info$mime_type = f$mime_type; } function set_timeout_interval(f: fa_file, t: interval): bool @@ -322,6 +344,21 @@ function set_timeout_interval(f: fa_file, t: interval): bool return __set_timeout_interval(f$id, t); } +function enable_reassembly(f: fa_file) + { + __enable_reassembly(f$id); + } + +function disable_reassembly(f: fa_file) + { + __disable_reassembly(f$id); + } + +function set_reassembly_buffer_size(f: fa_file, max: count) + { + __set_reassembly_buffer(f$id, max); + } + function add_analyzer(f: fa_file, tag: Files::Tag, args: AnalyzerArgs): bool { add f$info$analyzers[Files::analyzer_name(tag)]; @@ -337,15 +374,6 @@ function add_analyzer(f: fa_file, tag: Files::Tag, args: AnalyzerArgs): bool return T; } -function add_analyzers_for_mime_type(f: fa_file, mtype: string) - { - local dummy_args: AnalyzerArgs; - local analyzers = __add_analyzers_for_mime_type(f$id, mtype, dummy_args); - - for ( tag in analyzers ) - add f$info$analyzers[Files::analyzer_name(tag)]; - } - function register_analyzer_add_callback(tag: Files::Tag, callback: function(f: fa_file, args: AnalyzerArgs)) { analyzer_add_callbacks[tag] = callback; 
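Review bot: The three new wrappers `enable_reassembly`, `disable_reassembly` and `set_reassembly_buffer_size` discard whatever the underlying `__enable_reassembly` / `__disable_reassembly` / `__set_reassembly_buffer` calls return, unlike `set_timeout_interval` directly above, which returns `__set_timeout_interval(f$id, t)` as a `bool`; if those BIFs report failure for an unknown or already-removed file id (their signatures are not visible here), callers have no way to see it. Since the exported declarations in this commit fix the functions as returning nothing, either give them `: bool` return types now, before user scripts depend on the void signatures, or add a comment on each stating that failures are silently ignored, e.g. `# Result of the core call is intentionally dropped; an unknown file id is a no-op.` — confirm which before choosing. The `add_analyzer` function whose first line appears at the end of this hunk continues outside it.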
@@ -366,42 +394,6 @@ function analyzer_name(tag: Files::Tag): string return __analyzer_name(tag); } -event file_new(f: fa_file) &priority=10 - { - set_info(f); - - if ( f?$mime_type ) - add_analyzers_for_mime_type(f, f$mime_type); - } - -event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=10 - { - set_info(f); - add f$info$conn_uids[c$uid]; - local cid = c$id; - add f$info$tx_hosts[f$is_orig ? cid$orig_h : cid$resp_h]; - if( |Site::local_nets| > 0 ) - f$info$local_orig=Site::is_local_addr(f$is_orig ? cid$orig_h : cid$resp_h); - - add f$info$rx_hosts[f$is_orig ? cid$resp_h : cid$orig_h]; - } - -event file_timeout(f: fa_file) &priority=10 - { - set_info(f); - f$info$timedout = T; - } - -event file_state_remove(f: fa_file) &priority=10 - { - set_info(f); - } - -event file_state_remove(f: fa_file) &priority=-10 - { - Log::write(Files::LOG, f$info); - } - function register_protocol(tag: Analyzer::Tag, reg: ProtoRegistration): bool { local result = (tag !in registered_protocols); @@ -424,13 +416,18 @@ function register_for_mime_types(tag: Analyzer::Tag, mime_types: set[string]) : function register_for_mime_type(tag: Analyzer::Tag, mt: string) : bool { - if ( ! __register_for_mime_type(tag, mt) ) - return F; - if ( tag !in mime_types ) + { mime_types[tag] = set(); - + } add mime_types[tag][mt]; + + if ( mt !in mime_type_to_analyzers ) + { + mime_type_to_analyzers[mt] = set(); + } + add mime_type_to_analyzers[mt][tag]; + return T; } 
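Review bot: `register_for_mime_type` now stores `mt` verbatim in `mime_types` and `mime_type_to_analyzers`, and the new script-level lookup (`mime_type in mime_type_to_analyzers` in the `file_mime_type` handler added later in this diff) is an exact string comparison; the removed `add_analyzers_for_mime_type` documented its MIME argument as "compared case-insensitive", so a registration that differs in case from a signature's `file-mime` string will silently never attach its analyzer. Normalize at both ends — `local key = to_lower(mt);` here before the two `add` statements, and `to_lower(mime_type)` at the lookup — or document that keys are case-sensitive. Also note the function can no longer return `F`: with the `__register_for_mime_type` call and its failure path gone, the `bool` return carries no information, so either drop it or say in the export doc that it always succeeds.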
@@ -462,3 +459,61 @@ event get_file_handle(tag: Analyzer::Tag, c: connection, is_orig: bool) &priorit local handler = registered_protocols[tag]; set_file_handle(handler$get_file_handle(c, is_orig)); } + +event file_new(f: fa_file) &priority=10 + { + set_info(f); + + if ( enable_reassembler ) + { + Files::enable_reassembly(f); + Files::set_reassembly_buffer_size(f, reassembly_buffer_size); + } + } + +event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=10 + { + set_info(f); + + add f$info$conn_uids[c$uid]; + local cid = c$id; + add f$info$tx_hosts[f$is_orig ? cid$orig_h : cid$resp_h]; + if( |Site::local_nets| > 0 ) + f$info$local_orig=Site::is_local_addr(f$is_orig ? cid$orig_h : cid$resp_h); + + add f$info$rx_hosts[f$is_orig ? cid$resp_h : cid$orig_h]; + } + +event file_mime_type(f: fa_file, mime_type: string) &priority=10 + { + set_info(f); + + f$info$mime_type = mime_type; + + if ( analyze_by_mime_type_automatically && + mime_type in mime_type_to_analyzers ) + { + local analyzers = mime_type_to_analyzers[mime_type]; + for ( a in analyzers ) + { + add f$info$analyzers[Files::analyzer_name(a)]; + Files::add_analyzer(f, a); + } + } + } + +event file_timeout(f: fa_file) &priority=10 + { + set_info(f); + f$info$timedout = T; + } + +event file_state_remove(f: fa_file) &priority=10 + { + set_info(f); + } + +event file_state_remove(f: fa_file) &priority=-10 + { + Log::write(Files::LOG, f$info); + } diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index 5b31dd964e..4866766df4 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -67,6 +67,7 @@ export { IN_ANYWHERE, }; + ## Information about a piece of "seen" data. type Seen: record { ## The string if the data is about a string. indicator: string &log &optional; 
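Review bot: In the new file_mime_type handler the loop does `add f$info$analyzers[Files::analyzer_name(a)];` and then calls `Files::add_analyzer(f, a);`, but add_analyzer already performs that same `add` as its first statement (visible in the -322 hunk of this file), so the first line of the loop body is redundant and can be dropped. The bool returned by add_analyzer is discarded here; if a failed attach is meaningful, a short comment saying why it is ignored would help the next reader. add_analyzer is defined with three parameters (f, tag, args) while it is called here with two — presumably the exported declaration defaults `args`, but that declaration is not visible in this diff, as are `enable_reassembler`, `reassembly_buffer_size` and `analyze_by_mime_type_automatically`.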
@@ -124,7 +125,7 @@ export { sources: set[string] &log &default=string_set(); }; - ## Intelligence data manipulation functions. + ## Intelligence data manipulation function. global insert: function(item: Item); ## Function to declare discovery of a piece of data in order to check @@ -289,8 +290,8 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5 if ( ! info?$fuid ) info$fuid = s$f$id; - if ( ! info?$file_mime_type && s$f?$mime_type ) - info$file_mime_type = s$f$mime_type; + if ( ! info?$file_mime_type && s$f?$info && s$f$info?$mime_type ) + info$file_mime_type = s$f$info$mime_type; if ( ! info?$file_desc ) info$file_desc = Files::describe(s$f); diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index bf1affcb01..d4d5c0244e 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro 
@@ -405,30 +405,30 @@ function default_path_func(id: ID, path: string, rec: any) : string local id_str = fmt("%s", id); - local parts = split1(id_str, /::/); + local parts = split_string1(id_str, /::/); if ( |parts| == 2 ) { # Example: Notice::LOG -> "notice" - if ( parts[2] == "LOG" ) + if ( parts[1] == "LOG" ) { - local module_parts = split_n(parts[1], /[^A-Z][A-Z][a-z]*/, T, 4); + local module_parts = split_string_n(parts[0], /[^A-Z][A-Z][a-z]*/, T, 4); local output = ""; - if ( 1 in module_parts ) - output = module_parts[1]; + if ( 0 in module_parts ) + output = module_parts[0]; + if ( 1 in module_parts && module_parts[1] != "" ) + output = cat(output, sub_bytes(module_parts[1],1,1), "_", sub_bytes(module_parts[1], 2, |module_parts[1]|)); if ( 2 in module_parts && module_parts[2] != "" ) - output = cat(output, sub_bytes(module_parts[2],1,1), "_", sub_bytes(module_parts[2], 2, |module_parts[2]|)); + output = cat(output, "_", module_parts[2]); if ( 3 in module_parts && module_parts[3] != "" ) - output = cat(output, "_", module_parts[3]); - if ( 4 in module_parts && module_parts[4] != "" ) - output = cat(output, sub_bytes(module_parts[4],1,1), "_", sub_bytes(module_parts[4], 2, |module_parts[4]|)); + output = cat(output, sub_bytes(module_parts[3],1,1), "_", sub_bytes(module_parts[3], 2, |module_parts[3]|)); return to_lower(output); } # Example: Notice::POLICY_LOG -> "notice_policy" - if ( /_LOG$/ in parts[2] ) - parts[2] = sub(parts[2], /_LOG$/, ""); + if ( /_LOG$/ in parts[1] ) + parts[1] = sub(parts[1], /_LOG$/, ""); - return cat(to_lower(parts[1]),"_",to_lower(parts[2])); + return cat(to_lower(parts[0]),"_",to_lower(parts[1])); } else return to_lower(id_str); diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index 4790245de0..d7d9bd61c9 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro 
@@ -531,8 +531,8 @@ function create_file_info(f: fa_file): Notice::FileInfo local fi: Notice::FileInfo = Notice::FileInfo($fuid = f$id, $desc = Files::describe(f)); - if ( f?$mime_type ) - fi$mime = f$mime_type; + if ( f?$info && f$info?$mime_type ) + fi$mime = f$info$mime_type; if ( f?$conns && |f$conns| == 1 ) for ( id in f$conns ) diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index f5c9927126..f7b8ce9326 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro 
@@ -133,62 +133,62 @@ function parse(unparsed_version: string): Description { # The regular expression should match the complete version number # and software name. - local version_parts = split_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1); - if ( 1 in version_parts ) + local version_parts = split_string_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1); + if ( 0 in version_parts ) { - if ( /^\(/ in version_parts[1] ) - software_name = strip(sub(version_parts[1], /[\(]/, "")); + if ( /^\(/ in version_parts[0] ) + software_name = strip(sub(version_parts[0], /[\(]/, "")); else - software_name = strip(version_parts[1]); + software_name = strip(version_parts[0]); } if ( |version_parts| >= 2 ) { # Remove the name/version separator if it's left at the beginning # of the version number from the previous split_all. - local sv = strip(version_parts[2]); + local sv = strip(version_parts[1]); if ( /^[\/\-\._v\(]/ in sv ) - sv = strip(sub(version_parts[2], /^\(?[\/\-\._v\(]/, "")); - local version_numbers = split_n(sv, /[\-\._,\[\(\{ ]/, F, 3); - if ( 5 in version_numbers && version_numbers[5] != "" ) - v$addl = strip(version_numbers[5]); - else if ( 3 in version_parts && version_parts[3] != "" && - version_parts[3] != ")" ) + sv = strip(sub(version_parts[1], /^\(?[\/\-\._v\(]/, "")); + local version_numbers = split_string_n(sv, /[\-\._,\[\(\{ ]/, F, 3); + if ( 4 in version_numbers && version_numbers[4] != "" ) + v$addl = strip(version_numbers[4]); + else if ( 2 in version_parts && version_parts[2] != "" && + version_parts[2] != ")" ) { - if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[3] ) + if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[2] ) { - v$addl = split_n(version_parts[3], /[\(\)]/, F, 2)[2]; + v$addl = split_string_n(version_parts[2], /[\(\)]/, F, 2)[1]; } else { - local vp = split_n(version_parts[3], /[\-\._,;\[\]\(\)\{\} ]/, F, 3); - if ( |vp| >= 1 && vp[1] != "" ) + local vp = 
split_string_n(version_parts[2], /[\-\._,;\[\]\(\)\{\} ]/, F, 3); + if ( |vp| >= 1 && vp[0] != "" ) + { + v$addl = strip(vp[0]); + } + else if ( |vp| >= 2 && vp[1] != "" ) { v$addl = strip(vp[1]); } - else if ( |vp| >= 2 && vp[2] != "" ) + else if ( |vp| >= 3 && vp[2] != "" ) { v$addl = strip(vp[2]); } - else if ( |vp| >= 3 && vp[3] != "" ) - { - v$addl = strip(vp[3]); - } else { - v$addl = strip(version_parts[3]); + v$addl = strip(version_parts[2]); } } } - if ( 4 in version_numbers && version_numbers[4] != "" ) - v$minor3 = extract_count(version_numbers[4]); if ( 3 in version_numbers && version_numbers[3] != "" ) - v$minor2 = extract_count(version_numbers[3]); + v$minor3 = extract_count(version_numbers[3]); if ( 2 in version_numbers && version_numbers[2] != "" ) - v$minor = extract_count(version_numbers[2]); + v$minor2 = extract_count(version_numbers[2]); if ( 1 in version_numbers && version_numbers[1] != "" ) - v$major = extract_count(version_numbers[1]); + v$minor = extract_count(version_numbers[1]); + if ( 0 in version_numbers && version_numbers[0] != "" ) + v$major = extract_count(version_numbers[0]); } } @@ -200,14 +200,14 @@ function parse_mozilla(unparsed_version: string): Description { local software_name = ""; local v: Version; - local parts: table[count] of string; + local parts: string_vec; if ( /Opera [0-9\.]*$/ in unparsed_version ) { software_name = "Opera"; - parts = split_all(unparsed_version, /Opera [0-9\.]*$/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Opera [0-9\.]*$/); + if ( 1 in parts ) + v = parse(parts[1])$version; } else if ( / MSIE |Trident\// in unparsed_version ) { 
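Review bot: The `4 in version_numbers` test in parse looks unreachable: version_numbers comes from `split_string_n(sv, /[\-\._,\[\(\{ ]/, F, 3)`, and if the last argument caps the number of separators at three, the result has at most four elements (indices 0–3), so the `v$addl = strip(version_numbers[4]);` branch is dead. The same held for `5 in version_numbers` before the index shift, so this is carried over rather than introduced, but the rewrite is the moment to resolve it — either raise the limit so a fifth piece can exist, or delete that branch so the version_parts[2] handling is the only source of `addl`. The enclosing function starts before this hunk.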
@@ -222,28 +222,28 @@ function parse_mozilla(unparsed_version: string): Description v = [$major=11,$minor=0]; else { - parts = split_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } } else if ( /Version\/.*Safari\// in unparsed_version ) { software_name = "Safari"; - parts = split_all(unparsed_version, /Version\/[0-9\.]*/); - if ( 2 in parts ) + parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/); + if ( 1 in parts ) { - v = parse(parts[2])$version; + v = parse(parts[1])$version; if ( / Mobile\/?.* Safari/ in unparsed_version ) v$addl = "Mobile"; } } else if ( /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/ in unparsed_version ) { - parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/); - if ( 2 in parts ) + parts = split_string_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/); + if ( 1 in parts ) { - local tmp_s = parse(parts[2]); + local tmp_s = parse(parts[1]); software_name = tmp_s$name; v = tmp_s$version; } 
@@ -251,48 +251,48 @@ function parse_mozilla(unparsed_version: string): Description else if ( /Chrome\/.*Safari\// in unparsed_version ) { software_name = "Chrome"; - parts = split_all(unparsed_version, /Chrome\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Chrome\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } else if ( /^Opera\// in unparsed_version ) { if ( /Opera M(ini|obi)\// in unparsed_version ) { - parts = split_all(unparsed_version, /Opera M(ini|obi)/); - if ( 2 in parts ) - software_name = parts[2]; - parts = split_all(unparsed_version, /Version\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Opera M(ini|obi)/); + if ( 1 in parts ) + software_name = parts[1]; + parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; else { - parts = split_all(unparsed_version, /Opera Mini\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Opera Mini\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } } else { software_name = "Opera"; - parts = split_all(unparsed_version, /Version\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } } else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version ) { software_name = "Unspecified WebKit"; - parts = split_all(unparsed_version, /AppleWebKit\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /AppleWebKit\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } else if ( / Java\/[0-9]\./ in unparsed_version ) { software_name = "Java"; - parts = split_all(unparsed_version, /Java\/[0-9\._]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = 
split_string_all(unparsed_version, /Java\/[0-9\._]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } return [$version=v, $unparsed_version=unparsed_version, $name=software_name]; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f71ebe7718..e8e35c2e3b 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -353,9 +353,10 @@ type connection: record { ## gives up and discards any internal state related to the file. const default_file_timeout_interval: interval = 2 mins &redef; -## Default amount of bytes that file analysis will buffer before raising -## :bro:see:`file_new`. -const default_file_bof_buffer_size: count = 1024 &redef; +## Default amount of bytes that file analysis will buffer in order to use +## for mime type matching. File analyzers attached at the time of mime type +## matching or later, will receive a copy of this buffer. +const default_file_bof_buffer_size: count = 4096 &redef; ## A file that Bro is analyzing. This is Bro's type for describing the basic ## internal metadata collected about a "file", which is essentially just a @@ -394,8 +395,10 @@ type fa_file: record { ## during the process of analysis e.g. due to dropped packets. missing_bytes: count &default=0; - ## The number of not all-in-sequence bytes in the file stream that - ## were delivered to file analyzers due to reassembly buffer overflow. + ## The number of bytes in the file stream that were not delivered to + ## stream file analyzers. Generally, this consists of bytes that + ## couldn't be reassembled, either because reassembly simply isn't + ## enabled, or due to size limitations of the reassembly buffer. overflow_bytes: count &default=0; ## The amount of time between receiving new data for this file that 
@@ -409,16 +412,6 @@ type fa_file: record { ## The content of the beginning of a file up to *bof_buffer_size* bytes. ## This is also the buffer that's used for file/mime type detection. bof_buffer: string &optional; - - ## The mime type of the strongest file magic signature matches against - ## the data chunk in *bof_buffer*, or in the cases where no buffering - ## of the beginning of file occurs, an initial guess of the mime type - ## based on the first data seen. - mime_type: string &optional; - - ## All mime types that matched file magic signatures against the data - ## chunk in *bof_buffer*, in order of their strength value. - mime_types: mime_matches &optional; } &redef; ## Fields of a SYN packet. diff --git a/scripts/base/protocols/dhcp/utils.bro b/scripts/base/protocols/dhcp/utils.bro index e49bfe6af9..9d5a422128 100644 --- a/scripts/base/protocols/dhcp/utils.bro +++ b/scripts/base/protocols/dhcp/utils.bro @@ -13,7 +13,7 @@ export { function reverse_ip(ip: addr): addr { - local octets = split(cat(ip), /\./); - return to_addr(cat(octets[4], ".", octets[3], ".", octets[2], ".", octets[1])); + local octets = split_string(cat(ip), /\./); + return to_addr(cat(octets[3], ".", octets[2], ".", octets[1], ".", octets[0])); } diff --git a/scripts/base/protocols/dnp3/dpd.sig b/scripts/base/protocols/dnp3/dpd.sig index c482661a43..9de16e15f9 100644 --- a/scripts/base/protocols/dnp3/dpd.sig +++ b/scripts/base/protocols/dnp3/dpd.sig @@ -5,5 +5,11 @@ signature dpd_dnp3_server { ip-proto == tcp payload /\x05\x64/ tcp-state responder - enable "dnp3" + enable "dnp3_tcp" +} + +signature dpd_dnp3_server_udp { + ip-proto == udp + payload /\x05\x64/ + enable "dnp3_udp" } diff --git a/scripts/base/protocols/dnp3/main.bro b/scripts/base/protocols/dnp3/main.bro index 3e5eede462..c00934a65b 100644 --- a/scripts/base/protocols/dnp3/main.bro +++ b/scripts/base/protocols/dnp3/main.bro 
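Review bot: The new dpd_dnp3_server_udp signature matches on only the two-byte start `\x05\x64` of any UDP payload, with no direction constraint, whereas its TCP counterpart at least requires `tcp-state responder`; two bytes of magic across all UDP traffic is likely to attach the analyzer to unrelated flows, each of which costs analyzer work and may produce noise in the DNP3 log. Consider extending the payload pattern to cover more of the fixed-position link-layer header that follows the start bytes so the match is more specific. Whether the UDP analyzer itself validates the header and detaches on violation is not visible here.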
@@ -31,16 +31,16 @@ redef record connection += { dnp3: Info &optional; }; -const ports = { 20000/tcp }; +const ports = { 20000/tcp , 20000/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3]); - Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3, ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports); } -event dnp3_application_request_header(c: connection, is_orig: bool, fc: count) +event dnp3_application_request_header(c: connection, is_orig: bool, application_control: count, fc: count) { if ( ! c?$dnp3 ) c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id]; @@ -49,7 +49,7 @@ event dnp3_application_request_header(c: connection, is_orig: bool, fc: count) c$dnp3$fc_request = function_codes[fc]; } -event dnp3_application_response_header(c: connection, is_orig: bool, fc: count, iin: count) +event dnp3_application_response_header(c: connection, is_orig: bool, application_control: count, fc: count, iin: count) { if ( ! c?$dnp3 ) c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id]; diff --git a/scripts/base/protocols/ftp/files.bro b/scripts/base/protocols/ftp/files.bro index b507ca32a7..617b57348b 100644 --- a/scripts/base/protocols/ftp/files.bro +++ b/scripts/base/protocols/ftp/files.bro @@ -17,6 +17,10 @@ export { ## Describe the file being transferred. global describe_file: function(f: fa_file): string; + + redef record fa_file += { + ftp: FTP::Info &optional; + }; } function get_file_handle(c: connection, is_orig: bool): string @@ -48,7 +52,6 @@ event bro_init() &priority=5 $describe = FTP::describe_file]); } - event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5 { if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected ) 
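Review bot: `Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports)` is now handed a set that includes 20000/udp, so the TCP analyzer is registered on a UDP port; the dpd.sig change in this same diff enables a separate "dnp3_udp" analyzer, which suggests the UDP port should instead be registered for that analyzer (presumably Analyzer::ANALYZER_DNP3_UDP). Splitting the set, e.g. `const tcp_ports = { 20000/tcp };` and `const udp_ports = { 20000/udp };` with one register_for_ports call per analyzer, keeps `likely_server_ports` covering both. The new `application_control` parameter on both event handlers is unused in the bodies shown, which is fine if the event signature changed underneath but could be noted in a comment.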
@@ -56,6 +59,14 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori local ftp = ftp_data_expected[c$id$resp_h, c$id$resp_p]; ftp$fuid = f$id; - if ( f?$mime_type ) - ftp$mime_type = f$mime_type; + + f$ftp = ftp; + } + +event file_mime_type(f: fa_file, mime_type: string) &priority=5 + { + if ( ! f?$ftp ) + return; + + f$ftp$mime_type = mime_type; } diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 9bc1f0d0f1..24195c1d7e 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -274,7 +274,7 @@ event file_transferred(c: connection, prefix: string, descr: string, if ( [id$resp_h, id$resp_p] in ftp_data_expected ) { local s = ftp_data_expected[id$resp_h, id$resp_p]; - s$mime_type = split1(mime_type, /;/)[1]; + s$mime_type = split_string1(mime_type, /;/)[0]; } } diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro index ff5c915801..9fcf7f24f7 100644 --- a/scripts/base/protocols/http/entities.bro +++ b/scripts/base/protocols/http/entities.bro @@ -35,6 +35,10 @@ export { ## body. resp_mime_depth: count &default=0; }; + + redef record fa_file += { + http: HTTP::Info &optional; + }; } event http_begin_entity(c: connection, is_orig: bool) &priority=10 @@ -67,6 +71,8 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori { if ( f$source == "HTTP" && c?$http ) { + f$http = c$http; + if ( c$http?$current_entity && c$http$current_entity?$filename ) f$info$filename = c$http$current_entity$filename; @@ -76,14 +82,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori c$http$orig_fuids = string_vec(f$id); else c$http$orig_fuids[|c$http$orig_fuids|] = f$id; - - if ( f?$mime_type ) - { - if ( ! c$http?$orig_mime_types ) - c$http$orig_mime_types = string_vec(f$mime_type); - else - c$http$orig_mime_types[|c$http$orig_mime_types|] = f$mime_type; - } } else { 
@@ -91,17 +89,29 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori c$http$resp_fuids = string_vec(f$id); else c$http$resp_fuids[|c$http$resp_fuids|] = f$id; - - if ( f?$mime_type ) - { - if ( ! c$http?$resp_mime_types ) - c$http$resp_mime_types = string_vec(f$mime_type); - else - c$http$resp_mime_types[|c$http$resp_mime_types|] = f$mime_type; - } } } + } +event file_mime_type(f: fa_file, mime_type: string) &priority=5 + { + if ( ! f?$http || ! f?$is_orig ) + return; + + if ( f$is_orig ) + { + if ( ! f$http?$orig_mime_types ) + f$http$orig_mime_types = string_vec(mime_type); + else + f$http$orig_mime_types[|f$http$orig_mime_types|] = mime_type; + } + else + { + if ( ! f$http?$resp_mime_types ) + f$http$resp_mime_types = string_vec(mime_type); + else + f$http$resp_mime_types[|f$http$resp_mime_types|] = mime_type; + } } event http_end_entity(c: connection, is_orig: bool) &priority=5 diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 0457da8ccf..2349635844 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -242,7 +242,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr else if ( name == "HOST" ) # The split is done to remove the occasional port value that shows up here. - c$http$host = split1(value, /:/)[1]; + c$http$host = split_string1(value, /:/)[0]; else if ( name == "RANGE" ) c$http$range_request = T; @@ -262,12 +262,12 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( /^[bB][aA][sS][iI][cC] / in value ) { local userpass = decode_base64(sub(value, /[bB][aA][sS][iI][cC][[:blank:]]/, "")); - local up = split(userpass, /:/); + local up = split_string(userpass, /:/); if ( |up| >= 2 ) { - c$http$username = up[1]; + c$http$username = up[0]; if ( c$http$capture_password ) - c$http$password = up[2]; + c$http$password = up[1]; } else { 
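Review bot: `c$http$host = split_string1(value, /:/)[0];` keeps only the text before the first colon of the Host header, so a bracketed IPv6 literal with a port (constructed example: `[2001:db8::1]:8080`) is recorded as `[2001`. Stripping only a trailing port, e.g. `c$http$host = sub(value, /:[0-9]+$/, "");`, handles both hostnames and IPv6 literals. This behaviour predates the commit; the index change merely carries it over.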
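Review bot: The Basic-Auth parsing at `local up = split_string(userpass, /:/);` splits the decoded credential at every colon, so a password containing ':' is truncated to its first segment in `c$http$password`; RFC 7617 defines the password as everything after the first colon. `local up = split_string1(userpass, /:/);` yields exactly two elements and preserves the full password, and the existing `|up| >= 2` guard still applies. This is pre-existing behaviour carried over by the index change, not introduced here.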
diff --git a/scripts/base/protocols/http/utils.bro b/scripts/base/protocols/http/utils.bro index 3c75ae254b..88549f8404 100644 --- a/scripts/base/protocols/http/utils.bro +++ b/scripts/base/protocols/http/utils.bro @@ -42,12 +42,12 @@ function extract_keys(data: string, kv_splitter: pattern): string_vec { local key_vec: vector of string = vector(); - local parts = split(data, kv_splitter); + local parts = split_string(data, kv_splitter); for ( part_index in parts ) { - local key_val = split1(parts[part_index], /=/); - if ( 1 in key_val ) - key_vec[|key_vec|] = key_val[1]; + local key_val = split_string1(parts[part_index], /=/); + if ( 0 in key_val ) + key_vec[|key_vec|] = key_val[0]; } return key_vec; } diff --git a/scripts/base/protocols/irc/files.bro b/scripts/base/protocols/irc/files.bro index 7e077c8331..518775abb4 100644 --- a/scripts/base/protocols/irc/files.bro +++ b/scripts/base/protocols/irc/files.bro @@ -12,6 +12,10 @@ export { ## Default file handle provider for IRC. global get_file_handle: function(c: connection, is_orig: bool): string; + + redef record fa_file += { + irc: IRC::Info &optional; + }; } function get_file_handle(c: connection, is_orig: bool): string @@ -34,6 +38,12 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori irc$fuid = f$id; if ( irc?$dcc_file_name ) f$info$filename = irc$dcc_file_name; - if ( f?$mime_type ) - irc$dcc_mime_type = f$mime_type; + + f$irc = irc; } + +event file_mime_type(f: fa_file, mime_type: string) &priority=5 + { + if ( f?$irc ) + f$irc$dcc_mime_type = mime_type; + } \ No newline at end of file diff --git a/scripts/base/protocols/mysql/main.bro b/scripts/base/protocols/mysql/main.bro index d0d3d4b3d6..748049965a 100644 --- a/scripts/base/protocols/mysql/main.bro +++ b/scripts/base/protocols/mysql/main.bro 
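Review bot: irc/files.bro ends without a trailing newline after the new file_mime_type handler (`\ No newline at end of file`), while numbers.bro in this same diff had its missing newline fixed; add the newline for consistency. The handler itself, `if ( f?$irc ) f$irc$dcc_mime_type = mime_type;`, follows the file's brace-less single-statement style, which is fine.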
@@ -18,8 +18,10 @@ export { cmd: string &log; ## The argument issued to the command arg: string &log; - ## The result (error, OK, etc.) from the server - result: string &log &optional; + ## Did the server tell us that the command succeeded? + success: bool &log &optional; + ## The number of affected rows, if any + rows: count &log &optional; ## Server message, if any response: string &log &optional; }; @@ -57,16 +59,21 @@ event mysql_handshake(c: connection, username: string) event mysql_command_request(c: connection, command: count, arg: string) &priority=5 { - if ( ! c?$mysql ) + if ( c?$mysql ) { - local info: Info; - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - info$cmd = commands[command]; - info$arg = sub(arg, /\0$/, ""); - c$mysql = info; + # We got a request, but we haven't logged our + # previous request yet, so let's do that now. + Log::write(mysql::LOG, c$mysql); + delete c$mysql; } + + local info: Info; + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + info$cmd = commands[command]; + info$arg = sub(arg, /\0$/, ""); + c$mysql = info; } event mysql_command_request(c: connection, command: count, arg: string) &priority=-5 @@ -83,7 +90,7 @@ event mysql_error(c: connection, code: count, msg: string) &priority=5 { if ( c?$mysql ) { - c$mysql$result = "error"; + c$mysql$success = F; c$mysql$response = msg; } } @@ -101,8 +108,8 @@ event mysql_ok(c: connection, affected_rows: count) &priority=5 { if ( c?$mysql ) { - c$mysql$result = "ok"; - c$mysql$response = fmt("Affected rows: %d", affected_rows); + c$mysql$success = T; + c$mysql$rows = affected_rows; } } @@ -114,3 +121,12 @@ event mysql_ok(c: connection, affected_rows: count) &priority=-5 delete c$mysql; } } + +event connection_state_remove(c: connection) &priority=-5 + { + if ( c?$mysql ) + { + Log::write(mysql::LOG, c$mysql); + delete c$mysql; + } + } 
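Review bot: `success` and `rows` are &optional and stay unset when a pending request is flushed by the next mysql_command_request or by the new connection_state_remove handler without mysql_ok or mysql_error having fired, so an absent `success` in the log means "no server response observed" rather than failure. The field comment should say so, e.g. `## Did the server tell us that the command succeeded? Unset if no response was seen.` and `## The number of affected rows, if the server reported success.`. Whether `commands[command]` is safe for an unknown command number depends on a &default on that table, which is not visible here.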
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index a22d93d2fa..925b0f4da5 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -98,7 +98,7 @@ event bro_init() &priority=5 function find_address_in_smtp_header(header: string): string { - local ips = find_ip_addresses(header); + local ips = extract_ip_addresses(header); # If there are more than one IP address found, return the second. if ( |ips| > 1 ) return ips[1]; @@ -163,7 +163,7 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) & { if ( ! c$smtp?$rcptto ) c$smtp$rcptto = set(); - add c$smtp$rcptto[split1(arg, /:[[:blank:]]*/)[2]]; + add c$smtp$rcptto[split_string1(arg, /:[[:blank:]]*/)[1]]; c$smtp$has_client_activity = T; } @@ -172,8 +172,8 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) & # Flush last message in case we didn't see the server's acknowledgement. smtp_message(c); - local partially_done = split1(arg, /:[[:blank:]]*/)[2]; - c$smtp$mailfrom = split1(partially_done, /[[:blank:]]?/)[1]; + local partially_done = split_string1(arg, /:[[:blank:]]*/)[1]; + c$smtp$mailfrom = split_string1(partially_done, /[[:blank:]]?/)[0]; c$smtp$has_client_activity = T; } } @@ -234,14 +234,14 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5 if ( ! c$smtp?$to ) c$smtp$to = set(); - local to_parts = split(h$value, /[[:blank:]]*,[[:blank:]]*/); + local to_parts = split_string(h$value, /[[:blank:]]*,[[:blank:]]*/); for ( i in to_parts ) add c$smtp$to[to_parts[i]]; } else if ( h$name == "X-ORIGINATING-IP" ) { - local addresses = find_ip_addresses(h$value); + local addresses = extract_ip_addresses(h$value); if ( 1 in addresses ) c$smtp$x_originating_ip = to_addr(addresses[1]); } diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 278a2a37ae..3d115419d4 100644 --- a/scripts/base/protocols/ssl/consts.bro 
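Review bot: `add c$smtp$rcptto[split_string1(arg, /:[[:blank:]]*/)[1]];` reads the second element without checking that the separator was present; an RCPT argument with no colon yields a single-element vector and an out-of-range vector index driven by client-supplied input, and the MAIL FROM handling in the next hunk (`partially_done = split_string1(arg, /:[[:blank:]]*/)[1]`) has the same shape. Both were carried over from the 1-based code rather than introduced here, but a length guard is cheap: `local rcpt = split_string1(arg, /:[[:blank:]]*/); if ( |rcpt| == 2 ) add c$smtp$rcptto[rcpt[1]];`.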
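Review bot: The X-ORIGINATING-IP branch switched to extract_ip_addresses, whose result is a 0-based string_vec (its definition in addrs.bro in this diff fills `output[|output|]`), but it still tests `1 in addresses` and reads `addresses[1]`; that is now the second address, so the field is never set when exactly one address is present, which is the common case. It should be `if ( 0 in addresses ) c$smtp$x_originating_ip = to_addr(addresses[0]);`. find_address_in_smtp_header earlier in this file reads `ips[1]` deliberately (its comment asks for the second address), so that site does not need the same change.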
+++ b/scripts/base/protocols/ssl/consts.bro @@ -158,12 +158,11 @@ export { [26] = "brainpoolP256r1", [27] = "brainpoolP384r1", [28] = "brainpoolP512r1", - # draft-ietf-tls-negotiated-ff-dhe-02 - [256] = "ffdhe2432", + # draft-ietf-tls-negotiated-ff-dhe-05 + [256] = "ffdhe2048", [257] = "ffdhe3072", [258] = "ffdhe4096", - [259] = "ffdhe6144", - [260] = "ffdhe8192", + [259] = "ffdhe8192", [0xFF01] = "arbitrary_explicit_prime_curves", [0xFF02] = "arbitrary_explicit_char2_curves" } &default=function(i: count):string { return fmt("unknown-%d", i); }; diff --git a/scripts/base/utils/active-http.bro b/scripts/base/utils/active-http.bro index 5dc512408a..de78eeac6d 100644 --- a/scripts/base/utils/active-http.bro +++ b/scripts/base/utils/active-http.bro @@ -105,21 +105,21 @@ function request(req: Request): ActiveHTTP::Response # The reply is the first line. if ( i == 0 ) { - local response_line = split_n(headers[0], /[[:blank:]]+/, F, 2); + local response_line = split_string_n(headers[0], /[[:blank:]]+/, F, 2); if ( |response_line| != 3 ) return resp; - resp$code = to_count(response_line[2]); - resp$msg = response_line[3]; + resp$code = to_count(response_line[1]); + resp$msg = response_line[2]; resp$body = join_string_vec(result$files[bodyfile], ""); } else { local line = headers[i]; - local h = split1(line, /:/); + local h = split_string1(line, /:/); if ( |h| != 2 ) next; - resp$headers[h[1]] = sub_bytes(h[2], 0, |h[2]|-1); + resp$headers[h[0]] = sub_bytes(h[1], 0, |h[1]|-1); } } return resp; diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro index 9e33e6d585..e8fd746e5e 100644 --- a/scripts/base/utils/addrs.bro +++ b/scripts/base/utils/addrs.bro 
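Review bot: The FFDHE entries are now pinned to draft-ietf-tls-negotiated-ff-dhe-05, and this very hunk shows the code points moving between drafts (256 renamed, 6144 dropped), so they may move again before the document is final. A comment recording that provisional status next to the draft reference, e.g. `# Provisional: code points taken from draft -05; re-check when the RFC is published`, would warn the next maintainer not to treat these as stable. The `&default` fallback to `unknown-%d` already keeps unrecognised values from breaking logging.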
@@ -32,7 +32,7 @@ const ip_addr_regex = ## octets: an array of strings to check for valid octet values. ## ## Returns: T if every element is between 0 and 255, inclusive, else F. -function has_valid_octets(octets: string_array): bool +function has_valid_octets(octets: string_vec): bool { local num = 0; for ( i in octets ) @@ -51,10 +51,10 @@ function has_valid_octets(octets: string_array): bool ## Returns: T if the string is a valid IPv4 or IPv6 address format. function is_valid_ip(ip_str: string): bool { - local octets: string_array; + local octets: string_vec; if ( ip_str == ipv4_addr_regex ) { - octets = split(ip_str, /\./); + octets = split_string(ip_str, /\./); if ( |octets| != 4 ) return F; @@ -67,13 +67,13 @@ function is_valid_ip(ip_str: string): bool { # the regexes for hybrid IPv6-IPv4 address formats don't for valid # octets within the IPv4 part, so do that now - octets = split(ip_str, /\./); + octets = split_string(ip_str, /\./); if ( |octets| != 4 ) return F; # get rid of remaining IPv6 stuff in first octet - local tmp = split(octets[1], /:/); - octets[1] = tmp[|tmp|]; + local tmp = split_string(octets[0], /:/); + octets[0] = tmp[|tmp| - 1]; return has_valid_octets(octets); } 
@@ -92,14 +92,32 @@ function is_valid_ip(ip_str: string): bool ## input: a string that may contain an IP address anywhere within it. ## ## Returns: an array containing all valid IP address strings found in *input*. -function find_ip_addresses(input: string): string_array +function find_ip_addresses(input: string): string_array &deprecated { - local parts = split_all(input, ip_addr_regex); + local parts = split_string_all(input, ip_addr_regex); local output: string_array; for ( i in parts ) { - if ( i % 2 == 0 && is_valid_ip(parts[i]) ) + if ( i % 2 == 1 && is_valid_ip(parts[i]) ) + output[|output|] = parts[i]; + } + return output; + } + +## Extracts all IP (v4 or v6) address strings from a given string. +## +## input: a string that may contain an IP address anywhere within it. +## +## Returns: an array containing all valid IP address strings found in *input*. +function extract_ip_addresses(input: string): string_vec + { + local parts = split_string_all(input, ip_addr_regex); + local output: string_vec; + + for ( i in parts ) + { + if ( i % 2 == 1 && is_valid_ip(parts[i]) ) output[|output|] = parts[i]; } return output; diff --git a/scripts/base/utils/exec.bro b/scripts/base/utils/exec.bro index 37ec35cb2c..15d88e9851 100644 --- a/scripts/base/utils/exec.bro +++ b/scripts/base/utils/exec.bro @@ -82,9 +82,9 @@ event Exec::line(description: Input::EventDescription, tpe: Input::Event, s: str event Exec::file_line(description: Input::EventDescription, tpe: Input::Event, s: string) { - local parts = split1(description$name, /_/); - local name = parts[1]; - local track_file = parts[2]; + local parts = split_string1(description$name, /_/); + local name = parts[0]; + local track_file = parts[1]; local result = results[name]; if ( ! result?$files ) 
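Review bot: find_ip_addresses gains `&deprecated` but its `##` block above is unchanged and does not name the replacement, so a reader of the generated docs only learns about extract_ip_addresses by accident; add `## Deprecated: use :bro:see:`extract_ip_addresses` instead.` to that block. The new extract_ip_addresses documentation also still says "Returns: an array", while the function returns a string_vec — "a vector" is the accurate word. The two bodies are otherwise identical apart from the result type, which is expected for a deprecation shim.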
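Review bot: Exec::file_line reads `parts[1]` unconditionally after `split_string1(description$name, /_/)`, whereas Input::end_of_data in the next hunk guards the same access with `|parts| < 2`; if description names are always generated by Exec with an underscore the read is safe, but the two handlers should be consistent. Either add the same `if ( |parts| < 2 ) return;` guard here or a comment stating why the name is guaranteed to contain the separator. The enclosing event handler continues past the hunk.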
@@ -99,13 +99,13 @@ event Exec::file_line(description: Input::EventDescription, tpe: Input::Event, s event Input::end_of_data(orig_name: string, source:string) { local name = orig_name; - local parts = split1(name, /_/); - name = parts[1]; + local parts = split_string1(name, /_/); + name = parts[0]; if ( name !in pending_commands || |parts| < 2 ) return; - local track_file = parts[2]; + local track_file = parts[1]; # If the file is empty, still add it to the result$files table. This is needed # because it is expected that the file was read even if it was empty. diff --git a/scripts/base/utils/files.bro b/scripts/base/utils/files.bro index b88ae5763e..766efd649c 100644 --- a/scripts/base/utils/files.bro +++ b/scripts/base/utils/files.bro @@ -23,7 +23,7 @@ function extract_filename_from_content_disposition(data: string): string # Remove quotes around the filename if they are there. if ( /^\"/ in filename ) - filename = split_n(filename, /\"/, F, 2)[2]; + filename = split_string_n(filename, /\"/, F, 2)[1]; # Remove the language and encoding if it's there. if ( /^[a-zA-Z0-9\!#$%&+-^_`{}~]+'[a-zA-Z0-9\!#$%&+-^_`{}~]*'/ in filename ) diff --git a/scripts/base/utils/numbers.bro b/scripts/base/utils/numbers.bro index 9b100862d4..da8c15d7a0 100644 --- a/scripts/base/utils/numbers.bro +++ b/scripts/base/utils/numbers.bro @@ -2,9 +2,9 @@ ## If no integer can be found, 0 is returned. function extract_count(s: string): count { - local parts = split_n(s, /[0-9]+/, T, 1); - if ( 2 in parts ) - return to_count(parts[2]); + local parts = split_string_n(s, /[0-9]+/, T, 1); + if ( 1 in parts ) + return to_count(parts[1]); else return 0; - } \ No newline at end of file + } diff --git a/scripts/base/utils/paths.bro b/scripts/base/utils/paths.bro index ce083eb6d0..6de5b85e2e 100644 --- a/scripts/base/utils/paths.bro +++ b/scripts/base/utils/paths.bro 
@@ -13,12 +13,12 @@ const absolute_path_pat = /(\/|[A-Za-z]:[\\\/]).*/; function extract_path(input: string): string { const dir_pattern = /(\/|[A-Za-z]:[\\\/])([^\"\ ]|(\\\ ))*/; - local parts = split_all(input, dir_pattern); + local parts = split_string_all(input, dir_pattern); if ( |parts| < 3 ) return ""; - return parts[2]; + return parts[1]; } ## Compresses a given path by removing '..'s and the parent directory it @@ -31,27 +31,27 @@ function compress_path(dir: string): string { const cdup_sep = /((\/)*([^\/]|\\\/)+)?((\/)+\.\.(\/)*)/; - local parts = split_n(dir, cdup_sep, T, 1); + local parts = split_string_n(dir, cdup_sep, T, 1); if ( |parts| > 1 ) { # reaching a point with two parent dir references back-to-back means # we don't know about anything higher in the tree to pop off - if ( parts[2] == "../.." ) - return cat_string_array(parts); - if ( sub_bytes(parts[2], 0, 1) == "/" ) - parts[2] = "/"; + if ( parts[1] == "../.." ) + return join_string_vec(parts, ""); + if ( sub_bytes(parts[1], 0, 1) == "/" ) + parts[1] = "/"; else - parts[2] = ""; - dir = cat_string_array(parts); + parts[1] = ""; + dir = join_string_vec(parts, ""); return compress_path(dir); } const multislash_sep = /(\/\.?){2,}/; - parts = split_all(dir, multislash_sep); + parts = split_string_all(dir, multislash_sep); for ( i in parts ) - if ( i % 2 == 0 ) + if ( i % 2 == 1 ) parts[i] = "/"; - dir = cat_string_array(parts); + dir = join_string_vec(parts, ""); # remove trailing slashes from path if ( |dir| > 1 && sub_bytes(dir, |dir|, 1) == "/" ) diff --git a/scripts/base/utils/patterns.bro b/scripts/base/utils/patterns.bro index 957e19a14b..47b8cf4e37 100644 --- a/scripts/base/utils/patterns.bro +++ b/scripts/base/utils/patterns.bro 
@@ -50,11 +50,11 @@ type PatternMatchResult: record { ## Returns: a record indicating the match status. function match_pattern(s: string, p: pattern): PatternMatchResult { - local a = split_n(s, p, T, 1); + local a = split_string_n(s, p, T, 1); if ( |a| == 1 ) # no match return [$matched = F, $str = "", $off = 0]; else - return [$matched = T, $str = a[2], $off = |a[1]| + 1]; + return [$matched = T, $str = a[1], $off = |a[0]| + 1]; } diff --git a/scripts/base/utils/urls.bro b/scripts/base/utils/urls.bro index d4279cd0ce..41a2ab5639 100644 --- a/scripts/base/utils/urls.bro +++ b/scripts/base/utils/urls.bro @@ -48,7 +48,7 @@ function find_all_urls_without_scheme(s: string): string_set function decompose_uri(s: string): URI { - local parts: string_array; + local parts: string_vec; local u: URI = [$netlocation="", $path="/"]; if ( /\?/ in s) 
@@ -56,55 +56,55 @@ function decompose_uri(s: string): URI # Parse query. u$params = table(); - parts = split1(s, /\?/); - s = parts[1]; - local query: string = parts[2]; + parts = split_string1(s, /\?/); + s = parts[0]; + local query: string = parts[1]; if ( /&/ in query ) { - local opv: table[count] of string = split(query, /&/); + local opv = split_string(query, /&/); for ( each in opv ) { if ( /=/ in opv[each] ) { - parts = split1(opv[each], /=/); - u$params[parts[1]] = parts[2]; + parts = split_string1(opv[each], /=/); + u$params[parts[0]] = parts[1]; } } } else { - parts = split1(query, /=/); - u$params[parts[1]] = parts[2]; + parts = split_string1(query, /=/); + u$params[parts[0]] = parts[1]; } } if ( /:\/\// in s ) { # Parse scheme and remove from s. - parts = split1(s, /:\/\//); - u$scheme = parts[1]; - s = parts[2]; + parts = split_string1(s, /:\/\//); + u$scheme = parts[0]; + s = parts[1]; } if ( /\// in s ) { # Parse path and remove from s. - parts = split1(s, /\//); - s = parts[1]; - u$path = fmt("/%s", parts[2]); + parts = split_string1(s, /\//); + s = parts[0]; + u$path = fmt("/%s", parts[1]); if ( |u$path| > 1 && u$path[|u$path| - 1] != "/" ) { local last_token: string = find_last(u$path, /\/.+/); - local full_filename = split1(last_token, /\//)[2]; + local full_filename = split_string1(last_token, /\//)[1]; if ( /\./ in full_filename ) { u$file_name = full_filename; - u$file_base = split1(full_filename, /\./)[1]; - u$file_ext = split1(full_filename, /\./)[2]; + u$file_base = split_string1(full_filename, /\./)[0]; + u$file_ext = split_string1(full_filename, /\./)[1]; } else { @@ -117,9 +117,9 @@ function decompose_uri(s: string): URI if ( /:/ in s ) { # Parse location and port. - parts = split1(s, /:/); - u$netlocation = parts[1]; - u$portnum = to_count(parts[2]); + parts = split_string1(s, /:/); + u$netlocation = parts[0]; + u$portnum = to_count(parts[1]); } else u$netlocation = s; 
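Review bot: The `else` branch of the query parsing does `parts = split_string1(query, /=/); u$params[parts[0]] = parts[1];` with no check that an `=` was present, so a query such as `?flag` yields a one-element vector and `parts[1]` is out of range; the `&` branch above avoids exactly this by testing `/=/ in opv[each]` first. Since `s` is normally an attacker-controlled URI taken from traffic, the single-parameter branch should apply the same test, e.g. `if ( /=/ in query ) { parts = split_string1(query, /=/); u$params[parts[0]] = parts[1]; }`. The same unchecked `[1]` appears in the second hunk for `u$portnum`, where `to_count(parts[1])` is safe only because the branch is entered on `/:/ in s`. `decompose_uri` begins in the previous hunk and ends outside this one.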
diff --git a/scripts/policy/frameworks/files/detect-MHR.bro b/scripts/policy/frameworks/files/detect-MHR.bro index 3000d2d83e..6917212356 100644 --- a/scripts/policy/frameworks/files/detect-MHR.bro +++ b/scripts/policy/frameworks/files/detect-MHR.bro @@ -42,15 +42,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -66,6 +66,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); } diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro index a961896640..864b685126 100644 --- a/scripts/policy/frameworks/intel/seen/http-headers.bro +++ b/scripts/policy/frameworks/intel/seen/http-headers.bro 
@@ -31,7 +31,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) case "X-FORWARDED-FOR": if ( is_valid_ip(value) ) { - local addrs = find_ip_addresses(value); + local addrs = extract_ip_addresses(value); for ( i in addrs ) { Intel::seen([$host=to_addr(addrs[i]), diff --git a/scripts/policy/frameworks/intel/seen/smtp.bro b/scripts/policy/frameworks/intel/seen/smtp.bro index d760995e51..0393dbab7d 100644 --- a/scripts/policy/frameworks/intel/seen/smtp.bro +++ b/scripts/policy/frameworks/intel/seen/smtp.bro @@ -30,10 +30,10 @@ event mime_end_entity(c: connection) if ( c$smtp?$mailfrom ) { - local mailfromparts = split_n(c$smtp$mailfrom, /<.+>/, T, 1); + local mailfromparts = split_string_n(c$smtp$mailfrom, /<.+>/, T, 1); if ( |mailfromparts| > 2 ) { - Intel::seen([$indicator=mailfromparts[2][1:-2], + Intel::seen([$indicator=mailfromparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_MAIL_FROM]); @@ -44,10 +44,10 @@ event mime_end_entity(c: connection) { for ( rcptto in c$smtp$rcptto ) { - local rcpttoparts = split_n(rcptto, /<.+>/, T, 1); + local rcpttoparts = split_string_n(rcptto, /<.+>/, T, 1); if ( |rcpttoparts| > 2 ) { - Intel::seen([$indicator=rcpttoparts[2][1:-2], + Intel::seen([$indicator=rcpttoparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_RCPT_TO]); @@ -57,10 +57,10 @@ event mime_end_entity(c: connection) if ( c$smtp?$from ) { - local fromparts = split_n(c$smtp$from, /<.+>/, T, 1); + local fromparts = split_string_n(c$smtp$from, /<.+>/, T, 1); if ( |fromparts| > 2 ) { - Intel::seen([$indicator=fromparts[2][1:-2], + Intel::seen([$indicator=fromparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_FROM]); 
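Review bot: The split/guard/slice sequence `split_string_n(..., /<.+>/, T, 1)`, `if ( |...| > 2 )`, `...[1][1:-2]` is repeated for mailfrom, rcptto and from in this hunk and again for to and reply_to in the next one, differing only in the input string and the `$where` value. Pulling it into a helper leaves one place that documents the index convention (element 1 is the `<...>` match because separators are included) and the `[1:-2]` bracket stripping, which is easy to get wrong again on the next index-base change. A sketch of the helper and one call site follows; the `mime_end_entity` handler starts and ends outside these hunks.
```bro
# Report the address inside the first <...> of s to the Intel framework.
function seen_bracketed_email(s: string, c: connection, where: Intel::Where)
	{
	# With separators included, element 1 is the "<...>" match itself.
	local parts = split_string_n(s, /<.+>/, T, 1);
	if ( |parts| > 2 )
		Intel::seen([$indicator=parts[1][1:-2],
		             $indicator_type=Intel::EMAIL,
		             $conn=c,
		             $where=where]);
	}

# ... unchanged: mime_end_entity up to the mailfrom check ...
	if ( c$smtp?$mailfrom )
		seen_bracketed_email(c$smtp$mailfrom, c, SMTP::IN_MAIL_FROM);
# ... unchanged: the rcptto/from/to/reply_to cases follow the same form ...
```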
@@ -71,10 +71,10 @@ event mime_end_entity(c: connection) { for ( email_to in c$smtp$to ) { - local toparts = split_n(email_to, /<.+>/, T, 1); + local toparts = split_string_n(email_to, /<.+>/, T, 1); if ( |toparts| > 2 ) { - Intel::seen([$indicator=toparts[2][1:-2], + Intel::seen([$indicator=toparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_TO]); @@ -84,10 +84,10 @@ event mime_end_entity(c: connection) if ( c$smtp?$reply_to ) { - local replytoparts = split_n(c$smtp$reply_to, /<.+>/, T, 1); + local replytoparts = split_string_n(c$smtp$reply_to, /<.+>/, T, 1); if ( |replytoparts| > 2 ) { - Intel::seen([$indicator=replytoparts[2][1:-2], + Intel::seen([$indicator=replytoparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_REPLY_TO]); diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro index ee8d90b21f..527623d621 100644 --- a/scripts/policy/frameworks/software/vulnerable.bro +++ b/scripts/policy/frameworks/software/vulnerable.bro @@ -55,18 +55,18 @@ function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRang return vvr; } - local versions = split1(vuln_sw, /\x09/); + local versions = split_string1(vuln_sw, /\x09/); for ( i in versions ) { - local field_and_ver = split1(versions[i], /=/); + local field_and_ver = split_string1(versions[i], /=/); if ( |field_and_ver| != 2 ) return vvr; #failure! - local ver = Software::parse(field_and_ver[2])$version; - if ( field_and_ver[1] == "min" ) + local ver = Software::parse(field_and_ver[1])$version; + if ( field_and_ver[0] == "min" ) vvr$min = ver; - else if ( field_and_ver[1] == "max" ) + else if ( field_and_ver[0] == "max" ) vvr$max = ver; } 
@@ -84,15 +84,15 @@ event grab_vulnerable_versions(i: count) when ( local result = lookup_hostname_txt(cat(i,".",vulnerable_versions_update_endpoint)) ) { - local parts = split1(result, /\x09/); + local parts = split_string1(result, /\x09/); if ( |parts| != 2 ) #failure or end of list! { schedule vulnerable_versions_update_interval { grab_vulnerable_versions(1) }; return; } - local sw = parts[1]; - local vvr = decode_vulnerable_version_range(parts[2]); + local sw = parts[0]; + local vvr = decode_vulnerable_version_range(parts[1]); if ( sw !in internal_vulnerable_versions ) internal_vulnerable_versions[sw] = set(); add internal_vulnerable_versions[sw][vvr]; diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index aa403e6a08..68151e209a 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro @@ -74,10 +74,10 @@ event bro_init() &priority=5 $threshold=icmp_time_exceeded_threshold, $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = { - local parts = split_n(key$str, /-/, F, 2); - local src = to_addr(parts[1]); - local dst = to_addr(parts[2]); - local proto = parts[3]; + local parts = split_string_n(key$str, /-/, F, 2); + local src = to_addr(parts[0]); + local dst = to_addr(parts[1]); + local proto = parts[2]; Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst, $proto=proto]); NOTICE([$note=Traceroute::Detected, $msg=fmt("%s seems to be running traceroute using %s", src, proto), diff --git a/scripts/policy/protocols/http/software-browser-plugins.bro b/scripts/policy/protocols/http/software-browser-plugins.bro index b466a9da40..ab4bb93b15 100644 --- a/scripts/policy/protocols/http/software-browser-plugins.bro +++ b/scripts/policy/protocols/http/software-browser-plugins.bro 
@@ -45,13 +45,13 @@ event log_http(rec: Info) if ( rec$omniture && rec?$uri ) { # We do {5,} because sometimes we see p=6 in the urls. - local parts = split_n(rec$uri, /&p=([^&]{5,});&/, T, 1); - if ( 2 in parts ) + local parts = split_string_n(rec$uri, /&p=([^&]{5,});&/, T, 1); + if ( 1 in parts ) { # We do sub_bytes here just to remove the extra extracted # characters from the regex split above. - local sw = sub_bytes(parts[2], 4, |parts[2]|-5); - local plugins = split(sw, /[[:blank:]]*;[[:blank:]]*/); + local sw = sub_bytes(parts[1], 4, |parts[1]|-5); + local plugins = split_string(sw, /[[:blank:]]*;[[:blank:]]*/); for ( i in plugins ) Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]); diff --git a/scripts/policy/protocols/smtp/blocklists.bro b/scripts/policy/protocols/smtp/blocklists.bro index b1fb0e498d..57aef4ee48 100644 --- a/scripts/policy/protocols/smtp/blocklists.bro +++ b/scripts/policy/protocols/smtp/blocklists.bro @@ -47,7 +47,7 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string, local message = fmt("%s received an error message mentioning an SMTP block list", c$id$orig_h); # Determine if the originator's IP address is in the message. - local ips = find_ip_addresses(msg); + local ips = extract_ip_addresses(msg); local text_ip = ""; if ( |ips| > 0 && to_addr(ips[0]) == c$id$orig_h ) { diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.bro index e2b0bb2faf..07f2cdebc4 100644 --- a/scripts/policy/protocols/ssl/notary.bro +++ b/scripts/policy/protocols/ssl/notary.bro 
@@ -70,23 +70,23 @@ event ssl_established(c: connection) &priority=3 clear_waitlist(digest); return; } - local fields = split(str, / /); + local fields = split_string(str, / /); if ( |fields| != 5 ) # version 1 has 5 fields. { clear_waitlist(digest); return; } - local version = split(fields[1], /=/)[2]; + local version = split_string(fields[0], /=/)[1]; if ( version != "1" ) { clear_waitlist(digest); return; } local r = notary_cache[digest]; - r$first_seen = to_count(split(fields[2], /=/)[2]); - r$last_seen = to_count(split(fields[3], /=/)[2]); - r$times_seen = to_count(split(fields[4], /=/)[2]); - r$valid = split(fields[5], /=/)[2] == "1"; + r$first_seen = to_count(split_string(fields[1], /=/)[1]); + r$last_seen = to_count(split_string(fields[2], /=/)[1]); + r$times_seen = to_count(split_string(fields[3], /=/)[1]); + r$valid = split_string(fields[4], /=/)[1] == "1"; # Assign notary answer to all records waiting for this digest. if ( digest in waitlist ) diff --git a/src/Attr.cc b/src/Attr.cc index 13106b02b7..fc8d3000d1 100644 --- a/src/Attr.cc +++ b/src/Attr.cc @@ -18,7 +18,7 @@ const char* attr_name(attr_tag t) "&encrypt", "&raw_output", "&mergeable", "&priority", "&group", "&log", "&error_handler", "&type_column", - "(&tracked)", + "(&tracked)", "&deprecated", }; return attr_names[int(t)]; @@ -212,6 +212,7 @@ void Attributes::DescribeReST(ODesc* d) const void Attributes::CheckAttr(Attr* a) { switch ( a->Tag() ) { + case ATTR_DEPRECATED: case ATTR_OPTIONAL: case ATTR_REDEF: break; diff --git a/src/Attr.h b/src/Attr.h index 228bc2e5fc..63f2524c21 100644 --- a/src/Attr.h +++ b/src/Attr.h @@ -34,7 +34,8 @@ typedef enum { ATTR_ERROR_HANDLER, ATTR_TYPE_COLUMN, // for input framework ATTR_TRACKED, // hidden attribute, tracked by NotifierRegistry -#define NUM_ATTRS (int(ATTR_TRACKED) + 1) + ATTR_DEPRECATED, +#define NUM_ATTRS (int(ATTR_DEPRECATED) + 1) } attr_tag; class Attr : public BroObj { diff --git a/src/Expr.cc b/src/Expr.cc index 671f9b2d41..d2dcb1585b 100644 
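Review bot: `split_string(fields[0], /=/)[1]` and the four `to_count(split_string(fields[N], /=/)[1])` lines assume every notary field contains an `=`; the response comes from a DNS TXT record, so a field without one gives a one-element vector and the `[1]` access fails at runtime, even though the surrounding code carefully validates the field count and the version before trusting the data. Splitting into a local first and checking its size, `local kv = split_string(fields[0], /=/); if ( |kv| != 2 ) { clear_waitlist(digest); return; }` (and likewise for the other four fields, or via a small `field_value` helper), keeps the validation consistent. The `ssl_established` handler starts and ends outside this hunk.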
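Review bot: `ATTR_DEPRECATED` is added to the `attr_tag` enum (Attr.h hunk) without the trailing comment its neighbours carry, and it sits after `ATTR_TRACKED`, which the existing comment describes as a hidden attribute; a comment such as `ATTR_DEPRECATED, // &deprecated: uses of the identifier emit a warning` would put the intent next to the value. The redefinition of `NUM_ATTRS` to the new last enumerator is correct, but the convention that it must track the final tag is easy to miss on the next addition and deserves a one-line note on the `#define`. The `attr_names` table in the Attr.cc hunk is updated in step, which is what keeps `attr_name()` in bounds. The enum starts outside the hunk.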
--- a/src/Expr.cc +++ b/src/Expr.cc @@ -3213,6 +3213,10 @@ FieldExpr::FieldExpr(Expr* arg_op, const char* arg_field_name) { SetType(rt->FieldType(field)->Ref()); td = rt->FieldDecl(field); + + if ( td->FindAttr(ATTR_DEPRECATED) ) + reporter->Warning("deprecated (%s$%s)", rt->GetName().c_str(), + field_name); } } } @@ -3333,6 +3337,9 @@ HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name) if ( field < 0 ) ExprError("no such field in record"); + else if ( rt->FieldDecl(field)->FindAttr(ATTR_DEPRECATED) ) + reporter->Warning("deprecated (%s?$%s)", rt->GetName().c_str(), + field_name); SetType(base_type(TYPE_BOOL)); } @@ -4147,16 +4154,28 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r) } for ( i = 0; i < map_size; ++i ) - if ( map[i] == -1 && - ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) ) + { + if ( map[i] == -1 ) { - char buf[512]; - safe_snprintf(buf, sizeof(buf), - "non-optional field \"%s\" missing", t_r->FieldName(i)); - Error(buf); - SetError(); - break; + if ( ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) ) + { + char buf[512]; + safe_snprintf(buf, sizeof(buf), + "non-optional field \"%s\" missing", + t_r->FieldName(i)); + Error(buf); + SetError(); + break; + } } + else + { + if ( t_r->FieldDecl(i)->FindAttr(ATTR_DEPRECATED) ) + reporter->Warning("deprecated (%s$%s)", + t_r->GetName().c_str(), + t_r->FieldName(i)); + } + } } } diff --git a/src/Frag.cc b/src/Frag.cc index d0389c264a..8ada148750 100644 --- a/src/Frag.cc +++ b/src/Frag.cc @@ -28,7 +28,7 @@ void FragTimer::Dispatch(double t, int /* is_expire */) FragReassembler::FragReassembler(NetSessions* arg_s, const IP_Hdr* ip, const u_char* pkt, HashKey* k, double t) - : Reassembler(0, REASSEM_IP) + : Reassembler(0) { s = arg_s; key = k; diff --git a/src/Func.cc b/src/Func.cc index d66e9c71fa..693a4535d4 100644 --- a/src/Func.cc +++ b/src/Func.cc 
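Review bot: The three new warning sites build the same message by hand — `reporter->Warning("deprecated (%s$%s)", rt->GetName().c_str(), field_name)` in `FieldExpr`, the `?$` variant in `HasFieldExpr`, and a third copy in the `RecordCoerceExpr` loop — so the `FindAttr(ATTR_DEPRECATED)` check and the wording live in three places. A small file-local helper, as below, keeps them in step when either changes; in `RecordCoerceExpr` the `else { if ( ... ) ... }` then collapses to `else if`. All three constructors start and end outside their hunks.
```cpp
// Emit the parse-time deprecation warning for a record field access;
// op is the operator text shown between the type and field name ("$" or "?$").
static void warn_if_deprecated_field(RecordType* rt, int field, const char* op)
	{
	if ( rt->FieldDecl(field)->FindAttr(ATTR_DEPRECATED) )
		reporter->Warning("deprecated (%s%s%s)", rt->GetName().c_str(),
		                  op, rt->FieldName(field));
	}

// ... unchanged: FieldExpr constructor up to the FieldDecl lookup ...
		td = rt->FieldDecl(field);
		warn_if_deprecated_field(rt, field, "$");
// ... unchanged: HasFieldExpr uses warn_if_deprecated_field(rt, field, "?$"),
//     RecordCoerceExpr uses warn_if_deprecated_field(t_r, i, "$") in its else branch ...
```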
@@ -323,7 +323,7 @@ int BroFunc::IsPure() const Val* BroFunc::Call(val_list* args, Frame* parent) const { #ifdef PROFILE_BRO_FUNCTIONS - DEBUG_MSG("Function: %s\n", id->Name()); + DEBUG_MSG("Function: %s\n", Name()); #endif SegmentProfiler(segment_logger, location); diff --git a/src/ID.cc b/src/ID.cc index aa965b880e..a308ffa81d 100644 --- a/src/ID.cc +++ b/src/ID.cc @@ -248,6 +248,16 @@ void ID::UpdateValAttrs() } } +void ID::MakeDeprecated() + { + if ( IsDeprecated() ) + return; + + attr_list* attr = new attr_list; + attr->append(new Attr(ATTR_DEPRECATED)); + AddAttrs(new Attributes(attr, Type(), false)); + } + void ID::AddAttrs(Attributes* a) { if ( attrs ) diff --git a/src/ID.h b/src/ID.h index 31cfad4191..805a8e391b 100644 --- a/src/ID.h +++ b/src/ID.h @@ -80,6 +80,11 @@ public: Attr* FindAttr(attr_tag t) const { return attrs ? attrs->FindAttr(t) : 0; } + bool IsDeprecated() const + { return FindAttr(ATTR_DEPRECATED) != 0; } + + void MakeDeprecated(); + void Error(const char* msg, const BroObj* o2 = 0); void Describe(ODesc* d) const; diff --git a/src/Reassem.cc b/src/Reassem.cc index 1ad0cb2717..8bf965427b 100644 --- a/src/Reassem.cc +++ b/src/Reassem.cc @@ -31,7 +31,7 @@ DataBlock::DataBlock(const u_char* data, uint64 size, uint64 arg_seq, uint64 Reassembler::total_size = 0; -Reassembler::Reassembler(uint64 init_seq, ReassemblerType arg_type) +Reassembler::Reassembler(uint64 init_seq) { blocks = last_block = 0; trim_seq = last_reassem_seq = init_seq; diff --git a/src/Reassem.h b/src/Reassem.h index 7b77a628d8..39617f7816 100644 --- a/src/Reassem.h +++ b/src/Reassem.h @@ -22,11 +22,10 @@ public: }; -enum ReassemblerType { REASSEM_IP, REASSEM_TCP }; class Reassembler : public BroObj { public: - Reassembler(uint64 init_seq, ReassemblerType arg_type); + Reassembler(uint64 init_seq); virtual ~Reassembler(); void NewBlock(double t, uint64 seq, uint64 len, const u_char* data); diff --git a/src/SerialTypes.h b/src/SerialTypes.h index 81ccbc030e..d2f227838c 100644 
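Review bot: `ID::MakeDeprecated` passes `Type()` and a bare `false` to the `Attributes` constructor, and nothing in the hunk says whether `Attributes` takes ownership of the `attr_list` and of the type it receives, so a reader cannot tell from this function whether `Type()` needs a `Ref()` here the way `this->Ref()` is used in `EnumType::CheckAndAddName`. A short comment stating the ownership (e.g. `// Attributes owns attr; Type() is passed without Ref() because ... -- confirm`) and a `/* in_record */`-style annotation on the boolean would make the call self-explaining. The early return when `IsDeprecated()` is already true is worth keeping, since `AddAttrs` would presumably otherwise append a second `&deprecated`. `AddAttrs` itself continues past the end of the hunk.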
--- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -87,6 +87,7 @@ SERIAL_TCP_CONTENTS(TCP_NVT, 3) #define SERIAL_REASSEMBLER(name, val) SERIAL_CONST(name, val, REASSEMBLER) SERIAL_REASSEMBLER(REASSEMBLER, 1) SERIAL_REASSEMBLER(TCP_REASSEMBLER, 2) +SERIAL_REASSEMBLER(FILE_REASSEMBLER, 3) #define SERIAL_VAL(name, val) SERIAL_CONST(name, val, VAL) SERIAL_VAL(VAL, 1) diff --git a/src/Type.cc b/src/Type.cc index ead31f1b7d..9aa86da8dc 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -1434,7 +1434,7 @@ EnumType::~EnumType() // Note, we use reporter->Error() here (not Error()) to include the current script // location in the error message, rather than the one where the type was // originally defined. -void EnumType::AddName(const string& module_name, const char* name, bool is_export) +void EnumType::AddName(const string& module_name, const char* name, bool is_export, bool deprecated) { /* implicit, auto-increment */ if ( counter < 0) @@ -1443,11 +1443,11 @@ void EnumType::AddName(const string& module_name, const char* name, bool is_expo SetError(); return; } - CheckAndAddName(module_name, name, counter, is_export); + CheckAndAddName(module_name, name, counter, is_export, deprecated); counter++; } -void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export) +void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export, bool deprecated) { /* explicit value specified */ if ( counter > 0 ) @@ -1457,11 +1457,11 @@ void EnumType::AddName(const string& module_name, const char* name, bro_int_t va return; } counter = -1; - CheckAndAddName(module_name, name, val, is_export); + CheckAndAddName(module_name, name, val, is_export, deprecated); } void EnumType::CheckAndAddName(const string& module_name, const char* name, - bro_int_t val, bool is_export) + bro_int_t val, bool is_export, bool deprecated) { if ( Lookup(val) ) { 
@@ -1477,6 +1477,10 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name, id = install_ID(name, module_name.c_str(), true, is_export); id->SetType(this->Ref()); id->SetEnumConst(); + + if ( deprecated ) + id->MakeDeprecated(); + broxygen_mgr->Identifier(id); } else diff --git a/src/Type.h b/src/Type.h index a9f1e42a6d..f902b0d907 100644 --- a/src/Type.h +++ b/src/Type.h @@ -554,12 +554,12 @@ public: // The value of this name is next internal counter value, starting // with zero. The internal counter is incremented. - void AddName(const string& module_name, const char* name, bool is_export); + void AddName(const string& module_name, const char* name, bool is_export, bool deprecated); // The value of this name is set to val. Once a value has been // explicitly assigned using this method, no further names can be // added that aren't likewise explicitly initalized. - void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export); + void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export, bool deprecated); // -1 indicates not found. bro_int_t Lookup(const string& module_name, const char* name) const; @@ -580,7 +580,8 @@ protected: const char* name, bro_int_t val, bool is_export); void CheckAndAddName(const string& module_name, - const char* name, bro_int_t val, bool is_export); + const char* name, bro_int_t val, bool is_export, + bool deprecated); typedef std::map< const char*, bro_int_t, ltstr > NameMap; NameMap names; diff --git a/src/Var.cc b/src/Var.cc index 0a196b9cac..95ec5802ef 100644 --- a/src/Var.cc +++ b/src/Var.cc @@ -435,6 +435,10 @@ void end_func(Stmt* body, attr_list* attrs) loop_over_list(*attrs, i) { Attr* a = (*attrs)[i]; + + if ( a->Tag() == ATTR_DEPRECATED ) + continue; + if ( a->Tag() != ATTR_PRIORITY ) { a->Error("illegal attribute for function body"); 
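Review bot: The new trailing `bool deprecated` on both `AddName` overloads and on `CheckAndAddName` (Type.h hunks) is not mentioned in the comments above them, and sitting next to `bool is_export` it produces call sites of the form `..., true, false)` whose meaning cannot be read without the header. Extending the existing comment with `// If deprecated is true the installed enum constant is marked &deprecated via ID::MakeDeprecated(), so later uses warn.` documents the behaviour the Type.cc hunk shows; if the codebase allows it, a two-value enum instead of the bool would also remove the ambiguity at call sites. The enclosing class declaration starts and ends outside these hunks.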
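Review bot: The `continue` for `ATTR_DEPRECATED` in `end_func` (Var.cc hunk) makes the attribute legal on a function body but gives no hint why it is skipped here; a comment such as `// &deprecated is accepted on functions; it is acted on at use sites, not here.` would help the next reader. Whether the attribute is actually retained for the function, rather than merely not reported as illegal, depends on what the loop does after the priority check, which lies outside the hunk. `end_func` starts and ends outside this hunk.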
diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc index 9d9ddf0c35..b04dbf64e0 100644 --- a/src/analyzer/protocol/dnp3/DNP3.cc +++ b/src/analyzer/protocol/dnp3/DNP3.cc @@ -97,7 +97,6 @@ // Binpac DNP3 Analyzer #include "DNP3.h" -#include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "events.bif.h" using namespace analyzer::dnp3; @@ -109,12 +108,14 @@ const unsigned int PSEUDO_APP_LAYER_INDEX = 11; // index of first DNP3 app-laye const unsigned int PSEUDO_TRANSPORT_LEN = 1; // length of DNP3 Transport Layer const unsigned int PSEUDO_LINK_LAYER_LEN = 8; // length of DNP3 Pseudo Link Layer -bool DNP3_Analyzer::crc_table_initialized = false; -unsigned int DNP3_Analyzer::crc_table[256]; +bool DNP3_Base::crc_table_initialized = false; +unsigned int DNP3_Base::crc_table[256]; -DNP3_Analyzer::DNP3_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("DNP3", c) + +DNP3_Base::DNP3_Base(analyzer::Analyzer* arg_analyzer) { - interp = new binpac::DNP3::DNP3_Conn(this); + analyzer = arg_analyzer; + interp = new binpac::DNP3::DNP3_Conn(analyzer); ClearEndpointState(true); ClearEndpointState(false); 
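Review bot: The definition `DNP3_Base::DNP3_Base(analyzer::Analyzer* arg_analyzer)` names its parameter differently from the declaration in the DNP3.h hunk, `DNP3_Base(analyzer::Analyzer* analyzer)`, where the parameter name also shadows the `analyzer` member; picking `arg_analyzer` in both places avoids the shadowing and keeps the two in step. Initialising the two members in the initializer list, `: analyzer(arg_analyzer), interp(new binpac::DNP3::DNP3_Conn(arg_analyzer))`, would match the style of the derived constructors added later in the file. The constructor body continues into the next hunk.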
@@ -123,49 +124,12 @@ DNP3_Analyzer::DNP3_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("DNP3", c) PrecomputeCRCTable(); } -DNP3_Analyzer::~DNP3_Analyzer() +DNP3_Base::~DNP3_Base() { delete interp; } -void DNP3_Analyzer::Done() - { - TCP_ApplicationAnalyzer::Done(); - - interp->FlowEOF(true); - interp->FlowEOF(false); - } - -void DNP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig) - { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); - - try - { - if ( ! ProcessData(len, data, orig) ) - SetSkip(1); - } - - catch ( const binpac::Exception& e ) - { - SetSkip(1); - throw; - } - } - -void DNP3_Analyzer::Undelivered(uint64 seq, int len, bool orig) - { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); - interp->NewGap(orig, len); - } - -void DNP3_Analyzer::EndpointEOF(bool is_orig) - { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); - interp->FlowEOF(is_orig); - } - -bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig) +bool DNP3_Base::ProcessData(int len, const u_char* data, bool orig) { Endpoint* endp = orig ? &orig_state : &resp_state; 
@@ -174,25 +138,30 @@ bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig) if ( endp->in_hdr ) { // We're parsing the DNP3 header and link layer, get that in full. - if ( ! AddToBuffer(endp, PSEUDO_APP_LAYER_INDEX, &data, &len) ) + int res = AddToBuffer(endp, PSEUDO_APP_LAYER_INDEX, &data, &len); + + if ( res == 0 ) return true; + if ( res < 0 ) + return false; + // The first two bytes must always be 0x0564. if( endp->buffer[0] != 0x05 || endp->buffer[1] != 0x64 ) { - Weird("dnp3_header_lacks_magic"); + analyzer->Weird("dnp3_header_lacks_magic"); return false; } // Make sure header checksum is correct. if ( ! CheckCRC(PSEUDO_LINK_LAYER_LEN, endp->buffer, endp->buffer + PSEUDO_LINK_LAYER_LEN, "header") ) { - ProtocolViolation("broken_checksum"); + analyzer->ProtocolViolation("broken_checksum"); return false; } // If the checksum works out, we're pretty certainly DNP3. - ProtocolConfirmation(); + analyzer->ProtocolConfirmation(); // DNP3 packets without transport and application // layers can happen, we ignore them. @@ -207,7 +176,7 @@ bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig) u_char ctrl = endp->buffer[PSEUDO_CONTROL_FIELD_INDEX]; if ( orig != (bool)(ctrl & 0x80) ) - Weird("dnp3_unexpected_flow_direction"); + analyzer->Weird("dnp3_unexpected_flow_direction"); // Update state. endp->pkt_length = endp->buffer[PSEUDO_LENGTH_INDEX]; @@ -222,7 +191,11 @@ bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig) if ( ! endp->in_hdr ) { - assert(endp->pkt_length); + if ( endp->pkt_length <= 0 ) + { + analyzer->Weird("dnp3_negative_or_zero_length_link_layer"); + return false; + } // We're parsing the DNP3 application layer, get that // in full now as well. We calculate the number of 
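Review bot: The new guard `if ( endp->pkt_length <= 0 )` can only fire for zero, because `pkt_length` is read from `endp->buffer[PSEUDO_LENGTH_INDEX]`, a `u_char`, so the weird name `dnp3_negative_or_zero_length_link_layer` promises more than the check can observe. The value that matters is the `pkt_length - 5` used to size the application layer in the next hunk: a length of 1 to 4 makes it negative, and unless the "packets without transport and application layers" branch above (partly cut from this hunk) already rejects such lengths, the computed target falls below `buffer_len` and is caught only by `AddToBuffer`'s internal-error path. Checking `endp->pkt_length < 5` here, with a weird name that says so, would reject it as malformed input at the point where the length is known. `ProcessData` starts and ends outside this hunk.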
@@ -230,11 +203,17 @@ bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig) // the packet length by determining how much 16-byte // chunks fit in there, and then add 2 bytes CRC for // each. - int n = PSEUDO_APP_LAYER_INDEX + (endp->pkt_length - 5) + ((endp->pkt_length - 5) / 16) * 2 + 2 - 1; + int n = PSEUDO_APP_LAYER_INDEX + (endp->pkt_length - 5) + ((endp->pkt_length - 5) / 16) * 2 + + 2 * ( ((endp->pkt_length - 5) % 16 == 0) ? 0 : 1) - 1 ; - if ( ! AddToBuffer(endp, n, &data, &len) ) + int res = AddToBuffer(endp, n, &data, &len); + + if ( res == 0 ) return true; + if ( res < 0 ) + return false; + // Parse the the application layer data. if ( ! ParseAppLayer(endp) ) return false; 
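Review bot: The rewritten expression for `n` packs the application-layer size, the per-16-byte-chunk CRC count, the extra CRC for a partial chunk and a `- 1` into one line, which makes the actual fix (the partial-chunk term the old line lacked) hard to verify by reading. Naming the intermediate values, as below, keeps the arithmetic identical while making each term visible; the trailing `- 1` is not explained by the comment above and deserves a word of its own (I assume it turns a count into a last index, but cannot confirm that from the hunk). `ProcessData` starts and ends outside this hunk.
```cpp
			// Application-layer bytes beyond the five link-layer header bytes that
			// pkt_length already counts, plus a 2-byte CRC per full 16-byte chunk
			// and one more for a trailing partial chunk.
			int app_len = endp->pkt_length - 5;
			int num_crcs = app_len / 16 + (app_len % 16 == 0 ? 0 : 1);
			int n = PSEUDO_APP_LAYER_INDEX + app_len + 2 * num_crcs - 1;
			// ... unchanged: AddToBuffer call and result handling ...
```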
@@ -248,22 +227,45 @@ bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig) return true; } -bool DNP3_Analyzer::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len) +int DNP3_Base::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len) { if ( ! target_len ) - return true; + return 1; + + if ( *len < 0 ) + { + reporter->AnalyzerError(analyzer, "dnp3 negative input length: %d", *len); + return -1; + } + + if ( target_len < endp->buffer_len ) + { + reporter->AnalyzerError(analyzer, "dnp3 invalid target length: %d - %d", + target_len, endp->buffer_len); + return -1; + } int to_copy = min(*len, target_len - endp->buffer_len); + if ( endp->buffer_len + to_copy > MAX_BUFFER_SIZE ) + { + reporter->AnalyzerError(analyzer, "dnp3 buffer length exceeded: %d + %d", + endp->buffer_len, to_copy); + return -1; + } + memcpy(endp->buffer + endp->buffer_len, *data, to_copy); *data += to_copy; *len -= to_copy; endp->buffer_len += to_copy; - return endp->buffer_len == target_len; + if ( endp->buffer_len == target_len ) + return 1; + + return 0; } -bool DNP3_Analyzer::ParseAppLayer(Endpoint* endp) +bool DNP3_Base::ParseAppLayer(Endpoint* endp) { bool orig = (endp == &orig_state); binpac::DNP3::DNP3_Flow* flow = orig ? interp->upflow() : interp->downflow(); @@ -291,8 +293,15 @@ bool DNP3_Analyzer::ParseAppLayer(Endpoint* endp) if ( ! CheckCRC(n, data, data + n, "app_chunk") ) return false; + if ( data + n >= endp->buffer + endp->buffer_len ) + { + reporter->AnalyzerError(analyzer, + "dnp3 app layer parsing overflow %d - %d", + endp->buffer_len, n); + return false; + } + // Pass on to BinPAC. - assert(data + n < endp->buffer + endp->buffer_len); flow->flow_buffer()->BufferData(data + transport, data + n); transport = 0; 
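Review bot: In `AddToBuffer`, the `target_len < endp->buffer_len` branch is reachable from a wire-derived value — `target_len` is the `n` computed from `pkt_length` in `ProcessData` — unless short lengths are filtered earlier, so a remote peer may be able to drive `reporter->AnalyzerError`, which is the internal-error channel, with merely malformed input. Reporting that case the way the rest of this file treats bad input, `analyzer->Weird("dnp3_...")` followed by `return -1;`, keeps `AnalyzerError` for the genuine caller bugs (`*len < 0`, and the buffer-size check, which by the bounds on `n` should be unreachable). The new three-valued return is documented in the header hunk but not at the definition; a one-line pointer there would spare readers a trip to DNP3.h. `AddToBuffer` is complete within this hunk; `ParseAppLayer` continues past it.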
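Review bot: `if ( data + n >= endp->buffer + endp->buffer_len )` in `ParseAppLayer` forms the pointer `data + n` before checking it; if `n` can be large enough that this points past `buffer + MAX_BUFFER_SIZE` (I cannot tell from the hunk how `n` is bounded), forming the pointer is itself undefined in C++ even though only a comparison follows. Comparing lengths, `if ( n >= endp->buffer_len - (data - endp->buffer) )`, checks the same condition without forming the pointer, and a comment noting that this replaces the former assert (so the condition is now expected to be reachable from malformed input) would explain why it reports rather than asserts. `ParseAppLayer` starts and ends outside this hunk.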
@@ -306,7 +315,7 @@ bool DNP3_Analyzer::ParseAppLayer(Endpoint* endp) if ( ! is_first && ! endp->encountered_first_chunk ) { // We lost the first chunk. - Weird("dnp3_first_application_layer_chunk_missing"); + analyzer->Weird("dnp3_first_application_layer_chunk_missing"); return false; } @@ -320,7 +329,7 @@ bool DNP3_Analyzer::ParseAppLayer(Endpoint* endp) return true; } -void DNP3_Analyzer::ClearEndpointState(bool orig) +void DNP3_Base::ClearEndpointState(bool orig) { Endpoint* endp = orig ? &orig_state : &resp_state; binpac::DNP3::DNP3_Flow* flow = orig ? interp->upflow() : interp->downflow(); @@ -333,18 +342,18 @@ void DNP3_Analyzer::ClearEndpointState(bool orig) endp->pkt_cnt = 0; } -bool DNP3_Analyzer::CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where) +bool DNP3_Base::CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where) { unsigned int crc = CalcCRC(len, data); if ( crc16[0] == (crc & 0xff) && crc16[1] == (crc & 0xff00) >> 8 ) return true; - Weird(fmt("dnp3_corrupt_%s_checksum", where)); + analyzer->Weird(fmt("dnp3_corrupt_%s_checksum", where)); return false; } -void DNP3_Analyzer::PrecomputeCRCTable() +void DNP3_Base::PrecomputeCRCTable() { for( unsigned int i = 0; i < 256; i++) { @@ -362,7 +371,7 @@ void DNP3_Analyzer::PrecomputeCRCTable() } } -unsigned int DNP3_Analyzer::CalcCRC(int len, const u_char* data) +unsigned int DNP3_Base::CalcCRC(int len, const u_char* data) { unsigned int crc = 0x0000; 
@@ -374,3 +383,76 @@ unsigned int DNP3_Analyzer::CalcCRC(int len, const u_char* data) return ~crc & 0xFFFF; } + +DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(Connection* c) + : DNP3_Base(this), TCP_ApplicationAnalyzer("DNP3_TCP", c) + { + } + +DNP3_TCP_Analyzer::~DNP3_TCP_Analyzer() + { + } + +void DNP3_TCP_Analyzer::Done() + { + TCP_ApplicationAnalyzer::Done(); + + Interpreter()->FlowEOF(true); + Interpreter()->FlowEOF(false); + } + +void DNP3_TCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) + { + TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + + try + { + if ( ! ProcessData(len, data, orig) ) + SetSkip(1); + } + + catch ( const binpac::Exception& e ) + { + SetSkip(1); + throw; + } + } + +void DNP3_TCP_Analyzer::Undelivered(uint64 seq, int len, bool orig) + { + TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + Interpreter()->NewGap(orig, len); + } + +void DNP3_TCP_Analyzer::EndpointEOF(bool is_orig) + { + TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + Interpreter()->FlowEOF(is_orig); + } + +DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c) + : DNP3_Base(this), Analyzer("DNP3_UDP", c) + { + } + +DNP3_UDP_Analyzer::~DNP3_UDP_Analyzer() + { + } + +void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen) + { + Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + + try + { + if ( ! ProcessData(len, data, orig) ) + SetSkip(1); + } + + catch ( const binpac::Exception& e ) + { + SetSkip(1); + throw; + } + } + diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h index 9cccf04d4d..aa4ef78479 100644 --- a/src/analyzer/protocol/dnp3/DNP3.h +++ b/src/analyzer/protocol/dnp3/DNP3.h 
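Review bot: `DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(Connection* c) : DNP3_Base(this), TCP_ApplicationAnalyzer("DNP3_TCP", c)` hands `this`, implicitly converted to `analyzer::Analyzer*`, to `DNP3_Base` before the `TCP_ApplicationAnalyzer` base has been constructed, because bases are built in declaration order and the header declares `DNP3_Base` first; `DNP3_Base`'s constructor then passes that pointer straight into `new binpac::DNP3::DNP3_Conn(analyzer)`, so any use of the analyzer inside that constructor (not visible here) would touch an unconstructed object, and the pointer conversion itself is not well-defined before that base's construction has begun. The same applies to `DNP3_UDP_Analyzer`. Declaring the analyzer base first in both class definitions, `class DNP3_TCP_Analyzer : public tcp::TCP_ApplicationAnalyzer, public DNP3_Base`, makes the analyzer subobject complete by the time `DNP3_Base(this)` runs and changes nothing else. Separately, the try/catch around `ProcessData` is duplicated verbatim in `DeliverStream` and `DeliverPacket` with an unused `e`; a `DNP3_Base` helper that calls `ProcessData` and `analyzer->SetSkip(1)` on failure or exception would leave one copy.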
@@ -3,24 +3,20 @@ #define ANALYZER_PROTOCOL_DNP3_DNP3_H #include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/udp/UDP.h" + #include "dnp3_pac.h" namespace analyzer { namespace dnp3 { -class DNP3_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class DNP3_Base { public: - DNP3_Analyzer(Connection* conn); - virtual ~DNP3_Analyzer(); + DNP3_Base(analyzer::Analyzer* analyzer); + virtual ~DNP3_Base(); - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + binpac::DNP3::DNP3_Conn* Interpreter() { return interp; } - static Analyzer* Instantiate(Connection* conn) - { return new DNP3_Analyzer(conn); } - -private: +protected: static const int MAX_BUFFER_SIZE = 300; struct Endpoint { 
@@ -35,22 +31,64 @@ private: bool ProcessData(int len, const u_char* data, bool orig); void ClearEndpointState(bool orig); - bool AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len); + + /** + * Buffers packet data until it reaches a specified length. + * @param endp an endpoint speaking DNP3 to which data will be buffered. + * @param target_len the required length of the buffer + * @param data source buffer to copy bytes from. Will be incremented + * by the number of bytes copied by this function. + * @param len the number of bytes available in \a data. Will be decremented + * by the number of bytes copied by this function. + * @return -1 if invalid input parameters were supplied, 0 if the endpoint's + * buffer is not yet \a target_len bytes in size, or 1 the buffer is the + * required size. + */ + int AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len); + bool ParseAppLayer(Endpoint* endp); bool CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where); unsigned int CalcCRC(int len, const u_char* data); - binpac::DNP3::DNP3_Conn* interp; - - Endpoint orig_state; - Endpoint resp_state; - static void PrecomputeCRCTable(); static bool crc_table_initialized; static unsigned int crc_table[256]; + + analyzer::Analyzer* analyzer; + binpac::DNP3::DNP3_Conn* interp; + + Endpoint orig_state; + Endpoint resp_state; }; -} } // namespace analyzer::* +class DNP3_TCP_Analyzer : public DNP3_Base, public tcp::TCP_ApplicationAnalyzer { +public: + DNP3_TCP_Analyzer(Connection* conn); + virtual ~DNP3_TCP_Analyzer(); + + virtual void Done(); + virtual void DeliverStream(int len, const u_char* data, bool orig); + virtual void Undelivered(uint64 seq, int len, bool orig); + virtual void EndpointEOF(bool is_orig); + + static Analyzer* Instantiate(Connection* conn) + { return new DNP3_TCP_Analyzer(conn); } +}; + +class DNP3_UDP_Analyzer : public DNP3_Base, public analyzer::Analyzer { +public: + DNP3_UDP_Analyzer(Connection* 
conn); + virtual ~DNP3_UDP_Analyzer(); + + virtual void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen); + + static analyzer::Analyzer* Instantiate(Connection* conn) + { return new DNP3_UDP_Analyzer(conn); } +}; + + +} } // namespace analyzer::* #endif diff --git a/src/analyzer/protocol/dnp3/Plugin.cc b/src/analyzer/protocol/dnp3/Plugin.cc index 614ff38773..6a64138ce7 100644 --- a/src/analyzer/protocol/dnp3/Plugin.cc +++ b/src/analyzer/protocol/dnp3/Plugin.cc @@ -12,11 +12,12 @@ class Plugin : public plugin::Plugin { public: plugin::Configuration Configure() { - AddComponent(new ::analyzer::Component("DNP3", ::analyzer::dnp3::DNP3_Analyzer::Instantiate)); + AddComponent(new ::analyzer::Component("DNP3_TCP", ::analyzer::dnp3::DNP3_TCP_Analyzer::Instantiate)); + AddComponent(new ::analyzer::Component("DNP3_UDP", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate)); plugin::Configuration config; config.name = "Bro::DNP3"; - config.description = "DNP3 analyzer"; + config.description = "DNP3 UDP/TCP analyzers"; return config; } } plugin; diff --git a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac index 5e9ae85bcf..393ab82079 100644 --- a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac +++ b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac @@ -38,7 +38,7 @@ flow DNP3_Flow(is_orig: bool) { return true; %} - function get_dnp3_application_request_header(fc: uint8): bool + function get_dnp3_application_request_header(application_control: uint8, fc: uint8): bool %{ if ( ::dnp3_application_request_header ) { 
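Review bot: The new Doxygen block on AddToBuffer reads "or 1 the buffer is the required size", which is missing a word; the line should be `* buffer is not yet \a target_len bytes in size, or 1 if the buffer is the`. The new member `analyzer::Analyzer* analyzer;` reuses the enclosing namespace's name and matches the constructor parameter in the preceding hunk; a distinct name such as `bro_analyzer` (the spelling the pac code already uses in `connection()->bro_analyzer()`) would read more clearly. Also, `DNP3_TCP_Analyzer::Instantiate` is declared to return `Analyzer*` while `DNP3_UDP_Analyzer::Instantiate` returns `analyzer::Analyzer*`; these are the same type and should be spelled the same way.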
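Review bot: Replacing the single `"DNP3"` component with `"DNP3_TCP"` and `"DNP3_UDP"` changes the component name from which the analyzer tag is derived, so any script or test that referred to the old DNP3 tag would presumably stop resolving; nothing in the hunk or the description notes this. A line in CHANGES or the commit description naming the new tags would make the rename discoverable.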
@@ -46,13 +46,14 @@ flow DNP3_Flow(is_orig: bool) { connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig(), + application_control, fc ); } return true; %} - function get_dnp3_application_response_header(fc: uint8, iin: uint16): bool + function get_dnp3_application_response_header(application_control: uint8, fc: uint8, iin: uint16): bool %{ if ( ::dnp3_application_response_header ) { @@ -60,6 +61,7 @@ flow DNP3_Flow(is_orig: bool) { connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig(), + application_control, fc, iin ); @@ -743,11 +745,11 @@ refine typeattr Header_Block += &let { }; refine typeattr DNP3_Application_Request_Header += &let { - process_request: bool = $context.flow.get_dnp3_application_request_header(function_code); + process_request: bool = $context.flow.get_dnp3_application_request_header(application_control, function_code); }; refine typeattr DNP3_Application_Response_Header += &let { - process_request: bool = $context.flow.get_dnp3_application_response_header(function_code, internal_indications); + process_request: bool = $context.flow.get_dnp3_application_response_header(application_control, function_code, internal_indications); }; refine typeattr Object_Header += &let { diff --git a/src/analyzer/protocol/dnp3/dnp3-protocol.pac b/src/analyzer/protocol/dnp3/dnp3-protocol.pac index 9407b000eb..3cf2290c2c 100644 --- a/src/analyzer/protocol/dnp3/dnp3-protocol.pac +++ b/src/analyzer/protocol/dnp3/dnp3-protocol.pac 
@@ -90,7 +90,7 @@ type DNP3_Application_Response_Header = record { type Request_Objects(function_code: uint8) = record { object_header: Object_Header(function_code); data: case (object_header.object_type_field) of { - 0x0c03 -> bocmd_PM: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ]; + 0x0c03 -> bocmd_PM: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ]; 0x3202 -> time_interval_ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item] &check( object_header.qualifer_field == 0x0f && object_header.number_of_item == 0x01); default -> ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item]; 
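Review bot: The new element count `( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )` is a roundabout ceiling division; `( object_header.number_of_item + 7 ) / 8` yields the same count for every non-negative value and is far easier to audit, which matters because this count bounds the parsed array. The same expression is repeated four times in the Response_Objects hunk that follows (`0x0101`, `0x0301`, `0x0a01`, `0x0c03`). If binpac evaluates the expression in the field's own width rather than after integer promotion, confirm that `number_of_item + 7` cannot wrap; the type of number_of_item is not visible from here.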
@@ -112,10 +112,10 @@ type Request_Objects(function_code: uint8) = record { type Response_Objects(function_code: uint8) = record { object_header: Object_Header(function_code); data: case (object_header.object_type_field) of { - 0x0101 -> biwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ]; - 0x0301 -> diwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ]; - 0x0a01 -> bowoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ]; - 0x0c03 -> bocmd_PM: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ]; + 0x0101 -> biwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ]; + 0x0301 -> diwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ]; + 0x0a01 -> bowoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )]; + 0x0c03 -> bocmd_PM: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )]; default -> ojbects: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ 
object_header.number_of_item]; }; }; diff --git a/src/analyzer/protocol/dnp3/events.bif b/src/analyzer/protocol/dnp3/events.bif index 18fc42d6f7..abb735488e 100644 --- a/src/analyzer/protocol/dnp3/events.bif +++ b/src/analyzer/protocol/dnp3/events.bif @@ -7,7 +7,7 @@ ## ## fc: function code. ## -event dnp3_application_request_header%(c: connection, is_orig: bool, fc: count%); +event dnp3_application_request_header%(c: connection, is_orig: bool, application: count, fc: count%); ## Generated for a DNP3 response header. ## @@ -19,7 +19,7 @@ event dnp3_application_request_header%(c: connection, is_orig: bool, fc: count%) ## ## iin: internal indication number. ## -event dnp3_application_response_header%(c: connection, is_orig: bool, fc: count, iin: count%); +event dnp3_application_response_header%(c: connection, is_orig: bool, application: count, fc: count, iin: count%); ## Generated for the object header found in both DNP3 requests and responses. ## diff --git a/src/analyzer/protocol/mysql/events.bif b/src/analyzer/protocol/mysql/events.bif index d7160c1ac6..bd81e8b8a4 100644 --- a/src/analyzer/protocol/mysql/events.bif +++ b/src/analyzer/protocol/mysql/events.bif @@ -9,7 +9,7 @@ ## ## arg: The argument for the command (empty string if not provided). ## -## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake event mysql_command_request%(c: connection, command: count, arg: string%); ## Generated for an unsuccessful MySQL response. 
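Review bot: The new `application: count` parameter of dnp3_application_request_header has no entry in the `##` documentation block above it, which still documents only `fc`; the same applies to dnp3_application_response_header in the next hunk. Add `## application: application control field.` before the `## fc:` line in both. The generating pac code names this value `application_control`, so the bif parameter would be clearer under the same name.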
@@ -23,7 +23,7 @@ event mysql_command_request%(c: connection, command: count, arg: string%); ## ## msg: Any extra details about the error (empty string if not provided). ## -## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake event mysql_error%(c: connection, code: count, msg: string%); ## Generated for a successful MySQL response. @@ -35,7 +35,7 @@ event mysql_error%(c: connection, code: count, msg: string%); ## ## affected_rows: The number of rows that were affected. ## -## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake event mysql_ok%(c: connection, affected_rows: count%); ## Generated for the initial server handshake packet, which includes the MySQL server version. @@ -47,7 +47,7 @@ event mysql_ok%(c: connection, affected_rows: count%); ## ## ver: The server version string. ## -## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake event mysql_server_version%(c: connection, ver: string%); ## Generated for a client handshake response packet, which includes the username the client is attempting diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index e00e32ef1b..16bb9cc56d 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -28,7 +28,7 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, TCP_Reassembler::Type arg_type, TCP_Endpoint* arg_endp) - : Reassembler(1, REASSEM_TCP) + : Reassembler(1) { dst_analyzer = arg_dst_analyzer; tcp_analyzer = arg_tcp_analyzer; 
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h index 5d8badcef1..c2ed0175ca 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h @@ -11,9 +11,6 @@ namespace analyzer { namespace tcp { class TCP_Analyzer; -const int STOP_ON_GAP = 1; -const int PUNT_ON_PARTIAL = 1; - class TCP_Reassembler : public Reassembler { public: enum Type { diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif index f52fadaebb..5cf2710804 100644 --- a/src/analyzer/protocol/tcp/events.bif +++ b/src/analyzer/protocol/tcp/events.bif @@ -29,8 +29,10 @@ event new_connection_contents%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_attempt%(c: connection%); -## Generated when a SYN-ACK packet is seen in response to a SYN packet during -## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may +## Generated when seeing a SYN-ACK packet from the responder in a TCP +## handshake. An associated SYN packet was not seen from the originator +## side if its state is not set to :bro:see:`TCP_ESTABLISHED`. +## The final ACK of the handshake in response to SYN-ACK may ## or may not occur later, one way to tell is to check the *history* field of ## :bro:type:`connection` to see if the originator sent an ACK, indicated by ## 'A' in the history string. diff --git a/src/builtin-func.y b/src/builtin-func.y index 1b22436fff..0f895ced52 100644 --- a/src/builtin-func.y +++ b/src/builtin-func.y @@ -287,7 +287,7 @@ void record_bif_item(const char* id, const char* type) %left ',' ':' -%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list +%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list opt_func_attrs %type TOK_ATOM TOK_BOOL %union { 
@@ -372,7 +372,13 @@ type_def_types: TOK_RECORD { set_definition_type(TYPE_DEF, "Table"); } ; -event_def: event_prefix opt_ws plain_head opt_attr_list +opt_func_attrs: attr_list opt_ws + { $$ = $1; } + | /* nothing */ + { $$ = ""; } + ; + +event_def: event_prefix opt_ws plain_head opt_func_attrs { fprintf(fp_bro_init, "%s", $4); } end_of_head ';' { print_event_c_prototype(fp_func_h, true); @@ -380,13 +386,16 @@ event_def: event_prefix opt_ws plain_head opt_attr_list print_event_c_body(fp_func_def); } -func_def: func_prefix opt_ws typed_head end_of_head body +func_def: func_prefix opt_ws typed_head opt_func_attrs + { fprintf(fp_bro_init, "%s", $4); } end_of_head body ; -enum_def: enum_def_1 enum_list TOK_RPB +enum_def: enum_def_1 enum_list TOK_RPB opt_attr_list { // First, put an end to the enum type decl. - fprintf(fp_bro_init, "};\n"); + fprintf(fp_bro_init, "} "); + fprintf(fp_bro_init, "%s", $4); + fprintf(fp_bro_init, ";\n"); if ( decl.module_name != GLOBAL_MODULE_NAME ) fprintf(fp_netvar_h, "}; } }\n"); else diff --git a/src/event.bif b/src/event.bif index 4006888eab..dd941b6736 100644 --- a/src/event.bif +++ b/src/event.bif @@ -905,7 +905,8 @@ event get_file_handle%(tag: Analyzer::Tag, c: connection, is_orig: bool%); ## ## f: The file. ## -## .. bro:see:: file_over_new_connection file_timeout file_gap file_state_remove +## .. bro:see:: file_over_new_connection file_timeout file_gap file_mime_type +## file_state_remove event file_new%(f: fa_file%); ## Indicates that a file has been seen being transferred over a connection 
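Review bot: In the enum_def action the closing brace, the attribute list and the terminator are emitted by three consecutive fprintf calls; `fprintf(fp_bro_init, "} %s;\n", $4);` says the same in one line and keeps the emitted text readable as a unit. The empty alternative of opt_func_attrs yields `""`, so the `%s` in the event_def and func_def actions always receives a valid string, which is fine; a brief comment on opt_func_attrs noting that the trailing opt_ws is deliberately dropped from `$$` would help the next reader.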
@@ -917,16 +918,39 @@ event file_new%(f: fa_file%); ## ## is_orig: true if the originator of *c* is the one sending the file. ## -## .. bro:see:: file_new file_timeout file_gap file_state_remove +## .. bro:see:: file_new file_timeout file_gap file_mime_type +## file_state_remove event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%); +## Provide the most likely matching MIME type for this file. The analysis +## can be augmented at this time via :bro:see:`Files::add_analyzer`. +## +## f: The file. +## +## mime_type: The mime type that was discovered. +## +## .. bro:see:: file_over_new_connection file_timeout file_gap file_mime_type +## file_mime_types file_state_remove +event file_mime_type%(f: fa_file, mime_type: string%); + +## Provide all matching MIME types for this file. The analysis can be +## augmented at this time via :bro:see:`Files::add_analyzer`. +## +## f: The file. +## +## mime_types: The mime types that were discovered. +## +## .. bro:see:: file_over_new_connection file_timeout file_gap file_mime_type +## file_mime_types file_state_remove +event file_mime_types%(f: fa_file, mime_types: mime_matches%); + ## Indicates that file analysis has timed out because no activity was seen ## for the file in a while. ## ## f: The file. ## -## .. bro:see:: file_new file_over_new_connection file_gap file_state_remove -## default_file_timeout_interval Files::set_timeout_interval +## .. bro:see:: file_new file_over_new_connection file_gap file_mime_type +## file_mime_types file_state_remove default_file_timeout_interval ## Files::set_timeout_interval event file_timeout%(f: fa_file%); 
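Review bot: The `.. bro:see::` list under the new file_mime_type event names file_mime_type itself, and the list under file_mime_types likewise names file_mime_types; each should list only its sibling and, like the other file events updated in this hunk, include file_new. For file_mime_type that would be `## .. bro:see:: file_new file_over_new_connection file_timeout file_gap file_mime_types` followed by `## file_state_remove`, and correspondingly for file_mime_types.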
@@ -938,14 +962,34 @@ event file_timeout%(f: fa_file%); ## ## len: The number of missing bytes. ## -## .. bro:see:: file_new file_over_new_connection file_timeout file_state_remove +## .. bro:see:: file_new file_over_new_connection file_timeout file_mime_type +## file_mime_types file_state_remove file_reassembly_overflow event file_gap%(f: fa_file, offset: count, len: count%); +## Indicates that the file had an overflow of the reassembly buffer. +## This is a specialization of the :bro:id:`file_gap` event. +## +## f: The file. +## +## offset: The byte offset from the start of the file at which the reassembly +## couldn't continue due to running out of reassembly buffer space. +## +## skipped: The number of bytes of the file skipped over to flush some +## file data and get back under the reassembly buffer size limit. +## This value will also be represented as a gap. +## +## .. bro:see:: file_new file_over_new_connection file_timeout file_mime_type +## file_mime_types file_state_remove file_gap Files::enable_reassembler +## Files::reassembly_buffer_size Files::enable_reassembly +## Files::disable_reassembly Files::set_reassembly_buffer_size +event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%); + ## This event is generated each time file analysis is ending for a given file. ## ## f: The file. ## ## .. bro:see:: file_new file_over_new_connection file_timeout file_gap +## file_mime_type file_mime_types event file_state_remove%(f: fa_file%); ## Generated when an internal DNS lookup produces the same result as last time. diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h index 619a72c81d..dcb8434a6f 100644 --- a/src/file_analysis/Analyzer.h +++ b/src/file_analysis/Analyzer.h 
@@ -111,6 +111,18 @@ public: */ void SetAnalyzerTag(const file_analysis::Tag& tag); + /** + * @return true if the analyzer has ever seen a stream-wise delivery. + */ + bool GotStreamDelivery() const + { return got_stream_delivery; } + + /** + * Flag the analyzer as having seen a stream-wise delivery. + */ + void SetGotStreamDelivery() + { got_stream_delivery = true; } + protected: /** @@ -123,7 +135,8 @@ protected: Analyzer(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file) : tag(arg_tag), args(arg_args->Ref()->AsRecordVal()), - file(arg_file) + file(arg_file), + got_stream_delivery(false) { id = ++id_counter; } @@ -140,7 +153,8 @@ protected: Analyzer(RecordVal* arg_args, File* arg_file) : tag(), args(arg_args->Ref()->AsRecordVal()), - file(arg_file) + file(arg_file), + got_stream_delivery(false) { id = ++id_counter; } @@ -151,6 +165,7 @@ private: file_analysis::Tag tag; /**< The particular type of the analyzer instance. */ RecordVal* args; /**< \c AnalyzerArgs val gives tunable analyzer params. */ File* file; /**< The file to which the analyzer is attached. */ + bool got_stream_delivery; static ID id_counter; }; diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index b3f11b6816..8425e5d3c7 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc @@ -72,7 +72,7 @@ bool AnalyzerSet::Add(file_analysis::Tag tag, RecordVal* args) return true; } -bool AnalyzerSet::QueueAdd(file_analysis::Tag tag, RecordVal* args) +Analyzer* AnalyzerSet::QueueAdd(file_analysis::Tag tag, RecordVal* args) { HashKey* key = GetKey(tag, args); file_analysis::Analyzer* a = InstantiateAnalyzer(tag, args); @@ -80,12 +80,12 @@ bool AnalyzerSet::QueueAdd(file_analysis::Tag tag, RecordVal* args) if ( ! a ) { delete key; - return false; + return 0; } mod_queue.push(new AddMod(a, key)); - return true; + return a; } bool AnalyzerSet::AddMod::Perform(AnalyzerSet* set) 
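Review bot: The new private member `bool got_stream_delivery;` is the only one in its block without the trailing `/**< ... */` description its neighbours carry; `bool got_stream_delivery; /**< Whether a stream-wise delivery has been seen. */` keeps the block uniform. Since SetGotStreamDelivery is public, any caller can set the flag; if only File is meant to do so, as the File.cc hunk suggests, saying so in its Doxygen comment would document the intent.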
diff --git a/src/file_analysis/AnalyzerSet.h b/src/file_analysis/AnalyzerSet.h index 38eddb8967..642792f776 100644 --- a/src/file_analysis/AnalyzerSet.h +++ b/src/file_analysis/AnalyzerSet.h @@ -57,9 +57,10 @@ public: * Queue the attachment of an analyzer to #file. * @param tag the analyzer tag of the file analyzer to add. * @param args an \c AnalyzerArgs value which specifies an analyzer. - * @return true if analyzer was able to be instantiated, else false. + * @return if successful, a pointer to a newly instantiated analyzer else + * a null pointer. The caller does *not* take ownership of the memory. */ - bool QueueAdd(file_analysis::Tag tag, RecordVal* args); + file_analysis::Analyzer* QueueAdd(file_analysis::Tag tag, RecordVal* args); /** * Remove an analyzer from #file immediately. diff --git a/src/file_analysis/CMakeLists.txt b/src/file_analysis/CMakeLists.txt index 846fc4bf15..34dc8d5387 100644 --- a/src/file_analysis/CMakeLists.txt +++ b/src/file_analysis/CMakeLists.txt @@ -11,6 +11,7 @@ set(file_analysis_SRCS Manager.cc File.cc FileTimer.cc + FileReassembler.cc Analyzer.cc AnalyzerSet.cc Component.cc diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 4509fc7d42..c90c9f2413 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -53,8 +53,6 @@ int File::overflow_bytes_idx = -1; int File::timeout_interval_idx = -1; int File::bof_buffer_size_idx = -1; int File::bof_buffer_idx = -1; -int File::mime_type_idx = -1; -int File::mime_types_idx = -1; void File::StaticInit() { 
@@ -74,15 +72,14 @@ void File::StaticInit() timeout_interval_idx = Idx("timeout_interval"); bof_buffer_size_idx = Idx("bof_buffer_size"); bof_buffer_idx = Idx("bof_buffer"); - mime_type_idx = Idx("mime_type"); - mime_types_idx = Idx("mime_types"); } -File::File(const string& file_id, Connection* conn, analyzer::Tag tag, - bool is_orig) - : id(file_id), val(0), postpone_timeout(false), first_chunk(true), - missed_bof(false), need_reassembly(false), done(false), - did_file_new_event(false), analyzers(this) +File::File(const string& file_id, const string& source_name, Connection* conn, + analyzer::Tag tag, bool is_orig) + : id(file_id), val(0), file_reassembler(0), stream_offset(0), + reassembly_max_buffer(0), did_mime_type(false), + reassembly_enabled(false), postpone_timeout(false), done(false), + analyzers(this) { StaticInit(); @@ -90,11 +87,10 @@ File::File(const string& file_id, Connection* conn, analyzer::Tag tag, val = new RecordVal(fa_file_type); val->Assign(id_idx, new StringVal(file_id.c_str())); + SetSource(source_name); if ( conn ) { - // add source, connection, is_orig fields - SetSource(analyzer_mgr->GetComponentName(tag)); val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL)); UpdateConnectionFields(conn, is_orig); } @@ -106,12 +102,7 @@ File::~File() { DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Destroying File object", id.c_str()); Unref(val); - - while ( ! fonc_queue.empty() ) - { - delete_vals(fonc_queue.front().second); - fonc_queue.pop(); - } + delete file_reassembler; } void File::UpdateLastActivityTime() @@ -124,10 +115,10 @@ double File::GetLastActivityTime() const return val->Lookup(last_active_idx)->AsTime(); } -void File::UpdateConnectionFields(Connection* conn, bool is_orig) +bool File::UpdateConnectionFields(Connection* conn, bool is_orig) { if ( ! conn ) - return; + return false; Val* conns = val->Lookup(conns_idx); 
@@ -138,27 +129,28 @@ void File::UpdateConnectionFields(Connection* conn, bool is_orig) } Val* idx = get_conn_id_val(conn); - if ( ! conns->AsTableVal()->Lookup(idx) ) + + if ( conns->AsTableVal()->Lookup(idx) ) { - Val* conn_val = conn->BuildConnVal(); - conns->AsTableVal()->Assign(idx, conn_val); - - if ( FileEventAvailable(file_over_new_connection) ) - { - val_list* vl = new val_list(); - vl->append(val->Ref()); - vl->append(conn_val->Ref()); - vl->append(new Val(is_orig, TYPE_BOOL)); - - if ( did_file_new_event ) - FileEvent(file_over_new_connection, vl); - else - fonc_queue.push(pair( - file_over_new_connection, vl)); - } + Unref(idx); + return false; } + conns->AsTableVal()->Assign(idx, conn->BuildConnVal()); Unref(idx); + return true; + } + +void File::RaiseFileOverNewConnection(Connection* conn, bool is_orig) + { + if ( conn && FileEventAvailable(file_over_new_connection) ) + { + val_list* vl = new val_list(); + vl->append(val->Ref()); + vl->append(conn->BuildConnVal()); + vl->append(new Val(is_orig, TYPE_BOOL)); + FileEvent(file_over_new_connection, vl); + } } uint64 File::LookupFieldDefaultCount(int idx) const @@ -242,7 +234,7 @@ bool File::IsComplete() const if ( ! total ) return false; - if ( LookupFieldDefaultCount(seen_bytes_idx) >= total->AsCount() ) + if ( stream_offset >= total->AsCount() ) return true; return false; @@ -258,7 +250,10 @@ bool File::AddAnalyzer(file_analysis::Tag tag, RecordVal* args) DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Queuing addition of %s analyzer", id.c_str(), file_mgr->GetComponentName(tag).c_str()); - return done ? false : analyzers.QueueAdd(tag, args); + if ( done ) + return false; + + return analyzers.QueueAdd(tag, args) != 0; } bool File::RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args) 
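Review bot: UpdateConnectionFields now returns false both for a null `conn` and for a connection already recorded, and raising file_over_new_connection has become the separate RaiseFileOverNewConnection step; the old code ordered that event after file_new via `did_file_new_event` and `fonc_queue`, which this hunk removes, so the ordering now rests entirely on the caller. A header comment such as `// Caller must ensure file_new has already been raised for this file.` on RaiseFileOverNewConnection would preserve that contract. Both functions also call `conn->BuildConnVal()` independently, so a file seen on a new connection builds the conn record twice per call pair; fine if BuildConnVal is cheap, but worth knowing.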
@@ -269,9 +264,70 @@ bool File::RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args) return done ? false : analyzers.QueueRemove(tag, args); } +void File::EnableReassembly() + { + reassembly_enabled = true; + } + +void File::DisableReassembly() + { + reassembly_enabled = false; + delete file_reassembler; + file_reassembler = 0; + } + +void File::SetReassemblyBuffer(uint64 max) + { + reassembly_max_buffer = max; + } + +bool File::DetectMIME() + { + did_mime_type = true; + + Val* bof_buffer_val = val->Lookup(bof_buffer_idx); + + if ( ! bof_buffer_val ) + { + if ( bof_buffer.size == 0 ) + return false; + + BroString* bs = concatenate(bof_buffer.chunks); + bof_buffer_val = new StringVal(bs); + val->Assign(bof_buffer_idx, bof_buffer_val); + } + + RuleMatcher::MIME_Matches matches; + const u_char* data = bof_buffer_val->AsString()->Bytes(); + uint64 len = bof_buffer_val->AsString()->Len(); + len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx)); + file_mgr->DetectMIME(data, len, &matches); + + if ( matches.empty() ) + return false; + + if ( FileEventAvailable(file_mime_type) ) + { + val_list* vl = new val_list(); + vl->append(val->Ref()); + vl->append(new StringVal(*(matches.begin()->second.begin()))); + FileEvent(file_mime_type, vl); + } + + if ( FileEventAvailable(file_mime_types) ) + { + val_list* vl = new val_list(); + vl->append(val->Ref()); + vl->append(file_analysis::GenMIMEMatchesVal(matches)); + FileEvent(file_mime_types, vl); + } + + return true; + } + bool File::BufferBOF(const u_char* data, uint64 len) { - if ( bof_buffer.full || bof_buffer.replayed ) + if ( bof_buffer.full ) return false; uint64 desired_size = LookupFieldDefaultCount(bof_buffer_size_idx); 
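Review bot: DetectMIME dereferences `matches.begin()->second.begin()` after checking only `matches.empty()`; if RuleMatcher::MIME_Matches can ever map a key to an empty set (its definition is not visible here), this reads through an invalid iterator. A guard such as `if ( matches.empty() || matches.begin()->second.empty() ) return false;` is cheap. Also `did_mime_type` is set to true before the early `return false` for a missing or empty BOF buffer, so a later call will not retry; if that is deliberate, a one-line comment would save the next reader from wondering.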
@@ -279,131 +335,154 @@ bool File::BufferBOF(const u_char* data, uint64 len) bof_buffer.chunks.push_back(new BroString(data, len, 0)); bof_buffer.size += len; - if ( bof_buffer.size >= desired_size ) + if ( bof_buffer.size < desired_size ) + return true; + + bof_buffer.full = true; + + if ( bof_buffer.size > 0 ) { - bof_buffer.full = true; - ReplayBOF(); + BroString* bs = concatenate(bof_buffer.chunks); + val->Assign(bof_buffer_idx, new StringVal(bs)); } - return true; + return false; } -bool File::DetectMIME(const u_char* data, uint64 len) +void File::DeliverStream(const u_char* data, uint64 len) { - RuleMatcher::MIME_Matches matches; - len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx)); - file_mgr->DetectMIME(data, len, &matches); + bool bof_was_full = bof_buffer.full; + // Buffer enough data for the BOF buffer + BufferBOF(data, len); - if ( matches.empty() ) - return false; + if ( ! did_mime_type && bof_buffer.full && + LookupFieldDefaultCount(missing_bytes_idx) == 0 ) + DetectMIME(); - val->Assign(mime_type_idx, - new StringVal(*(matches.begin()->second.begin()))); - val->Assign(mime_types_idx, file_analysis::GenMIMEMatchesVal(matches)); + DBG_LOG(DBG_FILE_ANALYSIS, + "[%s] %" PRIu64 " stream bytes in at offset %" PRIu64 "; %s [%s%s]", + id.c_str(), len, stream_offset, + IsComplete() ? "complete" : "incomplete", + fmt_bytes((const char*) data, min((uint64)40, len)), + len > 40 ? "..." : ""); - return true; - } + file_analysis::Analyzer* a = 0; + IterCookie* c = analyzers.InitForIteration(); -void File::ReplayBOF() - { - if ( bof_buffer.replayed ) - return; - - bof_buffer.replayed = true; - - if ( bof_buffer.chunks.empty() ) + while ( (a = analyzers.NextEntry(c)) ) { - // Since we missed the beginning, try file type detect on next data in. - missed_bof = true; - return; + if ( ! a->GotStreamDelivery() ) + { + int num_bof_chunks_behind = bof_buffer.chunks.size(); + + if ( ! 
bof_was_full ) + // We just added a chunk to the BOF buffer, don't count it + // as it will get delivered on its own. + num_bof_chunks_behind -= 1; + + uint64 bytes_delivered = 0; + + // Catch this analyzer up with the BOF buffer. + for ( int i = 0; i < num_bof_chunks_behind; ++i ) + { + if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(), + bof_buffer.chunks[i]->Len()) ) + analyzers.QueueRemove(a->Tag(), a->Args()); + + bytes_delivered += bof_buffer.chunks[i]->Len(); + } + + a->SetGotStreamDelivery(); + // May need to catch analyzer up on missed gap? + // Analyzer should be fully caught up to stream_offset now. + } + + if ( ! a->DeliverStream(data, len) ) + analyzers.QueueRemove(a->Tag(), a->Args()); } - BroString* bs = concatenate(bof_buffer.chunks); - val->Assign(bof_buffer_idx, new StringVal(bs)); + stream_offset += len; + IncrementByteCount(len, seen_bytes_idx); + } - DetectMIME(bs->Bytes(), bs->Len()); - FileEvent(file_new); +void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset) + { + // Potentially handle reassembly and deliver to the stream analyzers. + if ( file_reassembler ) + { + if ( reassembly_max_buffer > 0 && + reassembly_max_buffer < file_reassembler->TotalSize() ) + { + uint64 current_offset = stream_offset; + uint64 gap_bytes = file_reassembler->Flush(); + IncrementByteCount(gap_bytes, overflow_bytes_idx); - for ( size_t i = 0; i < bof_buffer.chunks.size(); ++i ) - DataIn(bof_buffer.chunks[i]->Bytes(), bof_buffer.chunks[i]->Len()); + if ( FileEventAvailable(file_reassembly_overflow) ) + { + val_list* vl = new val_list(); + vl->append(val->Ref()); + vl->append(new Val(current_offset, TYPE_COUNT)); + vl->append(new Val(gap_bytes, TYPE_COUNT)); + FileEvent(file_reassembly_overflow, vl); + } + } + + // Forward data to the reassembler. + file_reassembler->NewBlock(network_time, offset, len, data); + } + else if ( stream_offset == offset ) + { + // This is the normal case where a file is transferred linearly. 
+ // Nothing special should be done here. + DeliverStream(data, len); + } + else if ( reassembly_enabled ) + { + // This is data that doesn't match the offset and the reassembler + // needs to be enabled. + file_reassembler = new FileReassembler(this, stream_offset); + file_reassembler->NewBlock(network_time, offset, len, data); + } + else + { + // We can't reassemble so we throw out the data for streaming. + IncrementByteCount(len, overflow_bytes_idx); + } + + DBG_LOG(DBG_FILE_ANALYSIS, + "[%s] %" PRIu64 " chunk bytes in at offset %" PRIu64 "; %s [%s%s]", + id.c_str(), len, offset, + IsComplete() ? "complete" : "incomplete", + fmt_bytes((const char*) data, min((uint64)40, len)), + len > 40 ? "..." : ""); + + file_analysis::Analyzer* a = 0; + IterCookie* c = analyzers.InitForIteration(); + + while ( (a = analyzers.NextEntry(c)) ) + { + if ( ! a->DeliverChunk(data, len, offset) ) + { + analyzers.QueueRemove(a->Tag(), a->Args()); + } + } + + if ( IsComplete() ) + EndOfFile(); } void File::DataIn(const u_char* data, uint64 len, uint64 offset) { analyzers.DrainModifications(); - - if ( first_chunk ) - { - // TODO: this should all really be delayed until we attempt reassembly - DetectMIME(data, len); - FileEvent(file_new); - first_chunk = false; - } - - DBG_LOG(DBG_FILE_ANALYSIS, "[%s] %" PRIu64 " bytes in at offset" PRIu64 "; %s [%s]", - id.c_str(), len, offset, - IsComplete() ? "complete" : "incomplete", - fmt_bytes((const char*) data, min((uint64)40, len)), len > 40 ? "..." : ""); - - file_analysis::Analyzer* a = 0; - IterCookie* c = analyzers.InitForIteration(); - - while ( (a = analyzers.NextEntry(c)) ) - { - if ( ! 
a->DeliverChunk(data, len, offset) ) - analyzers.QueueRemove(a->Tag(), a->Args()); - } - + DeliverChunk(data, len, offset); analyzers.DrainModifications(); - - // TODO: check reassembly requirement based on buffer size in record - if ( need_reassembly ) - reporter->InternalError("file_analyzer::File TODO: reassembly not yet supported"); - - // TODO: reassembly overflow stuff, increment overflow count, eval trigger - - IncrementByteCount(len, seen_bytes_idx); } void File::DataIn(const u_char* data, uint64 len) { analyzers.DrainModifications(); - - if ( BufferBOF(data, len) ) - return; - - if ( missed_bof ) - { - DetectMIME(data, len); - FileEvent(file_new); - missed_bof = false; - } - - DBG_LOG(DBG_FILE_ANALYSIS, "[%s] %" PRIu64 " bytes in; %s [%s]", - id.c_str(), len, - IsComplete() ? "complete" : "incomplete", - fmt_bytes((const char*) data, min((uint64)40, len)), len > 40 ? "..." : ""); - - file_analysis::Analyzer* a = 0; - IterCookie* c = analyzers.InitForIteration(); - - while ( (a = analyzers.NextEntry(c)) ) - { - if ( ! a->DeliverStream(data, len) ) - { - analyzers.QueueRemove(a->Tag(), a->Args()); - continue; - } - - uint64 offset = LookupFieldDefaultCount(seen_bytes_idx) + - LookupFieldDefaultCount(missing_bytes_idx); - - if ( ! a->DeliverChunk(data, len, offset) ) - analyzers.QueueRemove(a->Tag(), a->Args()); - } - + DeliverChunk(data, len, stream_offset); analyzers.DrainModifications(); - IncrementByteCount(len, seen_bytes_idx); } void File::EndOfFile() 
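Review bot: In `DeliverStream`, `bytes_delivered` is accumulated in the BOF catch-up loop but never read, and the loop keeps feeding the remaining chunks — and then the current `data` — to an analyzer that has already returned false and been queued for removal. If the total is reserved for the gap catch-up the `// May need to catch analyzer up on missed gap?` comment hints at, mark it as such, e.g. `// TODO: bytes_delivered is unused until gap catch-up for late analyzers is implemented.`; otherwise drop the variable. Storing `bof_buffer.chunks.size()` in an `int` also narrows a `size_t` for no gain; `size_t` reads cleaner.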
@@ -413,10 +492,21 @@ void File::EndOfFile() if ( done ) return; - analyzers.DrainModifications(); + if ( file_reassembler ) + { + file_reassembler->Flush(); + } - // Send along anything that's been buffered, but never flushed. - ReplayBOF(); + // Mark the bof_buffer as full in case it isn't yet + // so that the whole thing can be flushed out to + // any stream analyzers. + if ( ! bof_buffer.full ) + { + bof_buffer.full = true; + DeliverStream((const u_char*) "", 0); + } + + analyzers.DrainModifications(); done = true; @@ -436,14 +526,17 @@ void File::EndOfFile() void File::Gap(uint64 offset, uint64 len) { - DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Gap of size %" PRIu64 " at offset %" PRIu64, + DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Gap of size %" PRIu64 " at offset %," PRIu64, id.c_str(), len, offset); - analyzers.DrainModifications(); + if ( file_reassembler && ! file_reassembler->IsCurrentlyFlushing() ) + { + file_reassembler->FlushTo(offset + len); + // The reassembler will call us back with all the gaps we need to know. + return; + } - // If we were buffering the beginning of the file, a gap means we've got - // as much contiguous stuff at the beginning as possible, so work with that. - ReplayBOF(); + analyzers.DrainModifications(); file_analysis::Analyzer* a = 0; IterCookie* c = analyzers.InitForIteration(); @@ -464,6 +557,8 @@ void File::Gap(uint64 offset, uint64 len) } analyzers.DrainModifications(); + + stream_offset += len; IncrementByteCount(len, missing_bytes_idx); } 
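Review bot: The `DBG_LOG` format string in `Gap()` now reads `" at offset %," PRIu64`, which after concatenation yields `%,llu` — not a valid printf conversion, so the offset is no longer printed correctly and format-checking compilers will warn. This looks like a stray comma; restore `" at offset %" PRIu64`. The middle of `Gap()` lies between the two hunks shown here.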
@@ -482,30 +577,13 @@ void File::FileEvent(EventHandlerPtr h) FileEvent(h, vl); } -static void flush_file_event_queue(queue >& q) - { - while ( ! q.empty() ) - { - pair p = q.front(); - mgr.QueueEvent(p.first, p.second); - q.pop(); - } - } - void File::FileEvent(EventHandlerPtr h, val_list* vl) { - if ( h == file_state_remove ) - flush_file_event_queue(fonc_queue); - mgr.QueueEvent(h, vl); - if ( h == file_new ) - { - did_file_new_event = true; - flush_file_event_queue(fonc_queue); - } - - if ( h == file_new || h == file_timeout || h == file_extraction_limit ) + if ( h == file_new || h == file_over_new_connection || + h == file_mime_type || + h == file_timeout || h == file_extraction_limit ) { // immediate feedback is required for these events. mgr.Drain(); diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 86f60caf9f..645f7d5111 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -3,11 +3,11 @@ #ifndef FILE_ANALYSIS_FILE_H #define FILE_ANALYSIS_FILE_H -#include #include #include #include +#include "FileReassembler.h" #include "Conn.h" #include "Val.h" #include "Tag.h" @@ -16,6 +16,8 @@ namespace file_analysis { +class FileReassembler; + /** * Wrapper class around \c fa_file record values from script layer. */ @@ -86,10 +88,10 @@ public: void SetTotalBytes(uint64 size); /** - * Compares "seen_bytes" field to "total_bytes" field of #val record to - * determine if the full file has been seen. - * @return false if "total_bytes" hasn't been set yet or "seen_bytes" is - * less than it, else true. + * @return true if file analysis is complete for the file, else false. + * It is incomplete if the total size is unknown or if the number of bytes + * streamed to analyzers (either as data delivers or gap information) + * matches the known total size. */ bool IsComplete() const; 
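Review bot: `File.h` now includes `FileReassembler.h`, and the new `FileReassembler.h` (later in this diff) includes `File.h` back, so the two headers include each other and only the guards break the cycle. Each header already carries the forward declaration it needs (`class FileReassembler;` here, `class File;` there) and refers to the other type only through a pointer, so both includes can be dropped and moved to the `.cc` files that call methods; `File.cc` shows no such include in this diff, so it would need one. The same point applies to the `#include "File.h"` hunk of `FileReassembler.h`.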
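Review bot: The new `IsComplete()` comment states the condition backwards: "It is incomplete if the total size is unknown or if the number of bytes streamed to analyzers ... matches the known total size", whereas the implementation returns true once `stream_offset >= total->AsCount()`. Suggest `It is incomplete if the total size is unknown or if the number of bytes streamed to analyzers (as data or gap information) is still below the known total size.`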
@@ -166,18 +168,20 @@ public: protected: friend class Manager; + friend class FileReassembler; /** * Constructor; only file_analysis::Manager should be creating these. * @param file_id an identifier string for the file in pretty hash form * (similar to connection uids). + * @param source_name the value for the source field to fill in. * @param conn a network connection over which the file is transferred. * @param tag the network protocol over which the file is transferred. * @param is_orig true if the file is being transferred from the originator * of the connection to the responder. False indicates the other * direction. */ - File(const string& file_id, Connection* conn = 0, + File(const string& file_id, const string& source_name, Connection* conn = 0, analyzer::Tag tag = analyzer::Tag::Error, bool is_orig = false); /** @@ -185,8 +189,14 @@ protected: * \c conn_id and UID taken from \a conn. * @param conn the connection over which a part of the file has been seen. * @param is_orig true if the connection originator is sending the file. + * @return true if the connection was previously unknown. */ - void UpdateConnectionFields(Connection* conn, bool is_orig); + bool UpdateConnectionFields(Connection* conn, bool is_orig); + + /** + * Raise the file_over_new_connection event with given arguments. + */ + void RaiseFileOverNewConnection(Connection* conn, bool is_orig); /** * Increment a byte count field of #val record by \a size. 
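Review bot: The doc for `RaiseFileOverNewConnection` only says "with given arguments", while the implementation (earlier in this diff) returns without raising when `conn` is null or no handler exists, which `Manager::GetFile` relies on when it passes a possibly-null connection. Suggest adding `@param conn the connection the file was seen over; may be null, in which case no event is raised.` and `@param is_orig true if the connection originator is sending the file.`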
@@ -219,20 +229,40 @@ protected: */ bool BufferBOF(const u_char* data, uint64 len); - /** - * Forward any beginning-of-file buffered data on to DataIn stream. - */ - void ReplayBOF(); - /** * Does mime type detection via file magic signatures and assigns * strongest matching mime type (if available) to \c mime_type - * field in #val. - * @param data pointer to a chunk of file data. - * @param len number of bytes in the data chunk. + * field in #val. It uses the data in the BOF buffer. * @return whether a mime type match was found. */ - bool DetectMIME(const u_char* data, uint64 len); + bool DetectMIME(); + + /** + * Enables reassembly on the file. + */ + void EnableReassembly(); + + /** + * Disables reassembly on the file. If there is an existing reassembler + * for the file, this will cause it to be deleted and won't allow a new + * one to be created until reassembly is reenabled. + */ + void DisableReassembly(); + + /** + * Set a maximum allowed bytes of memory for file reassembly for this file. + */ + void SetReassemblyBuffer(uint64 max); + + /** + * Perform stream-wise delivery for analyzers that need it. + */ + void DeliverStream(const u_char* data, uint64 len); + + /** + * Perform chunk-wise delivery for analyzers that need it. + */ + void DeliverChunk(const u_char* data, uint64 len, uint64 offset); /** * Lookup a record field index/offset by name. 
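Review bot: The retained `DetectMIME` description still says it "assigns strongest matching mime type (if available) to \c mime_type field in #val", but the new implementation no longer assigns any record field — this diff removes the `mime_type_idx`/`mime_types_idx` assignments and instead raises `file_mime_type` and `file_mime_types`. Suggest rewording to `Does mime type detection via file magic signatures on the data in the BOF buffer and raises file_mime_type / file_mime_types for the matches.`, and noting that it sets `did_mime_type` so it runs at most once per file.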
@@ -246,25 +276,24 @@ protected: */ static void StaticInit(); -private: +protected: string id; /**< A pretty hash that likely identifies file */ RecordVal* val; /**< \c fa_file from script layer. */ + FileReassembler* file_reassembler; /**< A reassembler for the file if it's needed. */ + uint64 stream_offset; /**< The offset of the file which has been forwarded. */ + uint64 reassembly_max_buffer; /**< Maximum allowed buffer for reassembly. */ + bool did_mime_type; /**< Whether the mime type ident has already been attempted. */ + bool reassembly_enabled; /**< Whether file stream reassembly is needed. */ bool postpone_timeout; /**< Whether postponing timeout is requested. */ - bool first_chunk; /**< Track first non-linear chunk. */ - bool missed_bof; /**< Flags that we missed start of file. */ - bool need_reassembly; /**< Whether file stream reassembly is needed. */ bool done; /**< If this object is about to be deleted. */ - bool did_file_new_event; /**< Whether the file_new event has been done. */ - AnalyzerSet analyzers; /**< A set of attached file analyzer. */ - queue > fonc_queue; + AnalyzerSet analyzers; /**< A set of attached file analyzers. */ struct BOF_Buffer { - BOF_Buffer() : full(false), replayed(false), size(0) {} + BOF_Buffer() : full(false), size(0) {} ~BOF_Buffer() { for ( size_t i = 0; i < chunks.size(); ++i ) delete chunks[i]; } bool full; - bool replayed; uint64 size; BroString::CVec chunks; } bof_buffer; /**< Beginning of file buffer. */ diff --git a/src/file_analysis/FileReassembler.cc b/src/file_analysis/FileReassembler.cc new file mode 100644 index 0000000000..8b678e5209 --- /dev/null +++ b/src/file_analysis/FileReassembler.cc 
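Review bot: Changing `private:` to `protected:` exposes every data member — including `val`, `analyzers` and the new owning pointer `file_reassembler` — to any subclass, although the only new collaborator, `FileReassembler`, is already granted access via `friend class FileReassembler;` in this same file. Unless a subclass genuinely needs them, keeping the members private limits who can move `stream_offset` or replace the reassembler. The constructor hunk initialising the five new members is not part of this diff, so that could not be checked here.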
@@ -0,0 +1,128 @@ + +#include "FileReassembler.h" +#include "File.h" + + +namespace file_analysis { + +class File; + +FileReassembler::FileReassembler(File *f, uint64 starting_offset) + : Reassembler(starting_offset), the_file(f), flushing(false) + { + } + +FileReassembler::FileReassembler() + : Reassembler(), the_file(0), flushing(false) + { + } + +FileReassembler::~FileReassembler() + { + } + +uint64 FileReassembler::Flush() + { + if ( flushing ) + return 0; + + if ( last_block ) + { + // This is expected to call back into FileReassembler::Undelivered(). + flushing = true; + uint64 rval = TrimToSeq(last_block->upper); + flushing = false; + return rval; + } + + return 0; + } + +uint64 FileReassembler::FlushTo(uint64 sequence) + { + if ( flushing ) + return 0; + + flushing = true; + uint64 rval = TrimToSeq(sequence); + flushing = false; + last_reassem_seq = sequence; + return rval; + } + +void FileReassembler::BlockInserted(DataBlock* start_block) + { + if ( start_block->seq > last_reassem_seq || + start_block->upper <= last_reassem_seq ) + return; + + for ( DataBlock* b = start_block; + b && b->seq <= last_reassem_seq; b = b->next ) + { + if ( b->seq == last_reassem_seq ) + { // New stuff. + uint64 len = b->Size(); + last_reassem_seq += len; + the_file->DeliverStream(b->block, len); + } + } + + // Throw out forwarded data + TrimToSeq(last_reassem_seq); + } + +void FileReassembler::Undelivered(uint64 up_to_seq) + { + // If we have blocks that begin below up_to_seq, deliver them. + DataBlock* b = blocks; + + while ( b ) + { + if ( b->seq < last_reassem_seq ) + { + // Already delivered this block. + b = b->next; + continue; + } + + if ( b->seq >= up_to_seq ) + // Block is beyond what we need to process at this point. 
+ break; + + uint64 gap_at_seq = last_reassem_seq; + uint64 gap_len = b->seq - last_reassem_seq; + the_file->Gap(gap_at_seq, gap_len); + last_reassem_seq += gap_len; + BlockInserted(b); + // Inserting a block may cause trimming of what's buffered, + // so have to assume 'b' is invalid, hence re-assign to start. + b = blocks; + } + + if ( up_to_seq > last_reassem_seq ) + { + the_file->Gap(last_reassem_seq, up_to_seq - last_reassem_seq); + last_reassem_seq = up_to_seq; + } + } + +void FileReassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n) + { + // Not doing anything here yet. + } + +IMPLEMENT_SERIAL(FileReassembler, SER_FILE_REASSEMBLER); + +bool FileReassembler::DoSerialize(SerialInfo* info) const + { + reporter->InternalError("FileReassembler::DoSerialize not implemented"); + return false; // Cannot be reached. + } + +bool FileReassembler::DoUnserialize(UnserialInfo* info) + { + reporter->InternalError("FileReassembler::DoUnserialize not implemented"); + return false; // Cannot be reached. + } + +} // end file_analysis diff --git a/src/file_analysis/FileReassembler.h b/src/file_analysis/FileReassembler.h new file mode 100644 index 0000000000..396aa062e1 --- /dev/null +++ b/src/file_analysis/FileReassembler.h 
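Review bot: `FileReassembler::Overlap()` is an empty stub, so a retransmitted block whose bytes differ from what is already buffered is accepted silently — neither logged nor counted — even though that inconsistency is the kind of evasion a reassembler is positioned to notice. At minimum document the limitation in the header (`// Overlapping data is not compared; inconsistent retransmissions go unnoticed.`), and consider comparing `b1`/`b2` over `n` bytes and reporting a weird, analogous to the TCP reassembler's handling. The `class File;` forward declaration right after `#include "File.h"` is redundant.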
@@ -0,0 +1,65 @@ +#ifndef FILE_ANALYSIS_FILEREASSEMBLER_H +#define FILE_ANALYSIS_FILEREASSEMBLER_H + +#include "Reassem.h" +#include "File.h" + +class BroFile; +class Connection; + +namespace file_analysis { + +class File; + +class FileReassembler : public Reassembler { +public: + + FileReassembler(File* f, uint64 starting_offset); + virtual ~FileReassembler(); + + void Done(); + + // Checks if we have delivered all contents that we can possibly + // deliver for this endpoint. + void CheckEOF(); + + /** + * Discards all contents of the reassembly buffer. This will spin through + * the buffer and call File::DeliverStream() and File::Gap() wherever + * appropriate. + * @return the number of new bytes now detected as gaps in the file. + */ + uint64 Flush(); + + /** + * Discards all contents of the reassembly buffer up to a given sequence + * number. This will spin through the buffer and call + * File::DeliverStream() and File::Gap() wherever appropriate. + * @param sequence the sequence number to flush until. + * @return the number of new bytes now detected as gaps in the file. + */ + uint64 FlushTo(uint64 sequence); + + /** + * @return whether the reassembler is currently is the process of flushing + * out the contents of its buffer. + */ + bool IsCurrentlyFlushing() const + { return flushing; } + +protected: + FileReassembler(); + + DECLARE_SERIAL(FileReassembler); + + void Undelivered(uint64 up_to_seq); + void BlockInserted(DataBlock* b); + void Overlap(const u_char* b1, const u_char* b2, uint64 n); + + File* the_file; + bool flushing; +}; + +} // namespace analyzer::* + +#endif diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 59c0fa0023..995d422a37 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc 
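Review bot: `Done()` and `CheckEOF()` are declared here but `FileReassembler.cc` (previous file in this diff) defines neither, so any call to them fails at link time; either define them or drop the declarations together with their comment. The closing comment `} // namespace analyzer::*` names the wrong namespace — this one is `file_analysis`. `class BroFile;` and `class Connection;` are forward-declared but not referenced in this header.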
@@ -154,14 +154,12 @@ string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag, void Manager::DataIn(const u_char* data, uint64 len, const string& file_id, const string& source) { - File* file = GetFile(file_id); + File* file = GetFile(file_id, 0, analyzer::Tag::Error, false, false, + source.c_str()); if ( ! file ) return; - if ( file->GetSource().empty() ) - file->SetSource(source); - file->DataIn(data, len); if ( file->IsComplete() ) @@ -232,6 +230,39 @@ bool Manager::SetTimeoutInterval(const string& file_id, double interval) const return true; } +bool Manager::EnableReassembly(const string& file_id) + { + File* file = LookupFile(file_id); + + if ( ! file ) + return false; + + file->EnableReassembly(); + return true; + } + +bool Manager::DisableReassembly(const string& file_id) + { + File* file = LookupFile(file_id); + + if ( ! file ) + return false; + + file->DisableReassembly(); + return true; + } + +bool Manager::SetReassemblyBuffer(const string& file_id, uint64 max) + { + File* file = LookupFile(file_id); + + if ( ! file ) + return false; + + file->SetReassemblyBuffer(max); + return true; + } + bool Manager::SetExtractionLimit(const string& file_id, RecordVal* args, uint64 n) const { @@ -254,28 +285,6 @@ bool Manager::AddAnalyzer(const string& file_id, file_analysis::Tag tag, return file->AddAnalyzer(tag, args); } -TableVal* Manager::AddAnalyzersForMIMEType(const string& file_id, const string& mtype, - RecordVal* args) - { - if ( ! tag_set_type ) - tag_set_type = internal_type("files_tag_set")->AsTableType(); - - TableVal* sval = new TableVal(tag_set_type); - TagSet* l = LookupMIMEType(mtype, false); - - if ( ! l ) - return sval; - - for ( TagSet::const_iterator i = l->begin(); i != l->end(); i++ ) - { - file_analysis::Tag tag = *i; - if ( AddAnalyzer(file_id, tag, args) ) - sval->Assign(tag.AsEnumVal(), 0); - } - - return sval; - } - bool Manager::RemoveAnalyzer(const string& file_id, file_analysis::Tag tag, RecordVal* args) const { 
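Review bot: The three new `Manager` methods (`EnableReassembly`, `DisableReassembly`, `SetReassemblyBuffer`) are non-const while the neighbouring `SetTimeoutInterval` — same shape, same `LookupFile` pattern — is declared `const`; if `LookupFile` is itself const-callable, marking these `const` as well keeps the interface consistent. This applies to the declarations in `Manager.h` too.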
@@ -288,7 +297,8 @@ bool Manager::RemoveAnalyzer(const string& file_id, file_analysis::Tag tag, } File* Manager::GetFile(const string& file_id, Connection* conn, - analyzer::Tag tag, bool is_orig, bool update_conn) + analyzer::Tag tag, bool is_orig, bool update_conn, + const char* source_name) { if ( file_id.empty() ) return 0; @@ -300,10 +310,19 @@ File* Manager::GetFile(const string& file_id, Connection* conn, if ( ! rval ) { - rval = new File(file_id, conn, tag, is_orig); + rval = new File(file_id, + source_name ? source_name + : analyzer_mgr->GetComponentName(tag), + conn, tag, is_orig); id_map.Insert(file_id.c_str(), rval); rval->ScheduleInactivityTimer(); + // Generate file_new after inserting it into manager's mapping + // in case script-layer calls back in to core from the event. + rval->FileEvent(file_new); + // Same for file_over_new_connection. + rval->RaiseFileOverNewConnection(conn, is_orig); + if ( IsIgnored(file_id) ) return 0; } @@ -311,8 +330,8 @@ File* Manager::GetFile(const string& file_id, Connection* conn, { rval->UpdateLastActivityTime(); - if ( update_conn ) - rval->UpdateConnectionFields(conn, is_orig); + if ( update_conn && rval->UpdateConnectionFields(conn, is_orig) ) + rval->RaiseFileOverNewConnection(conn, is_orig); } return rval; 
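Review bot: `rval->FileEvent(file_new)` goes through `File::FileEvent`, which (earlier in this diff) calls `mgr.Drain()` for `file_new`, so script handlers run synchronously right here — the callback the comment anticipates. If any handler can cause the manager to remove and delete the file (not visible in this diff), `rval` is dangling when `rval->RaiseFileOverNewConnection(conn, is_orig)` and `return rval` execute; re-looking the id up in `id_map` after the event, or stating why removal cannot happen from these handlers, would close that question. A comment such as `// Handlers may only mark the file ignored here; removal is deferred.` would document the assumption.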
@@ -461,63 +480,6 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, RecordVal* args, File* f) const return a; } -Manager::TagSet* Manager::LookupMIMEType(const string& mtype, bool add_if_not_found) - { - MIMEMap::const_iterator i = mime_types.find(to_upper(mtype)); - - if ( i != mime_types.end() ) - return i->second; - - if ( ! add_if_not_found ) - return 0; - - TagSet* l = new TagSet; - mime_types.insert(std::make_pair(to_upper(mtype), l)); - return l; - } - -bool Manager::RegisterAnalyzerForMIMEType(EnumVal* tag, StringVal* mtype) - { - Component* p = Lookup(tag); - - if ( ! p ) - return false; - - return RegisterAnalyzerForMIMEType(p->Tag(), mtype->CheckString()); - } - -bool Manager::RegisterAnalyzerForMIMEType(Tag tag, const string& mtype) - { - TagSet* l = LookupMIMEType(mtype, true); - - DBG_LOG(DBG_FILE_ANALYSIS, "Register analyzer %s for MIME type %s", - GetComponentName(tag).c_str(), mtype.c_str()); - - l->insert(tag); - return true; - } - -bool Manager::UnregisterAnalyzerForMIMEType(EnumVal* tag, StringVal* mtype) - { - Component* p = Lookup(tag); - - if ( ! p ) - return false; - - return UnregisterAnalyzerForMIMEType(p->Tag(), mtype->CheckString()); - } - -bool Manager::UnregisterAnalyzerForMIMEType(Tag tag, const string& mtype) - { - TagSet* l = LookupMIMEType(mtype, true); - - DBG_LOG(DBG_FILE_ANALYSIS, "Unregister analyzer %s for MIME type %s", - GetComponentName(tag).c_str(), mtype.c_str()); - - l->erase(tag); - return true; - } - RuleMatcher::MIME_Matches* Manager::DetectMIME(const u_char* data, uint64 len, RuleMatcher::MIME_Matches* rval) const { diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index 5a088e86cc..93c8e7f613 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h 
@@ -213,6 +213,21 @@ public: */ bool SetTimeoutInterval(const string& file_id, double interval) const; + /** + * Enable the reassembler for a file. + */ + bool EnableReassembly(const string& file_id); + + /** + * Disable the reassembler for a file. + */ + bool DisableReassembly(const string& file_id); + + /** + * Set the reassembly for a file in bytes. + */ + bool SetReassemblyBuffer(const string& file_id, uint64 max); + /** * Sets a limit on the maximum size allowed for extracting the file * to local disk; @@ -238,18 +253,6 @@ public: bool AddAnalyzer(const string& file_id, file_analysis::Tag tag, RecordVal* args) const; - /** - * Queue attachment of an all analyzers associated with a given MIME - * type to the file identifier. - * - * @param file_id the file identifier/hash. - * @param mtype the MIME type; comparisions will be performanced case-insensitive. - * @param args a \c AnalyzerArgs value which describes a file analyzer. - * @return A ref'ed \c set[Tag] with all added analyzers. - */ - TableVal* AddAnalyzersForMIMEType(const string& file_id, const string& mtype, - RecordVal* args); - /** * Queue removal of an analyzer for a given file identifier. * @param file_id the file identifier/hash. 
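Review bot: The comment on `SetReassemblyBuffer` ("Set the reassembly for a file in bytes.") is garbled and omits the one fact a caller needs: `File::DeliverChunk` (earlier in this diff) only enforces the limit when `reassembly_max_buffer > 0`, so zero means unlimited. Suggest `Set the maximum number of bytes the reassembler may buffer for a file; 0 disables the limit.` with `@param file_id` / `@param max` / `@return false if the file is unknown` lines matching the neighbouring methods.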
@@ -277,62 +280,6 @@ public: Analyzer* InstantiateAnalyzer(Tag tag, RecordVal* args, File* f) const; /** - * Registers a MIME type for an analyzer. Once registered, files of - * that MIME type will automatically get a corresponding analyzer - * assigned. - * - * @param tag The analyzer's tag as an enum of script type \c - * Files::Tag. - * - * @param mtype The MIME type. It will be matched case-insenistive. - * - * @return True if successful. - */ - bool RegisterAnalyzerForMIMEType(EnumVal* tag, StringVal* mtype); - - /** - * Registers a MIME type for an analyzer. Once registered, files of - * that MIME type will automatically get a corresponding analyzer - * assigned. - * - * @param tag The analyzer's tag as an enum of script type \c - * Files::Tag. - * - * @param mtype The MIME type. It will be matched case-insenistive. - * - * @return True if successful. - */ - bool RegisterAnalyzerForMIMEType(Tag tag, const string& mtype); - - /** - * Unregisters a MIME type for an analyzer. - * - * @param tag The analyzer's tag as an enum of script type \c - * Files::Tag. - * - * @param mtype The MIME type. It will be matched case-insenistive. - * - * @return True if successful (incl. when the type wasn't actually - * registered for the analyzer). - * - */ - bool UnregisterAnalyzerForMIMEType(EnumVal* tag, StringVal* mtype); - - /** - * Unregisters a MIME type for an analyzer. - * - * @param tag The analyzer's tag as an enum of script type \c - * Files::Tag. - * - * @param mtype The MIME type. It will be matched case-insenistive. - * - * @return True if successful (incl. when the type wasn't actually - * registered for the analyzer). - * - */ - bool UnregisterAnalyzerForMIMEType(Tag tag, const string& mtype); - - /** * Returns a set of all matching MIME magic signatures for a given * chunk of data. * @param data A chunk of bytes to match magic MIME signatures against. 
@@ -372,6 +319,7 @@ protected: * this file isn't related to a connection). * @param update_conn whether we need to update connection-related field * in the \c fa_file record value associated with the file. + * @param an optional value of the source field to fill in. * @return the File object mapped to \a file_id or a null pointer if * analysis is being ignored for the associated file. An File * object may be created if a mapping doesn't exist, and if it did @@ -380,7 +328,8 @@ protected: */ File* GetFile(const string& file_id, Connection* conn = 0, analyzer::Tag tag = analyzer::Tag::Error, - bool is_orig = false, bool update_conn = true); + bool is_orig = false, bool update_conn = true, + const char* source_name = 0); /** * Try to retrieve a file that's being analyzed, using its identifier/hash. diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc index 1a3917cd0e..c758414a6e 100644 --- a/src/file_analysis/analyzer/extract/Extract.cc +++ b/src/file_analysis/analyzer/extract/Extract.cc @@ -12,9 +12,9 @@ using namespace file_analysis; Extract::Extract(RecordVal* args, File* file, const string& arg_filename, uint64 arg_limit) : file_analysis::Analyzer(file_mgr->GetComponentTag("EXTRACT"), args, file), - filename(arg_filename), limit(arg_limit) + filename(arg_filename), limit(arg_limit), depth(0) { - fd = open(filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0666); + fd = open(filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_APPEND, 0666); if ( fd < 0 ) { @@ -53,7 +53,7 @@ file_analysis::Analyzer* Extract::Instantiate(RecordVal* args, File* file) limit->AsCount()); } -static bool check_limit_exceeded(uint64 lim, uint64 off, uint64 len, uint64* n) +static bool check_limit_exceeded(uint64 lim, uint64 depth, uint64 len, uint64* n) { if ( lim == 0 ) { 
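Review bot: The added `@param an optional value of the source field to fill in.` lacks the parameter name, so Doxygen will attach it to a parameter called "an"; it should read `@param source_name an optional value for the source field; when null the analyzer name for \a tag is used.` — the fallback is what `Manager::GetFile` does in the previous hunk.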
@@ -61,29 +61,31 @@ static bool check_limit_exceeded(uint64 lim, uint64 off, uint64 len, uint64* n) return false; } - if ( off >= lim ) + if ( depth >= lim ) { *n = 0; return true; } - - *n = lim - off; - - if ( len > *n ) + else if ( depth + len > lim ) + { + *n = lim - depth; return true; + } else + { *n = len; + } return false; } -bool Extract::DeliverChunk(const u_char* data, uint64 len, uint64 offset) +bool Extract::DeliverStream(const u_char* data, uint64 len) { if ( ! fd ) return false; uint64 towrite = 0; - bool limit_exceeded = check_limit_exceeded(limit, offset, len, &towrite); + bool limit_exceeded = check_limit_exceeded(limit, depth, len, &towrite); if ( limit_exceeded && file_extraction_limit ) { @@ -92,16 +94,31 @@ bool Extract::DeliverChunk(const u_char* data, uint64 len, uint64 offset) vl->append(f->GetVal()->Ref()); vl->append(Args()->Ref()); vl->append(new Val(limit, TYPE_COUNT)); - vl->append(new Val(offset, TYPE_COUNT)); vl->append(new Val(len, TYPE_COUNT)); f->FileEvent(file_extraction_limit, vl); - // Limit may have been modified by BIF, re-check it. - limit_exceeded = check_limit_exceeded(limit, offset, len, &towrite); + // Limit may have been modified by a BIF, re-check it. + limit_exceeded = check_limit_exceeded(limit, depth, len, &towrite); } if ( towrite > 0 ) - safe_pwrite(fd, data, towrite, offset); + { + safe_write(fd, reinterpret_cast(data), towrite); + depth += towrite; + } return ( ! limit_exceeded ); } + +bool Extract::Undelivered(uint64 offset, uint64 len) + { + if ( depth == offset ) + { + char* tmp = new char[len](); + safe_write(fd, tmp, len); + delete [] tmp; + depth += len; + } + + return true; + } diff --git a/src/file_analysis/analyzer/extract/Extract.h b/src/file_analysis/analyzer/extract/Extract.h index 00c4dbe2b7..cb57950d4c 100644 --- a/src/file_analysis/analyzer/extract/Extract.h +++ b/src/file_analysis/analyzer/extract/Extract.h 
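Review bot: `Extract::Undelivered` allocates `new char[len]()` for the whole gap at once and writes it without consulting `limit`, whereas `DeliverStream` directly above bounds every write with `check_limit_exceeded`; gap lengths derive from offsets reported by the transport, so a single large gap can allocate and write an arbitrary number of zero bytes regardless of the configured extraction limit, and the method also skips the `if ( ! fd )` guard `DeliverStream` has. Charging gaps against the limit and zero-filling in fixed-size pieces removes both issues, as sketched below; raising `file_extraction_limit` for gaps is left out here and may be wanted as well.
```cpp
bool Extract::Undelivered(uint64 offset, uint64 len)
	{
	if ( ! fd )
		return true;

	if ( depth != offset )
		return true;

	// Gap bytes count against the extraction limit like delivered bytes,
	// and are zero-filled in bounded pieces so that a large gap cannot
	// force a single allocation of its full size.
	uint64 tofill = 0;
	check_limit_exceeded(limit, depth, len, &tofill);

	static const uint64 zero_chunk_size = 4096; // constructed value; tune as needed
	static const char zeros[zero_chunk_size] = { 0 };

	while ( tofill > 0 )
		{
		uint64 n = tofill < zero_chunk_size ? tofill : zero_chunk_size;
		safe_write(fd, zeros, n);
		depth += n;
		tofill -= n;
		}

	return true;
	}
```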
@@ -28,11 +28,18 @@ public: * Write a chunk of file data to the local extraction file. * @param data pointer to a chunk of file data. * @param len number of bytes in the data chunk. - * @param offset number of bytes from start of file at which chunk starts. * @return false if there was no extraction file open and the data couldn't * be written, else true. */ - virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset); + virtual bool DeliverStream(const u_char* data, uint64 len); + + /** + * Report undelivered bytes. + * @param offset distance into the file where the gap occurred. + * @param len number of bytes undelivered. + * @return true + */ + virtual bool Undelivered(uint64 offset, uint64 len); /** * Create a new instance of an Extract analyzer. @@ -67,6 +74,7 @@ private: string filename; int fd; uint64 limit; + uint64 depth; }; } // namespace file_analysis diff --git a/src/file_analysis/analyzer/extract/events.bif b/src/file_analysis/analyzer/extract/events.bif index 1c08736416..f5ebb6816b 100644 --- a/src/file_analysis/analyzer/extract/events.bif +++ b/src/file_analysis/analyzer/extract/events.bif @@ -11,9 +11,7 @@ ## ## limit: The limit, in bytes, the extracted file is about to breach. ## -## offset: The offset at which a file chunk is about to be written. -## ## len: The length of the file chunk about to be written. ## ## .. bro:see:: Files::add_analyzer Files::ANALYZER_EXTRACT -event file_extraction_limit%(f: fa_file, args: any, limit: count, offset: count, len: count%); +event file_extraction_limit%(f: fa_file, args: any, limit: count, len: count%); diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index 43efd8ba0f..480d8c84d8 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif 
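Review bot: The new `depth` member has no description, although it is the only record of the write position now that `safe_pwrite(offset)` was replaced by sequential `safe_write` calls (`Extract.cc`, previous file): it advances by every byte written, including the zero-filled gaps from `Undelivered`. Suggest `uint64 depth; /**< Bytes written to the extraction file so far, including zero-filled gaps; the next write lands here. */` in the same `/**< */` style the `File.h` members use.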
@@ -15,6 +15,27 @@ function Files::__set_timeout_interval%(file_id: string, t: interval%): bool return new Val(result, TYPE_BOOL); %} +## :bro:see:`Files::enable_reassembly`. +function Files::__enable_reassembly%(file_id: string%): bool + %{ + bool result = file_mgr->EnableReassembly(file_id->CheckString()); + return new Val(result, TYPE_BOOL); + %} + +## :bro:see:`Files::disable_reassembly`. +function Files::__disable_reassembly%(file_id: string%): bool + %{ + bool result = file_mgr->DisableReassembly(file_id->CheckString()); + return new Val(result, TYPE_BOOL); + %} + +## :bro:see:`Files::set_reassembly_buffer_size`. +function Files::__set_reassembly_buffer%(file_id: string, max: count%): bool + %{ + bool result = file_mgr->SetReassemblyBuffer(file_id->CheckString(), max); + return new Val(result, TYPE_BOOL); + %} + ## :bro:see:`Files::add_analyzer`. function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool %{ @@ -26,16 +47,6 @@ function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): b return new Val(result, TYPE_BOOL); %} -## :bro:see:`Files::add_analyzers_for_mime_type`. -function Files::__add_analyzers_for_mime_type%(file_id: string, mtype: string, args: any%): files_tag_set - %{ - using BifType::Record::Files::AnalyzerArgs; - RecordVal* rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs); - Val* analyzers = file_mgr->AddAnalyzersForMIMEType(file_id->CheckString(), mtype->CheckString(), rv); - Unref(rv); - return analyzers; - %} - ## :bro:see:`Files::remove_analyzer`. function Files::__remove_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool %{ 
@@ -60,13 +71,6 @@ function Files::__analyzer_name%(tag: Files::Tag%) : string return new StringVal(file_mgr->GetComponentName(tag)); %} -## :bro:see:`Files::register_for_mime_type`. -function Files::__register_for_mime_type%(id: Analyzer::Tag, mt: string%) : bool - %{ - bool result = file_mgr->RegisterAnalyzerForMIMEType(id->AsEnumVal(), mt); - return new Val(result, TYPE_BOOL); - %} - module GLOBAL; ## For use within a :bro:see:`get_file_handle` handler to set a unique diff --git a/src/parse.y b/src/parse.y index 83760dbbf0..f74880dc13 100644 --- a/src/parse.y +++ b/src/parse.y @@ -2,7 +2,7 @@ // See the file "COPYING" in the main distribution directory for copyright. %} -%expect 75 +%expect 78 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF @@ -24,7 +24,7 @@ %token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED %token TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE %token TOK_ATTR_PRIORITY TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER -%token TOK_ATTR_TYPE_COLUMN +%token TOK_ATTR_TYPE_COLUMN TOK_ATTR_DEPRECATED %token TOK_DEBUG @@ -44,7 +44,7 @@ %right '!' %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR -%type opt_no_test opt_no_test_block +%type opt_no_test opt_no_test_block opt_deprecated %type TOK_ID TOK_PATTERN_TEXT single_pattern %type local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func %type local_id_list @@ -227,6 +227,18 @@ static bool expr_is_table_type_name(const Expr* expr) return false; } + +static bool has_attr(const attr_list* al, attr_tag tag) + { + if ( ! al ) + return false; + + for ( int i = 0; i < al->length(); ++i ) + if ( (*al)[i]->Tag() == tag ) + return true; + + return false; + } %} %union { @@ -671,6 +683,9 @@ expr: } else $$ = new NameExpr(id); + + if ( id->IsDeprecated() ) + reporter->Warning("deprecated (%s)", id->Name()); } } 
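Review bot: The new `has_attr` helper in parse.y has no comment, and its null-list handling is a contract worth stating since the grammar passes attribute lists that may be absent. Suggested header: `// Returns true if the attribute list contains an attribute with the given tag; a null list is treated as having no attributes.` The two deprecation-warning sites in this hunk (`expr` and `type`) repeat the same `reporter->Warning("deprecated (%s)", ...)` call that later hunks add in three more places; a small helper such as `warn_deprecated(const ID* id)` would keep the message format in one spot.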
@@ -759,7 +774,7 @@ enum_body_elem: error messages if someboy tries to use constant variables as enumerator. */ - TOK_ID '=' TOK_CONSTANT + TOK_ID '=' TOK_CONSTANT opt_deprecated { set_location(@1, @3); assert(cur_enum_type); @@ -768,7 +783,7 @@ enum_body_elem: reporter->Error("enumerator is not a count constant"); else cur_enum_type->AddName(current_module, $1, - $3->InternalUnsigned(), is_export); + $3->InternalUnsigned(), is_export, $4); } | TOK_ID '=' '-' TOK_CONSTANT @@ -780,11 +795,11 @@ enum_body_elem: reporter->Error("enumerator is not a count constant"); } - | TOK_ID + | TOK_ID opt_deprecated { set_location(@1); assert(cur_enum_type); - cur_enum_type->AddName(current_module, $1, is_export); + cur_enum_type->AddName(current_module, $1, is_export, $2); } ; @@ -963,7 +978,12 @@ type: $$ = error_type(); } else + { Ref($$); + + if ( $1->IsDeprecated() ) + reporter->Warning("deprecated (%s)", $1->Name()); + } } ; @@ -1139,6 +1159,9 @@ func_body: { saved_in_init.push_back(in_init); in_init = 0; + + if ( has_attr($1, ATTR_DEPRECATED) ) + current_scope()->ScopeID()->MakeDeprecated(); } stmt_list @@ -1265,6 +1288,8 @@ attr: { $$ = new Attr(ATTR_LOG); } | TOK_ATTR_ERROR_HANDLER { $$ = new Attr(ATTR_ERROR_HANDLER); } + | TOK_ATTR_DEPRECATED + { $$ = new Attr(ATTR_DEPRECATED); } ; stmt: @@ -1450,6 +1475,10 @@ event: { set_location(@1, @4); $$ = new EventExpr($1, $3); + ID* id = lookup_ID($1, current_module.c_str()); + + if ( id && id->IsDeprecated() ) + reporter->Warning("deprecated (%s)", id->Name()); } ; @@ -1556,6 +1585,15 @@ global_or_event_id: if ( ! $$->IsGlobal() ) $$->Error("already a local identifier"); + if ( $$->IsDeprecated() ) + { + BroType* t = $$->Type(); + + if ( t->Tag() != TYPE_FUNC || + t->AsFuncType()->Flavor() != FUNC_FLAVOR_FUNCTION ) + reporter->Warning("deprecated (%s)", $$->Name()); + } + delete [] $1; } 
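Review bot: In the `event:` action, the ID obtained from `lookup_ID($1, current_module.c_str())` is used only for the deprecation check and never released; if lookup_ID returns a counted reference (its implementation is not visible in this hunk), every parsed event invocation leaks one. The check could be written `ID* id = lookup_ID($1, current_module.c_str()); if ( id && id->IsDeprecated() ) reporter->Warning("deprecated (%s)", id->Name()); Unref(id);` if that is the convention, or use a non-owning lookup if one exists. The EventExpr constructed on the line above presumably resolves the same name itself, so the lookup here is a second resolution of `$1`.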
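Review bot: The exclusion of `FUNC_FLAVOR_FUNCTION` from the deprecation warning in global_or_event_id is uncommented, so a reader cannot tell whether it is intentional. Presumably it is: this rule is also reached when the deprecated function's own body is defined, and the test baseline in this commit still reports calls to `dont_use_me` and `dont_use_me_either`, so plain functions are evidently warned about at the call site via the `expr` rule. Suggested comment above the check: `// Plain functions are reported where they are called (expr rule); this rule is also hit when defining the deprecated function itself, so only events and hooks are flagged here.`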
@@ -1597,6 +1635,12 @@ opt_no_test_block: | { $$ = false; } +opt_deprecated: + TOK_ATTR_DEPRECATED + { $$ = true; } + | + { $$ = false; } + %% int yyerror(const char msg[]) diff --git a/src/plugin/ComponentManager.h b/src/plugin/ComponentManager.h index 7337cf069a..0069c77359 100644 --- a/src/plugin/ComponentManager.h +++ b/src/plugin/ComponentManager.h @@ -243,7 +243,8 @@ void ComponentManager::RegisterComponent(C* component, // Install an identfier for enum value string id = fmt("%s%s", prefix.c_str(), cname.c_str()); tag_enum_type->AddName(module, id.c_str(), - component->Tag().AsEnumVal()->InternalInt(), true); + component->Tag().AsEnumVal()->InternalInt(), true, + false); } } // namespace plugin diff --git a/src/scan.l b/src/scan.l index 0820567c30..ae11382fb3 100644 --- a/src/scan.l +++ b/src/scan.l @@ -260,6 +260,7 @@ when return TOK_WHEN; &create_expire return TOK_ATTR_EXPIRE_CREATE; &default return TOK_ATTR_DEFAULT; &delete_func return TOK_ATTR_DEL_FUNC; +&deprecated return TOK_ATTR_DEPRECATED; &raw_output return TOK_ATTR_RAW_OUTPUT; &encrypt return TOK_ATTR_ENCRYPT; &error_handler return TOK_ATTR_ERROR_HANDLER; diff --git a/src/strings.bif b/src/strings.bif index 4a30ca2aa4..b8d21cb04a 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -130,7 +130,7 @@ BroString* cat_string_array_n(TableVal* tbl, int start, int end) ## .. bro:see:: cat cat_sep string_cat cat_string_array_n ## fmt ## join_string_vec join_string_array -function cat_string_array%(a: string_array%): string +function cat_string_array%(a: string_array%): string &deprecated %{ TableVal* tbl = a->AsTableVal(); return new StringVal(cat_string_array_n(tbl, 1, a->AsTable()->Length())); 
@@ -149,7 +149,7 @@ function cat_string_array%(a: string_array%): string ## .. bro:see:: cat string_cat cat_string_array ## fmt ## join_string_vec join_string_array -function cat_string_array_n%(a: string_array, start: count, end: count%): string +function cat_string_array_n%(a: string_array, start: count, end: count%): string &deprecated %{ TableVal* tbl = a->AsTableVal(); return new StringVal(cat_string_array_n(tbl, start, end)); @@ -168,7 +168,7 @@ function cat_string_array_n%(a: string_array, start: count, end: count%): string ## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n ## fmt ## join_string_vec -function join_string_array%(sep: string, a: string_array%): string +function join_string_array%(sep: string, a: string_array%): string &deprecated %{ vector vs; TableVal* tbl = a->AsTableVal(); @@ -230,7 +230,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string ## Returns: A sorted copy of *a*. ## ## .. bro:see:: sort -function sort_string_array%(a: string_array%): string_array +function sort_string_array%(a: string_array%): string_array &deprecated %{ TableVal* tbl = a->AsTableVal(); int n = a->AsTable()->Length(); 
@@ -338,6 +338,62 @@ static int match_prefix(int s_len, const char* s, int t_len, const char* t) return 1; } +VectorVal* do_split_string(StringVal* str_val, RE_Matcher* re, int incl_sep, + int max_num_sep) + { + VectorVal* rval = new VectorVal(string_vec); + const u_char* s = str_val->Bytes(); + int n = str_val->Len(); + const u_char* end_of_s = s + n; + int num = 0; + int num_sep = 0; + + int offset = 0; + while ( n >= 0 ) + { + offset = 0; + // Find next match offset. + int end_of_match = 0; + while ( n > 0 && + (end_of_match = re->MatchPrefix(s + offset, n)) <= 0 ) + { + // Move on to next byte. + ++offset; + --n; + } + + if ( max_num_sep && num_sep >= max_num_sep ) + { + offset = end_of_s - s; + n=0; + } + + rval->Assign(num++, new StringVal(offset, (const char*) s)); + + // No more separators will be needed if this is the end of string. + if ( n <= 0 ) + break; + + if ( incl_sep ) + { // including the part that matches the pattern + rval->Assign(num++, new StringVal(end_of_match, (const char*) s+offset)); + } + + if ( max_num_sep && num_sep >= max_num_sep ) + break; + + ++num_sep; + + n -= end_of_match; + s += offset + end_of_match;; + + if ( s > end_of_s ) + reporter->InternalError("RegMatch in split goes beyond the string"); + } + + return rval; + } + Val* do_split(StringVal* str_val, RE_Matcher* re, int incl_sep, int max_num_sep) { TableVal* a = new TableVal(string_array); 
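Review bot: In do_split_string the second limit check, `if ( max_num_sep && num_sep >= max_num_sep ) break;` after the `incl_sep` block, can never fire: the earlier check with the same condition already set `n = 0`, and `if ( n <= 0 ) break;` leaves the loop before this point, so the line is dead and can be dropped; the doubled semicolon in `s += offset + end_of_match;;` is a leftover too. A more important point is the ownership of the element values: each part is handed to `rval->Assign(num++, new StringVal(...))` with no Unref, which is correct only if VectorVal::Assign takes over the reference; that convention is not visible here, and if Assign Refs its argument every element leaks. Finally, `reporter->InternalError` aborts the process, and this function runs on whatever string a script passes in, typically data from the wire; the guard should be unreachable because MatchPrefix is bounded by `n`, but clamping `s` to `end_of_s` and breaking would be the safer failure mode for a string BIF.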
@@ -493,17 +549,33 @@ Val* do_sub(StringVal* str_val, RE_Matcher* re, StringVal* repl, int do_all) ## Returns: An array of strings where each element corresponds to a substring ## in *str* separated by *re*. ## -## .. bro:see:: split1 split_all split_n str_split +## .. bro:see:: split1 split_all split_n str_split split_string1 split_string_all split_string_n str_split ## ## .. note:: The returned table starts at index 1. Note that conceptually the ## return value is meant to be a vector and this might change in the ## future. ## -function split%(str: string, re: pattern%): string_array +function split%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 0, 0); %} +## Splits a string into an array of strings according to a pattern. +## +## str: The string to split. +## +## re: The pattern describing the element separator in *str*. +## +## Returns: An array of strings where each element corresponds to a substring +## in *str* separated by *re*. +## +## .. bro:see:: split_string1 split_string_all split_string_n str_split +## +function split_string%(str: string, re: pattern%): string_vec + %{ + return do_split_string(str, re, 0, 0); + %} + ## Splits a string *once* into a two-element array of strings according to a ## pattern. This function is the same as :bro:id:`split`, but *str* is only ## split once (if possible) at the earliest position and an array of two strings 
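Review bot: The split_string documentation keeps the table-era wording (`Returns: An array of strings ...`) but drops the index note that the deprecated split carries (`The returned table starts at index 1`), while the new return type is a vector indexed from 0; the detect-MHR example in this same commit changes `MHR_answer[1]` to `MHR_answer[0]` for exactly that reason. Suggest adding to the split_string docs a line such as `.. note:: The returned vector is indexed from 0, unlike the deprecated split whose table started at 1.` The updated `.. bro:see::` line for split also lists `str_split` twice.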
@@ -518,12 +590,32 @@ function split%(str: string, re: pattern%): string_array ## second everything after *re*. An array of one string is returned ## when *s* cannot be split. ## -## .. bro:see:: split split_all split_n str_split -function split1%(str: string, re: pattern%): string_array +## .. bro:see:: split split_all split_n str_split split_string split_string_all split_string_n str_split +function split1%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 0, 1); %} +## Splits a string *once* into a two-element array of strings according to a +## pattern. This function is the same as :bro:id:`split_string`, but *str* is +## only split once (if possible) at the earliest position and an array of two +## strings is returned. +## +## str: The string to split. +## +## re: The pattern describing the separator to split *str* in two pieces. +## +## Returns: An array of strings with two elements in which the first represents +## the substring in *str* up to the first occurence of *re*, and the +## second everything after *re*. An array of one string is returned +## when *s* cannot be split. +## +## .. bro:see:: split_string split_string_all split_string_n str_split +function split_string1%(str: string, re: pattern%): string_vec + %{ + return do_split_string(str, re, 0, 1); + %} + ## Splits a string into an array of strings according to a pattern. This ## function is the same as :bro:id:`split`, except that the separators are ## returned as well. For example, ``split_all("a-b--cd", /(\-)+/)`` returns 
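Review bot: The new split_string1 docs copy two defects from split1: `An array of one string is returned when *s* cannot be split` refers to a parameter named *s* while the function's parameter is *str*, and `first occurence of *re*` misspells occurrence. Suggest `... up to the first occurrence of *re*, and the second everything after *re*. A vector of one string is returned when *str* cannot be split.` The `.. bro:see::` line for split1 also lists `str_split` twice.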
@@ -538,12 +630,32 @@ function split1%(str: string, re: pattern%): string_array ## to a substring in *str* of the part not matching *re* (odd-indexed) ## and the part that matches *re* (even-indexed). ## -## .. bro:see:: split split1 split_n str_split -function split_all%(str: string, re: pattern%): string_array +## .. bro:see:: split split1 split_n str_split split_string split_string1 split_string_n str_split +function split_all%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 1, 0); %} +## Splits a string into an array of strings according to a pattern. This +## function is the same as :bro:id:`split_string`, except that the separators +## are returned as well. For example, ``split_string_all("a-b--cd", /(\-)+/)`` +## returns ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do match the +## pattern and even-indexed ones do not. +## +## str: The string to split. +## +## re: The pattern describing the element separator in *str*. +## +## Returns: An array of strings where each two successive elements correspond +## to a substring in *str* of the part not matching *re* (even-indexed) +## and the part that matches *re* (odd-indexed). +## +## .. bro:see:: split_string split_string1 split_string_n str_split +function split_string_all%(str: string, re: pattern%): string_vec + %{ + return do_split_string(str, re, 1, 0); + %} + ## Splits a string a given number of times into an array of strings according ## to a pattern. This function is similar to :bro:id:`split1` and ## :bro:id:`split_all`, but with customizable behavior with respect to 
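Review bot: The split_string_all example shows the result as ``{"a", "-", "b", "--", "cd"}``, which is Bro's table/set notation; the function now returns a string_vec, and the new `bifs.split_string/out` baseline in this commit prints such vectors in brackets (`[, thi, s i, s a tes, t]`), so the example should read ``["a", "-", "b", "--", "cd"]`` to match what a script author will see. The odd/even index description is consistent with 0-based indexing as written. The `.. bro:see::` line for split_all lists `str_split` twice.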
@@ -563,13 +675,39 @@ function split_all%(str: string, re: pattern%): string_array ## not matching *re* (odd-indexed) and the part that matches *re* ## (even-indexed). ## -## .. bro:see:: split split1 split_all str_split +## .. bro:see:: split split1 split_all str_split split_string split_string1 split_string_all str_split function split_n%(str: string, re: pattern, - incl_sep: bool, max_num_sep: count%): string_array + incl_sep: bool, max_num_sep: count%): string_array &deprecated %{ return do_split(str, re, incl_sep, max_num_sep); %} +## Splits a string a given number of times into an array of strings according +## to a pattern. This function is similar to :bro:id:`split_string1` and +## :bro:id:`split_string_all`, but with customizable behavior with respect to +## including separators in the result and the number of times to split. +## +## str: The string to split. +## +## re: The pattern describing the element separator in *str*. +## +## incl_sep: A flag indicating whether to include the separator matches in the +## result (as in :bro:id:`split_string_all`). +## +## max_num_sep: The number of times to split *str*. +## +## Returns: An array of strings where, if *incl_sep* is true, each two +## successive elements correspond to a substring in *str* of the part +## not matching *re* (event-indexed) and the part that matches *re* +## (odd-indexed). +## +## .. bro:see:: split_string split_string1 split_string_all str_split +function split_string_n%(str: string, re: pattern, + incl_sep: bool, max_num_sep: count%): string_vec + %{ + return do_split_string(str, re, incl_sep, max_num_sep); + %} + ## Substitutes a given replacement string for the first occurrence of a pattern ## in a given string. ## diff --git a/testing/btest/Baseline/bifs.split_string/out b/testing/btest/Baseline/bifs.split_string/out new file mode 100644 index 0000000000..0ec2541f3d --- /dev/null +++ b/testing/btest/Baseline/bifs.split_string/out 
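Review bot: The split_string_n Returns text has a typo, `not matching *re* (event-indexed)`, which should be `(even-indexed)` to match the wording in split_string_all. While there, `An array of strings where` would read better as `A vector of strings where` now that the return type is string_vec, and the `.. bro:see::` line for split_n lists `str_split` twice.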
@@ -0,0 +1,32 @@ +t +s is a t +t +--------------------- +t +s is a test +--------------------- +t +hi +s is a t +es +t +--------------------- +t +s is a test +--------------------- +t +hi +s is a test +--------------------- +[, thi, s i, s a tes, t] +--------------------- +X-Mailer +Testing Test (http://www.example.com) +--------------------- +A += + B += + C += + D diff --git a/testing/btest/Baseline/core.bits_per_uid/128 b/testing/btest/Baseline/core.bits_per_uid/128 index 95ef343262..1cbf61a906 100644 --- a/testing/btest/Baseline/core.bits_per_uid/128 +++ b/testing/btest/Baseline/core.bits_per_uid/128 @@ -1,9 +1,9 @@ CUWkUyAuUGXfarKYeMETxOg Ck6kgXLOoSKlnQcgTWjvg4c -Cj4u32Pc5bifTEfuqmmG4bh Fj3nTWNjezo6G6xBmyo58Tf +Cj4u32Pc5bifTEfuqmmG4bh F4VAnSiNGSQhKEoCPd4zuQd CFrJExwHcSal5OKnoww6xl4 -C3PKsZ2Uye21VW0XPVINV8a FaJg8mtdsS86cWjSe4spPPl +C3PKsZ2Uye21VW0XPVINV8a FvBr89nD30GgGAp3wgtm6qf diff --git a/testing/btest/Baseline/core.bits_per_uid/256 b/testing/btest/Baseline/core.bits_per_uid/256 index 95ef343262..1cbf61a906 100644 --- a/testing/btest/Baseline/core.bits_per_uid/256 +++ b/testing/btest/Baseline/core.bits_per_uid/256 @@ -1,9 +1,9 @@ CUWkUyAuUGXfarKYeMETxOg Ck6kgXLOoSKlnQcgTWjvg4c -Cj4u32Pc5bifTEfuqmmG4bh Fj3nTWNjezo6G6xBmyo58Tf +Cj4u32Pc5bifTEfuqmmG4bh F4VAnSiNGSQhKEoCPd4zuQd CFrJExwHcSal5OKnoww6xl4 -C3PKsZ2Uye21VW0XPVINV8a FaJg8mtdsS86cWjSe4spPPl +C3PKsZ2Uye21VW0XPVINV8a FvBr89nD30GgGAp3wgtm6qf diff --git a/testing/btest/Baseline/core.bits_per_uid/32 b/testing/btest/Baseline/core.bits_per_uid/32 index a20d05dbd5..27965ff04a 100644 --- a/testing/btest/Baseline/core.bits_per_uid/32 +++ b/testing/btest/Baseline/core.bits_per_uid/32 @@ -1,9 +1,9 @@ CXWv6p30 CCyvnA30 -CjhGID40 F75yAm10 +CjhGID40 FmGk6O30 CdfHBz20 -CCvvfg30 Fuh3fj10 +CCvvfg30 Ftwuyy30 diff --git a/testing/btest/Baseline/core.bits_per_uid/64 b/testing/btest/Baseline/core.bits_per_uid/64 index b34eb4879d..e268d02801 100644 --- a/testing/btest/Baseline/core.bits_per_uid/64 
+++ b/testing/btest/Baseline/core.bits_per_uid/64 @@ -1,9 +1,9 @@ CUWkUyAuUGXf0 CarKYeMETxOg0 -Ck6kgXLOoSKl0 Fj3nTWNjezo60 +Ck6kgXLOoSKl0 F4VAnSiNGSQh0 CnQcgTWjvg4c0 -Cj4u32Pc5bif0 FaJg8mtdsS860 +Cj4u32Pc5bif0 FvBr89nD30Gg0 diff --git a/testing/btest/Baseline/core.bits_per_uid/96 b/testing/btest/Baseline/core.bits_per_uid/96 index 3ba0f50e04..655122649b 100644 --- a/testing/btest/Baseline/core.bits_per_uid/96 +++ b/testing/btest/Baseline/core.bits_per_uid/96 @@ -1,9 +1,9 @@ CXWv6p3arKYeMETxOg CjhGID4nQcgTWjvg4c -CCvvfg3TEfuqmmG4bh F75yAm1G6xBmyo58Tf +CCvvfg3TEfuqmmG4bh FmGk6O3KEoCPd4zuQd CsRx2w45OKnoww6xl4 -CRJuHdVW0XPVINV8a Fuh3fj1cWjSe4spPPl +CRJuHdVW0XPVINV8a Ftwuyy3GAp3wgtm6qf diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index 3da813b88e..f843da2909 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -4,7 +4,7 @@ 1 161 1 162 1 1812 -1 20000 +2 20000 1 21 1 2123 1 2152 @@ -44,8 +44,8 @@ 1 992 1 993 1 995 -48 and -47 or -48 port +49 and +48 or +49 port 34 tcp -14 udp +15 udp diff --git a/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1 b/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1 index 5c7da193c6..a3bec06fc1 100644 --- a/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1 +++ b/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1 @@ -8,7 +8,7 @@ Extracting file HTTP-FiIpIB2hRQSDBOSJRg.html Extracting file HTTP-FMG4bMmVV64eOsCb.txt Extracting file HTTP-FnaT2a3UDd093opCB9.txt + Extracting file HTTP-FfQGqj4Fhh3pH7nVQj.txt Extracting file HTTP-FsvATF146kf1Emc21j.txt - Extracting file HTTP-FkMQHg2nBr44fc5h63.txt [...] 
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output index 3b93ee757c..5e86c8d685 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output @@ -2,10 +2,10 @@ file_analysis_02.bro -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { print "new file", f$id; - if ( f?$mime_type && f$mime_type == "text/plain" ) + if ( mime_type == "text/plain" ) Files::add_analyzer(f, Files::ANALYZER_MD5); } diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output index acae92f44b..b193e4a530 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output @@ -11,18 +11,15 @@ global mime_to_ext: table[string] of string = { ["text/html"] = "html", }; -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { if ( f$source != "HTTP" ) return; - if ( ! f?$mime_type ) + if ( mime_type !in mime_to_ext ) return; - if ( f$mime_type !in mime_to_ext ) - return; - - local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]); + local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]); print fmt("Extracting file %s", fname); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } + } \ No newline at end of file diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output index bcf6ccd309..03ba9cb3cd 100644 
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output @@ -46,15 +46,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -70,6 +70,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); } diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output index be9619fa1c..55950caf6b 100644 --- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output +++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output 
@@ -9,15 +9,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -33,6 +33,6 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); - } diff --git a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 index 3d6b9dffad..e62ab5a373 100644 --- a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 +++ b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 
@@ -16,15 +16,15 @@ #empty_field (empty) #unset_field - #path mime_metrics - #open 2014-04-21-21-34-08 + #open 2014-10-08-03-56-52 #fields ts ts_delta mtype uniq_hosts hits bytes #types time interval string count count count - 1389719059.311698 300.000000 text/html 1 3 47335 + 1389719059.311698 300.000000 text/html 1 7 68469 1389719059.311698 300.000000 image/jpeg 1 1 186859 1389719059.311698 300.000000 application/pgp-signature 1 1 836 - 1389719059.311698 300.000000 text/plain 1 13 119717 + 1389719059.311698 300.000000 text/plain 1 10 101763 1389719059.311698 300.000000 image/gif 1 1 172 1389719059.311698 300.000000 image/png 1 9 82176 1389719059.311698 300.000000 image/x-icon 1 2 2300 - #close 2014-04-21-21-34-08 + #close 2014-10-08-03-56-52 diff --git a/testing/btest/Baseline/language.deprecated/out b/testing/btest/Baseline/language.deprecated/out new file mode 100644 index 0000000000..5bdf87a62b --- /dev/null +++ b/testing/btest/Baseline/language.deprecated/out 
@@ -0,0 +1,28 @@ +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 30: deprecated (ONE) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 31: deprecated (TWO) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 33: deprecated (GREEN) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 34: deprecated (BLUE) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 36: deprecated (blah) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 40: deprecated (my_event) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 41: deprecated (my_event) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 42: deprecated (my_hook) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 44: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 45: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 46: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 48: deprecated (my_record?$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 49: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 52: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 55: deprecated (my_event) +warning in 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 60: deprecated (my_hook) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 65: deprecated (blah) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 74: deprecated (dont_use_me) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 79: deprecated (dont_use_me_either) +ZERO +ONE +TWO +RED +GREEN +BLUE +generate my_hook please +generate my_event please +schedule my_event please diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 31dd415e1b..927a64692f 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -5,7 +5,8 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> 
@@ -57,7 +58,8 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> @@ -104,7 +106,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355<...>/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> 
@@ -127,37 +129,37 @@ 0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return 
(Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, 
to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, 
config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, 
path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, 
<...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, 
log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Unified2::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = 
fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, 
to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, 
postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return 
(Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return 
(cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, 
exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost 
CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Cluster::LOG, [columns=, ev=])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Communication::LOG, [columns=, ev=])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) -> @@ -189,7 +191,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Conn::LOG)) -> 
@@ -283,8 +285,8 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> 
@@ -303,6 +305,8 @@ 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) -> 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -> 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, ()) -> +0.000000 MetaHookPost CallFunction(Unified2::mappings_initialized, ()) -> +0.000000 MetaHookPost CallFunction(Unified2::start_watching, ()) -> 0.000000 MetaHookPost CallFunction(bro_init, ()) -> 0.000000 MetaHookPost CallFunction(cat, (Packe, t, _, Filter)) -> 0.000000 MetaHookPost CallFunction(current_time, ()) -> @@ -315,8 +319,8 @@ 0.000000 MetaHookPost CallFunction(reading_live_traffic, ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> -0.000000 MetaHookPost CallFunction(split1, (PacketFilter::LOG, <...>/)) -> -0.000000 MetaHookPost CallFunction(split_n, (PacketFilter, <...>/, T, 4)) -> +0.000000 MetaHookPost CallFunction(split_string1, (PacketFilter::LOG, <...>/)) -> +0.000000 MetaHookPost CallFunction(split_string_n, (PacketFilter, <...>/, T, 4)) -> 0.000000 MetaHookPost CallFunction(string_to_pattern, ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, )) -> 0.000000 MetaHookPost CallFunction(sub_bytes, (tFilter, 1, 1)) -> 
@@ -540,7 +544,8 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) @@ -592,7 +597,8 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) 
@@ -639,7 +645,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355<...>/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) 
@@ -662,37 +668,37 @@ 0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str 
= fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, 
include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (IRC::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, 
Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, 
include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Signatures::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, 
Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, 
include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre 
CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != 
Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return 
(cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, 
log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSL::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return 
(Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, 
to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Cluster::LOG, [columns=, ev=])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Communication::LOG, [columns=, ev=])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) @@ -724,7 +730,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Conn::LOG)) 
@@ -818,8 +824,8 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) 
@@ -838,6 +844,8 @@ 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugins, ()) +0.000000 MetaHookPre CallFunction(Unified2::mappings_initialized, ()) +0.000000 MetaHookPre CallFunction(Unified2::start_watching, ()) 0.000000 MetaHookPre CallFunction(bro_init, ()) 0.000000 MetaHookPre CallFunction(cat, (Packe, t, _, Filter)) 0.000000 MetaHookPre CallFunction(current_time, ()) @@ -850,8 +858,8 @@ 0.000000 MetaHookPre CallFunction(reading_live_traffic, ()) 0.000000 MetaHookPre CallFunction(reading_traces, ()) 0.000000 MetaHookPre CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -0.000000 MetaHookPre CallFunction(split1, (PacketFilter::LOG, <...>/)) -0.000000 MetaHookPre CallFunction(split_n, (PacketFilter, <...>/, T, 4)) +0.000000 MetaHookPre CallFunction(split_string1, (PacketFilter::LOG, <...>/)) +0.000000 MetaHookPre CallFunction(split_string_n, (PacketFilter, <...>/, T, 4)) 0.000000 MetaHookPre CallFunction(string_to_pattern, ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, )) 0.000000 MetaHookPre CallFunction(sub_bytes, (tFilter, 1, 1)) 
@@ -1075,7 +1083,8 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 67/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 68/udp) -0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3, 20000/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 137/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 53/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 53/udp) @@ -1127,7 +1136,8 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 67/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 68/udp) -0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3, 20000/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 137/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 53/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 53/udp) 
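Review bot: The new baseline in `@@ -1075,7 +1083,8 @@` (and again in `@@ -1127,7 +1136,8 @@`) records `Analyzer::ANALYZER_DNP3_TCP` being registered for `20000/udp`, pairing a TCP-named analyzer with a UDP port. If the DNP3 script this baseline captures now provides a separate UDP analyzer, the UDP port should presumably be registered against that one; if the TCP analyzer is intended to serve both transports, the name is misleading and a one-line comment in the registering script would spare the next reader the question. The `register_for_ports` hunk at `@@ -1174,7 +1184,7 @@` elides the set as `{20000<...>/tcp}`, so whether a second analyzer is also registered cannot be told from this page. Since the baseline freezes whatever pairing the script produces, this is worth confirming in the script rather than patching here.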
@@ -1174,7 +1184,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, {67<...>/udp}) -0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3, {20000/tcp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5355<...>/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp}) 
@@ -1197,37 +1207,37 @@ 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = 
split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, 
postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return 
(Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, 
include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, 
pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, 
to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction 
Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, 
Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, 
exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(IRC::LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = 
split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, 
log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, 
pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, 
)return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=, ev=]) 0.000000 | HookCallFunction Log::__create_stream(Communication::LOG, [columns=, ev=]) 0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=, ev=Conn::log_conn]) 
@@ -1259,7 +1269,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1353,8 +1363,8 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) 
@@ -1373,6 +1383,8 @@ 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals}) 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average}) 0.000000 | HookCallFunction SumStats::register_observe_plugins() +0.000000 | HookCallFunction Unified2::mappings_initialized() +0.000000 | HookCallFunction Unified2::start_watching() 0.000000 | HookCallFunction bro_init() 0.000000 | HookCallFunction cat(Packe, t, _, Filter) 0.000000 | HookCallFunction current_time() @@ -1385,8 +1397,8 @@ 0.000000 | HookCallFunction reading_live_traffic() 0.000000 | HookCallFunction reading_traces() 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) -0.000000 | HookCallFunction split1(PacketFilter::LOG, <...>/) -0.000000 | HookCallFunction split_n(PacketFilter, <...>/, T, 4) +0.000000 | HookCallFunction split_string1(PacketFilter::LOG, <...>/) +0.000000 | HookCallFunction split_string_n(PacketFilter, <...>/, T, 4) 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) 0.000000 | HookCallFunction sub_bytes(tFilter, 1, 1) 
@@ -1474,7 +1486,7 @@ 1362692526.939527 MetaHookPost CallFunction(network_time, ()) -> 1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> 1362692526.939527 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692526.939527 MetaHookPost CallFunction(split1, (bro.org, <...>/)) -> +1362692526.939527 MetaHookPost CallFunction(split_string1, (bro.org, <...>/)) -> 1362692526.939527 MetaHookPost DrainEvents() -> 1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, 
addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 
@@ -1511,7 +1523,7 @@ 1362692526.939527 MetaHookPre CallFunction(network_time, ()) 1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) 1362692526.939527 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -1362692526.939527 MetaHookPre CallFunction(split1, (bro.org, <...>/)) +1362692526.939527 MetaHookPre CallFunction(split_string1, (bro.org, <...>/)) 1362692526.939527 MetaHookPre DrainEvents() 1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, 
uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 
@@ -1549,7 +1561,7 @@ 1362692526.939527 | HookCallFunction network_time() 1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) 1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) -1362692526.939527 | HookCallFunction split1(bro.org, <...>/) +1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/) 1362692526.939527 | HookDrainEvents 1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, 
dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 
@@ -1566,17 +1578,19 @@ 1362692527.008509 MetaHookPre UpdateNetworkTime(1362692527.008509) 1362692527.008509 | HookUpdateNetworkTime 1362692527.008509 1362692527.008509 | HookDrainEvents -1362692527.009512 MetaHookPost CallFunction(Files::__add_analyzers_for_mime_type, (FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0])) -> -1362692527.009512 MetaHookPost CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::__enable_reassembly, (FakNcS1Jfe01uljb3)) -> +1362692527.009512 MetaHookPost CallFunction(Files::__set_reassembly_buffer, (FakNcS1Jfe01uljb3, 1048576)) -> +1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, 
last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=], 1048576)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::code_in_range, (200, 100, 199)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, 
info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, 
snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 1362692527.009512 MetaHookPost CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009512 MetaHookPost CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> 1362692527.009512 MetaHookPost CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 1362692527.009512 
MetaHookPost CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 
@@ -1593,9 +1607,9 @@ 1362692527.009512 MetaHookPost CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> 1362692527.009512 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009512 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009512 MetaHookPost CallFunction(split_all, (HTTP, <...>/)) -> +1362692527.009512 MetaHookPost CallFunction(split_string_all, (HTTP, <...>/)) -> 1362692527.009512 MetaHookPost DrainEvents() -> -1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> false +1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, 
bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> false 1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009512 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 
@@ -1610,17 +1624,19 @@ 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> false 1362692527.009512 MetaHookPost UpdateNetworkTime(1362692527.009512) -> -1362692527.009512 MetaHookPre CallFunction(Files::__add_analyzers_for_mime_type, (FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0])) -1362692527.009512 MetaHookPre CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::__enable_reassembly, (FakNcS1Jfe01uljb3)) +1362692527.009512 MetaHookPre CallFunction(Files::__set_reassembly_buffer, (FakNcS1Jfe01uljb3, 1048576)) +1362692527.009512 MetaHookPre 
CallFunction(Files::enable_reassembly, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) +1362692527.009512 MetaHookPre 
CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, 
conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=], 1048576)) 1362692527.009512 MetaHookPre CallFunction(HTTP::code_in_range, (200, 100, 199)) 1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, 
modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 1362692527.009512 MetaHookPre CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009512 MetaHookPre CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) 1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 1362692527.009512 MetaHookPre CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -1637,9 +1653,9 @@ 1362692527.009512 MetaHookPre CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009512 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009512 MetaHookPre CallFunction(split_all, (HTTP, <...>/)) +1362692527.009512 MetaHookPre CallFunction(split_string_all, (HTTP, <...>/)) 1362692527.009512 MetaHookPre DrainEvents() -1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, 
http=, irc=, u2_events=])) 1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -1655,17 +1671,19 @@ 1362692527.009512 MetaHookPre QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre UpdateNetworkTime(1362692527.009512) 1362692527.009512 | HookUpdateNetworkTime 1362692527.009512 -1362692527.009512 | HookCallFunction Files::__add_analyzers_for_mime_type(FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0]) -1362692527.009512 | HookCallFunction Files::add_analyzers_for_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3) +1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 1048576) +1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, 
sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=], 1048576) 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199) 1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, 
status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) 1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, 
resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 
@@ -1682,9 +1700,9 @@ 1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) 1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009512 | HookCallFunction split_all(HTTP, <...>/) +1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/) 1362692527.009512 | HookDrainEvents -1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) 1362692527.009512 | HookQueueEvent 
file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 
@@ -1710,7 +1728,8 @@ 1362692527.009765 MetaHookPre UpdateNetworkTime(1362692527.009765) 1362692527.009765 | HookUpdateNetworkTime 1362692527.009765 1362692527.009765 | HookDrainEvents -1362692527.009775 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::code_in_range, (200, 100, 199)) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, 
modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 
@@ -1721,7 +1740,8 @@ 1362692527.009775 MetaHookPost CallFunction(Log::write, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> 1362692527.009775 MetaHookPost CallFunction(Log::write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> 1362692527.009775 MetaHookPost CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(file_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> +1362692527.009775 MetaHookPost CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(fmt, (%s, Files::LOG)) -> 1362692527.009775 MetaHookPost CallFunction(fmt, (%s, HTTP::LOG)) -> 1362692527.009775 MetaHookPost CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 
@@ -1730,19 +1750,21 @@ 1362692527.009775 MetaHookPost CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> 1362692527.009775 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009775 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(split1, (Files::LOG, <...>/)) -> -1362692527.009775 MetaHookPost CallFunction(split1, (HTTP::LOG, <...>/)) -> -1362692527.009775 MetaHookPost CallFunction(split_n, (Files, <...>/, T, 4)) -> -1362692527.009775 MetaHookPost CallFunction(split_n, (HTTP, <...>/, T, 4)) -> +1362692527.009775 MetaHookPost CallFunction(split_string1, (Files::LOG, <...>/)) -> +1362692527.009775 MetaHookPost CallFunction(split_string1, (HTTP::LOG, <...>/)) -> +1362692527.009775 MetaHookPost CallFunction(split_string_n, (Files, <...>/, T, 4)) -> +1362692527.009775 MetaHookPost CallFunction(split_string_n, (HTTP, <...>/, T, 4)) -> 1362692527.009775 MetaHookPost CallFunction(to_lower, (Files)) -> 1362692527.009775 MetaHookPost CallFunction(to_lower, (HTTP)) -> 1362692527.009775 MetaHookPost DrainEvents() -> -1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> false +1362692527.009775 MetaHookPost 
QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> false +1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> false 1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false 1362692527.009775 MetaHookPost UpdateNetworkTime(1362692527.009775) -> -1362692527.009775 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre 
CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) +1362692527.009775 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(HTTP::code_in_range, (200, 100, 199)) 1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 
@@ -1753,7 +1775,8 @@ 1362692527.009775 MetaHookPre CallFunction(Log::write, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) 1362692527.009775 MetaHookPre CallFunction(Log::write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) 1362692527.009775 MetaHookPre CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre CallFunction(file_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) +1362692527.009775 MetaHookPre CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(fmt, (%s, Files::LOG)) 1362692527.009775 MetaHookPre CallFunction(fmt, (%s, HTTP::LOG)) 1362692527.009775 MetaHookPre CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 
@@ -1762,20 +1785,22 @@ 1362692527.009775 MetaHookPre CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009775 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(split1, (Files::LOG, <...>/)) -1362692527.009775 MetaHookPre CallFunction(split1, (HTTP::LOG, <...>/)) -1362692527.009775 MetaHookPre CallFunction(split_n, (Files, <...>/, T, 4)) -1362692527.009775 MetaHookPre CallFunction(split_n, (HTTP, <...>/, T, 4)) +1362692527.009775 MetaHookPre CallFunction(split_string1, (Files::LOG, <...>/)) +1362692527.009775 MetaHookPre CallFunction(split_string1, (HTTP::LOG, <...>/)) +1362692527.009775 MetaHookPre CallFunction(split_string_n, (Files, <...>/, T, 4)) +1362692527.009775 MetaHookPre CallFunction(split_string_n, (HTTP, <...>/, T, 4)) 1362692527.009775 MetaHookPre CallFunction(to_lower, (Files)) 1362692527.009775 MetaHookPre CallFunction(to_lower, (HTTP)) 1362692527.009775 MetaHookPre DrainEvents() -1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, 
conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) +1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) 1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre UpdateNetworkTime(1362692527.009775) 1362692527.009775 | HookUpdateNetworkTime 1362692527.009775 -1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) +1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, 
conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=]) +1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=]) 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199) 1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 
@@ -1786,7 +1811,8 @@
 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])
 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])
 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])
+1362692527.009775 | HookCallFunction file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)
+1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])
 1362692527.009775 | HookCallFunction fmt(%s, Files::LOG)
 1362692527.009775 | HookCallFunction fmt(%s, HTTP::LOG)
 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
@@ -1795,14 +1821,15 @@
 1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009775 | HookCallFunction split1(Files::LOG, <...>/)
-1362692527.009775 | HookCallFunction split1(HTTP::LOG, <...>/)
-1362692527.009775 | HookCallFunction split_n(Files, <...>/, T, 4)
-1362692527.009775 | HookCallFunction split_n(HTTP, <...>/, T, 4)
+1362692527.009775 | HookCallFunction split_string1(Files::LOG, <...>/)
+1362692527.009775 | HookCallFunction split_string1(HTTP::LOG, <...>/)
+1362692527.009775 | HookCallFunction split_string_n(Files, <...>/, T, 4)
+1362692527.009775 | HookCallFunction split_string_n(HTTP, <...>/, T, 4)
 1362692527.009775 | HookCallFunction to_lower(Files)
 1362692527.009775 | HookCallFunction to_lower(HTTP)
 1362692527.009775 | HookDrainEvents
-1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])
+1362692527.009775 | HookQueueEvent file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)
+1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, 
source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])
 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)
 1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)
 1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
@@ -1852,8 +1879,8 @@
 1362692527.080972 MetaHookPost CallFunction(net_stats, ()) ->
 1362692527.080972 MetaHookPost CallFunction(reading_traces, ()) ->
 1362692527.080972 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) ->
-1362692527.080972 MetaHookPost CallFunction(split1, (Conn::LOG, <...>/)) ->
-1362692527.080972 MetaHookPost CallFunction(split_n, (Conn, <...>/, T, 4)) ->
+1362692527.080972 MetaHookPost CallFunction(split_string1, (Conn::LOG, <...>/)) ->
+1362692527.080972 MetaHookPost CallFunction(split_string_n, (Conn, <...>/, T, 4)) ->
 1362692527.080972 MetaHookPost CallFunction(sub_bytes, (HTTP, 0, 1)) ->
 1362692527.080972 MetaHookPost CallFunction(to_lower, (Conn)) ->
 1362692527.080972 MetaHookPost CallFunction(to_lower, (HTTP)) ->
@@ -1886,8 +1913,8 @@
 1362692527.080972 MetaHookPre CallFunction(net_stats, ())
 1362692527.080972 MetaHookPre CallFunction(reading_traces, ())
 1362692527.080972 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.080972 MetaHookPre CallFunction(split1, (Conn::LOG, <...>/))
-1362692527.080972 MetaHookPre CallFunction(split_n, (Conn, <...>/, T, 4))
+1362692527.080972 MetaHookPre CallFunction(split_string1, (Conn::LOG, <...>/))
+1362692527.080972 MetaHookPre CallFunction(split_string_n, (Conn, <...>/, T, 4))
 1362692527.080972 MetaHookPre CallFunction(sub_bytes, (HTTP, 0, 1))
 1362692527.080972 MetaHookPre CallFunction(to_lower, (Conn))
 1362692527.080972 MetaHookPre CallFunction(to_lower, (HTTP))
@@ -1921,8 +1948,8 @@
 1362692527.080972 | HookCallFunction net_stats()
 1362692527.080972 | HookCallFunction reading_traces()
 1362692527.080972 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.080972 | HookCallFunction split1(Conn::LOG, <...>/)
-1362692527.080972 | HookCallFunction split_n(Conn, <...>/, T, 4)
+1362692527.080972 | HookCallFunction split_string1(Conn::LOG, <...>/)
+1362692527.080972 | HookCallFunction split_string_n(Conn, <...>/, T, 4)
 1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1)
 1362692527.080972 | HookCallFunction to_lower(Conn)
 1362692527.080972 | HookCallFunction to_lower(HTTP)
diff --git a/testing/btest/Baseline/scripts.base.files.extract.limit/1.out b/testing/btest/Baseline/scripts.base.files.extract.limit/1.out
index f767bfcccd..6cb00f1954 100644
--- a/testing/btest/Baseline/scripts.base.files.extract.limit/1.out
+++ b/testing/btest/Baseline/scripts.base.files.extract.limit/1.out
@@ -1 +1 @@
-file_extraction_limit, 3000, 2896, 1448
+file_extraction_limit, 3000, 1448
diff --git a/testing/btest/Baseline/scripts.base.files.extract.limit/2.out b/testing/btest/Baseline/scripts.base.files.extract.limit/2.out
index bdf1f9d171..ecfd786e38 100644
--- a/testing/btest/Baseline/scripts.base.files.extract.limit/2.out
+++ b/testing/btest/Baseline/scripts.base.files.extract.limit/2.out
@@ -1,3 +1,3 @@
-file_extraction_limit, 3000, 2896, 1448
+file_extraction_limit, 3000, 1448
 T
-file_extraction_limit, 6000, 5792, 1448
+file_extraction_limit, 6000, 1448
diff --git a/testing/btest/Baseline/scripts.base.files.extract.limit/3.out b/testing/btest/Baseline/scripts.base.files.extract.limit/3.out
index b6da9537b7..7f9b69f0ce 100644
--- a/testing/btest/Baseline/scripts.base.files.extract.limit/3.out
+++ b/testing/btest/Baseline/scripts.base.files.extract.limit/3.out
@@ -1,2 +1,2 @@
-file_extraction_limit, 7000, 5792, 1448
+file_extraction_limit, 7000, 1448
 T
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
index d1cc77944c..5e70c0645c 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
@@ -1,9 +1,5 @@ FILE_NEW file #0, 0, 0 -FILE_BOF_BUFFER -^J0.26 | 201 -MIME_TYPE -text/plain FILE_OVER_NEW_CONNECTION file_stream, file #0, 1146, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J file_chunk, file #0, 1146, 0, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. 
(Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J
@@ -16,6 +12,10 @@ file_chunk, file #0, 663, 4042, thread library when necessary (e.g.^J PF_RIN
 FILE_STATE_REMOVE
 file #0, 4705, 0
 [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
+FILE_BOF_BUFFER
+^J0.26 | 201
+MIME_TYPE
+text/plain
 total bytes: 4705
 source: HTTP
 MD5: 397168fd09991a0e712254df7bc639ac
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log
index b836d14e47..ca56378a9b 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path files
-#open 2014-09-08-21-50-32
+#open 2014-12-16-15-30-20
 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
 #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
 1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 MD5 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac - - -
-#close 2014-09-08-21-50-32
+#close 2014-12-16-15-30-20
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.remove_action/get.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.remove_action/get.out
index eb62690f91..4b2bf1e210 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.remove_action/get.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.remove_action/get.out
@@ -1,12 +1,12 @@
 FILE_NEW
 file #0, 0, 0
-FILE_BOF_BUFFER
-^J0.26 | 201
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 4705, 0
 [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
+FILE_BOF_BUFFER
+^J0.26 | 201
+MIME_TYPE
+text/plain
 total bytes: 4705
 source: HTTP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout
index 1e68c761de..89ee79cad4 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout
@@ -1,20 +1,28 @@
 FILE_NEW
 file #0, 0, 0
-MIME_TYPE
-application/x-dosexec
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 1022920, 0
 [orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
+FILE_BOF_BUFFER
+MZ\x90\0^C\0\0\0^D\0\0
+MIME_TYPE
+application/x-dosexec
 total bytes: 1022920
 source: HTTP
+MD5: fc13fee1d44ef737a3133f1298b21d28
+SHA1: 7d99803eaf3b6e8dfa3581348bc694089579d25a
+SHA256: dcb87a62a2b5d449abc138776000fd1b14edc690e9da6ea325b8f352ab033202
 FILE_NEW
 file #1, 0, 0
 FILE_OVER_NEW_CONNECTION
 FILE_TIMEOUT
 FILE_TIMEOUT
+FILE_GAP
 FILE_STATE_REMOVE
-file #1, 206024, 0
+file #1, 206024, 816896
 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
+FILE_BOF_BUFFER
+\x1b\xb8=\xb1\xff^PU^P\xce\xc3^
 total bytes: 1022920
 source: HTTP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.stop/get.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.stop/get.out
index 13cfe5de58..72bc73e726 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.stop/get.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.stop/get.out
@@ -1,7 +1,2 @@
 FILE_NEW
 file #0, 0, 0
-FILE_BOF_BUFFER
-^J0.26 | 201
-MIME_TYPE
-text/plain
-FILE_OVER_NEW_CONNECTION
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log
new file mode 100644
index 0000000000..cebe140bda
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path files
+#open 2015-02-05-13-55-41
+#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
+#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
+1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 MD5,SHA1 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 - -
+#close 2015-02-05-13-55-41
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out
index ef818618b3..a7ba6981c7 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out
@@ -1,13 +1,13 @@
 FILE_NEW
 file #0, 0, 0
-FILE_BOF_BUFFER
-The Nationa
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 16557, 0
 [orig_h=141.142.228.5, orig_p=50737/tcp, resp_h=141.142.192.162, resp_p=38141/tcp]
+FILE_BOF_BUFFER
+The Nationa
+MIME_TYPE
+text/plain
 source: FTP_DATA
 MD5: 7192a8075196267203adb3dfaa5c908d
 SHA1: 44586aed07cfe19cad25076af98f535585cd5797
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out
index d42db4b90a..0ed8262afc 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out
@@ -1,13 +1,13 @@
 FILE_NEW
 file #0, 0, 0
-FILE_BOF_BUFFER
-{^J "origin
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 197, 0
 [orig_h=141.142.228.5, orig_p=50153/tcp, resp_h=54.243.118.187, resp_p=80/tcp]
+FILE_BOF_BUFFER
+{^J "origin
+MIME_TYPE
+text/plain
 source: HTTP
 MD5: 5baba7eea57bc8a42a92c817ed566d72
 SHA1: e351b8c693c3353716787c02e2923f4d12ebbb31
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get.out
index 219aad4eff..cc04790c70 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get.out
@@ -1,13 +1,13 @@
 FILE_NEW
 file #0, 0, 0
-FILE_BOF_BUFFER
-^J0.26 | 201
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 4705, 0
 [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
+FILE_BOF_BUFFER
+^J0.26 | 201
+MIME_TYPE
+text/plain
 total bytes: 4705
 source: HTTP
 MD5: 397168fd09991a0e712254df7bc639ac
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out
index 0bf8d6a0c9..d6b94e5372 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out
@@ -1,49 +1,49 @@
 FILE_NEW
 file #0, 0, 0
-FILE_BOF_BUFFER
-test
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 4, 0
 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
+FILE_BOF_BUFFER
+test
 source: HTTP
 MD5: 098f6bcd4621d373cade4e832627b4f6
 SHA1: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
 SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
 FILE_NEW
 file #1, 0, 0
-FILE_BOF_BUFFER
-test2
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #1, 5, 0
 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
+FILE_BOF_BUFFER
+test2
 source: HTTP
 MD5: ad0234829205b9033196ba818f7a872b
 SHA1: 109f4b3c50d7b0df729d299bc6f8e9ef9066971f
 SHA256: 60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752
 FILE_NEW
 file #2, 0, 0
-FILE_BOF_BUFFER
-test3
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #2, 5, 0
 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
+FILE_BOF_BUFFER
+test3
 source: HTTP
 MD5: 8ad8757baa8564dc136c1e07507f4a98
 SHA1: 3ebfa301dc59196f18593c45e519287a23297589
 SHA256: fd61a03af4f77d870fc21e05e7e80678095c92d808cfb3b5c279ee04c74aca13
 FILE_NEW
 file #3, 0, 0
-FILE_BOF_BUFFER
-{^J "data":
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #3, 465, 0
 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
+FILE_BOF_BUFFER
+{^J "data":
+MIME_TYPE
+text/plain
 total bytes: 465
 source: HTTP
 MD5: 226244811006caf4ac904344841168dd
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out
index 077fb5282c..5f2e28889e 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out
@@ -1,12 +1,17 @@
 FILE_NEW
 file #0, 0, 0
-MIME_TYPE
-application/pdf
 FILE_OVER_NEW_CONNECTION
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 555523, 0
 [orig_h=10.101.84.70, orig_p=10978/tcp, resp_h=129.174.93.161, resp_p=80/tcp]
 [orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp]
+FILE_BOF_BUFFER
+%PDF-1.4^J%\xd0
+MIME_TYPE
+application/pdf
 total bytes: 555523
 source: HTTP
+MD5: 5a484ada9c816c0e8b6d2d3978e3f503
+SHA1: 54e7d39e99eb9d40d6251c0361a1090a0d278571
+SHA256: 61c0718bd534ab55716eba161e91bb49155562ddc7c08f0c20f6359d7b808b66
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
index f5698aba23..36202f285b 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
@@ -1,19 +1,27 @@
 FILE_NEW
 file #0, 0, 0
-MIME_TYPE
-application/x-dosexec
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 1022920, 0
 [orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
+FILE_BOF_BUFFER
+MZ\x90\0^C\0\0\0^D\0\0
+MIME_TYPE
+application/x-dosexec
 total bytes: 1022920
 source: HTTP
+MD5: fc13fee1d44ef737a3133f1298b21d28
+SHA1: 7d99803eaf3b6e8dfa3581348bc694089579d25a
+SHA256: dcb87a62a2b5d449abc138776000fd1b14edc690e9da6ea325b8f352ab033202
 FILE_NEW
 file #1, 0, 0
 FILE_OVER_NEW_CONNECTION
 FILE_TIMEOUT
+FILE_GAP
 FILE_STATE_REMOVE
-file #1, 206024, 0
+file #1, 206024, 816896
 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
+FILE_BOF_BUFFER
+\x1b\xb8=\xb1\xff^PU^P\xce\xc3^
 total bytes: 1022920
 source: HTTP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
index 5b213f429a..34cffd7f1e 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
@@ -3,8 +3,15 @@ file #0, 0, 0
 FILE_OVER_NEW_CONNECTION
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
-file #0, 498702, 0
+file #0, 498668, 0
 [orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp]
 [orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp]
+FILE_BOF_BUFFER
+%PDF-1.4^M%\xe2
+MIME_TYPE
+application/pdf
 total bytes: 498668
 source: HTTP
+MD5: 94046a5fb1c5802d0f1e6d704cf3e10e
+SHA1: 250aa71dd1594363bc7083d25cfd0240e441b119
+SHA256: 5c3bc213c9eff85f98feceac8810b955f8415564e50e3889b447e847c50c5ba7
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out
index b85485cd1a..e0880d128c 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out
@@ -1,41 +1,41 @@
 FILE_NEW
 file #0, 0, 0
-FILE_BOF_BUFFER
-/*^J********
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 2675, 0
 [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
+FILE_BOF_BUFFER
+/*^J********
+MIME_TYPE
+text/plain
 source: HTTP
 MD5: b932c3310ce47e158d1a5a42e0b01279
 SHA1: 0e42ae17eea9b074981bd3a34535ad3a22d02706
 SHA256: 5b037a2c5e36f56e63a3012c73e46a04b27741d8ff8f8b62c832fb681fc60f42
 FILE_NEW
 file #1, 0, 0
-FILE_BOF_BUFFER
-//-- Google
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #1, 21421, 0
 [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
+FILE_BOF_BUFFER
+//-- Google
+MIME_TYPE
+text/plain
 source: HTTP
 MD5: e732f7bf1d7cb4eedcb1661697d7bc8c
 SHA1: 8f241117afaa8ca5f41dc059e66d75c283dcc983
 SHA256: 6a509fd05aa7c8fa05080198894bb19e638554ffcee0e0b3d7bc8ff54afee1da
 FILE_NEW
 file #2, 0, 0
-FILE_BOF_BUFFER
-GIF89a^D\0^D\0\xb3
-MIME_TYPE
-image/gif
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #2, 94, 0
 [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
+FILE_BOF_BUFFER
+GIF89a^D\0^D\0\xb3
+MIME_TYPE
+image/gif
 total bytes: 94
 source: HTTP
 MD5: d903de7e30db1691d3130ba5eae6b9a7
@@ -43,14 +43,14 @@ SHA1: 81f5f056ce5e97d940854bb0c48017b45dd9f15e
 SHA256: 6fb22aa9d780ea63bd7a2e12b92b16fcbf1c4874f1d3e11309a5ba984433c315
 FILE_NEW
 file #3, 0, 0
-FILE_BOF_BUFFER
-\x89PNG^M^J^Z^J\0\0\0
-MIME_TYPE
-image/png
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #3, 2349, 0
 [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
+FILE_BOF_BUFFER
+\x89PNG^M^J^Z^J\0\0\0
+MIME_TYPE
+image/png
 total bytes: 2349
 source: HTTP
 MD5: e0029eea80812e9a8e57b8d05d52938a
@@ -58,14 +58,14 @@ SHA1: 560eab5a0177246827a94042dd103916d8765ac7
 SHA256: e0b4500c1fd1d675da4137461cbe64d3c8489f4180d194e47683b20e7fb876f4
 FILE_NEW
 file #4, 0, 0
-FILE_BOF_BUFFER
-\x89PNG^M^J^Z^J\0\0\0
-MIME_TYPE
-image/png
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #4, 27579, 0
 [orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
+FILE_BOF_BUFFER
+\x89PNG^M^J^Z^J\0\0\0
+MIME_TYPE
+image/png
 total bytes: 27579
 source: HTTP
 MD5: 30aa926344f58019d047e85ba049ca1e
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out
index cedc396254..deddfbb640 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out
@@ -1,13 +1,13 @@
 FILE_NEW
 file #0, 0, 0
-FILE_BOF_BUFFER
-hello world
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 11, 0
 [orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp]
+FILE_BOF_BUFFER
+hello world
+MIME_TYPE
+text/plain
 total bytes: 11
 source: HTTP
 MD5: 5eb63bbbe01eeed093cb22bb8f5acdc3
@@ -15,14 +15,14 @@ SHA1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
 SHA256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
 FILE_NEW
 file #1, 0, 0
-FILE_BOF_BUFFER
-{^J "origin
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #1, 366, 0
 [orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp]
+FILE_BOF_BUFFER
+{^J "origin
+MIME_TYPE
+text/plain
 total bytes: 366
 source: HTTP
 MD5: c9337794df612aeaa901dcf9fa446bca
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.input.basic/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.input.basic/bro..stdout
index afeb32b334..a5093d22c2 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.input.basic/bro..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.input.basic/bro..stdout
@@ -1,11 +1,11 @@
 FILE_NEW
 file #0, 0, 0
+FILE_STATE_REMOVE
+file #0, 311, 0
 FILE_BOF_BUFFER
 #separator
 MIME_TYPE
 text/plain
-FILE_STATE_REMOVE
-file #0, 311, 0
 source: ../input.log
 MD5: bf4dfa6169b74146da5236e918743599
 SHA1: 0a0f20de89c86d7bce1301af6548d6e9ae87b0f1
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out
index 082fb7e038..906225c051 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out
@@ -1,18 +1,14 @@
 FILE_NEW
 file #0, 0, 0
-FILE_BOF_BUFFER
-PK^C^D^T\0\0\0^H\0\xae
-MIME_TYPE
-application/zip
 FILE_OVER_NEW_CONNECTION
 FILE_NEW
 file #1, 0, 0
-FILE_BOF_BUFFER
-\0\0^Ex\0\0^J\xf0\0\0^P
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #1, 124, 0
 [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
+FILE_BOF_BUFFER
+\0\0^Ex\0\0^J\xf0\0\0^P
 source: IRC_DATA
 MD5: 35288fd50a74c7d675909ff83424d7a1
 SHA1: 8a98f177cb47e6bf771bf57c2f7e94c4b5e79ffa
@@ -20,6 +16,10 @@ SHA256: b24dde52b933a0d76e885ab418cb6d697b14a4e2fef45fce66e12ecc5a6a81aa
 FILE_STATE_REMOVE
 file #0, 42208, 0
 [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
+FILE_BOF_BUFFER
+PK^C^D^T\0\0\0^H\0\xae
+MIME_TYPE
+application/zip
 source: IRC_DATA
 MD5: 8c0803242f549c2780cb88b9a9215c65
 SHA1: 8abe0239263fd7326eb803d4465cf494f8bea218
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
index daf862e3b9..dfce362b50 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path files
-#open 2014-09-08-21-55-01
+#open 2014-12-16-15-30-30
 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
 #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
 1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 SHA256,DATA_EVENT,MD5,EXTRACT,SHA1 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 FakNcS1Jfe01uljb3-file
-#close 2014-09-08-21-55-01
+#close 2014-12-16-15-30-30
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out
index 44c240c7ee..561f3c49f6 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out
@@ -1,41 +1,41 @@
 FILE_NEW
 file #0, 0, 0
-FILE_BOF_BUFFER
-Hello^M^J^M^J ^M
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 77, 0
 [orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
+FILE_BOF_BUFFER
+Hello^M^J^M^J ^M
+MIME_TYPE
+text/plain
 source: SMTP
 MD5: 58aff3af22807bc5f4b6357c0038256c
 SHA1: c39dc8cd0f8d8b1f7fc8b362c41e69fdf20f668a
 SHA256: 8d057f3af311c20675eea767a9df5fa31ff3597c6d5d50fd0cdc34766c40204d
 FILE_NEW
 file #1, 0, 0
-FILE_BOF_BUFFER
-....^J0150 0d 0a 20 20 3c 21 2d 2d 44 6f 63 75 6d 65 6e 74 .. ^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [1] mime_type: string = text/html + 1254722770.692804 file_state_remove - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=F, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP 
@@ -393,17 +401,21 @@ [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F -1254722770.692823 file_new - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] +1254722770.692804 file_new + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, 
flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] -1254722770.692823 file_over_new_connection - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, 
dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, 
athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] +1254722770.692804 file_over_new_connection + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.695115 new_connection [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] +1254722771.494181 file_mime_type + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, 
subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During 
Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug 
fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: -D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [1] mime_type: string = text/plain + 1254722771.858334 mime_end_entity [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, 
uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 
@@ -413,7 +425,7 @@ [2] is_orig: bool = T 1254722771.858334 file_state_remove - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, 
parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* 
Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: 
-D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=F, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP diff --git a/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap b/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap new file mode 100755 index 0000000000..79881f62e7 Binary files /dev/null and b/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap differ diff --git a/testing/btest/Traces/dnp3/dnp3_udp_read.pcap b/testing/btest/Traces/dnp3/dnp3_udp_read.pcap new file mode 100755 index 0000000000..7bc9d4add2 Binary files /dev/null and b/testing/btest/Traces/dnp3/dnp3_udp_read.pcap differ 
diff --git a/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap b/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap
new file mode 100755
index 0000000000..384b5137d6
Binary files /dev/null and b/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap differ
diff --git a/testing/btest/Traces/dnp3/dnp3_udp_write.pcap b/testing/btest/Traces/dnp3/dnp3_udp_write.pcap
new file mode 100755
index 0000000000..a2dd31b3b7
Binary files /dev/null and b/testing/btest/Traces/dnp3/dnp3_udp_write.pcap differ
diff --git a/testing/btest/bifs/split_string.bro b/testing/btest/bifs/split_string.bro
new file mode 100644
index 0000000000..e4d32b7f73
--- /dev/null
+++ b/testing/btest/bifs/split_string.bro
@@ -0,0 +1,36 @@
+#
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+function print_string_vector(v: string_vec)
+ {
+ for ( i in v )
+ print v[i];
+ }
+
+event bro_init()
+ {
+ local a = "this is a test";
+ local pat = /hi|es/;
+ local idx = vector( 3, 6, 13);
+
+ print_string_vector(split_string(a, pat));
+ print "---------------------";
+ print_string_vector(split_string1(a, pat));
+ print "---------------------";
+ print_string_vector(split_string_all(a, pat));
+ print "---------------------";
+ print_string_vector(split_string_n(a, pat, F, 1));
+ print "---------------------";
+ print_string_vector(split_string_n(a, pat, T, 1));
+ print "---------------------";
+ print str_split(a, idx);
+ print "---------------------";
+ a = "X-Mailer: Testing Test (http://www.example.com)";
+ pat = /:[[:blank:]]*/;
+ print_string_vector(split_string1(a, pat));
+ print "---------------------";
+ a = "A = B = C = D";
+ pat = /=/;
+ print_string_vector(split_string_all(a, pat));
+ }
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest
index 3b93ee757c..5e86c8d685 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest
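Review bot: The new split_string.bro test feeds every split_string* function the same well-formed mid-string inputs, so the cases where the vector-returning replacements are most likely to differ from the deprecated table-returning split* family are not pinned: an empty input string, a pattern that never matches, a match at the very start or end of the string, and adjacent matches that yield empty elements. Adding a few prints after the existing ones, e.g. `print_string_vector(split_string("", pat));` and `print_string_vector(split_string_all("=A==B=", /=/));`, would fix the element count and the placement of empty elements in the baseline, which callers that index by position (as the MHR script does with `MHR_answer[0]` and `MHR_answer[1]`) depend on. `str_split(a, idx)` is the one call printed directly rather than through `print_string_vector`, presumably because its return type differs; a one-line comment saying so would spare the next reader a lookup.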
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest @@ -2,10 +2,10 @@ file_analysis_02.bro -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { print "new file", f$id; - if ( f?$mime_type && f$mime_type == "text/plain" ) + if ( mime_type == "text/plain" ) Files::add_analyzer(f, Files::ANALYZER_MD5); } diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest index acae92f44b..b193e4a530 100644 --- a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest @@ -11,18 +11,15 @@ global mime_to_ext: table[string] of string = { ["text/html"] = "html", }; -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { if ( f$source != "HTTP" ) return; - if ( ! f?$mime_type ) + if ( mime_type !in mime_to_ext ) return; - if ( f$mime_type !in mime_to_ext ) - return; - - local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]); + local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]); print fmt("Extracting file %s", fname); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } + } \ No newline at end of file diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest index bcf6ccd309..03ba9cb3cd 100644 --- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest +++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest 
@@ -46,15 +46,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 when ( local MHR_result = lookup_hostname_txt(hash_domain) )
 {
 # Data is returned as " "
- local MHR_answer = split1(MHR_result, / /);
+ local MHR_answer = split_string1(MHR_result, / /);
 if ( |MHR_answer| == 2 )
 {
- local mhr_detect_rate = to_count(MHR_answer[2]);
+ local mhr_detect_rate = to_count(MHR_answer[1]);
 if ( mhr_detect_rate >= notice_threshold )
 {
- local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
+ local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
 local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
 local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
 local virustotal_url = fmt(match_sub_url, hash);
@@ -70,6 +70,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 event file_hash(f: fa_file, kind: string, hash: string)
 {
- if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+ if ( kind == "sha1" && f?$info && f$info?$mime_type &&
+ match_file_types in f$info$mime_type )
 do_mhr_lookup(hash, Notice::create_file_info(f));
 }
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
index be9619fa1c..55950caf6b 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
@@ -9,15 +9,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 when ( local MHR_result = lookup_hostname_txt(hash_domain) )
 {
 # Data is returned as " "
- local MHR_answer = split1(MHR_result, / /);
+ local MHR_answer = split_string1(MHR_result, / /);
 if ( |MHR_answer| == 2 )
 {
- local mhr_detect_rate = to_count(MHR_answer[2]);
+ local mhr_detect_rate = to_count(MHR_answer[1]);
 if ( mhr_detect_rate >= notice_threshold )
 {
- local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
+ local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
 local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
 local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
 local virustotal_url = fmt(match_sub_url, hash);
@@ -33,6 +33,6 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 event file_hash(f: fa_file, kind: string, hash: string)
 {
- if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+ if ( kind == "sha1" && f?$info && f$info?$mime_type &&
+ match_file_types in f$info$mime_type )
 do_mhr_lookup(hash, Notice::create_file_info(f));
- }
diff --git a/testing/btest/language/deprecated.bro b/testing/btest/language/deprecated.bro
new file mode 100644
index 0000000000..ec9c3c9e1e
--- /dev/null
+++ b/testing/btest/language/deprecated.bro
@@ -0,0 +1,80 @@
+# @TEST-EXEC: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+type blah: string &deprecated;
+
+global my_event: event(arg: string) &deprecated;
+
+global my_hook: hook(arg: string) &deprecated;
+
+type my_record: record {
+ a: count &default = 1;
+ b: string &optional &deprecated;
+};
+
+type my_enum: enum {
+ RED,
+ GREEN &deprecated,
+ BLUE &deprecated
+};
+
+type my_other_enum: enum {
+ ZERO = 0,
+ ONE = 1 &deprecated,
+ TWO = 2 &deprecated
+};
+
+event bro_init()
+ {
+ print ZERO;
+ print ONE;
+ print TWO;
+ print RED;
+ print GREEN;
+ print BLUE;
+
+ local l: blah = "testing";
+
+ local ls: string = " test";
+
+ event my_event("generate my_event please");
+ schedule 1sec { my_event("schedule my_event please") };
+ hook my_hook("generate my_hook please");
+
+ local mr = my_record($a = 3, $b = "yeah");
+ mr = [$a = 4, $b = "ye"];
+ mr = record($a = 5, $b = "y");
+
+ if ( ! mr?$b )
+ mr$b = "nooooooo";
+
+ mr$a = 2;
+ mr$b = "noooo";
+ }
+
+event my_event(arg: string)
+ {
+ print arg;
+ }
+
+hook my_hook(arg: string)
+ {
+ print arg;
+ }
+
+function hmm(b: blah)
+ {
+ print b;
+ }
+
+global dont_use_me: function() &deprecated;
+
+function dont_use_me()
+ {
+ dont_use_me();
+ }
+
+function dont_use_me_either() &deprecated
+ {
+ dont_use_me_either();
+ }
diff --git a/testing/btest/scripts/base/files/extract/limit.bro b/testing/btest/scripts/base/files/extract/limit.bro
index 3a2271e361..1ac5f20b6d 100644
--- a/testing/btest/scripts/base/files/extract/limit.bro
+++ b/testing/btest/scripts/base/files/extract/limit.bro
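Review bot: The bodies of `dont_use_me` and `dont_use_me_either` recurse unconditionally, which reads as a bug to anyone who does not know that this test only checks the parse-time warnings for &deprecated identifiers and never invokes these functions; a comment above them such as `# Never called: the self-call exists only so the parser sees a use of a &deprecated identifier.` would make the intent explicit. The same applies to `hmm` and to the locals `l` and `ls`, which presumably exist only to trigger (and, for `ls`, to contrast) the deprecated-type warning. Since the test's value lies entirely in the warning text captured through `2>&1`, the header could also say in one line what kinds of identifiers it covers (type, event, hook, record field, enum value, function) so a future addition to the attribute's coverage is easy to slot in.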
@@ -24,9 +24,9 @@ event file_new(f: fa_file)
 [$extract_filename=efname, $extract_limit=max_extract]);
 }
-event file_extraction_limit(f: fa_file, args: any, limit: count, offset: count, len: count)
+event file_extraction_limit(f: fa_file, args: any, limit: count, len: count)
 {
- print outfile, "file_extraction_limit", limit, offset, len;
+ print outfile, "file_extraction_limit", limit, len;
 if ( double_it && ! doubled )
 {
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro b/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro
new file mode 100644
index 0000000000..0f7e23ddcf
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro
@@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT
+# @TEST-EXEC: btest-diff files.log
+
+@load frameworks/files/hash-all-files
+
+redef default_file_bof_buffer_size=5000;
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro
new file mode 100644
index 0000000000..a5f1f895cc
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro
@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro
new file mode 100644
index 0000000000..073e758df4
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro
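Review bot: big-bof-buffer.bro sets `redef default_file_bof_buffer_size=5000;` with no comment on what it guards, so the regression it pins — presumably that a file whose total size is below the BOF buffer size must still be delivered to stream analyzers, here the hash-all-files hashes that land in files.log — cannot be recovered from the file itself. A comment such as `# Regression: files smaller than the BOF buffer must still reach stream analyzers; 5000 is meant to exceed the size of every file in get.trace.` would document both the purpose and the constraint on the constant. Whether 5000 really exceeds every file in get.trace is not visible in the diff and should be confirmed when the baseline is generated, since otherwise the test passes without exercising the small-file path.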
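Review bot: The @TEST-EXEC recipe in dnp3_udp_en_spon.bro is repeated verbatim in dnp3_udp_read.bro, dnp3_udp_select_operate.bro and dnp3_udp_write.bro (and matches the header already in events.bro), differing only in the trace name, so any change to how coverage is computed has to be made in five places; a one-line note in each file saying the recipe is mirrored from events.bro would at least tell the next editor where the copies are. Within the recipe, `cat output | awk '{print $1}' | sort | uniq | wc -l >covered` can be written as `awk '{print $1}' output | sort -u | wc -l >covered`. The `covered` number counts distinct first words of every line in `output`, so any non-event line that reaches stdout would inflate it; that appears to be accepted by the existing events.bro test, but it is worth knowing when the coverage baseline moves unexpectedly.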
@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro
new file mode 100644
index 0000000000..c8708b10cd
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro
@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro
new file mode 100644
index 0000000000..d832d937a7
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro
@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.bro >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff dnp3.log
+#
diff --git a/testing/btest/scripts/base/protocols/dnp3/events.bro b/testing/btest/scripts/base/protocols/dnp3/events.bro
index 9c968bdaac..fac00b5012 100644
--- a/testing/btest/scripts/base/protocols/dnp3/events.bro
+++ b/testing/btest/scripts/base/protocols/dnp3/events.bro
@@ -7,14 +7,14 @@
 # @TEST-EXEC: btest-diff coverage
 # @TEST-EXEC: btest-diff dnp3.log
 #
-event dnp3_application_request_header(c: connection, is_orig: bool, fc: count)
+event dnp3_application_request_header(c: connection, is_orig: bool, application_control: count, fc: count)
 {
- print "dnp3_application_request_header", is_orig, fc;
+ print "dnp3_application_request_header", is_orig, application_control, fc;
 }
-event dnp3_application_response_header(c: connection, is_orig: bool, fc: count, iin: count)
+event dnp3_application_response_header(c: connection, is_orig: bool, application_control: count, fc: count, iin: count)
 {
- print "dnp3_application_response_header", is_orig, fc, iin;
+ print "dnp3_application_response_header", is_orig, application_control, fc, iin;
 }
 event dnp3_object_header(c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)
diff --git a/testing/btest/scripts/base/utils/addrs.test b/testing/btest/scripts/base/utils/addrs.test
index 08bce5f35f..224fd9dc62 100644
--- a/testing/btest/scripts/base/utils/addrs.test
+++ b/testing/btest/scripts/base/utils/addrs.test
@@ -1,8 +1,7 @@
-# @TEST-EXEC: bro %INPUT > output
+# @TEST-EXEC: bro -b %INPUT > output
 # @TEST-EXEC: btest-diff output
-# This is loaded by default
-#@load base/utils/addrs
+@load base/utils/addrs
 event bro_init()
 {
@@ -98,8 +97,8 @@ event bro_init()
 ip = "2001:db8:0:0:0:FFFF:192.168.0.256";
 print is_valid_ip(ip);
- print "============ test find_ip_addresses()";
- print find_ip_addresses("this is 1.1.1.1 a test 2.2.2.2 string with ip addresses 3.3.3.3");
- print find_ip_addresses("this is 1.1.1.1 a test 0:0:0:0:0:0:0:0 string with ip addresses 3.3.3.3");
+ print "============ test extract_ip_addresses()";
+ print extract_ip_addresses("this is 1.1.1.1 a test 2.2.2.2 string with ip addresses 3.3.3.3");
+ print extract_ip_addresses("this is 1.1.1.1 a test 0:0:0:0:0:0:0:0 string with ip addresses 3.3.3.3");
 }
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
index e7e3c3ff8e..3f88638ee3 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -1,10 +1,10 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
-# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl.log
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-twimg.log
-# @TEST-EXEC: btest-diff ssl-twimg.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-twimg.log
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-digicert.log
-# @TEST-EXEC: btest-diff ssl-digicert.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-digicert.log
 @load protocols/ssl/validate-ocsp
diff --git a/testing/scripts/diff-remove-x509-names b/testing/scripts/diff-remove-x509-names
index 4863efc990..4534cb7d87 100755
--- a/testing/scripts/diff-remove-x509-names
+++ b/testing/scripts/diff-remove-x509-names
@@ -3,19 +3,25 @@
 # A diff canonifier that removes all X.509 Distinguished Name subject fields
 # because that output can differ depending on installed OpenSSL version.
-BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1; cs_col = -1; ci_col = -1 }
+BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1; is_col = -1; cs_col = -1; ci_col = -1; cert_subj_col = -1; cert_issuer_col = -1 }
 /^#fields/ {
 for ( i = 2; i < NF; ++i ) {
 if ( $i == "subject" )
 s_col = i-1;
- if ( $i == "issuer_subject" )
+ if ( $i == "issuer" )
 i_col = i-1;
+ if ( $i == "issuer_subject" )
+ is_col = i-1;
 if ( $i == "client_subject" )
 cs_col = i-1;
- if ( $i == "client_issuer_subject" )
+ if ( $i == "client_issuer" )
 ci_col = i-1;
+ if ( $i == "certificate.subject" )
+ cert_subj_col = i-1;
+ if ( $i == "certificate.issuer" )
+ cert_issuer_col = i-1;
 }
 }
@@ -31,6 +37,12 @@ i_col >= 0 {
 $i_col = "+";
 }
+is_col >= 0 {
+ if ( $is_col != "-" )
+ # Mark that it's set, but ignore content.
+ $is_col = "+";
+}
+
 cs_col >= 0 {
 if ( $cs_col != "-" )
 # Mark that it's set, but ignore content.
@@ -43,6 +55,18 @@ ci_col >= 0 {
 $ci_col = "+";
 }
+cert_subj_col >= 0 {
+ if ( $cert_subj_col != "-" )
+ # Mark that it's set, but ignore content.
+ $cert_subj_col = "+";
+}
+
+cert_issuer_col >= 0 {
+ if ( $cert_issuer_col != "-" )
+ # Mark that it's set, but ignore content.
+ $cert_issuer_col = "+";
+}
+
 {
 print;
 }
diff --git a/testing/scripts/file-analysis-test.bro b/testing/scripts/file-analysis-test.bro
index 957218b48f..aa7d158b55 100644
--- a/testing/scripts/file-analysis-test.bro
+++ b/testing/scripts/file-analysis-test.bro
@@ -56,18 +56,6 @@ event file_new(f: fa_file)
 [$chunk_event=file_chunk, $stream_event=file_stream]);
 }
-
- if ( f?$bof_buffer )
- {
- print "FILE_BOF_BUFFER";
- print f$bof_buffer[0:11];
- }
-
- if ( f?$mime_type )
- {
- print "MIME_TYPE";
- print f$mime_type;
- }
 }
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
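Review bot: The new column lookups are added inside the context loop `for ( i = 2; i < NF; ++i )`, whose bound never examines `$NF`, so whichever name is last on a log's `#fields` line can never be matched and that column would be left uncanonified; `for ( i = 2; i <= NF; ++i )` visits every column. None of the seven names looks like it is the final column of ssl.log or x509.log as they stand, but the canonifier depends on log layouts that do change, and the first time one of these fields becomes last the diff will fail on every OpenSSL version difference the script exists to hide. As a point of style, the seven near-identical `*_col >= 0 { ... }` rules (the three added in the later hunks of this file included) could be collapsed into a single rule that loops over an array of matched column indices, which would make the next field a one-line addition and remove the copy-pasted `# Mark that it's set, but ignore content.` comment.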
@@ -93,6 +81,18 @@ event file_state_remove(f: fa_file)
 for ( cid in f$conns )
 print cid;
+ if ( f?$bof_buffer )
+ {
+ print "FILE_BOF_BUFFER";
+ print f$bof_buffer[0:11];
+ }
+
+ if ( f$info?$mime_type )
+ {
+ print "MIME_TYPE";
+ print f$info$mime_type;
+ }
+
 if ( f?$total_bytes )
 print "total bytes: " + fmt("%s", f$total_bytes);
 if ( f?$source )
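Review bot: `if ( f$info?$mime_type )` dereferences `f$info` without first testing `f?$info`, whereas the detect-MHR includes changed in this same commit guard the identical access with `f?$info && f$info?$mime_type`; if `info` is an optional field of fa_file that can still be absent when file_state_remove runs, this line turns a missing field into a runtime error inside the shared test harness rather than a missing "MIME_TYPE" line in the baseline, and `if ( f?$info && f$info?$mime_type )` costs nothing. The enclosing `file_state_remove` handler starts before this hunk. The `f$bof_buffer[0:11]` slice, moved here from the file_new handler, also carries no explanation of the 11-byte cut; `# Print only a prefix: enough to recognise the content without dumping the whole buffer.` would document the magic number.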