From 0b78f444a111fa8de2b913c81caa962a400f3929 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 20 Dec 2013 00:05:08 -0500 Subject: [PATCH 01/48] Initial commit of file reassembly. --- scripts/base/init-bare.bro | 2 +- src/Frag.cc | 2 +- src/Reassem.cc | 2 +- src/Reassem.h | 3 +- src/analyzer/protocol/tcp/TCP_Reassembler.cc | 2 +- src/file_analysis/CMakeLists.txt | 1 + src/file_analysis/File.cc | 85 ++++++++++++++++--- src/file_analysis/File.h | 5 ++ src/file_analysis/FileReassembler.cc | 58 +++++++++++++ src/file_analysis/FileReassembler.h | 45 ++++++++++ .../a.out | 3 + 11 files changed, 189 insertions(+), 19 deletions(-) create mode 100644 src/file_analysis/FileReassembler.cc create mode 100644 src/file_analysis/FileReassembler.h diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 9f8c9f42ac..c58559bd9a 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -356,7 +356,7 @@ type fa_file: record { missing_bytes: count &default=0; ## The number of not all-in-sequence bytes in the file stream that - ## were delivered to file analyzers due to reassembly buffer overflow. + ## were not delivered to file analyzers due to reassembly buffer overflow. overflow_bytes: count &default=0; ## The amount of time between receiving new data for this file that diff --git a/src/Frag.cc b/src/Frag.cc index b1efb41594..4669471227 100644 --- a/src/Frag.cc +++ b/src/Frag.cc @@ -28,7 +28,7 @@ void FragTimer::Dispatch(double t, int /* is_expire */) FragReassembler::FragReassembler(NetSessions* arg_s, const IP_Hdr* ip, const u_char* pkt, HashKey* k, double t) - : Reassembler(0, REASSEM_IP) + : Reassembler(0) { s = arg_s; key = k; diff --git a/src/Reassem.cc b/src/Reassem.cc index 19beaa0a16..e2664b59b9 100644 --- a/src/Reassem.cc +++ b/src/Reassem.cc 
@@ -40,7 +40,7 @@ DataBlock::DataBlock(const u_char* data, int size, int arg_seq, unsigned int Reassembler::total_size = 0; -Reassembler::Reassembler(int init_seq, ReassemblerType arg_type) +Reassembler::Reassembler(int init_seq) { blocks = last_block = 0; trim_seq = last_reassem_seq = init_seq; diff --git a/src/Reassem.h b/src/Reassem.h index 1f65059e02..d9dd7d72e5 100644 --- a/src/Reassem.h +++ b/src/Reassem.h @@ -22,11 +22,10 @@ public: }; -enum ReassemblerType { REASSEM_IP, REASSEM_TCP }; class Reassembler : public BroObj { public: - Reassembler(int init_seq, ReassemblerType arg_type); + Reassembler(int init_seq); virtual ~Reassembler(); void NewBlock(double t, int seq, int len, const u_char* data); diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index a1e20dc0e6..06c9c06e6c 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -33,7 +33,7 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, TCP_Reassembler::Type arg_type, bool arg_is_orig, TCP_Endpoint* arg_endp) - : Reassembler(1, REASSEM_TCP) + : Reassembler(1) { dst_analyzer = arg_dst_analyzer; tcp_analyzer = arg_tcp_analyzer; diff --git a/src/file_analysis/CMakeLists.txt b/src/file_analysis/CMakeLists.txt index 846fc4bf15..34dc8d5387 100644 --- a/src/file_analysis/CMakeLists.txt +++ b/src/file_analysis/CMakeLists.txt @@ -11,6 +11,7 @@ set(file_analysis_SRCS Manager.cc File.cc FileTimer.cc + FileReassembler.cc Analyzer.cc AnalyzerSet.cc Component.cc diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 55b28763c8..d53c45fe06 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -3,6 +3,7 @@ #include #include "File.h" +#include "FileReassembler.h" #include "FileTimer.h" #include "Analyzer.h" #include "Manager.h" 
@@ -87,6 +88,8 @@ File::File(const string& file_id, Connection* conn, analyzer::Tag tag, val = new RecordVal(fa_file_type); val->Assign(id_idx, new StringVal(file_id.c_str())); + forwarded_offset = 0; + file_reassembler = 0; if ( conn ) { // add source, connection, is_orig fields @@ -109,6 +112,9 @@ File::~File() delete_vals(fonc_queue.front().second); fonc_queue.pop(); } + + if ( file_reassembler ) + delete file_reassembler; } void File::UpdateLastActivityTime() 
@@ -325,32 +331,85 @@ void File::DataIn(const u_char* data, uint64 len, uint64 offset) { analyzers.DrainModifications(); + if ( file_reassembler ) + { + // If there is a file reassembler we must forward any data there. + // But this only happens if the incoming data doesn't happen + // to align with the current forwarded_offset + file_reassembler->NewBlock(network_time, offset, len, data); + + if ( !file_reassembler->HasBlocks() ) + { + delete file_reassembler; + file_reassembler = 0; + } + } + else if ( forwarded_offset == offset ) + { + // This is the normal case where a file is transferred linearly. + // Nothing should be done here. + } + else if ( forwarded_offset > offset && forwarded_offset < offset+len ) + { + // This is a segment that begins before the forwarded_offset + // but proceeds past the forwarded_offset. It needs + // trimmed but the reassembler is not enabled. + uint64 adjustment = forwarded_offset - offset; + data = data + adjustment; + len = len - adjustment; + offset = forwarded_offset; + IncrementByteCount(adjustment, overflow_bytes_idx); + } + else if ( forwarded_offset < offset ) + { + // This is data past a gap and the reassembler needs to be enabled. + file_reassembler = new FileReassembler(this, forwarded_offset); + file_reassembler->NewBlock(network_time, offset, len, data); + return; + } + else + { + // This is data that was already seen so it can be completely ignored. + IncrementByteCount(len, overflow_bytes_idx); + return; + } + if ( first_chunk ) { - // TODO: this should all really be delayed until we attempt reassembly + // TODO: this should all really be delayed until we attempt reassembly. DetectMIME(data, len); FileEvent(file_new); first_chunk = false; } - file_analysis::Analyzer* a = 0; - IterCookie* c = analyzers.InitForIteration(); - - while ( (a = analyzers.NextEntry(c)) ) + if ( IsComplete() ) { - if ( ! 
a->DeliverChunk(data, len, offset) ) - analyzers.QueueRemove(a->Tag(), a->Args()); + EndOfFile(); } + else + { + file_analysis::Analyzer* a = 0; + IterCookie* c = analyzers.InitForIteration(); - analyzers.DrainModifications(); + while ( (a = analyzers.NextEntry(c)) ) + { + //if ( ! a->DeliverChunk(data, len, offset) ) + // { + // analyzers.QueueRemove(a->Tag(), a->Args()); + // } - // TODO: check reassembly requirement based on buffer size in record - if ( need_reassembly ) - reporter->InternalError("file_analyzer::File TODO: reassembly not yet supported"); + if ( ! a->DeliverStream(data, len) ) + { + analyzers.QueueRemove(a->Tag(), a->Args()); + } - // TODO: reassembly overflow stuff, increment overflow count, eval trigger + } - IncrementByteCount(len, seen_bytes_idx); + analyzers.DrainModifications(); + + forwarded_offset += len; + IncrementByteCount(len, seen_bytes_idx); + } } void File::DataIn(const u_char* data, uint64 len) diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 6354c1c7e9..3422982303 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -8,6 +8,7 @@ #include #include +#include "FileReassembler.h" #include "Conn.h" #include "Val.h" #include "Tag.h" @@ -16,6 +17,8 @@ namespace file_analysis { +class FileReassembler; + /** * Wrapper class around \c fa_file record values from script layer. */ @@ -248,6 +251,8 @@ protected: private: string id; /**< A pretty hash that likely identifies file */ RecordVal* val; /**< \c fa_file from script layer. */ + uint64 forwarded_offset; /**< The offset of the file which has been forwarded. */ + FileReassembler *file_reassembler; /**< A reassembler for the file if it's needed. */ bool postpone_timeout; /**< Whether postponing timeout is requested. */ bool first_chunk; /**< Track first non-linear chunk. */ bool missed_bof; /**< Flags that we missed start of file. */ 
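Review bot: The `if ( file_reassembler )` branch of `File::DataIn` has no `return`, so a chunk that was just handed to `NewBlock()` also falls through to `DetectMIME`/`DeliverStream` and advances `forwarded_offset` by `len`, whatever its `offset` was. Out-of-order data therefore reaches the stream analyzers in arrival order, and is delivered a second time once `FileReassembler::BlockInserted` calls back into `DataIn` with the reassembled block. That callback re-enters this same branch while the outer `NewBlock()` is presumably still on the stack, so the `delete file_reassembler` here could free the object that is still executing; this needs confirming against `Reassembler::NewBlock`, which is not part of the patch. I would add `return;` after the `HasBlocks()` check and have the reassembler deliver through a path that does not run the offset checks again.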
diff --git a/src/file_analysis/FileReassembler.cc b/src/file_analysis/FileReassembler.cc new file mode 100644 index 0000000000..8440fdca83 --- /dev/null +++ b/src/file_analysis/FileReassembler.cc @@ -0,0 +1,58 @@ + +#include "FileReassembler.h" +#include "File.h" + + +namespace file_analysis { + +class File; + +FileReassembler::FileReassembler(File *f, int starting_offset) + : Reassembler(starting_offset), the_file(f) + { + } + +FileReassembler::~FileReassembler() + { + } + +void FileReassembler::BlockInserted(DataBlock* start_block) + { + if ( seq_delta(start_block->seq, last_reassem_seq) > 0 || + seq_delta(start_block->upper, last_reassem_seq) <= 0 ) + return; + + + // We've filled a leading hole. Deliver as much as possible. + // Note that the new block may include both some old stuff + // and some new stuff. AddAndCheck() will have split the + // new stuff off into its own block(s), but in the following + // loop we have to take care not to deliver already-delivered + // data. + for ( DataBlock* b = start_block; + b && seq_delta(b->seq, last_reassem_seq) <= 0; b = b->next ) + { + if ( b->seq == last_reassem_seq ) + { // New stuff. + int len = b->Size(); + int seq = last_reassem_seq; + last_reassem_seq += len; + the_file->DataIn(b->block, len, seq); + } + } + + //CheckEOF(); + } + +void FileReassembler::Undelivered(int up_to_seq) + { + //reporter->Warning("should probably do something here (file reassembler undelivered)\n"); + } + +void FileReassembler::Overlap(const u_char* b1, const u_char* b2, int n) + { + //reporter->Warning("should probably do something here (file reassembler overlap)\n"); + } + + +} // end file_analysis diff --git a/src/file_analysis/FileReassembler.h b/src/file_analysis/FileReassembler.h new file mode 100644 index 0000000000..7f73ec6fa4 --- /dev/null +++ b/src/file_analysis/FileReassembler.h 
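Review bot: `FileReassembler(File *f, int starting_offset)` and the `int len` / `int seq` locals in `BlockInserted` narrow values that `File` tracks as `uint64`, and `File::DataIn` passes its `uint64 offset` and `len` straight into `NewBlock(double t, int seq, int len, ...)`. These offsets are derived from traffic (the partial-content baseline in this patch is one such source), so an offset above `INT_MAX` becomes a negative or wrapped sequence number and the `seq_delta` comparisons in this loop no longer order blocks the way the code assumes. Until `Reassembler` carries 64-bit sequence numbers, `File::DataIn` should refuse to hand such a chunk to the reassembler, for example `if ( offset > INT_MAX || len > INT_MAX - offset ) { IncrementByteCount(len, overflow_bytes_idx); return; }` placed before the `NewBlock()` calls.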
@@ -0,0 +1,45 @@ +#ifndef FILE_ANALYSIS_FILEREASSEMBLER_H +#define FILE_ANALYSIS_FILEREASSEMBLER_H + +#include "Reassem.h" +#include "File.h" + +class BroFile; +class Connection; + +namespace file_analysis { + +class File; + +//const int STOP_ON_GAP = 1; +//const int PUNT_ON_PARTIAL = 1; + +class FileReassembler : public Reassembler { +public: + + FileReassembler(File* f, int starting_offset); + virtual ~FileReassembler(); + + void Done(); + + // Checks if we have delivered all contents that we can possibly + // deliver for this endpoint. Calls TCP_Analyzer::EndpointEOF() + // when so. + //void CheckEOF(); + +private: + //DECLARE_SERIAL(FileReassembler); + + void Undelivered(int up_to_seq); + void BlockInserted(DataBlock* b); + void Overlap(const u_char* b1, const u_char* b2, int n); + + unsigned int had_gap:1; + unsigned int did_EOF:1; + unsigned int skip_deliveries:1; + File* the_file; +}; + +} // namespace analyzer::* + +#endif diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out index 077fb5282c..0eace71c67 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out @@ -10,3 +10,6 @@ file #0, 555523, 0 [orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp] total bytes: 555523 source: HTTP +MD5: 5a484ada9c816c0e8b6d2d3978e3f503 +SHA1: 54e7d39e99eb9d40d6251c0361a1090a0d278571 +SHA256: 61c0718bd534ab55716eba161e91bb49155562ddc7c08f0c20f6359d7b808b66 From 38dbba762275e7ce2281445b56344eb6c82d49e1 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Sun, 5 Jan 2014 04:58:01 -0500 Subject: [PATCH 02/48] More file reassembly work. - The reassembly behavior can be modified per-file by enabling or disabling the reassembler and/or modifying the size of the reassembly buffer. - Changed the file extraction analyzer to use the stream to avoid issues with the chunk based approach not immediately triggering the file_new event due to mime-type detection delay. Early chunks frequently ended up lost before. - Generally things are working now and I'd consider this in testing. --- scripts/base/frameworks/files/main.bro | 60 +++++- scripts/base/init-bare.bro | 5 +- src/SerialTypes.h | 1 + src/event.bif | 19 ++ src/file_analysis/File.cc | 195 +++++++++--------- src/file_analysis/File.h | 39 +++- src/file_analysis/FileReassembler.cc | 28 +-- src/file_analysis/FileReassembler.h | 12 +- src/file_analysis/Manager.cc | 33 +++ src/file_analysis/Manager.h | 15 ++ src/file_analysis/analyzer/extract/Extract.cc | 27 ++- src/file_analysis/analyzer/extract/Extract.h | 3 +- src/file_analysis/analyzer/extract/events.bif | 4 +- src/file_analysis/file_analysis.bif | 21 ++ .../out | 1 + .../bro..stdout | 12 +- .../out | 8 + .../a.out | 2 + .../b.out | 12 +- .../c.out | 9 +- .../out | 8 + .../out | 16 ++ .../files.log | 4 +- 23 files changed, 375 insertions(+), 159 deletions(-) diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro index cf2c11be45..14e1228fc4 100644 --- a/scripts/base/frameworks/files/main.bro +++ b/scripts/base/frameworks/files/main.bro 
@@ -99,8 +99,9 @@ export { ## during the process of analysis e.g. due to dropped packets. missing_bytes: count &log &default=0; - ## The number of not all-in-sequence bytes in the file stream that - ## were delivered to file analyzers due to reassembly buffer overflow. + ## The number of bytes in the file stream that were not delivered to + ## stream file analyzers. This could be overlapping bytes or + ## bytes that couldn't be reassembled. overflow_bytes: count &log &default=0; ## Whether the file analysis timed out at least once for the file. @@ -123,6 +124,33 @@ export { ## generate two handles that would hash to the same file id. const salt = "I recommend changing this." &redef; + ## The default setting for if the file reassembler is enabled for + ## each file. + const enable_reassembler = T &redef; + + ## The default allow per-file reassembly buffer size. + const reassembly_buffer_size = 1048576 &redef; + + ## Allows the file reassembler to be used if it's necessary because the + ## file is transferred out of order. + ## + ## f: the file. + global enable_reassembly: function(f: fa_file); + + ## Disables the file reassembler on this file. If the file is not + ## transferred out of order this will have no effect. + ## + ## f: the file. + global disable_reassembly: function(f: fa_file); + + ## Set the maximum size the reassembly buffer is allowed to grow + ## for the given file. + ## + ## f: the file. + ## + ## max: Maximum allowed size of the reassembly buffer. + global set_reassembly_buffer_size: function(f: fa_file, max: count); + ## Sets the *timeout_interval* field of :bro:see:`fa_file`, which is ## used to determine the length of inactivity that is allowed for a file ## before internal state related to it is cleaned up. When used within 
@@ -273,6 +301,21 @@ function set_timeout_interval(f: fa_file, t: interval): bool return __set_timeout_interval(f$id, t); } +function enable_reassembly(f: fa_file) + { + __enable_reassembly(f$id); + } + +function disable_reassembly(f: fa_file) + { + __disable_reassembly(f$id); + } + +function set_reassembly_buffer_size(f: fa_file, max: count) + { + __set_reassembly_buffer(f$id, max); + } + function add_analyzer(f: fa_file, tag: Files::Tag, args: AnalyzerArgs): bool { add f$info$analyzers[Files::analyzer_name(tag)]; @@ -311,11 +354,24 @@ function analyzer_name(tag: Files::Tag): string event file_new(f: fa_file) &priority=10 { set_info(f); + + if ( enable_reassembler ) + { + Files::enable_reassembly(f); + Files::set_reassembly_buffer_size(f, reassembly_buffer_size); + } } event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=10 { set_info(f); + + if ( enable_reassembler ) + { + Files::enable_reassembly(f); + Files::set_reassembly_buffer_size(f, reassembly_buffer_size); + } + add f$info$conn_uids[c$uid]; local cid = c$id; add f$info$tx_hosts[f$is_orig ? cid$orig_h : cid$resp_h]; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index c58559bd9a..5c60ec6690 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -355,8 +355,9 @@ type fa_file: record { ## during the process of analysis e.g. due to dropped packets. missing_bytes: count &default=0; - ## The number of not all-in-sequence bytes in the file stream that - ## were not delivered to file analyzers due to reassembly buffer overflow. + ## The number of bytes in the file stream that were not delivered to + ## stream file analyzers. This could be overlapping bytes or + ## bytes that couldn't be reassembled. overflow_bytes: count &default=0; ## The amount of time between receiving new data for this file that diff --git a/src/SerialTypes.h b/src/SerialTypes.h index 69927afb74..7f79328083 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h 
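Review bot: The `file_over_new_connection` handler calls `Files::enable_reassembly(f)` and `Files::set_reassembly_buffer_size(f, reassembly_buffer_size)` again every time an existing file shows up on another connection, which overwrites whatever a site script chose for that file after `file_new`. A script that called `Files::disable_reassembly(f)` or lowered the buffer to bound memory has that decision undone. Applying the defaults only in `file_new` would keep per-file overrides intact. The three new wrapper functions in the previous hunk also return nothing, unlike `set_timeout_interval`, which returns `bool`; if the underlying BIFs pass through the `Manager` result, returning it would let callers notice an unknown file id.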
@@ -87,6 +87,7 @@ SERIAL_TCP_CONTENTS(TCP_NVT, 3) #define SERIAL_REASSEMBLER(name, val) SERIAL_CONST(name, val, REASSEMBLER) SERIAL_REASSEMBLER(REASSEMBLER, 1) SERIAL_REASSEMBLER(TCP_REASSEMBLER, 2) +SERIAL_REASSEMBLER(FILE_REASSEMBLER, 3) #define SERIAL_VAL(name, val) SERIAL_CONST(name, val, VAL) SERIAL_VAL(VAL, 1) diff --git a/src/event.bif b/src/event.bif index 4237bebc7b..25df2d823f 100644 --- a/src/event.bif +++ b/src/event.bif @@ -935,8 +935,27 @@ event file_timeout%(f: fa_file%); ## len: The number of missing bytes. ## ## .. bro:see:: file_new file_over_new_connection file_timeout file_state_remove +## file_reassembly_buffer_overflow event file_gap%(f: fa_file, offset: count, len: count%); +## Indicates that the file had an overflow of the reassembly buffer. +## This is a specialization of the :bro:id:`file_gap` event. +## +## f: The file. +## +## offset: The byte offset from the start of the file at which the reassembly +## couldn't continue due to running out of reassembly buffer space. +## +## skipped: The number of bytes of the file skipped over to flush some +## file data and get back under the reassembly buffer size limit. +## This value will also be represented as a gap. +## +## .. bro:see:: file_new file_over_new_connection file_timeout file_state_remove +## file_gap Files::enable_reassembler Files::reassembly_buffer_size +## Files::enable_reassembly Files::disable_reassembly +## Files::set_reassembly_buffer_size +event file_reassembly_buffer_overflow%(f: fa_file, offset: count, skipped: count%); + ## This event is generated each time file analysis is ending for a given file. ## ## f: The file. diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index d53c45fe06..269a78e396 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -3,7 +3,6 @@ #include #include "File.h" -#include "FileReassembler.h" #include "FileTimer.h" #include "Analyzer.h" #include "Manager.h" 
@@ -77,8 +76,8 @@ void File::StaticInit() File::File(const string& file_id, Connection* conn, analyzer::Tag tag, bool is_orig) - : id(file_id), val(0), postpone_timeout(false), first_chunk(true), - missed_bof(false), need_reassembly(false), done(false), + : id(file_id), val(0), stream_offset(0), reassembly_max_buffer(0), + reassembly_enabled(false), postpone_timeout(false), done(false), did_file_new_event(false), analyzers(this) { StaticInit(); @@ -88,7 +87,6 @@ File::File(const string& file_id, Connection* conn, analyzer::Tag tag, val = new RecordVal(fa_file_type); val->Assign(id_idx, new StringVal(file_id.c_str())); - forwarded_offset = 0; file_reassembler = 0; if ( conn ) { @@ -244,7 +242,7 @@ bool File::IsComplete() const if ( ! total ) return false; - if ( LookupFieldDefaultCount(seen_bytes_idx) >= total->AsCount() ) + if ( stream_offset >= total->AsCount() ) return true; return false; @@ -302,6 +300,26 @@ bool File::DetectMIME(const u_char* data, uint64 len) return mime; } +void File::EnableReassembly() + { + reassembly_enabled = true; + } + +void File::DisableReassembly() + { + reassembly_enabled = false; + if ( file_reassembler ) + { + delete file_reassembler; + file_reassembler = NULL; + } + } + +void File::SetReassemblyBuffer(uint64 max) + { + reassembly_max_buffer = max; + } + void File::ReplayBOF() { if ( bof_buffer.replayed ) 
@@ -311,141 +329,122 @@ void File::ReplayBOF() if ( bof_buffer.chunks.empty() ) { - // Since we missed the beginning, try file type detect on next data in. - missed_bof = true; + // We definitely can't do anything if we don't have any chunks. return; } BroString* bs = concatenate(bof_buffer.chunks); val->Assign(bof_buffer_idx, new StringVal(bs)); - DetectMIME(bs->Bytes(), bs->Len()); - - FileEvent(file_new); - for ( size_t i = 0; i < bof_buffer.chunks.size(); ++i ) DataIn(bof_buffer.chunks[i]->Bytes(), bof_buffer.chunks[i]->Len()); } -void File::DataIn(const u_char* data, uint64 len, uint64 offset) +void File::DeliverStream(const u_char* data, uint64 len) { - analyzers.DrainModifications(); + // Buffer enough data send to libmagic. + if ( BufferBOF(data, len) ) + return; - if ( file_reassembler ) + if ( stream_offset == 0 ) { - // If there is a file reassembler we must forward any data there. - // But this only happens if the incoming data doesn't happen - // to align with the current forwarded_offset - file_reassembler->NewBlock(network_time, offset, len, data); + DetectMIME(data, len); + FileEvent(file_new); + } - if ( !file_reassembler->HasBlocks() ) + file_analysis::Analyzer* a = 0; + IterCookie* c = analyzers.InitForIteration(); + while ( (a = analyzers.NextEntry(c)) ) + { + if ( !a->DeliverStream(data, len) ) { - delete file_reassembler; - file_reassembler = 0; + analyzers.QueueRemove(a->Tag(), a->Args()); } } - else if ( forwarded_offset == offset ) + + stream_offset += len; + IncrementByteCount(len, seen_bytes_idx); + } + +void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset) + { + // Potentially handle reassembly and deliver to the stream analyzers. 
+ if ( file_reassembler ) + { + if ( reassembly_max_buffer > 0 && + reassembly_max_buffer < file_reassembler->TotalSize() ) + { + uint64 first_offset = file_reassembler->GetFirstBlockOffset(); + int gap_bytes = file_reassembler->TrimToSeq(first_offset); + + if ( FileEventAvailable(file_reassembly_buffer_overflow) ) + { + val_list* vl = new val_list(); + vl->append(val->Ref()); + vl->append(new Val(stream_offset, TYPE_COUNT)); + vl->append(new Val(gap_bytes, TYPE_COUNT)); + FileEvent(file_reassembly_buffer_overflow, vl); + } + + Gap(stream_offset, gap_bytes); + } + + // Forward data to the reassembler. + file_reassembler->NewBlock(network_time, offset, len, data); + } + else if ( stream_offset == offset ) { // This is the normal case where a file is transferred linearly. - // Nothing should be done here. + // Nothing special should be done here. + DeliverStream(data, len); } - else if ( forwarded_offset > offset && forwarded_offset < offset+len ) + else if ( reassembly_enabled ) { - // This is a segment that begins before the forwarded_offset - // but proceeds past the forwarded_offset. It needs - // trimmed but the reassembler is not enabled. - uint64 adjustment = forwarded_offset - offset; - data = data + adjustment; - len = len - adjustment; - offset = forwarded_offset; - IncrementByteCount(adjustment, overflow_bytes_idx); - } - else if ( forwarded_offset < offset ) - { - // This is data past a gap and the reassembler needs to be enabled. - file_reassembler = new FileReassembler(this, forwarded_offset); + // This is data that doesn't match the offset and the reassembler + // needs to be enabled. + file_reassembler = new FileReassembler(this, stream_offset); file_reassembler->NewBlock(network_time, offset, len, data); - return; } else { - // This is data that was already seen so it can be completely ignored. + // We can't reassemble so we throw out the data for streaming. 
IncrementByteCount(len, overflow_bytes_idx); - return; } - if ( first_chunk ) + // Deliver to the chunk analyzers. + file_analysis::Analyzer* a = 0; + IterCookie* c = analyzers.InitForIteration(); + while ( (a = analyzers.NextEntry(c)) ) { - // TODO: this should all really be delayed until we attempt reassembly. - DetectMIME(data, len); - FileEvent(file_new); - first_chunk = false; + if ( !a->DeliverChunk(data, len, offset) ) + { + analyzers.QueueRemove(a->Tag(), a->Args()); + } } if ( IsComplete() ) { + // If the file is complete we can automatically go and close out the file from here. EndOfFile(); } - else - { - file_analysis::Analyzer* a = 0; - IterCookie* c = analyzers.InitForIteration(); + } - while ( (a = analyzers.NextEntry(c)) ) - { - //if ( ! a->DeliverChunk(data, len, offset) ) - // { - // analyzers.QueueRemove(a->Tag(), a->Args()); - // } - if ( ! a->DeliverStream(data, len) ) - { - analyzers.QueueRemove(a->Tag(), a->Args()); - } - - } - - analyzers.DrainModifications(); - - forwarded_offset += len; - IncrementByteCount(len, seen_bytes_idx); - } +void File::DataIn(const u_char* data, uint64 len, uint64 offset) + { + analyzers.DrainModifications(); + DeliverChunk(data, len, offset); + analyzers.DrainModifications(); } void File::DataIn(const u_char* data, uint64 len) { analyzers.DrainModifications(); - - if ( BufferBOF(data, len) ) - return; - - if ( missed_bof ) - { - DetectMIME(data, len); - FileEvent(file_new); - missed_bof = false; - } - - file_analysis::Analyzer* a = 0; - IterCookie* c = analyzers.InitForIteration(); - - while ( (a = analyzers.NextEntry(c)) ) - { - if ( ! a->DeliverStream(data, len) ) - { - analyzers.QueueRemove(a->Tag(), a->Args()); - continue; - } - - uint64 offset = LookupFieldDefaultCount(seen_bytes_idx) + - LookupFieldDefaultCount(missing_bytes_idx); - - if ( ! 
a->DeliverChunk(data, len, offset) ) - analyzers.QueueRemove(a->Tag(), a->Args()); - } - + + uint64 offset = LookupFieldDefaultCount(seen_bytes_idx) + + LookupFieldDefaultCount(missing_bytes_idx); + DeliverChunk(data, len, offset); analyzers.DrainModifications(); - IncrementByteCount(len, seen_bytes_idx); } void File::EndOfFile() @@ -501,6 +500,8 @@ void File::Gap(uint64 offset, uint64 len) } analyzers.DrainModifications(); + + stream_offset += len; IncrementByteCount(len, missing_bytes_idx); } diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 3422982303..14a168d0f9 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -169,6 +169,7 @@ public: protected: friend class Manager; + friend class FileReassembler; /** * Constructor; only file_analysis::Manager should be creating these. @@ -236,6 +237,33 @@ protected: */ bool DetectMIME(const u_char* data, uint64 len); + /** + * Enables reassembly on the file. + */ + void EnableReassembly(); + + /** + * Disables reassembly on the file. If there is an existing reassembler + * for the file, this will cause it to be deleted and won't allow a new + * one to be created until reassembly is reenabled. + */ + void DisableReassembly(); + + /** + * Set a maximum allowed bytes of memory for file reassembly for this file. + */ + void SetReassemblyBuffer(uint64 max); + + /** + * Perform stream-wise delivery for analyzers that need it. + */ + void DeliverStream(const u_char* data, uint64 len); + + /** + * Perform chunk-wise delivery for analyzers that need it. + */ + void DeliverChunk(const u_char* data, uint64 len, uint64 offset); + /** * Lookup a record field index/offset by name. * @param field_name the name of the \c fa_file record field. 
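Review bot: The buffer cap in `File::DeliverChunk` compares the per-file `reassembly_max_buffer` with `file_reassembler->TotalSize()`, while `Reassem.cc` shows `total_size` as a static member of `Reassembler`; if `TotalSize()` returns that counter, the limit is checked against memory held by every reassembler in the process rather than by this file. The check also runs before `NewBlock()`, so the chunk that pushes the buffer over the limit is still stored, and `GetFirstBlockOffset()` dereferences `blocks` without checking that the list is non-empty. `int gap_bytes` is then passed to `Gap(uint64 offset, uint64 len)`, so should `TrimToSeq` ever return a negative value it would be reported as an enormous gap and added to `stream_offset`. I would track the bytes buffered for this file, guard the empty-list case with `if ( ! blocks )`, and keep the gap length unsigned.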
@@ -248,18 +276,17 @@ protected: */ static void StaticInit(); -private: +protected: string id; /**< A pretty hash that likely identifies file */ RecordVal* val; /**< \c fa_file from script layer. */ - uint64 forwarded_offset; /**< The offset of the file which has been forwarded. */ FileReassembler *file_reassembler; /**< A reassembler for the file if it's needed. */ + uint64 stream_offset; /**< The offset of the file which has been forwarded. */ + uint64 reassembly_max_buffer; /**< Maximum allowed buffer for reassembly. */ + bool reassembly_enabled; /**< Whether file stream reassembly is needed. */ bool postpone_timeout; /**< Whether postponing timeout is requested. */ - bool first_chunk; /**< Track first non-linear chunk. */ - bool missed_bof; /**< Flags that we missed start of file. */ - bool need_reassembly; /**< Whether file stream reassembly is needed. */ bool done; /**< If this object is about to be deleted. */ bool did_file_new_event; /**< Whether the file_new event has been done. */ - AnalyzerSet analyzers; /**< A set of attached file analyzer. */ + AnalyzerSet analyzers; /**< A set of attached file analyzers. */ queue > fonc_queue; struct BOF_Buffer { diff --git a/src/file_analysis/FileReassembler.cc b/src/file_analysis/FileReassembler.cc index 8440fdca83..d05a573682 100644 --- a/src/file_analysis/FileReassembler.cc +++ b/src/file_analysis/FileReassembler.cc @@ -22,13 +22,6 @@ void FileReassembler::BlockInserted(DataBlock* start_block) seq_delta(start_block->upper, last_reassem_seq) <= 0 ) return; - - // We've filled a leading hole. Deliver as much as possible. - // Note that the new block may include both some old stuff - // and some new stuff. AddAndCheck() will have split the - // new stuff off into its own block(s), but in the following - // loop we have to take care not to deliver already-delivered - // data. for ( DataBlock* b = start_block; b && seq_delta(b->seq, last_reassem_seq) <= 0; b = b->next ) { 
@@ -36,23 +29,34 @@ void FileReassembler::BlockInserted(DataBlock* start_block) { // New stuff. int len = b->Size(); int seq = last_reassem_seq; + the_file->DeliverStream(b->block, len); last_reassem_seq += len; - the_file->DataIn(b->block, len, seq); } } - - //CheckEOF(); } void FileReassembler::Undelivered(int up_to_seq) { - //reporter->Warning("should probably do something here (file reassembler undelivered)\n"); + // Not doing anything here yet. } void FileReassembler::Overlap(const u_char* b1, const u_char* b2, int n) { - //reporter->Warning("should probably do something here (file reassembler overlap)\n"); + // Not doing anything here yet. } +IMPLEMENT_SERIAL(FileReassembler, SER_FILE_REASSEMBLER); + +bool FileReassembler::DoSerialize(SerialInfo* info) const + { + reporter->InternalError("FileReassembler::DoSerialize not implemented"); + return false; // Cannot be reached. + } + +bool FileReassembler::DoUnserialize(UnserialInfo* info) + { + reporter->InternalError("FileReassembler::DoUnserialize not implemented"); + return false; // Cannot be reached. + } } // end file_analysis diff --git a/src/file_analysis/FileReassembler.h b/src/file_analysis/FileReassembler.h index 7f73ec6fa4..146171b6ed 100644 --- a/src/file_analysis/FileReassembler.h +++ b/src/file_analysis/FileReassembler.h @@ -21,14 +21,16 @@ public: virtual ~FileReassembler(); void Done(); + uint64 GetFirstBlockOffset() { return blocks->seq; } // Checks if we have delivered all contents that we can possibly - // deliver for this endpoint. Calls TCP_Analyzer::EndpointEOF() - // when so. - //void CheckEOF(); + // deliver for this endpoint. + void CheckEOF(); -private: - //DECLARE_SERIAL(FileReassembler); +protected: + FileReassembler() { } + + DECLARE_SERIAL(FileReassembler); void Undelivered(int up_to_seq); void BlockInserted(DataBlock* b); diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 0337dbb098..5585c6c33c 100644 --- a/src/file_analysis/Manager.cc 
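Review bot: `FileReassembler::Overlap` and `Undelivered` are still empty, so when two chunks cover the same byte range with different content, nothing records that a second version existed and only whichever copy the base class keeps reaches the analyzers. For a monitor this matters, because the hashes and the extracted file then describe one of two versions seen on the wire without any indication of the conflict. The updated `overflow_bytes` documentation in this patch says the counter includes overlapping bytes, so at minimum `Overlap` should add `n` to it, and comparing `b1` with `b2` and raising an event on mismatch would make inconsistent retransmissions visible. `DoSerialize` and `DoUnserialize` abort through `reporter->InternalError`; a comment such as `// File reassemblers are never serialized; reaching this is a bug.` would explain why.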
+++ b/src/file_analysis/Manager.cc @@ -183,6 +183,39 @@ bool Manager::SetTimeoutInterval(const string& file_id, double interval) const return true; } +bool Manager::EnableReassembly(const string& file_id) + { + File* file = LookupFile(file_id); + + if ( ! file ) + return false; + + file->EnableReassembly(); + return true; + } + +bool Manager::DisableReassembly(const string& file_id) + { + File* file = LookupFile(file_id); + + if ( ! file ) + return false; + + file->DisableReassembly(); + return true; + } + +bool Manager::SetReassemblyBuffer(const string& file_id, uint64 max) + { + File* file = LookupFile(file_id); + + if ( ! file ) + return false; + + file->SetReassemblyBuffer(max); + return true; + } + bool Manager::SetExtractionLimit(const string& file_id, RecordVal* args, uint64 n) const { diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index cf73c6b52d..1d30e73e8a 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -173,6 +173,21 @@ public: */ bool SetTimeoutInterval(const string& file_id, double interval) const; + /** + * Enable the reassembler for a file. + */ + bool EnableReassembly(const string& file_id); + + /** + * Disable the reassembler for a file. + */ + bool DisableReassembly(const string& file_id); + + /** + * Set the reassembly for a file in bytes. + */ + bool SetReassemblyBuffer(const string& file_id, uint64 max); + /** * Sets a limit on the maximum size allowed for extracting the file * to local disk; diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc index 1a3917cd0e..032a176564 100644 --- a/src/file_analysis/analyzer/extract/Extract.cc +++ b/src/file_analysis/analyzer/extract/Extract.cc 
@@ -14,7 +14,7 @@ Extract::Extract(RecordVal* args, File* file, const string& arg_filename, : file_analysis::Analyzer(file_mgr->GetComponentTag("EXTRACT"), args, file), filename(arg_filename), limit(arg_limit) { - fd = open(filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0666); + fd = open(filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_APPEND, 0666); if ( fd < 0 ) { @@ -53,7 +53,7 @@ file_analysis::Analyzer* Extract::Instantiate(RecordVal* args, File* file) limit->AsCount()); } -static bool check_limit_exceeded(uint64 lim, uint64 off, uint64 len, uint64* n) +static bool check_limit_exceeded(uint64 lim, uint64 len, uint64* n) { if ( lim == 0 ) { @@ -61,13 +61,13 @@ static bool check_limit_exceeded(uint64 lim, uint64 off, uint64 len, uint64* n) return false; } - if ( off >= lim ) - { - *n = 0; - return true; - } - - *n = lim - off; + //if ( off >= lim ) + // { + // *n = 0; + // return true; + // } + // + //*n = lim - off; if ( len > *n ) return true; @@ -77,13 +77,13 @@ static bool check_limit_exceeded(uint64 lim, uint64 off, uint64 len, uint64* n) return false; } -bool Extract::DeliverChunk(const u_char* data, uint64 len, uint64 offset) +bool Extract::DeliverStream(const u_char* data, uint64 len) { if ( ! fd ) return false; uint64 towrite = 0; - bool limit_exceeded = check_limit_exceeded(limit, offset, len, &towrite); + bool limit_exceeded = check_limit_exceeded(limit, len, &towrite); if ( limit_exceeded && file_extraction_limit ) { 
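Review bot: The changed `open()` call still creates the extraction file with mode `0666`, so under a permissive umask content carved off the network is readable and writable by every local account. A tighter mode plus `O_NOFOLLOW`, which keeps `O_TRUNC` from acting on the target of a symlink sitting at `filename`, would be `fd = open(filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_APPEND | O_NOFOLLOW, 0600);`. The failure test here is `fd < 0`, while `DeliverStream` in the later hunk tests `! fd`; the two only agree if the error branch, which continues outside this hunk, resets `fd` to 0.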
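Review bot: With the offset logic commented out in the `@@ -61,13` hunk, `check_limit_exceeded` compares `len` against `*n` before anything has assigned it, and both calls in `DeliverStream` pass `&towrite`, which is initialised to 0. For any non-zero `limit` the function therefore returns true with `*n == 0` on every non-empty chunk: nothing is written, `file_extraction_limit` fires each time, and the limit no longer relates to how much has been extracted. The analyzer needs a running total, for example a new `uint64` member counting bytes written (placeholder name `written`), with `*n = written < lim ? lim - written : 0;` restored ahead of the comparison. Both functions extend beyond these hunks; the second call sits in the `@@ -92,16` hunk.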
@@ -92,16 +92,15 @@ bool Extract::DeliverChunk(const u_char* data, uint64 len, uint64 offset) vl->append(f->GetVal()->Ref()); vl->append(Args()->Ref()); vl->append(new Val(limit, TYPE_COUNT)); - vl->append(new Val(offset, TYPE_COUNT)); vl->append(new Val(len, TYPE_COUNT)); f->FileEvent(file_extraction_limit, vl); // Limit may have been modified by BIF, re-check it. - limit_exceeded = check_limit_exceeded(limit, offset, len, &towrite); + limit_exceeded = check_limit_exceeded(limit, len, &towrite); } if ( towrite > 0 ) - safe_pwrite(fd, data, towrite, offset); + safe_write(fd, (const char *) data, towrite); return ( ! limit_exceeded ); } diff --git a/src/file_analysis/analyzer/extract/Extract.h b/src/file_analysis/analyzer/extract/Extract.h index 00c4dbe2b7..59130fa230 100644 --- a/src/file_analysis/analyzer/extract/Extract.h +++ b/src/file_analysis/analyzer/extract/Extract.h @@ -28,11 +28,10 @@ public: * Write a chunk of file data to the local extraction file. * @param data pointer to a chunk of file data. * @param len number of bytes in the data chunk. - * @param offset number of bytes from start of file at which chunk starts. * @return false if there was no extraction file open and the data couldn't * be written, else true. */ - virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset); + virtual bool DeliverStream(const u_char* data, uint64 len); /** * Create a new instance of an Extract analyzer. diff --git a/src/file_analysis/analyzer/extract/events.bif b/src/file_analysis/analyzer/extract/events.bif index 1c08736416..f5ebb6816b 100644 --- a/src/file_analysis/analyzer/extract/events.bif +++ b/src/file_analysis/analyzer/extract/events.bif 
@@ -11,9 +11,7 @@ ## ## limit: The limit, in bytes, the extracted file is about to breach. ## -## offset: The offset at which a file chunk is about to be written. -## ## len: The length of the file chunk about to be written. ## ## .. bro:see:: Files::add_analyzer Files::ANALYZER_EXTRACT -event file_extraction_limit%(f: fa_file, args: any, limit: count, offset: count, len: count%); +event file_extraction_limit%(f: fa_file, args: any, limit: count, len: count%); diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index 0e904f298f..4e4b4c6cdb 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif @@ -15,6 +15,27 @@ function Files::__set_timeout_interval%(file_id: string, t: interval%): bool return new Val(result, TYPE_BOOL); %} +## :bro:see:`Files::enable_reassembly`. +function Files::__enable_reassembly%(file_id: string%): bool + %{ + bool result = file_mgr->EnableReassembly(file_id->CheckString()); + return new Val(result, TYPE_BOOL); + %} + +## :bro:see:`Files::disable_reassembly`. +function Files::__disable_reassembly%(file_id: string%): bool + %{ + bool result = file_mgr->DisableReassembly(file_id->CheckString()); + return new Val(result, TYPE_BOOL); + %} + +## :bro:see:`Files::set_reassembly_buffer`. +function Files::__set_reassembly_buffer%(file_id: string, max: count%): bool + %{ + bool result = file_mgr->SetReassemblyBuffer(file_id->CheckString(), max); + return new Val(result, TYPE_BOOL); + %} + ## :bro:see:`Files::add_analyzer`. function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool %{ diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out index cbd60840bf..c9b5e20466 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out 
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out 
@@ -7,6 +7,7 @@ text/plain FILE_OVER_NEW_CONNECTION file_stream, file #0, 1500, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J rather than all. (Robin Sommer)^J^J * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J * Little fix for make-relea file_chunk, file #0, 1500, 0, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. 
(Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J rather than all. (Robin Sommer)^J^J * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J * Little fix for make-relea +file_chunk, file #0, 1500, 0, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. 
(Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J rather than all. (Robin Sommer)^J^J * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J * Little fix for make-relea file_stream, file #0, 1024, se script, which could pick out the wrong^J tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J * Bugfix in update-changes script. (Robin Sommer)^J^J * update-changes now ignores commits it did itself. (Robin Sommer)^J^J * Fix a bug in the update-changes script. (Robin Sommer)^J^J * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J * Options to adjust time format for bro-cut. (Robin Sommer)^J^J The default with -d is now ISO format. The new option "-D "^J specifies a custom strftime()-style format string. Alternatively,^J the environment variable BRO_CUT_TIMEFMT can set the format as^J well.^J^J * bro-cut now understands the field separator header. (Robin Sommer)^J^J * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J * Adding support for replacing version string in a setup.py. 
(Robin^J Sommer)^J^J * Change generated root cert DN indices f file_chunk, file #0, 1024, 1500, se script, which could pick out the wrong^J tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J * Bugfix in update-changes script. (Robin Sommer)^J^J * update-changes now ignores commits it did itself. (Robin Sommer)^J^J * Fix a bug in the update-changes script. (Robin Sommer)^J^J * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J * Options to adjust time format for bro-cut. (Robin Sommer)^J^J The default with -d is now ISO format. The new option "-D "^J specifies a custom strftime()-style format string. Alternatively,^J the environment variable BRO_CUT_TIMEFMT can set the format as^J well.^J^J * bro-cut now understands the field separator header. (Robin Sommer)^J^J * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J * Adding support for replacing version string in a setup.py. (Robin^J Sommer)^J^J * Change generated root cert DN indices f file_stream, file #0, 476, ormat for RFC2253^J compliance. (Jon Siwek)^J^J * New tool devel-tools/check-release to run before making releases.^J (Robin Sommer)^J^J * devel-tools/update-changes gets a new option -a to amend to^J previous commit if possible. Default is now not to (used to be the^J opposite). (Robin Sommer)^J^J * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J * Change distclean to only remove build dir. (Jon Siwek)^J^J * Make dist now cleans the diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout index e78f5c8c17..8b2826a925 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout 
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout @@ -1,5 +1,7 @@ FILE_NEW file #0, 0, 0 +FILE_BOF_BUFFER +MZ\x90\0^C\0\0\0^D\0\0 MIME_TYPE application/x-dosexec FILE_OVER_NEW_CONNECTION @@ -8,15 +10,13 @@ file #0, 1022920, 0 [orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp] total bytes: 1022920 source: HTTP -FILE_NEW -file #1, 0, 0 -MIME_TYPE -application/octet-stream -FILE_OVER_NEW_CONNECTION +MD5: fc13fee1d44ef737a3133f1298b21d28 +SHA1: 7d99803eaf3b6e8dfa3581348bc694089579d25a +SHA256: dcb87a62a2b5d449abc138776000fd1b14edc690e9da6ea325b8f352ab033202 FILE_TIMEOUT FILE_TIMEOUT FILE_STATE_REMOVE -file #1, 206024, 0 +file #0, 0, 0 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp] total bytes: 1022920 source: HTTP diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out index da42f4fd68..9870cd8888 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out @@ -55,3 +55,11 @@ source: HTTP MD5: 226244811006caf4ac904344841168dd SHA1: 7222902b8b8e68e25c0422e7f8bdf344efeda54d SHA256: dd485ecf240e12807516b0a27718fc3ab9a17c1158a452967343c98cefba07a0 +FILE_STATE_REMOVE +file #3, 465, 0 +[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] +total bytes: 465 +source: HTTP +MD5: 226244811006caf4ac904344841168dd +SHA1: 7222902b8b8e68e25c0422e7f8bdf344efeda54d +SHA256: dd485ecf240e12807516b0a27718fc3ab9a17c1158a452967343c98cefba07a0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out index 0eace71c67..47c42efd13 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out @@ -1,5 +1,7 @@ FILE_NEW file #0, 0, 0 +FILE_BOF_BUFFER +%PDF-1.4^J%\xd0 MIME_TYPE application/pdf FILE_OVER_NEW_CONNECTION diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out index 9c05f311f3..9c123887e7 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out @@ -1,5 +1,7 @@ FILE_NEW file #0, 0, 0 +FILE_BOF_BUFFER +MZ\x90\0^C\0\0\0^D\0\0 MIME_TYPE application/x-dosexec FILE_OVER_NEW_CONNECTION @@ -8,14 +10,12 @@ file #0, 1022920, 0 [orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp] total bytes: 1022920 source: HTTP -FILE_NEW -file #1, 0, 0 -MIME_TYPE -application/octet-stream -FILE_OVER_NEW_CONNECTION +MD5: fc13fee1d44ef737a3133f1298b21d28 +SHA1: 7d99803eaf3b6e8dfa3581348bc694089579d25a +SHA256: dcb87a62a2b5d449abc138776000fd1b14edc690e9da6ea325b8f352ab033202 FILE_TIMEOUT FILE_STATE_REMOVE -file #1, 206024, 0 +file #0, 0, 0 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp] total bytes: 1022920 source: HTTP diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out index d85a9de314..b344249aa1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out 
@@ -1,12 +1,17 @@ FILE_NEW file #0, 0, 0 +FILE_BOF_BUFFER +%PDF-1.4^M%\xe2 MIME_TYPE -application/octet-stream +application/pdf FILE_OVER_NEW_CONNECTION FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE -file #0, 498702, 0 +file #0, 498668, 0 [orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp] [orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp] total bytes: 498668 source: HTTP +MD5: 94046a5fb1c5802d0f1e6d704cf3e10e +SHA1: 250aa71dd1594363bc7083d25cfd0240e441b119 +SHA256: 5c3bc213c9eff85f98feceac8810b955f8415564e50e3889b447e847c50c5ba7 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out index b85485cd1a..b3c4bd3e31 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out @@ -41,6 +41,14 @@ source: HTTP MD5: d903de7e30db1691d3130ba5eae6b9a7 SHA1: 81f5f056ce5e97d940854bb0c48017b45dd9f15e SHA256: 6fb22aa9d780ea63bd7a2e12b92b16fcbf1c4874f1d3e11309a5ba984433c315 +FILE_STATE_REMOVE +file #2, 94, 0 +[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp] +total bytes: 94 +source: HTTP +MD5: d903de7e30db1691d3130ba5eae6b9a7 +SHA1: 81f5f056ce5e97d940854bb0c48017b45dd9f15e +SHA256: 6fb22aa9d780ea63bd7a2e12b92b16fcbf1c4874f1d3e11309a5ba984433c315 FILE_NEW file #3, 0, 0 FILE_BOF_BUFFER diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out index cedc396254..f130f2d270 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out 
@@ -13,6 +13,14 @@ source: HTTP MD5: 5eb63bbbe01eeed093cb22bb8f5acdc3 SHA1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed SHA256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 +FILE_STATE_REMOVE +file #0, 11, 0 +[orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp] +total bytes: 11 +source: HTTP +MD5: 5eb63bbbe01eeed093cb22bb8f5acdc3 +SHA1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +SHA256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 FILE_NEW file #1, 0, 0 FILE_BOF_BUFFER @@ -28,3 +36,11 @@ source: HTTP MD5: c9337794df612aeaa901dcf9fa446bca SHA1: 6a1582672c203210c6d18d700322060b676365e7 SHA256: 8eb24c16df7cb45cb6a1790b0d26ad2571f754228d0ac111b3ac59adbfecbeb8 +FILE_STATE_REMOVE +file #1, 366, 0 +[orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp] +total bytes: 366 +source: HTTP +MD5: c9337794df612aeaa901dcf9fa446bca +SHA1: 6a1582672c203210c6d18d700322060b676365e7 +SHA256: 8eb24c16df7cb45cb6a1790b0d26ad2571f754228d0ac111b3ac59adbfecbeb8 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log index 447d991f3e..643176a6b3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path files -#open 2013-08-26-18-39-03 +#open 2014-01-05-09-08-10 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted #types time string table[addr] table[addr] table[string] string count table[string] string string interval bool bool count count count count bool string string string string string 1362692527.009721 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 SHA256,DATA_EVENT,MD5,EXTRACT,SHA1 text/plain - 0.000054 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 FakNcS1Jfe01uljb3-file -#close 2013-08-26-18-39-03 +#close 2014-01-05-09-08-10 From cd81eaedca4fca6cff14a9189af4e00e97c470da Mon Sep 17 00:00:00 2001 From: Hui Lin Date: Tue, 5 Aug 2014 15:43:33 -0500 Subject: [PATCH 03/48] modify DNP3.cc and DNP3.h to add DNP3_UDP_Analyzer; binpac unchanged --- src/analyzer/protocol/dnp3/DNP3.cc | 270 +++++++++++++++++++++++++++++ src/analyzer/protocol/dnp3/DNP3.h | 47 +++++ 2 files changed, 317 insertions(+) diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc index 9d9ddf0c35..7931b31462 100644 --- a/src/analyzer/protocol/dnp3/DNP3.cc +++ b/src/analyzer/protocol/dnp3/DNP3.cc @@ -112,6 +112,10 @@ const unsigned int PSEUDO_LINK_LAYER_LEN = 8; // length of DNP3 Pseudo Link Lay bool DNP3_Analyzer::crc_table_initialized = false; unsigned int DNP3_Analyzer::crc_table[256]; +bool DNP3_UDP_Analyzer::crc_table_initialized = false; +unsigned int DNP3_UDP_Analyzer::crc_table[256]; + + DNP3_Analyzer::DNP3_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("DNP3", c) { interp = new binpac::DNP3::DNP3_Conn(this); 
@@ -374,3 +378,269 @@ unsigned int DNP3_Analyzer::CalcCRC(int len, const u_char* data) return ~crc & 0xFFFF; } + +// ?? For DNP3 over UDP analyzer. most of the codes are copied and pasted. Better way to reuse the code? + +DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c) : Analyzer("DHCP", c) + { + interp = new binpac::DNP3::DNP3_Conn(this); + + ClearEndpointState(true); + ClearEndpointState(false); + + if ( ! crc_table_initialized ) + PrecomputeCRCTable(); + } + +DNP3_UDP_Analyzer::~DNP3_UDP_Analyzer() + { + delete interp; + } + +void DNP3_UDP_Analyzer::Done() + { + Analyzer::Done(); + + interp->FlowEOF(true); + interp->FlowEOF(false); + } + +void DNP3_UDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) + { + Analyzer::DeliverStream(len, data, orig); + + try + { + if ( ! ProcessData(len, data, orig) ) + SetSkip(1); + } + + catch ( const binpac::Exception& e ) + { + SetSkip(1); + throw; + } + } +/* +void DNP3_UDP_Analyzer::Undelivered(uint64 seq, int len, bool orig) + { + Analyzer::Undelivered(seq, len, orig); + interp->NewGap(orig, len); + } + +void DNP3_UDP_Analyzer::EndpointEOF(bool is_orig) + { + Analyzer::EndpointEOF(is_orig); + interp->FlowEOF(is_orig); + } +*/ + +bool DNP3_UDP_Analyzer::ProcessData(int len, const u_char* data, bool orig) + { + Endpoint* endp = orig ? &orig_state : &resp_state; + + while ( len ) + { + if ( endp->in_hdr ) + { + // We're parsing the DNP3 header and link layer, get that in full. + if ( ! AddToBuffer(endp, PSEUDO_APP_LAYER_INDEX, &data, &len) ) + return true; + + // The first two bytes must always be 0x0564. + if( endp->buffer[0] != 0x05 || endp->buffer[1] != 0x64 ) + { + Weird("dnp3_header_lacks_magic"); + return false; + } + + // Make sure header checksum is correct. + if ( ! CheckCRC(PSEUDO_LINK_LAYER_LEN, endp->buffer, endp->buffer + PSEUDO_LINK_LAYER_LEN, "header") ) + { + ProtocolViolation("broken_checksum"); + return false; + } + + // If the checksum works out, we're pretty certainly DNP3. 
+ ProtocolConfirmation(); + + // DNP3 packets without transport and application + // layers can happen, we ignore them. + if ( (endp->buffer[PSEUDO_LENGTH_INDEX] + 3) == (char)PSEUDO_LINK_LAYER_LEN ) + { + ClearEndpointState(orig); + return true; + } + + // Double check the direction in case the first + // received packet is a response. + u_char ctrl = endp->buffer[PSEUDO_CONTROL_FIELD_INDEX]; + + if ( orig != (bool)(ctrl & 0x80) ) + Weird("dnp3_unexpected_flow_direction"); + + // Update state. + endp->pkt_length = endp->buffer[PSEUDO_LENGTH_INDEX]; + endp->tpflags = endp->buffer[PSEUDO_TRANSPORT_INDEX]; + endp->in_hdr = false; // Now parsing application layer. + + // For the first packet, we submit the header to + // BinPAC. + if ( ++endp->pkt_cnt == 1 ) + interp->NewData(orig, endp->buffer, endp->buffer + PSEUDO_LINK_LAYER_LEN); + } + + if ( ! endp->in_hdr ) + { + assert(endp->pkt_length); + + // We're parsing the DNP3 application layer, get that + // in full now as well. We calculate the number of + // raw bytes the application layer consists of from + // the packet length by determining how much 16-byte + // chunks fit in there, and then add 2 bytes CRC for + // each. + int n = PSEUDO_APP_LAYER_INDEX + (endp->pkt_length - 5) + ((endp->pkt_length - 5) / 16) * 2 + 2 - 1; + + if ( ! AddToBuffer(endp, n, &data, &len) ) + return true; + + // Parse the the application layer data. + if ( ! ParseAppLayer(endp) ) + return false; + + // Done with this packet, prepare for next. + endp->buffer_len = 0; + endp->in_hdr = true; + } + } + + return true; + } + +bool DNP3_UDP_Analyzer::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len) + { + if ( ! 
target_len ) + return true; + + int to_copy = min(*len, target_len - endp->buffer_len); + + memcpy(endp->buffer + endp->buffer_len, *data, to_copy); + *data += to_copy; + *len -= to_copy; + endp->buffer_len += to_copy; + + return endp->buffer_len == target_len; + } + +bool DNP3_UDP_Analyzer::ParseAppLayer(Endpoint* endp) + { + bool orig = (endp == &orig_state); + binpac::DNP3::DNP3_Flow* flow = orig ? interp->upflow() : interp->downflow(); + + u_char* data = endp->buffer + PSEUDO_TRANSPORT_INDEX; // The transport layer byte counts as app-layer it seems. + int len = endp->pkt_length - 5; + + // DNP3 Packet : DNP3 Pseudo Link Layer | DNP3 Pseudo Transport Layer | DNP3 Pseudo Application Layer + // DNP3 Serial Transport Layer data is always 1 byte. + // Get FIN FIR seq field in transport header. + // FIR indicate whether the following DNP3 Serial Application Layer is first chunk of bytes or not. + // FIN indicate whether the following DNP3 Serial Application Layer is last chunk of bytes or not. + + int is_first = (endp->tpflags & 0x40) >> 6; // Initial chunk of data in this packet. + int is_last = (endp->tpflags & 0x80) >> 7; // Last chunk of data in this packet. + + int transport = PSEUDO_TRANSPORT_LEN; + + int i = 0; + while ( len > 0 ) + { + int n = min(len, 16); + + // Make sure chunk has a correct checksum. + if ( ! CheckCRC(n, data, data + n, "app_chunk") ) + return false; + + // Pass on to BinPAC. + assert(data + n < endp->buffer + endp->buffer_len); + flow->flow_buffer()->BufferData(data + transport, data + n); + transport = 0; + + data += n + 2; + len -= n; + } + + if ( is_first ) + endp->encountered_first_chunk = true; + + if ( ! is_first && ! endp->encountered_first_chunk ) + { + // We lost the first chunk. 
+ Weird("dnp3_first_application_layer_chunk_missing"); + return false; + } + + if ( is_last ) + { + flow->flow_buffer()->FinishBuffer(); + flow->FlowEOF(); + ClearEndpointState(orig); + } + + return true; + } + +void DNP3_UDP_Analyzer::ClearEndpointState(bool orig) + { + Endpoint* endp = orig ? &orig_state : &resp_state; + binpac::DNP3::DNP3_Flow* flow = orig ? interp->upflow() : interp->downflow(); + + endp->in_hdr = true; + endp->encountered_first_chunk = false; + endp->buffer_len = 0; + endp->pkt_length = 0; + endp->tpflags = 0; + endp->pkt_cnt = 0; + } + +bool DNP3_UDP_Analyzer::CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where) + { + unsigned int crc = CalcCRC(len, data); + + if ( crc16[0] == (crc & 0xff) && crc16[1] == (crc & 0xff00) >> 8 ) + return true; + + Weird(fmt("dnp3_corrupt_%s_checksum", where)); + return false; + } + +void DNP3_UDP_Analyzer::PrecomputeCRCTable() + { + for( unsigned int i = 0; i < 256; i++) + { + unsigned int crc = i; + + for ( unsigned int j = 0; j < 8; ++j ) + { + if ( crc & 0x0001 ) + crc = (crc >> 1) ^ 0xA6BC; // Generating polynomial. + else + crc >>= 1; + } + + crc_table[i] = crc; + } + } + +unsigned int DNP3_UDP_Analyzer::CalcCRC(int len, const u_char* data) + { + unsigned int crc = 0x0000; + + for ( int i = 0; i < len; i++ ) + { + unsigned int index = (crc ^ data[i]) & 0xFF; + crc = crc_table[index] ^ (crc >> 8); + } + + return ~crc & 0xFFFF; + } diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h index 9cccf04d4d..ff3aff3594 100644 --- a/src/analyzer/protocol/dnp3/DNP3.h +++ b/src/analyzer/protocol/dnp3/DNP3.h @@ -3,6 +3,8 @@ #define ANALYZER_PROTOCOL_DNP3_DNP3_H #include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/udp/UDP.h" + #include "dnp3_pac.h" namespace analyzer { namespace dnp3 { 
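Review bot: `AddToBuffer` passes `target_len - endp->buffer_len` to `memcpy` without checking its sign, and `ProcessData` derives that target from the length byte of the frame being parsed. A length byte below 5 makes `n` smaller than the 11 bytes already buffered, so `to_copy` goes negative and `memcpy` receives a huge `size_t`, writing past the fixed `buffer`; the only guard, `assert(endp->pkt_length)`, covers zero alone and is compiled out of release builds. The header CRC is no protection because the sender computes it. Rejecting short lengths before leaving header state and bounding the target in `AddToBuffer`, as sketched below with a placeholder weird name, closes this, and the TCP analyzer this code was copied from would need the same change if it shares the logic. Separately, `PrecomputeCRCTable` never sets `crc_table_initialized`, so the table is rebuilt for every connection.

```cpp
			// Update state.
			endp->pkt_length = endp->buffer[PSEUDO_LENGTH_INDEX];

			// The length byte always covers the 5 link-layer bytes that
			// follow it, so anything smaller cannot be a valid frame and
			// would make the application-layer size computed below negative.
			if ( endp->pkt_length < 5 )
				{
				Weird("dnp3_invalid_length"); // placeholder name
				ClearEndpointState(orig);
				return false;
				}
			// … unchanged: tpflags, in_hdr, first-packet NewData …

bool DNP3_UDP_Analyzer::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len)
	{
	if ( ! target_len )
		return true;

	// Defence in depth: never copy a negative amount or beyond the fixed
	// buffer. Callers treat false as "frame incomplete", so the length
	// check in ProcessData is what actually rejects the frame.
	if ( *len < 0 || target_len < endp->buffer_len || target_len > MAX_BUFFER_SIZE )
		return false;

	int to_copy = min(*len, target_len - endp->buffer_len);
	// … unchanged: memcpy and cursor updates …
```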
@@ -51,6 +53,51 @@ private: static unsigned int crc_table[256]; }; +class DNP3_UDP_Analyzer : public analyzer::Analyzer { +public: + DNP3_UDP_Analyzer(Connection* conn); + virtual ~DNP3_UDP_Analyzer(); + + virtual void Done(); + virtual void DeliverStream(int len, const u_char* data, bool orig); + //virtual void Undelivered(uint64 seq, int len, bool orig); + //virtual void EndpointEOF(bool is_orig); + + static Analyzer* Instantiate(Connection* conn) + { return new DNP3_UDP_Analyzer(conn); } + +private: + static const int MAX_BUFFER_SIZE = 300; + + struct Endpoint { + u_char buffer[MAX_BUFFER_SIZE]; + int buffer_len; + bool in_hdr; + int tpflags; + int pkt_length; + int pkt_cnt; + bool encountered_first_chunk; + }; + + bool ProcessData(int len, const u_char* data, bool orig); + void ClearEndpointState(bool orig); + bool AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len); + bool ParseAppLayer(Endpoint* endp); + bool CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where); + unsigned int CalcCRC(int len, const u_char* data); + + binpac::DNP3::DNP3_Conn* interp; + + Endpoint orig_state; + Endpoint resp_state; + + static void PrecomputeCRCTable(); + + static bool crc_table_initialized; + static unsigned int crc_table[256]; +}; + + } } // namespace analyzer::* #endif From 51e936ec59d37b3d906f876730a950420a346abb Mon Sep 17 00:00:00 2001 From: Hui Lin Date: Wed, 6 Aug 2014 15:07:11 -0500 Subject: [PATCH 04/48] changed a bug, but still not working --- src/analyzer/protocol/dnp3/DNP3.cc | 25 +++++++++++++++---------- src/analyzer/protocol/dnp3/DNP3.h | 10 ++++++---- src/analyzer/protocol/dnp3/Plugin.cc | 6 ++++-- 3 files changed, 25 insertions(+), 16 deletions(-) diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc index 7931b31462..f07e999ad0 100644 --- a/src/analyzer/protocol/dnp3/DNP3.cc +++ b/src/analyzer/protocol/dnp3/DNP3.cc 
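Review bot: `MAX_BUFFER_SIZE = 300` is the only thing that relates the length arithmetic in `ProcessData` to the fixed `buffer` array, yet nothing in the class says where the number comes from. A comment such as `// ProcessData requests at most 292 bytes for a one-byte length field; keep this above that.` ties the two together, and an explicit comparison of the computed size with `MAX_BUFFER_SIZE` where it is used would stop them drifting apart. The .cc comment in this commit says the implementation was copied from `DNP3_Analyzer`, so moving the framing and CRC code into a shared, transport-independent base class would let a parser fix be made once rather than in two places.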
@@ -97,7 +97,7 @@ // Binpac DNP3 Analyzer #include "DNP3.h" -#include "analyzer/protocol/tcp/TCP_Reassembler.h" +//#include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "events.bif.h" using namespace analyzer::dnp3; @@ -109,13 +109,13 @@ const unsigned int PSEUDO_APP_LAYER_INDEX = 11; // index of first DNP3 app-laye const unsigned int PSEUDO_TRANSPORT_LEN = 1; // length of DNP3 Transport Layer const unsigned int PSEUDO_LINK_LAYER_LEN = 8; // length of DNP3 Pseudo Link Layer -bool DNP3_Analyzer::crc_table_initialized = false; -unsigned int DNP3_Analyzer::crc_table[256]; +//bool DNP3_Analyzer::crc_table_initialized = false; +//unsigned int DNP3_Analyzer::crc_table[256]; bool DNP3_UDP_Analyzer::crc_table_initialized = false; unsigned int DNP3_UDP_Analyzer::crc_table[256]; - +/* DNP3_Analyzer::DNP3_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("DNP3", c) { interp = new binpac::DNP3::DNP3_Conn(this); @@ -378,11 +378,14 @@ unsigned int DNP3_Analyzer::CalcCRC(int len, const u_char* data) return ~crc & 0xFFFF; } +*/ // ?? For DNP3 over UDP analyzer. most of the codes are copied and pasted. Better way to reuse the code? -DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c) : Analyzer("DHCP", c) +DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c) : Analyzer("DNP3", c) { + + printf("enter DNP3_UDP_Analyzer\n"); interp = new binpac::DNP3::DNP3_Conn(this); ClearEndpointState(true); @@ -400,14 +403,13 @@ DNP3_UDP_Analyzer::~DNP3_UDP_Analyzer() void DNP3_UDP_Analyzer::Done() { Analyzer::Done(); - - interp->FlowEOF(true); - interp->FlowEOF(false); } -void DNP3_UDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) +void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { - Analyzer::DeliverStream(len, data, orig); + printf("enter DNP3_UDP_Analyzer DeliverPacket\n"); + Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + try { 
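Review bot: The `printf("enter DNP3_UDP_Analyzer\n");` added to the constructor, and the similar calls in `DeliverPacket` (next hunk) and `ProcessData` (`@@ -437,8` hunk), write to stdout once per connection and again for every datagram. On a sensor that is output which any host on the monitored network can generate at packet rate, and it bypasses the logging framework; tracing belongs behind the project's debug-stream facility, otherwise the three lines should be dropped before merge. The same commit comments out the whole TCP `DNP3_Analyzer` instead of keeping both, which leaves DNP3 over TCP unparsed while this state is checked in.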
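Review bot: `DeliverPacket` in the `@@ -400,14` hunk now feeds each datagram into `ProcessData`, which was written for a byte stream and returns true with a partially filled `endp->buffer` when the input ends mid-frame. On UDP the next datagram, possibly unrelated or from a different sender using the same address pair, is then appended to those leftover bytes and parsed as the rest of the frame. If a frame is expected to fit in one datagram, which should be confirmed against the DNP3 IP networking specification, the leftover ought to be reported and dropped after the call, e.g. `if ( endp_has_partial_frame ) { Weird("dnp3_udp_truncated_frame"); ClearEndpointState(orig); }`, where both the condition and the weird name are placeholders. The `try` block of `DeliverPacket` continues outside this hunk.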
@@ -437,8 +439,11 @@ void DNP3_UDP_Analyzer::EndpointEOF(bool is_orig) bool DNP3_UDP_Analyzer::ProcessData(int len, const u_char* data, bool orig) { + printf("enter DNP3_UDP_Analyzer process Data\n"); + Endpoint* endp = orig ? &orig_state : &resp_state; + while ( len ) { if ( endp->in_hdr ) diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h index ff3aff3594..fcb1758ddb 100644 --- a/src/analyzer/protocol/dnp3/DNP3.h +++ b/src/analyzer/protocol/dnp3/DNP3.h @@ -2,13 +2,13 @@ #ifndef ANALYZER_PROTOCOL_DNP3_DNP3_H #define ANALYZER_PROTOCOL_DNP3_DNP3_H -#include "analyzer/protocol/tcp/TCP.h" +//#include "analyzer/protocol/tcp/TCP.h" #include "analyzer/protocol/udp/UDP.h" #include "dnp3_pac.h" namespace analyzer { namespace dnp3 { - +/* class DNP3_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: DNP3_Analyzer(Connection* conn); @@ -52,6 +52,7 @@ private: static bool crc_table_initialized; static unsigned int crc_table[256]; }; +*/ class DNP3_UDP_Analyzer : public analyzer::Analyzer { public: @@ -59,11 +60,12 @@ public: virtual ~DNP3_UDP_Analyzer(); virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); + virtual void DeliverPacket(int len, const u_char* data, bool orig, + int seq, const IP_Hdr* ip, int caplen); //virtual void Undelivered(uint64 seq, int len, bool orig); //virtual void EndpointEOF(bool is_orig); - static Analyzer* Instantiate(Connection* conn) + static analyzer::Analyzer* Instantiate(Connection* conn) { return new DNP3_UDP_Analyzer(conn); } private: diff --git a/src/analyzer/protocol/dnp3/Plugin.cc b/src/analyzer/protocol/dnp3/Plugin.cc index 614ff38773..0ebc49355a 100644 --- a/src/analyzer/protocol/dnp3/Plugin.cc +++ b/src/analyzer/protocol/dnp3/Plugin.cc 
@@ -12,11 +12,13 @@ class Plugin : public plugin::Plugin { public: plugin::Configuration Configure() { - AddComponent(new ::analyzer::Component("DNP3", ::analyzer::dnp3::DNP3_Analyzer::Instantiate)); + //AddComponent(new ::analyzer::Component("DNP3", ::analyzer::dnp3::DNP3_Analyzer::Instantiate)); + AddComponent(new ::analyzer::Component("DNP3", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate)); plugin::Configuration config; config.name = "Bro::DNP3"; - config.description = "DNP3 analyzer"; + //config.description = "DNP3 analyzer"; + config.description = "DNP3 UDP analyzer"; return config; } } plugin; From b83d4a9c849378c30a16f8b775d961616ad8dff2 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 6 Aug 2014 15:41:53 -0500 Subject: [PATCH 05/48] Fix some things in DNP3 UDP analyzer. - DeliverPacket override had a wrong parameter. - Change the DNP3 plugin to provide both UDP and TCP analyzer versions. - Add a DPD signature. --- scripts/base/protocols/dnp3/dpd.sig | 6 ++++++ src/analyzer/protocol/dnp3/DNP3.cc | 10 ++++------ src/analyzer/protocol/dnp3/DNP3.h | 8 ++++---- src/analyzer/protocol/dnp3/Plugin.cc | 7 +++---- 4 files changed, 17 insertions(+), 14 deletions(-) diff --git a/scripts/base/protocols/dnp3/dpd.sig b/scripts/base/protocols/dnp3/dpd.sig index c482661a43..24fa740626 100644 --- a/scripts/base/protocols/dnp3/dpd.sig +++ b/scripts/base/protocols/dnp3/dpd.sig @@ -7,3 +7,9 @@ signature dpd_dnp3_server { tcp-state responder enable "dnp3" } + +signature dpd_dnp3_server_udp { + ip-proto == udp + payload /\x05\x64/ + enable "dnp3_udp" +} diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc index f07e999ad0..b6b4a5ea3d 100644 --- a/src/analyzer/protocol/dnp3/DNP3.cc +++ b/src/analyzer/protocol/dnp3/DNP3.cc 
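Review bot: The new `dpd_dnp3_server_udp` signature in the dpd.sig hunk enables the analyzer on a match of only the two start bytes `/\x05\x64/`, with no port, direction or further header constraint. That attaches the DNP3 parser to unrelated UDP flows that happen to carry those bytes, so the parser's input is chosen entirely by the sender. Consider matching more of the link header, for example also requiring a plausible length byte as in `payload /\x05\x64[\x05-\xff]/` (to be checked against the DNP3 link-layer spec). A comment above the signature should say what the pattern represents, e.g. `# 0x05 0x64: DNP3 link-layer start bytes`.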
@@ -109,13 +109,12 @@ const unsigned int PSEUDO_APP_LAYER_INDEX = 11; // index of first DNP3 app-laye const unsigned int PSEUDO_TRANSPORT_LEN = 1; // length of DNP3 Transport Layer const unsigned int PSEUDO_LINK_LAYER_LEN = 8; // length of DNP3 Pseudo Link Layer -//bool DNP3_Analyzer::crc_table_initialized = false; -//unsigned int DNP3_Analyzer::crc_table[256]; +bool DNP3_Analyzer::crc_table_initialized = false; +unsigned int DNP3_Analyzer::crc_table[256]; bool DNP3_UDP_Analyzer::crc_table_initialized = false; unsigned int DNP3_UDP_Analyzer::crc_table[256]; -/* DNP3_Analyzer::DNP3_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("DNP3", c) { interp = new binpac::DNP3::DNP3_Conn(this); @@ -378,11 +377,10 @@ unsigned int DNP3_Analyzer::CalcCRC(int len, const u_char* data) return ~crc & 0xFFFF; } -*/ // ?? For DNP3 over UDP analyzer. most of the codes are copied and pasted. Better way to reuse the code? -DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c) : Analyzer("DNP3", c) +DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c) : Analyzer("DNP3_UDP", c) { printf("enter DNP3_UDP_Analyzer\n"); @@ -405,7 +403,7 @@ void DNP3_UDP_Analyzer::Done() Analyzer::Done(); } -void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) +void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen) { printf("enter DNP3_UDP_Analyzer DeliverPacket\n"); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h index fcb1758ddb..0cc7fc9c85 100644 --- a/src/analyzer/protocol/dnp3/DNP3.h +++ b/src/analyzer/protocol/dnp3/DNP3.h 
@@ -2,13 +2,13 @@ #ifndef ANALYZER_PROTOCOL_DNP3_DNP3_H #define ANALYZER_PROTOCOL_DNP3_DNP3_H -//#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "analyzer/protocol/udp/UDP.h" #include "dnp3_pac.h" namespace analyzer { namespace dnp3 { -/* + class DNP3_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: DNP3_Analyzer(Connection* conn); @@ -52,7 +52,7 @@ private: static bool crc_table_initialized; static unsigned int crc_table[256]; }; -*/ + class DNP3_UDP_Analyzer : public analyzer::Analyzer { public: @@ -61,7 +61,7 @@ public: virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, - int seq, const IP_Hdr* ip, int caplen); + uint64 seq, const IP_Hdr* ip, int caplen); //virtual void Undelivered(uint64 seq, int len, bool orig); //virtual void EndpointEOF(bool is_orig); diff --git a/src/analyzer/protocol/dnp3/Plugin.cc b/src/analyzer/protocol/dnp3/Plugin.cc index 0ebc49355a..c2462b7af7 100644 --- a/src/analyzer/protocol/dnp3/Plugin.cc +++ b/src/analyzer/protocol/dnp3/Plugin.cc @@ -12,13 +12,12 @@ class Plugin : public plugin::Plugin { public: plugin::Configuration Configure() { - //AddComponent(new ::analyzer::Component("DNP3", ::analyzer::dnp3::DNP3_Analyzer::Instantiate)); - AddComponent(new ::analyzer::Component("DNP3", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate)); + AddComponent(new ::analyzer::Component("DNP3", ::analyzer::dnp3::DNP3_Analyzer::Instantiate)); + AddComponent(new ::analyzer::Component("DNP3_UDP", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate)); plugin::Configuration config; config.name = "Bro::DNP3"; - //config.description = "DNP3 analyzer"; - config.description = "DNP3 UDP analyzer"; + config.description = "DNP3 UDP/TCP analyzers"; return config; } } plugin; From 11f7e2d74bcbde3ced7bcbce90b3aef7b1dab5e6 Mon Sep 17 00:00:00 2001 
From: Hui Lin Date: Mon, 11 Aug 2014 15:41:25 -0500 Subject: [PATCH 06/48] fixed the bug of deciding the size of object 1 varition 1 in DNP3 --- src/analyzer/protocol/dnp3/dnp3-protocol.pac | 10 +- .../output | 2342 +++++++++++++---- 2 files changed, 1795 insertions(+), 557 deletions(-) diff --git a/src/analyzer/protocol/dnp3/dnp3-protocol.pac b/src/analyzer/protocol/dnp3/dnp3-protocol.pac index 9407b000eb..7fa14320dc 100644 --- a/src/analyzer/protocol/dnp3/dnp3-protocol.pac +++ b/src/analyzer/protocol/dnp3/dnp3-protocol.pac @@ -90,7 +90,7 @@ type DNP3_Application_Response_Header = record { type Request_Objects(function_code: uint8) = record { object_header: Object_Header(function_code); data: case (object_header.object_type_field) of { - 0x0c03 -> bocmd_PM: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ]; + 0x0c03 -> bocmd_PM: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ]; 0x3202 -> time_interval_ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item] &check( object_header.qualifer_field == 0x0f && object_header.number_of_item == 0x01); default -> ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item]; 
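Review bot: The rounded-up byte count `( n / 8 ) + 1*( n > ( (n / 8)*8 ) )` is written out in full in the `0x0c03` case of `Request_Objects` and pasted four more times in the `Response_Objects` hunk that follows (`0x0101`, `0x0301`, `0x0a01`, `0x0c03`). None of the copies has a comment saying it is a ceiling division for packed single-bit points. Add a comment above these cases such as `# packed single-bit objects: ceil(number_of_item / 8) bytes`, and if binpac allows it here, define the expression once so the five copies cannot drift apart. `number_of_item` presumably comes from the object header on the wire and nothing in either hunk bounds it, so the array length would stay under the sender's control; whether a limit is applied elsewhere is not visible from here.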
@@ -112,10 +112,10 @@ type Request_Objects(function_code: uint8) = record { type Response_Objects(function_code: uint8) = record { object_header: Object_Header(function_code); data: case (object_header.object_type_field) of { - 0x0101 -> biwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ]; - 0x0301 -> diwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ]; - 0x0a01 -> bowoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ]; - 0x0c03 -> bocmd_PM: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ]; + 0x0101 -> biwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ]; + 0x0301 -> diwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ]; + 0x0a01 -> bowoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )]; + 0x0c03 -> bocmd_PM: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )]; default -> ojbects: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ 
object_header.number_of_item]; }; }; diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_link_only/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_link_only/output index 0ddd6632ba..01c66d72f4 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_link_only/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_link_only/output 
@@ -260,622 +260,1860 @@ dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 0 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 0 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 10 -dnp3_object_header, F, 513, 0, 256, 0, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 
-dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 
-dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 
-dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 
-dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 
-dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 
-dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 
-dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 -dnp3_object_prefix, F, 0 -dnp3_response_data_object, F, 255 
-dnp3_object_header, F, 257, 1, 1, 257, 257 +dnp3_object_header, F, 2562, 1, 512, 0, 511 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 
257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 257, 1, 1, 257, 257 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 1 -dnp3_object_header, F, 286, 5, 0, 16777235, 16861313 -dnp3_object_header, F, 26940, 1, 4294964795, 49930, 47428 -dnp3_object_header, F, 457, 102, 0, 65535, 65535 -dnp3_object_header, F, 55993, 1, 4294962261, 19986, 14950 -dnp3_object_header, F, 274, 174, 0, 0, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_header, F, 7685, 1, 276, 0, 275 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 1013547336 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 3108291338 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 3118098121 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 979783186 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 1013100050 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 976559429 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 1069427906 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 1114636174 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 982332387 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 987182644 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 3121874082 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 
+dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 
0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, 
F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 dnp3_header_block, F, 25605, 255, 68, 100, 1 dnp3_application_response_header, F, 129, 5120 dnp3_object_header, F, 7685, 1, 224, 276, 499 From ff60706742926f6b98b21141062f8924a9720409 Mon Sep 17 00:00:00 2001 From: Hui Lin Date: Fri, 15 Aug 2014 14:26:47 -0500 Subject: [PATCH 07/48] Removing the debug printf in DNP3.cc --- src/analyzer/protocol/dnp3/DNP3.cc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc index b6b4a5ea3d..bd5d7ebc94 100644 --- a/src/analyzer/protocol/dnp3/DNP3.cc +++ b/src/analyzer/protocol/dnp3/DNP3.cc 
@@ -383,7 +383,6 @@ unsigned int DNP3_Analyzer::CalcCRC(int len, const u_char* data) DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c) : Analyzer("DNP3_UDP", c) { - printf("enter DNP3_UDP_Analyzer\n"); interp = new binpac::DNP3::DNP3_Conn(this); ClearEndpointState(true); @@ -405,7 +404,7 @@ void DNP3_UDP_Analyzer::Done() void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen) { - printf("enter DNP3_UDP_Analyzer DeliverPacket\n"); + Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); @@ -437,8 +436,7 @@ void DNP3_UDP_Analyzer::EndpointEOF(bool is_orig) bool DNP3_UDP_Analyzer::ProcessData(int len, const u_char* data, bool orig) { - printf("enter DNP3_UDP_Analyzer process Data\n"); - + Endpoint* endp = orig ? &orig_state : &resp_state; From fb21236661414d205b5a909b93510765f5e39d03 Mon Sep 17 00:00:00 2001 From: Hui Lin Date: Sat, 16 Aug 2014 11:01:30 -0500 Subject: [PATCH 08/48] quickly fix another bug; adding missing field of the declaration of dnp3_request_application_header and dnp3_response_application_header --- scripts/base/protocols/dnp3/main.bro | 4 +- src/analyzer/protocol/dnp3/dnp3-analyzer.pac | 10 +- src/analyzer/protocol/dnp3/events.bif | 4 +- .../dnp3.log | 4 +- .../output | 4 +- .../dnp3.log | 4 +- .../output | 4 +- .../dnp3.log | 4 +- .../output | 4 +- .../dnp3.log | 4 +- .../output | 22 +- .../dnp3.log | 4 +- .../output | 12 +- .../output | 6 +- .../dnp3.log | 4 +- .../output | 4 +- .../dnp3.log | 4 +- .../output | 4 +- .../dnp3.log | 4 +- .../output | 8 +- .../dnp3.log | 4 +- .../output | 4 +- .../dnp3.log | 4 +- .../scripts.base.protocols.dnp3.events/output | 230 +++++++++--------- .../scripts/base/protocols/dnp3/events.bro | 8 +- 25 files changed, 185 insertions(+), 183 deletions(-) diff --git a/scripts/base/protocols/dnp3/main.bro b/scripts/base/protocols/dnp3/main.bro index 3e5eede462..38b767c87d 100644 --- a/scripts/base/protocols/dnp3/main.bro 
+++ b/scripts/base/protocols/dnp3/main.bro @@ -40,7 +40,7 @@ event bro_init() &priority=5 Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3, ports); } -event dnp3_application_request_header(c: connection, is_orig: bool, fc: count) +event dnp3_application_request_header(c: connection, is_orig: bool, application_control: count, fc: count) { if ( ! c?$dnp3 ) c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id]; @@ -49,7 +49,7 @@ event dnp3_application_request_header(c: connection, is_orig: bool, fc: count) c$dnp3$fc_request = function_codes[fc]; } -event dnp3_application_response_header(c: connection, is_orig: bool, fc: count, iin: count) +event dnp3_application_response_header(c: connection, is_orig: bool, application_control: count, fc: count, iin: count) { if ( ! c?$dnp3 ) c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id]; diff --git a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac index 2ae783c82e..96b7c09bce 100644 --- a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac +++ b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac @@ -20,7 +20,7 @@ flow DNP3_Flow(is_orig: bool) { return true; %} - function get_dnp3_application_request_header(fc: uint8): bool + function get_dnp3_application_request_header(application_control: uint8, fc: uint8): bool %{ if ( ::dnp3_application_request_header ) { @@ -28,13 +28,14 @@ flow DNP3_Flow(is_orig: bool) { connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig(), + application_control, fc ); } return true; %} - function get_dnp3_application_response_header(fc: uint8, iin: uint16): bool + function get_dnp3_application_response_header(application_control: uint8, fc: uint8, iin: uint16): bool %{ if ( ::dnp3_application_response_header ) { @@ -42,6 +43,7 @@ flow DNP3_Flow(is_orig: bool) { connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig(), + application_control, fc, iin ); 
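Review bot: Both handlers in main.bro now take `application_control: count` between `is_orig` and `fc`, which changes the public signature of `dnp3_application_request_header` and `dnp3_application_response_header`. Site scripts written against the old three- and four-argument forms will presumably stop matching the event declaration after this commit, so DNP3 detection policy built on these events breaks on upgrade. The diffstat lists no NEWS or changelog file; I would add an entry such as `dnp3_application_request_header and dnp3_application_response_header take a new count argument after is_orig; existing handlers must be updated.` The new parameter is not used in the handler lines visible here, and the response handler's body continues outside the hunk.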
@@ -725,11 +727,11 @@ refine typeattr Header_Block += &let { }; refine typeattr DNP3_Application_Request_Header += &let { - process_request: bool = $context.flow.get_dnp3_application_request_header(function_code); + process_request: bool = $context.flow.get_dnp3_application_request_header(application_control, function_code); }; refine typeattr DNP3_Application_Response_Header += &let { - process_request: bool = $context.flow.get_dnp3_application_response_header(function_code, internal_indications); + process_request: bool = $context.flow.get_dnp3_application_response_header(application_control, function_code, internal_indications); }; refine typeattr Object_Header += &let { diff --git a/src/analyzer/protocol/dnp3/events.bif b/src/analyzer/protocol/dnp3/events.bif index 80f9504a9e..bd3aa5c647 100644 --- a/src/analyzer/protocol/dnp3/events.bif +++ b/src/analyzer/protocol/dnp3/events.bif @@ -7,7 +7,7 @@ ## ## fc: function code. ## -event dnp3_application_request_header%(c: connection, is_orig: bool, fc: count%); +event dnp3_application_request_header%(c: connection, is_orig: bool, application: count, fc: count%); ## Generated for a DNP3 response header. ## @@ -19,7 +19,7 @@ event dnp3_application_request_header%(c: connection, is_orig: bool, fc: count%) ## ## iin: internal indication number. ## -event dnp3_application_response_header%(c: connection, is_orig: bool, fc: count, iin: count%); +event dnp3_application_response_header%(c: connection, is_orig: bool, application: count, fc: count, iin: count%); ## Generated for the object header found in both DNP3 requests and responses. ## diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/dnp3.log b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/dnp3.log index 68931eb81e..c18fa59ef0 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/dnp3.log +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/dnp3.log 
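Review bot: The new argument is declared as `application` in both prototypes in events.bif, while the functions in dnp3-analyzer.pac and the handlers in main.bro call it `application_control`. Neither `##` comment block gains an entry for it. Renaming it to `application_control` here would keep the generated documentation and the handlers in agreement. Each block should also get a line such as `## application_control: the application control octet of the fragment (FIR/FIN/CON/UNS flags and the 4-bit sequence number).` before the `fc:` entry, so script writers know the value is a raw bit field rather than a counter. The comment blocks begin outside the hunks, so the placement should be checked against the full file.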
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path dnp3 -#open 2013-08-26-19-04-04 +#open 2014-08-16-15-58-44 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin #types time string addr port addr port string string count 1324503054.884183 CXWv6p3arKYeMETxOg 130.126.142.250 49413 130.126.140.229 20000 DELAY_MEASURE RESPONSE 0 -#close 2013-08-26-19-04-04 +#close 2014-08-16-15-58-44 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output index 5bd7d932bc..85c7c845f0 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output @@ -1,7 +1,7 @@ dnp3_header_block, T, 25605, 8, 196, 2, 3 -dnp3_application_request_header, T, 23 +dnp3_application_request_header, T, 196, 23 dnp3_header_block, F, 25605, 16, 68, 3, 2 -dnp3_application_response_header, F, 129, 0 +dnp3_application_response_header, F, 196, 129, 0 dnp3_object_header, F, 13314, 7, 1, 1, 0 dnp3_object_prefix, F, 0 dnp3_response_data_object, F, 255 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/dnp3.log b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/dnp3.log index 90c7e9dfd3..ffca7690c4 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/dnp3.log +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/dnp3.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path dnp3 -#open 2013-08-26-19-04-04 +#open 2014-08-16-15-58-46 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin #types time string addr port addr port string string count 1324916729.150101 CXWv6p3arKYeMETxOg 130.126.142.250 50059 130.126.140.229 20000 ENABLE_UNSOLICITED RESPONSE 0 -#close 2013-08-26-19-04-04 +#close 2014-08-16-15-58-46 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output index 16491bb3a5..53c6dc8700 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output @@ -1,7 +1,7 @@ dnp3_header_block, T, 25605, 17, 196, 2, 3 -dnp3_application_request_header, T, 20 +dnp3_application_request_header, T, 203, 20 dnp3_object_header, T, 15362, 6, 0, 65535, 65535 dnp3_object_header, T, 15363, 6, 0, 65535, 65535 dnp3_object_header, T, 15364, 6, 0, 65535, 65535 dnp3_header_block, F, 25605, 10, 68, 3, 2 -dnp3_application_response_header, F, 129, 0 +dnp3_application_response_header, F, 203, 129, 0 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/dnp3.log b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/dnp3.log index 4a1fb6329a..3d0033bd1a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/dnp3.log +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/dnp3.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path dnp3 -#open 2013-08-26-19-04-05 +#open 2014-08-16-15-58-47 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin #types time string addr port addr port string string count 1325044377.992570 CXWv6p3arKYeMETxOg 130.126.142.250 50301 130.126.140.229 20000 DELETE_FILE RESPONSE 0 -#close 2013-08-26-19-04-05 +#close 2014-08-16-15-58-47 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output index 37ccbc5bc9..9c63a41ae4 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output 
@@ -1,9 +1,9 @@ dnp3_header_block, T, 25605, 99, 196, 4, 3 -dnp3_application_request_header, T, 27 +dnp3_application_request_header, T, 201, 27 dnp3_object_header, T, 17923, 91, 1, 1, 0 dnp3_object_prefix, T, 85 dnp3_header_block, F, 25605, 29, 68, 3, 4 -dnp3_application_response_header, F, 129, 0 +dnp3_application_response_header, F, 201, 129, 0 dnp3_object_header, F, 17924, 91, 1, 1, 0 dnp3_object_prefix, F, 13 dnp3_response_data_object, F, 255 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/dnp3.log b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/dnp3.log index 9db6d6468d..7acf3a1608 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/dnp3.log +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/dnp3.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path dnp3 -#open 2013-08-26-19-04-05 +#open 2014-08-16-15-58-48 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin #types time string addr port addr port string string count 1325036012.621691 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 OPEN_FILE RESPONSE 4096 @@ -11,4 +11,4 @@ 1325036019.765502 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 WRITE RESPONSE 0 1325036022.292689 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 WRITE RESPONSE 0 1325036024.820857 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 CLOSE_FILE RESPONSE 0 -#close 2013-08-26-19-04-05 +#close 2014-08-16-15-58-48 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output index 1a4971a9e3..feb59be3f3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output 
@@ -1,45 +1,45 @@ dnp3_header_block, T, 25605, 50, 196, 4, 3 -dnp3_application_request_header, T, 25 +dnp3_application_request_header, T, 206, 25 dnp3_object_header, T, 17923, 91, 1, 1, 0 dnp3_object_prefix, T, 36 dnp3_header_block, F, 25605, 29, 68, 3, 4 -dnp3_application_response_header, F, 129, 4096 +dnp3_application_response_header, F, 206, 129, 4096 dnp3_object_header, F, 17924, 91, 1, 1, 0 dnp3_object_prefix, F, 13 dnp3_response_data_object, F, 255 dnp3_header_block, T, 25605, 22, 196, 4, 3 -dnp3_application_request_header, T, 1 +dnp3_application_request_header, T, 207, 1 dnp3_object_header, T, 17925, 91, 1, 1, 0 dnp3_object_prefix, T, 8 dnp3_file_transport, T, 305419896, 0 ^J dnp3_header_block, F, 25605, 255, 68, 3, 4 -dnp3_application_response_header, F, 129, 4096 +dnp3_application_response_header, F, 239, 129, 4096 dnp3_object_header, F, 17925, 91, 1, 1, 0 dnp3_object_prefix, F, 838 dnp3_file_transport, F, 305419896, 2147483648 0000 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e .......^J0150 0d 0a 20 20 3c 21 2d 2d 44 6f 63 75 6d 65 6e 74 .. ^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=, u2_events=] + +1254722770.692804 file_over_new_connection + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692804, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [2] is_orig: bool = F + 1254722770.692804 file_state_remove - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692804, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP 
@@ -393,17 +393,17 @@ [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F -1254722770.692823 file_new - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, 
ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, 
winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] - -1254722770.692823 file_over_new_connection - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] 
- [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] - [2] is_orig: bool = F - 1254722770.695115 new_connection [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] +1254722771.469814 file_new + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, 
source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.469814, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many 
bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] + +1254722771.469814 file_over_new_connection + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, 
resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.469814, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support 
for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. 
^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722771.469814, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, 
id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [2] is_orig: bool = F + 1254722771.858334 mime_end_entity [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 
@@ -413,7 +413,7 @@ [2] is_orig: bool = T 1254722771.858334 file_state_remove - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, 
parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* 
Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722771.469814, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, 
filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP From 7ee34981aa0873207a39c6077164a50fddca9071 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 5 Nov 2014 11:31:48 -0500 Subject: [PATCH 14/48] Improve TAR file detection and other small changes. - Remove all of the x-c detections. Nearly all false positives. - Remove the back up TAR detections. Not very helpful. - Remove one of the x-elc detections that was too loose and caused many false positives. --- .../base/frameworks/files/magic/general.sig | 6 +- .../base/frameworks/files/magic/libmagic.sig | 72 +++++++++---------- 2 files changed, 39 insertions(+), 39 deletions(-) diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig index a36e32ef28..500c4f7be0 100644 --- a/scripts/base/frameworks/files/magic/general.sig +++ b/scripts/base/frameworks/files/magic/general.sig @@ -6,8 +6,8 @@ signature file-plaintext { } signature file-tar { - file-magic /^([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/ - file-mime "application/x-tar", 150 + file-magic /^[[:print:]\x00]{100}([[:digit:]\x20]{7}\x00){3}([[:digit:]\x20]{11}\x00){2}([[:digit:]\x00\x20]{7}[\x20\x00])[0-7\x00]/ + file-mime "application/x-tar", 100 } signature file-zip { @@ -120,7 +120,7 @@ signature file-python { } signature file-php { - file-magic /.*<\?php/ + file-magic /^.*<\?php/ file-mime "text/x-php", 40 } diff --git a/scripts/base/frameworks/files/magic/libmagic.sig b/scripts/base/frameworks/files/magic/libmagic.sig index 92e1da68ae..72ec40dff8 100644 --- a/scripts/base/frameworks/files/magic/libmagic.sig +++ b/scripts/base/frameworks/files/magic/libmagic.sig 
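Review bot: The rewritten `file-tar` pattern in general.sig ends in `[0-7\x00]` for the typeflag byte, so an archive whose first header is a pax extended or global header (typeflag `x` or `g`) or a GNU long-name record (`L` or `K`) is no longer labelled `application/x-tar`. The same commit comments out the `ustar` fallbacks in libmagic.sig, so nothing else visible here would catch those archives, and policy keyed on the MIME type would not see them. Consider widening the last class, e.g. `[0-7gxLK\x00]`, and check whether `[[:print:]\x00]{100}` is meant to reject non-ASCII member names. A comment above the signature mapping each group to its header field (name, mode/uid/gid, size/mtime, chksum, typeflag) would make the pattern reviewable.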
@@ -616,10 +616,10 @@ signature file-magic-auto116 { } # >257 string,=ustar \000 (len=8), ["GNU tar archive"], swap_endian=0 -signature file-magic-auto117 { - file-mime "application/x-tar", 110 - file-magic /(.{257})(ustar \x00)/ -} +#signature file-magic-auto117 { +# file-mime "application/x-tar", 110 +# file-magic /(.{257})(ustar \x00)/ +#} # >0 string,=257 string,=ustar\000 (len=6), ["POSIX tar archive"], swap_endian=0 -signature file-magic-auto131 { - file-mime "application/x-tar", 90 - file-magic /(.{257})(ustar\x00)/ -} +#signature file-magic-auto131 { +# file-mime "application/x-tar", 90 +# file-magic /(.{257})(ustar\x00)/ +#} # >0 string,=AC1.40 (len=6), ["DWG AutoDesk AutoCAD Release 1.40"], swap_endian=0 signature file-magic-auto132 { @@ -2882,10 +2882,10 @@ signature file-magic-auto480 { } # >0 string,=\n( (len=2), ["Emacs v18 byte-compiled Lisp data"], swap_endian=0 -signature file-magic-auto481 { - file-mime "application/x-elc", 50 - file-magic /(\x0a\x28)/ -} +#signature file-magic-auto481 { +# file-mime "application/x-elc", 50 +# file-magic /(\x0a\x28)/ +#} # >0 string,=\021\t (len=2), ["Award BIOS Logo, 136 x 126"], swap_endian=0 signature file-magic-auto482 { @@ -3148,10 +3148,10 @@ signature file-magic-auto521 { } # >0 regex,=^class[ \t\n]+ (len=12), ["C++ source text"], swap_endian=0 -signature file-magic-auto522 { - file-mime "text/x-c++", 47 - file-magic /(.*)(class[ \x09\x0a]+[[:alnum:]_]+)(.*)(\x7b)(.*)(public:)/ -} +#signature file-magic-auto522 { +# file-mime "text/x-c++", 47 +# file-magic /(.*)(class[ \x09\x0a]+[[:alnum:]_]+)(.*)(\x7b)(.*)(public:)/ +#} # >0 search/1,=This is Info file (len=17), ["GNU Info text"], swap_endian=0 signature file-magic-auto528 { 
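Review bot: The disabled signatures are left as commented-out blocks with no reason attached, here for `file-magic-auto117` and `file-magic-auto131` and in the later hunks for auto481, auto522, auto557, auto560, auto568, auto581 and auto586. The file already prefixes another disabled block with `# Not specific enough.`, so these should carry the same kind of line, e.g. `# Disabled: too many false positives.` for the text/x-c and x-elc entries and `# Disabled: covered by file-tar in general.sig.` for the two tar entries. The reasons currently live only in the commit message.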
@@ -3363,10 +3363,10 @@ signature file-magic-auto556 { } # >0 regex,=^extern[ \t\n]+ (len=13), ["C source text"], swap_endian=0 -signature file-magic-auto557 { - file-mime "text/x-c", 43 - file-magic /(.*)(extern[ \x09\x0a]+)/ -} +#signature file-magic-auto557 { +# file-mime "text/x-c", 43 +# file-magic /(.*)(extern[ \x09\x0a]+)/ +#} # >0 search/4096,=% -*-latex-*- (len=13), ["LaTeX document text"], swap_endian=0 signature file-magic-auto558 { @@ -3382,10 +3382,10 @@ signature file-magic-auto558 { #} # >0 regex,=^struct[ \t\n]+ (len=13), ["C source text"], swap_endian=0 -signature file-magic-auto560 { - file-mime "text/x-c", 43 - file-magic /(.*)(struct[ \x09\x0a]+)/ -} +#signature file-magic-auto560 { +# file-mime "text/x-c", 43 +# file-magic /(.*)(struct[ \x09\x0a]+)/ +#} # >0 search/w/1,=#!/bin/nodejs (len=13), ["Node.js script text executable"], swap_endian=0 signature file-magic-auto561 { @@ -3438,10 +3438,10 @@ signature file-magic-auto567 { } # >0 regex,=^char[ \t\n]+ (len=11), ["C source text"], swap_endian=0 -signature file-magic-auto568 { - file-mime "text/x-c", 41 - file-magic /(.*)(char[ \x09\x0a]+)/ -} +#signature file-magic-auto568 { +# file-mime "text/x-c", 41 +# file-magic /(.*)(char[ \x09\x0a]+)/ +#} # >0 search/1,=#! (len=2), [""], swap_endian=0 # >>0 regex,=^#!.*/bin/perl$ (len=15), ["Perl script text executable"], swap_endian=0 @@ -3524,10 +3524,10 @@ signature file-magic-auto578 { } # >0 search/8192,=main( (len=5), ["C source text"], swap_endian=0 -signature file-magic-auto581 { - file-mime "text/x-c", 40 - file-magic /(.*)(main\x28)/ -} +#signature file-magic-auto581 { +# file-mime "text/x-c", 40 +# file-magic /(.*)(main\x28)/ +#} # Not specific enough. # >0 search/1,=\" (len=2), ["troff or preprocessor input text"], swap_endian=0 
@@ -3556,10 +3556,10 @@ signature file-magic-auto584 { #} # >0 regex,=^#include (len=9), ["C source text"], swap_endian=0 -signature file-magic-auto586 { - file-mime "text/x-c", 39 - file-magic /(.*)(#include)/ -} +#signature file-magic-auto586 { +# file-mime "text/x-c", 39 +# file-magic /(.*)(#include)/ +#} # >0 search/1,=.\" (len=3), ["troff or preprocessor input text"], swap_endian=0 #signature file-magic-auto587 { From cbbe7b52dc163b6a535545767cf36c596b2a9000 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 16 Dec 2014 14:05:15 -0600 Subject: [PATCH 15/48] Review/fix/change file reassembly functionality. - Re-arrange how some fa_file fields (e.g. source, connection info, mime type) get updated/set for consistency. - Add more robust mechanisms for flushing the reassembly buffer. The goal being to report all gaps and deliveries to file analyzers regardless of the state of the reassembly buffer at the time it has to be flushed. --- scripts/base/frameworks/files/main.bro | 3 +- scripts/base/init-bare.bro | 10 +- src/analyzer/protocol/tcp/TCP_Reassembler.h | 3 - src/file_analysis/Analyzer.h | 19 +- src/file_analysis/AnalyzerSet.cc | 8 +- src/file_analysis/AnalyzerSet.h | 6 +- src/file_analysis/File.cc | 232 ++++++++++-------- src/file_analysis/File.h | 29 +-- src/file_analysis/FileReassembler.cc | 64 ++++- src/file_analysis/FileReassembler.h | 32 ++- src/file_analysis/Manager.cc | 26 +- src/file_analysis/Manager.h | 4 +- src/file_analysis/analyzer/extract/Extract.cc | 1 - testing/btest/Baseline/core.bits_per_uid/128 | 4 +- testing/btest/Baseline/core.bits_per_uid/256 | 4 +- testing/btest/Baseline/core.bits_per_uid/32 | 4 +- testing/btest/Baseline/core.bits_per_uid/64 | 4 +- testing/btest/Baseline/core.bits_per_uid/96 | 4 +- testing/btest/Baseline/plugins.hooks/output | 87 ++++--- .../files.log | 6 +- .../bro..stdout | 5 +- .../out | 6 +- .../b.out | 5 +- .../files.log | 6 +- .../all-events-no-args.log | 8 +- .../all-events.log | 28 +-- 26 files changed, 370 insertions(+), 238 deletions(-) diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro index f1f381a141..e335d4be9d 100644 --- a/scripts/base/frameworks/files/main.bro +++ b/scripts/base/frameworks/files/main.bro 
@@ -133,7 +133,7 @@ export { ## each file. const enable_reassembler = T &redef; - ## The default allow per-file reassembly buffer size. + ## The default per-file reassembly buffer size. const reassembly_buffer_size = 1048576 &redef; ## Allows the file reassembler to be used if it's necessary because the @@ -490,7 +490,6 @@ event file_mime_type(f: fa_file, mime_type: string) &priority=10 f$info$mime_type = mime_type; - if ( analyze_by_mime_type_automatically && mime_type in mime_type_to_analyzers ) { diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b112d3ea0f..4a1bcfbe72 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -353,8 +353,9 @@ type connection: record { ## gives up and discards any internal state related to the file. const default_file_timeout_interval: interval = 2 mins &redef; -## Default amount of bytes that file analysis will buffer to provide -## data back in time to attached analyzers +## Default amount of bytes that file analysis will buffer in order to use +## for mime type matching. File analyzers attached at the time of mime type +## matching or later, will receive a copy of this buffer. const default_file_bof_buffer_size: count = 4096 &redef; ## A file that Bro is analyzing. This is Bro's type for describing the basic @@ -395,8 +396,9 @@ type fa_file: record { missing_bytes: count &default=0; ## The number of bytes in the file stream that were not delivered to - ## stream file analyzers. This could be overlapping bytes or - ## bytes that couldn't be reassembled. + ## stream file analyzers. Generally, this consists of bytes that + ## couldn't be reassembled, either because reassembly simply isn't + ## enabled, or due to size limitations of the reassembly buffer. overflow_bytes: count &default=0; ## The amount of time between receiving new data for this file that 
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h index 5d8badcef1..c2ed0175ca 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h @@ -11,9 +11,6 @@ namespace analyzer { namespace tcp { class TCP_Analyzer; -const int STOP_ON_GAP = 1; -const int PUNT_ON_PARTIAL = 1; - class TCP_Reassembler : public Reassembler { public: enum Type { diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h index 619a72c81d..dcb8434a6f 100644 --- a/src/file_analysis/Analyzer.h +++ b/src/file_analysis/Analyzer.h @@ -111,6 +111,18 @@ public: */ void SetAnalyzerTag(const file_analysis::Tag& tag); + /** + * @return true if the analyzer has ever seen a stream-wise delivery. + */ + bool GotStreamDelivery() const + { return got_stream_delivery; } + + /** + * Flag the analyzer as having seen a stream-wise delivery. + */ + void SetGotStreamDelivery() + { got_stream_delivery = true; } + protected: /** @@ -123,7 +135,8 @@ protected: Analyzer(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file) : tag(arg_tag), args(arg_args->Ref()->AsRecordVal()), - file(arg_file) + file(arg_file), + got_stream_delivery(false) { id = ++id_counter; } @@ -140,7 +153,8 @@ protected: Analyzer(RecordVal* arg_args, File* arg_file) : tag(), args(arg_args->Ref()->AsRecordVal()), - file(arg_file) + file(arg_file), + got_stream_delivery(false) { id = ++id_counter; } @@ -151,6 +165,7 @@ private: file_analysis::Tag tag; /**< The particular type of the analyzer instance. */ RecordVal* args; /**< \c AnalyzerArgs val gives tunable analyzer params. */ File* file; /**< The file to which the analyzer is attached. */ + bool got_stream_delivery; static ID id_counter; }; diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index 2657a5b709..8425e5d3c7 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc 
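Review bot: The new member `got_stream_delivery` in the last Analyzer.h hunk is the only field in that block without a trailing doc comment; `tag`, `args` and `file` each have one. Declare it as `bool got_stream_delivery; /**< Whether the analyzer has seen a stream-wise delivery. */` so the flag that drives the BOF catch-up in File.cc is explained where it lives.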
@@ -72,20 +72,20 @@ bool AnalyzerSet::Add(file_analysis::Tag tag, RecordVal* args) return true; } -bool AnalyzerSet::QueueAdd(file_analysis::Tag tag, RecordVal* args, file_analysis::Analyzer* a) +Analyzer* AnalyzerSet::QueueAdd(file_analysis::Tag tag, RecordVal* args) { HashKey* key = GetKey(tag, args); - a = InstantiateAnalyzer(tag, args); + file_analysis::Analyzer* a = InstantiateAnalyzer(tag, args); if ( ! a ) { delete key; - return false; + return 0; } mod_queue.push(new AddMod(a, key)); - return true; + return a; } bool AnalyzerSet::AddMod::Perform(AnalyzerSet* set) diff --git a/src/file_analysis/AnalyzerSet.h b/src/file_analysis/AnalyzerSet.h index 839425980c..642792f776 100644 --- a/src/file_analysis/AnalyzerSet.h +++ b/src/file_analysis/AnalyzerSet.h @@ -57,10 +57,10 @@ public: * Queue the attachment of an analyzer to #file. * @param tag the analyzer tag of the file analyzer to add. * @param args an \c AnalyzerArgs value which specifies an analyzer. - * @param a an analyzer pointer to return the instantiated analyzer to the caller. - * @return true if analyzer was able to be instantiated, else false. + * @return if successful, a pointer to a newly instantiated analyzer else + * a null pointer. The caller does *not* take ownership of the memory. */ - bool QueueAdd(file_analysis::Tag tag, RecordVal* args, file_analysis::Analyzer* a); + file_analysis::Analyzer* QueueAdd(file_analysis::Tag tag, RecordVal* args); /** * Remove an analyzer from #file immediately. diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index e4e9b6dc9d..d893d7a088 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc 
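Review bot: `QueueAdd` now returns the analyzer pointer after it has been pushed into `mod_queue` inside an `AddMod`, and the header comment only says the caller does not own it. If a queued add can later be rejected and the analyzer freed when the queue is drained (`AddMod::Perform` is outside this hunk, so this is an assumption), the returned pointer dangles. The AnalyzerSet.h comment should state the lifetime, e.g. `The pointer is only guaranteed valid until the modification queue is next drained.` The one caller visible in this patch, `File::AddAnalyzer`, only compares the result with 0, which is safe.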
@@ -74,8 +74,8 @@ void File::StaticInit() bof_buffer_idx = Idx("bof_buffer"); } -File::File(const string& file_id, Connection* conn, analyzer::Tag tag, - bool is_orig) +File::File(const string& file_id, const string& source_name, Connection* conn, + analyzer::Tag tag, bool is_orig) : id(file_id), val(0), file_reassembler(0), stream_offset(0), reassembly_max_buffer(0), did_mime_type(false), reassembly_enabled(false), postpone_timeout(false), done(false), @@ -87,12 +87,12 @@ File::File(const string& file_id, Connection* conn, analyzer::Tag tag, val = new RecordVal(fa_file_type); val->Assign(id_idx, new StringVal(file_id.c_str())); + SetSource(source_name); if ( conn ) { - // add source, connection, is_orig fields - SetSource(analyzer_mgr->GetComponentName(tag)); val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL)); + UpdateConnectionFields(conn, is_orig); } UpdateLastActivityTime(); @@ -102,11 +102,7 @@ File::~File() { DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Destroying File object", id.c_str()); Unref(val); - - if ( file_reassembler ) - { - delete file_reassembler; - } + delete file_reassembler; } void File::UpdateLastActivityTime() @@ -119,10 +115,10 @@ double File::GetLastActivityTime() const return val->Lookup(last_active_idx)->AsTime(); } -void File::UpdateConnectionFields(Connection* conn, bool is_orig) +bool File::UpdateConnectionFields(Connection* conn, bool is_orig) { if ( ! conn ) - return; + return false; Val* conns = val->Lookup(conns_idx); 
@@ -133,23 +129,28 @@ void File::UpdateConnectionFields(Connection* conn, bool is_orig) } Val* idx = get_conn_id_val(conn); - if ( ! conns->AsTableVal()->Lookup(idx) ) + + if ( conns->AsTableVal()->Lookup(idx) ) { - Val* conn_val = conn->BuildConnVal(); - conns->AsTableVal()->Assign(idx, conn_val); - - if ( FileEventAvailable(file_over_new_connection) ) - { - val_list* vl = new val_list(); - vl->append(val->Ref()); - vl->append(conn_val->Ref()); - vl->append(new Val(is_orig, TYPE_BOOL)); - - FileEvent(file_over_new_connection, vl); - } + Unref(idx); + return false; } + conns->AsTableVal()->Assign(idx, conn->BuildConnVal()); Unref(idx); + return true; + } + +void File::RaiseFileOverNewConnection(Connection* conn, bool is_orig) + { + if ( conn && FileEventAvailable(file_over_new_connection) ) + { + val_list* vl = new val_list(); + vl->append(val->Ref()); + vl->append(conn->BuildConnVal()->Ref()); + vl->append(new Val(is_orig, TYPE_BOOL)); + FileEvent(file_over_new_connection, vl); + } } uint64 File::LookupFieldDefaultCount(int idx) const @@ -252,20 +253,7 @@ bool File::AddAnalyzer(file_analysis::Tag tag, RecordVal* args) if ( done ) return false; - file_analysis::Analyzer *a = 0; - bool success = analyzers.QueueAdd(tag, args, a); - if ( success && a ) - { - // Catch up this analyzer with the BOF buffer - for ( size_t i = 0; i < bof_buffer.chunks.size(); ++i ) - { - if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(), bof_buffer.chunks[i]->Len()) ) - { - analyzers.QueueRemove(a->Tag(), a->Args()); - } - } - } - return success; + return analyzers.QueueAdd(tag, args) != 0; } bool File::RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args) @@ -284,11 +272,8 @@ void File::EnableReassembly() void File::DisableReassembly() { reassembly_enabled = false; - if ( file_reassembler ) - { - delete file_reassembler; - file_reassembler = NULL; - } + delete file_reassembler; + file_reassembler = 0; } void File::SetReassemblyBuffer(uint64 max) 
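Review bot: `vl->append(conn->BuildConnVal()->Ref());` in the new `RaiseFileOverNewConnection` appears to take one reference too many. The removed code stored the result of `BuildConnVal()` in the table as-is and added `Ref()` only for its second use, and the new `conns->AsTableVal()->Assign(idx, conn->BuildConnVal());` likewise treats the return value as already owned. If that reading is right, the connection record passed to the event never reaches a zero count and leaks once per `file_over_new_connection`; the line should be `vl->append(conn->BuildConnVal());`.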
@@ -298,11 +283,23 @@ void File::SetReassemblyBuffer(uint64 max) bool File::DetectMIME() { - RuleMatcher::MIME_Matches matches; + did_mime_type = true; - BroString *bs = concatenate(bof_buffer.chunks); - const u_char* data = bs->Bytes(); - uint64 len = bs->Len(); + Val* bof_buffer_val = val->Lookup(bof_buffer_idx); + + if ( ! bof_buffer_val ) + { + if ( bof_buffer.size == 0 ) + return false; + + BroString* bs = concatenate(bof_buffer.chunks); + bof_buffer_val = new StringVal(bs); + val->Assign(bof_buffer_idx, bof_buffer_val); + } + + RuleMatcher::MIME_Matches matches; + const u_char* data = bof_buffer_val->AsString()->Bytes(); + uint64 len = bof_buffer_val->AsString()->Len(); len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx)); file_mgr->DetectMIME(data, len, &matches); 
@@ -338,45 +335,70 @@ bool File::BufferBOF(const u_char* data, uint64 len) bof_buffer.chunks.push_back(new BroString(data, len, 0)); bof_buffer.size += len; - if ( bof_buffer.size >= desired_size ) + if ( bof_buffer.size < desired_size ) + return true; + + bof_buffer.full = true; + + if ( bof_buffer.size > 0 ) { - bof_buffer.full = true; - } - - return true; - } - -void File::DeliverStream(const u_char* data, uint64 len) - { - // Buffer enough data for the BOF buffer - BufferBOF(data, len); - - // TODO: mime matching size needs defined. - if ( ! did_mime_type && - bof_buffer.size >= 1024 && - LookupFieldDefaultCount(missing_bytes_idx) == 0 ) - { - did_mime_type = true; - DetectMIME(); - - // TODO: this needs to be done elsewhere. For now it's here. BroString* bs = concatenate(bof_buffer.chunks); val->Assign(bof_buffer_idx, new StringVal(bs)); } - DBG_LOG(DBG_FILE_ANALYSIS, "[%s] %" PRIu64 " bytes in at offset %" PRIu64 "; %s [%s]", - id.c_str(), len, stream_offset, - IsComplete() ? "complete" : "incomplete", - fmt_bytes((const char*) data, min((uint64)40, len)), len > 40 ? "..." : ""); + return false; + } + +void File::DeliverStream(const u_char* data, uint64 len) + { + bool bof_was_full = bof_buffer.full; + // Buffer enough data for the BOF buffer + BufferBOF(data, len); + + if ( ! did_mime_type && bof_buffer.full && + LookupFieldDefaultCount(missing_bytes_idx) == 0 ) + DetectMIME(); + + DBG_LOG(DBG_FILE_ANALYSIS, + "[%s] %" PRIu64 " stream bytes in at offset %" PRIu64 "; %s [%s%s]", + id.c_str(), len, stream_offset, + IsComplete() ? "complete" : "incomplete", + fmt_bytes((const char*) data, min((uint64)40, len)), + len > 40 ? "..." : ""); file_analysis::Analyzer* a = 0; IterCookie* c = analyzers.InitForIteration(); + while ( (a = analyzers.NextEntry(c)) ) { - if ( !a->DeliverStream(data, len) ) + if ( ! a->GotStreamDelivery() ) { - analyzers.QueueRemove(a->Tag(), a->Args()); + int num_bof_chunks_behind = bof_buffer.chunks.size(); + + if ( ! 
bof_was_full ) + // We just added a chunk to the BOF buffer, don't count it + // as it will get delivered on its own. + num_bof_chunks_behind -= 1; + + uint64 bytes_delivered = 0; + + // Catch this analyzer up with the BOF buffer. + for ( int i = 0; i < num_bof_chunks_behind; ++i ) + { + if ( ! a->DeliverStream(bof_buffer.chunks[i]->Bytes(), + bof_buffer.chunks[i]->Len()) ) + analyzers.QueueRemove(a->Tag(), a->Args()); + + bytes_delivered += bof_buffer.chunks[i]->Len(); + } + + a->SetGotStreamDelivery(); + // May need to catch analyzer up on missed gap? + // Analyzer should be fully caught up to stream_offset now. } + + if ( ! a->DeliverStream(data, len) ) + analyzers.QueueRemove(a->Tag(), a->Args()); } stream_offset += len; @@ -389,21 +411,20 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset) if ( file_reassembler ) { if ( reassembly_max_buffer > 0 && - reassembly_max_buffer < file_reassembler->TotalSize() ) + reassembly_max_buffer < file_reassembler->TotalSize() ) { - uint64 first_offset = file_reassembler->GetFirstBlockOffset(); - int gap_bytes = file_reassembler->TrimToSeq(first_offset); - + uint64 current_offset = stream_offset; + uint64 gap_bytes = file_reassembler->Flush(); + IncrementByteCount(gap_bytes, overflow_bytes_idx); + if ( FileEventAvailable(file_reassembly_overflow) ) { val_list* vl = new val_list(); vl->append(val->Ref()); - vl->append(new Val(stream_offset, TYPE_COUNT)); + vl->append(new Val(current_offset, TYPE_COUNT)); vl->append(new Val(gap_bytes, TYPE_COUNT)); FileEvent(file_reassembly_overflow, vl); } - - Gap(stream_offset, gap_bytes); } // Forward data to the reassembler. 
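Review bot: In the catch-up loop of `DeliverStream`, an analyzer whose `DeliverStream()` returns false is queued for removal but still receives every remaining BOF chunk and then the current `data`. `QueueRemove` can therefore be issued several times for the same analyzer, and an analyzer that has rejected the input keeps being fed it. Stop after the first failure and skip the final delivery; `bytes_delivered` is accumulated but never read and can go. The tail of `DeliverStream` is outside this hunk.

```cpp
	while ( (a = analyzers.NextEntry(c)) )
		{
		bool keep = true;

		if ( ! a->GotStreamDelivery() )
			{
			// … unchanged: num_bof_chunks_behind computation …

			// Catch this analyzer up with the BOF buffer, stopping at
			// the first chunk it rejects.
			for ( int i = 0; keep && i < num_bof_chunks_behind; ++i )
				keep = a->DeliverStream(bof_buffer.chunks[i]->Bytes(),
				                        bof_buffer.chunks[i]->Len());

			a->SetGotStreamDelivery();
			}

		if ( keep )
			keep = a->DeliverStream(data, len);

		if ( ! keep )
			analyzers.QueueRemove(a->Tag(), a->Args());
		}
```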
@@ -428,29 +449,28 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset) IncrementByteCount(len, overflow_bytes_idx); } - DBG_LOG(DBG_FILE_ANALYSIS, "[%s] %" PRIu64 " bytes in; %s [%s]", - id.c_str(), len, - IsComplete() ? "complete" : "incomplete", - fmt_bytes((const char*) data, min((uint64)40, len)), len > 40 ? "..." : ""); + DBG_LOG(DBG_FILE_ANALYSIS, + "[%s] %" PRIu64 " chunk bytes in at offset %" PRIu64 "; %s [%s%s]", + id.c_str(), len, offset, + IsComplete() ? "complete" : "incomplete", + fmt_bytes((const char*) data, min((uint64)40, len)), + len > 40 ? "..." : ""); file_analysis::Analyzer* a = 0; IterCookie* c = analyzers.InitForIteration(); + while ( (a = analyzers.NextEntry(c)) ) { - if ( !a->DeliverChunk(data, len, offset) ) + if ( ! a->DeliverChunk(data, len, offset) ) { analyzers.QueueRemove(a->Tag(), a->Args()); } } if ( IsComplete() ) - { - // If the file is complete we can automatically go and close out the file from here. EndOfFile(); - } } - void File::DataIn(const u_char* data, uint64 len, uint64 offset) { analyzers.DrainModifications(); @@ -461,10 +481,7 @@ void File::DataIn(const u_char* data, uint64 len, uint64 offset) void File::DataIn(const u_char* data, uint64 len) { analyzers.DrainModifications(); - - uint64 offset = LookupFieldDefaultCount(seen_bytes_idx) + - LookupFieldDefaultCount(missing_bytes_idx); - DeliverChunk(data, len, offset); + DeliverChunk(data, len, stream_offset); analyzers.DrainModifications(); } 
@@ -475,20 +492,18 @@ void File::EndOfFile() if ( done ) return; - if ( ! did_mime_type ) - { + if ( ! did_mime_type && + LookupFieldDefaultCount(missing_bytes_idx) == 0 ) DetectMIME(); - // TODO: this also needs to be done elsewhere. - if ( bof_buffer.size > 0 ) - { - BroString* bs = concatenate(bof_buffer.chunks); - val->Assign(bof_buffer_idx, new StringVal(bs)); - } - } - analyzers.DrainModifications(); + if ( file_reassembler ) + { + file_reassembler->Flush(); + analyzers.DrainModifications(); + } + done = true; file_analysis::Analyzer* a = 0; @@ -507,9 +522,16 @@ void File::EndOfFile() void File::Gap(uint64 offset, uint64 len) { - DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Gap of size %" PRIu64 " at offset %" PRIu64, + DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Gap of size %" PRIu64 " at offset %," PRIu64, id.c_str(), len, offset); + if ( file_reassembler && ! file_reassembler->IsCurrentlyFlushing() ) + { + file_reassembler->FlushTo(offset + len); + // The reassembler will call us back with all the gaps we need to know. + return; + } + analyzers.DrainModifications(); file_analysis::Analyzer* a = 0; diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index bfd38a263c..645f7d5111 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -3,7 +3,6 @@ #ifndef FILE_ANALYSIS_FILE_H #define FILE_ANALYSIS_FILE_H -#include #include #include #include @@ -89,10 +88,10 @@ public: void SetTotalBytes(uint64 size); /** - * Compares "seen_bytes" field to "total_bytes" field of #val record to - * determine if the full file has been seen. - * @return false if "total_bytes" hasn't been set yet or "seen_bytes" is - * less than it, else true. + * @return true if file analysis is complete for the file, else false. + * It is incomplete if the total size is unknown or if the number of bytes + * streamed to analyzers (either as data delivers or gap information) + * matches the known total size. */ bool IsComplete() const; 
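Review bot: The rewritten `DBG_LOG` call in `File::Gap` has a stray comma inside the format literal: `" at offset %," PRIu64` expands to a `%,` conversion, which is not a valid printf specification. The line it replaces had `" at offset %" PRIu64,`, and the new one should read `DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Gap of size %" PRIu64 " at offset %" PRIu64,`. As written, the offset argument is formatted with undefined behaviour whenever this debug stream is enabled.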
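Review bot: The new comment on `IsComplete()` in File.h says the file is incomplete "if the number of bytes streamed to analyzers ... matches the known total size", which describes the complete case. Reword the second sentence, e.g. `It is incomplete if the total size is unknown or if the number of bytes streamed to analyzers (either as data deliveries or gap information) has not yet reached the known total size.` The implementation is not part of this hunk, so the exact comparison should be checked against File.cc.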
@@ -175,13 +174,14 @@ protected: * Constructor; only file_analysis::Manager should be creating these. * @param file_id an identifier string for the file in pretty hash form * (similar to connection uids). + * @param source_name the value for the source field to fill in. * @param conn a network connection over which the file is transferred. * @param tag the network protocol over which the file is transferred. * @param is_orig true if the file is being transferred from the originator * of the connection to the responder. False indicates the other * direction. */ - File(const string& file_id, Connection* conn = 0, + File(const string& file_id, const string& source_name, Connection* conn = 0, analyzer::Tag tag = analyzer::Tag::Error, bool is_orig = false); /** @@ -189,8 +189,14 @@ protected: * \c conn_id and UID taken from \a conn. * @param conn the connection over which a part of the file has been seen. * @param is_orig true if the connection originator is sending the file. + * @return true if the connection was previously unknown. */ - void UpdateConnectionFields(Connection* conn, bool is_orig); + bool UpdateConnectionFields(Connection* conn, bool is_orig); + + /** + * Raise the file_over_new_connection event with given arguments. + */ + void RaiseFileOverNewConnection(Connection* conn, bool is_orig); /** * Increment a byte count field of #val record by \a size. @@ -223,15 +229,10 @@ protected: */ bool BufferBOF(const u_char* data, uint64 len); - /** - * Forward any beginning-of-file buffered data on to DataIn stream. - */ - void ReplayBOF(); - /** * Does mime type detection via file magic signatures and assigns * strongest matching mime type (if available) to \c mime_type - * field in #val. It uses the data in the BOF buffer + * field in #val. It uses the data in the BOF buffer. * @return whether a mime type match was found. */ bool DetectMIME(); 
@@ -278,7 +279,7 @@ protected: protected: string id; /**< A pretty hash that likely identifies file */ RecordVal* val; /**< \c fa_file from script layer. */ - FileReassembler *file_reassembler; /**< A reassembler for the file if it's needed. */ + FileReassembler* file_reassembler; /**< A reassembler for the file if it's needed. */ uint64 stream_offset; /**< The offset of the file which has been forwarded. */ uint64 reassembly_max_buffer; /**< Maximum allowed buffer for reassembly. */ bool did_mime_type; /**< Whether the mime type ident has already been attempted. */ diff --git a/src/file_analysis/FileReassembler.cc b/src/file_analysis/FileReassembler.cc index 71e4c30bca..d2b4eda23d 100644 --- a/src/file_analysis/FileReassembler.cc +++ b/src/file_analysis/FileReassembler.cc @@ -8,7 +8,7 @@ namespace file_analysis { class File; FileReassembler::FileReassembler(File *f, uint64 starting_offset) - : Reassembler(starting_offset), the_file(f) + : Reassembler(starting_offset), the_file(f), flushing(false) { } @@ -16,6 +16,35 @@ FileReassembler::~FileReassembler() { } +uint64 FileReassembler::Flush() + { + if ( flushing ) + return 0; + + if ( last_block ) + { + // This is expected to call back into FileReassembler::Undelivered(). + flushing = true; + uint64 rval = TrimToSeq(last_block->upper); + flushing = false; + return rval; + } + + return 0; + } + +uint64 FileReassembler::FlushTo(uint64 sequence) + { + if ( flushing ) + return 0; + + flushing = true; + uint64 rval = TrimToSeq(sequence); + flushing = false; + last_reassem_seq = sequence; + return rval; + } + void FileReassembler::BlockInserted(DataBlock* start_block) { if ( start_block->seq > last_reassem_seq || @@ -28,7 +57,6 @@ void FileReassembler::BlockInserted(DataBlock* start_block) if ( b->seq == last_reassem_seq ) { // New stuff. uint64 len = b->Size(); - uint64 seq = last_reassem_seq; last_reassem_seq += len; the_file->DeliverStream(b->block, len); } 
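Review bot: FlushTo() ends with an unconditional `last_reassem_seq = sequence;`, so a `sequence` below the current delivery position moves the cursor backwards. File::Gap() calls it with `offset + len`, and nothing visible in this diff compares that value with what has already been delivered; if it can be smaller, blocks already handed to analyzers could be delivered a second time (inferred, since BlockInserted is only partly shown). Undelivered() already advances `last_reassem_seq` to `up_to_seq` when that is larger, so the assignment could become `if ( sequence > last_reassem_seq ) last_reassem_seq = sequence;`.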
@@ -40,7 +68,37 @@ void FileReassembler::BlockInserted(DataBlock* start_block) void FileReassembler::Undelivered(uint64 up_to_seq) { - // Not doing anything here yet. + // If we have blocks that begin below up_to_seq, deliver them. + DataBlock* b = blocks; + + while ( b ) + { + if ( b->seq < last_reassem_seq ) + { + // Already delivered this block. + b = b->next; + continue; + } + + if ( b->seq >= up_to_seq ) + // Block is beyond what we need to process at this point. + break; + + uint64 gap_at_seq = last_reassem_seq; + uint64 gap_len = b->seq - last_reassem_seq; + the_file->Gap(gap_at_seq, gap_len); + last_reassem_seq += gap_len; + BlockInserted(b); + // Inserting a block may cause trimming of what's buffered, + // so have to assume 'b' is invalid, hence re-assign to start. + b = blocks; + } + + if ( up_to_seq > last_reassem_seq ) + { + the_file->Gap(last_reassem_seq, up_to_seq - last_reassem_seq); + last_reassem_seq = up_to_seq; + } } void FileReassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n) diff --git a/src/file_analysis/FileReassembler.h b/src/file_analysis/FileReassembler.h index c29563efc8..aa68e865ad 100644 --- a/src/file_analysis/FileReassembler.h +++ b/src/file_analysis/FileReassembler.h @@ -11,9 +11,6 @@ namespace file_analysis { class File; -//const int STOP_ON_GAP = 1; -//const int PUNT_ON_PARTIAL = 1; - class FileReassembler : public Reassembler { public: 
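Review bot: In the new Undelivered() loop a buffered block whose `seq` equals `last_reassem_seq` passes both checks, so `gap_len` is 0 and `the_file->Gap(gap_at_seq, 0)` is still called before the block is delivered. Analyzers that give up on any gap callback (their code is not shown, so this is an assumption) would then treat intact data as lossy. Guarding the call avoids that: `if ( gap_len > 0 ) the_file->Gap(gap_at_seq, gap_len);`. The loop also restarts from `blocks` after every `BlockInserted(b)` and terminates only if that call advances `last_reassem_seq` past `b`; a comment stating that dependency would help, because the early-return condition of BlockInserted is cut off in this diff.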
@@ -21,12 +18,35 @@ public: virtual ~FileReassembler(); void Done(); - uint64 GetFirstBlockOffset() { return blocks->seq; } // Checks if we have delivered all contents that we can possibly // deliver for this endpoint. void CheckEOF(); + /** + * Discards all contents of the reassembly buffer. This will spin through + * the buffer and call File::DeliverStream() and File::Gap() wherever + * appropriate. + * @return the number of new bytes now detected as gaps in the file. + */ + uint64 Flush(); + + /** + * Discards all contents of the reassembly buffer up to a given sequence + * number. This will spin through the buffer and call + * File::DeliverStream() and File::Gap() wherever appropriate. + * @param sequence the sequence number to flush until. + * @return the number of new bytes now detected as gaps in the file. + */ + uint64 FlushTo(uint64 sequence); + + /** + * @return whether the reassembler is currently is the process of flushing + * out the contents of its buffer. + */ + bool IsCurrentlyFlushing() const + { return flushing; } + protected: FileReassembler() { } @@ -36,10 +56,8 @@ protected: void BlockInserted(DataBlock* b); void Overlap(const u_char* b1, const u_char* b2, uint64 n); - unsigned int had_gap:1; - unsigned int did_EOF:1; - unsigned int skip_deliveries:1; File* the_file; + bool flushing; }; } // namespace analyzer::* diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 191bd1e1e4..995d422a37 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -154,14 +154,12 @@ string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag, void Manager::DataIn(const u_char* data, uint64 len, const string& file_id, const string& source) { - File* file = GetFile(file_id); + File* file = GetFile(file_id, 0, analyzer::Tag::Error, false, false, + source.c_str()); if ( ! file ) return; - if ( file->GetSource().empty() ) - file->SetSource(source); - file->DataIn(data, len); if ( file->IsComplete() ) 
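Review bot: The doc comment on IsCurrentlyFlushing() has a typo, "is currently is the process of flushing"; it should read `@return whether the reassembler is currently in the process of flushing out the contents of its buffer.` The comments on Flush() and FlushTo() also omit that both return 0 without touching the buffer when a flush is already running, which is what FileReassembler.cc in this commit implements. One added line such as `Returns 0 if a flush is already in progress.` on each would cover it.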
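Review bot: The new `bool flushing;` member is initialised only by the two-argument constructor (`flushing(false)` in FileReassembler.cc); the protected `FileReassembler() { }` kept in this header leaves both `flushing` and `the_file` indeterminate. Flush() and FlushTo() test `flushing` before anything else, so an object built through the default constructor would branch on an uninitialised bool. Suggest `FileReassembler() : the_file(0), flushing(false) { }`. The class body starts above this hunk.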
@@ -299,7 +297,8 @@ bool Manager::RemoveAnalyzer(const string& file_id, file_analysis::Tag tag, } File* Manager::GetFile(const string& file_id, Connection* conn, - analyzer::Tag tag, bool is_orig, bool update_conn) + analyzer::Tag tag, bool is_orig, bool update_conn, + const char* source_name) { if ( file_id.empty() ) return 0; @@ -311,15 +310,18 @@ File* Manager::GetFile(const string& file_id, Connection* conn, if ( ! rval ) { - rval = new File(file_id, conn, tag, is_orig); + rval = new File(file_id, + source_name ? source_name + : analyzer_mgr->GetComponentName(tag), + conn, tag, is_orig); id_map.Insert(file_id.c_str(), rval); rval->ScheduleInactivityTimer(); - // Generate file_new here so the manager knows about the file. + // Generate file_new after inserting it into manager's mapping + // in case script-layer calls back in to core from the event. rval->FileEvent(file_new); - // Same for file_over_new_connection which is generated by - // updating the connection fields. - rval->UpdateConnectionFields(conn, is_orig); + // Same for file_over_new_connection. + rval->RaiseFileOverNewConnection(conn, is_orig); if ( IsIgnored(file_id) ) return 0; @@ -328,8 +330,8 @@ File* Manager::GetFile(const string& file_id, Connection* conn, { rval->UpdateLastActivityTime(); - if ( update_conn ) - rval->UpdateConnectionFields(conn, is_orig); + if ( update_conn && rval->UpdateConnectionFields(conn, is_orig) ) + rval->RaiseFileOverNewConnection(conn, is_orig); } return rval; diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index 2e8efefcb0..93c8e7f613 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h 
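Review bot: On the new-file path GetFile() now calls `rval->RaiseFileOverNewConnection(conn, is_orig);` unconditionally, and the `DataIn(data, len, file_id, source)` overload changed in this commit reaches it with `conn` equal to 0. The body of RaiseFileOverNewConnection() is not part of the visible diff, so confirm that it returns early for a null connection; if it does not, guard the call with `if ( conn )`. Separately, `source_name` is used only when the File is created, so a source passed for an already-known file id is now ignored where the removed `SetSource` code filled in an empty source; if that is intended, a comment here should say so.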
@@ -319,6 +319,7 @@ protected: * this file isn't related to a connection). * @param update_conn whether we need to update connection-related field * in the \c fa_file record value associated with the file. + * @param an optional value of the source field to fill in. * @return the File object mapped to \a file_id or a null pointer if * analysis is being ignored for the associated file. An File * object may be created if a mapping doesn't exist, and if it did @@ -327,7 +328,8 @@ protected: */ File* GetFile(const string& file_id, Connection* conn = 0, analyzer::Tag tag = analyzer::Tag::Error, - bool is_orig = false, bool update_conn = true); + bool is_orig = false, bool update_conn = true, + const char* source_name = 0); /** * Try to retrieve a file that's being analyzed, using its identifier/hash. diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc index 8b3ed4cdad..eeec8ef464 100644 --- a/src/file_analysis/analyzer/extract/Extract.cc +++ b/src/file_analysis/analyzer/extract/Extract.cc @@ -68,7 +68,6 @@ static bool check_limit_exceeded(uint64 lim, uint64 depth, uint64 len, uint64* n } else if ( depth + len > lim ) { - printf("exceeded the maximum extraction lenght depth: %llu len: %llu lim: %llu\n", depth, len, lim); *n = lim - depth; return true; } diff --git a/testing/btest/Baseline/core.bits_per_uid/128 b/testing/btest/Baseline/core.bits_per_uid/128 index 95ef343262..1cbf61a906 100644 --- a/testing/btest/Baseline/core.bits_per_uid/128 +++ b/testing/btest/Baseline/core.bits_per_uid/128 @@ -1,9 +1,9 @@ CUWkUyAuUGXfarKYeMETxOg Ck6kgXLOoSKlnQcgTWjvg4c -Cj4u32Pc5bifTEfuqmmG4bh Fj3nTWNjezo6G6xBmyo58Tf +Cj4u32Pc5bifTEfuqmmG4bh F4VAnSiNGSQhKEoCPd4zuQd CFrJExwHcSal5OKnoww6xl4 -C3PKsZ2Uye21VW0XPVINV8a FaJg8mtdsS86cWjSe4spPPl +C3PKsZ2Uye21VW0XPVINV8a FvBr89nD30GgGAp3wgtm6qf diff --git a/testing/btest/Baseline/core.bits_per_uid/256 b/testing/btest/Baseline/core.bits_per_uid/256 index 95ef343262..1cbf61a906 100644 
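Review bot: The added doc line `@param an optional value of the source field to fill in.` has no parameter name, so Doxygen will take `an` as the parameter. It should be `@param source_name an optional value of the source field to fill in.` It is also worth documenting that a null pointer makes GetFile() fall back to the component name of \a tag, as the Manager.cc change in this commit does.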
--- a/testing/btest/Baseline/core.bits_per_uid/256 +++ b/testing/btest/Baseline/core.bits_per_uid/256 @@ -1,9 +1,9 @@ CUWkUyAuUGXfarKYeMETxOg Ck6kgXLOoSKlnQcgTWjvg4c -Cj4u32Pc5bifTEfuqmmG4bh Fj3nTWNjezo6G6xBmyo58Tf +Cj4u32Pc5bifTEfuqmmG4bh F4VAnSiNGSQhKEoCPd4zuQd CFrJExwHcSal5OKnoww6xl4 -C3PKsZ2Uye21VW0XPVINV8a FaJg8mtdsS86cWjSe4spPPl +C3PKsZ2Uye21VW0XPVINV8a FvBr89nD30GgGAp3wgtm6qf diff --git a/testing/btest/Baseline/core.bits_per_uid/32 b/testing/btest/Baseline/core.bits_per_uid/32 index a20d05dbd5..27965ff04a 100644 --- a/testing/btest/Baseline/core.bits_per_uid/32 +++ b/testing/btest/Baseline/core.bits_per_uid/32 @@ -1,9 +1,9 @@ CXWv6p30 CCyvnA30 -CjhGID40 F75yAm10 +CjhGID40 FmGk6O30 CdfHBz20 -CCvvfg30 Fuh3fj10 +CCvvfg30 Ftwuyy30 diff --git a/testing/btest/Baseline/core.bits_per_uid/64 b/testing/btest/Baseline/core.bits_per_uid/64 index b34eb4879d..e268d02801 100644 --- a/testing/btest/Baseline/core.bits_per_uid/64 +++ b/testing/btest/Baseline/core.bits_per_uid/64 @@ -1,9 +1,9 @@ CUWkUyAuUGXf0 CarKYeMETxOg0 -Ck6kgXLOoSKl0 Fj3nTWNjezo60 +Ck6kgXLOoSKl0 F4VAnSiNGSQh0 CnQcgTWjvg4c0 -Cj4u32Pc5bif0 FaJg8mtdsS860 +Cj4u32Pc5bif0 FvBr89nD30Gg0 diff --git a/testing/btest/Baseline/core.bits_per_uid/96 b/testing/btest/Baseline/core.bits_per_uid/96 index 3ba0f50e04..655122649b 100644 --- a/testing/btest/Baseline/core.bits_per_uid/96 +++ b/testing/btest/Baseline/core.bits_per_uid/96 @@ -1,9 +1,9 @@ CXWv6p3arKYeMETxOg CjhGID4nQcgTWjvg4c -CCvvfg3TEfuqmmG4bh F75yAm1G6xBmyo58Tf +CCvvfg3TEfuqmmG4bh FmGk6O3KEoCPd4zuQd CsRx2w45OKnoww6xl4 -CRJuHdVW0XPVINV8a Fuh3fj1cWjSe4spPPl +CRJuHdVW0XPVINV8a Ftwuyy3GAp3wgtm6qf diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 31dd415e1b..f42c8ec042 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -189,7 +189,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1418743793.447552, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Conn::LOG)) -> 
@@ -283,8 +283,8 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1418743793.447552, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1418743793.447552, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> @@ -724,7 +724,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1418743793.447552, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Conn::LOG)) 
@@ -818,8 +818,8 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1418743793.447552, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1418743793.447552, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) @@ -1259,7 +1259,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1418743793.447552, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1353,8 +1353,8 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1418743793.447552, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1418743793.447552, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) 
@@ -1566,17 +1566,19 @@ 1362692527.008509 MetaHookPre UpdateNetworkTime(1362692527.008509) 1362692527.008509 | HookUpdateNetworkTime 1362692527.008509 1362692527.008509 | HookDrainEvents -1362692527.009512 MetaHookPost CallFunction(Files::__add_analyzers_for_mime_type, (FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0])) -> -1362692527.009512 MetaHookPost CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::__enable_reassembly, (FakNcS1Jfe01uljb3)) -> +1362692527.009512 MetaHookPost CallFunction(Files::__set_reassembly_buffer, (FakNcS1Jfe01uljb3, 1048576)) -> +1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, 
last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=], 1048576)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::code_in_range, (200, 100, 199)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, 
info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, 
snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 1362692527.009512 MetaHookPost CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009512 MetaHookPost CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> 1362692527.009512 MetaHookPost CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 1362692527.009512 
MetaHookPost CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 
@@ -1595,7 +1597,7 @@ 1362692527.009512 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009512 MetaHookPost CallFunction(split_all, (HTTP, <...>/)) -> 1362692527.009512 MetaHookPost DrainEvents() -> -1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) -> false +1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> false 1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009512 MetaHookPost 
QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 
@@ -1610,17 +1612,19 @@ 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> false 1362692527.009512 MetaHookPost UpdateNetworkTime(1362692527.009512) -> -1362692527.009512 MetaHookPre CallFunction(Files::__add_analyzers_for_mime_type, (FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0])) -1362692527.009512 MetaHookPre CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::__enable_reassembly, (FakNcS1Jfe01uljb3)) +1362692527.009512 MetaHookPre CallFunction(Files::__set_reassembly_buffer, (FakNcS1Jfe01uljb3, 1048576)) +1362692527.009512 MetaHookPre 
CallFunction(Files::enable_reassembly, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) +1362692527.009512 MetaHookPre 
CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, 
conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=], 1048576)) 1362692527.009512 MetaHookPre CallFunction(HTTP::code_in_range, (200, 100, 199)) 1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, 
modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) 1362692527.009512 MetaHookPre CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009512 MetaHookPre CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) 1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 1362692527.009512 MetaHookPre CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -1639,7 +1643,7 @@ 1362692527.009512 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009512 MetaHookPre CallFunction(split_all, (HTTP, <...>/)) 1362692527.009512 MetaHookPre DrainEvents() -1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=])) +1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) 1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre 
QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -1655,17 +1659,19 @@ 1362692527.009512 MetaHookPre QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre UpdateNetworkTime(1362692527.009512) 1362692527.009512 | HookUpdateNetworkTime 1362692527.009512 -1362692527.009512 | HookCallFunction Files::__add_analyzers_for_mime_type(FakNcS1Jfe01uljb3, text/plain, [chunk_event=, stream_event=, extract_filename=, extract_limit=0]) -1362692527.009512 | HookCallFunction Files::add_analyzers_for_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3) +1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 1048576) +1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, 
sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=], 1048576) 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199) 1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, 
status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F) 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) 1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, 
resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 
@@ -1684,7 +1690,7 @@ 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009512 | HookCallFunction split_all(HTTP, <...>/) 1362692527.009512 | HookDrainEvents -1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=, u2_events=]) +1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) 1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, 
orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 
@@ -1710,7 +1716,8 @@ 1362692527.009765 MetaHookPre UpdateNetworkTime(1362692527.009765) 1362692527.009765 | HookUpdateNetworkTime 1362692527.009765 1362692527.009765 | HookDrainEvents -1362692527.009775 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::code_in_range, (200, 100, 199)) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, 
modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) -> 
@@ -1721,7 +1728,8 @@ 1362692527.009775 MetaHookPost CallFunction(Log::write, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) -> 1362692527.009775 MetaHookPost CallFunction(Log::write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> 1362692527.009775 MetaHookPost CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> +1362692527.009775 MetaHookPost CallFunction(file_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> +1362692527.009775 MetaHookPost CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(fmt, (%s, Files::LOG)) -> 1362692527.009775 MetaHookPost CallFunction(fmt, (%s, HTTP::LOG)) -> 1362692527.009775 MetaHookPost CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 
@@ -1737,12 +1745,14 @@ 1362692527.009775 MetaHookPost CallFunction(to_lower, (Files)) -> 1362692527.009775 MetaHookPost CallFunction(to_lower, (HTTP)) -> 1362692527.009775 MetaHookPost DrainEvents() -> -1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) -> false +1362692527.009775 MetaHookPost QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> false +1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) -> false 1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, 
[start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false 1362692527.009775 MetaHookPost UpdateNetworkTime(1362692527.009775) -> -1362692527.009775 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) +1362692527.009775 MetaHookPre CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(HTTP::code_in_range, (200, 100, 199)) 1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], 
irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, F)) @@ -1753,7 +1763,8 @@ 1362692527.009775 MetaHookPre CallFunction(Log::write, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=])) 1362692527.009775 MetaHookPre CallFunction(Log::write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) 1362692527.009775 MetaHookPre CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre CallFunction(file_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) +1362692527.009775 MetaHookPre CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(fmt, (%s, Files::LOG)) 1362692527.009775 MetaHookPre CallFunction(fmt, (%s, HTTP::LOG)) 1362692527.009775 MetaHookPre CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 
@@ -1769,13 +1780,15 @@ 1362692527.009775 MetaHookPre CallFunction(to_lower, (Files)) 1362692527.009775 MetaHookPre CallFunction(to_lower, (HTTP)) 1362692527.009775 MetaHookPre DrainEvents() -1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=])) +1362692527.009775 MetaHookPre QueueEvent(file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) +1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=])) 1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends 
normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre UpdateNetworkTime(1362692527.009775) 1362692527.009775 | HookUpdateNetworkTime 1362692527.009775 -1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) +1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=]) +1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=]) 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199) 1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, 
ssh=, syslog=], F, F) @@ -1786,7 +1799,8 @@ 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=]) 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) +1362692527.009775 | HookCallFunction file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain) +1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=]) 1362692527.009775 | HookCallFunction fmt(%s, Files::LOG) 1362692527.009775 | HookCallFunction fmt(%s, HTTP::LOG) 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 
@@ -1802,7 +1816,8 @@ 1362692527.009775 | HookCallFunction to_lower(Files) 1362692527.009775 | HookCallFunction to_lower(HTTP) 1362692527.009775 | HookDrainEvents -1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=]) +1362692527.009775 | HookQueueEvent file_mime_type([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain) +1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, u2_events=]) 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log index dcb1c18c97..ca56378a9b 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path files -#open 2014-10-08-03-58-17 +#open 2014-12-16-15-30-20 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string -1362692527.009765 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 MD5 text/plain - 0.000010 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac - - - -#close 2014-10-08-03-58-17 +1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 MD5 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac - - - +#close 2014-12-16-15-30-20 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout index e1e0eb2da4..89ee79cad4 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout 
@@ -18,8 +18,11 @@ file #1, 0, 0 FILE_OVER_NEW_CONNECTION FILE_TIMEOUT FILE_TIMEOUT +FILE_GAP FILE_STATE_REMOVE -file #1, 0, 0 +file #1, 206024, 816896 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp] +FILE_BOF_BUFFER +\x1b\xb8=\xb1\xff^PU^P\xce\xc3^ total bytes: 1022920 source: HTTP diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out index 6499401f8d..d6b94e5372 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out @@ -5,7 +5,7 @@ FILE_STATE_REMOVE file #0, 4, 0 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] FILE_BOF_BUFFER -test^M^J +test source: HTTP MD5: 098f6bcd4621d373cade4e832627b4f6 SHA1: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 @@ -17,7 +17,7 @@ FILE_STATE_REMOVE file #1, 5, 0 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] FILE_BOF_BUFFER -test2^M^J +test2 source: HTTP MD5: ad0234829205b9033196ba818f7a872b SHA1: 109f4b3c50d7b0df729d299bc6f8e9ef9066971f @@ -29,7 +29,7 @@ FILE_STATE_REMOVE file #2, 5, 0 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] FILE_BOF_BUFFER -test3^M^J +test3 source: HTTP MD5: 8ad8757baa8564dc136c1e07507f4a98 SHA1: 3ebfa301dc59196f18593c45e519287a23297589 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out index 2b3d76e59d..36202f285b 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out 
@@ -17,8 +17,11 @@ FILE_NEW file #1, 0, 0 FILE_OVER_NEW_CONNECTION FILE_TIMEOUT +FILE_GAP FILE_STATE_REMOVE -file #1, 0, 0 +file #1, 206024, 816896 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp] +FILE_BOF_BUFFER +\x1b\xb8=\xb1\xff^PU^P\xce\xc3^ total bytes: 1022920 source: HTTP diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log index 7edaa67263..dfce362b50 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path files -#open 2014-10-08-03-59-03 +#open 2014-12-16-15-30-30 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string -1362692527.009765 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 SHA256,DATA_EVENT,MD5,EXTRACT,SHA1 text/plain - 0.000010 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 FakNcS1Jfe01uljb3-file -#close 2014-10-08-03-59-03 +1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 SHA256,DATA_EVENT,MD5,EXTRACT,SHA1 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 FakNcS1Jfe01uljb3-file +#close 2014-12-16-15-30-30 
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log index da79bfd5a4..f5e53044b9 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log @@ -68,11 +68,9 @@ 1254722770.692743 get_file_handle 1254722770.692743 file_new 1254722770.692743 file_over_new_connection -1254722770.692786 file_mime_type 1254722770.692804 mime_end_entity 1254722770.692804 get_file_handle -1254722770.692804 file_new -1254722770.692804 file_over_new_connection +1254722770.692804 file_mime_type 1254722770.692804 file_state_remove 1254722770.692804 get_file_handle 1254722770.692804 mime_end_entity @@ -85,10 +83,8 @@ 1254722770.692804 get_file_handle 1254722770.692804 file_new 1254722770.692804 file_over_new_connection -1254722770.692823 file_mime_type 1254722770.695115 new_connection -1254722771.469814 file_new -1254722771.469814 file_over_new_connection +1254722771.494181 file_mime_type 1254722771.858334 mime_end_entity 1254722771.858334 get_file_handle 1254722771.858334 file_state_remove diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index c01df6bc41..1aa93d5a04 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log 
@@ -297,7 +297,7 @@ [2] is_orig: bool = F 1254722770.692743 file_new - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns=, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] 1254722770.692743 file_over_new_connection [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] 
@@ -313,7 +313,7 @@ [2] is_orig: bool = T 1254722770.692743 file_mime_type - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending 
with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] [1] mime_type: string = text/plain 1254722770.692743 file_state_remove 
@@ -341,17 +341,13 @@ [2] is_orig: bool = F 1254722770.692743 file_new - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns=, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] 1254722770.692743 file_over_new_connection [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = F -1254722770.692786 file_mime_type - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692786, seen_bytes=1013, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] - [1] mime_type: string = text/html - 1254722770.692804 mime_end_entity [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] 
@@ -360,8 +356,12 @@ [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = T +1254722770.692804 file_mime_type + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [1] mime_type: string = text/html + 1254722770.692804 file_state_remove - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=F, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP 
@@ -402,20 +402,20 @@ [2] is_orig: bool = F 1254722770.692804 file_new - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns=, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] 1254722770.692804 file_over_new_connection [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F -1254722770.692823 file_mime_type - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692823, seen_bytes=966, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] - [1] mime_type: string = text/plain - 1254722770.695115 new_connection [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] +1254722771.494181 file_mime_type + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], 
start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J 
- Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. 
^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: -D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show 
progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [1] mime_type: string = text/plain + 1254722771.858334 mime_end_entity [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 
@@ -425,7 +425,7 @@ [2] is_orig: bool = T 1254722771.858334 file_state_remove - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=18.0 usecs, local_orig=, is_orig=F, seen_bytes=966, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, 
irc=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* 
Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: 
-D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=F, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP From f6257618e579400150787bbf8c52f240be86b8bb Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 16 Dec 2014 20:56:15 -0600 Subject: [PATCH 16/48] Change file extraction to explicitly NUL-fill gaps Instead of expecting pwrite to do it. --- src/file_analysis/analyzer/extract/Extract.cc | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc index eeec8ef464..c758414a6e 100644 --- a/src/file_analysis/analyzer/extract/Extract.cc +++ b/src/file_analysis/analyzer/extract/Extract.cc 
@@ -103,7 +103,7 @@ bool Extract::DeliverStream(const u_char* data, uint64 len) if ( towrite > 0 ) { - safe_pwrite(fd, (const u_char *) data, towrite, depth); + safe_write(fd, reinterpret_cast(data), towrite); depth += towrite; } @@ -112,6 +112,13 @@ bool Extract::DeliverStream(const u_char* data, uint64 len) bool Extract::Undelivered(uint64 offset, uint64 len) { - depth += len; + if ( depth == offset ) + { + char* tmp = new char[len](); + safe_write(fd, tmp, len); + delete [] tmp; + depth += len; + } + return true; } From 6941538f8168fc7c25607e9d4019bac37006e277 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 16 Dec 2014 20:58:27 -0600 Subject: [PATCH 17/48] Fix reference counting bug in refactored file reassembly code. --- src/file_analysis/File.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index d893d7a088..50617f27b6 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -147,7 +147,7 @@ void File::RaiseFileOverNewConnection(Connection* conn, bool is_orig) { val_list* vl = new val_list(); vl->append(val->Ref()); - vl->append(conn->BuildConnVal()->Ref()); + vl->append(conn->BuildConnVal()); vl->append(new Val(is_orig, TYPE_BOOL)); FileEvent(file_over_new_connection, vl); } From 1a03a95f355bcc8e68aa096b074714a879fac902 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 17 Dec 2014 09:57:06 -0600 Subject: [PATCH 18/48] Workaround race condition in unified2 file module. This makes the unit test pass consistently, but need to see about fixing it in the unified2 file module directly. --- .../scripts/base/files/unified2/alert.bro | 34 +++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/testing/btest/scripts/base/files/unified2/alert.bro b/testing/btest/scripts/base/files/unified2/alert.bro index eca1ca036c..189e35bd8e 100644 --- a/testing/btest/scripts/base/files/unified2/alert.bro +++ b/testing/btest/scripts/base/files/unified2/alert.bro 
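Review bot: In `Extract::Undelivered`, `new char[len]()` sizes a heap buffer directly from the gap length, so a single large hole in a transfer makes the extractor allocate and zero that many bytes at once. `len` is a `uint64` reported for the stream, and nothing in the function caps the fill the way `DeliverStream` appears to cap `towrite` (that computation is outside the hunk). The same `len` is then passed to `safe_write`, whose length parameter is, as far as I recall from util.h, narrower than 64 bits, so the written byte count could truncate while `depth += len` still advances by the full amount; the `safe_write(fd, ..., towrite)` call in the first hunk deserves the same check. Filling the gap from a small fixed zero buffer in a loop bounds the memory use and keeps every write length in range, and the fill should also respect the extraction limit.

```cpp
bool Extract::Undelivered(uint64 offset, uint64 len)
	{
	if ( depth == offset )
		{
		// Zero-fill in bounded chunks: the gap length is dictated by the
		// traffic and must not decide the size of an allocation.
		static const char zeros[4096] = { 0 };
		uint64 left = len;

		while ( left > 0 )
			{
			int n = left < sizeof(zeros) ? static_cast<int>(left)
			                             : static_cast<int>(sizeof(zeros));
			safe_write(fd, zeros, n);
			left -= n;
			}

		depth += len;
		}
	// ... unchanged: return true ...
```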
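Review bot: The ownership rule that makes `vl->append(conn->BuildConnVal());` correct is not stated anywhere in `File::RaiseFileOverNewConnection`, and the line directly above it still uses the `val->Ref()` pattern, so the extra `Ref()` is easy to reintroduce. Presumably `BuildConnVal()` already returns a reference the caller owns; that is inferred from the commit subject and not visible in the hunk. A one-line comment above the call, for example `// BuildConnVal() already returns a new reference; do not Ref() it again`, would record that. A leaked connection value per raised event keeps per-connection state alive, which adds up on a long-running sensor.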
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b %INPUT Unified2::watch_file=$FILES/unified2.u2 +# @TEST-EXEC: bro -b %INPUT test_watch_file=$FILES/unified2.u2 # @TEST-EXEC: btest-diff unified2.log @TEST-START-FILE sid_msg.map @@ -68,9 +68,39 @@ redef Unified2::gen_msg = @DIR+"/gen_msg.map"; redef Unified2::classification_config = @DIR+"/classification.config"; global i = 0; +# TODO: can't currently use Unified2::watch_file directly for the test as +# there's a race between reading that file and the map/classification +# config files, which leads to not all fields of the unified2.log being +# populated on occassion. +const test_watch_file: string = "" &redef; + +event start_test() + { + Input::add_analysis([$source=test_watch_file, + $reader=Input::READER_BINARY, + $mode=Input::STREAM, + $name=test_watch_file]); + } + +# TODO: this should be handled by unified2 module, but it's here for +# working around the issue mentioned in comment above. +event file_new(f: fa_file) + { + if ( f$source == test_watch_file ) + { + Files::add_analyzer(f, Files::ANALYZER_UNIFIED2); + f$u2_events = table(); + } + } + +event bro_init() + { + schedule 2sec { start_test() }; + } + event Unified2::alert(f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet) { ++i; if ( i == 2 ) terminate(); - } \ No newline at end of file + } From 15ec117da678d8df54d018b93f9460dea782700b Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 18 Dec 2014 11:57:32 -0600 Subject: [PATCH 19/48] Correct a typo in the Notice framework doc --- doc/frameworks/notice.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/frameworks/notice.rst b/doc/frameworks/notice.rst index 2c20149ce5..d8197c13af 100644 --- a/doc/frameworks/notice.rst +++ b/doc/frameworks/notice.rst 
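Review bot: The `schedule 2sec { start_test() };` added to `bro_init` in the second hunk replaces the original race with a fixed delay, so on a loaded test host the map and classification files may still not be read when `Input::add_analysis` starts on `test_watch_file`. Starting the analysis from the point where the three map readers have reported completion (for instance an `Input::end_of_data` handler that counts them) would make the ordering explicit instead of timing-dependent. `test_watch_file` also defaults to `""`, so a run without the command-line override would call `Input::add_analysis` with an empty `$source`; a guard such as `if ( test_watch_file == "" ) return;` at the top of `start_test` would make that failure obvious.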
@@ -271,7 +271,7 @@ script that is generating the notice has indicated to the notice framework how to identify notices that are intrinsically the same. Identification of these "intrinsically duplicate" notices is implemented with an optional field in :bro:see:`Notice::Info` records named ``$identifier`` which is a simple string. -If the ``$identifier`` and ``$type`` fields are the same for two notices, the +If the ``$identifier`` and ``$note`` fields are the same for two notices, the notice framework actually considers them to be the same thing and can use that information to suppress duplicates for a configurable period of time. From 9af5fb1302239a5b88e0ce35857f7005f4e48fb0 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 31 Dec 2014 09:14:55 -0800 Subject: [PATCH 20/48] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 90f9ca0ffa..eb1d029e51 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 90f9ca0ffa2306f0d1d2ac208cdbb7787199f890 +Subproject commit eb1d029e5161c4dfff00fd190d8da22c0bf8ba50 From bd8893f0d0d4ce48423c696f6706a985267e6398 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 31 Dec 2014 09:19:09 -0800 Subject: [PATCH 21/48] Changing Makefile's test-all to run test-all for broctl. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 9feaecd656..207ce72780 100644 --- a/Makefile +++ b/Makefile @@ -54,7 +54,7 @@ test: @( cd testing && make ) test-all: test - test -d aux/broctl && ( cd aux/broctl && make test ) + test -d aux/broctl && ( cd aux/broctl && make test-all ) test -d aux/btest && ( cd aux/btest && make test ) test -d aux/bro-aux && ( cd aux/bro-aux && make test ) test -d aux/plugins && ( cd aux/plugins && make test-all ) From 494545f1ebfd569e39a41863ccfd38b884b50127 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Wed, 31 Dec 2014 09:19:34 -0800 Subject: [PATCH 22/48] Updating submodule(s). [nomail] --- CHANGES | 5 +++++ VERSION | 2 +- aux/broctl | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 2d41f9ad1b..4c546131db 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.3-348 | 2014-12-31 09:19:34 -0800 + + * Changing Makefile's test-all to run test-all for broctl, which now + executes trace-summary tests as well. (Robin Sommer) + 2.3-345 | 2014-12-31 09:06:15 -0800 * Correct a typo in the Notice framework doc. (Daniel Thayer) diff --git a/VERSION b/VERSION index 196c840941..378e5b5ce8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-345 +2.3-348 diff --git a/aux/broctl b/aux/broctl index eb1d029e51..8c9b87bc73 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit eb1d029e5161c4dfff00fd190d8da22c0bf8ba50 +Subproject commit 8c9b87bc73e1ddaa304e3d89028c1e7b95d37a91 From a3d78cc830c7e6f200f617560908e84cd6a8a9f5 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 5 Jan 2015 14:51:58 -0600 Subject: [PATCH 23/48] Revert "Workaround race condition in unified2 file module." This reverts commit 1a03a95f355bcc8e68aa096b074714a879fac902. --- .../scripts/base/files/unified2/alert.bro | 34 ++----------------- 1 file changed, 2 insertions(+), 32 deletions(-) diff --git a/testing/btest/scripts/base/files/unified2/alert.bro b/testing/btest/scripts/base/files/unified2/alert.bro index 189e35bd8e..eca1ca036c 100644 --- a/testing/btest/scripts/base/files/unified2/alert.bro +++ b/testing/btest/scripts/base/files/unified2/alert.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b %INPUT test_watch_file=$FILES/unified2.u2 +# @TEST-EXEC: bro -b %INPUT Unified2::watch_file=$FILES/unified2.u2 # @TEST-EXEC: btest-diff unified2.log @TEST-START-FILE sid_msg.map 
@@ -68,39 +68,9 @@ redef Unified2::gen_msg = @DIR+"/gen_msg.map"; redef Unified2::classification_config = @DIR+"/classification.config"; global i = 0; -# TODO: can't currently use Unified2::watch_file directly for the test as -# there's a race between reading that file and the map/classification -# config files, which leads to not all fields of the unified2.log being -# populated on occassion. -const test_watch_file: string = "" &redef; - -event start_test() - { - Input::add_analysis([$source=test_watch_file, - $reader=Input::READER_BINARY, - $mode=Input::STREAM, - $name=test_watch_file]); - } - -# TODO: this should be handled by unified2 module, but it's here for -# working around the issue mentioned in comment above. -event file_new(f: fa_file) - { - if ( f$source == test_watch_file ) - { - Files::add_analyzer(f, Files::ANALYZER_UNIFIED2); - f$u2_events = table(); - } - } - -event bro_init() - { - schedule 2sec { start_test() }; - } - event Unified2::alert(f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet) { ++i; if ( i == 2 ) terminate(); - } + } \ No newline at end of file From 1971d25a5cb895f039ac809d02d986c9dc118b18 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 5 Jan 2015 15:21:13 -0600 Subject: [PATCH 24/48] Fix race condition in unified2 file analyzer startup. Retrieval of extended alert information from sid-msg.map, gen-msg.map, and classification.config files uses Bro's input framework, but since the unified2 file analyzer also relies on the input framework, coordination is needed to start analysis only after extended info has been read at least once. --- CHANGES | 4 + VERSION | 2 +- scripts/base/files/unified2/main.bro | 95 ++++++++++++++++----- testing/btest/Baseline/plugins.hooks/output | 24 ++++-- 4 files changed, 94 insertions(+), 31 deletions(-) diff --git a/CHANGES b/CHANGES index 4c546131db..60c40cbce6 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,8 @@ +2.3-349 | 2015-01-05 15:21:13 -0600 + + * Fix race condition in unified2 file analyzer startup. (Jon siwek) + 2.3-348 | 2014-12-31 09:19:34 -0800 * Changing Makefile's test-all to run test-all for broctl, which now diff --git a/VERSION b/VERSION index 378e5b5ce8..f2b1636819 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-348 +2.3-349 diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro index 2f6ae79f4f..627bcc9fee 100644 --- a/scripts/base/files/unified2/main.bro +++ b/scripts/base/files/unified2/main.bro @@ -71,11 +71,50 @@ global classification_map: table[count] of string; global sid_map: table[count] of string; global gen_map: table[count] of string; +global num_classification_map_reads = 0; +global num_sid_map_reads = 0; +global num_gen_map_reads = 0; +global watching = F; + # For reading in config files. type OneLine: record { line: string; }; +function mappings_initialized(): bool + { + return num_classification_map_reads > 0 && + num_sid_map_reads > 0 && + num_gen_map_reads > 0; + } + +function start_watching() + { + if ( watching ) + return; + + watching = T; + + if ( watch_dir != "" ) + { + Dir::monitor(watch_dir, function(fname: string) + { + Input::add_analysis([$source=fname, + $reader=Input::READER_BINARY, + $mode=Input::STREAM, + $name=fname]); + }, 10secs); + } + + if ( watch_file != "" ) + { + Input::add_analysis([$source=watch_file, + $reader=Input::READER_BINARY, + $mode=Input::STREAM, + $name=watch_file]); + } + } + function create_info(ev: IDSEvent): Info { local info = Info($ts=ev$ts, 
@@ -136,11 +175,33 @@ event Unified2::read_classification_line(desc: Input::EventDescription, tpe: Inp } } +event Input::end_of_data(name: string, source: string) + { + if ( name == classification_config ) + ++num_classification_map_reads; + else if ( name == sid_msg ) + ++num_sid_map_reads; + else if ( name == gen_msg ) + ++num_gen_map_reads; + else + return; + + if ( watching ) + return; + + if ( mappings_initialized() ) + start_watching(); + } + event bro_init() &priority=5 { Log::create_stream(Unified2::LOG, [$columns=Info, $ev=log_unified2]); - if ( sid_msg != "" ) + if ( sid_msg == "" ) + { + num_sid_map_reads = 1; + } + else { Input::add_event([$source=sid_msg, $reader=Input::READER_RAW, @@ -151,7 +212,11 @@ event bro_init() &priority=5 $ev=Unified2::read_sid_msg_line]); } - if ( gen_msg != "" ) + if ( gen_msg == "" ) + { + num_gen_map_reads = 1; + } + else { Input::add_event([$source=gen_msg, $name=gen_msg, @@ -162,7 +227,11 @@ event bro_init() &priority=5 $ev=Unified2::read_gen_msg_line]); } - if ( classification_config != "" ) + if ( classification_config == "" ) + { + num_classification_map_reads = 1; + } + else { Input::add_event([$source=classification_config, $name=classification_config, @@ -173,24 +242,8 @@ event bro_init() &priority=5 $ev=Unified2::read_classification_line]); } - if ( watch_dir != "" ) - { - Dir::monitor(watch_dir, function(fname: string) - { - Input::add_analysis([$source=fname, - $reader=Input::READER_BINARY, - $mode=Input::STREAM, - $name=fname]); - }, 10secs); - } - - if ( watch_file != "" ) - { - Input::add_analysis([$source=watch_file, - $reader=Input::READER_BINARY, - $mode=Input::STREAM, - $name=watch_file]); - } + if ( mappings_initialized() ) + start_watching(); } event file_new(f: fa_file) diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 31dd415e1b..d18499d5dd 100644 --- a/testing/btest/Baseline/plugins.hooks/output 
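Review bot: With the new `Input::end_of_data` handler, `start_watching()` is reached only once all three counters are non-zero, so if a configured `sid_msg`, `gen_msg` or `classification_config` file never produces `end_of_data`, unified2 alert ingestion never starts and nothing is logged about it. Presumably a missing or unreadable path never produces that event; this hunk does not show it. The `if`/`else if` chain compares `name` against each option in turn, so two options set to the same path would bump only the first counter and stall in the same way (this assumes the `sid_msg` reader's `$name`, which is outside the hunks, is the path, like the other two). For a sensor, silently dropping IDS alerts is worse than logging them without the extended message text, so a timed fallback that warns and starts watching anyway seems safer; the interval below is a constructed sample value. The `bro_init` body continues outside the hunks shown.

```zeek
event Unified2::mappings_timeout()
	{
	if ( watching )
		return;

	Reporter::warning("unified2: mapping files not fully read, watching without complete mappings");
	start_watching();
	}

event bro_init() &priority=5
	{
	# ... unchanged: Log::create_stream and the three Input::add_event blocks ...

	if ( mappings_initialized() )
		start_watching();
	else
		schedule 30secs { Unified2::mappings_timeout() };
	}
```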
+++ b/testing/btest/Baseline/plugins.hooks/output @@ -189,7 +189,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1420492465.686432, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Conn::LOG)) -> 
@@ -283,8 +283,8 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1420492465.686432, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1420492465.686432, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> 
@@ -303,6 +303,8 @@ 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) -> 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -> 0.000000 MetaHookPost CallFunction(SumStats::register_observe_plugins, ()) -> +0.000000 MetaHookPost CallFunction(Unified2::mappings_initialized, ()) -> +0.000000 MetaHookPost CallFunction(Unified2::start_watching, ()) -> 0.000000 MetaHookPost CallFunction(bro_init, ()) -> 0.000000 MetaHookPost CallFunction(cat, (Packe, t, _, Filter)) -> 0.000000 MetaHookPost CallFunction(current_time, ()) -> 
@@ -724,7 +726,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1420492465.686432, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Conn::LOG)) @@ -818,8 +820,8 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1420492465.686432, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1420492465.686432, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) 
@@ -838,6 +840,8 @@ 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) 0.000000 MetaHookPre CallFunction(SumStats::register_observe_plugins, ()) +0.000000 MetaHookPre CallFunction(Unified2::mappings_initialized, ()) +0.000000 MetaHookPre CallFunction(Unified2::start_watching, ()) 0.000000 MetaHookPre CallFunction(bro_init, ()) 0.000000 MetaHookPre CallFunction(cat, (Packe, t, _, Filter)) 0.000000 MetaHookPre CallFunction(current_time, ()) @@ -1259,7 +1263,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1420492465.686432, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1353,8 +1357,8 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1414788015.369883, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1420492465.686432, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1420492465.686432, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) 
@@ -1373,6 +1377,8 @@ 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals}) 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average}) 0.000000 | HookCallFunction SumStats::register_observe_plugins() +0.000000 | HookCallFunction Unified2::mappings_initialized() +0.000000 | HookCallFunction Unified2::start_watching() 0.000000 | HookCallFunction bro_init() 0.000000 | HookCallFunction cat(Packe, t, _, Filter) 0.000000 | HookCallFunction current_time() From 58a9162ce71c18e68942af97449a2346c6fcea12 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 5 Jan 2015 16:57:24 -0600 Subject: [PATCH 25/48] Add NEWS items related to file analysis changes. --- NEWS | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/NEWS b/NEWS index 6de9bd8f3e..5e2ef52ca1 100644 --- a/NEWS +++ b/NEWS 
@@ -28,11 +28,31 @@ New Functionality - Bro now has supoprt for the MySQL wire protocol. Activity gets logged into mysql.log. +- Bro's file analysis now supports reassembly of files that are not + transferred/seen sequentially. + Changed Functionality --------------------- - bro-cut has been rewritten in C, and is hence much faster. +- File analysis + + * Removed ``fa_file`` record's ``mime_type`` and ``mime_types`` + fields. The events ``file_mime_type`` and ``file_mime_types`` + have been added which contain the same information. The + ``mime_type`` field of ``Files::Info`` also still has this info. + + * Removed ``Files::add_analyzers_for_mime_type`` function. + + * Removed ``offset`` parameter of the ``file_extraction_limit`` + event. Since file extraction now internally depends on file + reassembly for non-sequential files, "offset" can be obtained + with other information already available -- adding together + ``seen_bytes`` and ``missed_bytes`` fields of the ``fa_file`` + record gives the how many bytes have been written so far (i.e. + the "offset"). + Bro 2.3 ======= From 593e74d4b7adb55e6cffd9f6cd4a616c44d0a90c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 6 Jan 2015 15:12:28 -0600 Subject: [PATCH 26/48] Updating submodule(s). [nomail] --- aux/broccoli | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broccoli b/aux/broccoli index acb8fbe8e7..d43cc790e5 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit acb8fbe8e7bc6ace5135fb73dca8e29432cdc1ca +Subproject commit d43cc790e5b8709b5e032e52ad0e00936494739b From b5e9433b043bd354024b9945d00de22f50c26cad Mon Sep 17 00:00:00 2001 
From: Daniel Thayer Date: Wed, 7 Jan 2015 00:01:35 -0600 Subject: [PATCH 27/48] Improve documentation of the Intelligence Framework Added some missing information and rearranged a few sentences so the order makes more sense. --- doc/frameworks/intel.rst | 72 +++++++++++++++++--------- scripts/base/frameworks/intel/main.bro | 3 +- 2 files changed, 49 insertions(+), 26 deletions(-) diff --git a/doc/frameworks/intel.rst b/doc/frameworks/intel.rst index f90092aac3..965fba4c14 100644 --- a/doc/frameworks/intel.rst +++ b/doc/frameworks/intel.rst 
@@ -14,32 +14,35 @@ consume that data, make it available for matching, and provide infrastructure around improving performance, memory utilization, and generally making all of this easier. -Data in the Intelligence Framework is the atomic piece of intelligence +Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address along with a suite of metadata about it such as a freeform source field, a freeform descriptive field and a URL which might lead to more information about the specific item. The metadata in the default scripts has been deliberately kept minimal so that the community can find the -appropriate fields that need added by writing scripts which extend the +appropriate fields that need to be added by writing scripts which extend the base record using the normal record extension mechanism. Quick Start ----------- -Load the package of scripts that sends data into the Intelligence -Framework to be checked by loading this script in local.bro:: - - @load policy/frameworks/intel/seen - Refer to the "Loading Intelligence" section below to see the format for Intelligence Framework text files, then load those text files with this line in local.bro:: redef Intel::read_files += { "/somewhere/yourdata.txt" }; -The data itself only needs to reside on the manager if running in a +The text files need to reside only on the manager if running in a cluster. +Add the following line to local.bro in order to load the scripts +that send "seen" data into the Intelligence Framework to be checked against +the loaded intelligence data:: + + @load policy/frameworks/intel/seen + +Intelligence data matches will be logged to the intel.log file. + Architecture ------------ 
@@ -58,8 +61,10 @@ manager is the only node that needs the intelligence data. The intelligence framework has distribution mechanisms which will push data out to all of the nodes that need it. -Here is an example of the intelligence data format. Note that all -whitespace field separators are literal tabs and fields containing only a +Here is an example of the intelligence data format (note that there will be +additional fields if you are using CIF intelligence data or if you are +using the policy/frameworks/intel/do_notice script). Note that all fields +must be separated by a single tab character and fields containing only a hyphen are considered to be null values. :: #fields indicator indicator_type meta.source meta.desc meta.url @@ -69,8 +74,21 @@ hyphen are considered to be null values. :: For a list of all built-in `indicator_type` values, please refer to the documentation of :bro:see:`Intel::Type`. -To load the data once files are created, use the following example -code to define files to load with your own file names of course:: +Note that if you are using data from the Collective Intelligence Framework, +then you will need to add the following line to your local.bro in order +to support additional metadata fields used by CIF:: + + @load policy/integration/collective-intel + +There is a simple mechanism to raise a Bro notice (of type Intel::Notice) +for user-specified intelligence matches. To use this feature, add the +following line to local.bro in order to support additional metadata fields +(documented in the :bro:see:`Intel::MetaData` record):: + + @load policy/frameworks/intel/do_notice + +To load the data once the files are created, use the following example +to specify which files to load (with your own file names of course):: redef Intel::read_files += { "/somewhere/feed1.txt", 
@@ -85,24 +103,23 @@ Seen Data When some bit of data is extracted (such as an email address in the "From" header in a message over SMTP), the Intelligence Framework -needs to be informed that this data was discovered and it's presence -should be checked within the intelligence data set. This is -accomplished through the :bro:see:`Intel::seen` function. +needs to be informed that this data was discovered so that its presence +will be checked within the loaded intelligence data. This is +accomplished through the :bro:see:`Intel::seen` function, however +typically users won't need to work with this function due to the +scripts included with Bro that will call this function. -Typically users won't need to work with this function due to built in -hook scripts that Bro ships with that will "see" data and send it into -the intelligence framework. A user may only need to load the entire -package of hook scripts as a module or pick and choose specific -scripts to load. Keep in mind that as more data is sent into the +To load all of the scripts included with Bro for sending "seen" data to +the intelligence framework, just add this line to local.bro:: + + @load policy/frameworks/intel/seen + +Alternatively, specific scripts in that directory can be loaded. +Keep in mind that as more data is sent into the intelligence framework, the CPU load consumed by Bro will increase depending on how many times the :bro:see:`Intel::seen` function is being called which is heavily traffic dependent. -The full package of hook scripts that Bro ships with for sending this -"seen" data into the intelligence framework can be loading by adding -this line to local.bro:: - - @load policy/frameworks/intel/seen Intelligence Matches ******************** 
@@ -111,6 +128,7 @@ Against all hopes, most networks will eventually have a hit on intelligence data which could indicate a possible compromise or other unwanted activity. The Intelligence Framework provides an event that is generated whenever a match is discovered named :bro:see:`Intel::match`. + Due to design restrictions placed upon the intelligence framework, there is no assurance as to where this event will be generated. It could be generated on the worker where @@ -119,3 +137,7 @@ handled, only the data given as event arguments to the event can be assured since the host where the data was seen may not be where ``Intel::match`` is handled. +Intelligence matches are logged to the intel.log file. For a description of +each field in that file, see the documentation for the :bro:see:`Intel::Info` +record. + diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index b5f305a7fc..4866766df4 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -67,6 +67,7 @@ export { IN_ANYWHERE, }; + ## Information about a piece of "seen" data. type Seen: record { ## The string if the data is about a string. indicator: string &log &optional; @@ -124,7 +125,7 @@ export { sources: set[string] &log &default=string_set(); }; - ## Intelligence data manipulation functions. + ## Intelligence data manipulation function. global insert: function(item: Item); ## Function to declare discovery of a piece of data in order to check From 794273913fc1c9ef0a8b7c2c250e680d5bb52e23 Mon Sep 17 00:00:00 2001 
From: Hui Lin Date: Wed, 7 Jan 2015 15:04:22 -0600 Subject: [PATCH 28/48] add test trace in which DNP3 packets are over UDP; update test scripts and baseline results --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/plugins | 2 +- cmake | 2 +- scripts/base/protocols/dnp3/main.bro | 2 +- .../coverage | 1 + .../dnp3.log | 10 + .../output | 7 + .../coverage | 1 + .../dnp3.log | 11 + .../output | 2995 +++++++++++++++++ .../coverage | 1 + .../dnp3.log | 12 + .../output | 1055 ++++++ .../coverage | 1 + .../dnp3.log | 10 + .../output | 6 + .../btest/Traces/dnp3/dnp3_udp_en_spon.pcap | Bin 0 -> 326 bytes testing/btest/Traces/dnp3/dnp3_udp_read.pcap | Bin 0 -> 5800 bytes .../Traces/dnp3/dnp3_udp_select_operate.pcap | Bin 0 -> 1427 bytes testing/btest/Traces/dnp3/dnp3_udp_write.pcap | Bin 0 -> 179 bytes .../base/protocols/dnp3/dnp3_udp_en_spon.bro | 9 + .../base/protocols/dnp3/dnp3_udp_read.bro | 9 + .../dnp3/dnp3_udp_select_operate.bro | 9 + .../base/protocols/dnp3/dnp3_udp_write.bro | 9 + 27 files changed, 4153 insertions(+), 7 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/coverage create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/dnp3.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/output create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/coverage create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/dnp3.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/output create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/coverage create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/dnp3.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/output create mode 100644 
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/coverage create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/dnp3.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/output create mode 100755 testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap create mode 100755 testing/btest/Traces/dnp3/dnp3_udp_read.pcap create mode 100755 testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap create mode 100755 testing/btest/Traces/dnp3/dnp3_udp_write.pcap create mode 100644 testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro create mode 100644 testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro create mode 100644 testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro create mode 100644 testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro diff --git a/aux/binpac b/aux/binpac index 4e5969f5a4..77a86591dc 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 4e5969f5a40f5cc192a751375cb61131d32c0fc1 +Subproject commit 77a86591dcf89d7252d3676d3f1199d6c927d073 diff --git a/aux/bro-aux b/aux/bro-aux index 181f084432..977654dc51 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 181f084432e277f899140647d9b788059b3cccb1 +Subproject commit 977654dc51ab08a2afde32241f108cdb4a581d8f diff --git a/aux/broccoli b/aux/broccoli index 6be54279bb..acb8fbe8e7 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 6be54279bb7ecb5e03d8bcdc7660d323dc4de1bc +Subproject commit acb8fbe8e7bc6ace5135fb73dca8e29432cdc1ca diff --git a/aux/broctl b/aux/broctl index f0e0efda05..39e865dec9 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit f0e0efda05e4b20924efc1b826ad5d85c8b65f83 +Subproject commit 39e865dec9611b9b53b609cbc8df519cebae0a1e diff --git a/aux/plugins b/aux/plugins index 6de518922e..ad600b5bdc 160000 --- a/aux/plugins +++ b/aux/plugins 
@@ -1 +1 @@ -Subproject commit 6de518922e5f89d52d831ea6fb6adb7fff94437e +Subproject commit ad600b5bdcd56a2723e323c0f2c8e1708956ca4f diff --git a/cmake b/cmake index aa15263ae3..1316c07f70 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit aa15263ae39667e5e9bd73690b05aa4af9147ca3 +Subproject commit 1316c07f7059647b6c4a496ea36e4b83bb5d8f0f diff --git a/scripts/base/protocols/dnp3/main.bro b/scripts/base/protocols/dnp3/main.bro index 60fcab0c26..c00934a65b 100644 --- a/scripts/base/protocols/dnp3/main.bro +++ b/scripts/base/protocols/dnp3/main.bro @@ -31,7 +31,7 @@ redef record connection += { dnp3: Info &optional; }; -const ports = { 20000/tcp }; +const ports = { 20000/tcp , 20000/udp }; redef likely_server_ports += { ports }; event bro_init() &priority=5 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/coverage b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/coverage new file mode 100644 index 0000000000..8369d1fd9b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/coverage @@ -0,0 +1 @@ +4 of 51 events triggered by trace diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/dnp3.log b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/dnp3.log new file mode 100644 index 0000000000..1d5c0e56c6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/dnp3.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dnp3 +#open 2015-01-07-21-02-21 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin +#types time string addr port addr port string string count +1420058797.673799 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 ENABLE_UNSOLICITED RESPONSE 1 +#close 2015-01-07-21-02-21 
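Review bot: In the `const ports` line of scripts/base/protocols/dnp3/main.bro, 20000/udp is added with no comment and with a stray space before the comma; I would write `const ports = { 20000/tcp, 20000/udp };` and put `## DNP3 is carried over both TCP and UDP on port 20000.` above it. The same set feeds `redef likely_server_ports += { ports };`, so 20000/udp presumably also becomes a hint for which endpoint is treated as the server, and that is worth confirming as intended. The `bro_init` handler that opens on the hunk's last line has its body outside the hunk, so whether the analyzer registered for these ports copes with datagram delivery (no stream reassembly, source addresses that are easy to spoof) cannot be checked from here.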
diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/output new file mode 100644 index 0000000000..ea77e744fb --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/output @@ -0,0 +1,7 @@ +dnp3_header_block, T, 25605, 17, 196, 1, 100 +dnp3_application_request_header, T, 207, 20 +dnp3_object_header, T, 15362, 6, 0, 65535, 65535 +dnp3_object_header, T, 15363, 6, 0, 65535, 65535 +dnp3_object_header, T, 15364, 6, 0, 65535, 65535 +dnp3_header_block, F, 25605, 10, 68, 100, 1 +dnp3_application_response_header, F, 207, 129, 1 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/coverage b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/coverage new file mode 100644 index 0000000000..e49a3133a9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/coverage @@ -0,0 +1 @@ +7 of 51 events triggered by trace diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/dnp3.log b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/dnp3.log new file mode 100644 index 0000000000..dcd3facf87 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/dnp3.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dnp3 +#open 2015-01-07-21-02-12 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin +#types time string addr port addr port string string count +1420058427.969342 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 READ RESPONSE 36864 +1420058427.972303 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 - RESPONSE 36864 +#close 2015-01-07-21-02-12 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/output new file mode 100644 index 0000000000..c875efced0 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/output 
@@ -0,0 +1,2995 @@ +dnp3_header_block, T, 25605, 20, 196, 1, 100 +dnp3_application_request_header, T, 199, 1 +dnp3_object_header, T, 15362, 6, 0, 65535, 65535 +dnp3_object_header, T, 15363, 6, 0, 65535, 65535 +dnp3_object_header, T, 15364, 6, 0, 65535, 65535 +dnp3_object_header, T, 15361, 6, 0, 65535, 65535 +dnp3_header_block, F, 25605, 255, 68, 100, 1 +dnp3_application_response_header, F, 135, 129, 36864 +dnp3_object_header, F, 257, 1, 1024, 0, 1023 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 3 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 0 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 0 +dnp3_object_header, F, 2562, 1, 512, 0, 511 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_header, F, 7685, 1, 276, 0, 275 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 1124382111 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 3242862076 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, 
F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 
+dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_header_block, F, 25605, 255, 68, 100, 1 +dnp3_application_response_header, F, 72, 129, 36864 +dnp3_object_header, F, 7685, 1, 224, 276, 499 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 
0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_analog_input_SPwFlag, F, 1, 0 +dnp3_response_data_object, F, 255 +dnp3_object_header, F, 10243, 0, 100, 0, 99 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 255 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/coverage b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/coverage new file mode 100644 index 0000000000..e49a3133a9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/coverage @@ -0,0 +1 @@ +7 of 51 events triggered by trace diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/dnp3.log b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/dnp3.log new file mode 100644 index 0000000000..c826e9bcd8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/dnp3.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dnp3 +#open 2015-01-07-21-02-26 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin +#types time string addr port addr port string string count +1420058517.353161 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 SELECT RESPONSE 36864 +1420058517.467502 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 OPERATE RESPONSE 36864 +1420058517.574061 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 READ RESPONSE 36864 +#close 2015-01-07-21-02-26 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/output new file mode 100644 index 0000000000..394bdb1fe9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/output 
@@ -0,0 +1,1055 @@ +dnp3_header_block, T, 25605, 26, 196, 1, 100 +dnp3_application_request_header, T, 201, 3 +dnp3_object_header, T, 3073, 40, 1, 256, 0 +dnp3_object_prefix, T, 1 +dnp3_crob, T, 3, 1, 100, 100, 0 +dnp3_header_block, F, 25605, 28, 68, 100, 1 +dnp3_application_response_header, F, 201, 129, 36864 +dnp3_object_header, F, 3073, 40, 1, 256, 0 +dnp3_object_prefix, F, 1 +dnp3_crob, F, 3, 1, 100, 100, 0 +dnp3_response_data_object, F, 255 +dnp3_header_block, T, 25605, 26, 196, 1, 100 +dnp3_application_request_header, T, 202, 4 +dnp3_object_header, T, 3073, 40, 1, 256, 0 +dnp3_object_prefix, T, 1 +dnp3_crob, T, 3, 1, 100, 100, 0 +dnp3_header_block, F, 25605, 28, 68, 100, 1 +dnp3_application_response_header, F, 202, 129, 36864 +dnp3_object_header, F, 3073, 40, 1, 256, 0 +dnp3_object_prefix, F, 1 +dnp3_crob, F, 3, 1, 100, 100, 0 +dnp3_response_data_object, F, 255 +dnp3_header_block, T, 25605, 20, 196, 1, 100 +dnp3_application_request_header, T, 203, 1 +dnp3_object_header, T, 15362, 6, 0, 65535, 65535 +dnp3_object_header, T, 15363, 6, 0, 65535, 65535 +dnp3_object_header, T, 15364, 6, 0, 65535, 65535 +dnp3_object_header, T, 2560, 6, 0, 65535, 65535 +dnp3_header_block, F, 25605, 255, 68, 100, 1 +dnp3_application_response_header, F, 203, 129, 36864 +dnp3_object_header, F, 2562, 1, 512, 0, 511 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 129 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
+dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 
+dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 +dnp3_object_prefix, F, 0 +dnp3_response_data_object, F, 1 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/coverage b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/coverage new file mode 100644 index 0000000000..3f1d5d583a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/coverage @@ -0,0 +1 @@ +5 of 51 events triggered by trace diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/dnp3.log b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/dnp3.log new file mode 100644 index 0000000000..bab97b0ee7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/dnp3.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dnp3 +#open 2015-01-07-21-02-34 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin +#types time string addr port addr port string string count +1420058753.490949 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 WRITE RESPONSE 0 +#close 2015-01-07-21-02-34 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/output new file mode 100644 index 0000000000..f8ee638f76 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/output @@ -0,0 +1,6 @@ +dnp3_header_block, T, 25605, 14, 196, 1, 100 +dnp3_application_request_header, T, 206, 2 +dnp3_object_header, T, 20481, 0, 1, 7, 7 +dnp3_object_prefix, T, 0 +dnp3_header_block, F, 25605, 10, 68, 100, 1 +dnp3_application_response_header, F, 206, 129, 0 
diff --git a/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap b/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap new file mode 100755 index 0000000000000000000000000000000000000000..79881f62e734c6714ea1a20d36ce60e3cd7f3941 GIT binary patch literal 326 zcmca|c+)~A1{MY+z{m*XtW8)Fa>|*D!3oF)VTOQ1{!>yI#LAAJyUoGi%D`Z9N1TD7 zLC|K&ffWG@fS89R!%u-hp{k5EMeqnCLkhz?y|d>hhX1FgOT$_kc_Tnd+y&lEEOk^%iRimrDu*Bg5&3Kh8HYFfvN5+5~c) z3m&u7crCzYO+qnCXs$VH3acl`th)GBPyjM($zCo76QGko7{jM(cXGf!jRm<0WFFY3 PLREW#W_5#nx?nm0LhfDq literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/dnp3/dnp3_udp_read.pcap b/testing/btest/Traces/dnp3/dnp3_udp_read.pcap new file mode 100755 index 0000000000000000000000000000000000000000..7bc9d4add2dd73d0eb883d0dd37cbc26e07b9791 GIT binary patch literal 5800 zcmd^@Ye-Z<6vxl3dzYwX!!qkb*rvHk*#n9UT*#i5mI;|)eX#OE`lYfUdJ#rMA9_$^ z6h&lEBo*1iK15Holr-1(_R`YqO+*iff@nK4SDia!PDN$QdSRBi=iWW{e||IP&biZ2 zdj6;dtYA6_!IOy@$5O+VYT(8`Z4kPq-187pO6KM1eP9NF%YGLiJ~-*)je-9FukA|;GH0K7--ADaUf7YyICk$AB6@6_d zphN!tIP`Jtky6h+rsu=Y^-y1D(`_m}JDDE0TF0iEZ@_D$H5zfMgs2+GOY?-hQ73nRwS6B#Bw%)O6o;3f(t$ z@wUyofzUDZ1qGptTpRufhtDUR;z>_g`dSDiECe6QGadOMrW4k^T>AGdJ2z0e<4cru zA27OJk#6i|PItH@Y^_H!kbj}wc!ocFHt2?yD(OCCbQ?vwr=vODa0%v{A(Fu#>4s^T zYXb>6a?v`Ce2q*!lUPhs7n8C5=Tjr^8@(+#ofq3LO^@ohyW`#oFSw8Tesu0e-BQwR zVsslsx|dv>ZUlG8dYSaSE(lp(C>g-jEZza|yV{Ls__ODk8!6qvWlFlujBdS1H?NJ; z9f5(GSxp@(8NfWE{!hhF|L2+y4Wo1|B`CSzT(%jhi6^j&2OV7 zOs`YYea7fkigdq)aJn%@nsg$qc`X@!l0n8y54;-Os0k-EDCs_DbSp%?6mNO`Hf1t_;rcBAUR;;0t7fFhjs0|0yX9Vr9qA-R59$Wni#Bf0BWr zLD1v*ffWG@fS89R!%u-h+ixXniqsKCh7^V*_2Va*c^EYq85kLu8B>5pBuauv28L*m z;ho8>4E{h42t$m8SOGTNk>?i!gM*;=R*=CU3;YyVG8l9V4OvrUTvC7rUjFpqWa9(| zB;%DgG5{?F0kH9pWZCh#{S?^k&rscdy#nF(6Q@{^3};}t=7D6mo)SAgxBmvaeG97F zc_t&={_zy5+uQw6++MX490;IL#te7!^JllWLFdYDsTq9@z literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/dnp3/dnp3_udp_write.pcap b/testing/btest/Traces/dnp3/dnp3_udp_write.pcap new file mode 100755 index 0000000000000000000000000000000000000000..a2dd31b3b721409e32b617bb2b43ef8609ec5ca3 GIT binary patch literal 179 zcmca|c+)~A1{MY+z{m*XG$t$wQK({Pum`e1m?7Yh|CAI4v9jamZgViWGB6n4Y-V6+ z5VW^Gup(dq5c9BP_$e^RT1;h4;XA^}kiu|Q=*&5$07eFOb_NSmka0(A*%@qrCV?=- yAc&!0<8*oT7#JJ`y{CeV0vYM2z>>irS@(f8h07&{fsx_#!|&%B85rIKtpWgLGchy( literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro new file mode 100644 index 0000000000..a5f1f895cc --- /dev/null +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.bro @@ -0,0 +1,9 @@ +# +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.bro >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered +# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total +# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage +# @TEST-EXEC: btest-diff coverage +# @TEST-EXEC: btest-diff dnp3.log +# diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro new file mode 100644 index 0000000000..073e758df4 --- /dev/null +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.bro @@ -0,0 +1,9 @@ +# +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.bro >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered +# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total +# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage +# @TEST-EXEC: btest-diff coverage +# @TEST-EXEC: btest-diff dnp3.log +# 
diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro new file mode 100644 index 0000000000..c8708b10cd --- /dev/null +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.bro @@ -0,0 +1,9 @@ +# +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.bro >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered +# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total +# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage +# @TEST-EXEC: btest-diff coverage +# @TEST-EXEC: btest-diff dnp3.log +# diff --git a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro new file mode 100644 index 0000000000..d832d937a7 --- /dev/null +++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.bro @@ -0,0 +1,9 @@ +# +# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.bro >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered +# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total +# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage +# @TEST-EXEC: btest-diff coverage +# @TEST-EXEC: btest-diff dnp3.log +# From d8890ea009fdb94ecffcf826bbfd23577396365e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 8 Jan 2015 13:10:09 -0600 Subject: [PATCH 29/48] Increase minimum required CMake version to 2.8. --- CHANGES | 4 ++++ CMakeLists.txt | 2 +- VERSION | 2 +- aux/bro-aux | 2 +- doc/install/install.rst | 2 +- 5 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index e7006e0ab0..cf1b682f81 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,8 @@ +2.3-375 | 2015-01-08 13:10:09 -0600 + + * Increase minimum required CMake version to 2.8. (Jon Siwek) + 2.3-374 | 2015-01-07 10:03:17 -0600 * Improve documentation of the Intelligence Framework. (Daniel Thayer) diff --git a/CMakeLists.txt b/CMakeLists.txt index 7a287ef5b4..c0ff6c09d4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ project(Bro C CXX) # When changing the minimum version here, also adapt # aux/bro-aux/plugin-support/skeleton/CMakeLists.txt -cmake_minimum_required(VERSION 2.6.3 FATAL_ERROR) +cmake_minimum_required(VERSION 2.8 FATAL_ERROR) include(cmake/CommonCMakeConfig.cmake) diff --git a/VERSION b/VERSION index feb900b5ab..41ff87b741 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-374 +2.3-375 diff --git a/aux/bro-aux b/aux/bro-aux index 43a9f360c9..0b713c027d 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 43a9f360c9bf6b35fcb25d61ebff80c7feb1812b +Subproject commit 0b713c027d3efaaca50e5df995c02656175573cd diff --git a/doc/install/install.rst b/doc/install/install.rst index 0052acafb0..a3531f70c3 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -35,7 +35,7 @@ before you begin: To build Bro from source, the following additional dependencies are required: - * CMake 2.6.3 or greater (http://www.cmake.org) + * CMake 2.8 or greater (http://www.cmake.org) * Make * C/C++ compiler * SWIG (http://www.swig.org) From 39d51ca99c1e994fd48bfccc89c070522ca7deca Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 12 Jan 2015 09:38:10 -0600 Subject: [PATCH 30/48] Improve documentation for connection_established event. --- CHANGES | 4 ++++ VERSION | 2 +- src/analyzer/protocol/tcp/events.bif | 6 ++++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index cf1b682f81..5fd76c8b06 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,8 @@ +2.3-376 | 2015-01-12 09:38:10 -0600 + + * Improve documentation for connection_established event. (Jon Siwek) + 2.3-375 | 2015-01-08 13:10:09 -0600 * Increase minimum required CMake version to 2.8. (Jon Siwek) diff --git a/VERSION b/VERSION index 41ff87b741..05511b04c1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-375 +2.3-376 diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif index f52fadaebb..5cf2710804 100644 --- a/src/analyzer/protocol/tcp/events.bif +++ b/src/analyzer/protocol/tcp/events.bif @@ -29,8 +29,10 @@ event new_connection_contents%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_attempt%(c: connection%); -## Generated when a SYN-ACK packet is seen in response to a SYN packet during -## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may +## Generated when seeing a SYN-ACK packet from the responder in a TCP +## handshake. An associated SYN packet was not seen from the originator +## side if its state is not set to :bro:see:`TCP_ESTABLISHED`. +## The final ACK of the handshake in response to SYN-ACK may ## or may not occur later, one way to tell is to check the *history* field of ## :bro:type:`connection` to see if the originator sent an ACK, indicated by ## 'A' in the history string. From 0480f0d81160e19f17f4107608c0f2fafdb15ef9 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 13 Jan 2015 08:38:18 -0800 Subject: [PATCH 31/48] small changes to ec curve names in a newer draft --- scripts/base/protocols/ssl/consts.bro | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 278a2a37ae..3d115419d4 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro 
@@ -158,12 +158,11 @@ export { [26] = "brainpoolP256r1", [27] = "brainpoolP384r1", [28] = "brainpoolP512r1", - # draft-ietf-tls-negotiated-ff-dhe-02 - [256] = "ffdhe2432", + # draft-ietf-tls-negotiated-ff-dhe-05 + [256] = "ffdhe2048", [257] = "ffdhe3072", [258] = "ffdhe4096", - [259] = "ffdhe6144", - [260] = "ffdhe8192", + [259] = "ffdhe8192", [0xFF01] = "arbitrary_explicit_prime_curves", [0xFF02] = "arbitrary_explicit_char2_curves" } &default=function(i: count):string { return fmt("unknown-%d", i); }; From 272916c18922575add906fde9ec85be9e03d8a19 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 13 Jan 2015 14:39:25 -0500 Subject: [PATCH 32/48] Updating MySQL with Robin's suggestions: - Use a boolean success instead of a result string - Change the affected_rows response detail string to a "rows" count - Fix the state tracking to log incomplete commands --- scripts/base/protocols/mysql/main.bro | 42 ++++++++++++------ .../mysql.log | 32 +++++++------- .../mysql.log | 44 +++++++++---------- 3 files changed, 67 insertions(+), 51 deletions(-) diff --git a/scripts/base/protocols/mysql/main.bro b/scripts/base/protocols/mysql/main.bro index d0d3d4b3d6..49bb6e7564 100644 --- a/scripts/base/protocols/mysql/main.bro +++ b/scripts/base/protocols/mysql/main.bro @@ -18,8 +18,10 @@ export { cmd: string &log; ## The argument issued to the command arg: string &log; - ## The result (error, OK, etc.) from the server - result: string &log &optional; + ## Did the server tell us that the command succeeded? + success: bool &log &optional; + ## The number of affected rows, if any + rows: count &log &optional; ## Server message, if any response: string &log &optional; }; 
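Review bot: The renumbered entries in this table change the meaning of code points that the removed lines had already assigned: `[259]` goes from "ffdhe6144" to "ffdhe8192", `[256]` from "ffdhe2432" to "ffdhe2048", and `[260]` now falls through to the `unknown-%d` default. Traffic from a peer that still uses the earlier draft's numbering would therefore be logged under a different group name than the one it negotiated, which matters to anyone who uses this name to spot weak key-exchange groups. I would record that next to the draft reference, for example `# Code points 256, 259 and 260 were assigned differently in draft -02; names follow -05.` The table itself starts before this hunk.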
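Review bot: The new `success` field comment does not say what an unset value means. This commit also writes records for commands that never got a reply (the flush in `mysql_command_request` and the `connection_state_remove` handler further down), so `-` in mysql.log becomes a third state next to T and F. Suggest `## Did the server tell us that the command succeeded? Unset when no reply was seen before the record was written.` The `rows` comment could likewise say where the value comes from, e.g. `## The number of affected rows reported in the server's OK reply, if any`. The record being extended begins above this hunk.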
@@ -57,16 +59,21 @@ event mysql_handshake(c: connection, username: string) event mysql_command_request(c: connection, command: count, arg: string) &priority=5 { - if ( ! c?$mysql ) + if ( c?$mysql ) { - local info: Info; - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - info$cmd = commands[command]; - info$arg = sub(arg, /\0$/, ""); - c$mysql = info; + # We got a request, but we haven't logged our + # previous request yet, so let's do that now. + Log::write(mysql::LOG, c$mysql); + delete c$mysql; } + + local info: Info; + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + info$cmd = commands[command]; + info$arg = sub(arg, /\0$/, ""); + c$mysql = info; } event mysql_command_request(c: connection, command: count, arg: string) &priority=-5 @@ -83,7 +90,7 @@ event mysql_error(c: connection, code: count, msg: string) &priority=5 { if ( c?$mysql ) { - c$mysql$result = "error"; + c$mysql$success = F; c$mysql$response = msg; } } @@ -101,8 +108,8 @@ event mysql_ok(c: connection, affected_rows: count) &priority=5 { if ( c?$mysql ) { - c$mysql$result = "ok"; - c$mysql$response = fmt("Affected rows: %d", affected_rows); + c$mysql$success = T; + c$mysql$rows = affected_rows; } } @@ -114,3 +121,12 @@ event mysql_ok(c: connection, affected_rows: count) &priority=-5 delete c$mysql; } } + +event connection_state_remove(c: connection) &priority=-5 + { + if ( c?$mysql ) + { + Log::write(mysql::LOG, c$mysql); + delete c$mysql; + } + } \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log b/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log index 536ac3aaac..df7f3b800b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log 
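Review bot: After the flush added at the top of `mysql_command_request`, a reply that belongs to the record just written will be applied to the newer record, because `mysql_ok` and `mysql_error` set `success`, `rows` and `response` on whatever `c$mysql` currently holds. Whether that can happen depends on the analyzer delivering a request before the previous reply (for example after a content gap), which is not visible here. If it can, mysql.log would show a result against the wrong command, so I would at least note it at the flush: `# A late reply to the flushed request will be attributed to the next record.` Separately, `commands[command]` is indexed with a value taken from the wire; if the `commands` table (defined outside this hunk) has no `&default`, an unlisted command code would raise a runtime error in this handler.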
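Review bot: The body of the new `connection_state_remove` handler repeats the write-then-delete sequence that this commit also adds to `mysql_command_request`, and the file now ends without a trailing newline (`\ No newline at end of file`). A small helper that writes and clears the pending record would keep the flush points identical, which matters because a missed flush means a command silently absent from mysql.log. The helper and the handler calling it are shown below; the other call sites are outside this hunk.

```bro
function write_pending(c: connection)
	{
	if ( c?$mysql )
		{
		Log::write(mysql::LOG, c$mysql);
		delete c$mysql;
		}
	}

event connection_state_remove(c: connection) &priority=-5
	{
	write_pending(c);
	}
```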
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path mysql -#open 2014-09-05-03-02-01 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg result response -#types time string addr port addr port string string string string -1362452327.618353 CsRx2w45OKnoww6xl4 192.168.1.3 55845 192.168.1.8 3306 login root_nope error Access denied for user 'root_nope'@'lumberjack.home' (using password: NO) -1362452330.947463 CRJuHdVW0XPVINV8a 192.168.1.3 55846 192.168.1.8 3306 login root_nope error Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) -1362452332.571339 CPbrpk1qSsw6ESzHV4 192.168.1.3 55847 192.168.1.8 3306 login root_nope error Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) -1362452334.559420 C6pKV8GSxOnSLghOa 192.168.1.3 55857 192.168.1.8 3306 login root_nope error Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) -1362452336.361958 CIPOse170MGiRM1Qf4 192.168.1.3 55860 192.168.1.8 3306 login root_nope error Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) -1362452357.320858 C7XEbhP654jzLoe3a 192.168.1.3 55861 192.168.1.8 3306 login root error Access denied for user 'root'@'lumberjack.home' (using password: NO) -1362452358.565340 CJ3xTn1c4Zw9TmAE05 192.168.1.3 55862 192.168.1.8 3306 login root error Access denied for user 'root'@'lumberjack.home' (using password: YES) -1362452360.410803 CMXxB5GvmoxJFXdTa 192.168.1.3 55863 192.168.1.8 3306 login root error Access denied for user 'root'@'lumberjack.home' (using password: YES) -1362452361.886123 Caby8b1slFea8xwSmb 192.168.1.3 55864 192.168.1.8 3306 login root error Access denied for user 'root'@'lumberjack.home' (using password: YES) -1362452372.452858 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 192.168.1.8 3306 login root ok Affected rows: 0 -1362452372.454995 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 192.168.1.8 3306 query select @@version_comment limit 1 ok Affected rows: 1 -1362452372.991997 Che1bq3i2rO3KD1Syg 
192.168.1.3 55865 192.168.1.8 3306 quit (empty) - - -#close 2014-09-05-03-02-01 +#open 2015-01-13-18-11-40 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg success rows response +#types time string addr port addr port string string bool count string +1362452327.618353 CsRx2w45OKnoww6xl4 192.168.1.3 55845 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: NO) +1362452330.947463 CRJuHdVW0XPVINV8a 192.168.1.3 55846 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) +1362452332.571339 CPbrpk1qSsw6ESzHV4 192.168.1.3 55847 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) +1362452334.559420 C6pKV8GSxOnSLghOa 192.168.1.3 55857 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) +1362452336.361958 CIPOse170MGiRM1Qf4 192.168.1.3 55860 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) +1362452357.320858 C7XEbhP654jzLoe3a 192.168.1.3 55861 192.168.1.8 3306 login root F - Access denied for user 'root'@'lumberjack.home' (using password: NO) +1362452358.565340 CJ3xTn1c4Zw9TmAE05 192.168.1.3 55862 192.168.1.8 3306 login root F - Access denied for user 'root'@'lumberjack.home' (using password: YES) +1362452360.410803 CMXxB5GvmoxJFXdTa 192.168.1.3 55863 192.168.1.8 3306 login root F - Access denied for user 'root'@'lumberjack.home' (using password: YES) +1362452361.886123 Caby8b1slFea8xwSmb 192.168.1.3 55864 192.168.1.8 3306 login root F - Access denied for user 'root'@'lumberjack.home' (using password: YES) +1362452372.452858 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 192.168.1.8 3306 login root T 0 - +1362452372.454995 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 192.168.1.8 3306 query select @@version_comment limit 1 T 1 - +1362452372.991997 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 
192.168.1.8 3306 quit (empty) - - - +#close 2015-01-13-18-11-40 diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log b/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log index 7baf2954ae..a35f1a136d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log 
@@ -3,25 +3,25 @@ #empty_field (empty) #unset_field - #path mysql -#open 2014-09-05-03-02-01 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg result response -#types time string addr port addr port string string string string -1216281025.136728 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 login tfoerste ok Affected rows: 0 -1216281025.137062 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select @@version_comment limit 1 ok Affected rows: 1 -1216281030.835001 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query SELECT DATABASE() ok Affected rows: 1 -1216281030.835395 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 init_db test ok Affected rows: 0 -1216281030.835742 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query show databases ok Affected rows: 1 -1216281030.836349 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query show tables ok Affected rows: 1 -1216281030.836757 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 field_list agent ok Affected rows: 3 -1216281048.287657 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM ok Affected rows: 0 -1216281057.746222 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("dog", "Goofy") ok Affected rows: 1 -1216281061.713980 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("cat", "Garfield") ok Affected rows: 1 -1216281066.549786 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select * from foo ok Affected rows: 3 -1216281072.304467 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where name like '%oo%' ok Affected rows: 1 -1216281079.450037 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query 
delete from foo where id = 1 ok Affected rows: 0 -1216281087.437392 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select count(*) from foo ok Affected rows: 1 -1216281109.107769 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select * from foo ok Affected rows: 3 -1216281116.209268 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo ok Affected rows: 1 -1216281122.880561 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query drop table foo ok Affected rows: 0 -1216281124.418765 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 quit (empty) - - -#close 2014-09-05-03-02-01 +#open 2015-01-13-18-12-10 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg success rows response +#types time string addr port addr port string string bool count string +1216281025.136728 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 login tfoerste T 0 - +1216281025.137062 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select @@version_comment limit 1 T 1 - +1216281030.835001 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query SELECT DATABASE() T 1 - +1216281030.835395 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 init_db test T 0 - +1216281030.835742 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query show databases T 1 - +1216281030.836349 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query show tables T 1 - +1216281030.836757 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 field_list agent T 3 - +1216281048.287657 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM T 0 - +1216281057.746222 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("dog", "Goofy") T 1 - +1216281061.713980 
CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("cat", "Garfield") T 1 - +1216281066.549786 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 3 - +1216281072.304467 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where name like '%oo%' T 1 - +1216281079.450037 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where id = 1 T 0 - +1216281087.437392 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select count(*) from foo T 1 - +1216281109.107769 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 3 - +1216281116.209268 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo T 1 - +1216281122.880561 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query drop table foo T 0 - +1216281124.418765 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 quit (empty) - - - +#close 2015-01-13-18-12-10 From f51dc5cbb87bc4fa65d124b4e4f3c49001435a2a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sat, 17 Jan 2015 08:07:18 -0800 Subject: [PATCH 33/48] Fixing (harmless) Coverity warning. --- src/file_analysis/FileReassembler.cc | 5 +++++ src/file_analysis/FileReassembler.h | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/file_analysis/FileReassembler.cc b/src/file_analysis/FileReassembler.cc index d2b4eda23d..8b678e5209 100644 --- a/src/file_analysis/FileReassembler.cc +++ b/src/file_analysis/FileReassembler.cc @@ -12,6 +12,11 @@ FileReassembler::FileReassembler(File *f, uint64 starting_offset) { } +FileReassembler::FileReassembler() + : Reassembler(), the_file(0), flushing(false) + { + } + FileReassembler::~FileReassembler() { } diff --git a/src/file_analysis/FileReassembler.h b/src/file_analysis/FileReassembler.h index aa68e865ad..396aa062e1 100644 --- a/src/file_analysis/FileReassembler.h 
+++ b/src/file_analysis/FileReassembler.h @@ -48,7 +48,7 @@ public: { return flushing; } protected: - FileReassembler() { } + FileReassembler(); DECLARE_SERIAL(FileReassembler); From 87962a48dd452f766062a70e1f8d97dd4f6d3626 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 20 Jan 2015 16:18:49 -0600 Subject: [PATCH 34/48] Add a new attribute: &deprecated. While scripts are parsed, a warning is raised for each usage of an identifier marked as &deprecated. This also works for BIFs. Addresses BIT-924, BIT-757. --- src/Attr.cc | 3 +- src/Attr.h | 3 +- src/Expr.cc | 35 +++++++--- src/ID.h | 3 + src/Type.cc | 18 +++-- src/Type.h | 7 +- src/builtin-func.y | 19 ++++-- src/parse.y | 37 ++++++++-- src/plugin/ComponentManager.h | 3 +- src/scan.l | 1 + .../btest/Baseline/language.deprecated/out | 26 +++++++ testing/btest/language/deprecated.bro | 68 +++++++++++++++++++ 12 files changed, 192 insertions(+), 31 deletions(-) create mode 100644 testing/btest/Baseline/language.deprecated/out create mode 100644 testing/btest/language/deprecated.bro diff --git a/src/Attr.cc b/src/Attr.cc index 13106b02b7..fc8d3000d1 100644 --- a/src/Attr.cc +++ b/src/Attr.cc @@ -18,7 +18,7 @@ const char* attr_name(attr_tag t) "&encrypt", "&raw_output", "&mergeable", "&priority", "&group", "&log", "&error_handler", "&type_column", - "(&tracked)", + "(&tracked)", "&deprecated", }; return attr_names[int(t)]; @@ -212,6 +212,7 @@ void Attributes::DescribeReST(ODesc* d) const void Attributes::CheckAttr(Attr* a) { switch ( a->Tag() ) { + case ATTR_DEPRECATED: case ATTR_OPTIONAL: case ATTR_REDEF: break; diff --git a/src/Attr.h b/src/Attr.h index 228bc2e5fc..63f2524c21 100644 --- a/src/Attr.h +++ b/src/Attr.h 
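Review bot: The declaration `FileReassembler();` in the protected section should carry a comment saying what state it leaves the object in, since the out-of-line definition added in FileReassembler.cc sets `the_file` to 0. Something like `// Only for unserialization; the_file stays null until it is restored.` above the declaration would do, assuming that is the only intended caller, which the `DECLARE_SERIAL(FileReassembler)` line right below suggests. Without it, any member that dereferences `the_file` relies on that convention silently. The class body starts and ends outside the hunk.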
@@ -34,7 +34,8 @@ typedef enum { ATTR_ERROR_HANDLER, ATTR_TYPE_COLUMN, // for input framework ATTR_TRACKED, // hidden attribute, tracked by NotifierRegistry -#define NUM_ATTRS (int(ATTR_TRACKED) + 1) + ATTR_DEPRECATED, +#define NUM_ATTRS (int(ATTR_DEPRECATED) + 1) } attr_tag; class Attr : public BroObj { diff --git a/src/Expr.cc b/src/Expr.cc index 671f9b2d41..d2dcb1585b 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -3213,6 +3213,10 @@ FieldExpr::FieldExpr(Expr* arg_op, const char* arg_field_name) { SetType(rt->FieldType(field)->Ref()); td = rt->FieldDecl(field); + + if ( td->FindAttr(ATTR_DEPRECATED) ) + reporter->Warning("deprecated (%s$%s)", rt->GetName().c_str(), + field_name); } } } @@ -3333,6 +3337,9 @@ HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name) if ( field < 0 ) ExprError("no such field in record"); + else if ( rt->FieldDecl(field)->FindAttr(ATTR_DEPRECATED) ) + reporter->Warning("deprecated (%s?$%s)", rt->GetName().c_str(), + field_name); SetType(base_type(TYPE_BOOL)); } @@ -4147,16 +4154,28 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r) } for ( i = 0; i < map_size; ++i ) - if ( map[i] == -1 && - ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) ) + { + if ( map[i] == -1 ) { - char buf[512]; - safe_snprintf(buf, sizeof(buf), - "non-optional field \"%s\" missing", t_r->FieldName(i)); - Error(buf); - SetError(); - break; + if ( ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) ) + { + char buf[512]; + safe_snprintf(buf, sizeof(buf), + "non-optional field \"%s\" missing", + t_r->FieldName(i)); + Error(buf); + SetError(); + break; + } } + else + { + if ( t_r->FieldDecl(i)->FindAttr(ATTR_DEPRECATED) ) + reporter->Warning("deprecated (%s$%s)", + t_r->GetName().c_str(), + t_r->FieldName(i)); + } + } } } diff --git a/src/ID.h b/src/ID.h index 31cfad4191..ca5d222373 100644 --- a/src/ID.h +++ b/src/ID.h 
@@ -80,6 +80,9 @@ public: Attr* FindAttr(attr_tag t) const { return attrs ? attrs->FindAttr(t) : 0; } + bool IsDeprecated() const + { return FindAttr(ATTR_DEPRECATED) != 0; } + void Error(const char* msg, const BroObj* o2 = 0); void Describe(ODesc* d) const; diff --git a/src/Type.cc b/src/Type.cc index ead31f1b7d..b5466c27ba 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -1434,7 +1434,7 @@ EnumType::~EnumType() // Note, we use reporter->Error() here (not Error()) to include the current script // location in the error message, rather than the one where the type was // originally defined. -void EnumType::AddName(const string& module_name, const char* name, bool is_export) +void EnumType::AddName(const string& module_name, const char* name, bool is_export, bool deprecated) { /* implicit, auto-increment */ if ( counter < 0) @@ -1443,11 +1443,11 @@ void EnumType::AddName(const string& module_name, const char* name, bool is_expo SetError(); return; } - CheckAndAddName(module_name, name, counter, is_export); + CheckAndAddName(module_name, name, counter, is_export, deprecated); counter++; } -void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export) +void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export, bool deprecated) { /* explicit value specified */ if ( counter > 0 ) @@ -1457,11 +1457,11 @@ void EnumType::AddName(const string& module_name, const char* name, bro_int_t va return; } counter = -1; - CheckAndAddName(module_name, name, val, is_export); + CheckAndAddName(module_name, name, val, is_export, deprecated); } void EnumType::CheckAndAddName(const string& module_name, const char* name, - bro_int_t val, bool is_export) + bro_int_t val, bool is_export, bool deprecated) { if ( Lookup(val) ) { 
@@ -1477,6 +1477,14 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name, id = install_ID(name, module_name.c_str(), true, is_export); id->SetType(this->Ref()); id->SetEnumConst(); + + if ( deprecated ) + { + attr_list* attr = new attr_list; + attr->append(new Attr(ATTR_DEPRECATED)); + id->AddAttrs(new Attributes(attr, id->Type(), false)); + } + broxygen_mgr->Identifier(id); } else diff --git a/src/Type.h b/src/Type.h index a9f1e42a6d..f902b0d907 100644 --- a/src/Type.h +++ b/src/Type.h @@ -554,12 +554,12 @@ public: // The value of this name is next internal counter value, starting // with zero. The internal counter is incremented. - void AddName(const string& module_name, const char* name, bool is_export); + void AddName(const string& module_name, const char* name, bool is_export, bool deprecated); // The value of this name is set to val. Once a value has been // explicitly assigned using this method, no further names can be // added that aren't likewise explicitly initalized. - void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export); + void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export, bool deprecated); // -1 indicates not found. bro_int_t Lookup(const string& module_name, const char* name) const; @@ -580,7 +580,8 @@ protected: const char* name, bro_int_t val, bool is_export); void CheckAndAddName(const string& module_name, - const char* name, bro_int_t val, bool is_export); + const char* name, bro_int_t val, bool is_export, + bool deprecated); typedef std::map< const char*, bro_int_t, ltstr > NameMap; NameMap names; diff --git a/src/builtin-func.y b/src/builtin-func.y index 1b22436fff..0f895ced52 100644 --- a/src/builtin-func.y +++ b/src/builtin-func.y 
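Review bot: In the first Type.h hunk, appending `bool deprecated` to both `AddName` overloads means a caller that still passes the old four arguments `(module_name, name, val, is_export)` keeps compiling, but now binds to the auto-increment overload, with `val` converted to `is_export` and `is_export` read as `deprecated`. The caller visible in this patch is updated (ComponentManager.h passes `false`), but out-of-tree code would change meaning without a diagnostic. The comments above the two declarations also do not mention the new flag. At minimum add `// If deprecated is true, the new identifier is marked &deprecated.`, and consider a parameter type other than a bare `bool` so that a stale call fails to compile.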
@@ -287,7 +287,7 @@ void record_bif_item(const char* id, const char* type) %left ',' ':' -%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list +%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list opt_func_attrs %type TOK_ATOM TOK_BOOL %union { @@ -372,7 +372,13 @@ type_def_types: TOK_RECORD { set_definition_type(TYPE_DEF, "Table"); } ; -event_def: event_prefix opt_ws plain_head opt_attr_list +opt_func_attrs: attr_list opt_ws + { $$ = $1; } + | /* nothing */ + { $$ = ""; } + ; + +event_def: event_prefix opt_ws plain_head opt_func_attrs { fprintf(fp_bro_init, "%s", $4); } end_of_head ';' { print_event_c_prototype(fp_func_h, true); @@ -380,13 +386,16 @@ event_def: event_prefix opt_ws plain_head opt_attr_list print_event_c_body(fp_func_def); } -func_def: func_prefix opt_ws typed_head end_of_head body +func_def: func_prefix opt_ws typed_head opt_func_attrs + { fprintf(fp_bro_init, "%s", $4); } end_of_head body ; -enum_def: enum_def_1 enum_list TOK_RPB +enum_def: enum_def_1 enum_list TOK_RPB opt_attr_list { // First, put an end to the enum type decl. - fprintf(fp_bro_init, "};\n"); + fprintf(fp_bro_init, "} "); + fprintf(fp_bro_init, "%s", $4); + fprintf(fp_bro_init, ";\n"); if ( decl.module_name != GLOBAL_MODULE_NAME ) fprintf(fp_netvar_h, "}; } }\n"); else diff --git a/src/parse.y b/src/parse.y index 83760dbbf0..9261775932 100644 --- a/src/parse.y +++ b/src/parse.y @@ -2,7 +2,7 @@ // See the file "COPYING" in the main distribution directory for copyright. %} -%expect 75 +%expect 78 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF @@ -24,7 +24,7 @@ %token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED %token TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE %token TOK_ATTR_PRIORITY TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER -%token TOK_ATTR_TYPE_COLUMN +%token TOK_ATTR_TYPE_COLUMN TOK_ATTR_DEPRECATED %token TOK_DEBUG 
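Review bot: Raising `%expect` from 75 to 78 in the first parse.y hunk accepts three new conflicts without saying where they come from. The grammar additions are in later hunks, so the source can only be guessed from here. A short comment next to the directive naming the rules responsible, for example `/* +3: optional &deprecated after enum constants */` if that is indeed the cause, would let the next person tell an expected conflict from a new ambiguity.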
@@ -44,7 +44,7 @@ %right '!' %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR -%type opt_no_test opt_no_test_block +%type opt_no_test opt_no_test_block opt_deprecated %type TOK_ID TOK_PATTERN_TEXT single_pattern %type local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func %type local_id_list @@ -671,6 +671,9 @@ expr: } else $$ = new NameExpr(id); + + if ( id->IsDeprecated() ) + reporter->Warning("deprecated (%s)", id->Name()); } } @@ -759,7 +762,7 @@ enum_body_elem: error messages if someboy tries to use constant variables as enumerator. */ - TOK_ID '=' TOK_CONSTANT + TOK_ID '=' TOK_CONSTANT opt_deprecated { set_location(@1, @3); assert(cur_enum_type); @@ -768,7 +771,7 @@ enum_body_elem: reporter->Error("enumerator is not a count constant"); else cur_enum_type->AddName(current_module, $1, - $3->InternalUnsigned(), is_export); + $3->InternalUnsigned(), is_export, $4); } | TOK_ID '=' '-' TOK_CONSTANT @@ -780,11 +783,11 @@ enum_body_elem: reporter->Error("enumerator is not a count constant"); } - | TOK_ID + | TOK_ID opt_deprecated { set_location(@1); assert(cur_enum_type); - cur_enum_type->AddName(current_module, $1, is_export); + cur_enum_type->AddName(current_module, $1, is_export, $2); } ; @@ -963,7 +966,12 @@ type: $$ = error_type(); } else + { Ref($$); + + if ( $1->IsDeprecated() ) + reporter->Warning("deprecated (%s)", $1->Name()); + } } ; @@ -1265,6 +1273,8 @@ attr: { $$ = new Attr(ATTR_LOG); } | TOK_ATTR_ERROR_HANDLER { $$ = new Attr(ATTR_ERROR_HANDLER); } + | TOK_ATTR_DEPRECATED + { $$ = new Attr(ATTR_DEPRECATED); } ; stmt: @@ -1450,6 +1460,10 @@ event: { set_location(@1, @4); $$ = new EventExpr($1, $3); + ID* id = lookup_ID($1, current_module.c_str()); + + if ( id && id->IsDeprecated() ) + reporter->Warning("deprecated (%s)", id->Name()); } ; 
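Review bot: In the `event:` action (hunk at -1450), the `ID*` returned by `lookup_ID($1, current_module.c_str())` is used only for the deprecation check and then dropped. `lookup_ID` is not shown in this patch; if it returns a reference the caller owns, each event statement leaks one reference, and an `Unref(id);` after the check would balance it. If it returns a borrowed pointer instead, a one-line comment saying so would help.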
@@ -1556,6 +1570,9 @@ global_or_event_id: if ( ! $$->IsGlobal() ) $$->Error("already a local identifier"); + if ( $$->IsDeprecated() ) + reporter->Warning("deprecated (%s)", $$->Name()); + delete [] $1; } @@ -1597,6 +1614,12 @@ opt_no_test_block: | { $$ = false; } +opt_deprecated: + TOK_ATTR_DEPRECATED + { $$ = true; } + | + { $$ = false; } + %% int yyerror(const char msg[]) diff --git a/src/plugin/ComponentManager.h b/src/plugin/ComponentManager.h index 7337cf069a..0069c77359 100644 --- a/src/plugin/ComponentManager.h +++ b/src/plugin/ComponentManager.h @@ -243,7 +243,8 @@ void ComponentManager::RegisterComponent(C* component, // Install an identfier for enum value string id = fmt("%s%s", prefix.c_str(), cname.c_str()); tag_enum_type->AddName(module, id.c_str(), - component->Tag().AsEnumVal()->InternalInt(), true); + component->Tag().AsEnumVal()->InternalInt(), true, + false); } } // namespace plugin diff --git a/src/scan.l b/src/scan.l index 0820567c30..ae11382fb3 100644 --- a/src/scan.l +++ b/src/scan.l @@ -260,6 +260,7 @@ when return TOK_WHEN; &create_expire return TOK_ATTR_EXPIRE_CREATE; &default return TOK_ATTR_DEFAULT; &delete_func return TOK_ATTR_DEL_FUNC; +&deprecated return TOK_ATTR_DEPRECATED; &raw_output return TOK_ATTR_RAW_OUTPUT; &encrypt return TOK_ATTR_ENCRYPT; &error_handler return TOK_ATTR_ERROR_HANDLER; diff --git a/testing/btest/Baseline/language.deprecated/out b/testing/btest/Baseline/language.deprecated/out new file mode 100644 index 0000000000..9587bf033f --- /dev/null +++ b/testing/btest/Baseline/language.deprecated/out 
@@ -0,0 +1,26 @@ +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 30: deprecated (ONE) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 31: deprecated (TWO) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 33: deprecated (GREEN) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 34: deprecated (BLUE) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 36: deprecated (blah) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 40: deprecated (my_event) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 41: deprecated (my_event) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 42: deprecated (my_hook) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 44: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 45: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 46: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 48: deprecated (my_record?$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 49: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 52: deprecated (my_record$b) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 55: deprecated (my_event) +warning in 
/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 60: deprecated (my_hook) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 65: deprecated (blah) +ZERO +ONE +TWO +RED +GREEN +BLUE +generate my_hook please +generate my_event please +schedule my_event please diff --git a/testing/btest/language/deprecated.bro b/testing/btest/language/deprecated.bro new file mode 100644 index 0000000000..0a6d269fad --- /dev/null +++ b/testing/btest/language/deprecated.bro @@ -0,0 +1,68 @@ +# @TEST-EXEC: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +type blah: string &deprecated; + +global my_event: event(arg: string) &deprecated; + +global my_hook: hook(arg: string) &deprecated; + +type my_record: record { + a: count &default = 1; + b: string &optional &deprecated; +}; + +type my_enum: enum { + RED, + GREEN &deprecated, + BLUE &deprecated +}; + +type my_other_enum: enum { + ZERO = 0, + ONE = 1 &deprecated, + TWO = 2 &deprecated +}; + +event bro_init() + { + print ZERO; + print ONE; + print TWO; + print RED; + print GREEN; + print BLUE; + + local l: blah = "testing"; + + local ls: string = " test"; + + event my_event("generate my_event please"); + schedule 1sec { my_event("schedule my_event please") }; + hook my_hook("generate my_hook please"); + + local mr = my_record($a = 3, $b = "yeah"); + mr = [$a = 4, $b = "ye"]; + mr = record($a = 5, $b = "y"); + + if ( ! mr?$b ) + mr$b = "nooooooo"; + + mr$a = 2; + mr$b = "noooo"; + } + +event my_event(arg: string) + { + print arg; + } + +hook my_hook(arg: string) + { + print arg; + } + +function hmm(b: blah) + { + print b; + } From 011e2cdd323d36bae0ecf3a716af0afe0f9cabdf Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Wed, 21 Jan 2015 12:27:09 -0600 Subject: [PATCH 35/48] Improve use of &deprecated on functions. - Don't report warnings on function definition if declaration is marked deprecated. - Allow &deprecated to apply to a standalone function definition. --- src/ID.cc | 10 ++++++++ src/ID.h | 2 ++ src/Type.cc | 6 +---- src/Var.cc | 4 ++++ src/parse.y | 23 ++++++++++++++++++- .../btest/Baseline/language.deprecated/out | 2 ++ testing/btest/language/deprecated.bro | 12 ++++++++++ 7 files changed, 53 insertions(+), 6 deletions(-) diff --git a/src/ID.cc b/src/ID.cc index aa965b880e..a308ffa81d 100644 --- a/src/ID.cc +++ b/src/ID.cc @@ -248,6 +248,16 @@ void ID::UpdateValAttrs() } } +void ID::MakeDeprecated() + { + if ( IsDeprecated() ) + return; + + attr_list* attr = new attr_list; + attr->append(new Attr(ATTR_DEPRECATED)); + AddAttrs(new Attributes(attr, Type(), false)); + } + void ID::AddAttrs(Attributes* a) { if ( attrs ) diff --git a/src/ID.h b/src/ID.h index ca5d222373..805a8e391b 100644 --- a/src/ID.h +++ b/src/ID.h @@ -83,6 +83,8 @@ public: bool IsDeprecated() const { return FindAttr(ATTR_DEPRECATED) != 0; } + void MakeDeprecated(); + void Error(const char* msg, const BroObj* o2 = 0); void Describe(ODesc* d) const; diff --git a/src/Type.cc b/src/Type.cc index b5466c27ba..9aa86da8dc 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -1479,11 +1479,7 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name, id->SetEnumConst(); if ( deprecated ) - { - attr_list* attr = new attr_list; - attr->append(new Attr(ATTR_DEPRECATED)); - id->AddAttrs(new Attributes(attr, id->Type(), false)); - } + id->MakeDeprecated(); broxygen_mgr->Identifier(id); } diff --git a/src/Var.cc b/src/Var.cc index 0a196b9cac..95ec5802ef 100644 --- a/src/Var.cc +++ b/src/Var.cc 
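Review bot: `ID::MakeDeprecated()` is added without a comment in either the ID.cc hunk or the ID.h hunk. I would document it at the declaration, e.g. `// Marks this identifier &deprecated; does nothing if it already is.`, which matches the early return on `IsDeprecated()`. It is also worth stating that the freshly allocated `attr_list` and `Attributes` are handed to `AddAttrs`, whose body is outside the hunk, so ownership after the call is not evident from here.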
@@ -435,6 +435,10 @@ void end_func(Stmt* body, attr_list* attrs) loop_over_list(*attrs, i) { Attr* a = (*attrs)[i]; + + if ( a->Tag() == ATTR_DEPRECATED ) + continue; + if ( a->Tag() != ATTR_PRIORITY ) { a->Error("illegal attribute for function body"); diff --git a/src/parse.y b/src/parse.y index 9261775932..f74880dc13 100644 --- a/src/parse.y +++ b/src/parse.y @@ -227,6 +227,18 @@ static bool expr_is_table_type_name(const Expr* expr) return false; } + +static bool has_attr(const attr_list* al, attr_tag tag) + { + if ( ! al ) + return false; + + for ( int i = 0; i < al->length(); ++i ) + if ( (*al)[i]->Tag() == tag ) + return true; + + return false; + } %} %union { @@ -1147,6 +1159,9 @@ func_body: { saved_in_init.push_back(in_init); in_init = 0; + + if ( has_attr($1, ATTR_DEPRECATED) ) + current_scope()->ScopeID()->MakeDeprecated(); } stmt_list @@ -1571,7 +1586,13 @@ global_or_event_id: $$->Error("already a local identifier"); if ( $$->IsDeprecated() ) - reporter->Warning("deprecated (%s)", $$->Name()); + { + BroType* t = $$->Type(); + + if ( t->Tag() != TYPE_FUNC || + t->AsFuncType()->Flavor() != FUNC_FLAVOR_FUNCTION ) + reporter->Warning("deprecated (%s)", $$->Name()); + } delete [] $1; } diff --git a/testing/btest/Baseline/language.deprecated/out b/testing/btest/Baseline/language.deprecated/out index 9587bf033f..5bdf87a62b 100644 --- a/testing/btest/Baseline/language.deprecated/out +++ b/testing/btest/Baseline/language.deprecated/out 
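Review bot: The new condition in `global_or_event_id` (hunk at -1571) silences the warning for every identifier of plain function flavor without saying why, while events and hooks still warn at their handler definitions (the baseline keeps the line 55 and line 60 entries). A comment such as `// A deprecated function should not warn at its own definition; events and hooks still do.` would record the intent. The rule starts outside the hunk, so whether it is also reached for something other than a definition cannot be confirmed from here.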
@@ -15,6 +15,8 @@ warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 55: deprecated (my_event) warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 60: deprecated (my_hook) warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 65: deprecated (blah) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 74: deprecated (dont_use_me) +warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 79: deprecated (dont_use_me_either) ZERO ONE TWO diff --git a/testing/btest/language/deprecated.bro b/testing/btest/language/deprecated.bro index 0a6d269fad..ec9c3c9e1e 100644 --- a/testing/btest/language/deprecated.bro +++ b/testing/btest/language/deprecated.bro @@ -66,3 +66,15 @@ function hmm(b: blah) { print b; } + +global dont_use_me: function() &deprecated; + +function dont_use_me() + { + dont_use_me(); + } + +function dont_use_me_either() &deprecated + { + dont_use_me_either(); + } From 23f04835c6173c1fee0c202de2c4a9e83f691203 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Wed, 21 Jan 2015 15:34:42 -0600 Subject: [PATCH 36/48] Deprecate split* family of BIFs. These functions are now deprecated in favor of alternative versions that return a vector of strings rather than a table of strings. Deprecated functions: - split: use split_string instead. - split1: use split_string1 instead. - split_all: use split_string_all instead. - split_n: use split_string_n instead. - cat_string_array: see join_string_vec instead. - cat_string_array_n: see join_string_vec instead. - join_string_array: see join_string_vec instead. - sort_string_array: use sort instead instead. - find_ip_addresses: use extract_ip_addresses instead. Changed functions: - has_valid_octets: uses a string_vec parameter instead of string_array. Addresses BIT-924, BIT-757. --- scripts/base/files/unified2/main.bro | 22 +- scripts/base/frameworks/logging/main.bro | 24 +- scripts/base/frameworks/software/main.bro | 122 ++++---- scripts/base/protocols/dhcp/utils.bro | 4 +- scripts/base/protocols/ftp/main.bro | 2 +- scripts/base/protocols/http/main.bro | 8 +- scripts/base/protocols/http/utils.bro | 8 +- scripts/base/protocols/smtp/main.bro | 12 +- scripts/base/utils/active-http.bro | 10 +- scripts/base/utils/addrs.bro | 36 ++- scripts/base/utils/exec.bro | 12 +- scripts/base/utils/files.bro | 2 +- scripts/base/utils/numbers.bro | 8 +- scripts/base/utils/paths.bro | 24 +- scripts/base/utils/patterns.bro | 4 +- scripts/base/utils/urls.bro | 42 +-- .../policy/frameworks/files/detect-MHR.bro | 6 +- .../frameworks/intel/seen/http-headers.bro | 2 +- scripts/policy/frameworks/intel/seen/smtp.bro | 20 +- .../policy/frameworks/software/vulnerable.bro | 16 +- .../policy/misc/detect-traceroute/main.bro | 8 +- .../http/software-browser-plugins.bro | 8 +- scripts/policy/protocols/smtp/blocklists.bro | 2 +- scripts/policy/protocols/ssl/notary.bro | 12 +- src/strings.bif | 162 ++++++++++- testing/btest/Baseline/bifs.split_string/out | 32 +++ 
testing/btest/Baseline/plugins.hooks/output | 264 +++++++++--------- .../Baseline/scripts.base.utils.addrs/output | 14 +- testing/btest/bifs/split_string.bro | 36 +++ testing/btest/scripts/base/utils/addrs.test | 11 +- 30 files changed, 574 insertions(+), 359 deletions(-) create mode 100644 testing/btest/Baseline/bifs.split_string/out create mode 100644 testing/btest/bifs/split_string.bro diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro index 627bcc9fee..73f98aa5f8 100644 --- a/scripts/base/files/unified2/main.bro +++ b/scripts/base/files/unified2/main.bro @@ -152,26 +152,26 @@ redef record fa_file += { event Unified2::read_sid_msg_line(desc: Input::EventDescription, tpe: Input::Event, line: string) { - local parts = split_n(line, / \|\| /, F, 100); - if ( |parts| >= 2 && /^[0-9]+$/ in parts[1] ) - sid_map[to_count(parts[1])] = parts[2]; + local parts = split_string_n(line, / \|\| /, F, 100); + if ( |parts| >= 2 && /^[0-9]+$/ in parts[0] ) + sid_map[to_count(parts[0])] = parts[1]; } event Unified2::read_gen_msg_line(desc: Input::EventDescription, tpe: Input::Event, line: string) { - local parts = split_n(line, / \|\| /, F, 3); - if ( |parts| >= 2 && /^[0-9]+$/ in parts[1] ) - gen_map[to_count(parts[1])] = parts[3]; + local parts = split_string_n(line, / \|\| /, F, 3); + if ( |parts| >= 2 && /^[0-9]+$/ in parts[0] ) + gen_map[to_count(parts[0])] = parts[2]; } event Unified2::read_classification_line(desc: Input::EventDescription, tpe: Input::Event, line: string) { - local parts = split_n(line, /: /, F, 2); + local parts = split_string_n(line, /: /, F, 2); if ( |parts| == 2 ) { - local parts2 = split_n(parts[2], /,/, F, 4); + local parts2 = split_string_n(parts[1], /,/, F, 4); if ( |parts2| > 1 ) - classification_map[|classification_map|+1] = parts2[1]; + classification_map[|classification_map|+1] = parts2[0]; } } 
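Review bot: In `Unified2::read_gen_msg_line` the guard is `|parts| >= 2`, but the assignment reads `parts[2]`, the third element of the vector returned by `split_string_n`. A gen-msg line with only two ` || `-separated fields passes the check and then indexes past the end of the vector. The guard should require three elements: `if ( |parts| >= 3 && /^[0-9]+$/ in parts[0] )`. The old table-based code had the same mismatch (`parts[3]`), so this is carried over rather than introduced, but the conversion is a good place to fix it.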
@@ -249,9 +249,9 @@ event bro_init() &priority=5 event file_new(f: fa_file) { local file_dir = ""; - local parts = split_all(f$source, /\/[^\/]*$/); + local parts = split_string_all(f$source, /\/[^\/]*$/); if ( |parts| == 3 ) - file_dir = parts[1]; + file_dir = parts[0]; if ( (watch_file != "" && f$source == watch_file) || (watch_dir != "" && compress_path(watch_dir) == file_dir) ) diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index bf1affcb01..d4d5c0244e 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro 
@@ -405,30 +405,30 @@ function default_path_func(id: ID, path: string, rec: any) : string local id_str = fmt("%s", id); - local parts = split1(id_str, /::/); + local parts = split_string1(id_str, /::/); if ( |parts| == 2 ) { # Example: Notice::LOG -> "notice" - if ( parts[2] == "LOG" ) + if ( parts[1] == "LOG" ) { - local module_parts = split_n(parts[1], /[^A-Z][A-Z][a-z]*/, T, 4); + local module_parts = split_string_n(parts[0], /[^A-Z][A-Z][a-z]*/, T, 4); local output = ""; - if ( 1 in module_parts ) - output = module_parts[1]; + if ( 0 in module_parts ) + output = module_parts[0]; + if ( 1 in module_parts && module_parts[1] != "" ) + output = cat(output, sub_bytes(module_parts[1],1,1), "_", sub_bytes(module_parts[1], 2, |module_parts[1]|)); if ( 2 in module_parts && module_parts[2] != "" ) - output = cat(output, sub_bytes(module_parts[2],1,1), "_", sub_bytes(module_parts[2], 2, |module_parts[2]|)); + output = cat(output, "_", module_parts[2]); if ( 3 in module_parts && module_parts[3] != "" ) - output = cat(output, "_", module_parts[3]); - if ( 4 in module_parts && module_parts[4] != "" ) - output = cat(output, sub_bytes(module_parts[4],1,1), "_", sub_bytes(module_parts[4], 2, |module_parts[4]|)); + output = cat(output, sub_bytes(module_parts[3],1,1), "_", sub_bytes(module_parts[3], 2, |module_parts[3]|)); return to_lower(output); } # Example: Notice::POLICY_LOG -> "notice_policy" - if ( /_LOG$/ in parts[2] ) - parts[2] = sub(parts[2], /_LOG$/, ""); + if ( /_LOG$/ in parts[1] ) + parts[1] = sub(parts[1], /_LOG$/, ""); - return cat(to_lower(parts[1]),"_",to_lower(parts[2])); + return cat(to_lower(parts[0]),"_",to_lower(parts[1])); } else return to_lower(id_str); diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index f5c9927126..f7b8ce9326 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro 
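Review bot: `default_path_func` now mixes 0-based vector indices (`module_parts[1]`) with the unchanged `sub_bytes(module_parts[1],1,1)` and `sub_bytes(..., 2, ...)` arguments, which read like an off-by-one left over from the conversion. They are not, because `sub_bytes()` positions are 1-based offsets into the string. A comment above the block, e.g. `# module_parts is 0-indexed; the sub_bytes() offsets below are 1-based and intentionally unchanged.`, would prevent a well-meant "fix". The function starts outside the hunk.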
@@ -133,62 +133,62 @@ function parse(unparsed_version: string): Description { # The regular expression should match the complete version number # and software name. - local version_parts = split_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1); - if ( 1 in version_parts ) + local version_parts = split_string_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1); + if ( 0 in version_parts ) { - if ( /^\(/ in version_parts[1] ) - software_name = strip(sub(version_parts[1], /[\(]/, "")); + if ( /^\(/ in version_parts[0] ) + software_name = strip(sub(version_parts[0], /[\(]/, "")); else - software_name = strip(version_parts[1]); + software_name = strip(version_parts[0]); } if ( |version_parts| >= 2 ) { # Remove the name/version separator if it's left at the beginning # of the version number from the previous split_all. - local sv = strip(version_parts[2]); + local sv = strip(version_parts[1]); if ( /^[\/\-\._v\(]/ in sv ) - sv = strip(sub(version_parts[2], /^\(?[\/\-\._v\(]/, "")); - local version_numbers = split_n(sv, /[\-\._,\[\(\{ ]/, F, 3); - if ( 5 in version_numbers && version_numbers[5] != "" ) - v$addl = strip(version_numbers[5]); - else if ( 3 in version_parts && version_parts[3] != "" && - version_parts[3] != ")" ) + sv = strip(sub(version_parts[1], /^\(?[\/\-\._v\(]/, "")); + local version_numbers = split_string_n(sv, /[\-\._,\[\(\{ ]/, F, 3); + if ( 4 in version_numbers && version_numbers[4] != "" ) + v$addl = strip(version_numbers[4]); + else if ( 2 in version_parts && version_parts[2] != "" && + version_parts[2] != ")" ) { - if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[3] ) + if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[2] ) { - v$addl = split_n(version_parts[3], /[\(\)]/, F, 2)[2]; + v$addl = split_string_n(version_parts[2], /[\(\)]/, F, 2)[1]; } else { - local vp = split_n(version_parts[3], /[\-\._,;\[\]\(\)\{\} ]/, F, 3); - if ( |vp| >= 1 && vp[1] != "" ) + local vp = 
split_string_n(version_parts[2], /[\-\._,;\[\]\(\)\{\} ]/, F, 3); + if ( |vp| >= 1 && vp[0] != "" ) + { + v$addl = strip(vp[0]); + } + else if ( |vp| >= 2 && vp[1] != "" ) { v$addl = strip(vp[1]); } - else if ( |vp| >= 2 && vp[2] != "" ) + else if ( |vp| >= 3 && vp[2] != "" ) { v$addl = strip(vp[2]); } - else if ( |vp| >= 3 && vp[3] != "" ) - { - v$addl = strip(vp[3]); - } else { - v$addl = strip(version_parts[3]); + v$addl = strip(version_parts[2]); } } } - if ( 4 in version_numbers && version_numbers[4] != "" ) - v$minor3 = extract_count(version_numbers[4]); if ( 3 in version_numbers && version_numbers[3] != "" ) - v$minor2 = extract_count(version_numbers[3]); + v$minor3 = extract_count(version_numbers[3]); if ( 2 in version_numbers && version_numbers[2] != "" ) - v$minor = extract_count(version_numbers[2]); + v$minor2 = extract_count(version_numbers[2]); if ( 1 in version_numbers && version_numbers[1] != "" ) - v$major = extract_count(version_numbers[1]); + v$minor = extract_count(version_numbers[1]); + if ( 0 in version_numbers && version_numbers[0] != "" ) + v$major = extract_count(version_numbers[0]); } } @@ -200,14 +200,14 @@ function parse_mozilla(unparsed_version: string): Description { local software_name = ""; local v: Version; - local parts: table[count] of string; + local parts: string_vec; if ( /Opera [0-9\.]*$/ in unparsed_version ) { software_name = "Opera"; - parts = split_all(unparsed_version, /Opera [0-9\.]*$/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Opera [0-9\.]*$/); + if ( 1 in parts ) + v = parse(parts[1])$version; } else if ( / MSIE |Trident\// in unparsed_version ) { 
@@ -222,28 +222,28 @@ function parse_mozilla(unparsed_version: string): Description v = [$major=11,$minor=0]; else { - parts = split_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } } else if ( /Version\/.*Safari\// in unparsed_version ) { software_name = "Safari"; - parts = split_all(unparsed_version, /Version\/[0-9\.]*/); - if ( 2 in parts ) + parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/); + if ( 1 in parts ) { - v = parse(parts[2])$version; + v = parse(parts[1])$version; if ( / Mobile\/?.* Safari/ in unparsed_version ) v$addl = "Mobile"; } } else if ( /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/ in unparsed_version ) { - parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/); - if ( 2 in parts ) + parts = split_string_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/); + if ( 1 in parts ) { - local tmp_s = parse(parts[2]); + local tmp_s = parse(parts[1]); software_name = tmp_s$name; v = tmp_s$version; } 
@@ -251,48 +251,48 @@ function parse_mozilla(unparsed_version: string): Description else if ( /Chrome\/.*Safari\// in unparsed_version ) { software_name = "Chrome"; - parts = split_all(unparsed_version, /Chrome\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Chrome\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } else if ( /^Opera\// in unparsed_version ) { if ( /Opera M(ini|obi)\// in unparsed_version ) { - parts = split_all(unparsed_version, /Opera M(ini|obi)/); - if ( 2 in parts ) - software_name = parts[2]; - parts = split_all(unparsed_version, /Version\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Opera M(ini|obi)/); + if ( 1 in parts ) + software_name = parts[1]; + parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; else { - parts = split_all(unparsed_version, /Opera Mini\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Opera Mini\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } } else { software_name = "Opera"; - parts = split_all(unparsed_version, /Version\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } } else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version ) { software_name = "Unspecified WebKit"; - parts = split_all(unparsed_version, /AppleWebKit\/[0-9\.]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = split_string_all(unparsed_version, /AppleWebKit\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } else if ( / Java\/[0-9]\./ in unparsed_version ) { software_name = "Java"; - parts = split_all(unparsed_version, /Java\/[0-9\._]*/); - if ( 2 in parts ) - v = parse(parts[2])$version; + parts = 
split_string_all(unparsed_version, /Java\/[0-9\._]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; } return [$version=v, $unparsed_version=unparsed_version, $name=software_name]; diff --git a/scripts/base/protocols/dhcp/utils.bro b/scripts/base/protocols/dhcp/utils.bro index e49bfe6af9..9d5a422128 100644 --- a/scripts/base/protocols/dhcp/utils.bro +++ b/scripts/base/protocols/dhcp/utils.bro @@ -13,7 +13,7 @@ export { function reverse_ip(ip: addr): addr { - local octets = split(cat(ip), /\./); - return to_addr(cat(octets[4], ".", octets[3], ".", octets[2], ".", octets[1])); + local octets = split_string(cat(ip), /\./); + return to_addr(cat(octets[3], ".", octets[2], ".", octets[1], ".", octets[0])); } diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 9bc1f0d0f1..24195c1d7e 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -274,7 +274,7 @@ event file_transferred(c: connection, prefix: string, descr: string, if ( [id$resp_h, id$resp_p] in ftp_data_expected ) { local s = ftp_data_expected[id$resp_h, id$resp_p]; - s$mime_type = split1(mime_type, /;/)[1]; + s$mime_type = split_string1(mime_type, /;/)[0]; } } diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 0457da8ccf..2349635844 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -242,7 +242,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr else if ( name == "HOST" ) # The split is done to remove the occasional port value that shows up here. - c$http$host = split1(value, /:/)[1]; + c$http$host = split_string1(value, /:/)[0]; else if ( name == "RANGE" ) c$http$range_request = T; 
@@ -262,12 +262,12 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( /^[bB][aA][sS][iI][cC] / in value ) { local userpass = decode_base64(sub(value, /[bB][aA][sS][iI][cC][[:blank:]]/, "")); - local up = split(userpass, /:/); + local up = split_string(userpass, /:/); if ( |up| >= 2 ) { - c$http$username = up[1]; + c$http$username = up[0]; if ( c$http$capture_password ) - c$http$password = up[2]; + c$http$password = up[1]; } else { diff --git a/scripts/base/protocols/http/utils.bro b/scripts/base/protocols/http/utils.bro index 3c75ae254b..88549f8404 100644 --- a/scripts/base/protocols/http/utils.bro +++ b/scripts/base/protocols/http/utils.bro @@ -42,12 +42,12 @@ function extract_keys(data: string, kv_splitter: pattern): string_vec { local key_vec: vector of string = vector(); - local parts = split(data, kv_splitter); + local parts = split_string(data, kv_splitter); for ( part_index in parts ) { - local key_val = split1(parts[part_index], /=/); - if ( 1 in key_val ) - key_vec[|key_vec|] = key_val[1]; + local key_val = split_string1(parts[part_index], /=/); + if ( 0 in key_val ) + key_vec[|key_vec|] = key_val[0]; } return key_vec; } diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index a22d93d2fa..925b0f4da5 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -98,7 +98,7 @@ event bro_init() &priority=5 function find_address_in_smtp_header(header: string): string { - local ips = find_ip_addresses(header); + local ips = extract_ip_addresses(header); # If there are more than one IP address found, return the second. if ( |ips| > 1 ) return ips[1]; @@ -163,7 +163,7 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) & { if ( ! c$smtp?$rcptto ) c$smtp$rcptto = set(); - add c$smtp$rcptto[split1(arg, /:[[:blank:]]*/)[2]]; + add c$smtp$rcptto[split_string1(arg, /:[[:blank:]]*/)[1]]; c$smtp$has_client_activity = T; } 
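Review bot: In the Basic-auth branch, `split_string(userpass, /:/)` splits on every colon, so a password that itself contains `:` is cut short when `up[1]` is stored in `c$http$password`. Only the first colon separates the user-id from the password in Basic credentials, so `local up = split_string1(userpass, /:/);` would keep the rest of the password intact, and the existing `|up| >= 2` guard still works. The truncation predates this commit, but the line is being rewritten here anyway. The handler body starts and ends outside this hunk.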
@@ -172,8 +172,8 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) & # Flush last message in case we didn't see the server's acknowledgement. smtp_message(c); - local partially_done = split1(arg, /:[[:blank:]]*/)[2]; - c$smtp$mailfrom = split1(partially_done, /[[:blank:]]?/)[1]; + local partially_done = split_string1(arg, /:[[:blank:]]*/)[1]; + c$smtp$mailfrom = split_string1(partially_done, /[[:blank:]]?/)[0]; c$smtp$has_client_activity = T; } } @@ -234,14 +234,14 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5 if ( ! c$smtp?$to ) c$smtp$to = set(); - local to_parts = split(h$value, /[[:blank:]]*,[[:blank:]]*/); + local to_parts = split_string(h$value, /[[:blank:]]*,[[:blank:]]*/); for ( i in to_parts ) add c$smtp$to[to_parts[i]]; } else if ( h$name == "X-ORIGINATING-IP" ) { - local addresses = find_ip_addresses(h$value); + local addresses = extract_ip_addresses(h$value); if ( 1 in addresses ) c$smtp$x_originating_ip = to_addr(addresses[1]); } diff --git a/scripts/base/utils/active-http.bro b/scripts/base/utils/active-http.bro index 5dc512408a..de78eeac6d 100644 --- a/scripts/base/utils/active-http.bro +++ b/scripts/base/utils/active-http.bro @@ -105,21 +105,21 @@ function request(req: Request): ActiveHTTP::Response # The reply is the first line. if ( i == 0 ) { - local response_line = split_n(headers[0], /[[:blank:]]+/, F, 2); + local response_line = split_string_n(headers[0], /[[:blank:]]+/, F, 2); if ( |response_line| != 3 ) return resp; - resp$code = to_count(response_line[2]); - resp$msg = response_line[3]; + resp$code = to_count(response_line[1]); + resp$msg = response_line[2]; resp$body = join_string_vec(result$files[bodyfile], ""); } else { local line = headers[i]; - local h = split1(line, /:/); + local h = split_string1(line, /:/); if ( |h| != 2 ) next; - resp$headers[h[1]] = sub_bytes(h[2], 0, |h[2]|-1); + resp$headers[h[0]] = sub_bytes(h[1], 0, |h[1]|-1); } } return resp; 
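Review bot: In the X-ORIGINATING-IP branch of `mime_one_header` the guard is still `if ( 1 in addresses )` with `to_addr(addresses[1])`, although `extract_ip_addresses` fills its result from index 0 (`output[|output|] = parts[i]` in utils/addrs.bro). A header carrying a single address is therefore never recorded in `c$smtp$x_originating_ip`, and only a second address would be. Unless the second address is intended, as it explicitly is in `find_address_in_smtp_header`, this should be `if ( 0 in addresses )` and `to_addr(addresses[0])`. The handler body starts and ends outside this hunk.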
diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro index 9e33e6d585..e8fd746e5e 100644 --- a/scripts/base/utils/addrs.bro +++ b/scripts/base/utils/addrs.bro @@ -32,7 +32,7 @@ const ip_addr_regex = ## octets: an array of strings to check for valid octet values. ## ## Returns: T if every element is between 0 and 255, inclusive, else F. -function has_valid_octets(octets: string_array): bool +function has_valid_octets(octets: string_vec): bool { local num = 0; for ( i in octets ) @@ -51,10 +51,10 @@ function has_valid_octets(octets: string_array): bool ## Returns: T if the string is a valid IPv4 or IPv6 address format. function is_valid_ip(ip_str: string): bool { - local octets: string_array; + local octets: string_vec; if ( ip_str == ipv4_addr_regex ) { - octets = split(ip_str, /\./); + octets = split_string(ip_str, /\./); if ( |octets| != 4 ) return F; @@ -67,13 +67,13 @@ function is_valid_ip(ip_str: string): bool { # the regexes for hybrid IPv6-IPv4 address formats don't for valid # octets within the IPv4 part, so do that now - octets = split(ip_str, /\./); + octets = split_string(ip_str, /\./); if ( |octets| != 4 ) return F; # get rid of remaining IPv6 stuff in first octet - local tmp = split(octets[1], /:/); - octets[1] = tmp[|tmp|]; + local tmp = split_string(octets[0], /:/); + octets[0] = tmp[|tmp| - 1]; return has_valid_octets(octets); } 
@@ -92,14 +92,32 @@ function is_valid_ip(ip_str: string): bool ## input: a string that may contain an IP address anywhere within it. ## ## Returns: an array containing all valid IP address strings found in *input*. -function find_ip_addresses(input: string): string_array +function find_ip_addresses(input: string): string_array &deprecated { - local parts = split_all(input, ip_addr_regex); + local parts = split_string_all(input, ip_addr_regex); local output: string_array; for ( i in parts ) { - if ( i % 2 == 0 && is_valid_ip(parts[i]) ) + if ( i % 2 == 1 && is_valid_ip(parts[i]) ) + output[|output|] = parts[i]; + } + return output; + } + +## Extracts all IP (v4 or v6) address strings from a given string. +## +## input: a string that may contain an IP address anywhere within it. +## +## Returns: an array containing all valid IP address strings found in *input*. +function extract_ip_addresses(input: string): string_vec + { + local parts = split_string_all(input, ip_addr_regex); + local output: string_vec; + + for ( i in parts ) + { + if ( i % 2 == 1 && is_valid_ip(parts[i]) ) output[|output|] = parts[i]; } return output; diff --git a/scripts/base/utils/exec.bro b/scripts/base/utils/exec.bro index 37ec35cb2c..15d88e9851 100644 --- a/scripts/base/utils/exec.bro +++ b/scripts/base/utils/exec.bro @@ -82,9 +82,9 @@ event Exec::line(description: Input::EventDescription, tpe: Input::Event, s: str event Exec::file_line(description: Input::EventDescription, tpe: Input::Event, s: string) { - local parts = split1(description$name, /_/); - local name = parts[1]; - local track_file = parts[2]; + local parts = split_string1(description$name, /_/); + local name = parts[0]; + local track_file = parts[1]; local result = results[name]; if ( ! result?$files ) 
@@ -99,13 +99,13 @@ event Exec::file_line(description: Input::EventDescription, tpe: Input::Event, s event Input::end_of_data(orig_name: string, source:string) { local name = orig_name; - local parts = split1(name, /_/); - name = parts[1]; + local parts = split_string1(name, /_/); + name = parts[0]; if ( name !in pending_commands || |parts| < 2 ) return; - local track_file = parts[2]; + local track_file = parts[1]; # If the file is empty, still add it to the result$files table. This is needed # because it is expected that the file was read even if it was empty. diff --git a/scripts/base/utils/files.bro b/scripts/base/utils/files.bro index b88ae5763e..766efd649c 100644 --- a/scripts/base/utils/files.bro +++ b/scripts/base/utils/files.bro @@ -23,7 +23,7 @@ function extract_filename_from_content_disposition(data: string): string # Remove quotes around the filename if they are there. if ( /^\"/ in filename ) - filename = split_n(filename, /\"/, F, 2)[2]; + filename = split_string_n(filename, /\"/, F, 2)[1]; # Remove the language and encoding if it's there. if ( /^[a-zA-Z0-9\!#$%&+-^_`{}~]+'[a-zA-Z0-9\!#$%&+-^_`{}~]*'/ in filename ) diff --git a/scripts/base/utils/numbers.bro b/scripts/base/utils/numbers.bro index 9b100862d4..da8c15d7a0 100644 --- a/scripts/base/utils/numbers.bro +++ b/scripts/base/utils/numbers.bro @@ -2,9 +2,9 @@ ## If no integer can be found, 0 is returned. function extract_count(s: string): count { - local parts = split_n(s, /[0-9]+/, T, 1); - if ( 2 in parts ) - return to_count(parts[2]); + local parts = split_string_n(s, /[0-9]+/, T, 1); + if ( 1 in parts ) + return to_count(parts[1]); else return 0; - } \ No newline at end of file + } diff --git a/scripts/base/utils/paths.bro b/scripts/base/utils/paths.bro index ce083eb6d0..6de5b85e2e 100644 --- a/scripts/base/utils/paths.bro +++ b/scripts/base/utils/paths.bro 
@@ -13,12 +13,12 @@ const absolute_path_pat = /(\/|[A-Za-z]:[\\\/]).*/; function extract_path(input: string): string { const dir_pattern = /(\/|[A-Za-z]:[\\\/])([^\"\ ]|(\\\ ))*/; - local parts = split_all(input, dir_pattern); + local parts = split_string_all(input, dir_pattern); if ( |parts| < 3 ) return ""; - return parts[2]; + return parts[1]; } ## Compresses a given path by removing '..'s and the parent directory it @@ -31,27 +31,27 @@ function compress_path(dir: string): string { const cdup_sep = /((\/)*([^\/]|\\\/)+)?((\/)+\.\.(\/)*)/; - local parts = split_n(dir, cdup_sep, T, 1); + local parts = split_string_n(dir, cdup_sep, T, 1); if ( |parts| > 1 ) { # reaching a point with two parent dir references back-to-back means # we don't know about anything higher in the tree to pop off - if ( parts[2] == "../.." ) - return cat_string_array(parts); - if ( sub_bytes(parts[2], 0, 1) == "/" ) - parts[2] = "/"; + if ( parts[1] == "../.." ) + return join_string_vec(parts, ""); + if ( sub_bytes(parts[1], 0, 1) == "/" ) + parts[1] = "/"; else - parts[2] = ""; - dir = cat_string_array(parts); + parts[1] = ""; + dir = join_string_vec(parts, ""); return compress_path(dir); } const multislash_sep = /(\/\.?){2,}/; - parts = split_all(dir, multislash_sep); + parts = split_string_all(dir, multislash_sep); for ( i in parts ) - if ( i % 2 == 0 ) + if ( i % 2 == 1 ) parts[i] = "/"; - dir = cat_string_array(parts); + dir = join_string_vec(parts, ""); # remove trailing slashes from path if ( |dir| > 1 && sub_bytes(dir, |dir|, 1) == "/" ) diff --git a/scripts/base/utils/patterns.bro b/scripts/base/utils/patterns.bro index 957e19a14b..47b8cf4e37 100644 --- a/scripts/base/utils/patterns.bro +++ b/scripts/base/utils/patterns.bro 
@@ -50,11 +50,11 @@ type PatternMatchResult: record { ## Returns: a record indicating the match status. function match_pattern(s: string, p: pattern): PatternMatchResult { - local a = split_n(s, p, T, 1); + local a = split_string_n(s, p, T, 1); if ( |a| == 1 ) # no match return [$matched = F, $str = "", $off = 0]; else - return [$matched = T, $str = a[2], $off = |a[1]| + 1]; + return [$matched = T, $str = a[1], $off = |a[0]| + 1]; } diff --git a/scripts/base/utils/urls.bro b/scripts/base/utils/urls.bro index d4279cd0ce..41a2ab5639 100644 --- a/scripts/base/utils/urls.bro +++ b/scripts/base/utils/urls.bro @@ -48,7 +48,7 @@ function find_all_urls_without_scheme(s: string): string_set function decompose_uri(s: string): URI { - local parts: string_array; + local parts: string_vec; local u: URI = [$netlocation="", $path="/"]; if ( /\?/ in s) 
@@ -56,55 +56,55 @@ function decompose_uri(s: string): URI # Parse query. u$params = table(); - parts = split1(s, /\?/); - s = parts[1]; - local query: string = parts[2]; + parts = split_string1(s, /\?/); + s = parts[0]; + local query: string = parts[1]; if ( /&/ in query ) { - local opv: table[count] of string = split(query, /&/); + local opv = split_string(query, /&/); for ( each in opv ) { if ( /=/ in opv[each] ) { - parts = split1(opv[each], /=/); - u$params[parts[1]] = parts[2]; + parts = split_string1(opv[each], /=/); + u$params[parts[0]] = parts[1]; } } } else { - parts = split1(query, /=/); - u$params[parts[1]] = parts[2]; + parts = split_string1(query, /=/); + u$params[parts[0]] = parts[1]; } } if ( /:\/\// in s ) { # Parse scheme and remove from s. - parts = split1(s, /:\/\//); - u$scheme = parts[1]; - s = parts[2]; + parts = split_string1(s, /:\/\//); + u$scheme = parts[0]; + s = parts[1]; } if ( /\// in s ) { # Parse path and remove from s. - parts = split1(s, /\//); - s = parts[1]; - u$path = fmt("/%s", parts[2]); + parts = split_string1(s, /\//); + s = parts[0]; + u$path = fmt("/%s", parts[1]); if ( |u$path| > 1 && u$path[|u$path| - 1] != "/" ) { local last_token: string = find_last(u$path, /\/.+/); - local full_filename = split1(last_token, /\//)[2]; + local full_filename = split_string1(last_token, /\//)[1]; if ( /\./ in full_filename ) { u$file_name = full_filename; - u$file_base = split1(full_filename, /\./)[1]; - u$file_ext = split1(full_filename, /\./)[2]; + u$file_base = split_string1(full_filename, /\./)[0]; + u$file_ext = split_string1(full_filename, /\./)[1]; } else { @@ -117,9 +117,9 @@ function decompose_uri(s: string): URI if ( /:/ in s ) { # Parse location and port. - parts = split1(s, /:/); - u$netlocation = parts[1]; - u$portnum = to_count(parts[2]); + parts = split_string1(s, /:/); + u$netlocation = parts[0]; + u$portnum = to_count(parts[1]); } else u$netlocation = s; 
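Review bot: In the `else` branch for a query without `&`, `parts = split_string1(query, /=/); u$params[parts[0]] = parts[1];` indexes `parts[1]` with no check that the query contains `=`. A URI such as `/path?flag` yields a one-element vector, so the index is out of range. The `&` branch already guards each item with `if ( /=/ in opv[each] )`, and the same guard fits here: `if ( /=/ in query ) { parts = split_string1(query, /=/); u$params[parts[0]] = parts[1]; }`. `decompose_uri` starts before this hunk.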
diff --git a/scripts/policy/frameworks/files/detect-MHR.bro b/scripts/policy/frameworks/files/detect-MHR.bro index d0b8a852e6..6917212356 100644 --- a/scripts/policy/frameworks/files/detect-MHR.bro +++ b/scripts/policy/frameworks/files/detect-MHR.bro @@ -42,15 +42,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro index a961896640..864b685126 100644 --- a/scripts/policy/frameworks/intel/seen/http-headers.bro +++ b/scripts/policy/frameworks/intel/seen/http-headers.bro @@ -31,7 +31,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) case "X-FORWARDED-FOR": if ( is_valid_ip(value) ) { - local addrs = find_ip_addresses(value); + local addrs = extract_ip_addresses(value); for ( i in addrs ) { Intel::seen([$host=to_addr(addrs[i]), diff --git a/scripts/policy/frameworks/intel/seen/smtp.bro b/scripts/policy/frameworks/intel/seen/smtp.bro index d760995e51..0393dbab7d 100644 --- a/scripts/policy/frameworks/intel/seen/smtp.bro +++ b/scripts/policy/frameworks/intel/seen/smtp.bro 
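Review bot: In the `X-FORWARDED-FOR` case, `extract_ip_addresses(value)` is only reached when `is_valid_ip(value)` holds, and that function compares the whole string against the address patterns. A header carrying the usual comma-separated proxy chain therefore appears never to reach `Intel::seen`, and the `for ( i in addrs )` loop can see at most one address. `extract_ip_addresses` already validates each candidate with `is_valid_ip`, so the outer check could be dropped to cover every hop. The enclosing `switch` starts and ends outside this hunk.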
@@ -30,10 +30,10 @@ event mime_end_entity(c: connection) if ( c$smtp?$mailfrom ) { - local mailfromparts = split_n(c$smtp$mailfrom, /<.+>/, T, 1); + local mailfromparts = split_string_n(c$smtp$mailfrom, /<.+>/, T, 1); if ( |mailfromparts| > 2 ) { - Intel::seen([$indicator=mailfromparts[2][1:-2], + Intel::seen([$indicator=mailfromparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_MAIL_FROM]); @@ -44,10 +44,10 @@ event mime_end_entity(c: connection) { for ( rcptto in c$smtp$rcptto ) { - local rcpttoparts = split_n(rcptto, /<.+>/, T, 1); + local rcpttoparts = split_string_n(rcptto, /<.+>/, T, 1); if ( |rcpttoparts| > 2 ) { - Intel::seen([$indicator=rcpttoparts[2][1:-2], + Intel::seen([$indicator=rcpttoparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_RCPT_TO]); @@ -57,10 +57,10 @@ event mime_end_entity(c: connection) if ( c$smtp?$from ) { - local fromparts = split_n(c$smtp$from, /<.+>/, T, 1); + local fromparts = split_string_n(c$smtp$from, /<.+>/, T, 1); if ( |fromparts| > 2 ) { - Intel::seen([$indicator=fromparts[2][1:-2], + Intel::seen([$indicator=fromparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_FROM]); @@ -71,10 +71,10 @@ event mime_end_entity(c: connection) { for ( email_to in c$smtp$to ) { - local toparts = split_n(email_to, /<.+>/, T, 1); + local toparts = split_string_n(email_to, /<.+>/, T, 1); if ( |toparts| > 2 ) { - Intel::seen([$indicator=toparts[2][1:-2], + Intel::seen([$indicator=toparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_TO]); @@ -84,10 +84,10 @@ event mime_end_entity(c: connection) if ( c$smtp?$reply_to ) { - local replytoparts = split_n(c$smtp$reply_to, /<.+>/, T, 1); + local replytoparts = split_string_n(c$smtp$reply_to, /<.+>/, T, 1); if ( |replytoparts| > 2 ) { - Intel::seen([$indicator=replytoparts[2][1:-2], + Intel::seen([$indicator=replytoparts[1][1:-2], $indicator_type=Intel::EMAIL, $conn=c, $where=SMTP::IN_REPLY_TO]); 
diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro index ee8d90b21f..527623d621 100644 --- a/scripts/policy/frameworks/software/vulnerable.bro +++ b/scripts/policy/frameworks/software/vulnerable.bro @@ -55,18 +55,18 @@ function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRang return vvr; } - local versions = split1(vuln_sw, /\x09/); + local versions = split_string1(vuln_sw, /\x09/); for ( i in versions ) { - local field_and_ver = split1(versions[i], /=/); + local field_and_ver = split_string1(versions[i], /=/); if ( |field_and_ver| != 2 ) return vvr; #failure! - local ver = Software::parse(field_and_ver[2])$version; - if ( field_and_ver[1] == "min" ) + local ver = Software::parse(field_and_ver[1])$version; + if ( field_and_ver[0] == "min" ) vvr$min = ver; - else if ( field_and_ver[1] == "max" ) + else if ( field_and_ver[0] == "max" ) vvr$max = ver; } @@ -84,15 +84,15 @@ event grab_vulnerable_versions(i: count) when ( local result = lookup_hostname_txt(cat(i,".",vulnerable_versions_update_endpoint)) ) { - local parts = split1(result, /\x09/); + local parts = split_string1(result, /\x09/); if ( |parts| != 2 ) #failure or end of list! { schedule vulnerable_versions_update_interval { grab_vulnerable_versions(1) }; return; } - local sw = parts[1]; - local vvr = decode_vulnerable_version_range(parts[2]); + local sw = parts[0]; + local vvr = decode_vulnerable_version_range(parts[1]); if ( sw !in internal_vulnerable_versions ) internal_vulnerable_versions[sw] = set(); add internal_vulnerable_versions[sw][vvr]; diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index aa403e6a08..68151e209a 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro 
@@ -74,10 +74,10 @@ event bro_init() &priority=5 $threshold=icmp_time_exceeded_threshold, $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = { - local parts = split_n(key$str, /-/, F, 2); - local src = to_addr(parts[1]); - local dst = to_addr(parts[2]); - local proto = parts[3]; + local parts = split_string_n(key$str, /-/, F, 2); + local src = to_addr(parts[0]); + local dst = to_addr(parts[1]); + local proto = parts[2]; Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst, $proto=proto]); NOTICE([$note=Traceroute::Detected, $msg=fmt("%s seems to be running traceroute using %s", src, proto), diff --git a/scripts/policy/protocols/http/software-browser-plugins.bro b/scripts/policy/protocols/http/software-browser-plugins.bro index b466a9da40..ab4bb93b15 100644 --- a/scripts/policy/protocols/http/software-browser-plugins.bro +++ b/scripts/policy/protocols/http/software-browser-plugins.bro @@ -45,13 +45,13 @@ event log_http(rec: Info) if ( rec$omniture && rec?$uri ) { # We do {5,} because sometimes we see p=6 in the urls. - local parts = split_n(rec$uri, /&p=([^&]{5,});&/, T, 1); - if ( 2 in parts ) + local parts = split_string_n(rec$uri, /&p=([^&]{5,});&/, T, 1); + if ( 1 in parts ) { # We do sub_bytes here just to remove the extra extracted # characters from the regex split above. - local sw = sub_bytes(parts[2], 4, |parts[2]|-5); - local plugins = split(sw, /[[:blank:]]*;[[:blank:]]*/); + local sw = sub_bytes(parts[1], 4, |parts[1]|-5); + local plugins = split_string(sw, /[[:blank:]]*;[[:blank:]]*/); for ( i in plugins ) Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]); diff --git a/scripts/policy/protocols/smtp/blocklists.bro b/scripts/policy/protocols/smtp/blocklists.bro index b1fb0e498d..57aef4ee48 100644 --- a/scripts/policy/protocols/smtp/blocklists.bro +++ b/scripts/policy/protocols/smtp/blocklists.bro 
@@ -47,7 +47,7 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string, local message = fmt("%s received an error message mentioning an SMTP block list", c$id$orig_h); # Determine if the originator's IP address is in the message. - local ips = find_ip_addresses(msg); + local ips = extract_ip_addresses(msg); local text_ip = ""; if ( |ips| > 0 && to_addr(ips[0]) == c$id$orig_h ) { diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.bro index e2b0bb2faf..9e55933820 100644 --- a/scripts/policy/protocols/ssl/notary.bro +++ b/scripts/policy/protocols/ssl/notary.bro @@ -70,23 +70,23 @@ event ssl_established(c: connection) &priority=3 clear_waitlist(digest); return; } - local fields = split(str, / /); + local fields = split_string(str, / /); if ( |fields| != 5 ) # version 1 has 5 fields. { clear_waitlist(digest); return; } - local version = split(fields[1], /=/)[2]; + local version = split_string(fields[0], /=/)[2]; if ( version != "1" ) { clear_waitlist(digest); return; } local r = notary_cache[digest]; - r$first_seen = to_count(split(fields[2], /=/)[2]); - r$last_seen = to_count(split(fields[3], /=/)[2]); - r$times_seen = to_count(split(fields[4], /=/)[2]); - r$valid = split(fields[5], /=/)[2] == "1"; + r$first_seen = to_count(split_string(fields[1], /=/)[1]); + r$last_seen = to_count(split_string(fields[2], /=/)[1]); + r$times_seen = to_count(split_string(fields[3], /=/)[1]); + r$valid = split_string(fields[4], /=/)[1] == "1"; # Assign notary answer to all records waiting for this digest. if ( digest in waitlist ) diff --git a/src/strings.bif b/src/strings.bif index 4a30ca2aa4..84d6014cff 100644 --- a/src/strings.bif +++ b/src/strings.bif 
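Review bot: In notary.bro, `local version = split_string(fields[0], /=/)[2];` still uses index 2, while the other four fields in this hunk were moved to `[1]`. Assuming each field has the `key=value` shape the other lookups rely on, the split yields two elements, so index 2 is out of range in the 0-based vector and the `version != "1"` check cannot pass on a well-formed answer. It should read `local version = split_string(fields[0], /=/)[1];`. The handler body starts and ends outside this hunk.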
@@ -130,7 +130,7 @@ BroString* cat_string_array_n(TableVal* tbl, int start, int end) ## .. bro:see:: cat cat_sep string_cat cat_string_array_n ## fmt ## join_string_vec join_string_array -function cat_string_array%(a: string_array%): string +function cat_string_array%(a: string_array%): string &deprecated %{ TableVal* tbl = a->AsTableVal(); return new StringVal(cat_string_array_n(tbl, 1, a->AsTable()->Length())); @@ -149,7 +149,7 @@ function cat_string_array%(a: string_array%): string ## .. bro:see:: cat string_cat cat_string_array ## fmt ## join_string_vec join_string_array -function cat_string_array_n%(a: string_array, start: count, end: count%): string +function cat_string_array_n%(a: string_array, start: count, end: count%): string &deprecated %{ TableVal* tbl = a->AsTableVal(); return new StringVal(cat_string_array_n(tbl, start, end)); @@ -168,7 +168,7 @@ function cat_string_array_n%(a: string_array, start: count, end: count%): string ## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n ## fmt ## join_string_vec -function join_string_array%(sep: string, a: string_array%): string +function join_string_array%(sep: string, a: string_array%): string &deprecated %{ vector vs; TableVal* tbl = a->AsTableVal(); @@ -230,7 +230,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string ## Returns: A sorted copy of *a*. ## ## .. bro:see:: sort -function sort_string_array%(a: string_array%): string_array +function sort_string_array%(a: string_array%): string_array &deprecated %{ TableVal* tbl = a->AsTableVal(); int n = a->AsTable()->Length(); 
@@ -338,6 +338,62 @@ static int match_prefix(int s_len, const char* s, int t_len, const char* t) return 1; } +VectorVal* do_split_string(StringVal* str_val, RE_Matcher* re, int incl_sep, + int max_num_sep) + { + VectorVal* rval = new VectorVal(new VectorType(base_type(TYPE_STRING))); + const u_char* s = str_val->Bytes(); + int n = str_val->Len(); + const u_char* end_of_s = s + n; + int num = 0; + int num_sep = 0; + + int offset = 0; + while ( n >= 0 ) + { + offset = 0; + // Find next match offset. + int end_of_match = 0; + while ( n > 0 && + (end_of_match = re->MatchPrefix(s + offset, n)) <= 0 ) + { + // Move on to next byte. + ++offset; + --n; + } + + if ( max_num_sep && num_sep >= max_num_sep ) + { + offset = end_of_s - s; + n=0; + } + + rval->Assign(num++, new StringVal(offset, (const char*) s)); + + // No more separators will be needed if this is the end of string. + if ( n <= 0 ) + break; + + if ( incl_sep ) + { // including the part that matches the pattern + rval->Assign(num++, new StringVal(end_of_match, (const char*) s+offset)); + } + + if ( max_num_sep && num_sep >= max_num_sep ) + break; + + ++num_sep; + + n -= end_of_match; + s += offset + end_of_match;; + + if ( s > end_of_s ) + reporter->InternalError("RegMatch in split goes beyond the string"); + } + + return rval; + } + Val* do_split(StringVal* str_val, RE_Matcher* re, int incl_sep, int max_num_sep) { TableVal* a = new TableVal(string_array); 
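Review bot: In do_split_string the sanity check `if ( s > end_of_s )` comes too late to protect the separator copy in the incl_sep branch, `new StringVal(end_of_match, (const char*) s+offset)`, which has already read end_of_match bytes by then. Whether MatchPrefix can ever report a match longer than the n bytes it was given is not visible in this hunk, but the string being split is typically data taken from traffic, so the guard is better expressed in lengths and placed before the copy. Directly after the `if ( n <= 0 ) break;` test, add `if ( end_of_match > n ) reporter->InternalError("RegMatch in split goes beyond the string");`. That also avoids forming a pointer past the end of the buffer before testing it. A minor style point: `s += offset + end_of_match;;` carries a stray semicolon.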
@@ -493,17 +549,33 @@ Val* do_sub(StringVal* str_val, RE_Matcher* re, StringVal* repl, int do_all) ## Returns: An array of strings where each element corresponds to a substring ## in *str* separated by *re*. ## -## .. bro:see:: split1 split_all split_n str_split +## .. bro:see:: split1 split_all split_n str_split split_string1 split_string_all split_string_n str_split ## ## .. note:: The returned table starts at index 1. Note that conceptually the ## return value is meant to be a vector and this might change in the ## future. ## -function split%(str: string, re: pattern%): string_array +function split%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 0, 0); %} +## Splits a string into an array of strings according to a pattern. +## +## str: The string to split. +## +## re: The pattern describing the element separator in *str*. +## +## Returns: An array of strings where each element corresponds to a substring +## in *str* separated by *re*. +## +## .. bro:see:: split_string1 split_string_all split_string_n str_split +## +function split_string%(str: string, re: pattern%): string_vec + %{ + return do_split_string(str, re, 0, 0); + %} + ## Splits a string *once* into a two-element array of strings according to a ## pattern. This function is the same as :bro:id:`split`, but *str* is only ## split once (if possible) at the earliest position and an array of two strings 
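Review bot: The doc comment added for split_string never says that the returned string_vec is indexed from 0, although the deprecated split directly above documents that its table starts at index 1. Anyone migrating a script has to shift every index by one, so the new comment should state this, for example `## .. note:: The returned vector starts at index 0, whereas split returns a table starting at index 1.` The "Returns: An array of strings" wording should also say vector. The same applies to split_string1, split_string_all and split_string_n in the following hunks. In addition, the extended bro:see lists on the deprecated functions now name str_split twice.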
@@ -518,12 +590,32 @@ function split%(str: string, re: pattern%): string_array ## second everything after *re*. An array of one string is returned ## when *s* cannot be split. ## -## .. bro:see:: split split_all split_n str_split -function split1%(str: string, re: pattern%): string_array +## .. bro:see:: split split_all split_n str_split split_string split_string_all split_string_n str_split +function split1%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 0, 1); %} +## Splits a string *once* into a two-element array of strings according to a +## pattern. This function is the same as :bro:id:`split_string`, but *str* is +## only split once (if possible) at the earliest position and an array of two +## strings is returned. +## +## str: The string to split. +## +## re: The pattern describing the separator to split *str* in two pieces. +## +## Returns: An array of strings with two elements in which the first represents +## the substring in *str* up to the first occurence of *re*, and the +## second everything after *re*. An array of one string is returned +## when *s* cannot be split. +## +## .. bro:see:: split_string split_string_all split_string_n str_split +function split_string1%(str: string, re: pattern%): string_vec + %{ + return do_split_string(str, re, 0, 1); + %} + ## Splits a string into an array of strings according to a pattern. This ## function is the same as :bro:id:`split`, except that the separators are ## returned as well. For example, ``split_all("a-b--cd", /(\-)+/)`` returns 
@@ -538,12 +630,32 @@ function split1%(str: string, re: pattern%): string_array ## to a substring in *str* of the part not matching *re* (odd-indexed) ## and the part that matches *re* (even-indexed). ## -## .. bro:see:: split split1 split_n str_split -function split_all%(str: string, re: pattern%): string_array +## .. bro:see:: split split1 split_n str_split split_string split_string1 split_string_n str_split +function split_all%(str: string, re: pattern%): string_array &deprecated %{ return do_split(str, re, 1, 0); %} +## Splits a string into an array of strings according to a pattern. This +## function is the same as :bro:id:`split_string`, except that the separators +## are returned as well. For example, ``split_string_all("a-b--cd", /(\-)+/)`` +## returns ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do match the +## pattern and even-indexed ones do not. +## +## str: The string to split. +## +## re: The pattern describing the element separator in *str*. +## +## Returns: An array of strings where each two successive elements correspond +## to a substring in *str* of the part not matching *re* (even-indexed) +## and the part that matches *re* (odd-indexed). +## +## .. bro:see:: split_string split_string1 split_string_n str_split +function split_string_all%(str: string, re: pattern%): string_vec + %{ + return do_split_string(str, re, 1, 0); + %} + ## Splits a string a given number of times into an array of strings according ## to a pattern. This function is similar to :bro:id:`split1` and ## :bro:id:`split_all`, but with customizable behavior with respect to 
@@ -563,13 +675,39 @@ function split_all%(str: string, re: pattern%): string_array ## not matching *re* (odd-indexed) and the part that matches *re* ## (even-indexed). ## -## .. bro:see:: split split1 split_all str_split +## .. bro:see:: split split1 split_all str_split split_string split_string1 split_string_all str_split function split_n%(str: string, re: pattern, - incl_sep: bool, max_num_sep: count%): string_array + incl_sep: bool, max_num_sep: count%): string_array &deprecated %{ return do_split(str, re, incl_sep, max_num_sep); %} +## Splits a string a given number of times into an array of strings according +## to a pattern. This function is similar to :bro:id:`split_string1` and +## :bro:id:`split_string_all`, but with customizable behavior with respect to +## including separators in the result and the number of times to split. +## +## str: The string to split. +## +## re: The pattern describing the element separator in *str*. +## +## incl_sep: A flag indicating whether to include the separator matches in the +## result (as in :bro:id:`split_string_all`). +## +## max_num_sep: The number of times to split *str*. +## +## Returns: An array of strings where, if *incl_sep* is true, each two +## successive elements correspond to a substring in *str* of the part +## not matching *re* (event-indexed) and the part that matches *re* +## (odd-indexed). +## +## .. bro:see:: split_string split_string1 split_string_all str_split +function split_string_n%(str: string, re: pattern, + incl_sep: bool, max_num_sep: count%): string_vec + %{ + return do_split_string(str, re, incl_sep, max_num_sep); + %} + ## Substitutes a given replacement string for the first occurrence of a pattern ## in a given string. ## diff --git a/testing/btest/Baseline/bifs.split_string/out b/testing/btest/Baseline/bifs.split_string/out new file mode 100644 index 0000000000..0ec2541f3d --- /dev/null +++ b/testing/btest/Baseline/bifs.split_string/out 
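Review bot: The Returns text added for split_string_n says "event-indexed" where "even-indexed" is meant. The max_num_sep description also omits that 0 means no limit, which is how do_split_string treats it (`if ( max_num_sep && num_sep >= max_num_sep )`). Suggest `## max_num_sep: The number of times to split *str*; 0 means no limit.` together with the spelling fix. The split_string1 comment in the earlier hunk likewise carries over "occurence" and refers to *s* where the parameter is named *str*.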
@@ -0,0 +1,32 @@ +t +s is a t +t +--------------------- +t +s is a test +--------------------- +t +hi +s is a t +es +t +--------------------- +t +s is a test +--------------------- +t +hi +s is a test +--------------------- +[, thi, s i, s a tes, t] +--------------------- +X-Mailer +Testing Test (http://www.example.com) +--------------------- +A += + B += + C += + D diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index cf6cabda5e..927a64692f 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -129,37 +129,37 @@ 0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return 
(Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, 
to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, 
config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, 
path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, 
<...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, 
log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Unified2::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = 
fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, 
to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, 
postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return 
(Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return 
(cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, 
exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost 
CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Cluster::LOG, [columns=, ev=])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Communication::LOG, [columns=, ev=])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) -> @@ -191,7 +191,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Conn::LOG)) -> 
@@ -285,8 +285,8 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> @@ -319,8 +319,8 @@ 0.000000 MetaHookPost CallFunction(reading_live_traffic, ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> -0.000000 MetaHookPost CallFunction(split1, (PacketFilter::LOG, <...>/)) -> -0.000000 MetaHookPost CallFunction(split_n, (PacketFilter, <...>/, T, 4)) -> +0.000000 MetaHookPost CallFunction(split_string1, (PacketFilter::LOG, <...>/)) -> +0.000000 MetaHookPost CallFunction(split_string_n, (PacketFilter, <...>/, T, 4)) -> 0.000000 MetaHookPost CallFunction(string_to_pattern, ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, )) -> 0.000000 MetaHookPost CallFunction(sub_bytes, (tFilter, 1, 1)) -> 
@@ -668,37 +668,37 @@ 0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str 
= fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, 
include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (IRC::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, 
Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, 
include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Signatures::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, 
Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, 
include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre 
CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != 
Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return 
(cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, 
log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSL::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return 
(Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, 
to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Cluster::LOG, [columns=, ev=])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Communication::LOG, [columns=, ev=])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Conn::LOG, [columns=, ev=Conn::log_conn])) @@ -730,7 +730,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Conn::LOG)) 
@@ -824,8 +824,8 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) @@ -858,8 +858,8 @@ 0.000000 MetaHookPre CallFunction(reading_live_traffic, ()) 0.000000 MetaHookPre CallFunction(reading_traces, ()) 0.000000 MetaHookPre CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -0.000000 MetaHookPre CallFunction(split1, (PacketFilter::LOG, <...>/)) -0.000000 MetaHookPre CallFunction(split_n, (PacketFilter, <...>/, T, 4)) +0.000000 MetaHookPre CallFunction(split_string1, (PacketFilter::LOG, <...>/)) +0.000000 MetaHookPre CallFunction(split_string_n, (PacketFilter, <...>/, T, 4)) 0.000000 MetaHookPre CallFunction(string_to_pattern, ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, )) 0.000000 MetaHookPre CallFunction(sub_bytes, (tFilter, 1, 1)) 
@@ -1207,37 +1207,37 @@ 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) -0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = 
split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, 
postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return 
(Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, 
include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, 
pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, 
to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction 
Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, 
Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, 
exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(IRC::LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = 
split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, 
log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, 
pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, 
)return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=, exclude=, log_local=T, log_remote=T, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=, ev=]) 0.000000 | HookCallFunction Log::__create_stream(Communication::LOG, [columns=, ev=]) 0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=, ev=Conn::log_conn]) 
@@ -1269,7 +1269,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1363,8 +1363,8 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) 
@@ -1397,8 +1397,8 @@ 0.000000 | HookCallFunction reading_live_traffic() 0.000000 | HookCallFunction reading_traces() 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) -0.000000 | HookCallFunction split1(PacketFilter::LOG, <...>/) -0.000000 | HookCallFunction split_n(PacketFilter, <...>/, T, 4) +0.000000 | HookCallFunction split_string1(PacketFilter::LOG, <...>/) +0.000000 | HookCallFunction split_string_n(PacketFilter, <...>/, T, 4) 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) 0.000000 | HookCallFunction sub_bytes(tFilter, 1, 1) 
@@ -1486,7 +1486,7 @@ 1362692526.939527 MetaHookPost CallFunction(network_time, ()) -> 1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> 1362692526.939527 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692526.939527 MetaHookPost CallFunction(split1, (bro.org, <...>/)) -> +1362692526.939527 MetaHookPost CallFunction(split_string1, (bro.org, <...>/)) -> 1362692526.939527 MetaHookPost DrainEvents() -> 1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, 
addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 
@@ -1523,7 +1523,7 @@ 1362692526.939527 MetaHookPre CallFunction(network_time, ()) 1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) 1362692526.939527 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -1362692526.939527 MetaHookPre CallFunction(split1, (bro.org, <...>/)) +1362692526.939527 MetaHookPre CallFunction(split_string1, (bro.org, <...>/)) 1362692526.939527 MetaHookPre DrainEvents() 1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, 
uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 
@@ -1561,7 +1561,7 @@ 1362692526.939527 | HookCallFunction network_time() 1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) 1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) -1362692526.939527 | HookCallFunction split1(bro.org, <...>/) +1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/) 1362692526.939527 | HookDrainEvents 1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, 
dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 
@@ -1607,7 +1607,7 @@ 1362692527.009512 MetaHookPost CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> 1362692527.009512 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009512 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009512 MetaHookPost CallFunction(split_all, (HTTP, <...>/)) -> +1362692527.009512 MetaHookPost CallFunction(split_string_all, (HTTP, <...>/)) -> 1362692527.009512 MetaHookPost DrainEvents() -> 1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) -> false 1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, 
conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 
@@ -1653,7 +1653,7 @@ 1362692527.009512 MetaHookPre CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009512 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009512 MetaHookPre CallFunction(split_all, (HTTP, <...>/)) +1362692527.009512 MetaHookPre CallFunction(split_string_all, (HTTP, <...>/)) 1362692527.009512 MetaHookPre DrainEvents() 1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=])) 1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, 
orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -1700,7 +1700,7 @@ 1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) 1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009512 | HookCallFunction split_all(HTTP, <...>/) +1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/) 1362692527.009512 | HookDrainEvents 1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=]) 1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, 
response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_mime_types=, resp_fuids=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) @@ -1750,10 +1750,10 @@ 1362692527.009775 MetaHookPost CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> 1362692527.009775 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009775 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(split1, (Files::LOG, <...>/)) -> -1362692527.009775 MetaHookPost CallFunction(split1, (HTTP::LOG, <...>/)) -> -1362692527.009775 MetaHookPost CallFunction(split_n, (Files, <...>/, T, 4)) -> -1362692527.009775 MetaHookPost CallFunction(split_n, (HTTP, <...>/, T, 4)) -> +1362692527.009775 MetaHookPost CallFunction(split_string1, (Files::LOG, <...>/)) -> +1362692527.009775 MetaHookPost CallFunction(split_string1, (HTTP::LOG, <...>/)) -> +1362692527.009775 MetaHookPost CallFunction(split_string_n, (Files, <...>/, T, 4)) -> +1362692527.009775 MetaHookPost CallFunction(split_string_n, (HTTP, <...>/, T, 4)) -> 1362692527.009775 MetaHookPost CallFunction(to_lower, (Files)) -> 1362692527.009775 MetaHookPost CallFunction(to_lower, (HTTP)) -> 1362692527.009775 MetaHookPost DrainEvents() -> 
@@ -1785,10 +1785,10 @@ 1362692527.009775 MetaHookPre CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009775 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(split1, (Files::LOG, <...>/)) -1362692527.009775 MetaHookPre CallFunction(split1, (HTTP::LOG, <...>/)) -1362692527.009775 MetaHookPre CallFunction(split_n, (Files, <...>/, T, 4)) -1362692527.009775 MetaHookPre CallFunction(split_n, (HTTP, <...>/, T, 4)) +1362692527.009775 MetaHookPre CallFunction(split_string1, (Files::LOG, <...>/)) +1362692527.009775 MetaHookPre CallFunction(split_string1, (HTTP::LOG, <...>/)) +1362692527.009775 MetaHookPre CallFunction(split_string_n, (Files, <...>/, T, 4)) +1362692527.009775 MetaHookPre CallFunction(split_string_n, (HTTP, <...>/, T, 4)) 1362692527.009775 MetaHookPre CallFunction(to_lower, (Files)) 1362692527.009775 MetaHookPre CallFunction(to_lower, (HTTP)) 1362692527.009775 MetaHookPre DrainEvents() 
@@ -1821,10 +1821,10 @@ 1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009775 | HookCallFunction split1(Files::LOG, <...>/) -1362692527.009775 | HookCallFunction split1(HTTP::LOG, <...>/) -1362692527.009775 | HookCallFunction split_n(Files, <...>/, T, 4) -1362692527.009775 | HookCallFunction split_n(HTTP, <...>/, T, 4) +1362692527.009775 | HookCallFunction split_string1(Files::LOG, <...>/) +1362692527.009775 | HookCallFunction split_string1(HTTP::LOG, <...>/) +1362692527.009775 | HookCallFunction split_string_n(Files, <...>/, T, 4) +1362692527.009775 | HookCallFunction split_string_n(HTTP, <...>/, T, 4) 1362692527.009775 | HookCallFunction to_lower(Files) 1362692527.009775 | HookCallFunction to_lower(HTTP) 1362692527.009775 | HookDrainEvents 
@@ -1879,8 +1879,8 @@ 1362692527.080972 MetaHookPost CallFunction(net_stats, ()) -> 1362692527.080972 MetaHookPost CallFunction(reading_traces, ()) -> 1362692527.080972 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.080972 MetaHookPost CallFunction(split1, (Conn::LOG, <...>/)) -> -1362692527.080972 MetaHookPost CallFunction(split_n, (Conn, <...>/, T, 4)) -> +1362692527.080972 MetaHookPost CallFunction(split_string1, (Conn::LOG, <...>/)) -> +1362692527.080972 MetaHookPost CallFunction(split_string_n, (Conn, <...>/, T, 4)) -> 1362692527.080972 MetaHookPost CallFunction(sub_bytes, (HTTP, 0, 1)) -> 1362692527.080972 MetaHookPost CallFunction(to_lower, (Conn)) -> 1362692527.080972 MetaHookPost CallFunction(to_lower, (HTTP)) -> @@ -1913,8 +1913,8 @@ 1362692527.080972 MetaHookPre CallFunction(net_stats, ()) 1362692527.080972 MetaHookPre CallFunction(reading_traces, ()) 1362692527.080972 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.080972 MetaHookPre CallFunction(split1, (Conn::LOG, <...>/)) -1362692527.080972 MetaHookPre CallFunction(split_n, (Conn, <...>/, T, 4)) +1362692527.080972 MetaHookPre CallFunction(split_string1, (Conn::LOG, <...>/)) +1362692527.080972 MetaHookPre CallFunction(split_string_n, (Conn, <...>/, T, 4)) 1362692527.080972 MetaHookPre CallFunction(sub_bytes, (HTTP, 0, 1)) 1362692527.080972 MetaHookPre CallFunction(to_lower, (Conn)) 1362692527.080972 MetaHookPre CallFunction(to_lower, (HTTP)) 
@@ -1948,8 +1948,8 @@ 1362692527.080972 | HookCallFunction net_stats() 1362692527.080972 | HookCallFunction reading_traces() 1362692527.080972 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) -1362692527.080972 | HookCallFunction split1(Conn::LOG, <...>/) -1362692527.080972 | HookCallFunction split_n(Conn, <...>/, T, 4) +1362692527.080972 | HookCallFunction split_string1(Conn::LOG, <...>/) +1362692527.080972 | HookCallFunction split_string_n(Conn, <...>/, T, 4) 1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1) 1362692527.080972 | HookCallFunction to_lower(Conn) 1362692527.080972 | HookCallFunction to_lower(HTTP) diff --git a/testing/btest/Baseline/scripts.base.utils.addrs/output b/testing/btest/Baseline/scripts.base.utils.addrs/output index d93268a565..37afcb4719 100644 --- a/testing/btest/Baseline/scripts.base.utils.addrs/output +++ b/testing/btest/Baseline/scripts.base.utils.addrs/output @@ -30,14 +30,6 @@ T F F F -============ test find_ip_addresses() -{ -[0] = 1.1.1.1, -[2] = 3.3.3.3, -[1] = 2.2.2.2 -} -{ -[0] = 1.1.1.1, -[2] = 3.3.3.3, -[1] = 0:0:0:0:0:0:0:0 -} +============ test extract_ip_addresses() +[1.1.1.1, 2.2.2.2, 3.3.3.3] +[1.1.1.1, 0:0:0:0:0:0:0:0, 3.3.3.3] diff --git a/testing/btest/bifs/split_string.bro b/testing/btest/bifs/split_string.bro new file mode 100644 index 0000000000..e4d32b7f73 --- /dev/null +++ b/testing/btest/bifs/split_string.bro 
@@ -0,0 +1,36 @@
+#
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+function print_string_vector(v: string_vec)
+ {
+ for ( i in v )
+ print v[i];
+ }
+
+event bro_init()
+ {
+ local a = "this is a test";
+ local pat = /hi|es/;
+ local idx = vector( 3, 6, 13);
+
+ print_string_vector(split_string(a, pat));
+ print "---------------------";
+ print_string_vector(split_string1(a, pat));
+ print "---------------------";
+ print_string_vector(split_string_all(a, pat));
+ print "---------------------";
+ print_string_vector(split_string_n(a, pat, F, 1));
+ print "---------------------";
+ print_string_vector(split_string_n(a, pat, T, 1));
+ print "---------------------";
+ print str_split(a, idx);
+ print "---------------------";
+ a = "X-Mailer: Testing Test (http://www.example.com)";
+ pat = /:[[:blank:]]*/;
+ print_string_vector(split_string1(a, pat));
+ print "---------------------";
+ a = "A = B = C = D";
+ pat = /=/;
+ print_string_vector(split_string_all(a, pat));
+ }
diff --git a/testing/btest/scripts/base/utils/addrs.test b/testing/btest/scripts/base/utils/addrs.test
index 08bce5f35f..224fd9dc62 100644
--- a/testing/btest/scripts/base/utils/addrs.test
+++ b/testing/btest/scripts/base/utils/addrs.test
@@ -1,8 +1,7 @@ -# @TEST-EXEC: bro %INPUT > output +# @TEST-EXEC: bro -b %INPUT > output # @TEST-EXEC: btest-diff output -# This is loaded by default -#@load base/utils/addrs +@load base/utils/addrs event bro_init() {
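Review bot: The new test in testing/btest/bifs/split_string.bro only feeds inputs in which the pattern matches somewhere inside the string, so the baseline never pins what the split_string* functions return for a string with no match, an empty string, or a match at position 0. That count matters to callers that read a fixed index of the returned vector: the hooks baseline earlier on this page shows Log::default_path_func reading `Log::parts[1]` after `split_string1` (presumably behind a guard that the baseline elides), and the `/:[[:blank:]]*/` case here mirrors header parsing on traffic-derived strings, where a missing separator is ordinary input. I would add cases such as `print_string_vector(split_string1("no separator here", /:[[:blank:]]*/));` and `print_string_vector(split_string("", pat));`, each followed by the existing separator print, and regenerate the baseline.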
@@ -98,8 +97,8 @@ event bro_init() ip = "2001:db8:0:0:0:FFFF:192.168.0.256"; print is_valid_ip(ip); - print "============ test find_ip_addresses()"; - print find_ip_addresses("this is 1.1.1.1 a test 2.2.2.2 string with ip addresses 3.3.3.3"); - print find_ip_addresses("this is 1.1.1.1 a test 0:0:0:0:0:0:0:0 string with ip addresses 3.3.3.3"); + print "============ test extract_ip_addresses()"; + print extract_ip_addresses("this is 1.1.1.1 a test 2.2.2.2 string with ip addresses 3.3.3.3"); + print extract_ip_addresses("this is 1.1.1.1 a test 0:0:0:0:0:0:0:0 string with ip addresses 3.3.3.3"); } From f4d18e6940b7773bbaf4bf735bf1b25dfac7a751 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 21 Jan 2015 16:15:17 -0600 Subject: [PATCH 37/48] Update NEWS for deprecated/changed functions. --- NEWS | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/NEWS b/NEWS index 5e2ef52ca1..d78d1b3fc4 100644 --- a/NEWS +++ b/NEWS @@ -53,6 +53,35 @@ Changed Functionality record gives the how many bytes have been written so far (i.e. the "offset"). +- has_valid_octets: now uses a string_vec parameter instead of + string_array. + +Deprecated Functionality +------------------------ + +- The split* family of functions are to be replaced with alternate + versions that return a vector of strings rather than a table of + strings. This also allows deprecation for some related string + concatenation/extraction functions. The full list is: + + * split: use split_string instead. + + * split1: use split_string1 instead. + + * split_all: use split_string_all instead. + + * split_n: use split_string_n instead. + + * cat_string_array: see join_string_vec instead. + + * cat_string_array_n: see join_string_vec instead. + + * join_string_array: see join_string_vec instead. + + * sort_string_array: use sort instead instead. + + * find_ip_addresses: use extract_ip_addresses instead. + Bro 2.3 ======= From 7b2316262d74f061a2bca2c02348479f0f238830 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Wed, 21 Jan 2015 16:38:31 -0600 Subject: [PATCH 38/48] Update documentation (broken links, outdated tests). --- doc/script-reference/attributes.rst | 8 ++++++++ src/analyzer/protocol/mysql/events.bif | 8 ++++---- src/file_analysis/file_analysis.bif | 2 +- .../output | 4 ++-- .../output | 11 ++++------- .../output | 9 +++++---- .../output | 10 +++++----- .../include-doc_frameworks_file_analysis_02_bro.btest | 4 ++-- .../include-doc_httpmonitor_file_extraction_bro.btest | 11 ++++------- ...ripts_policy_frameworks_files_detect-MHR_bro.btest | 9 +++++---- ...pts_policy_frameworks_files_detect-MHR_bro@4.btest | 10 +++++----- 11 files changed, 45 insertions(+), 41 deletions(-) diff --git a/doc/script-reference/attributes.rst b/doc/script-reference/attributes.rst index 5680a034ff..ef6c6a54a1 100644 --- a/doc/script-reference/attributes.rst +++ b/doc/script-reference/attributes.rst @@ -49,6 +49,8 @@ The Bro scripting language supports the following attributes. +-----------------------------+-----------------------------------------------+ | :bro:attr:`&type_column` |Used by input framework for "port" type. | +-----------------------------+-----------------------------------------------+ +| :bro:attr:`&deprecated` |Marks an identifier as deprecated. | ++-----------------------------+-----------------------------------------------+ Here is a more detailed explanation of each attribute: @@ -230,3 +232,9 @@ Here is a more detailed explanation of each attribute: msg: string; }; +.. bro:attr:: &deprecated + + The associated identifier is marked as deprecated and will be + removed in a future version of Bro. Look in the NEWS file for more + explanation and/or instructions to migrate code that uses deprecated + functionality. diff --git a/src/analyzer/protocol/mysql/events.bif b/src/analyzer/protocol/mysql/events.bif index d7160c1ac6..bd81e8b8a4 100644 --- a/src/analyzer/protocol/mysql/events.bif +++ b/src/analyzer/protocol/mysql/events.bif 
@@ -9,7 +9,7 @@ ## ## arg: The argument for the command (empty string if not provided). ## -## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake event mysql_command_request%(c: connection, command: count, arg: string%); ## Generated for an unsuccessful MySQL response. @@ -23,7 +23,7 @@ event mysql_command_request%(c: connection, command: count, arg: string%); ## ## msg: Any extra details about the error (empty string if not provided). ## -## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake event mysql_error%(c: connection, code: count, msg: string%); ## Generated for a successful MySQL response. @@ -35,7 +35,7 @@ event mysql_error%(c: connection, code: count, msg: string%); ## ## affected_rows: The number of rows that were affected. ## -## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake event mysql_ok%(c: connection, affected_rows: count%); ## Generated for the initial server handshake packet, which includes the MySQL server version. @@ -47,7 +47,7 @@ event mysql_ok%(c: connection, affected_rows: count%); ## ## ver: The server version string. ## -## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake_response +## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake event mysql_server_version%(c: connection, ver: string%); ## Generated for a client handshake response packet, which includes the username the client is attempting diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index 4e4b4c6cdb..480d8c84d8 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif 
@@ -29,7 +29,7 @@ function Files::__disable_reassembly%(file_id: string%): bool return new Val(result, TYPE_BOOL); %} -## :bro:see:`Files::set_reassembly_buffer`. +## :bro:see:`Files::set_reassembly_buffer_size`. function Files::__set_reassembly_buffer%(file_id: string, max: count%): bool %{ bool result = file_mgr->SetReassemblyBuffer(file_id->CheckString(), max); diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output index 3b93ee757c..5e86c8d685 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output @@ -2,10 +2,10 @@ file_analysis_02.bro -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { print "new file", f$id; - if ( f?$mime_type && f$mime_type == "text/plain" ) + if ( mime_type == "text/plain" ) Files::add_analyzer(f, Files::ANALYZER_MD5); } diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output index acae92f44b..b193e4a530 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output 
@@ -11,18 +11,15 @@ global mime_to_ext: table[string] of string = { ["text/html"] = "html", }; -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { if ( f$source != "HTTP" ) return; - if ( ! f?$mime_type ) + if ( mime_type !in mime_to_ext ) return; - if ( f$mime_type !in mime_to_ext ) - return; - - local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]); + local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]); print fmt("Extracting file %s", fname); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } + } \ No newline at end of file diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output index bcf6ccd309..03ba9cb3cd 100644 --- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output @@ -46,15 +46,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); 
@@ -70,6 +70,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); } diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output index be9619fa1c..55950caf6b 100644 --- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output +++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output @@ -9,15 +9,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); 
@@ -33,6 +33,6 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest index 3b93ee757c..5e86c8d685 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest @@ -2,10 +2,10 @@ file_analysis_02.bro -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { print "new file", f$id; - if ( f?$mime_type && f$mime_type == "text/plain" ) + if ( mime_type == "text/plain" ) Files::add_analyzer(f, Files::ANALYZER_MD5); } diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest index acae92f44b..b193e4a530 100644 --- a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest @@ -11,18 +11,15 @@ global mime_to_ext: table[string] of string = { ["text/html"] = "html", }; -event file_new(f: fa_file) +event file_mime_type(f: fa_file, mime_type: string) { if ( f$source != "HTTP" ) return; - if ( ! f?$mime_type ) + if ( mime_type !in mime_to_ext ) return; - if ( f$mime_type !in mime_to_ext ) - return; - - local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]); + local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]); print fmt("Extracting file %s", fname); Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } + } \ No newline at end of file 
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest index bcf6ccd309..03ba9cb3cd 100644 --- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest +++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest @@ -46,15 +46,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -70,6 +70,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); } diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest index be9619fa1c..55950caf6b 100644 --- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest 
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest @@ -9,15 +9,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) when ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " - local MHR_answer = split1(MHR_result, / /); + local MHR_answer = split_string1(MHR_result, / /); if ( |MHR_answer| == 2 ) { - local mhr_detect_rate = to_count(MHR_answer[2]); + local mhr_detect_rate = to_count(MHR_answer[1]); if ( mhr_detect_rate >= notice_threshold ) { - local mhr_first_detected = double_to_time(to_double(MHR_answer[1])); + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local virustotal_url = fmt(match_sub_url, hash); @@ -33,6 +33,6 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) event file_hash(f: fa_file, kind: string, hash: string) { - if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type ) + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) do_mhr_lookup(hash, Notice::create_file_info(f)); - } From e62c711e095454b5b29f52a4e9f384e42f72fc30 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 21 Jan 2015 16:57:16 -0600 Subject: [PATCH 39/48] Fix typo. --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index d78d1b3fc4..e09af7f17f 100644 --- a/NEWS +++ b/NEWS @@ -78,7 +78,7 @@ Deprecated Functionality * join_string_array: see join_string_vec instead. - * sort_string_array: use sort instead instead. + * sort_string_array: use sort instead. * find_ip_addresses: use extract_ip_addresses instead. From 4d0a09a0379206f0cacd0c8a8053c0d1070ca62b Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Thu, 22 Jan 2015 07:25:27 -0800 Subject: [PATCH 40/48] Updating submodule(s). [nomail] --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index d67d89aaee..93d4989ed1 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit d67d89aaee32ad5edb9068db55d1310c2f36970a +Subproject commit 93d4989ed1537e4d143cf09d44077159f869a4b2 From d6d5276d769e07a442fd27ed1b075b33972219b5 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 23 Jan 2015 10:43:28 -0600 Subject: [PATCH 41/48] Update binpac: Fix potential out-of-bounds memory reads in generated code. Field lengths derived from other data in the input could potentially lead to reading from outside the bounds of the input buffer. Reported by John Villamil and Chris Rohlf - Yahoo Paranoids --- aux/binpac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/binpac b/aux/binpac index 77a86591dc..8d56b507b8 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 77a86591dcf89d7252d3676d3f1199d6c927d073 +Subproject commit 8d56b507b8b804fa83f6637f3b1f198e696cd603 From 6cedd67c381ff22fde653adf02ee31caf66c81a0 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 23 Jan 2015 10:49:15 -0600 Subject: [PATCH 42/48] DNP3: fix reachable assertion and buffer over-read/overflow. A DNP3 packet using a link layer header that specifies a zero length can trigger an assertion failure if assertions are enabled. Assertions are enabled unless Bro is compiled with the NDEBUG preprocessor macro defined. The default configuration of Bro will define this macro and so disables assertions, but using the --enable-debug option in the configure script will enable assertions. When assertions are disabled, or also for certain length values, the DNP3 parser may attempt to pass a negative value as the third argument to memcpy (number of bytes to copy) and result in a buffer over-read or overflow. Reported by Travis Emmert. --- CHANGES | 11 ++++++ VERSION | 2 +- src/analyzer/protocol/dnp3/DNP3.cc | 58 ++++++++++++++++++++++++++---- src/analyzer/protocol/dnp3/DNP3.h | 16 ++++++++- 4 files changed, 78 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index 4087615fe2..a50dc265cc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,15 @@ +2.3-396 | 2015-01-23 10:49:15 -0600 + + * DNP3: fix reachable assertion and buffer over-read/overflow. + CVE number pending. (Travis Emmert, Jon Siwek) + + * Update binpac: Fix potential out-of-bounds memory reads in generated + code. CVE-2014-9586. (John Villamil and Chris Rohlf - Yahoo + Paranoids, Jon Siwek) + + * Fixing (harmless) Coverity warning. (Robin Sommer) + 2.3-392 | 2015-01-15 09:44:15 -0800 * Small changes to EC curve names in a newer draft. (Johanna Amann) diff --git a/VERSION b/VERSION index 1cb805162d..081c98cc51 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-392 +2.3-396 diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc index 135100eb6b..b04dbf64e0 100644 --- a/src/analyzer/protocol/dnp3/DNP3.cc +++ b/src/analyzer/protocol/dnp3/DNP3.cc 
@@ -138,9 +138,14 @@ bool DNP3_Base::ProcessData(int len, const u_char* data, bool orig) if ( endp->in_hdr ) { // We're parsing the DNP3 header and link layer, get that in full. - if ( ! AddToBuffer(endp, PSEUDO_APP_LAYER_INDEX, &data, &len) ) + int res = AddToBuffer(endp, PSEUDO_APP_LAYER_INDEX, &data, &len); + + if ( res == 0 ) return true; + if ( res < 0 ) + return false; + // The first two bytes must always be 0x0564. if( endp->buffer[0] != 0x05 || endp->buffer[1] != 0x64 ) { @@ -186,7 +191,11 @@ bool DNP3_Base::ProcessData(int len, const u_char* data, bool orig) if ( ! endp->in_hdr ) { - assert(endp->pkt_length); + if ( endp->pkt_length <= 0 ) + { + analyzer->Weird("dnp3_negative_or_zero_length_link_layer"); + return false; + } // We're parsing the DNP3 application layer, get that // in full now as well. We calculate the number of @@ -197,9 +206,14 @@ bool DNP3_Base::ProcessData(int len, const u_char* data, bool orig) int n = PSEUDO_APP_LAYER_INDEX + (endp->pkt_length - 5) + ((endp->pkt_length - 5) / 16) * 2 + 2 * ( ((endp->pkt_length - 5) % 16 == 0) ? 0 : 1) - 1 ; - if ( ! AddToBuffer(endp, n, &data, &len) ) + int res = AddToBuffer(endp, n, &data, &len); + + if ( res == 0 ) return true; + if ( res < 0 ) + return false; + // Parse the the application layer data. if ( ! ParseAppLayer(endp) ) return false; 
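Review bot: The guard that replaces `assert(endp->pkt_length)` in the `! endp->in_hdr` branch rejects only `pkt_length <= 0`, but the expression for `n` just below subtracts 5 from `pkt_length`, so values 1 through 4 still make `(endp->pkt_length - 5)` negative and feed it into signed `/` and `%`. Those lengths appear to be left to the `target_len < endp->buffer_len` check in AddToBuffer, which reports through `reporter->AnalyzerError` rather than as a weird; whether that check catches every such value depends on PSEUDO_APP_LAYER_INDEX, which is not visible here. If 5 is the minimum the formula assumes, tightening the guard to `if ( endp->pkt_length < 5 )` rejects a malformed link-layer length where it is first used. ProcessData starts and ends outside these hunks.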
@@ -213,19 +227,42 @@ bool DNP3_Base::ProcessData(int len, const u_char* data, bool orig) return true; } -bool DNP3_Base::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len) +int DNP3_Base::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len) { if ( ! target_len ) - return true; + return 1; + + if ( *len < 0 ) + { + reporter->AnalyzerError(analyzer, "dnp3 negative input length: %d", *len); + return -1; + } + + if ( target_len < endp->buffer_len ) + { + reporter->AnalyzerError(analyzer, "dnp3 invalid target length: %d - %d", + target_len, endp->buffer_len); + return -1; + } int to_copy = min(*len, target_len - endp->buffer_len); + if ( endp->buffer_len + to_copy > MAX_BUFFER_SIZE ) + { + reporter->AnalyzerError(analyzer, "dnp3 buffer length exceeded: %d + %d", + endp->buffer_len, to_copy); + return -1; + } + memcpy(endp->buffer + endp->buffer_len, *data, to_copy); *data += to_copy; *len -= to_copy; endp->buffer_len += to_copy; - return endp->buffer_len == target_len; + if ( endp->buffer_len == target_len ) + return 1; + + return 0; } bool DNP3_Base::ParseAppLayer(Endpoint* endp) @@ -256,8 +293,15 @@ bool DNP3_Base::ParseAppLayer(Endpoint* endp) if ( ! CheckCRC(n, data, data + n, "app_chunk") ) return false; + if ( data + n >= endp->buffer + endp->buffer_len ) + { + reporter->AnalyzerError(analyzer, + "dnp3 app layer parsing overflow %d - %d", + endp->buffer_len, n); + return false; + } + // Pass on to BinPAC. - assert(data + n < endp->buffer + endp->buffer_len); flow->flow_buffer()->BufferData(data + transport, data + n); transport = 0; diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h index 12c3624cd5..aa4ef78479 100644 --- a/src/analyzer/protocol/dnp3/DNP3.h +++ b/src/analyzer/protocol/dnp3/DNP3.h 
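Review bot: In ParseAppLayer the bounds test that replaces the assert still runs after `CheckCRC(n, data, data + n, "app_chunk")`, so when `data + n` lies past the buffered bytes the CRC routine has presumably already read the chunk and the checksum at `data + n` before the error is reported. Moving the `if ( data + n >= endp->buffer + endp->buffer_len )` block above the CheckCRC call would make the check guard the read. The checksum is passed as `crc16`, so if it is two bytes wide the comparison may also need to cover `data + n + 1`. Comparing integer offsets against `endp->buffer_len` instead of forming `data + n` would also avoid pointer arithmetic beyond the array. The loop this sits in begins outside the hunk.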
@@ -31,7 +31,21 @@ protected: bool ProcessData(int len, const u_char* data, bool orig); void ClearEndpointState(bool orig); - bool AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len); + + /** + * Buffers packet data until it reaches a specified length. + * @param endp an endpoint speaking DNP3 to which data will be buffered. + * @param target_len the required length of the buffer + * @param data source buffer to copy bytes from. Will be incremented + * by the number of bytes copied by this function. + * @param len the number of bytes available in \a data. Will be decremented + * by the number of bytes copied by this function. + * @return -1 if invalid input parameters were supplied, 0 if the endpoint's + * buffer is not yet \a target_len bytes in size, or 1 the buffer is the + * required size. + */ + int AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len); + bool ParseAppLayer(Endpoint* endp); bool CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where); unsigned int CalcCRC(int len, const u_char* data); From 36bc7ba5b5d25cea881db22fb1a5bc2bc5fbc3e4 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 27 Jan 2015 10:13:10 -0600 Subject: [PATCH 43/48] Handle guess_lexer exceptions in pygments reST directive --- CHANGES | 4 ++++ VERSION | 2 +- doc/ext/rst_directive.py | 5 ++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index a50dc265cc..1b084c7f19 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.3-397 | 2015-01-27 10:13:10 -0600 + + * Handle guess_lexer exceptions in pygments reST directive (Jon Siwek) + 2.3-396 | 2015-01-23 10:49:15 -0600 * DNP3: fix reachable assertion and buffer over-read/overflow. diff --git a/VERSION b/VERSION index 081c98cc51..9a536ef2e7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-396 +2.3-397 diff --git a/doc/ext/rst_directive.py b/doc/ext/rst_directive.py index 434eef2c61..43c95abc52 100644 --- a/doc/ext/rst_directive.py 
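Review bot: The new doc comment on AddToBuffer in DNP3.h does not fully match the implementation added in DNP3.cc. It omits that a `target_len` of 0 returns 1 immediately, and that -1 is also returned when the copy would exceed MAX_BUFFER_SIZE, which is not strictly an invalid input parameter. I would reword the return line along the lines of `@return -1 on invalid input or if the buffer limit would be exceeded, 0 if the endpoint's buffer is not yet \a target_len bytes in size, or 1 if the buffer has the required size (including when \a target_len is 0).`, which also restores the missing "if" in "or 1 the buffer is". Since callers now branch on three integer values, a small enum for the result would make `res == 0` and `res < 0` self-describing.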
+++ b/doc/ext/rst_directive.py @@ -135,7 +135,10 @@ class Pygments(Directive): # lexer not found, use default. lexer = TextLexer() else: - lexer = guess_lexer(content) + try: + lexer = guess_lexer(content) + except: + lexer = TextLexer() # import sys # print >>sys.stderr, self.arguments, lexer.__class__ From 21c7642f6215960e1e9faf65d581e41dacb8de7c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 2 Feb 2015 11:14:24 -0600 Subject: [PATCH 44/48] Fix memory leak in new split_string* functions. --- CHANGES | 4 ++++ VERSION | 2 +- src/strings.bif | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index f7f564b290..2d4ce98c31 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.3-405 | 2015-02-02 11:14:24 -0600 + + * Fix memory leak in new split_string* functions. (Jon Siwek) + 2.3-404 | 2015-01-30 14:23:27 -0800 * Update documentation (broken links, outdated tests). (Jon Siwek) diff --git a/VERSION b/VERSION index a47da723dd..57d75d10d0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-404 +2.3-405 diff --git a/src/strings.bif b/src/strings.bif index 84d6014cff..b8d21cb04a 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -341,7 +341,7 @@ static int match_prefix(int s_len, const char* s, int t_len, const char* t) VectorVal* do_split_string(StringVal* str_val, RE_Matcher* re, int incl_sep, int max_num_sep) { - VectorVal* rval = new VectorVal(new VectorType(base_type(TYPE_STRING))); + VectorVal* rval = new VectorVal(string_vec); const u_char* s = str_val->Bytes(); int n = str_val->Len(); const u_char* end_of_s = s + n; From 51203d71934436c7f30922dfc6e0f8d4800a9f62 Mon Sep 17 00:00:00 2001 From: Mike Smiley Date: Tue, 3 Feb 2015 14:29:34 -0500 Subject: [PATCH 45/48] "id" not defined for debug code "id" not defined for debug code when using -DPROFILE_BRO_FUNCTIONS --- src/Func.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Func.cc b/src/Func.cc index d66e9c71fa..693a4535d4 100644 --- a/src/Func.cc 
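Review bot: The bare `except:` around `guess_lexer(content)` also swallows KeyboardInterrupt and SystemExit and will hide unrelated bugs in the directive behind a silent fallback to TextLexer. Narrow it to the failure being handled: `except Exception:` at minimum, or pygments' `ClassNotFound` (which guess_lexer raises when no lexer matches) if the module imports it. The enclosing method of `class Pygments` starts and ends outside the hunk.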
+++ b/src/Func.cc @@ -323,7 +323,7 @@ int BroFunc::IsPure() const Val* BroFunc::Call(val_list* args, Frame* parent) const { #ifdef PROFILE_BRO_FUNCTIONS - DEBUG_MSG("Function: %s\n", id->Name()); + DEBUG_MSG("Function: %s\n", Name()); #endif SegmentProfiler(segment_logger, location); From 565ad360c6f0afa0583b472eadde841b7521e9d1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 3 Feb 2015 17:02:45 -0600 Subject: [PATCH 46/48] Add x509 canonifier to a unit test. --- CHANGES | 4 ++++ VERSION | 2 +- .../btest/scripts/policy/protocols/ssl/validate-ocsp.bro | 6 +++--- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 2d4ce98c31..76e09d27c1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.3-406 | 2015-02-03 17:02:45 -0600 + + * Add x509 canonifier to a unit test. (Jon Siwek) + 2.3-405 | 2015-02-02 11:14:24 -0600 * Fix memory leak in new split_string* functions. (Jon Siwek) diff --git a/VERSION b/VERSION index 57d75d10d0..15530c9394 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-405 +2.3-406 diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro index e7e3c3ff8e..3f88638ee3 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro 
@@ -1,10 +1,10 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT -# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl.log # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT # @TEST-EXEC: mv ssl.log ssl-twimg.log -# @TEST-EXEC: btest-diff ssl-twimg.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-twimg.log # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT # @TEST-EXEC: mv ssl.log ssl-digicert.log -# @TEST-EXEC: btest-diff ssl-digicert.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-digicert.log @load protocols/ssl/validate-ocsp From a97cd1f3a24d93e81190cc28ba283d26f31035c8 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 5 Feb 2015 09:09:08 -0500 Subject: [PATCH 47/48] Fix a bug in the core files framework with handling the BOF buffer. - Any files where the total size was below the size of the default bof_buffer size couldn't have stream analyzers successfully attached because the bof_buffer never reached the full size and was never flushed. This branch explicitly marks the buf_buffer as full and flushes it when the file is being removed. --- src/file_analysis/File.cc | 18 +++++++++++------- .../files.log | 10 ++++++++++ .../file-analysis/big-bof-buffer.bro | 6 ++++++ 3 files changed, 27 insertions(+), 7 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log create mode 100644 testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 50617f27b6..cc1f86412c 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc 
@@ -492,18 +492,22 @@ void File::EndOfFile()
 if ( done )
 return;
- if ( ! did_mime_type &&
- LookupFieldDefaultCount(missing_bytes_idx) == 0 )
- DetectMIME();
-
- analyzers.DrainModifications();
-
 if ( file_reassembler )
 {
 file_reassembler->Flush();
- analyzers.DrainModifications();
 }
+ // Mark the bof_buffer as full in case it isn't yet
+ // so that the whole thing can be flushed out to
+ // any stream analyzers.
+ if ( ! bof_buffer.full )
+ {
+ bof_buffer.full = true;
+ DeliverStream((const u_char*) "", 0);
+ }
+
+ analyzers.DrainModifications();
+
 done = true;
 file_analysis::Analyzer* a = 0;
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log
new file mode 100644
index 0000000000..cebe140bda
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path files +#open 2015-02-05-13-55-41 +#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted +#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string +1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 MD5,SHA1 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 - - +#close 2015-02-05-13-55-41
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro b/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro
new file mode 100644
index 0000000000..0f7e23ddcf
--- /dev/null
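Review bot: The new `if ( ! bof_buffer.full )` branch replaces the explicit end-of-file `DetectMIME()` call but not its `LookupFieldDefaultCount(missing_bytes_idx) == 0` guard, so type detection for files smaller than the BOF buffer now seems to hinge on what the zero-length `DeliverStream()` call does, gaps included. DeliverStream() is outside this hunk, so please confirm it still skips or qualifies detection when bytes are missing; otherwise MIME-keyed analyzer attachment could act on a type derived from incomplete data. The `analyzers.DrainModifications()` that used to run before `file_reassembler->Flush()` is also gone, which may leave analyzers queued just before end of file unattached while the reassembler delivers its remaining data. I would document the sentinel call with `// Zero-length delivery: adds no bytes, only forces the buffered BOF data out to stream analyzers.` and extend the new test with a trace that has a gap. EndOfFile() starts before and continues after the hunk.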
+++ b/testing/btest/scripts/base/frameworks/file-analysis/big-bof-buffer.bro
@@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT
+# @TEST-EXEC: btest-diff files.log
+
+@load frameworks/files/hash-all-files
+
+redef default_file_bof_buffer_size=5000;
From 8859c73bde5d392be6081bade798e26b79e0e56e Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 5 Feb 2015 10:04:04 -0600
Subject: [PATCH 48/48] Add/fix log fields in x509 diff canonifier.
---
 testing/scripts/diff-remove-x509-names | 30 +++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/testing/scripts/diff-remove-x509-names b/testing/scripts/diff-remove-x509-names
index 4863efc990..4534cb7d87 100755
--- a/testing/scripts/diff-remove-x509-names
+++ b/testing/scripts/diff-remove-x509-names
@@ -3,19 +3,25 @@
 # A diff canonifier that removes all X.509 Distinguished Name subject fields
 # because that output can differ depending on installed OpenSSL version.
-BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1; cs_col = -1; ci_col = -1 }
+BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1; is_col = -1; cs_col = -1; ci_col = -1; cert_subj_col = -1; cert_issuer_col = -1 }
 /^#fields/ {
 for ( i = 2; i < NF; ++i )
 {
 if ( $i == "subject" )
 s_col = i-1;
- if ( $i == "issuer_subject" )
+ if ( $i == "issuer" )
 i_col = i-1;
+ if ( $i == "issuer_subject" )
+ is_col = i-1;
 if ( $i == "client_subject" )
 cs_col = i-1;
- if ( $i == "client_issuer_subject" )
+ if ( $i == "client_issuer" )
 ci_col = i-1;
+ if ( $i == "certificate.subject" )
+ cert_subj_col = i-1;
+ if ( $i == "certificate.issuer" )
+ cert_issuer_col = i-1;
 }
 }
@@ -31,6 +37,12 @@ i_col >= 0 {
 $i_col = "+";
 }
+is_col >= 0 {
+ if ( $is_col != "-" )
+ # Mark that it's set, but ignore content.
+ $is_col = "+";
+}
+
 cs_col >= 0 {
 if ( $cs_col != "-" )
 # Mark that it's set, but ignore content.
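Review bot: The header scan `for ( i = 2; i < NF; ++i )`, a context line the first diff-remove-x509-names hunk keeps, stops one short of the last `#fields` name, so any of the columns matched here, including the newly added `certificate.subject` and `certificate.issuer`, is missed when it is the final column of a log. Its index then stays -1 and the name is left unmasked, which brings back the OpenSSL-version-dependent baseline differences the script's header comment says it exists to remove. Unless the last column is skipped on purpose, I would change the bound to `for ( i = 2; i <= NF; ++i )` and note above the loop that `i-1` maps a header position to a data column because `#fields` itself occupies `$1`.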
@@ -43,6 +55,18 @@ ci_col >= 0 {
 $ci_col = "+";
 }
+cert_subj_col >= 0 {
+ if ( $cert_subj_col != "-" )
+ # Mark that it's set, but ignore content.
+ $cert_subj_col = "+";
+}
+
+cert_issuer_col >= 0 {
+ if ( $cert_issuer_col != "-" )
+ # Mark that it's set, but ignore content.
+ $cert_issuer_col = "+";
+}
+
 {
 print;
 }