diff --git a/.cirrus.yml b/.cirrus.yml index 826890ad1c..fdda43e6da 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -3,7 +3,8 @@ btest_jobs: &BTEST_JOBS 4 btest_retries: &BTEST_RETRIES 2 memory: &MEMORY 4GB -config: &CONFIG --build-type=release --enable-cpp-tests --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install +config: &CONFIG --build-type=release --enable-cpp-tests --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install +static_config: &STATIC_CONFIG --build-type=release --enable-cpp-tests --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install sanitizer_config: &SANITIZER_CONFIG --build-type=debug --enable-cpp-tests --disable-broker-tests --sanitizers=address,undefined --enable-fuzzers --enable-coverage resources_template: &RESOURCES_TEMPLATE @@ -87,13 +88,6 @@ fedora32_task: << : *RESOURCES_TEMPLATE << : *CI_TEMPLATE -fedora31_task: - container: - # Fedora 31 EOL: Nov 24 2020 - dockerfile: ci/fedora-31/Dockerfile - << : *RESOURCES_TEMPLATE - << : *CI_TEMPLATE - centos8_task: container: # CentOS 8 EOL: May 31, 2029 @@ -120,6 +114,16 @@ debian10_task: << : *RESOURCES_TEMPLATE << : *CI_TEMPLATE +debian10_static_task: + container: + # Just uses a recent/common distro to run a static compile test. + # Debian 10 EOL: June 2024 + dockerfile: ci/debian-10/Dockerfile + << : *RESOURCES_TEMPLATE + << : *CI_TEMPLATE + env: + ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG + debian9_task: container: # Debian 9 EOL: June 2022 diff --git a/.gitignore b/.gitignore index e0efa6d316..e06e3a71d5 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,6 @@ cmake-build-* # skip DS Store for MacOS .DS_Store + +# ignore pyenv local settings +.python-version diff --git a/CHANGES b/CHANGES index 99fcf27f8b..e75813a38a 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,121 @@ + +3.3.0-dev.607 | 2020-12-04 11:16:09 -0800 + + * Fix the CMake 'dist' target of Zeek plugins to only run when outdated (Benjamin Bannier, Corelight) + +3.3.0-dev.604 | 2020-12-04 18:40:03 +0000 + + * Sumstats: allow users to manage epoch manually + + This change allows users to specify an epoch length of 0, which means + that the user manually has to finish the epochs. A new next_epoch + function is introduced to allow users to manually end epochs. + + Addresses GH-348 (Johanna Amann, Corelight) + + * Sumstats: epoch_finished was not called under certain circumstances + + In non-clustered mode, epoch_finished was not called when there was no + data during the epoch. + + This behavior does not fit the documentation, and also is different in + cluster-mode, where epoch_finished is, indeed, called after every epoch. + + This small change fixes this behavior. (Johanna Amann, Corelight) + +3.3.0-dev.600 | 2020-12-03 18:02:22 -0800 + + * Add a CI task for compiling with static broker/binpac (Johanna Amann, Corelight) + +3.3.0-dev.596 | 2020-12-03 09:35:42 -0700 + + * Fix a couple of life-time issues when plugin loading fails. + + Reported by Coverity. + + Follow-up to #1179. (Robin Sommer, Corelight) + +3.3.0-dev.593 | 2020-12-02 12:53:04 -0800 + + * Add `count_to_double` and `int_to_double` bif functions (Yacin Nadji, Corelight) + +3.3.0-dev.590 | 2020-12-02 11:11:26 -0800 + + * Update minimum required CMake to 3.5 (Jon Siwek, Corelight) + + Also now uses CMake's ENABLE_EXPORTS target property for the zeek + executable to ensure symbols are visible to plugins. Prior to CMake + 3.4, the policy was to export symbols by default for certain platforms, + but later versions need either the explicit target property or policy. 
+ +3.3.0-dev.587 | 2020-12-01 10:17:42 -0700 + + * GH-1184: Add 'source' field to weird log denoting where the weird was reported (Tim Wojtulewicz, Corelight) + +3.3.0-dev.585 | 2020-12-01 14:42:54 +0000 + + * Retry loading plugins on failure to resolve to dependencies. + Closes #1179. (Robin Sommer, Corelight) + +3.3.0-dev.580 | 2020-11-30 14:07:39 -0700 + + * Find correct zeek namespace in debug logger macros. + + These macros forward to functionality in `zeek::detail::debug_logger` + and are not intended for customization. This patch fixes the macros to + always use `::zeek::detail::debug_logger` as without the leading `::` + lookup could happen in any potentially local namespace `zeek` which does + not need to provide this symbol. + + This closes zeek/spicy#597. (Benjamin Bannier, Corelight) + +3.3.0-dev.576 | 2020-11-26 18:16:07 +0000 + + * Remove Python2 compatibility logic. We now require at least Python 3.5. + This includes script changes, improves the cmake logic to find python3, + makes scripts explicitly call python3 and documentation updates. + + (Jon Siwek, Corelight) + + * Remove Fedora 31 (EOL) from CI (Jon Siwek, Corelight) + +3.3.0-dev.564 | 2020-11-24 15:23:50 -0800 + + * Improve support for custom libdir locations (Christian Kreibich, Corelight) + + - Remove hardwiring of $ZEEK_ROOT/lib throughout the three and + defaults the name of Zeek's library directory to the default on the + given platform (e.g. lib64), via GNUInstallDirs. + + - Consistently use that lib directory, instead of two lib folders + resulting when using a custom libdir. + + - Remove the old lib directory in the installation prefix, if one exists + + - Add --lib_dir to zeek-config (and sort its options a bit). + +3.3.0-dev.561 | 2020-11-23 21:50:19 -0800 + + * Move implementation of internal_{type,var,etc} methods back into global namespace. + (Tim Wojtulewicz, Corelight) + + This fixes an unknown symbol error if using those methods. 
They're defined + as extern in the global namespace in Var.h, but Var.cc had their + implementations defined in the zeek::detail namespace. + +3.3.0-dev.559 | 2020-11-23 21:39:29 -0800 + + * Simplify Debian/Ubuntu CI dependencies and setup (Dominik Charousset, Corelight) + + * Update .gitignore to ignore pyenv .python-version (Otto Fowler) + +3.3.0-dev.554 | 2020-11-19 18:09:01 -0800 + + * Reverts the SMTP regex change in dead3226a545e264072ced40284f86ac41528ba8. (Tim Wojtulewicz, Corelight) + + The regex change broke some of the external tests. I added some more cases + to the regular email btest to hopefully cover all of the cases better. + 3.3.0-dev.551 | 2020-11-17 15:01:04 -0700 * Added unit tests for regex fix (christina23) diff --git a/CMakeLists.txt b/CMakeLists.txt index f307c632ce..ab87906ec0 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,17 +1,10 @@ # When changing the minimum version here, also adapt # auxil/zeek-aux/plugin-support/skeleton/CMakeLists.txt -cmake_minimum_required(VERSION 3.0 FATAL_ERROR) +cmake_minimum_required(VERSION 3.5 FATAL_ERROR) project(Zeek C CXX) -if ( NOT CMAKE_INSTALL_LIBDIR ) - # Currently, some sub-projects may use GNUInstallDirs.cmake to choose the - # library install dir, while others just default to "lib". For sake of - # consistency, this just overrides the former to always use "lib" in case - # it would have chosen something else, like "lib64", but a thing for the - # future may be to standardize all sub-projects to use GNUInstallDirs. - set(CMAKE_INSTALL_LIBDIR lib) -endif () +include(GNUInstallDirs) include(cmake/CommonCMakeConfig.cmake) include(cmake/FindClangTidy.cmake) 
@@ -60,7 +53,8 @@ endif () get_filename_component(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_SCRIPT_INSTALL_PATH} ABSOLUTE) -set(BRO_PLUGIN_INSTALL_PATH ${ZEEK_ROOT_DIR}/lib/zeek/plugins CACHE STRING "Installation path for plugins" FORCE) +set(BRO_PLUGIN_INSTALL_PATH ${CMAKE_INSTALL_FULL_LIBDIR}/zeek/plugins CACHE STRING "Installation path for plugins" FORCE) +set(PY_MOD_INSTALL_DIR ${CMAKE_INSTALL_FULL_LIBDIR}/zeekctl CACHE STRING "Installation path for Python modules" FORCE) configure_file(zeek-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev) execute_process(COMMAND "${CMAKE_COMMAND}" -E create_symlink @@ -126,7 +120,7 @@ if ( NOT BINARY_PACKAGING_MODE ) # before Zeek 3.0. _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/include/bro" "${CMAKE_INSTALL_PREFIX}/include/zeek") _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/share/bro" "${CMAKE_INSTALL_PREFIX}/share/zeek") - _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/lib/bro" "${CMAKE_INSTALL_PREFIX}/lib/zeek") + _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/lib/bro" "${CMAKE_INSTALL_FULL_LIBDIR}/zeek") endif () if ( ZEEK_SANITIZERS ) @@ -242,6 +236,7 @@ if (NOT SED_EXE) endif () endif () +list(APPEND Python_ADDITIONAL_VERSIONS 3) FindRequiredPackage(PythonInterp) FindRequiredPackage(FLEX) FindRequiredPackage(BISON) @@ -288,6 +283,12 @@ if (MISSING_PREREQS) message(FATAL_ERROR "Configuration aborted due to missing prerequisites") endif () +set(ZEEK_PYTHON_MIN 3.5.0) + +if ( PYTHON_VERSION_STRING VERSION_LESS ${ZEEK_PYTHON_MIN} ) + message(FATAL_ERROR "Python ${ZEEK_PYTHON_MIN} or greater is required.") +endif () + if ( CAF_ROOT_DIR ) find_package(CAF COMPONENTS core io openssl REQUIRED) endif () 
@@ -514,12 +515,29 @@ CheckOptionalBuildSources(auxil/zeekctl ZeekControl INSTALL_ZEEKCTL) CheckOptionalBuildSources(auxil/zeek-aux Zeek-Aux INSTALL_AUX_TOOLS) CheckOptionalBuildSources(auxil/zeek-archiver ZeekArchiver INSTALL_ZEEK_ARCHIVER) +######################################################################## +## Transitions and cleanups + +if ( NOT BINARY_PACKAGING_MODE ) + # Remove pre-existing libdir of the old hardwired name if it is not + # the name we're now installing under. + set(_old_libdir ${CMAKE_INSTALL_PREFIX}/lib) + + install(CODE " + if ( EXISTS \"${_old_libdir}\" AND IS_DIRECTORY \"${_old_libdir}\" + AND NOT \"${_old_libdir}\" STREQUAL \"${CMAKE_INSTALL_FULL_LIBDIR}\" ) + message(STATUS \"WARNING: removing old library directory ${_old_libdir}\") + execute_process(COMMAND \"${CMAKE_COMMAND}\" -E remove_directory \"${_old_libdir}\") + endif () + ") +endif () + ######################################################################## ## Packaging Setup if (INSTALL_ZEEKCTL) # CPack RPM Generator may not automatically detect this - set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.6.0") + set(CPACK_RPM_PACKAGE_REQUIRES "python >= ${ZEEK_PYTHON_MIN}") endif () # If this CMake project is a sub-project of another, we will not diff --git a/NEWS b/NEWS index 849664440e..e7179b402d 100644 --- a/NEWS +++ b/NEWS 
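Review bot: The install-time cleanup in the new "Transitions and cleanups" block removes all of `${CMAKE_INSTALL_PREFIX}/lib` recursively, not just Zeek's own files, so with a prefix shared with other software and a libdir of `lib64` an install run would delete unrelated libraries. The path is also expanded at configure time without `$ENV{DESTDIR}`, so a staged install still targets the real prefix on the build host rather than the staging tree. I would restrict the removal to the subdirectories Zeek itself created under the old libdir and prefix the path with DESTDIR, as sketched below. The subdirectory list (`zeek`, `zeekctl`) is taken from the install paths visible in this diff and may need extending. The `lib/bro` compatibility symlink kept in the earlier `@@ -126,7 +120,7 @@` hunk sits in the same old directory, so its interaction with this cleanup should be checked as well.

```cmake
# … unchanged: if ( NOT BINARY_PACKAGING_MODE ) and set(_old_libdir …) …
    install(CODE "
      if ( NOT \"${_old_libdir}\" STREQUAL \"${CMAKE_INSTALL_FULL_LIBDIR}\" )
        # Only remove directories this project installed, and honour DESTDIR.
        foreach ( _sub zeek zeekctl )
          set(_old \"\$ENV{DESTDIR}${_old_libdir}/\${_sub}\")
          if ( IS_DIRECTORY \"\${_old}\" )
            message(STATUS \"WARNING: removing old library directory \${_old}\")
            execute_process(COMMAND \"${CMAKE_COMMAND}\" -E remove_directory \"\${_old}\")
          endif ()
        endforeach ()
      endif ()
    ")
# … unchanged: endif () and the Packaging Setup section …
```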
@@ -84,6 +84,42 @@ New Functionality is a special version indicating that the server/client supports both SSH2 and SSH1. +- Added ``count_to_double()`` and ``int_to_double()`` type-conversion BIFs. + +- Added these string-processing BIFs: + + - count_substr + - find_str + - rfind_str + - starts_with + - ends_with + - is_num + - is_alpha + - is_alnum + - ljust + - rjust + - swap_case + - to_title + - zfill + - remove_prefix + - remove_suffix + +- Added a new ``Weird::sampling_global_list`` option to configure global + rate-limiting of certain weirds instead of per connection/flow. + +- Added a ``Pcap::findalldevs()`` for obtaining available network devices. + +- Added ``enum_names()`` BIF to return names of an enum type's values + +- Added ``type_aliases`` BIF for introspecting type-names of types/values + +- Added composite-index support for ``&backend`` (Broker-backed tables). + An example of a set with composite index is ``set[string, count, count]``. + +- Sumstats now allows manual epochs. If an ``epoch`` interval of 0 is specified, + epochs will have to be manually ended by callis ``SumStats::next_epoch``. This + can be convenient because epochs can be synced to other events. + Changed Functionality --------------------- 
@@ -127,6 +163,27 @@ Changed Functionality to a behavior that favors consistency. For reference, see https://github.com/zeek/zeek/pull/251#issuecomment-713956976 +- The Zeek installation tree is now more consistent in using a ``lib64/`` + (rather than ``lib/``) subdirectory for platforms where that's the common + convention. If the old hardcoded ``lib/`` path exists while installing Zeek + 4.0 and the new subdirectory differs, then the old ``lib/`` will be removed. + This potentially wipes out binary plugins that have already been installed + there, but Zeek plugins generally have to be re-built/re-installed upon any + Zeek upgrade anyway, so no part of the usual upgrade process is expected to + be complicated by this cleanup operation. + +- Continued renaming/namespacing of many classes into either ``zeek`` or + ``zeek::detail`` namespaces as already explained in Zeek 3.2's release notes. + Deprecation warnings should generally help notify plugin developers of these + changes. + +- Changed HTTP DPD signatures to trigger analyzer independent of peer state. + + This is to avoid missing large sessions where a single side exceeds + the DPD buffer size. It comes with the trade-off that now the analyzer + can be triggered by anybody controlling one of the endpoints (instead + of both). For discussion, see https://github.com/zeek/zeek/issues/343. + Removed Functionality --------------------- @@ -146,6 +203,10 @@ Removed Functionality ``connection_state_remove`` handler can now be resolved with a less-confusing approach: see the ``Conn::register_removal_hook`` function. +- Python 2 is no longer supported. Python 3.5 is the new minimum requirement. + +- CMake versions less than 3.5 are no longer supported. + Deprecated Functionality ------------------------ diff --git a/VERSION b/VERSION index 40e3177ad6..d17636d9d3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.3.0-dev.551 +3.3.0-dev.607 diff --git a/auxil/bifcl b/auxil/bifcl index 1eaa6aff1d..5a45ae8d0f 160000 
--- a/auxil/bifcl
+++ b/auxil/bifcl
@@ -1 +1 @@
-Subproject commit 1eaa6aff1d991307b134d85b64e1ab7b68c89c92
+Subproject commit 5a45ae8d0f61e7ae7fa3ed0ea5841e8347e40926
diff --git a/auxil/binpac b/auxil/binpac
index bc719c1565..1078f4e9d6 160000
--- a/auxil/binpac
+++ b/auxil/binpac
@@ -1 +1 @@
-Subproject commit bc719c1565de9454b04a4b9aade14460268bcfbe
+Subproject commit 1078f4e9d6065ae47cf6fca9bd8e98183f913b98
diff --git a/auxil/broker b/auxil/broker
index 28fbb63d06..8899280694 160000
--- a/auxil/broker
+++ b/auxil/broker
@@ -1 +1 @@
-Subproject commit 28fbb63d06c9192923effc930a4b60226c35fb0e
+Subproject commit 8899280694d8d5ad3aaa0a03cc99e4c3d3fd7887
diff --git a/auxil/btest b/auxil/btest
index 8ce78fe388..26c180e0c6 160000
--- a/auxil/btest
+++ b/auxil/btest
@@ -1 +1 @@
-Subproject commit 8ce78fe388fbb583b47e1a9ea956c94cb9b5be6d
+Subproject commit 26c180e0c6a14ced1853dfb42be0e7b99c71eca0
diff --git a/auxil/netcontrol-connectors b/auxil/netcontrol-connectors
index 92d1bee12b..94e1c36512 160000
--- a/auxil/netcontrol-connectors
+++ b/auxil/netcontrol-connectors
@@ -1 +1 @@
-Subproject commit 92d1bee12b0d92d36d784367c3c33646a7db990d
+Subproject commit 94e1c36512adb47b43c157b87c500176ffb668e2
diff --git a/auxil/paraglob b/auxil/paraglob
index 512c911c27..f7b6c45661 160000
--- a/auxil/paraglob
+++ b/auxil/paraglob
@@ -1 +1 @@
-Subproject commit 512c911c27aeb319430093187f85c70610d80035
+Subproject commit f7b6c4566187e8a7968ceab58bb329da25142ea2
diff --git a/auxil/zeek-archiver b/auxil/zeek-archiver
index 107b7bd51d..37d9e97833 160000
--- a/auxil/zeek-archiver
+++ b/auxil/zeek-archiver
@@ -1 +1 @@
-Subproject commit 107b7bd51d530df888996553123992d05f1ee27b
+Subproject commit 37d9e97833aab3e6c24fdeb8c8f5385b878f8290
diff --git a/auxil/zeek-aux b/auxil/zeek-aux
index fbb5a21719..037bd04115 160000
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@@ -1 +1 @@
-Subproject commit fbb5a21719d4d00244bdd9f0d0a2f8543580a016
+Subproject commit 037bd04115ee0176536d85374f39980a45e9ff92
diff --git a/auxil/zeekctl b/auxil/zeekctl index f99e3265c5..0abed02b22 160000 --- a/auxil/zeekctl +++ b/auxil/zeekctl @@ -1 +1 @@ -Subproject commit f99e3265c5e7d6c45361b7d8dc03e772f66b0d4b +Subproject commit 0abed02b22f75d40d8c089fa1185681a6a9ee6d6 diff --git a/ci/centos-7/Dockerfile b/ci/centos-7/Dockerfile index 759d08d19a..5ab9df2d68 100644 --- a/ci/centos-7/Dockerfile +++ b/ci/centos-7/Dockerfile @@ -5,7 +5,7 @@ FROM centos:7 RUN yum -y install \ https://repo.ius.io/ius-release-el7.rpm \ https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \ - && yum -y install git2u \ + && yum -y install git224 \ && yum clean all && rm -rf /var/cache/yum RUN yum -y install \ @@ -38,13 +38,7 @@ RUN yum -y install \ which \ && yum clean all && rm -rf /var/cache/yum -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html RUN echo 'unset BASH_ENV PROMPT_COMMAND ENV' > /usr/bin/zeek-ci-env && \ echo 'source /opt/rh/devtoolset-7/enable' >> /usr/bin/zeek-ci-env diff --git a/ci/centos-8/Dockerfile b/ci/centos-8/Dockerfile index 9a9df30a1e..9f4084c8b5 100644 --- a/ci/centos-8/Dockerfile +++ b/ci/centos-8/Dockerfile @@ -23,13 +23,8 @@ RUN dnf -y update && dnf -y install \ zlib-devel \ libsqlite3x-devel \ findutils \ + diffutils \ which \ && dnf clean all && rm -rf /var/cache/dnf -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html 
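Review bot: `RUN pip3 install junit2html` in ci/centos-7/Dockerfile installs whatever version the package index serves when the image is built, with no version or hash pin, so the CI image is not reproducible and a changed or compromised upstream release would run inside every build. Pinning it, e.g. `RUN pip3 install junit2html==<PINNED_VERSION>` or a requirements file installed with `--require-hashes`, closes that gap. The same unpinned line is introduced in the centos-8, debian-10, debian-9, debian-9-32bit, fedora-32, fedora-33, ubuntu-16.04, ubuntu-18.04 and ubuntu-20.04 Dockerfiles in this commit.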
diff --git a/ci/debian-10/Dockerfile b/ci/debian-10/Dockerfile index ea5a9ab0b3..a0f05b6f6a 100644 --- a/ci/debian-10/Dockerfile +++ b/ci/debian-10/Dockerfile @@ -25,10 +25,4 @@ RUN apt-get update && apt-get -y install \ xz-utils \ && rm -rf /var/lib/apt/lists/* -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html diff --git a/ci/debian-9-32bit/Dockerfile b/ci/debian-9-32bit/Dockerfile index 9ff5c2161d..3a6990216d 100644 --- a/ci/debian-9-32bit/Dockerfile +++ b/ci/debian-9-32bit/Dockerfile @@ -31,12 +31,6 @@ RUN apt-get update && apt-get -y install \ RUN update-alternatives --install /usr/bin/cc cc /usr/bin/clang-7 100 RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/clang++-7 100 -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html ENV CXXFLAGS=-stdlib=libc++ diff --git a/ci/debian-9/Dockerfile b/ci/debian-9/Dockerfile index e8fcd03e16..2fcde5fc01 100644 --- a/ci/debian-9/Dockerfile +++ b/ci/debian-9/Dockerfile 
@@ -28,15 +28,8 @@ RUN apt-get update && apt-get -y install \ libc++abi-7-dev \ && rm -rf /var/lib/apt/lists/* -RUN update-alternatives --install /usr/bin/cc cc /usr/bin/clang-7 100 -RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/clang++-7 100 - -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html +ENV CC=/usr/bin/clang-7 +ENV CXX=/usr/bin/clang++-7 ENV CXXFLAGS=-stdlib=libc++ diff --git a/ci/fedora-31/Dockerfile b/ci/fedora-31/Dockerfile deleted file mode 100644 index bc71a8a795..0000000000 --- a/ci/fedora-31/Dockerfile +++ /dev/null @@ -1,31 +0,0 @@ -FROM fedora:31 - -RUN yum -y install \ - bison \ - cmake \ - diffutils \ - findutils \ - flex \ - git \ - gcc \ - gcc-c++ \ - libpcap-devel \ - make \ - openssl \ - openssl-devel \ - python3 \ - python3-devel \ - python3-pip\ - sqlite \ - swig \ - which \ - zlib-devel \ - && yum clean all && rm -rf /var/cache/yum - -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html diff --git a/ci/fedora-32/Dockerfile b/ci/fedora-32/Dockerfile index 80b833fdb3..87e072753c 100644 --- a/ci/fedora-32/Dockerfile +++ b/ci/fedora-32/Dockerfile 
@@ -22,10 +22,4 @@ RUN yum -y install \ zlib-devel \ && yum clean all && rm -rf /var/cache/yum -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html diff --git a/ci/fedora-33/Dockerfile b/ci/fedora-33/Dockerfile index 3124d85bf5..15d5f9244e 100644 --- a/ci/fedora-33/Dockerfile +++ b/ci/fedora-33/Dockerfile @@ -22,10 +22,4 @@ RUN yum -y install \ zlib-devel \ && yum clean all && rm -rf /var/cache/yum -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html diff --git a/ci/freebsd/prepare.sh b/ci/freebsd/prepare.sh index 097c25e243..0ec60513cf 100755 --- a/ci/freebsd/prepare.sh +++ b/ci/freebsd/prepare.sh @@ -9,5 +9,4 @@ env ASSUME_ALWAYS_YES=YES pkg bootstrap pkg install -y bash git cmake swig bison python3 base64 pyver=`python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")'` pkg install -y $pyver-sqlite3 $pyver-pip -( cd && mkdir -p ./bin && ln -s /usr/local/bin/python3 ./bin/python ) pip install junit2html diff --git a/ci/ubuntu-16.04/Dockerfile b/ci/ubuntu-16.04/Dockerfile index 5eeda5894f..5b65acd55f 100644 --- a/ci/ubuntu-16.04/Dockerfile +++ b/ci/ubuntu-16.04/Dockerfile @@ -15,6 +15,9 @@ RUN apt-get update && apt-get -y install \ python3 \ python3-dev \ python3-pip\ + clang-8 \ + libc++-8-dev \ + libc++abi-8-dev \ swig \ zlib1g-dev \ libkrb5-dev \ 
@@ -25,19 +28,8 @@ RUN apt-get update && apt-get -y install \ xz-utils \ && rm -rf /var/lib/apt/lists/* -RUN wget -q https://releases.llvm.org/9.0.0/clang+llvm-9.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz -RUN mkdir /clang-9 -RUN tar --strip-components=1 -C /clang-9 -xvf clang+llvm-9.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz -RUN update-alternatives --install /usr/bin/cc cc /clang-9/bin/clang 100 -RUN update-alternatives --install /usr/bin/c++ c++ /clang-9/bin/clang++ 100 - -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html +ENV CC=/usr/bin/clang-8 +ENV CXX=/usr/bin/clang++-8 ENV CXXFLAGS=-stdlib=libc++ -ENV LD_LIBRARY_PATH=/clang-9/lib diff --git a/ci/ubuntu-18.04/Dockerfile b/ci/ubuntu-18.04/Dockerfile index e298595f39..ed5ecb3b8e 100644 --- a/ci/ubuntu-18.04/Dockerfile +++ b/ci/ubuntu-18.04/Dockerfile @@ -29,11 +29,5 @@ RUN apt-get update && apt-get -y install \ lcov \ && rm -rf /var/lib/apt/lists/* -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html RUN gem install coveralls-lcov diff --git a/ci/ubuntu-20.04/Dockerfile b/ci/ubuntu-20.04/Dockerfile index 3c48668794..74cf7b571e 100644 --- a/ci/ubuntu-20.04/Dockerfile +++ b/ci/ubuntu-20.04/Dockerfile 
@@ -29,11 +29,5 @@ RUN apt-get update && apt-get -y install \ lcov \ && rm -rf /var/lib/apt/lists/* -# Many distros adhere to PEP 394's recommendation for `python` = `python2` so -# this is a simple workaround until we drop Python 2 support and explicitly -# use `python3` for all invocations (e.g. in shebangs). -RUN ln -sf /usr/bin/python3 /usr/local/bin/python -RUN ln -sf /usr/bin/pip3 /usr/local/bin/pip - -RUN pip install junit2html +RUN pip3 install junit2html RUN gem install coveralls-lcov diff --git a/cmake b/cmake index cf652b8459..40251ae850 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit cf652b845908a15c02e11dca3162f3eecca0a9c5 +Subproject commit 40251ae850dee52eae8eb05e552c165e2deef354 diff --git a/configure b/configure index 0014f30834..7b74d3edf7 100755 --- a/configure +++ b/configure @@ -148,7 +148,6 @@ prefix=/usr/local/zeek CMakeCacheEntries="" append_cache_entry CMAKE_INSTALL_PREFIX PATH $prefix append_cache_entry ZEEK_ROOT_DIR PATH $prefix -append_cache_entry PY_MOD_INSTALL_DIR PATH $prefix/lib/zeekctl append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek append_cache_entry ZEEK_ETC_INSTALL_DIR PATH $prefix/etc append_cache_entry ENABLE_DEBUG BOOL false @@ -203,7 +202,6 @@ while [ $# -ne 0 ]; do prefix=$optarg append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg append_cache_entry ZEEK_ROOT_DIR PATH $optarg - append_cache_entry PY_MOD_INSTALL_DIR PATH $optarg/lib/zeekctl ;; --libdir=*) append_cache_entry CMAKE_INSTALL_LIBDIR PATH $optarg diff --git a/doc b/doc index 7658414ac4..63264729ec 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 7658414ac454522ecd5710c13ca6e0bc4a842e12 +Subproject commit 63264729ec6d342892a925cd3f003105544ea1d5 diff --git a/scripts/base/frameworks/notice/weird.zeek b/scripts/base/frameworks/notice/weird.zeek index 3b5ffb6a4e..2817ee04f4 100644 --- a/scripts/base/frameworks/notice/weird.zeek +++ b/scripts/base/frameworks/notice/weird.zeek 
@@ -54,6 +54,10 @@ export { ## trouble to help identify which node is having trouble. peer: string &log &optional &default=peer_description; + ## The source of the weird. When reported by an analyzer, this + ## should be the name of the analyzer. + source: string &log &optional; + ## This field is to be provided when a weird is generated for ## the purpose of deduplicating weirds. The identifier string ## should be unique for a single instance of the weird. This field @@ -257,7 +261,7 @@ export { ## This table is used to track identifier and name pairs that should be ## temporarily ignored because the problem has already been reported. - ## This helps reduce the volume of high volume weirds by only allowing + ## This helps reduce the volume of high volume weirds by only allowing ## a unique weird every ``create_expire`` interval. global weird_ignore: set[string, string] &create_expire=10min &redef; @@ -400,16 +404,19 @@ function weird(w: Weird::Info) } # The following events come from core generated weirds typically. -event conn_weird(name: string, c: connection, addl: string) +event conn_weird(name: string, c: connection, addl: string, source: string) { local i = Info($ts=network_time(), $name=name, $conn=c, $identifier=id_string(c$id)); if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string) +event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string, source: string) { local i = Info($ts=network_time(), $name=name, $uid=uid, $id=id, $identifier=id_string(id)); 
@@ -417,10 +424,13 @@ event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string) if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event flow_weird(name: string, src: addr, dst: addr, addl: string) +event flow_weird(name: string, src: addr, dst: addr, addl: string, source: string) { # We add the source and destination as port 0/unknown because that is # what fits best here. @@ -432,25 +442,34 @@ event flow_weird(name: string, src: addr, dst: addr, addl: string) if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event net_weird(name: string, addl: string) +event net_weird(name: string, addl: string, source: string) { local i = Info($ts=network_time(), $name=name); if ( addl != "" ) i$addl = addl; + if ( source != "" ) + i$source = source; + weird(i); } -event file_weird(name: string, f: fa_file, addl: string) +event file_weird(name: string, f: fa_file, addl: string, source: string) { local i = Info($ts=network_time(), $name=name, $addl=f$id); if ( addl != "" ) i$addl += fmt(": %s", addl); + if ( source != "" ) + i$source = source; + weird(i); } diff --git a/scripts/base/frameworks/sumstats/cluster.zeek b/scripts/base/frameworks/sumstats/cluster.zeek index 86125884a5..2296a4e38c 100644 --- a/scripts/base/frameworks/sumstats/cluster.zeek +++ b/scripts/base/frameworks/sumstats/cluster.zeek @@ -272,7 +272,8 @@ event SumStats::finish_epoch(ss: SumStat) } # Schedule the next finish_epoch event. - schedule ss$epoch { SumStats::finish_epoch(ss) }; + if ( ss$epoch != 0secs ) + schedule ss$epoch { SumStats::finish_epoch(ss) }; } # This is unlikely to be called often, but it's here in diff --git a/scripts/base/frameworks/sumstats/main.zeek b/scripts/base/frameworks/sumstats/main.zeek index 3f73d278e5..ade7190748 100644 --- a/scripts/base/frameworks/sumstats/main.zeek +++ b/scripts/base/frameworks/sumstats/main.zeek 
@@ -89,16 +89,20 @@ export { ## is no assurance provided as to where the callbacks ## will be executed on clusters. type SumStat: record { - ## An arbitrary name for the sumstat so that it can + ## An arbitrary name for the sumstat so that it can ## be referred to later. name: string; - - ## The interval at which this filter should be "broken" - ## and the *epoch_result* callback called. The + + ## The interval at which this sumstat should be "broken" + ## and the *epoch_result* callback called. The ## results are also reset at this time so any threshold ## based detection needs to be set to a ## value that should be expected to happen within ## this epoch. + ## + ## Passing an epoch of zero (e.g. ``0 secs``) causes this + ## sumstat to be set to manual epochs. You will have to manually + ## end the epoch by calling :zeek:see:`SumStats::next_epoch`. epoch: interval; ## The reducers for the SumStat. @@ -129,12 +133,12 @@ export { threshold_crossed: function(key: SumStats::Key, result: SumStats::Result) &optional; ## A callback that receives each of the results at the - ## end of the analysis epoch. The function will be + ## end of the analysis epoch. The function will be ## called once for each key. epoch_result: function(ts: time, key: SumStats::Key, result: SumStats::Result) &optional; - - ## A callback that will be called when a single collection - ## interval is completed. The *ts* value will be the time of + + ## A callback that will be called when a single collection + ## interval is completed. The *ts* value will be the time of ## when the collection started. epoch_finished: function(ts:time) &optional; }; 
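Review bot: The new documentation on the `epoch` field of `SumStat` introduces manual epochs but does not spell out that results are only reset when an epoch ends, so with an epoch of zero the per-key state keeps growing until `SumStats::next_epoch` is called. For sumstats keyed on traffic-derived values, that growth is driven by whatever appears on the wire. I would add a sentence to the field's doc comment such as `## With manual epochs, results accumulate until next_epoch is called; call it regularly to bound memory use.`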
@@ -156,8 +160,8 @@ export { global observe: function(id: string, key: SumStats::Key, obs: SumStats::Observation); ## Dynamically request a sumstat key. This function should be - ## used sparingly and not as a replacement for the callbacks - ## from the :zeek:see:`SumStats::SumStat` record. The function is only + ## used sparingly and not as a replacement for the callbacks + ## from the :zeek:see:`SumStats::SumStat` record. The function is only ## available for use within "when" statements as an asynchronous ## function. ## @@ -175,6 +179,23 @@ export { ## ## Returns: A string representation of the metric key. global key2str: function(key: SumStats::Key): string; + + ## Manually end the current epoch for a sumstat. Calling this function will + ## cause the end of the epoch processing of sumstats to start. Note that the + ## epoch will not end immediately - especially in a cluster settings, a number + ## of messages need to be exchanged between the cluster nodes. + ## + ## Note that this function only can be called if the sumstat was created with + ## an epoch time of zero (manual epochs). + ## + ## In a cluster, this function must be called on the manager; it will not have + ## any effect when called on workers. + ## + ## ss_name: SumStat name. + ## + ## Returns: true on success, false on failure. Failures can be: sumstat not found, + ## or sumstat not created for manual epochs. + global next_epoch: function(ss_name: string): bool; } # The function prototype for plugins to do calculations. @@ -248,6 +269,19 @@ global data_added: function(ss: SumStat, key: Key, result: Result); # framework for clustered or non-clustered usage. global finish_epoch: event(ss: SumStat); +function next_epoch(ss_name: string): bool + { + if ( ss_name !in stats_store ) + return F; + + local ss = stats_store[ss_name]; + if ( ss$epoch != 0secs ) + return F; + + event SumStats::finish_epoch(ss); + return T; + } + function key2str(key: Key): string { local out = ""; 
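Review bot: `next_epoch` returns `T` whenever the sumstat exists and has a zero epoch, although its documentation in the export block says the call has no effect on cluster workers, so a caller on a worker is told the epoch ended when nothing happened. Either return `F` in that case, e.g. `if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) return F;` before raising the event, or list "not called on the manager" among the documented failure cases. Whether the Cluster API is loaded in main.zeek is not visible in this hunk. The documentation also notes that the epoch does not end immediately in a cluster; if calling `next_epoch` again before the previous epoch has completed is unsafe, that should be stated there too.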
@@ -331,7 +365,7 @@ function reset(ss: SumStat) } } -# This could potentially recurse forever, but plugin authors +# This could potentially recurse forever, but plugin authors # should be making sure they aren't causing reflexive dependencies. function add_calc_deps(calcs: vector of Calculation, c: Calculation) { @@ -377,8 +411,8 @@ function create(ss: SumStat) if ( calc in calc_deps ) add_calc_deps(reducer$calc_funcs, calc); - # Don't add this calculation to the vector if - # it was already added by something else as a + # Don't add this calculation to the vector if + # it was already added by something else as a # dependency. local skip_calc=F; for ( j in reducer$calc_funcs ) @@ -396,7 +430,10 @@ function create(ss: SumStat) } reset(ss); - schedule ss$epoch { SumStats::finish_epoch(ss) }; + + ## do not schedule epoch if this is set to manual epochs. + if ( ss$epoch != 0secs ) + schedule ss$epoch { SumStats::finish_epoch(ss) }; } function observe(id: string, orig_key: Key, obs: Observation) diff --git a/scripts/base/frameworks/sumstats/non-cluster.zeek b/scripts/base/frameworks/sumstats/non-cluster.zeek index 630f36bbcd..c905d56e37 100644 --- a/scripts/base/frameworks/sumstats/non-cluster.zeek +++ b/scripts/base/frameworks/sumstats/non-cluster.zeek @@ -43,19 +43,26 @@ event SumStats::finish_epoch(ss: SumStat) if ( ss?$epoch_finished ) ss$epoch_finished(now); } - else if ( |data| > 0 ) + else { - event SumStats::process_epoch_result(ss, now, copy(data)); + if ( |data| > 0 ) + event SumStats::process_epoch_result(ss, now, copy(data)); + else + { + if ( ss?$epoch_finished ) + ss$epoch_finished(now); + } } } - + # We can reset here because we know that the reference # to the data will be maintained by the process_epoch_result # event. reset(ss); } - schedule ss$epoch { SumStats::finish_epoch(ss) }; + if ( ss$epoch != 0secs ) + schedule ss$epoch { SumStats::finish_epoch(ss) }; } function data_added(ss: SumStat, key: Key, result: Result) 
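Review bot: The comment added in `create()` uses the `##` prefix (`## do not schedule epoch if this is set to manual epochs.`), which this file otherwise uses for documentation of exported identifiers. Comments inside function bodies here use a single `#`, as in `# Don't add this calculation to the vector if` in the same function. I would write it as `# Manual epochs (epoch of 0secs) are ended via next_epoch, so nothing is scheduled here.` The same guard added to `finish_epoch` in non-cluster.zeek has no comment and could carry the same line.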
diff --git a/scripts/base/utils/email.zeek b/scripts/base/utils/email.zeek index 903048eafd..b647149bdc 100644 --- a/scripts/base/utils/email.zeek +++ b/scripts/base/utils/email.zeek @@ -19,7 +19,7 @@ function extract_email_addrs_vec(str: string): string_vec ## ## str: A string potentially containing email addresses. ## -## Returns: A set of extracted email addresses. An empty set is returned +## Returns: A set of extracted email addresses. An empty set is returned ## if no email addresses are discovered. function extract_email_addrs_set(str: string): set[string] { @@ -58,8 +58,7 @@ function extract_first_email_addr(str: string): string function split_mime_email_addresses(line: string): set[string] { local output = string_set(); - - local addrs = find_all(line, /(\"[^"]*\")?[^,]+@[^,]+/); + local addrs = find_all(line, /(\"[^"]*\")?[^,]+/); for ( part in addrs ) { add output[strip(part)]; diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index e3b4b9c2f3..ca7736485f 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -406,10 +406,8 @@ add_executable(zeek main.cc ${bro_PLUGIN_LIBS} ) target_link_libraries(zeek ${zeekdeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) - -if ( NOT "${bro_LINKER_FLAGS}" STREQUAL "" ) - set_target_properties(zeek PROPERTIES LINK_FLAGS "${bro_LINKER_FLAGS}") -endif () +# Export symbols from zeek executable for use by plugins +set_target_properties(zeek PROPERTIES ENABLE_EXPORTS TRUE) install(TARGETS zeek DESTINATION bin) diff --git a/src/Conn.cc b/src/Conn.cc index 93a2f94520..8baf383cfb 100644 --- a/src/Conn.cc +++ b/src/Conn.cc 
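Review bot: With `@` dropped from the pattern in `split_mime_email_addresses`, `find_all(line, /(\"[^"]*\")?[^,]+/)` returns every comma-separated token of the line, whether or not it looks like an address. The line is presumably a MIME header taken from traffic, so callers that treat the returned set as email addresses would now receive arbitrary sender-controlled strings. The function's doc comment is outside this hunk and should state the new contract, for example `## Returns: The comma-separated entries of the line with surrounding whitespace stripped; entries are not checked to be email addresses.` Callers that need real addresses should filter the result themselves.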
@@ -530,10 +530,10 @@ void Connection::EnqueueEvent(EventHandlerPtr f, analyzer::Analyzer* a, event_mgr.Enqueue(f, std::move(args), util::detail::SOURCE_LOCAL, a ? a->GetID() : 0, this); } -void Connection::Weird(const char* name, const char* addl) +void Connection::Weird(const char* name, const char* addl, const char* source) { weird = 1; - reporter->Weird(this, name, addl ? addl : ""); + reporter->Weird(this, name, addl ? addl : "", source ? source : ""); } void Connection::AddTimer(timer_func timer, double t, bool do_expire, diff --git a/src/Conn.h b/src/Conn.h index a99456ce33..d3f75fcac4 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -238,7 +238,7 @@ public: EnqueueEvent(EventHandlerPtr h, analyzer::Analyzer* analyzer, Args&&... args) { return EnqueueEvent(h, analyzer, zeek::Args{std::forward(args)...}); } - void Weird(const char* name, const char* addl = ""); + void Weird(const char* name, const char* addl = "", const char* source = ""); bool DidWeird() const { return weird != 0; } // Cancel all associated timers. diff --git a/src/DebugLogger.h b/src/DebugLogger.h index f7c3a04e55..736ade5aac 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h 
@@ -12,15 +12,15 @@ #include #define DBG_LOG(stream, args...) \ - if ( zeek::detail::debug_logger.IsEnabled(stream) ) \ - zeek::detail::debug_logger.Log(stream, args) + if ( ::zeek::detail::debug_logger.IsEnabled(stream) ) \ + ::zeek::detail::debug_logger.Log(stream, args) #define DBG_LOG_VERBOSE(stream, args...) \ - if ( zeek::detail::debug_logger.IsVerbose() && zeek::detail::debug_logger.IsEnabled(stream) ) \ - zeek::detail::debug_logger.Log(stream, args) -#define DBG_PUSH(stream) zeek::detail::debug_logger.PushIndent(stream) -#define DBG_POP(stream) zeek::detail::debug_logger.PopIndent(stream) + if ( ::zeek::detail::debug_logger.IsVerbose() && ::zeek::detail::debug_logger.IsEnabled(stream) ) \ + ::zeek::detail::debug_logger.Log(stream, args) +#define DBG_PUSH(stream) ::zeek::detail::debug_logger.PushIndent(stream) +#define DBG_POP(stream) ::zeek::detail::debug_logger.PopIndent(stream) -#define PLUGIN_DBG_LOG(plugin, args...) zeek::detail::debug_logger.Log(plugin, args) +#define PLUGIN_DBG_LOG(plugin, args...) ::zeek::detail::debug_logger.Log(plugin, args) ZEEK_FORWARD_DECLARE_NAMESPACED(Plugin, zeek, plugin); diff --git a/src/Reporter.cc b/src/Reporter.cc index abea82b3ae..241c8aa050 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -396,7 +396,7 @@ bool Reporter::PermitExpiredConnWeird(const char* name, const RecordVal& conn_id return false; } -void Reporter::Weird(const char* name, const char* addl) +void Reporter::Weird(const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); @@ -406,10 +406,10 @@ void Reporter::Weird(const char* name, const char* addl) return; } - WeirdHelper(net_weird, {new StringVal(addl)}, "%s", name); + WeirdHelper(net_weird, {new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl) +void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); 
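Review bot: The `Reporter::Weird` overloads pass `source` straight to `new StringVal(source)`, here and in the four Reporter.cc hunks that follow, while `Connection::Weird` in this same commit normalises it with `source ? source : ""`. `NetSessions::Weird` forwards `addl` and `source` unchanged, so a null pointer from any caller reaches the constructor. If `StringVal(const char*)` does not accept null, that is a crash on a path driven by packet contents. Guarding at the sink covers every caller: `new StringVal(source ? source : "")`. The function bodies continue outside the hunks.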
@@ -424,11 +424,11 @@ void Reporter::Weird(file_analysis::File* f, const char* name, const char* addl) return; } - WeirdHelper(file_weird, {f->ToVal()->Ref(), new StringVal(addl)}, + WeirdHelper(file_weird, {f->ToVal()->Ref(), new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(Connection* conn, const char* name, const char* addl) +void Reporter::Weird(Connection* conn, const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); @@ -443,12 +443,12 @@ void Reporter::Weird(Connection* conn, const char* name, const char* addl) return; } - WeirdHelper(conn_weird, {conn->ConnVal()->Ref(), new StringVal(addl)}, + WeirdHelper(conn_weird, {conn->ConnVal()->Ref(), new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(RecordValPtr conn_id, StringValPtr uid, - const char* name, const char* addl) +void Reporter::Weird(RecordValPtr conn_id, StringValPtr uid, const char* name, + const char* addl, const char* source) { UpdateWeirdStats(name); @@ -463,11 +463,11 @@ void Reporter::Weird(RecordValPtr conn_id, StringValPtr uid, } WeirdHelper(expired_conn_weird, - {conn_id.release(), uid.release(), new StringVal(addl)}, + {conn_id.release(), uid.release(), new StringVal(addl), new StringVal(source)}, "%s", name); } -void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl) +void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl, const char* source) { UpdateWeirdStats(name); @@ -482,7 +482,7 @@ void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name, c } WeirdHelper(flow_weird, - {new AddrVal(orig), new AddrVal(resp), new StringVal(addl)}, + {new AddrVal(orig), new AddrVal(resp), new StringVal(addl), new StringVal(source)}, "%s", name); } diff --git a/src/Reporter.h b/src/Reporter.h index 494bed79cd..a3036d4a85 100644 --- a/src/Reporter.h +++ b/src/Reporter.h 
@@ -95,12 +95,15 @@ public: // Report a traffic weirdness, i.e., an unexpected protocol situation // that may lead to incorrectly processing a connnection. - void Weird(const char* name, const char* addl = ""); // Raises net_weird(). - void Weird(file_analysis::File* f, const char* name, const char* addl = ""); // Raises file_weird(). - void Weird(Connection* conn, const char* name, const char* addl = ""); // Raises conn_weird(). + void Weird(const char* name, const char* addl = "", const char* source = ""); // Raises net_weird(). + void Weird(file_analysis::File* f, const char* name, + const char* addl = "", const char* source = ""); // Raises file_weird(). + void Weird(Connection* conn, const char* name, + const char* addl = "", const char* source = ""); // Raises conn_weird(). void Weird(RecordValPtr conn_id, StringValPtr uid, - const char* name, const char* addl = ""); // Raises expired_conn_weird(). - void Weird(const IPAddr& orig, const IPAddr& resp, const char* name, const char* addl = ""); // Raises flow_weird(). + const char* name, const char* addl = "", const char* source = ""); // Raises expired_conn_weird(). + void Weird(const IPAddr& orig, const IPAddr& resp, const char* name, + const char* addl = "", const char* source = ""); // Raises flow_weird(). // Syslog a message. This methods does nothing if we're running // offline from a trace. diff --git a/src/Sessions.cc b/src/Sessions.cc index ba8231d369..15dfb91cb1 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -681,7 +681,7 @@ bool NetSessions::WantConnection(uint16_t src_port, uint16_t dst_port, return true; } -void NetSessions::Weird(const char* name, const Packet* pkt, const char* addl) +void NetSessions::Weird(const char* name, const Packet* pkt, const char* addl, const char* source) { const char* weird_name = name; 
@@ -694,12 +694,12 @@ void NetSessions::Weird(const char* name, const Packet* pkt, const char* addl) if ( pkt->ip_hdr ) { - reporter->Weird(pkt->ip_hdr->SrcAddr(), pkt->ip_hdr->DstAddr(), weird_name, addl); + reporter->Weird(pkt->ip_hdr->SrcAddr(), pkt->ip_hdr->DstAddr(), weird_name, addl, source); return; } } - reporter->Weird(weird_name, addl); + reporter->Weird(weird_name, addl, source); } void NetSessions::Weird(const char* name, const IP_Hdr* ip, const char* addl) diff --git a/src/Sessions.h b/src/Sessions.h index 740590641f..634e1f549c 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -70,7 +70,7 @@ public: void GetStats(SessionStats& s) const; void Weird(const char* name, const Packet* pkt, - const char* addl = ""); + const char* addl = "", const char* source = ""); void Weird(const char* name, const IP_Hdr* ip, const char* addl = ""); diff --git a/src/Var.cc b/src/Var.cc index b6da41e4f2..1dd55c822c 100644 --- a/src/Var.cc +++ b/src/Var.cc @@ -749,11 +749,6 @@ void end_func(StmtPtr body) ingredients.release(); } -Val* internal_val(const char* name) - { - return id::find_val(name).get(); - } - IDPList gather_outer_ids(Scope* scope, Stmt* body) { OuterIDBindingFinder cb(scope); 
@@ -774,20 +769,27 @@ IDPList gather_outer_ids(Scope* scope, Stmt* body) return idl; } -Val* internal_const_val(const char* name) +} // namespace zeek::detail + +zeek::Val* internal_val(const char* name) { - return id::find_const(name).get(); + return zeek::id::find_val(name).get(); } -Val* opt_internal_val(const char* name) +zeek::Val* internal_const_val(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + return zeek::id::find_const(name).get(); + } + +zeek::Val* opt_internal_val(const char* name) + { + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); return id ? id->GetVal().get() : nullptr; } double opt_internal_double(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! id ) return 0.0; const auto& v = id->GetVal(); return v ? v->InternalDouble() : 0.0; @@ -795,7 +797,7 @@ double opt_internal_double(const char* name) bro_int_t opt_internal_int(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! id ) return 0; const auto& v = id->GetVal(); return v ? v->InternalInt() : 0; 
@@ -803,63 +805,63 @@ bro_int_t opt_internal_int(const char* name) bro_uint_t opt_internal_unsigned(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! id ) return 0; const auto& v = id->GetVal(); return v ? v->InternalUnsigned() : 0; } -StringVal* opt_internal_string(const char* name) +zeek::StringVal* opt_internal_string(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! id ) return nullptr; const auto& v = id->GetVal(); return v ? v->AsStringVal() : nullptr; } -TableVal* opt_internal_table(const char* name) +zeek::TableVal* opt_internal_table(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! id ) return nullptr; const auto& v = id->GetVal(); return v ? v->AsTableVal() : nullptr; } -ListVal* internal_list_val(const char* name) +zeek::ListVal* internal_list_val(const char* name) { - const auto& id = lookup_ID(name, GLOBAL_MODULE_NAME); + const auto& id = zeek::detail::lookup_ID(name, zeek::detail::GLOBAL_MODULE_NAME); if ( ! 
id ) return nullptr; - Val* v = id->GetVal().get(); + zeek::Val* v = id->GetVal().get(); if ( v ) { - if ( v->GetType()->Tag() == TYPE_LIST ) - return (ListVal*) v; + if ( v->GetType()->Tag() == zeek::TYPE_LIST ) + return (zeek::ListVal*) v; else if ( v->GetType()->IsSet() ) { - TableVal* tv = v->AsTableVal(); + zeek::TableVal* tv = v->AsTableVal(); auto lv = tv->ToPureListVal(); return lv.release(); } else - reporter->InternalError("internal variable %s is not a list", name); + zeek::reporter->InternalError("internal variable %s is not a list", name); } return nullptr; } -Type* internal_type(const char* name) +zeek::Type* internal_type(const char* name) { - return id::find_type(name).get(); + return zeek::id::find_type(name).get(); } -Func* internal_func(const char* name) +zeek::Func* internal_func(const char* name) { - const auto& v = id::find_val(name); + const auto& v = zeek::id::find_val(name); if ( v ) return v->AsFunc(); @@ -867,9 +869,7 @@ Func* internal_func(const char* name) return nullptr; } -EventHandlerPtr internal_handler(const char* name) +zeek::EventHandlerPtr internal_handler(const char* name) { return event_registry->Register(name); } - -} // namespace zeek::detail diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index fa9ea1c414..0ff3971aa1 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -838,7 +838,7 @@ void Analyzer::EnqueueConnEvent(EventHandlerPtr f, Args args) void Analyzer::Weird(const char* name, const char* addl) { - conn->Weird(name, addl); + conn->Weird(name, addl, GetAnalyzerName()); } SupportAnalyzer* SupportAnalyzer::Sibling(bool only_active) const diff --git a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac index b36f8acb59..427a08c510 100644 --- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac +++ b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac 
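Review bot: `internal_handler` is moved out of `namespace zeek::detail` along with the other helpers, but its body still reads `return event_registry->Register(name);` with no qualification. Every other name in the moved functions was rewritten to `zeek::...`. At global scope this line only resolves if a global `event_registry` alias exists, which is not visible here, and such an alias is likely a deprecated one. For consistency with the rest of the hunk I would write `return zeek::event_registry->Register(name);`.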
@@ -21,7 +21,7 @@ flow AYIYA_Flow if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth ) { - zeek::reporter->Weird(c, "tunnel_depth"); + connection()->zeek_analyzer()->Weird("tunnel_depth"); return false; } @@ -34,7 +34,7 @@ flow AYIYA_Flow if ( ${pdu.next_header} != IPPROTO_IPV6 && ${pdu.next_header} != IPPROTO_IPV4 ) { - zeek::reporter->Weird(c, "ayiya_tunnel_non_ip"); + connection()->zeek_analyzer()->Weird("ayiya_tunnel_non_ip"); return false; } diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc index 1d09dfdf98..7527df7360 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -119,6 +119,8 @@ void BitTorrent_Analyzer::EndpointEOF(bool is_orig) void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) { if ( bittorrent_peer_weird ) + + // TODO: why does bittorrent have a different set of weirds? EnqueueConnEvent(bittorrent_peer_weird, ConnVal(), val_mgr->Bool(orig), diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index f294f564b2..c044110584 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -190,8 +190,7 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( it != fb.end() ) { // We already had a first frag earlier. - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "multiple_first_fragments_in_dce_rpc_reassembly"); + connection()->zeek_analyzer()->Weird("multiple_first_fragments_in_dce_rpc_reassembly"); connection()->zeek_analyzer()->SetSkip(true); return false; } 
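Review bot: In `BitTorrent_Analyzer::DeliverWeird` the added blank line and `// TODO` comment sit between the brace-less `if ( bittorrent_peer_weird )` and the `EnqueueConnEvent(...)` call it guards, so the call reads as if it were unconditional. Moving the comment above the `if`, or bracing the body, keeps the guard obvious to the next editor. The function ends outside the hunk.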
@@ -212,15 +211,13 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( fb.size() > zeek::BifConst::DCE_RPC::max_cmd_reassembly ) { - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "too_many_dce_rpc_msgs_in_reassembly"); + connection()->zeek_analyzer()->Weird("too_many_dce_rpc_msgs_in_reassembly"); connection()->zeek_analyzer()->SetSkip(true); } if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data ) { - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "too_much_dce_rpc_fragment_data"); + connection()->zeek_analyzer()->Weird("too_much_dce_rpc_fragment_data"); connection()->zeek_analyzer()->SetSkip(true); } @@ -235,8 +232,7 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data ) { - zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), - "too_much_dce_rpc_fragment_data"); + connection()->zeek_analyzer()->Weird("too_much_dce_rpc_fragment_data"); connection()->zeek_analyzer()->SetSkip(true); } diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac index 25c5f8a9da..c595373496 100644 --- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac +++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac @@ -655,7 +655,7 @@ flow GTPv1_Flow(is_orig: bool) if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth ) { - zeek::reporter->Weird(c, "tunnel_depth"); + a->Weird("tunnel_depth"); return false; } diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index efb6ed49c3..852581c2b6 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc 
@@ -1262,11 +1262,11 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) return 1; bad_http_request_with_version: - reporter->Weird(Conn(), "bad_HTTP_request_with_version"); + Weird("bad_HTTP_request_with_version"); return 0; error: - reporter->Weird(Conn(), "bad_HTTP_request"); + Weird("bad_HTTP_request"); return 0; } diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac index ca50de03a5..f4efdbbdaa 100644 --- a/src/analyzer/protocol/imap/imap-analyzer.pac +++ b/src/analyzer/protocol/imap/imap-analyzer.pac @@ -33,7 +33,7 @@ refine connection IMAP_Conn += { if ( is_orig && commands == "starttls" ) { if ( !client_starttls_id.empty() ) - zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS"); + zeek_analyzer()->Weird("IMAP: client sent duplicate StartTLS"); client_starttls_id = tags; } @@ -48,7 +48,7 @@ refine connection IMAP_Conn += { zeek::BifEvent::enqueue_imap_starttls(zeek_analyzer(), zeek_analyzer()->Conn()); } else - zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: server refused StartTLS"); + zeek_analyzer()->Weird("IMAP: server refused StartTLS"); } return true; diff --git a/src/analyzer/protocol/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc index 341c90f224..f35790f583 100644 --- a/src/analyzer/protocol/login/NVT.cc +++ b/src/analyzer/protocol/login/NVT.cc @@ -539,7 +539,7 @@ void NVT_Analyzer::DeliverChunk(int& len, const u_char*& data) else { if ( Conn()->FlagEvent(SINGULAR_LF) ) - Conn()->Weird("line_terminated_with_single_LF"); + Weird("line_terminated_with_single_LF"); buf[offset++] = c; } break; diff --git a/src/analyzer/protocol/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc index 8f6a090b39..0653497585 100644 --- a/src/analyzer/protocol/login/RSH.cc +++ b/src/analyzer/protocol/login/RSH.cc 
@@ -96,7 +96,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) case RSH_PRESUMED_REJECTED: if ( state == RSH_PRESUMED_REJECTED ) { - Conn()->Weird("rsh_text_after_rejected"); + Weird("rsh_text_after_rejected"); state = RSH_UNKNOWN; } @@ -140,7 +140,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) void Contents_Rsh_Analyzer::BadProlog() { - Conn()->Weird("bad_rsh_prolog"); + Weird("bad_rsh_prolog"); state = RSH_UNKNOWN; } diff --git a/src/analyzer/protocol/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc index 7bd927d797..b943f04610 100644 --- a/src/analyzer/protocol/login/Rlogin.cc +++ b/src/analyzer/protocol/login/Rlogin.cc @@ -161,7 +161,7 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) if ( state == RLOGIN_LINE_MODE && peer->state == RLOGIN_PRESUMED_REJECTED ) { - Conn()->Weird("rlogin_text_after_rejected"); + Weird("rlogin_text_after_rejected"); state = RLOGIN_UNKNOWN; } @@ -203,7 +203,7 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) void Contents_Rlogin_Analyzer::BadProlog() { - Conn()->Weird("bad_rlogin_prolog"); + Weird("bad_rlogin_prolog"); state = RLOGIN_UNKNOWN; } diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index 2226c1aa7f..ec633341de 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac 
@@ -175,13 +175,13 @@ refine connection SOCKS_Conn += { function socks5_unsupported_authentication_method(auth_method: uint8): bool %{ - zeek::reporter->Weird(zeek_analyzer()->Conn(), "socks5_unsupported_authentication_method", zeek::util::fmt("%d", auth_method)); + zeek_analyzer()->Weird("socks5_unsupported_authentication_method", zeek::util::fmt("%d", auth_method)); return true; %} function socks5_unsupported_authentication_version(auth_method: uint8, version: uint8): bool %{ - zeek::reporter->Weird(zeek_analyzer()->Conn(), "socks5_unsupported_authentication", zeek::util::fmt("method %d, version %d", auth_method, version)); + zeek_analyzer()->Weird("socks5_unsupported_authentication", zeek::util::fmt("method %d, version %d", auth_method, version)); return true; %} diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac index a82772d2b4..a739a35d05 100644 --- a/src/analyzer/protocol/ssl/proc-certificate.pac +++ b/src/analyzer/protocol/ssl/proc-certificate.pac 
@@ -1,38 +1,39 @@ - function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool - %{ - if ( certificates->size() == 0 ) - return true; - - zeek::ODesc common; - common.AddRaw("Analyzer::ANALYZER_SSL"); - common.Add(zeek_analyzer()->Conn()->StartTime()); - common.AddRaw(is_orig ? "T" : "F", 1); - zeek_analyzer()->Conn()->IDString(&common); - - static const string user_mime = "application/x-x509-user-cert"; - static const string ca_mime = "application/x-x509-ca-cert"; - - for ( unsigned int i = 0; i < certificates->size(); ++i ) - { - const bytestring& cert = (*certificates)[i]; - - if ( cert.length() <= 0 ) - { - zeek::reporter->Weird(zeek_analyzer()->Conn(), "zero_length_certificate"); - continue; - } - - zeek::ODesc file_handle; - file_handle.Add(common.Description()); - file_handle.Add(i); - - string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); - - zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), zeek_analyzer()->GetAnalyzerTag(), - zeek_analyzer()->Conn(), is_orig, - file_id, i == 0 ? user_mime : ca_mime); - zeek::file_mgr->EndOfFile(file_id); - } +function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool + %{ + if ( certificates->size() == 0 ) return true; - %} + + zeek::ODesc common; + common.AddRaw("Analyzer::ANALYZER_SSL"); + common.Add(zeek_analyzer()->Conn()->StartTime()); + common.AddRaw(is_orig ? 
"T" : "F", 1); + zeek_analyzer()->Conn()->IDString(&common); + + static const string user_mime = "application/x-x509-user-cert"; + static const string ca_mime = "application/x-x509-ca-cert"; + + for ( unsigned int i = 0; i < certificates->size(); ++i ) + { + const bytestring& cert = (*certificates)[i]; + + if ( cert.length() <= 0 ) + { + zeek::reporter->Weird(zeek_analyzer()->Conn(), "zero_length_certificate", "", + zeek_analyzer()->GetAnalyzerName()); + continue; + } + + zeek::ODesc file_handle; + file_handle.Add(common.Description()); + file_handle.Add(i); + + string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); + + zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), + cert.length(), zeek_analyzer()->GetAnalyzerTag(), + zeek_analyzer()->Conn(), is_orig, + file_id, i == 0 ? user_mime : ca_mime); + zeek::file_mgr->EndOfFile(file_id); + } + return true; + %} diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index f28ba40b76..9806fe31f1 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -322,7 +322,7 @@ refine connection Handshake_Conn += { } else if ( response.length() == 0 ) { - zeek::reporter->Weird(zeek_analyzer()->Conn(), "SSL_zero_length_stapled_OCSP_message"); + zeek_analyzer()->Weird("SSL_zero_length_stapled_OCSP_message"); } return true; diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index 1e5953dfe2..679f8c1f37 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc +++ b/src/analyzer/protocol/tcp/ContentLine.cc @@ -263,7 +263,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) else { if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_LF) ) - Conn()->Weird("line_terminated_with_single_LF"); + Weird("line_terminated_with_single_LF"); buf[offset++] = c; } break; 
@@ -282,7 +282,7 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) if ( last_char == '\r' ) if ( ! suppress_weirds && Conn()->FlagEvent(SINGULAR_CR) ) - Conn()->Weird("line_terminated_with_single_CR"); + Weird("line_terminated_with_single_CR"); last_char = c; } @@ -312,7 +312,7 @@ void ContentLine_Analyzer::CheckNUL() else { if ( ! suppress_weirds && Conn()->FlagEvent(NUL_IN_LINE) ) - Conn()->Weird("NUL_in_line"); + Weird("NUL_in_line"); flag_NULs = false; } } diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index bea7dd0209..549612e501 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -461,20 +461,20 @@ static void update_window(TCP_Endpoint* endpoint, unsigned int window, } } -static void syn_weirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len) +void TCP_Analyzer::SynWeirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len) const { if ( flags.RST() ) - endpoint->Conn()->Weird("TCP_christmas"); + endpoint->Conn()->Weird("TCP_christmas", "", GetAnalyzerName()); if ( flags.URG() ) - endpoint->Conn()->Weird("baroque_SYN"); + endpoint->Conn()->Weird("baroque_SYN", "", GetAnalyzerName()); if ( data_len > 0 ) // Not technically wrong according to RFC 793, but the other side // would be forced to buffer data until the handshake succeeds, and // that could be bad in some cases, e.g. SYN floods. // T/TCP definitely complicates this. - endpoint->Conn()->Weird("SYN_with_data"); + endpoint->Conn()->Weird("SYN_with_data", "", GetAnalyzerName()); } void TCP_Analyzer::UpdateInactiveState(double t, @@ -1097,7 +1097,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( flags.SYN() ) { - syn_weirds(flags, endpoint, len); + SynWeirds(flags, endpoint, len); RecordVal* SYN_vals = build_syn_packet_val(is_orig, ip, tp); init_window(endpoint, peer, flags, SYN_vals->GetField(5)->CoerceToInt(), base_seq, ack_seq); 
diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h index 705bb157f0..6197afbd1a 100644 --- a/src/analyzer/protocol/tcp/TCP.h +++ b/src/analyzer/protocol/tcp/TCP.h @@ -167,6 +167,9 @@ protected: static int get_segment_len(int payload_len, TCP_Flags flags); private: + + void SynWeirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len) const; + TCP_Endpoint* orig; TCP_Endpoint* resp; diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h index 41a82d9b01..8f57f72a9e 100644 --- a/src/analyzer/protocol/teredo/Teredo.h +++ b/src/analyzer/protocol/teredo/Teredo.h @@ -31,7 +31,7 @@ public: void Weird(const char* name, bool force = false) const { if ( ProtocolConfirmed() || force ) - reporter->Weird(Conn(), name); + reporter->Weird(Conn(), name, "", GetAnalyzerName()); } /** diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc index a66a3b17fc..780c2573eb 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.cc +++ b/src/analyzer/protocol/vxlan/VXLAN.cc @@ -51,7 +51,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, if ( outer && outer->Depth() >= BifConst::Tunnel::max_depth ) { - reporter->Weird(Conn(), "tunnel_depth"); + Weird("tunnel_depth"); return; } diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac index 2520cbe6e2..7c0bfa9701 100644 --- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac +++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac @@ -36,7 +36,7 @@ refine connection XMPP_Conn += { zeek::BifEvent::enqueue_xmpp_starttls(zeek_analyzer(), zeek_analyzer()->Conn()); } else if ( !is_orig && token == "proceed" ) - zeek::reporter->Weird(zeek_analyzer()->Conn(), "XMPP: proceed without starttls"); + zeek_analyzer()->Weird("XMPP: proceed without starttls"); // printf("Processed: %d %s %s %s \n", is_orig, c_str(name), c_str(rest), token_no_ns.c_str()); 
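Review bot: `Teredo_Analyzer::Weird` still calls `reporter->Weird(Conn(), name, "", GetAnalyzerName())` directly, which skips `Connection::Weird` and therefore the `weird = 1` assignment shown in the Conn.cc hunk. The call sites converted elsewhere in this commit now go through `Analyzer::Weird` and do set that flag, so `DidWeird()` depends on which analyzer raised the weird. `proc_certificate` in proc-certificate.pac has the same shape. If the difference is not intended, `Conn()->Weird(name, "", GetAnalyzerName());` brings this site in line with the others; if it is intended, a one-line comment saying why would help.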
diff --git a/src/event.bif b/src/event.bif index a6829b833f..0c4bb8448a 100644 --- a/src/event.bif +++ b/src/event.bif @@ -453,12 +453,16 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%); ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: flow_weird net_weird file_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event conn_weird%(name: string, c: connection, addl: string, source: string%); event conn_weird%(name: string, c: connection, addl: string%); ## Generated for unexpected activity related to a specific connection whose @@ -482,12 +486,16 @@ event conn_weird%(name: string, c: connection, addl: string%); ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: flow_weird net_weird file_weird conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event expired_conn_weird%(name: string, id: conn_id, uid: string, addl: string, source: string%); event expired_conn_weird%(name: string, id: conn_id, uid: string, addl: string%); ## Generated for unexpected activity related to a pair of hosts, but independent 
@@ -507,12 +515,16 @@ event expired_conn_weird%(name: string, id: conn_id, uid: string, addl: string%) ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: conn_weird net_weird file_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event flow_weird%(name: string, src: addr, dst: addr, addl: string, source: string%); event flow_weird%(name: string, src: addr, dst: addr, addl: string%); ## Generated for unexpected activity that is not tied to a specific connection @@ -527,12 +539,16 @@ event flow_weird%(name: string, src: addr, dst: addr, addl: string%); ## ## addl: Optional additional context further describing the situation. ## +## source: Optional source for the weird. When called by analyzers, this should +## be filled in with the name of the analyzer. +## ## .. zeek:see:: flow_weird file_weird conn_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event net_weird%(name: string, addl: string, source: string%); event net_weird%(name: string, addl: string%); ## Generated for unexpected activity that is tied to a file. 
@@ -548,12 +564,15 @@ event net_weird%(name: string, addl: string%); ## ## addl: Additional information related to the weird. ## +## source: The name of the file analyzer that generated the weird. +## ## .. zeek:see:: flow_weird net_weird conn_weird expired_conn_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic ## than one would intuitively expect. While in principle, any protocol ## violation could be an attack attempt, it's much more likely that an ## endpoint's implementation interprets an RFC quite liberally. +event file_weird%(name: string, f: fa_file, addl: string, source: string%); event file_weird%(name: string, f: fa_file, addl: string%); ## Generated regularly for the purpose of profiling Zeek's processing. This event diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 997ef52b78..129393aee5 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -76,11 +76,6 @@ Packet::~Packet() delete [] data; } -void Packet::Weird(const char* name) - { - sessions->Weird(name, this); - } - RecordValPtr Packet::ToRawPktHdrVal() const { static auto raw_pkt_hdr_type = id::find_type("raw_pkt_hdr"); diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index 43e2ed1b4f..6bf2a506e6 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -124,9 +124,6 @@ public: [[deprecated("Remove in v4.1. Use ToRawPktHdrval() instead.")]] RecordVal* BuildPktHdrVal() const; - // Wrapper to generate a packet-level weird. Has to be public for llanalyzers to use it. - void Weird(const char* name); - /** * Maximal length of a layer 2 address. */ diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index d6e053fa1a..50fa3b6182 100644 --- a/src/iosource/PktSrc.cc +++ b/src/iosource/PktSrc.cc 
@@ -135,7 +135,7 @@ void PktSrc::Info(const std::string& msg) void PktSrc::Weird(const std::string& msg, const Packet* p) { - sessions->Weird(msg.c_str(), p, nullptr); + sessions->Weird(msg.c_str(), p); } void PktSrc::InternalError(const std::string& msg) diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 871e2c6e3f..d0662c9a67 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -5,6 +5,8 @@ #include "zeek/Dict.h" #include "zeek/DebugLogger.h" #include "zeek/RunState.h" +#include "zeek/Sessions.h" +#include "zeek/util.h" namespace zeek::packet_analysis { @@ -70,7 +72,7 @@ AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const } bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet, - uint32_t identifier) const + uint32_t identifier) const { auto inner_analyzer = Lookup(identifier); if ( ! inner_analyzer ) @@ -96,7 +98,8 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) co DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.", GetAnalyzerName()); - packet->Weird("no_suitable_analyzer_found"); + + Weird("no_suitable_analyzer_found", packet); return true; } @@ -116,4 +119,9 @@ void Analyzer::RegisterProtocol(uint32_t identifier, AnalyzerPtr child) dispatcher.Register(identifier, std::move(child)); } -} +void Analyzer::Weird(const char* name, Packet* packet, const char* addl) const + { + sessions->Weird(name, packet, addl, GetAnalyzerName()); + } + +} // namespace zeek::packet_analysis diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index a8da218a93..90a3508aca 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h 
@@ -148,6 +148,18 @@ protected: */ bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const; + /** + * Reports a Weird with the analyzer's name included in the addl field. + * + * @param name The name of the weird. + * @param packet An optional pointer to a packet to be used for additional + * information in the weird output. + * @param addl An optional string containing additional information about + * the weird. If this is passed, the analyzer's name will be prepended to + * it before output. + */ + void Weird(const char* name, Packet* packet=nullptr, const char* addl="") const; + private: Tag tag; Dispatcher dispatcher; diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index 0edf0816dd..f63d385ed1 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc @@ -89,7 +89,7 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // Check whether the header is complete. if ( sizeof(struct arp_pkthdr) > len ) { - packet->Weird("truncated_ARP"); + Weird("truncated_ARP", packet); return false; } @@ -100,7 +100,7 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) size_t min_length = (ar_tpa(ah) - (char*) data) + ah->ar_pln; if ( min_length > len ) { - packet->Weird("truncated_ARP"); + Weird("truncated_ARP", packet); return false; } diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 42a620a83f..a64a5c0f7c 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -25,7 +25,7 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa // to pull bytes out of it. if ( 16 >= len ) { - packet->Weird("truncated_ethernet_frame"); + Weird("truncated_ethernet_frame", packet); return false; } 
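Review bot: The new doc comment on `Weird()` says the analyzer's name is included in the `addl` field and prepended to it, but the implementation added in Analyzer.cc by this commit passes the name as a separate fourth argument, `sessions->Weird(name, packet, addl, GetAnalyzerName())`. Unless `sessions->Weird` merges the two (its body is not visible here), the comment should describe what the code does, e.g. `Reports a Weird, passing the analyzer's name as the weird's source.` and `@param addl An optional string containing additional information about the weird.` The `packet` parameter defaults to `nullptr`, so the comment should also say what context a weird loses when the packet is omitted.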
@@ -36,7 +36,7 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa if ( cfplen + 14 >= len ) { - packet->Weird("truncated_link_header_cfp"); + Weird("truncated_link_header_cfp", packet); return false; } @@ -60,7 +60,7 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa { if ( 16 >= len ) { - packet->Weird("truncated_ethernet_frame"); + Weird("truncated_ethernet_frame", packet); return false; } @@ -86,6 +86,6 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa } // Undefined (1500 < EtherType < 1536) - packet->Weird("undefined_ether_type"); + Weird("undefined_ether_type", packet); return false; } diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc index 7e8f8bf616..e296ab67e4 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc @@ -15,7 +15,7 @@ bool FDDIAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet if ( hdr_size >= len ) { - packet->Weird("FDDI_analyzer_failed"); + Weird("FDDI_analyzer_failed"); return false; } diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc index cb3516a50f..6a36442b93 100644 --- a/src/packet_analysis/protocol/gre/GRE.cc +++ b/src/packet_analysis/protocol/gre/GRE.cc @@ -51,13 +51,13 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ! BifConst::Tunnel::enable_gre ) { - sessions->Weird("GRE_tunnel", packet); + Weird("GRE_tunnel", packet); return false; } if ( len < gre_header_len() ) { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } 
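Review bot: In FDDI.cc, `Weird("FDDI_analyzer_failed");` drops the packet that the replaced `packet->Weird(...)` call carried. Every other converted packet-analyzer call site shown in this commit passes `packet`, so this one alone falls back to the `nullptr` default. The weird for a too-short FDDI frame would then presumably be reported without the packet's context; how `sessions->Weird` treats a null packet is not visible here. Pass it as the other analyzers do: `Weird("FDDI_analyzer_failed", packet);`.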
@@ -75,7 +75,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( gre_version != 0 && gre_version != 1 ) { - sessions->Weird("unknown_gre_version", packet, util::fmt("%d", gre_version)); + Weird("unknown_gre_version", packet, util::fmt("version=%d", gre_version)); return false; } @@ -92,7 +92,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -109,7 +109,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -132,7 +132,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) erspan_len += 8; else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -141,7 +141,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } } @@ -152,7 +152,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( proto_typ != 0x880b ) { // Enhanced GRE payload must be PPP. - sessions->Weird("egre_protocol_type", packet, util::fmt("%d", proto_typ)); + Weird("egre_protocol_type", packet, util::fmt("proto=%d", proto_typ)); return false; } } 
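Review bot: The `addl` text of `unknown_gre_version` changes from the bare number to `version=%d`, and `egre_protocol_type` in the later hunk at -152 changes to `proto=%d`. Anything that parses or matches the old bare-number form in weird output would need updating, so the change deserves a line in the release notes. The surrounding code compares the protocol type against `0x880b`, so printing it in hex would make the reported value directly comparable: `util::fmt("proto=0x%04x", proto_typ)`, assuming `proto_typ` is an unsigned 16-bit value. The body of `AnalyzePacket` extends beyond these hunks.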
@@ -162,20 +162,20 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // RFC 2784 deprecates the variable length routing field // specified by RFC 1701. It could be parsed here, but easiest // to just skip for now. - sessions->Weird("gre_routing", packet); + Weird("gre_routing", packet); return false; } if ( flags_ver & 0x0078 ) { // Expect last 4 bits of flags are reserved, undefined. - sessions->Weird("unknown_gre_flags", packet); + Weird("unknown_gre_flags", packet); return false; } if ( len < gre_len + ppp_len + eth_len + erspan_len ) { - sessions->Weird("truncated_GRE", packet); + Weird("truncated_GRE", packet); return false; } @@ -185,7 +185,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 ) { - sessions->Weird("non_ip_packet_in_encap", packet); + Weird("non_ip_packet_in_encap", packet); return false; } diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index 4a46046a90..d3ee996dc5 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -15,7 +15,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* if ( len_80211 >= len ) { - packet->Weird("truncated_802_11_header"); + Weird("truncated_802_11_header", packet); return false; } @@ -47,7 +47,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* if ( len_80211 >= len ) { - packet->Weird("truncated_802_11_header"); + Weird("truncated_802_11_header", packet); return false; } @@ -82,7 +82,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* len_80211 += 8; if ( len_80211 >= len ) { - packet->Weird("truncated_802_11_header"); + Weird("truncated_802_11_header", packet); return false; } 
diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc index 8f66b79437..04d6702254 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc @@ -15,7 +15,7 @@ bool IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Pa { if ( 3 >= len ) { - packet->Weird("truncated_radiotap_header"); + Weird("truncated_radiotap_header", packet); return false; } @@ -24,7 +24,7 @@ bool IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Pa if ( rtheader_len >= len ) { - packet->Weird("truncated_radiotap_header"); + Weird("truncated_radiotap_header", packet); return false; } diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index 90757dacd7..df3a9dfabc 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -35,7 +35,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // check ipv4 here. We'll check ipv6 later once we determine we have an ipv6 header. if ( len < sizeof(struct ip) ) { - sessions->Weird("truncated_IP", packet); + Weird("truncated_IP", packet); return false; } @@ -56,7 +56,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( len < sizeof(struct ip6_hdr) ) { - sessions->Weird("truncated_IP", packet); + Weird("truncated_IP", packet); return false; } @@ -65,7 +65,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } else { - sessions->Weird("unknown_ip_version", packet); + Weird("unknown_ip_version", packet); return false; } 
@@ -76,7 +76,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( total_len == 0 ) { // TCP segmentation offloading can zero out the ip_len field. - sessions->Weird("ip_hdr_len_zero", packet); + Weird("ip_hdr_len_zero", packet); // Cope with the zero'd out ip_len field by using the caplen. total_len = packet->cap_len - hdr_size; @@ -84,7 +84,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( packet->len < total_len + hdr_size ) { - sessions->Weird("truncated_IPv6", packet); + Weird("truncated_IPv6", packet); return false; } @@ -93,13 +93,13 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) uint16_t ip_hdr_len = packet->ip_hdr->HdrLen(); if ( ip_hdr_len > total_len ) { - sessions->Weird("invalid_IP_header_size", packet); + Weird("invalid_IP_header_size", packet); return false; } if ( ip_hdr_len > len ) { - sessions->Weird("internally_truncated_header", packet); + Weird("internally_truncated_header", packet); return false; } @@ -107,7 +107,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( ip_hdr_len < sizeof(struct ip) ) { - sessions->Weird("IPv4_min_header_size", packet); + Weird("IPv4_min_header_size", packet); return false; } } @@ -115,7 +115,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( ip_hdr_len < sizeof(struct ip6_hdr) ) { - sessions->Weird("IPv6_min_header_size", packet); + Weird("IPv6_min_header_size", packet); return false; } } @@ -129,7 +129,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) ! zeek::id::find_val("ignore_checksums_nets")->Contains(packet->ip_hdr->IPHeaderSrcAddr()) && detail::in_cksum(reinterpret_cast(ip4), ip_hdr_len) != 0xffff ) { - sessions->Weird("bad_IP_checksum", packet); + Weird("bad_IP_checksum", packet); return false; } 
@@ -144,7 +144,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( len < total_len ) { - sessions->Weird("incompletely_captured_fragment", packet); + Weird("incompletely_captured_fragment", packet); // Don't try to reassemble, that's doomed. // Discard all except the first fragment (which @@ -174,7 +174,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ip_hdr_len > total_len ) { - sessions->Weird("invalid_IP_header_size", packet); + Weird("invalid_IP_header_size", packet); return false; } } @@ -203,7 +203,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ! ignore_checksums && mobility_header_checksum(packet->ip_hdr) != 0xffff ) { - sessions->Weird("bad_MH_checksum", packet); + Weird("bad_MH_checksum", packet); return false; } @@ -211,7 +211,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) event_mgr.Enqueue(mobile_ipv6_message, packet->ip_hdr->ToPktHdrVal()); if ( packet->ip_hdr->NextProto() != IPPROTO_NONE ) - sessions->Weird("mobility_piggyback", packet); + Weird("mobility_piggyback", packet); return true; } @@ -249,7 +249,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( ! ( packet->encap && packet->encap->LastType() == BifEnum::Tunnel::TEREDO ) ) { - sessions->Weird("ipv6_no_next", packet); + Weird("ipv6_no_next", packet); return_val = false; } break; diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc index a7455cb214..ca91c26a61 100644 --- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc 
@@ -29,14 +29,14 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa if ( ! BifConst::Tunnel::enable_ip ) { - sessions->Weird("IP_tunnel", packet); + Weird("IP_tunnel", packet); return false; } if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) { - sessions->Weird("exceeded_tunnel_max_depth", packet); + Weird("exceeded_tunnel_max_depth", packet); return false; } @@ -52,11 +52,11 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa // Check for a valid inner packet first. int result = sessions->ParseIPPacket(len, data, proto, inner); if ( result == -2 ) - sessions->Weird("invalid_inner_IP_version", packet); + Weird("invalid_inner_IP_version", packet); else if ( result < 0 ) - sessions->Weird("truncated_inner_IP", packet); + Weird("truncated_inner_IP", packet); else if ( result > 0 ) - sessions->Weird("inner_IP_payload_length_mismatch", packet); + Weird("inner_IP_payload_length_mismatch", packet); if ( result != 0 ) { diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc index 35273cd961..77b5d780f4 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc @@ -14,7 +14,7 @@ bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa auto len_sll_hdr = sizeof(SLLHeader); if ( len_sll_hdr >= len ) { - packet->Weird("truncated_Linux_SLL_header"); + Weird("truncated_Linux_SLL_header", packet); return false; } diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc index 7314d507fa..b1394f6c18 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc 
@@ -18,7 +18,7 @@ bool MPLSAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet { if ( 4 >= len ) { - packet->Weird("truncated_link_header"); + Weird("truncated_link_header", packet); return false; } diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc index c7ae625784..dde1dfe11c 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.cc +++ b/src/packet_analysis/protocol/nflog/NFLog.cc @@ -13,7 +13,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe { if ( 4 >= len ) { - packet->Weird("truncated_nflog_header"); + Weird("truncated_nflog_header", packet); return false; } @@ -23,7 +23,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe if ( version != 0 ) { - packet->Weird("unknown_nflog_version"); + Weird("unknown_nflog_version", packet); return false; } @@ -38,7 +38,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe { if ( 4 >= len ) { - packet->Weird("nflog_no_pcap_payload"); + Weird("nflog_no_pcap_payload", packet); return false; } @@ -66,7 +66,7 @@ bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe if ( tlv_len < 4 ) { - packet->Weird("nflog_bad_tlv_len"); + Weird("nflog_bad_tlv_len", packet); return false; } else diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc index 5a28c360c7..87fe28e844 100644 --- a/src/packet_analysis/protocol/null/Null.cc +++ b/src/packet_analysis/protocol/null/Null.cc @@ -13,7 +13,7 @@ bool NullAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet { if ( 4 >= len ) { - packet->Weird("null_analyzer_failed"); + Weird("null_analyzer_failed", packet); return false; } diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc index 90214f7b76..83e66b2f22 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc 
+++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc @@ -13,7 +13,7 @@ bool PPPSerialAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* p { if ( 4 >= len ) { - packet->Weird("truncated_ppp_serial_header"); + Weird("truncated_ppp_serial_header", packet); return false; } diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc index 7eac6d5736..d5d09f0f98 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.cc +++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc @@ -13,7 +13,7 @@ bool PPPoEAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe { if ( 8 >= len ) { - packet->Weird("truncated_pppoe_header"); + Weird("truncated_pppoe_header", packet); return false; } diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc index 2700d814db..cb685c3aa7 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.cc +++ b/src/packet_analysis/protocol/vlan/VLAN.cc @@ -13,7 +13,7 @@ bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet { if ( 4 >= len ) { - packet->Weird("truncated_VLAN_header"); + Weird("truncated_VLAN_header", packet); return false; } diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc index c17244b4dc..d8bcf990c8 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.cc +++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc @@ -25,7 +25,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) if ( data + cfplen + 14 >= end_of_data ) { - packet->Weird("truncated_link_header_cfp"); + Weird("truncated_link_header_cfp", packet); return false; } @@ -55,7 +55,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 4 >= end_of_data ) { - packet->Weird("truncated_link_header"); + Weird("truncated_link_header", packet); return false; } 
@@ -73,7 +73,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 8 >= end_of_data ) { - packet->Weird("truncated_link_header"); + Weird("truncated_link_header", packet); return false; } @@ -87,7 +87,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) else { // Neither IPv4 nor IPv6. - packet->Weird("non_ip_packet_in_pppoe_encapsulation"); + Weird("non_ip_packet_in_pppoe_encapsulation", packet); return false; } } @@ -111,7 +111,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) else { // Neither IPv4 nor IPv6. - packet->Weird("non_ip_packet_in_ethernet"); + Weird("non_ip_packet_in_ethernet", packet); return false; } } @@ -125,7 +125,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 4 >= end_of_data ) { - packet->Weird("truncated_link_header"); + Weird("truncated_link_header", packet); return false; } @@ -136,7 +136,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) // We assume that what remains is IP if ( data + sizeof(struct ip) >= end_of_data ) { - packet->Weird("no_ip_in_mpls_payload"); + Weird("no_ip_in_mpls_payload", packet); return false; } @@ -149,7 +149,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) else { // Neither IPv4 nor IPv6. - packet->Weird("no_ip_in_mpls_payload"); + Weird("no_ip_in_mpls_payload", packet); return false; } } diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 6f20c7b516..731c9d9a1c 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc 
@@ -140,8 +140,10 @@ void Manager::SearchDynamicPlugins(const std::string& dir) closedir(d); } -bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_not_found) +bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_not_found, std::vector* errors) { + errors->clear(); // caller should pass it in empty, but just to be sure + dynamic_plugin_map::iterator m = dynamic_plugins.find(util::strtolower(name)); if ( m == dynamic_plugins.end() ) @@ -160,7 +162,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ return true; } - reporter->Error("plugin %s is not available", name.c_str()); + errors->push_back(util::fmt("plugin %s is not available", name.c_str())); return false; } 
@@ -175,6 +177,74 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ DBG_LOG(DBG_PLUGINS, "Activating plugin %s", name.c_str()); + // Load shared libraries. + + string dypattern = dir + "/lib/*." + HOST_ARCHITECTURE + DYNAMIC_PLUGIN_SUFFIX; + + DBG_LOG(DBG_PLUGINS, " Searching for shared libraries %s", dypattern.c_str()); + + glob_t gl; + + if ( glob(dypattern.c_str(), 0, 0, &gl) == 0 ) + { + for ( size_t i = 0; i < gl.gl_pathc; i++ ) + { + const char* path = gl.gl_pathv[i]; + + current_plugin = nullptr; + current_dir = dir.c_str(); + current_sopath = path; + void* hdl = dlopen(path, RTLD_NOW | RTLD_GLOBAL); + current_dir = nullptr; + current_sopath = nullptr; + + if ( ! hdl ) + { + const char* err = dlerror(); + errors->push_back(util::fmt("cannot load plugin library %s: %s", path, err ? err : "")); + continue; + } + + if ( ! current_plugin ) { + errors->push_back(util::fmt("load plugin library %s did not instantiate a plugin", path)); + continue; + } + + current_plugin->SetDynamic(true); + current_plugin->DoConfigure(); + DBG_LOG(DBG_PLUGINS, " InitialzingComponents"); + current_plugin->InitializeComponents(); + + plugins_by_path.insert(std::make_pair(util::detail::normalize_path(dir), current_plugin)); + + // We execute the pre-script initialization here; this in + // fact could be *during* script initialization if we got + // triggered via @load-plugin. + current_plugin->InitPreScript(); + + // Make sure the name the plugin reports is consistent with + // what we expect from its magic file. + if ( util::strtolower(current_plugin->Name()) != util::strtolower(name) ) { + errors->push_back(util::fmt("inconsistent plugin name: %s vs %s", + current_plugin->Name().c_str(), name.c_str())); + continue; + } + + current_plugin = nullptr; + DBG_LOG(DBG_PLUGINS, " Loaded %s", path); + } + + globfree(&gl); + + if ( ! 
errors->empty() ) + return false; + } + + else + { + DBG_LOG(DBG_PLUGINS, " No shared library found"); + } + // Add the "scripts" and "bif" directories to ZEEKPATH. std::string scripts = dir + "scripts"; 
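Review bot: The name-consistency check runs only after `DoConfigure()`, `InitializeComponents()`, the `plugins_by_path` insert and `InitPreScript()`. A mismatch now hits `continue` instead of `FatalError`, so a library that fails the check stays loaded, initialized and registered while the function returns false. `m->second` is not cleared on that path, so the retry loop in `ActivateDynamicPlugins()` will try the same plugin again. A second `dlopen` of an already loaded library presumably does not re-run its registration, which would then surface as the unrelated "did not instantiate a plugin" message. Moving the name comparison to directly after the `! current_plugin` check, before any initialization, stops a plugin whose identity does not match its magic file from being configured and initialized. The failure paths also never `dlclose(hdl)` and can leave `current_plugin` set; the function's body starts and ends outside this hunk.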
@@ -227,104 +297,72 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ } } - // Load shared libraries. - - string dypattern = dir + "/lib/*." + HOST_ARCHITECTURE + DYNAMIC_PLUGIN_SUFFIX; - - DBG_LOG(DBG_PLUGINS, " Searching for shared libraries %s", dypattern.c_str()); - - glob_t gl; - - if ( glob(dypattern.c_str(), 0, 0, &gl) == 0 ) - { - for ( size_t i = 0; i < gl.gl_pathc; i++ ) - { - const char* path = gl.gl_pathv[i]; - - current_plugin = nullptr; - current_dir = dir.c_str(); - current_sopath = path; - void* hdl = dlopen(path, RTLD_LAZY | RTLD_GLOBAL); - - if ( ! hdl ) - { - const char* err = dlerror(); - reporter->FatalError("cannot load plugin library %s: %s", path, err ? err : ""); - } - - if ( ! current_plugin ) - reporter->FatalError("load plugin library %s did not instantiate a plugin", path); - - current_plugin->SetDynamic(true); - current_plugin->DoConfigure(); - DBG_LOG(DBG_PLUGINS, " InitialzingComponents"); - current_plugin->InitializeComponents(); - - plugins_by_path.insert(std::make_pair(util::detail::normalize_path(dir), current_plugin)); - - // We execute the pre-script initialization here; this in - // fact could be *during* script initialization if we got - // triggered via @load-plugin. - current_plugin->InitPreScript(); - - // Make sure the name the plugin reports is consistent with - // what we expect from its magic file. - if ( util::strtolower(current_plugin->Name()) != util::strtolower(name) ) - reporter->FatalError("inconsistent plugin name: %s vs %s", - current_plugin->Name().c_str(), name.c_str()); - - current_dir = nullptr; - current_sopath = nullptr; - current_plugin = nullptr; - - DBG_LOG(DBG_PLUGINS, " Loaded %s", path); - } - - globfree(&gl); - } - - else - { - DBG_LOG(DBG_PLUGINS, " No shared library found"); - } - // Mark this plugin as activated by clearing the path. 
m->second.clear(); return true; } -bool Manager::ActivateDynamicPlugin(const std::string& name) +void Manager::ActivateDynamicPlugin(const std::string& name) { - if ( ! ActivateDynamicPluginInternal(name) ) - return false; - - UpdateInputFiles(); - return true; + std::vector errors; + if ( ActivateDynamicPluginInternal(name, false, &errors) ) + UpdateInputFiles(); + else + // Reschedule for another attempt later. + requested_plugins.insert(std::move(name)); } -bool Manager::ActivateDynamicPlugins(bool all) - { +void Manager::ActivateDynamicPlugins(bool all) { + // Tracks plugins we need to activate as pairs of their names and booleans + // indicating whether an activation failure is to be deemed a fatal error. + std::set> plugins_to_activate; + + // Activate plugins that were specifically requested. + for ( const auto& x : requested_plugins ) + plugins_to_activate.emplace(x, false); + // Activate plugins that our environment tells us to. vector p; util::tokenize_string(util::zeek_plugin_activate(), ",", &p); - for ( size_t n = 0; n < p.size(); ++n ) - ActivateDynamicPluginInternal(p[n], true); + for ( const auto& x : p ) + plugins_to_activate.emplace(x, true); if ( all ) { - for ( dynamic_plugin_map::const_iterator i = dynamic_plugins.begin(); - i != dynamic_plugins.end(); i++ ) + // Activate all other ones we discovered. + for ( const auto& x : dynamic_plugins ) + plugins_to_activate.emplace(x.first, false); + } + + // Now we keep iterating over all the plugins, trying to load them, for as + // long as we're successful for at least one further of them each round. + // Doing so ensures that we can resolve (non-cyclic) load dependencies + // independent of any particular order. + while ( ! plugins_to_activate.empty() ) { + std::vector errors; + auto plugins_left = plugins_to_activate; + + for ( const auto& x : plugins_to_activate ) { - if ( ! 
ActivateDynamicPluginInternal(i->first) ) - return false; + if ( ActivateDynamicPluginInternal(x.first, x.second, &errors) ) + plugins_left.erase(x); } + + if ( plugins_left.size() == plugins_to_activate.size() ) + { + // Could not load a single further plugin this round, that's fatal. + for ( const auto& msg : errors ) + reporter->Error("%s", msg.c_str()); + + reporter->FatalError("aborting after plugin errors"); + } + + plugins_to_activate = std::move(plugins_left); } UpdateInputFiles(); - - return true; } void Manager::UpdateInputFiles() diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index d34c5db07e..2fbb9570c7 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -2,9 +2,10 @@ #pragma once -#include #include +#include #include +#include #include "zeek/plugin/Plugin.h" #include "zeek/plugin/Component.h" 
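Review bot: `errors` is shared by every call in a round, but `ActivateDynamicPluginInternal()` begins with `errors->clear()` (first hunk of this file). When a round makes no progress, the `reporter->Error` loop therefore prints at most the messages of the last plugin tried, and the reasons the others failed are lost before `FatalError`. Collect per call and append instead: `std::vector<std::string> errs;`, `if ( ActivateDynamicPluginInternal(x.first, x.second, &errs) ) plugins_left.erase(x);`, `else errors.insert(errors.end(), errs.begin(), errs.end());` (element type inferred from the `msg.c_str()` use). The comment on `plugins_to_activate` also reads inverted: the boolean is passed as `ok_if_not_found`, so `true` means a missing plugin is tolerated rather than that a failure is fatal. In `ActivateDynamicPlugin()`, `std::move(name)` on a `const std::string&` is only a copy, and the errors from the first attempt are discarded without even a debug log.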
@@ -79,28 +80,25 @@ public: * Activating a plugin involves loading its dynamic module, making its * bifs available, and adding its script paths to ZEEKPATH. * + * This attempts to activate the plugin immediately. If that fails for + * some reason, we schedule it to be retried later with + * ActivateDynamicPlugins(). + * * @param name The name of the plugin, as found previously by - * SearchPlugin(). - * - * @return True if the plugin has been loaded successfully. - * + ·* SearchPlugin(). */ - bool ActivateDynamicPlugin(const std::string& name); + void ActivateDynamicPlugin(const std::string& name); /** - * Activates plugins that SearchDynamicPlugins() has previously discovered. - * The effect is the same all calling \a ActivePlugin(name) for each plugin. + * Activates plugins that SearchDynamicPlugins() has previously discovered, + * including any that have failed to load in prior calls to + * ActivateDynamicPlugin(). Aborts if any plugins fails to activate. * * @param all If true, activates all plugins that are found. If false, * activates only those that should always be activated unconditionally, - * as specified via the ZEEK_PLUGIN_ACTIVATE enviroment variable. In other - * words, it's \c true in standard mode and \c false in bare mode. - * - * @return True if all plugins have been loaded successfully. If one - * fails to load, the method stops there without loading any further ones - * and returns false. + * as specified via the ZEEK_PLUGIN_ACTIVATE environment variable. */ - bool ActivateDynamicPlugins(bool all); + void ActivateDynamicPlugins(bool all); /** * First-stage initializion of the manager. This is called early on 
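Review bot: The new comment on ActivateDynamicPlugins() says it "Aborts if any plugins fails to activate" but does not say how or when. In the Manager.cc part of this commit the process ends through `reporter->FatalError` once a whole round activates no further plugin, and names from ZEEK_PLUGIN_ACTIVATE are passed with `ok_if_not_found` set to true, so presumably a missing one is not counted as a failure. Both methods now return void, so this comment is the only place a caller learns that failure terminates the process; suggest `* Terminates with a fatal error if a round of attempts activates no further plugin.` On ActivateDynamicPlugin(), add a sentence that the method itself reports no error when the first attempt fails. The `@param all` text also lost the note that it is true in standard mode and false in bare mode.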
@@ -413,11 +411,15 @@ public: static void RegisterBifFile(const char* plugin, bif_init_func c); private: - bool ActivateDynamicPluginInternal(const std::string& name, bool ok_if_not_found = false); + bool ActivateDynamicPluginInternal(const std::string& name, bool ok_if_not_found, std::vector* errors); void UpdateInputFiles(); void MetaHookPre(HookType hook, const HookArgumentList& args) const; void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result) const; + // Plugins that were explicitly requested to be activated, but failed to + // load at first. + std::set requested_plugins; + // All found dynamic plugins, mapping their names to base directory. using dynamic_plugin_map = std::map; dynamic_plugin_map dynamic_plugins; diff --git a/src/reporter.bif b/src/reporter.bif index 0d942697ec..7b5c6ff356 100644 --- a/src/reporter.bif +++ b/src/reporter.bif @@ -91,9 +91,9 @@ function Reporter::fatal_error_with_core%(msg: string%): bool ## name: the name of the weird. ## ## Returns: Always true. -function Reporter::net_weird%(name: string%): bool +function Reporter::net_weird%(name: string, addl: string &default="", source: string &default=""%): bool %{ - reporter->Weird(name->CheckString()); + reporter->Weird(name->CheckString(), addl->CheckString(), source->CheckString()); return zeek::val_mgr->True(); %} @@ -106,9 +106,9 @@ function Reporter::net_weird%(name: string%): bool ## resp: the responder host associated with the weird. ## ## Returns: Always true. -function Reporter::flow_weird%(name: string, orig: addr, resp: addr%): bool +function Reporter::flow_weird%(name: string, orig: addr, resp: addr, addl: string &default="", source: string &default=""%): bool %{ - reporter->Weird(orig->AsAddr(), resp->AsAddr(), name->CheckString()); + reporter->Weird(orig->AsAddr(), resp->AsAddr(), name->CheckString(), addl->CheckString(), source->CheckString()); return zeek::val_mgr->True(); %} 
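Review bot: The new `errors` out-parameter of ActivateDynamicPluginInternal is a raw pointer with no stated contract, and the declaration drops the `= false` default of `ok_if_not_found` without documenting either argument. Every call visible in Manager.cc passes `&errors`, so if null is never valid a reference would express that; otherwise add a comment along the lines of `// errors: collects messages for failed activations; must not be null.`, with the wording checked against the implementation, which is outside this hunk. The comment on `requested_plugins` could also say that ActivateDynamicPlugins() is what retries its entries.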
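Review bot: The doc comments above Reporter::net_weird and Reporter::flow_weird still describe only the old arguments, so the new `addl` and `source` parameters are undocumented. conn_weird and file_weird in the following hunks gain `source` the same way. Add lines such as `## addl: additional information to accompany the weird.` and `## source: the name of the component reporting the weird.` to each. The baselines in this commit show a new `source` column in weird.log, and any script can now pass an arbitrary string there, so the comment should say the value is caller-supplied and that log consumers should not treat it as verified provenance.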
@@ -121,17 +121,17 @@ function Reporter::flow_weird%(name: string, orig: addr, resp: addr%): bool ## addl: additional information to accompany the weird. ## ## Returns: Always true. -function Reporter::conn_weird%(name: string, c: connection, addl: string &default=""%): bool +function Reporter::conn_weird%(name: string, c: connection, addl: string &default="", source: string &default=""%): bool %{ if ( c ) - reporter->Weird(c, name->CheckString(), addl->CheckString()); + reporter->Weird(c, name->CheckString(), addl->CheckString(), source->CheckString()); else { auto connection_record = @ARG@[1]->AsRecordVal(); auto conn_id_val = connection_record->GetField("id"); auto uid_val = connection_record->GetField("uid"); reporter->Weird(conn_id_val, uid_val, - name->CheckString(), addl->CheckString()); + name->CheckString(), addl->CheckString(), source->CheckString()); } return zeek::val_mgr->True(); @@ -146,7 +146,7 @@ function Reporter::conn_weird%(name: string, c: connection, addl: string &defaul ## addl: additional information to accompany the weird. ## ## Returns: true if the file was still valid, else false. -function Reporter::file_weird%(name: string, f: fa_file, addl: string &default=""%): bool +function Reporter::file_weird%(name: string, f: fa_file, addl: string &default="", source: string&default=""%): bool %{ auto fuid = f->AsRecordVal()->GetField(0)->AsStringVal(); auto file = zeek::file_mgr->LookupFile(fuid->CheckString()); @@ -154,7 +154,7 @@ function Reporter::file_weird%(name: string, f: fa_file, addl: string &default=" if ( ! file ) return zeek::val_mgr->False(); - reporter->Weird(file, name->CheckString(), addl->CheckString()); + reporter->Weird(file, name->CheckString(), addl->CheckString(), source->CheckString()); return zeek::val_mgr->True(); %} diff --git a/src/strings.bif b/src/strings.bif index ecabe195c8..7e4bbfdfcd 100644 --- a/src/strings.bif +++ b/src/strings.bif 
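Review bot: In the new Reporter::file_weird signature the added parameter is written `source: string&default=""`, without the space that net_weird, flow_weird and conn_weird use in this same commit. Write it as `source: string &default=""` so the four declarations read the same. The function's body continues in the next hunk.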
@@ -1405,7 +1405,7 @@ function swap_case%(str: string%) : string %} ## Converts a string to Title Case. This changes the first character of each sequence of non-space characters -## in the string to be capitalized. See https://docs.python.org/2/library/stdtypes.html#str.title for more info. +## in the string to be capitalized. See https://docs.python.org/3/library/stdtypes.html#str.title for more info. ## ## str: The string to convert. ## diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc index 0f54566f94..c08dfa2e23 100644 --- a/src/zeek-setup.cc +++ b/src/zeek-setup.cc @@ -606,17 +606,8 @@ SetupResult setup(int argc, char** argv, Options* zopts) file_mgr->InitPreScript(); zeekygen_mgr->InitPreScript(); - bool missing_plugin = false; - - for ( set::const_iterator i = requested_plugins.begin(); - i != requested_plugins.end(); i++ ) - { - if ( ! plugin_mgr->ActivateDynamicPlugin(*i) ) - missing_plugin = true; - } - - if ( missing_plugin ) - reporter->FatalError("Failed to activate requested dynamic plugin(s)."); + for ( const auto& x : requested_plugins ) + plugin_mgr->ActivateDynamicPlugin(std::move(x)); plugin_mgr->ActivateDynamicPlugins(! options.bare_mode); diff --git a/src/zeek.bif b/src/zeek.bif index 5a81879ddf..40fd80444b 100644 --- a/src/zeek.bif +++ b/src/zeek.bif 
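Review bot: `std::move(x)` in the new loop in zeek-setup.cc has no effect, because `x` is bound as `const auto&` and ActivateDynamicPlugin takes `const std::string&`; it only suggests to a reader that requested_plugins is consumed here. Pass the element directly: `plugin_mgr->ActivateDynamicPlugin(x);`. With the local `missing_plugin` check removed, a requested plugin that cannot be activated is no longer reported at this point and surfaces only through the ActivateDynamicPlugins() call that follows. A one-line comment such as `// Failures are retried and reported by ActivateDynamicPlugins() below.` would make that visible. setup() starts and ends outside this hunk.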
@@ -2537,6 +2537,30 @@ function interval_to_double%(i: interval%): double return zeek::make_intrusive(i); %} +## Converts a :zeek:type:`count` to a :zeek:type:`double`. +## +## c: The :zeek:type:`count` to convert. +## +## Returns: The :zeek:type:`count` *c* as :zeek:type:`double`. +## +## .. zeek:see:: int_to_double double_to_count +function count_to_double%(c: count%): double + %{ + return zeek::make_intrusive(c); + %} + +## Converts an :zeek:type:`int` to a :zeek:type:`double`. +## +## i: The :zeek:type:`int` to convert. +## +## Returns: The :zeek:type:`int` *i* as :zeek:type:`double`. +## +## .. zeek:see:: count_to_double double_to_count +function int_to_double%(i: int%): double + %{ + return zeek::make_intrusive(i); + %} + ## Converts a :zeek:type:`time` value to a :zeek:type:`double`. ## ## t: The :zeek:type:`time` to convert. diff --git a/testing/btest/Baseline/bifs.decode_base64_conn/weird.log b/testing/btest/Baseline/bifs.decode_base64_conn/weird.log index cdee200f0b..82f7fa8a9b 100644 --- a/testing/btest/Baseline/bifs.decode_base64_conn/weird.log +++ b/testing/btest/Baseline/bifs.decode_base64_conn/weird.log 
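Review bot: The doc comment for count_to_double does not mention that the conversion can lose precision. A count is a 64-bit unsigned value and a double represents integers exactly only up to 2^53, so larger counts are rounded; the same applies to int_to_double at large magnitudes. Add a line such as `## Note: values with magnitude above 2^53 cannot be represented exactly and are rounded.` to both comments, so scripts that compare or threshold large counters after conversion do not assume exactness.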
@@ -1,12 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-01-59-08 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1254722767.875996 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek -1437831787.861602 CmES5u32sYpV7JYN 192.168.133.100 49648 192.168.133.102 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek -1437831799.610433 C3eiCBGOLw3VtHfOj 192.168.133.100 49655 17.167.150.73 443 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek -#close 2019-06-07-01-59-08 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek - +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 192.168.133.100 49648 192.168.133.102 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek - +XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 192.168.133.100 49655 17.167.150.73 443 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/bifs.to_double/out b/testing/btest/Baseline/bifs.to_double/out index 8e172dcaa6..55f4f21829 100644 --- a/testing/btest/Baseline/bifs.to_double/out +++ b/testing/btest/Baseline/bifs.to_double/out @@ -4,3 +4,6 @@ 3600.0 86400.0 1342748947.655087 +0.0 +10000.0 +-41.0 
diff --git a/testing/btest/Baseline/core.checksums/bad.out b/testing/btest/Baseline/core.checksums/bad.out index df84841c36..5d1748a8e6 100644 --- a/testing/btest/Baseline/core.checksums/bad.out +++ b/testing/btest/Baseline/core.checksums/bad.out 
@@ -1,103 +1,104 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-07 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332784981.078396 - 127.0.0.1 0 127.0.0.1 0 bad_IP_checksum - F zeek -#close 2020-10-14-18-44-07 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 127.0.0.1 0 127.0.0.1 0 bad_IP_checksum - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-08 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332784885.686428 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F zeek -#close 2020-10-14-18-44-08 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F zeek TCP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-08 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332784933.501023 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F zeek -#close 2020-10-14-18-44-08 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool 
string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F zeek UDP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-09 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075363.536871 CHhAvVGS1DHFjwGM9 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-09 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-10 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332785210.013051 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -1332785210.013051 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F zeek -#close 2020-10-14-18-44-10 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F zeek TCP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-10 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string 
bool string -1332782580.798420 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -1332782580.798420 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F zeek -#close 2020-10-14-18-44-10 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F zeek UDP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075111.800086 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -1334075111.800086 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-11 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332785250.469132 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 
bad_TCP_checksum - F zeek -#close 2020-10-14-18-44-11 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 bad_TCP_checksum - F zeek TCP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-12 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332781342.923813 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F zeek -#close 2020-10-14-18-44-12 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F zeek UDP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-12 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-12 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/core.checksums/good.out b/testing/btest/Baseline/core.checksums/good.out index d7116bca16..72eab9b642 100644 --- a/testing/btest/Baseline/core.checksums/good.out +++ b/testing/btest/Baseline/core.checksums/good.out 
@@ -1,70 +1,71 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-12 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek -#close 2020-10-14-18-44-12 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek ICMP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332785125.596793 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-15 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1332782508.592037 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-15 +#open XXXX-XX-XX-XX-XX-XX +#fields 
ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 
2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-44-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek -#close 2020-10-14-18-44-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.ip-broken-header/weird.log b/testing/btest/Baseline/core.ip-broken-header/weird.log index 4274eb2986..97c99cf663 100644 --- a/testing/btest/Baseline/core.ip-broken-header/weird.log +++ b/testing/btest/Baseline/core.ip-broken-header/weird.log 
@@ -1,471 +1,472 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-18-45-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557630.000000 - - - - - unknown_ip_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 
0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 
0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:ffff:ffff:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7463:2a72:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 
b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F 
zeek -1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:100:0:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 
9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 
b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F zeek -1500557631.000000 - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F zeek -1500557631.000000 - 0.0.0.0 0 
0.0.0.0 0 ip_hdr_len_zero - F zeek -1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek -1500557631.000000 - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557631.000000 - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:bf 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 32.0.8.99 0 0.0.0.0 0 
invalid_IP_header_size - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 ip_hdr_len_zero - F zeek -1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F zeek -1500557632.000000 - b100:7265:6374:6929::6928:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 7200:65:6374:6929::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6900:2900:0:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 
3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 ip_hdr_len_zero - F zeek -1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F zeek -1500557632.000000 - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::2104:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 
40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 ip_hdr_len_zero - F zeek -1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F zeek -1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F zeek -1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557632.000000 - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6377:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::4:fd 0 
c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:3b 0 bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::ff00:bfff 0 3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:6369:2a29:3b00:690a:ff 0 3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 ip_hdr_len_zero - F zeek -1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
-1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 
ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek -1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek -1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557633.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929::693b:bdff 0 0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F zeek -1500557634.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:63ce:69:7429:0:690a:b1 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:2a29::6904:ff 0 
29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -1500557634.000000 - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -#close 2020-10-14-18-45-20 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 
3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - - - - - unknown_ip_version - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ffff:ffff:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7463:2a72:6929:400:0:6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.65.95 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F 
zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.255.255 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:100:0:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.53.0.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 
0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:bf 0 
3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 32.0.8.99 0 0.0.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.255.255.255 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6928:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 7200:65:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6900:2900:0:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F 
zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 71.97.99.109 0 0.16.0.41 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 
0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::2104:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 
invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 143.9.0.0 0 0.98.0.237 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 
3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 
3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6377:6929::6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:fd 0 c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:3b 0 
bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff00:bfff 0 3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 
b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:3b00:690a:ff 0 3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 68.80.95.104 0 109.115.117.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek 
IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.255.255.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek IP +XXXXXXXXXX.XXXXXX - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL 
+XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::693b:bdff 0 0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F zeek IP +XXXXXXXXXX.XXXXXX - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:0:690a:b1 0 
3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:2a29::6904:ff 0 29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +XXXXXXXXXX.XXXXXX - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.negative-time/weird.log b/testing/btest/Baseline/core.negative-time/weird.log index ccc9a520af..49c7011a3b 100644 --- a/testing/btest/Baseline/core.negative-time/weird.log 
+++ b/testing/btest/Baseline/core.negative-time/weird.log @@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-01-59-25 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1425182592.408334 - - - - - negative_packet_timestamp - F zeek -#close 2019-06-07-01-59-25 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - negative_packet_timestamp - F zeek - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output index 8c738a6546..882692db5e 100644 --- a/testing/btest/Baseline/core.truncation/output +++ b/testing/btest/Baseline/core.truncation/output 
@@ -1,81 +1,82 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334160095.895421 - - - - - truncated_IP - F zeek -#close 2020-10-14-19-20-15 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - truncated_IP - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334156241.519125 - - - - - truncated_IP - F zeek -#close 2020-10-14-19-20-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - truncated_IP - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1334094648.590126 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:4f8:4:7:2e0:81ff:fe52:9a6b 0 truncated_IPv6 - F zeek -#close 2020-10-14-19-20-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:4f8:4:7:2e0:81ff:fe52:9a6b 0 
truncated_IPv6 - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-17 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1338328954.078361 - 10.0.0.1 0 192.0.43.10 0 internally_truncated_header - F zeek -1338328954.099743 - 192.0.43.10 0 10.0.0.1 0 internally_truncated_header - F zeek -#close 2020-10-14-19-20-17 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 10.0.0.1 0 192.0.43.10 0 internally_truncated_header - F zeek - +XXXXXXXXXX.XXXXXX - 192.0.43.10 0 10.0.0.1 0 internally_truncated_header - F zeek - +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-18 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1404148886.981015 - - - - - truncated_ethernet_frame - F zeek -#close 2020-10-14-19-20-18 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - - - - - truncated_ethernet_frame - F zeek ETHERNET +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-19 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek -#close 2020-10-14-19-20-19 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types 
time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-19 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek -#close 2020-10-14-19-20-19 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek IP +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-10-14-19-20-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek -#close 2020-10-14-19-20-20 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek IP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output index bf3356a6df..86a3a3677e 100644 --- a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output +++ b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output 
@@ -1,20 +1,21 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-03 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F zeek -#close 2019-06-07-02-20-03 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F zeek IPTUNNEL +#close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-03 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek -#close 2019-06-07-02-20-03 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek IPTUNNEL +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log index cec0f48ddb..d1e4c93415 100644 --- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log 
@@ -1,11 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-07-06-17-36-24 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 Teredo_bubble_with_payload - F zeek -1340127577.346849 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 Teredo_bubble_with_payload - F zeek -#close 2020-07-06-17-36-24 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 Teredo_bubble_with_payload - F zeek TEREDO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 Teredo_bubble_with_payload - F zeek TEREDO +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/plugins.plugin-load-dependency/output b/testing/btest/Baseline/plugins.plugin-load-dependency/output new file mode 100644 index 0000000000..e788232bd8 --- /dev/null +++ b/testing/btest/Baseline/plugins.plugin-load-dependency/output 
@@ -0,0 +1,18 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +Testing::Plugin2 - Plugin2 provides a load dependency for Plugin1 and Plugin3 (dynamic, version 1.0.0) +Testing::Plugin3 - Plugin3 has a load dependency on Plugin2 (dynamic, version 1.0.0) +in Plugin2 +in Plugin3 + +Testing::Plugin1 - Plugin1 has a load dependency on Plugin2 (dynamic, version 1.0.0) +Testing::Plugin2 - Plugin2 provides a load dependency for Plugin1 and Plugin3 (dynamic, version 1.0.0) +in Plugin1 +in Plugin2 + +Testing::Plugin1 - Plugin1 has a load dependency on Plugin2 (dynamic, version 1.0.0) +Testing::Plugin2 - Plugin2 provides a load dependency for Plugin1 and Plugin3 (dynamic, version 1.0.0) +Testing::Plugin3 - Plugin3 has a load dependency on Plugin2 (dynamic, version 1.0.0) +in Plugin1 +in Plugin2 +in Plugin2 +in Plugin3 diff --git a/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch-cluster/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch-cluster/manager-1..stdout new file mode 100644 index 0000000000..24adb52783 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch-cluster/manager-1..stdout 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +### NOTE: This file has been sorted with diff-sort. +Host: 1.2.3.4 - num:9 - sum:437.0 - avg:48.6 - max:95.0 - min:3.0 - var:758.8 - std_dev:27.5 - unique:8 - hllunique:8 +Host: 10.10.10.10 - num:1 - sum:5.0 - avg:5.0 - max:5.0 - min:5.0 - var:0.0 - std_dev:0.0 - unique:1 - hllunique:1 +Host: 6.5.4.3 - num:2 - sum:6.0 - avg:3.0 - max:5.0 - min:1.0 - var:8.0 - std_dev:2.8 - unique:2 - hllunique:2 +Host: 7.2.1.5 - num:2 - sum:145.0 - avg:72.5 - max:91.0 - min:54.0 - var:684.5 - std_dev:26.2 - unique:2 - hllunique:2 +Performing first epoch, no observations +Performing second epoch with overvations +Sending ready for data +epoch finished, F +epoch finished, T diff --git a/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch/standalone..stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch/standalone..stdout new file mode 100644 index 0000000000..67c235c609 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.sumstats.manual-epoch/standalone..stdout @@ -0,0 +1,8 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +Performing first epoch, no observations +epoch_finished +Performing second epoch with overvations +Host: 1.2.3.4 - num:5 - sum:221.0 - var:1144.2 - avg:44.2 - max:94.0 - min:5.0 - std_dev:33.8 - unique:4 - hllunique:4 +Host: 6.5.4.3 - num:1 - sum:2.0 - var:0.0 - avg:2.0 - max:2.0 - min:2.0 - std_dev:0.0 - unique:1 - hllunique:1 +Host: 7.2.1.5 - num:1 - sum:1.0 - var:0.0 - avg:1.0 - max:1.0 - min:1.0 - std_dev:0.0 - unique:1 - hllunique:1 +epoch_finished diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log b/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log index a64ac860c3..03d7f6491d 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.bad-adat-encoding/weird.log @@ -1,11 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-01-15-20-41-16 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1348168976.514202 CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 base64_illegal_encoding character 32 ignored by Base64 decoding F zeek -1348168976.514202 CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 ftp_adat_bad_first_token_encoding - F zeek -#close 2020-01-15-20-41-16 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 base64_illegal_encoding character 32 ignored by Base64 decoding F zeek - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 ftp_adat_bad_first_token_encoding - F zeek FTP_ADAT +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log index 246fbdc751..c40e200e0a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log 
@@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-04 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1523627611.748118 CHhAvVGS1DHFjwGM9 127.0.0.1 58128 127.0.0.1 80 HTTP_range_not_matching_len - F zeek -#close 2020-04-30-00-47-04 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58128 127.0.0.1 80 HTTP_range_not_matching_len - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log index 5c04b34c37..bdbecc9688 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log 
@@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-07 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1452204358.172926 CHhAvVGS1DHFjwGM9 192.168.122.130 49157 202.7.177.41 80 bad_HTTP_request_with_version - F zeek -#close 2020-04-30-00-47-07 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.122.130 49157 202.7.177.41 80 bad_HTTP_request_with_version - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log index e363aa1cf3..3d9f1e995a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log 
@@ -1,36 +1,37 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1354328874.237327 ClEkJM2Vm5giqnMf4h 128.2.6.136 46563 173.194.75.103 80 missing_HTTP_uri - F zeek -1354328874.278822 C4J4Th3PJpwUYZZ6gc 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F zeek -1354328874.321792 CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F zeek -1354328882.908690 C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F zeek -1354328882.949510 C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F zeek -1354328887.094494 C0LAHyvtKSQHyJxIl 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F zeek -1354328891.141058 CFLRIC3zaTU1loLGxh 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F zeek -1354328891.183942 C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request_with_version - F zeek -1354328891.226199 Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F zeek -1354328891.267625 C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version - F zeek -1354328891.309065 CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -1354328895.355012 C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -1354328895.396634 CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F zeek -1354328895.438812 CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F zeek -1354328895.480865 CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek -1354328903.614145 CLNN1k2QMum1aexUK7 128.2.6.136 46584 
173.194.75.103 80 bad_HTTP_request - F zeek -1354328903.656369 CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F zeek -1354328911.832856 Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F zeek -1354328911.876341 CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F zeek -1354328920.052085 CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F zeek -1354328920.094072 CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.266693 CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.308714 CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.476011 CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F zeek -1354328924.518204 CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F zeek -1354328932.734579 CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F zeek -1354328932.776609 CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F zeek -#close 2020-04-30-00-47-11 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.2.6.136 46563 173.194.75.103 80 missing_HTTP_uri - F zeek HTTP +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F zeek HTTP 
+XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request_with_version - F zeek HTTP +XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version - F zeek HTTP +XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F zeek - +XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CzmEfj4RValNyLfT58 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CCk2V03QgWwIurU3f 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CKJVAj1rNx0nolFFc4 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CD7vfu1qu4YJKe1nGi 128.2.6.136 46605 
173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CRJ9x54IaE7bkVEpad 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +XXXXXXXXXX.XXXXXX CAvUKGaEgLlR4i6t2 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log index a95be12135..6d764d1be6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log @@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-19 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1362692526.939527 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 missing_HTTP_uri - F zeek -#close 2020-04-30-00-47-19 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 missing_HTTP_uri - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log index f2e97c1d1b..85edec0db9 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log 
@@ -1,11 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-04-30-00-47-20 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F zeek -1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F zeek -#close 2020-04-30-00-47-21 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F zeek HTTP +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F zeek HTTP +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log index b6298a5dec..b603b26968 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log 
@@ -1,12 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-08-08-04-23-29 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1509735979.080381 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 contentline_size_exceeded - F zeek -1509735979.080381 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_line_size_exceeded - F zeek -1509735981.241042 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_invalid_command - F zeek -#close 2020-08-08-04-23-29 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 contentline_size_exceeded - F zeek CONTENTLINE +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_line_size_exceeded - F zeek IRC +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_invalid_command - F zeek IRC +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log b/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log index 82f82027e9..cfd8f7893e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log 
@@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-08-08-04-25-02 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1536797872.428637 CHhAvVGS1DHFjwGM9 127.0.0.1 65389 127.0.0.1 6666 irc_invalid_names_line - F zeek -#close 2020-08-08-04-25-02 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 65389 127.0.0.1 6666 irc_invalid_names_line - F zeek IRC +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.utils.email/output b/testing/btest/Baseline/scripts.base.utils.email/output index 936a5ffed2..dc0958ff64 100644 --- a/testing/btest/Baseline/scripts.base.utils.email/output +++ b/testing/btest/Baseline/scripts.base.utils.email/output @@ -26,3 +26,9 @@ john.smith@email.com john.smith@email.com, jane.doe@email.com } +john.smith@email.com +[john.smith@email.com, jane.doe@email.com] +{ +john.smith@email.com, +jane.doe@email.com +} diff --git a/testing/btest/bifs/to_double.zeek b/testing/btest/bifs/to_double.zeek index d62d30d5af..0247ae9ef3 100644 --- a/testing/btest/bifs/to_double.zeek +++ b/testing/btest/bifs/to_double.zeek @@ -17,4 +17,11 @@ event zeek_init() local f = current_time(); print time_to_double(f); + + local g = 0; + print count_to_double(g); + local h = 10000; + print count_to_double(h); + local i = -41; + print int_to_double(i); } diff --git a/testing/btest/coverage/find-bro-logs.test b/testing/btest/coverage/find-bro-logs.test index 82b5df2445..01e822deef 100644 --- a/testing/btest/coverage/find-bro-logs.test +++ b/testing/btest/coverage/find-bro-logs.test 
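Review bot: The cases added to `zeek_init` in to_double.zeek exercise `count_to_double` only with 0 and 10000 and `int_to_double` only with -41, so nothing pins behaviour near the ends of the 64-bit range, where a double can no longer represent every integer exactly (above 2^53). Consider one large-value case per bif, for example `print count_to_double(18446744073709551615);` (assuming the literal parses as a count), and regenerate the baseline with it. The conversion code is not visible in this hunk, so whether rounding there is intended is a question for the bif documentation.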
@@ -4,7 +4,7 @@ # # If this test fails, then the "Log Files" documentation page should be updated. -# @TEST-REQUIRES: which python +# @TEST-REQUIRES: which python3 # @TEST-EXEC: bash %INPUT # @TEST-EXEC: btest-diff out @@ -15,7 +15,7 @@ if [ ! -d "${BROSCRIPTS}" ]; then exit 1 fi -python find_logs.py "${BROSCRIPTS}" | sort > out +python3 find_logs.py "${BROSCRIPTS}" | sort > out @TEST-START-FILE find_logs.py import os, sys diff --git a/testing/btest/plugins/bifs-and-scripts.sh b/testing/btest/plugins/bifs-and-scripts.sh index 911d279c11..345c1faa8f 100644 --- a/testing/btest/plugins/bifs-and-scripts.sh +++ b/testing/btest/plugins/bifs-and-scripts.sh @@ -51,7 +51,7 @@ EOF cat >src/foo.bif <("Hello from the plugin!"); %} event plugin_event%(foo: count%); diff --git a/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt b/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt index a2e5f4687b..9632726412 100644 --- a/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt +++ b/testing/btest/plugins/binpac-flowbuffer-frame-length-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Foo-FOO) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") diff --git a/testing/btest/plugins/file-plugin/CMakeLists.txt b/testing/btest/plugins/file-plugin/CMakeLists.txt index d2af209beb..6fc782e2ca 100644 --- a/testing/btest/plugins/file-plugin/CMakeLists.txt +++ b/testing/btest/plugins/file-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT BRO_DIST ) message(FATAL_ERROR "BRO_DIST not set") diff --git a/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt b/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt index 4a58a114c5..dcac95fbb6 100644 --- a/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt 
+++ b/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Packet-Plugin-Demo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc index f8bc8be53f..5ecb526505 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc @@ -1,6 +1,7 @@ #include "LLCDemo.h" -#include "Event.h" -#include "Val.h" +#include "zeek/Event.h" +#include "zeek/Val.h" +#include "zeek/Sessions.h" #include "events.bif.h" using namespace zeek::packet_analysis::PacketDemo; @@ -15,7 +16,7 @@ bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) // Rudimentary parsing of 802.2 LLC if ( 17 >= len ) { - packet->Weird("truncated_llc_header"); + sessions->Weird("truncated_llc_header", packet); return false; } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h index a649970e85..f71e973c80 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h @@ -1,7 +1,7 @@ #pragma once -#include -#include +#include "zeek/packet_analysis/Analyzer.h" +#include "zeek/packet_analysis/Component.h" namespace zeek::packet_analysis::PacketDemo { diff --git a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc index a1bb9af237..d1c3e348d0 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc 
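Review bot: The truncation guard `if ( 17 >= len )` in `LLCDemo::AnalyzePacket` is the only length check visible before the packet data is parsed, and its literal is unexplained, whereas RawLayer.cc names the equivalent bound `layer_size`. A named constant with a short comment, `constexpr auto layer_size = 17; // reject frames too short for the fields read below`, would keep the bound auditable next to the reads it protects. The new `sessions->Weird(..., packet)` call here and in RawLayer.cc also relies on the global `sessions` being set before packets arrive, which presumably holds but is not shown. The function body continues outside the hunk.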
@@ -1,6 +1,8 @@ #include "RawLayer.h" -#include "Event.h" -#include "Val.h" +#include "zeek/Event.h" +#include "zeek/Val.h" +#include "zeek/Sessions.h" + #include "events.bif.h" using namespace zeek::packet_analysis::PacketDemo; @@ -15,7 +17,7 @@ bool RawLayer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) constexpr auto layer_size = 21; if ( layer_size >= len ) { - packet->Weird("truncated_raw_layer"); + sessions->Weird("truncated_raw_layer", packet); return false; } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h index bf47e933ab..fce732d347 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h @@ -1,7 +1,7 @@ #pragma once -#include -#include +#include "zeek/packet_analysis/Analyzer.h" +#include "zeek/packet_analysis/Component.h" namespace zeek::packet_analysis::PacketDemo { diff --git a/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt b/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt index 0b92f3b0ca..f611ab6b80 100644 --- a/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt +++ b/testing/btest/plugins/pktdumper-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") diff --git a/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt b/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt index 0b92f3b0ca..f611ab6b80 100644 --- a/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt +++ b/testing/btest/plugins/pktsrc-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") 
diff --git a/testing/btest/plugins/plugin-load-dependency.zeek b/testing/btest/plugins/plugin-load-dependency.zeek new file mode 100644 index 0000000000..d9d78d7ebb --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency.zeek @@ -0,0 +1,31 @@ +# @TEST-EXEC: mkdir 1 +# @TEST-EXEC: cd 1 && ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Testing Plugin1 +# @TEST-EXEC: cp -r %DIR/plugin-load-dependency/1 . +# @TEST-EXEC: cd 1 && ./configure --zeek-dist=${DIST} && make + +# @TEST-EXEC: mkdir 2 +# @TEST-EXEC: cd 2 && ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Testing Plugin2 +# @TEST-EXEC: cp -r %DIR/plugin-load-dependency/2 . +# @TEST-EXEC: cd 2 && ./configure --zeek-dist=${DIST} && make + +# @TEST-EXEC: mkdir 3 +# @TEST-EXEC: cd 3 && ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Testing Plugin3 +# @TEST-EXEC: cp -r %DIR/plugin-load-dependency/3 . +# @TEST-EXEC: cd 3 && ./configure --zeek-dist=${DIST} && make + +# The following run will only work if Zeek loads plugin2 before plugin3 (which +# by alphabetical loading will be the case) +# @TEST-EXEC: ZEEK_PLUGIN_PATH=. zeek -b -N Testing::Plugin3 Testing::Plugin2 | grep -v Zeek:: | sort >> output +# +# @TEST-EXEC: echo >>output +# +# The following run will only work if Zeek loads plugin2 before plugin1 (which +# by alphabetical loading will not be the case). +# @TEST-EXEC: ZEEK_PLUGIN_PATH=. zeek -b -N Testing::Plugin1 Testing::Plugin2 | grep -v Zeek:: | sort >> output +# +# @TEST-EXEC: echo >>output +# +# Finally, try it with self-discovery of all three plugins too. +# @TEST-EXEC: ZEEK_PLUGIN_PATH=. zeek -N | grep -v Zeek:: | sort >> output +# +# @TEST-EXEC: btest-diff output diff --git a/testing/btest/plugins/plugin-load-dependency/.btest-ignore b/testing/btest/plugins/plugin-load-dependency/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 
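Review bot: Each `zeek -N ... | grep -v Zeek:: | sort >> output` step in plugin-load-dependency.zeek takes its exit status from `sort`, so a Zeek process that fails while loading a plugin does not fail the `@TEST-EXEC` line. The failure would then surface only as a baseline mismatch in `btest-diff output`, and sorting also discards the order of the `in PluginN` lines that the comments say the runs depend on. Writing Zeek's output to a file first, `zeek -b -N Testing::Plugin3 Testing::Plugin2 >raw3` followed by `grep -v Zeek:: raw3 | sort >>output`, lets the step fail on a non-zero exit (assuming Zeek returns one on a load error). A one-line comment that `ZEEK_PLUGIN_PATH=.` makes Zeek pick up every plugin under the test directory would also help readers.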
diff --git a/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.cc b/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.cc new file mode 100644 index 0000000000..76501c4bc9 --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.cc @@ -0,0 +1,23 @@ + +#include "Plugin.h" + +namespace btest::plugin::Testing_Plugin1 { Plugin plugin; } + +using namespace btest::plugin::Testing_Plugin1; + +extern void Plugin2_foo(); + +zeek::plugin::Configuration Plugin::Configure() + { + zeek::plugin::Configuration config; + config.name = "Testing::Plugin1"; + config.description = "Plugin1 has a load dependency on Plugin2"; + config.version.major = 1; + config.version.minor = 0; + config.version.patch = 0; + + printf("in Plugin1\n"); + Plugin2_foo(); + + return config; + } diff --git a/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.h b/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.h new file mode 100644 index 0000000000..18ccb8d319 --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/1/src/Plugin.h @@ -0,0 +1,17 @@ + +#pragma once + +#include + +namespace btest::plugin::Testing_Plugin1 { + +class Plugin : public zeek::plugin::Plugin +{ +protected: + // Overridden from zeek::plugin::Plugin. + zeek::plugin::Configuration Configure() override; +}; + +extern Plugin plugin; + +} diff --git a/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.cc b/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.cc new file mode 100644 index 0000000000..fd6a28155e --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.cc 
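Review bot: `Plugin::Configure()` in 1/src/Plugin.cc calls `printf` while the file includes only "Plugin.h", so it compiles only if that header happens to pull in the C stdio declarations; 2/src/Plugin.cc and 3/src/Plugin.cc do the same. Add `#include <cstdio>` to each. The bare `extern void Plugin2_foo();` is repeated in plugins 1 and 3 without explanation, and a comment such as `// Provided by Testing::Plugin2, which must be loaded for this symbol to resolve.` would record why it is left undefined here.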
@@ -0,0 +1,21 @@ + +#include "Plugin.h" + +namespace btest::plugin::Testing_Plugin2 { Plugin plugin; } + +using namespace btest::plugin::Testing_Plugin2; + +void Plugin2_foo() { + printf("in Plugin2\n"); +} + +zeek::plugin::Configuration Plugin::Configure() + { + zeek::plugin::Configuration config; + config.name = "Testing::Plugin2"; + config.description = "Plugin2 provides a load dependency for Plugin1 and Plugin3"; + config.version.major = 1; + config.version.minor = 0; + config.version.patch = 0; + return config; + } diff --git a/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.h b/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.h new file mode 100644 index 0000000000..8e9c69aecb --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/2/src/Plugin.h @@ -0,0 +1,17 @@ + +#pragma once + +#include + +namespace btest::plugin::Testing_Plugin2 { + +class Plugin : public zeek::plugin::Plugin +{ +protected: + // Overridden from zeek::plugin::Plugin. + zeek::plugin::Configuration Configure() override; +}; + +extern Plugin plugin; + +} diff --git a/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.cc b/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.cc new file mode 100644 index 0000000000..68d878ad55 --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.cc @@ -0,0 +1,23 @@ + +#include "Plugin.h" + +namespace btest::plugin::Testing_Plugin3 { Plugin plugin; } + +using namespace btest::plugin::Testing_Plugin3; + +extern void Plugin2_foo(); + +zeek::plugin::Configuration Plugin::Configure() + { + zeek::plugin::Configuration config; + config.name = "Testing::Plugin3"; + config.description = "Plugin3 has a load dependency on Plugin2"; + config.version.major = 1; + config.version.minor = 0; + config.version.patch = 0; + + printf("in Plugin3\n"); + Plugin2_foo(); + + return config; + } 
diff --git a/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.h b/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.h new file mode 100644 index 0000000000..b6b692f877 --- /dev/null +++ b/testing/btest/plugins/plugin-load-dependency/3/src/Plugin.h @@ -0,0 +1,17 @@ + +#pragma once + +#include + +namespace btest::plugin::Testing_Plugin3 { + +class Plugin : public zeek::plugin::Plugin +{ +protected: + // Overridden from zeek::plugin::Plugin. + zeek::plugin::Configuration Configure() override; +}; + +extern Plugin plugin; + +} diff --git a/testing/btest/plugins/protocol-plugin/CMakeLists.txt b/testing/btest/plugins/protocol-plugin/CMakeLists.txt index b8faa26ebd..53a50f3961 100644 --- a/testing/btest/plugins/protocol-plugin/CMakeLists.txt +++ b/testing/btest/plugins/protocol-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") diff --git a/testing/btest/plugins/reader-plugin/CMakeLists.txt b/testing/btest/plugins/reader-plugin/CMakeLists.txt index 0b92f3b0ca..f611ab6b80 100644 --- a/testing/btest/plugins/reader-plugin/CMakeLists.txt +++ b/testing/btest/plugins/reader-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") diff --git a/testing/btest/plugins/writer-plugin/CMakeLists.txt b/testing/btest/plugins/writer-plugin/CMakeLists.txt index 0b92f3b0ca..f611ab6b80 100644 --- a/testing/btest/plugins/writer-plugin/CMakeLists.txt +++ b/testing/btest/plugins/writer-plugin/CMakeLists.txt @@ -1,7 +1,7 @@ project(Zeek-Plugin-Demo-Foo) -cmake_minimum_required(VERSION 2.6.3) +cmake_minimum_required(VERSION 3.5) if ( NOT ZEEK_DIST ) message(FATAL_ERROR "ZEEK_DIST not set") 
diff --git a/testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek b/testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek new file mode 100644 index 0000000000..92db51858b --- /dev/null +++ b/testing/btest/scripts/base/frameworks/sumstats/manual-epoch-cluster.zeek 
@@ -0,0 +1,123 @@ +# @TEST-PORT: BROKER_PORT1 +# @TEST-PORT: BROKER_PORT2 +# @TEST-PORT: BROKER_PORT3 +# +# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT +# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT +# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT +# @TEST-EXEC: btest-bg-wait 30 + +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout + +@load base/frameworks/sumstats +@load base/frameworks/cluster + +@TEST-START-FILE cluster-layout.zeek +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT2")), $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT3")), $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +redef Log::default_rotation_interval = 0secs; + +global n = 0; +global did_data = F; + +event zeek_init() &priority=5 + { + local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE, SumStats::HLL_UNIQUE)]; + SumStats::create([$name="test", + $epoch=0secs, + $reducers=set(r1), + $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) = + { + if ( ! 
did_data ) return; + local r = result["test"]; + print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d - hllunique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique, r$hll_unique); + }, + $epoch_finished(ts: time) = + { + print "epoch finished", did_data; + if ( did_data ) + terminate(); + }]); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +global ready_for_data: event(); + +event ready_for_data() + { + if ( Cluster::node == "worker-1" ) + { + SumStats::observe("test", [$host=1.2.3.4], [$num=34]); + SumStats::observe("test", [$host=1.2.3.4], [$num=30]); + SumStats::observe("test", [$host=6.5.4.3], [$num=1]); + SumStats::observe("test", [$host=7.2.1.5], [$num=54]); + } + if ( Cluster::node == "worker-2" ) + { + SumStats::observe("test", [$host=1.2.3.4], [$num=75]); + SumStats::observe("test", [$host=1.2.3.4], [$num=30]); + SumStats::observe("test", [$host=1.2.3.4], [$num=3]); + SumStats::observe("test", [$host=1.2.3.4], [$num=57]); + SumStats::observe("test", [$host=1.2.3.4], [$num=52]); + SumStats::observe("test", [$host=1.2.3.4], [$num=61]); + SumStats::observe("test", [$host=1.2.3.4], [$num=95]); + SumStats::observe("test", [$host=6.5.4.3], [$num=5]); + SumStats::observe("test", [$host=7.2.1.5], [$num=91]); + SumStats::observe("test", [$host=10.10.10.10], [$num=5]); + } + + did_data = T; + } + +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + +event second_test() + { + print "Performing second epoch with overvations"; + local ret = SumStats::next_epoch("test"); + if ( ! ret ) + print "Return value false"; + } + +event send_ready_for_data() + { + print "Sending ready for data"; + event ready_for_data(); + } + + +event cont_test() + { + print "Performing first epoch, no observations"; + local ret = SumStats::next_epoch("test"); + if ( ! 
ret ) + print "Return value false"; + schedule 5secs { send_ready_for_data() }; + schedule 10secs { second_test() }; + } + +event zeek_init() &priority=100 + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } + +global peer_count = 0; + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + ++peer_count; + + if ( peer_count == 2 ) + event cont_test(); + } + +@endif diff --git a/testing/btest/scripts/base/frameworks/sumstats/manual-epoch.zeek b/testing/btest/scripts/base/frameworks/sumstats/manual-epoch.zeek new file mode 100644 index 0000000000..b99dbc63f6 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/sumstats/manual-epoch.zeek 
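Review bot: `second_test` in manual-epoch-cluster.zeek prints "Performing second epoch with overvations", a typo for "observations" that the baseline will then carry; the same string appears in manual-epoch.zeek. Change both to `print "Performing second epoch with observations";` and regenerate the baselines. In this file `global n = 0;` is never read and can be dropped. The manager also moves from `send_ready_for_data` to `second_test` on fixed `schedule 5secs` / `schedule 10secs` timers rather than on any acknowledgement from the workers, so a comment stating that assumption would help if the test proves flaky on loaded CI hosts.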
@@ -0,0 +1,60 @@ +# @TEST-EXEC: btest-bg-run standalone zeek -b %INPUT +# @TEST-EXEC: btest-bg-wait 15 +# @TEST-EXEC: btest-diff standalone/.stdout + +@load base/frameworks/sumstats + +redef exit_only_after_terminate=T; + +event second_test() + { + SumStats::observe("test.metric", [$host=1.2.3.4], [$num=5]); + SumStats::observe("test.metric", [$host=1.2.3.4], [$num=22]); + SumStats::observe("test.metric", [$host=1.2.3.4], [$num=94]); + SumStats::observe("test.metric", [$host=1.2.3.4], [$num=50]); + SumStats::observe("test.metric", [$host=1.2.3.4], [$num=50]); + + SumStats::observe("test.metric", [$host=6.5.4.3], [$num=2]); + SumStats::observe("test.metric", [$host=7.2.1.5], [$num=1]); + print "Performing second epoch with overvations"; + local ret = SumStats::next_epoch("test"); + if ( ! ret ) + print "Return value false"; + } + +event cont_test() + { + print "Performing first epoch, no observations"; + local ret = SumStats::next_epoch("test"); + if ( ! ret ) + print "Return value false"; + schedule 2secs { second_test() }; + } + +event zeek_init() &priority=5 + { + local r1: SumStats::Reducer = [$stream="test.metric", + $apply=set(SumStats::SUM, + SumStats::VARIANCE, + SumStats::AVERAGE, + SumStats::MAX, + SumStats::MIN, + SumStats::STD_DEV, + SumStats::UNIQUE, + SumStats::HLL_UNIQUE)]; + SumStats::create([$name="test", + $epoch=0secs, + $reducers=set(r1), + $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) = + { + local r = result["test.metric"]; + print fmt("Host: %s - num:%d - sum:%.1f - var:%.1f - avg:%.1f - max:%.1f - min:%.1f - std_dev:%.1f - unique:%d - hllunique:%d", key$host, r$num, r$sum, r$variance, r$average, r$max, r$min, r$std_dev, r$unique, r$hll_unique); + terminate(); + }, + $epoch_finished(ts: time) = + { + print "epoch_finished"; + }]); + + schedule 1secs { cont_test() }; + } diff --git a/testing/btest/scripts/base/utils/active-http.test b/testing/btest/scripts/base/utils/active-http.test index ff80dc5bf2..36f5ec9eab 100644 
--- a/testing/btest/scripts/base/utils/active-http.test +++ b/testing/btest/scripts/base/utils/active-http.test @@ -1,7 +1,7 @@ -# @TEST-REQUIRES: which python +# @TEST-REQUIRES: which python3 # @TEST-REQUIRES: which curl # -# @TEST-EXEC: btest-bg-run httpd python $SCRIPTS/httpd.py --max 2 --addr=127.0.0.1 +# @TEST-EXEC: btest-bg-run httpd python3 $SCRIPTS/httpd.py --max 2 --addr=127.0.0.1 # @TEST-EXEC: sleep 3 # @TEST-EXEC: btest-bg-run zeek zeek -b %INPUT # @TEST-EXEC: btest-bg-wait 15 diff --git a/testing/btest/scripts/base/utils/email.zeek b/testing/btest/scripts/base/utils/email.zeek index 5177ce8cb2..6d4838765f 100644 --- a/testing/btest/scripts/base/utils/email.zeek +++ b/testing/btest/scripts/base/utils/email.zeek @@ -19,3 +19,7 @@ s = "\"Smith, John\" , \"Doe, Jane\" " print extract_first_email_addr(s); print extract_email_addrs_vec(s); print extract_email_addrs_set(s); +s = "\"Smith, John\" ,\"Doe, Jane\" "; +print extract_first_email_addr(s); +print extract_email_addrs_vec(s); +print extract_email_addrs_set(s); diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index c7c8fe63b4..c8f696a656 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -96a87207c28441da667353eda00fe2266fa4f4cf +4abfe2f1152eeaac3dd715c95e87c7fa2c0e71bc diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index acea080ffa..ab344dce04 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -4e8c53c07ff70e693c7366bf05680744ca3110c4 +ca0c68813cf50f0a8e1d59c603ce1d6bd1e5df15 diff --git a/testing/scripts/coverage-calc b/testing/scripts/coverage-calc index 3645f57144..016cfff5c4 100755 --- a/testing/scripts/coverage-calc +++ b/testing/scripts/coverage-calc 
@@ -1,4 +1,4 @@ -#! /usr/bin/env python +#! /usr/bin/env python3 # This script aggregates many files containing Zeek script coverage information # into a single file and reports the overall coverage information. Usage: diff --git a/testing/scripts/httpd.py b/testing/scripts/httpd.py index 3576f09d1a..7ecfb636e9 100755 --- a/testing/scripts/httpd.py +++ b/testing/scripts/httpd.py @@ -1,11 +1,6 @@ -#! /usr/bin/env python +#! /usr/bin/env python3 -try: - # Python 2 - import BaseHTTPServer -except ImportError: - # Python 3 - import http.server as BaseHTTPServer +import http.server as BaseHTTPServer class MyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): diff --git a/zeek-config.in b/zeek-config.in index dea1c37411..7c8e58d723 100755 --- a/zeek-config.in +++ b/zeek-config.in @@ -5,6 +5,7 @@ build_type=@CMAKE_BUILD_TYPE_LOWER@ prefix=@CMAKE_INSTALL_PREFIX@ script_dir=@ZEEK_SCRIPT_INSTALL_PATH@ site_dir=@ZEEK_SCRIPT_INSTALL_PATH@/site +lib_dir=@CMAKE_INSTALL_FULL_LIBDIR@ plugin_dir=@BRO_PLUGIN_INSTALL_PATH@ config_dir=@ZEEK_ETC_INSTALL_DIR@ python_dir=@PY_MOD_INSTALL_DIR@ @@ -24,7 +25,7 @@ include_dir=${include_dir}:@ZEEK_CONFIG_LibKrb5_INCLUDE_DIR@ include_dir=${include_dir}:@ZEEK_CONFIG_GooglePerftools_INCLUDE_DIR@ usage="\ -Usage: zeek-config [--version] [--build_type] [--prefix] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--include_dir] [--cmake_dir] [--zeekpath] [--zeek_dist] [--binpac_root] [--caf_root] [--broker_root]" +Usage: zeek-config [--version] [--build_type] [--prefix] [--lib_dir] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--include_dir] [--cmake_dir] [--zeekpath] [--zeek_dist] [--binpac_root] [--caf_root] [--broker_root]" if [ $# -eq 0 ] ; then echo "${usage}" 1>&2 
@@ -38,14 +39,44 @@ while [ $# -ne 0 ]; do esac case $1 in - --version) - echo $version + --binpac_root) + echo $binpac_root + ;; + --bro_dist) # For compatibility with legacy Bro plugins. + echo $zeek_dist + ;; + --broker_root) + echo $broker_root + ;; + --bropath) # For compatibility with legacy Bro plugins. + echo $zeekpath + ;; + --build_type) + echo $build_type + ;; + --caf_root) + echo $caf_root + ;; + --cmake_dir) + echo $cmake_dir + ;; + --config_dir) + echo $config_dir + ;; + --include_dir) + echo $include_dir + ;; + --lib_dir) + echo $lib_dir + ;; + --plugin_dir) + echo $plugin_dir ;; --prefix) echo $prefix ;; - --build_type) - echo $build_type + --python_dir) + echo $python_dir ;; --script_dir) echo $script_dir @@ -53,41 +84,14 @@ while [ $# -ne 0 ]; do --site_dir) echo $site_dir ;; - --plugin_dir) - echo $plugin_dir - ;; - --config_dir) - echo $config_dir - ;; - --python_dir) - echo $python_dir - ;; - --cmake_dir) - echo $cmake_dir - ;; - --include_dir) - echo $include_dir - ;; - --bropath) # For compatibility with legacy Bro plugins. - echo $zeekpath - ;; - --zeekpath) - echo $zeekpath - ;; - --bro_dist) # For compatibility with legacy Bro plugins. - echo $zeek_dist + --version) + echo $version ;; --zeek_dist) echo $zeek_dist ;; - --binpac_root) - echo $binpac_root - ;; - --caf_root) - echo $caf_root - ;; - --broker_root) - echo $broker_root + --zeekpath) + echo $zeekpath ;; *) echo "${usage}" 1>&2
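Review bot: The new `--lib_dir` case in zeek-config.in prints its value with an unquoted `echo $lib_dir`, so a libdir containing whitespace or glob characters is word-split or expanded before it reaches the caller, which presumably captures it with command substitution in a build script. Quote it as `echo "$lib_dir"`. The cases this hunk re-sorts (`--plugin_dir`, `--python_dir`, `--include_dir` and the others) have the same form and could be quoted in the same pass. The enclosing `while` loop starts outside the hunk.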