diff --git a/.cirrus.yml b/.cirrus.yml
index 1323ce8e95..40af078b21 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -10,7 +10,7 @@ btest_jobs: &BTEST_JOBS 4
 btest_retries: &BTEST_RETRIES 2
 memory: &MEMORY 16GB
-config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
+config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror -D FETCHCONTENT_FULLY_DISCONNECTED:BOOL=ON
 no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 binary_config: &BINARY_CONFIG --prefix=$CIRRUS_WORKING_DIR/install --libdir=$CIRRUS_WORKING_DIR/install/lib --binary-package --enable-static-broker --enable-static-binpac --disable-broker-tests --build-type=Release --ccache --enable-werror
@@ -35,8 +35,7 @@ macos_environment: &MACOS_ENVIRONMENT
 freebsd_resources_template: &FREEBSD_RESOURCES_TEMPLATE
   cpu: 8
-  # Not allowed to request less than 8GB for an 8 CPU FreeBSD VM.
-  memory: 8GB
+  memory: *MEMORY
   # For greediness, see https://medium.com/cirruslabs/introducing-greedy-container-instances-29aad06dc2b4
   greedy: true
@@ -67,6 +66,12 @@ skip_task_on_pr: &SKIP_TASK_ON_PR
   skip: >
     ($CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ '.*fullci.*')
+zam_skip_task_on_pr: &ZAM_SKIP_TASK_ON_PR
+  # Skip this task on PRs if it does not have the fullci or zamci label,
+  # it continues to run for direct pushes to master/release.
+  skip: >
+    ($CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ '.*fullci.*' && $CIRRUS_PR_LABELS !=~ '.*zamci.*')
+
+benchmark_only_if_template: &BENCHMARK_ONLY_IF_TEMPLATE
   # only_if condition for cron-triggered benchmarking tests.
   # These currently do not run for release/.*
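Review bot: `-D FETCHCONTENT_FULLY_DISCONNECTED:BOOL=ON` is appended only to the `CONFIG` anchor in the @@ -10 hunk; the `NO_SPICY_CONFIG`, `STATIC_CONFIG` and `BINARY_CONFIG` anchors on the next three lines still let CMake's FetchContent reach the network during configure, so tasks using them keep a build-time dependency on remote sources that this change removes for the default build. If the intent is that all CI builds consume only vendored/submodule sources, the same flag belongs on the other three anchors, or in a shared anchor they all reference. A short comment above `config:` stating that intent would also make the flag's purpose clear to the next person editing these lines.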
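Review bot: The @@ -35 hunk drops the only note recording that an 8-CPU FreeBSD VM cannot request less than 8GB; `memory: *MEMORY` resolves to 16GB via the anchor in the @@ -10 hunk, so the task is fine today, but lowering `&MEMORY` later would break the FreeBSD task with nothing nearby explaining why. Keep a one-line comment above the new line, e.g. `# FreeBSD VMs with 8 CPUs must request at least 8GB; *MEMORY satisfies that.`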
@@ -389,6 +394,21 @@ asan_sanitizer_task:
     # Use absolute paths for coverage files.
     CCACHE_BASEDIR:
+# ASAN task executing btests with zam alternative.
+asan_sanitizer_zam_task:
+  container:
+    dockerfile: ci/ubuntu-24.04/Dockerfile
+    << : *RESOURCES_TEMPLATE
+
+  << : *CI_TEMPLATE
+  env:
+    ZEEK_CI_CONFIGURE_FLAGS: *ASAN_SANITIZER_CONFIG
+    ASAN_OPTIONS: detect_leaks=1:detect_odr_violation=0
+    ZEEK_CI_SKIP_UNIT_TESTS: 1
+    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
+    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
+  << : *ZAM_SKIP_TASK_ON_PR
+
 ubsan_sanitizer_task:
   container:
     # Just uses a recent/common distro to run undefined behavior checks.
@@ -406,6 +426,23 @@ ubsan_sanitizer_task:
     ZEEK_TAILORED_UB_CHECKS: 1
     UBSAN_OPTIONS: print_stacktrace=1
+ubsan_sanitizer_zam_task:
+  container:
+    dockerfile: ci/ubuntu-24.04/Dockerfile
+    << : *RESOURCES_TEMPLATE
+
+  << : *CI_TEMPLATE
+  env:
+    CC: clang-18
+    CXX: clang++-18
+    ZEEK_CI_CONFIGURE_FLAGS: *UBSAN_SANITIZER_CONFIG
+    ZEEK_TAILORED_UB_CHECKS: 1
+    UBSAN_OPTIONS: print_stacktrace=1
+    ZEEK_CI_SKIP_UNIT_TESTS: 1
+    ZEEK_CI_SKIP_EXTERNAL_BTESTS: 1
+    ZEEK_CI_BTEST_EXTRA_ARGS: -a zam
+  << : *ZAM_SKIP_TASK_ON_PR
+
 tsan_sanitizer_task:
   container:
     # Just uses a recent/common distro to run memory error/leak checks.
diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
index be60b0cc9f..49b04394f7 100644
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@@ -17,7 +17,7 @@ jobs:
     permissions:
       contents: write # for Git to git push
     if: github.repository == 'zeek/zeek'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # We only perform a push if the action was triggered via a schedule
diff --git a/.typos.toml b/.typos.toml
index dfa60bd504..d162b1d842 100644
--- a/.typos.toml
+++ b/.typos.toml
@@ -30,6 +30,7 @@ extend-ignore-re = [
     "\"BaR\"",
     "\"xFoObar\"",
     "\"FoO\"",
+    "Steve Smoot",
 ]
 extend-ignore-identifiers-re = [
diff --git a/CHANGES b/CHANGES
index 55d064321b..7307571637 100644
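Review bot: asan_sanitizer_zam_task appears to copy the body of asan_sanitizer_task (whose env block is only partly visible here) and differ only in the three `ZEEK_CI_*` variables and the skip anchor; ubsan_sanitizer_zam_task in the @@ -406 hunk does the same, duplicating `CC`/`CXX`, `ZEEK_TAILORED_UB_CHECKS` and `UBSAN_OPTIONS`. When the sanitizer options are tuned in one task the ZAM twin will silently drift, so a shared `&ASAN_ENV` / `&UBSAN_ENV` anchor merged with `<< :` into both env blocks would keep them in step. Failing that, a comment on each ZAM task such as `# Must mirror asan_sanitizer_task except for the ZEEK_CI_* overrides.` at least makes the coupling visible.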
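Review bot: The generate-docs.yml hunk pins `runs-on: ubuntu-22.04` without recording why, so nobody will know when it is safe to return to `ubuntu-latest`. The CHANGES entries in this diff mention repeated fixes to Python package installation in the docs job, which is presumably the motivation; a one-line comment above the pin, e.g. `# Pinned because the docs tooling's Python package install broke on newer images; revisit before 22.04 is retired.` (adjusted to the actual cause), would preserve that context.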
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,564 @@ +7.0.5 | 2024-12-16 11:12:33 -0700 + + * Update CHANGES, VERSION, and NEWS for 7.0.5 release (Tim Wojtulewicz, Corelight) + +7.0.4-10 | 2024-12-16 10:21:46 -0700 + + * QUIC/decrypt_crypto: Actually check if decryption was successful (Arne Welzel, Corelight) + + ...and bail if it wasn't. + + PCAP was produced using OSS-Fuzz input from issue 383379789. + + * QUIC/decrypt_crypto: Limit payload_length to 10k (Arne Welzel, Corelight) + + Given we dynamically allocate memory for decryption, employ a limit + that is unlikely to be hit, but allows for large payloads produced + by the fuzzer or jumbo frames. + + * QUIC/decrypt_crypto: Fix decrypting into too small stack buffer (Arne Welzel, Corelight) + + A QUIC initial packet larger than 1500 bytes could lead to crashes + due to the usage of a fixed size stack buffer for decryption. + + Allocate the necessary memory dynamically on the heap instead. + +7.0.4-5 | 2024-12-13 12:25:43 -0700 + + * fix for memory management associated with ZAM table iteration (Vern Paxson, Corelight) + + (cherry picked from commit 805e9db58840671c866c85461ad88198eeeec967) + +7.0.4-4 | 2024-12-12 13:12:30 -0700 + + * Fix ZAM's implementation of Analyzer::name() BiF (Christian Kreibich, Corelight) + + (cherry picked from commit e100a8e698d1dba0fc339eae800d13b298e55d46) + +7.0.4-3 | 2024-12-12 13:04:44 -0700 + + * GH-4052: More robust memory management for ZAM execution - fixes #4052 (Vern Paxson, Corelight) + + (cherry picked from commit c3b30b187e44de593d0ec685dc313e6aa10ff5e5) + +7.0.4-2 | 2024-12-12 12:44:36 -0700 + + * Bump zeekjs to v0.14.0 (Arne Welzel, Corelight) + 79b0c21 version: 0.14.0 + b75b384 docker: Use Fedora 41 packages + d65cbc8 Minor header cleanup + 4fd7e8b scripts: Remove __preload__.zeek and types.zeek + 93a8113 CreateEnvironment: Unset kOwnsProcessState and kOwnsInspector + 3b1f5d3 Instance::Init(): Replace parameters with Options struct + + (cherry picked from commit 
aac640ebffdd58b1e25e42eee538b7c8669b1dd4) + + * Fix documentation for `have_spicy` [skip CI] (Benjamin Bannier, Corelight) + + The continued line was incorrectly marked up (as a plain comment instead + of a Zeekygen comment) which caused only half of the docstring to be + rendered by Zeekygen. + + (cherry picked from commit 4a96d34af6fe68bad6afe12dffff6bd795e6b4b1) + +7.0.4 | 2024-11-19 12:31:05 -0700 + + * Update CHANGES, VERSION, and NEWS for 7.0.4 release (Tim Wojtulewicz, Corelight) + +7.0.3-27 | 2024-11-19 11:19:00 -0700 + + * Bump zeekjs to 0.13.2 (Arne Welzel, Corelight) + + (cherry picked from commit 6e916efe8d9470cdca7b4f4933c44b8c1cab66b0) + +7.0.3-26 | 2024-11-19 10:56:06 -0700 + + * Merge remote-tracking branch 'origin/topic/timw/speed-up-zam-ci-testing' (Tim Wojtulewicz, Corelight) + + * origin/topic/timw/speed-up-zam-ci-testing: + CI: Use test.sh script for running ZAM tests, but disable parts of it + + (cherry picked from commit d9a74680e08553b34cb164847f61b0ea00ad1f5f) + +7.0.3-24 | 2024-11-19 09:32:54 -0700 + + * account for spaces encoding to plus signs in sqli regex detection (Cooper Grill) + + (cherry picked from commit 5200b84fb3ce6c19e9d114b3d8fb0d964639446d) + +7.0.3-23 | 2024-11-14 19:06:56 -0700 + + * btest: Skip core.script-args under TSAN (Arne Welzel, Corelight) + + (cherry picked from commit 159f40a4bff10e7000cb5f5c8a08c6d2b236baef) + + * Disable core.expr-execption btest under ZAM to fix CI builds (Tim Wojtulewicz, Corelight) + + * Fix ubsan warning with ZAM and mmdb btest (Tim Wojtulewicz) + +7.0.3-19 | 2024-11-14 12:15:54 -0700 + + * ci: Add asan and ubsan sanitizer tasks for ZAM (Arne Welzel, Corelight) + + (cherry picked from commit 8945b2b186e633f1f7c3a07f9e343da278c037ec) + +7.0.3-18 | 2024-11-14 12:13:59 -0700 + + * policy/community-id: Populate conn$community_id in new_connection() (Arne Welzel, Corelight) + + This wasn't possible before #3028 was fixed, but now it's safe to set + the value in new_connection() and allow other 
users access to the + field much earlier. We do not have to deal with connection_flipped() + because the community-id hash is symmetric. + + (cherry picked from commit d3579c1f34fa679ac05df6f1f2cfbe11fc77b328) + + * Update zeekjs submodule to latest tagged version (Tim Wojtulewicz, Corelight) + + This picks up the changes to support Node.js v22.11.0. + +7.0.3-16 | 2024-11-14 11:57:54 -0700 + + * GH-4006: Fix nullptr deref in Spicy accept/decline input (Evan Typanski, Corelight) + + (cherry picked from commit 1d38c310719088ca0e9610ec8458fe4cf8e4a318) + +7.0.3-15 | 2024-11-14 11:56:06 -0700 + + * Fix potential nullptr deref in Spicy plugin runtime (Benjamin Bannier, Corelight) + + If we added a file but the other side of the connection had already run + into a protocol violation and shut down we could previously have + dereferenced a null cookie. This patch fixes the code so it now throws + in such scenarios. + + (cherry picked from commit 2e8d6e86e75bc7b0c7be67ab9c38738a1318f6ff) + + * Assume no Spicy cookie in most places (Benjamin Bannier, Corelight) + + We would previously assert that it was available which could have lead + to aborts since when the analyzer for either side of a connection shuts + down the connection cookie could get cleared and become nil. This patch + reworks the code slightly so we now never assume it is available. We do + this by either throwing or by making the whole operation requesting the + cookie a noop. + + (cherry picked from commit 2e8d6e86e75bc7b0c7be67ab9c38738a1318f6ff) + +7.0.3-14 | 2024-11-14 11:52:34 -0700 + + * Fix up minor warnings in touched files (Evan Typanski, Corelight) + + (cherry picked from commit 36af0591a6f2c7270c68deaee4c4d733fa4086b1) + + * Fix Clang 19 deprecation failure (Evan Typanski, Corelight) + + Clang 19 with libc++ started failing to compile because the default + implementation of `std::char_traits` was removed, making uses of + `std::char_traits` invalid. 
This was more of used for + convenience before, but it should be roughly the same behavior with + `char`. + + (cherry picked from commit 985f4f7c725ae1a9f85dbc112e5bc340a34a034b) + +7.0.3-12 | 2024-11-14 11:33:09 -0700 + + * GH-3978: Bump zeekjs to 0.12.1 (Arne Welzel, Corelight) + 7ec0953 ci: Bump actions/upload-artifact + 8e5914d ci/docker: Bump distros, update some OBS repos + 129b737 Fix crash during shutdown + + (cherry picked from commit d74b073852b748aca7793f557f0a5378cb30ca19) + +7.0.3-11 | 2024-11-14 11:31:35 -0700 + + * GH-3962: Prevent non-Modbus on port 502 to be reported as Modbus (Emmanuele Zambon) + + This commit prevents most non-Modbus TCP traffic on port 502 to be + reported as Modbus in conn.log as well as in modbus.log. + To do so, we have introduced two &enforce checks in the Modbus + protocol definition that checks that some specific fields of the + (supposedly) Modbus header are compatible with values specified in + the specs. + + (cherry picked from commit 4763282f36d13808b58948cc378a7df00201c9f5) + +7.0.3-10 | 2024-11-14 11:30:00 -0700 + + * GH-3957: input/Raw: Rework GetLine() (Arne Welzel, Corelight) + + (cherry picked from commit 2a23e9fc1962419e41133689c2a682455d24e35e) + + * GH-215: POP3: Rework unbounded pending command fix (Arne Welzel, Corelight) + + (cherry picked from commit 2a23e9fc1962419e41133689c2a682455d24e35e) + +7.0.3-9 | 2024-11-14 10:21:55 -0700 + + * import of GH-4022 BTest additions (Vern Paxson, Corelight) + ZAM baseline update + + * fix for setting object locations to avoid use-after-free situation (Vern Paxson, Corelight) + + * fixes for script optimization of coerce-to-any expressions (Vern Paxson, Corelight) + + * porting of GH-4022 (Vern Paxson, Corelight) + + * porting of GH-4016 (Vern Paxson, Corelight) + + * porting of GH-4013 (Vern Paxson, Corelight) + + * fixed access to uninitialized memory in ZAM's "cat" built-in (Vern Paxson, Corelight) + +7.0.3-1 | 2024-10-18 17:15:02 -0700 + + * Merge remote-tracking 
branch 'origin/topic/bbannier/fix-docs-ci-again' (Christian Kreibich, Corelight) + + * origin/topic/bbannier/fix-docs-ci-again: + Fix installation of Python packages in generate docs CI job again + + (cherry picked from commit c28442a9a178b735e3fe1b5f5938f922a5aa7a66) + +7.0.3 | 2024-10-04 15:42:14 -0700 + + * Update CHANGES, VERSION, and NEWS for 7.0.3 release (Christian Kreibich, Corelight) + +7.0.2-5 | 2024-10-04 10:46:01 -0700 + + * Merge remote-tracking branch 'security/topic/awelzel/215-pop3-mail-null-deref' (Christian Kreibich, Corelight) + + * security/topic/awelzel/215-pop3-mail-null-deref: + POP3: Rework unbounded pending command fix + + (cherry picked from commit 7fea32c6edc5d4d14646366f87c9208c8c9cf555) + +7.0.2-4 | 2024-10-04 10:28:13 -0700 + + * Update docs submodule [nomail] [skip ci] (Christian Kreibich, Corelight) + +7.0.2-3 | 2024-10-04 09:54:48 -0700 + + * Bump auxil/spicy to latest release (Benjamin Bannier, Corelight) + + * Install procps in OpenSuse Leap images (Benjamin Bannier, Corelight) + + (cherry picked from commit a27066e3fc58d70401359887fcf34bd0bb83d433) + +7.0.2 | 2024-09-23 12:01:55 -0700 + + * pop3: Remove unused headers (Arne Welzel, Corelight) + + (cherry picked from commit 702fb031a4ea2b00364d6a7321384a45551ce3a2) + + * pop3: Prevent unbounded state growth (Arne Welzel, Corelight) + + The cmds list may grow unbounded due to the POP3 analyzer being in + multiLine mode after seeing `AUTH` in a Redis connection, but never + a `.` terminator. This can easily be provoked by the Redis ping + command. + + This adds two heuristics: 1) Forcefully process the oldest commands in + the cmds list and cap it at max_pending_commands. 2) Start raising + analyzer violations if the client has been using more than + max_unknown_client_commands commands (default 10). 
+ + (cherry picked from commit 702fb031a4ea2b00364d6a7321384a45551ce3a2) + + * btest/pop3: Add somewhat more elaborate testing (Arne Welzel, Corelight) + + PCAP taken from here: https://tranalyzer.com/tutorial/pop and reference + added to Traces/README. + + (cherry picked from commit 702fb031a4ea2b00364d6a7321384a45551ce3a2) + +7.0.1-6 | 2024-09-23 10:01:55 -0700 + + * Remove core.negative-time btest (Tim Wojtulewicz, Corelight) + + This test is failing with libpcap libpcap 1.10.5; for more information + see https://github.com/zeek/zeek/issues/3921 + + (cherry picked from commit 899f7297d7b8c83ef2640e7cf40d3f230e42cc6b) + + * Update broker submodule (Arne Welzel, Corelight) + + ...to pin prometheus to 1.2.4 + + (cherry picked from commit f24bc1ee882b3b266ca9dc325a1b5584addb155e) + + * telemetry: Move callbacks to Zeek (Arne Welzel, Corelight) + + Now that we run callbacks on the main loop, we can move callback support + for Counter and Gauge instances directly into Zeek and don't need to patch + prometheus-cpp anymore. + + (cherry picked from commit f24bc1ee882b3b266ca9dc325a1b5584addb155e) + + * auxil/prometheus-cpp: Pin to 1.2.4 (Arne Welzel, Corelight) + + (cherry picked from commit f24bc1ee882b3b266ca9dc325a1b5584addb155e) + + * btest/ldap: Add regression test for #3919 (Arne Welzel, Corelight) + + This works as expected in master, it's just that we forgot to backport + PR #3845 to 7.0.1. Add the PCAP from Martin anyhow. + + (cherry picked from commit a339cfa4c007762c6fbb16a35576220851fe4a82) + + * GH-3853: ldap: Recognize SASL+SPNEGO+NTLMSSP (Arne Welzel, Corelight) + + The ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap file was harvested + from the CTU-SME-11 (Experiment-VM-Microsoft-Windows7AD-1) dataset + at https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258). 
+ + (cherry picked from commit 152bbbd680e6c329255dc28d57cd506e7d2c09ff) + + * Bump auxil/spicy to latest release (Benjamin Bannier, Corelight) + +7.0.1 | 2024-09-03 13:04:23 -0700 + + * Update CHANGES, VERSION, and NEWS for 7.0.1 release (Tim Wojtulewicz, Corelight) + + * Update zeek-aux submodule to pick up zeek-archiver permissions fix (Tim Wojtulewicz, Corelight) + +7.0.0-14 | 2024-09-03 09:02:19 -0700 + + * Bump auxil/spicy to latest release (Benjamin Bannier, Corelight) + +7.0.0-11 | 2024-08-30 12:38:59 -0700 + + * Spicy: Register well-known ports through an event handler. (Robin Sommer, Corelight) + + This avoids the earlier problem of not tracking ports correctly in + scriptland, while still supporting `port` in EVT files and `%port` in + Spicy files. + + As it turns out we are already following the same approach for file + analyzers' MIME types, so I'm applying the same pattern: it's one + event per port, without further customization points. That leaves the + patch pretty small after all while fixing the original issue. + + (cherry picked from commit a2079bcda6e40180b888240a281c12cc0ca735be) + + * Revert "Remove deprecated port/ports fields for spicy analyzers" (Robin Sommer, Corelight) + + This reverts commit 15d404dd191a723960e4efd956eec22739d3f1c2. + + (cherry picked from commit a2079bcda6e40180b888240a281c12cc0ca735be) + +7.0.0-9 | 2024-08-30 11:47:39 -0700 + + * ldap: Promote uint8 to uint64 before shifting (Arne Welzel, Corelight) + + (cherry picked from commit 97fa7cdc0a49869ee6605fac9cfc15f11d8c855b) + + * ldap: Add heuristic for wrap tokens (Arne Welzel, Corelight) + + Instead of dissecting the GSSAPI handshake, add another heuristic + into MaybeEncrypted to check for the WRAP token identifier. 
+ + After this change, the pcap on the following ticket is processed + nicely: https://gitlab.com/wireshark/migration-test/-/issues/9398 + + (cherry picked from commit 6a6a5c3d0d60a1d4d32ba2173c035023c29fbf1d) + + * ldap: Ignore ec/rrc for sealed wrap tokens (Arne Welzel, Corelight) + + It shouldn't matter for the encrypted payload that we'll + just consume and ignore. + + (cherry picked from commit 6a6a5c3d0d60a1d4d32ba2173c035023c29fbf1d) + + * ldap: Add LDAP sample with SASL-SRP mechanism (Arne Welzel, Corelight) + + This is what @dopheide-esnet actually saw. Produced with a custom + cyrus-sasl and openldap build :-( + + (cherry picked from commit 6a6a5c3d0d60a1d4d32ba2173c035023c29fbf1d) + + * ldap: Reintroduce encryption after SASL heuristic (Arne Welzel, Corelight) + + @dopheide-esnet provided sample captures where SASL SRP is used as + a SASL mechanism and the follow-up LDAP messages are encrypted. It's + not clear how to determine whether encryption will or will not happen, + so re-add a heuristic to determine this based on the first byte of + the first message *after* the successful bindResponse handshake. If + that byte is 0x30, assume cleartext. + + I haven't been able to produce such pcaps, unfortunately, but the + cleartext path is tested via the existing sasl-ntlm.pcap. + + (cherry picked from commit 6a6a5c3d0d60a1d4d32ba2173c035023c29fbf1d) + + * ldap: Fix assuming GSS-SPNEGO for all bindResponses (Arne Welzel, Corelight) + + In retrospect that's an obvious bug. + + (cherry picked from commit 6a6a5c3d0d60a1d4d32ba2173c035023c29fbf1d) + + * ldap: Implement extended request/response and StartTLS support (Arne Welzel, Corelight) + + PCAP was produced with a local OpenLDAP server configured to support StartTLS. + + This puts the Zeek calls into a separate ldap_zeek.spicy file/module + to separate it from LDAP. 
+ + (cherry picked from commit 6a6a5c3d0d60a1d4d32ba2173c035023c29fbf1d) + + * ldap: Remove MessageWrapper with magic 0x30 searching (Arne Welzel, Corelight) + + This unit implements a heuristic to search for the 0x30 sequence + byte if Message couldn't readily be parsed. Remove it with the + idea of explicit and predictable support for SASL mechanisms. + + (cherry picked from commit 2ea3a651bd83b0dfa15924417e4667241531b57b) + + * ldap: Harden parsing a bit (Arne Welzel, Corelight) + + ASN1Message(True) may go off parsing arbitrary input data as + "something ASN.1" This could be GBs of octet strings or just very + long sequences. Avoid this by open-coding some top-level types expected. + + This also tries to avoid some of the &parse-from usages that result + in unnecessary copies of data. + + Adds a locally generated PCAP with addRequest/addResponse that we + don't currently handle. + + (cherry picked from commit 2ea3a651bd83b0dfa15924417e4667241531b57b) + + * ldap: Handle integrity-only KRB wrap tokens (Arne Welzel, Corelight) + + Mostly staring at the PCAPs and opened a few RFCs. For now, only if the + MS_KRB5 OID is used and accepted in a bind response, start stripping + KRB5 wrap tokens for both, client and server traffic. + + Would probably be nice to forward the GSS-API data to the analyzer... + + (cherry picked from commit 2ea3a651bd83b0dfa15924417e4667241531b57b) + + * http: fix password capture when enabled (Pierre Lalet) + + The current implementation would only log, if the password contains a + colon, the part before the first colon (e.g., the password + `password:password` would be logged as `password`). + + (cherry picked from commit c27e18631c5d9c6f04c230bd421c9750a1f02342) + + * Analyzer: Do not add child analyzers when finished (Arne Welzel, Corelight) + + Depending on an analyzer's implementation, its Done() method may + attempt to access analyzer or connection state when executing. 
+ When this happens in the destructor of the parent analyzer during + the process of destructing a connection, this state may have been + deleted, resulting in use-after-free crashes or worse memory + corruption. + + The following cases have been observed in the wild for when this happens. + + * PIA matching during Done() for undelivered TCP data enables a Spicy + based analyzer which in turn attempts to raise an analyzer violation + during Done()->EndOfData(). + + * Spicy analyzers attaching new analyzers during their Done() processing + which in turn attempt to use TCP() (to call FindChild()) during Done() + while the analyzer tree / connection is being destructed. + + The second scenario was previously found to happen in the HTTP analyzer + and fixed with 6ef9423f3cff13e6c73f97eb6a3a27d6f64cc320. + + Plug these scenarios by short-circuiting AddChildAnalyzer() if the analyzer + or connection have finished or are being finished. + + (cherry picked from commit 45b33bf5c17d5e8cf6c777a9bd57e4a803dfad19) + + * TCP_Reassembler: Fix IsOrig() position in Match() call (Arne Welzel, Corelight) + + Found during a debug session with @rsmmr. Undelivered TCP data + would only be matched for the responder and eol set to IsOrig(). + + (cherry picked from commit 4a4cbf25765f387f0aa20277afd133918292b9c4) + + * Process metric callbacks from the main-loop thread (Tim Wojtulewicz, Corelight) + + This avoids the callbacks from being processed on the worker thread + spawned by Civetweb. It fixes data race issues with lookups involving + global variables, amongst other threading issues. + + (cherry picked from commit 3c3853dc7da9aad94a9b2d5a143cc7bd9476ea7a) + + * CI: Use 16GB of memory for FreeBSD builds (Tim Wojtulewicz, Corelight) + + (cherry picked from commit 9d9cc51e9dd93668cd332aa1aef283c9dc23a677) + +7.0.0 | 2024-07-31 09:37:03 -0700 + + * Release 7.0.0. 
+ +7.0.0-rc4.4 | 2024-07-31 09:36:51 -0700 + + * Allowlist a name for typos check (Benjamin Bannier, Corelight) + + * Bump Spicy to latest release (Benjamin Bannier, Corelight) + +7.0.0-rc4 | 2024-07-26 10:12:34 -0700 + + * Bump auxil/spicy to latest development snapshot (Benjamin Bannier, Corelight) + + This in particular pulls in a fix for zeek/spicy#1808. + + (cherry picked from commit 4c0c7581c835b4dcd5339a4b34c2b82fcfc40dc3) + +7.0.0-rc3 | 2024-07-25 10:52:29 -0700 + + * Generate docs for 7.0.0-rc3 (Tim Wojtulewicz) + + * Bump zeek-testing-cluster to reflect deprecation of prometheus.zeek (Christian Kreibich, Corelight) + + (cherry picked from commit 146cf99ff62d729705c155b44199a674911ade09) + + * Update 7.0 NEWS with blurb about multi-PDU parsing causing increased load [nomail] [skip ci] (Tim Wojtulewicz, Corelight) + + (cherry picked from commit bd208f4c54f66074315479071c810d792e69f96b) + + * Fix handling of zero-length SMB2 error responses (Tim Wojtulewicz, Corelight) + + (cherry picked from commit bd208f4c54f66074315479071c810d792e69f96b) + + * Update Mozilla CA list and CT list (Johanna Amann, Corelight) + + (cherry picked from commit cb88f6316c7341da7a2af397932a145be3a0cc29) + + * Bump auxil/spicy to latest development snapshot (Benjamin Bannier, Corelight) + + (cherry picked from commit da7c3d91385195a7a4ba957e46743bc52a9d4ecb) + +7.0.0-rc2.7 | 2024-07-24 17:00:51 -0700 + + * Add contributors to 7.0.0 NEWS entry (Christian Kreibich, Corelight) + + * telemetry: Deprecate prometheus.zeek policy script (Arne Welzel, Corelight) + + * Update broker submodule [nomail] (Tim Wojtulewicz, Corelight) + +7.0.0-rc2 | 2024-07-18 14:31:49 -0700 + + * Bump zeek-testing-cluster to pull in tee SIGPIPE fix (Christian Kreibich, Corelight) + + (cherry picked from commit b51a46f94d4012119fd27d5e46328c70af7270a2) + + * CI: Set FETCH_CONTENT_FULLY_DISCONNECTED flag for configure (Tim Wojtulewicz, Corelight) + + * Update broker and cmake submodules [nomail] (Tim Wojtulewicz, 
Corelight)
+
+  * Fix warning about grealpath when running 'make dist' on Linux (Tim Wojtulewicz, Corelight)
+
+    (cherry picked from commit e4716b6c912f86cf6b2afd6979c38667c45add95)
+
+7.0.0-rc1 | 2024-07-11 12:21:02 -0700
+
+  * Updating submodule(s) [nomail] (Tim Wojtulewicz, Corelight)
+
 7.0.0-dev.467 | 2024-07-11 12:14:52 -0700
   * Update the scripts.base.frameworks.telemetry.internal-metrics test (Christian Kreibich, Corelight)
diff --git a/Makefile b/Makefile
index 5c0f8a4b97..394a77ab8e 100644
--- a/Makefile
+++ b/Makefile
@@ -9,7 +9,7 @@ BUILD=build
 REPO=$$(cd $(CURDIR) && basename $$(git config --get remote.origin.url | sed 's/^[^:]*://g'))
 VERSION_FULL=$(REPO)-$$(cd $(CURDIR) && cat VERSION)
 GITDIR=$$(test -f .git && echo $$(cut -d" " -f2 .git) || echo .git)
-REALPATH=$$($$(realpath --relative-to=$(pwd) . >/dev/null 2>&1) && echo 'realpath' || echo 'grealpath')
+REALPATH=$$($$(realpath --relative-to=$(shell pwd) . >/dev/null 2>&1) && echo 'realpath' || echo 'grealpath')
 all: configured
 	$(MAKE) -C $(BUILD) $@
diff --git a/NEWS b/NEWS
index e526919b09..25a19bc2ab 100644
--- a/NEWS
+++ b/NEWS
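Review bot: The corrected REALPATH line still wraps the probe in a second `$$( … )`, so the inner substitution expands to an empty command and the `&&` depends on the POSIX rule that a simple command with no command name takes the exit status of its last command substitution; that is valid, but it reads as if the output of realpath were being executed. Replacing `$(pwd)` with `$(shell pwd)` is the right fix for the empty Make variable, and the probe can be written without the nesting as `REALPATH=$$(realpath --relative-to=$(shell pwd) . >/dev/null 2>&1 && echo 'realpath' || echo 'grealpath')`. Since both operands refer to the current directory, `--relative-to=. .` would avoid the `$(shell pwd)` call entirely if the check only needs to detect `--relative-to` support.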
@@ -3,9 +3,111 @@ This document summarizes the most important changes in the current Zeek release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as Broker, come with their own ``CHANGES``.) +Zeek 7.0.5 +========== + +This release fixes the following security issues: + +- Large QUIC packets can cause Zeek to overflow memory and potentially + crash. Due to the possibility of receiving these packets from remote hosts, + this is a DoS risk. The fix included limits the payload length to 10000 bytes + and reports an error for those cases, as well as fixing the memory allocation + to not use a fixed-size buffer for all packets. + +This release fixes the following bugs: + +- The ZAM script optimization feature gained some fixes for some minor memory + leaks. + +- The ZeekJS submodule was updated to v0.14.0. In certain environment, ZeekJS + would fail to start a debugging thread due to limited stack size, producing + spurious log messages. This was fixed by not starting the debugging thread by + default. + +Zeek 7.0.4 +========== + +This release fixes the following bugs: + +- The community-id-logging.zeek policy script was used to set + ``c$conn$community_id`` during ``new_connection()`` rather than + ``connection_state_remove()``, allowing other scripts to reuse its value + early. + +- The input framework will no longer get stuck and use 100% of the CPU when + encountering lines not immediately terminated by a new line. + +- The Modbus analyzer added some additional protocol checks and should no longer + over-match on traffic that's not specifically on port 502. + +- ZeekJS was updated to version v0.13.2, which brings support for newer versions + of Node.js and a fix for a segfault when running under Alpine. + +- A minor bug was fixed in the detect-sqli policy script to handle spaces being + encoded as plus signs. 
+ +Zeek 7.0.3 +========== + +This release fixes the following security issue: + +- Adding to the POP3 hardening in 7.0.2, the parser now simply discards too many + pending commands, rather than any attempting to process them. Further, invalid + server responses do not result in command completion anymore. Processing + out-of-order commands or finishing commands based on invalid server responses + could result in inconsistent analyzer state, potentially triggering null + pointer references for crafted traffic. + +This release ships with Spicy 1.11.3, a bugfix release. Please refer to its +release notes for details. + +Zeek 7.0.2 +========== + +This release fixes the following security issues: + +- The POP3 parser has been hardened to avoid unbounded state growth in the + face of one-sided traffic capture or when enabled for non-POP3 traffic. + Concretely, the Redis protocol's AUTH mechanism enables the POP3 analyzer + for such connections through DPD. + +This release fixes the following bugs: + +- Support for SASL+SPNEGO+NTLMSSP was added to the LDAP analyzer. + +- Telemetry callbacks are now handled via Zeek instead of depending on the + prometehus-cpp library to handle them. + +Zeek 7.0.1 +========== + +This release fixes the following bugs: + +- HTTP passwords with colon characters in them are now correctly logged. + +- The LDAP analyzer now supports handling of non-sealed GSS-API WRAP tokens. + +- Heuristics for parsing SASL encrypted and signed LDAP traffic have been made + more strict and predictable. Please provide input if this results in less + visibility in your environment. + +- StartTLS support was added to the LDAP analyzer. The SSL analyzer is enabled + for connections where client and server negotiate to TLS through the extended + request/response mechanism. + +- Specify less-strict permissions for directories and files created by + zeek-archiver to play more nicely with user's umask setting. 
+
 Zeek 7.0.0
 ==========
+We would like to thank the following people for their contributions to this
+release: Christopher Knill (cknill), Jan Grashöfer (J-Gras), Martin van
+Hensbergen (mvhensbergen), Matti Bispham (mbispham), Mike Dopheide
+(dopheide-esnet), Oleksandr Pastushkov (opastushkov), Peter Cullen (pbcullen),
+Steve Smoot (stevesmoot), Tanner Kvarfordt (Kardbord), Victor Dvornikov
+(lydiym).
+
 Breaking Changes
 ----------------
@@ -20,7 +122,7 @@ Breaking Changes
   All of the metrics-related script-level options, type, and methods have been
   moved to the Telemetry framework:
-  * Option ``Broker::metrics_port` is now ``Telemetry::metrics_port``
+  * Option ``Broker::metrics_port`` is now ``Telemetry::metrics_port``
   * Option ``Broker::metrics_export_endpoint_name`` is now ``Telemetry::metrics_endpoint_name``
   The following options have been removed:
@@ -85,7 +187,8 @@ New Functionality
   environment variable configures the addition.
 - SMB2 packets containing multiple PDUs now correctly parse all of the headers,
-  instead of just the first one and ignoring the rest.
+  instead of just the first one and ignoring the rest. This may cause increased
+  CPU load on SMB2-heavy networks.
 - The new built-in function ``lookup_connection_analyzer_id()`` retrieves the
   numeric identifier of an analyzer associated with a connection. This enables
@@ -167,6 +270,11 @@ Deprecated Functionality
 - The ``--disable-archiver`` configure flag no longer does anything and will be
   removed in 7.1. zeek-archiver has moved into the zeek-aux repository.
+- The policy/frameworks/telemetry/prometheus.zeek script has been deprecated
+  and will be removed with Zeek 7.1. Setting the ``metrics_port`` field on a
+  ``Cluster::Node`` implies listening on that port and exposing telemetry
+  in Prometheus format.
+
 Zeek 6.2.0
 ==========
diff --git a/VERSION b/VERSION
index 14530a2cf8..2be8aeb6b1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.0.0-dev.467
+7.0.5
diff --git a/auxil/broker b/auxil/broker
index fada26ae50..a80bf420aa 160000
--- a/auxil/broker
+++ b/auxil/broker
@@ -1 +1 @@
-Subproject commit fada26ae504981f7f5524bf2a5c82ae49acd556d
+Subproject commit a80bf420aa6f55b4eb959ae89c184522a096a119
diff --git a/auxil/prometheus-cpp b/auxil/prometheus-cpp
index 2fec7205d1..ad99e21f47 160000
--- a/auxil/prometheus-cpp
+++ b/auxil/prometheus-cpp
@@ -1 +1 @@
-Subproject commit 2fec7205d1a9cb4829b86c943d599696d53de85c
+Subproject commit ad99e21f4706193670c42b36c9824dc997f4c475
diff --git a/auxil/spicy b/auxil/spicy
index 6581b1855a..31880e215f 160000
--- a/auxil/spicy
+++ b/auxil/spicy
@@ -1 +1 @@
-Subproject commit 6581b1855a5ea8cc102c66b4ac6a431fc67484a0
+Subproject commit 31880e215ff6f85ad95507d7a760e81ae2e0999d
diff --git a/auxil/zeek-aux b/auxil/zeek-aux
index 8a66cd60fb..e850412ab5 160000
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@@ -1 +1 @@
-Subproject commit 8a66cd60fb29a1237b5070854cb194f43a3f7a30
+Subproject commit e850412ab5dea10ee2ebb98e42527d80fcf9a7ed
diff --git a/auxil/zeekjs b/auxil/zeekjs
index 230f53c159..79b0c2126f 160000
--- a/auxil/zeekjs
+++ b/auxil/zeekjs
@@ -1 +1 @@
-Subproject commit 230f53c1596ee88289e96397f0810ca60ed897e3
+Subproject commit 79b0c2126fa0178dbc2e37536588fcd1db9f4443
diff --git a/ci/opensuse-leap-15.5/Dockerfile b/ci/opensuse-leap-15.5/Dockerfile
index be927da6c0..b59f445a2a 100644
--- a/ci/opensuse-leap-15.5/Dockerfile
+++ b/ci/opensuse-leap-15.5/Dockerfile
@@ -21,6 +21,7 @@ RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.5
     libpcap-devel \
     make \
     openssh \
+    procps \
     python311 \
     python311-devel \
     python311-pip \
diff --git a/ci/opensuse-leap-15.6/Dockerfile b/ci/opensuse-leap-15.6/Dockerfile
index a2b94c91c8..359c282f01 100644
--- a/ci/opensuse-leap-15.6/Dockerfile
+++ b/ci/opensuse-leap-15.6/Dockerfile
@@ -21,6 +21,7 @@ RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.6 libpcap-devel \ make \ openssh \ + procps \ python312 \ python312-devel \ python312-pip \ diff --git a/ci/test.sh b/ci/test.sh index c5304b4512..1d5da9e2a7 100755 --- a/ci/test.sh +++ b/ci/test.sh @@ -40,6 +40,11 @@ function banner { } function run_unit_tests { + if [[ ${ZEEK_CI_SKIP_UNIT_TESTS} -eq 1 ]]; then + printf "Skipping unit tests as requested by task configureation\n\n" + return 0 + fi + banner "Running unit tests" pushd build @@ -60,7 +65,7 @@ function run_btests { pushd testing/btest ZEEK_PROFILER_FILE=$(pwd)/.tmp/script-coverage/XXXXXX \ - ${BTEST} -z ${ZEEK_CI_BTEST_RETRIES} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} || result=1 + ${BTEST} -z ${ZEEK_CI_BTEST_RETRIES} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} ${ZEEK_CI_BTEST_EXTRA_ARGS} || result=1 make coverage prep_artifacts popd @@ -68,11 +73,16 @@ function run_btests { } function run_external_btests { + if [[ ${ZEEK_CI_SKIP_EXTERNAL_BTESTS} -eq 1 ]]; then + printf "Skipping external tests as requested by task configuration\n\n" + return 0 + fi + local zeek_testing_pid="" local zeek_testing_pid_private="" pushd testing/external/zeek-testing ZEEK_PROFILER_FILE=$(pwd)/.tmp/script-coverage/XXXXXX \ - ${BTEST} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} >btest.out 2>&1 & + ${BTEST} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} ${ZEEK_CI_BTEST_EXTRA_ARGS} >btest.out 2>&1 & zeek_testing_pid=$! popd diff --git a/cmake b/cmake index 690483f76c..2d42baf8e6 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 690483f76c149ffa8e035b612b406b0964f9886f +Subproject commit 2d42baf8e63a7494224aa9d02afa2cb43ddb96b8 diff --git a/doc b/doc index f65820ff0f..6fc35ef451 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit f65820ff0faf2887799fe691a443b5db39eeed54 +Subproject commit 6fc35ef451358576c8a730ed78e54d5509897ee8 
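Review bot: The skip message in run_unit_tests misspells "configuration" (`configureation`), while the parallel message added to run_external_btests spells it correctly; change it to `printf "Skipping unit tests as requested by task configuration\n\n"`. Both new guards compare a possibly unset variable with `-eq`, which only works because bash evaluates an empty arithmetic operand as 0; `if [[ ${ZEEK_CI_SKIP_UNIT_TESTS:-0} -eq 1 ]]; then` (and the same for ZEEK_CI_SKIP_EXTERNAL_BTESTS) makes the default explicit and keeps working under `set -u`. The unquoted `${ZEEK_CI_BTEST_EXTRA_ARGS}` in the two btest invocations is presumably intentional so that `-a zam` splits into two arguments; a short comment saying so would stop someone from quoting it later. The bodies of run_unit_tests and run_external_btests continue outside their hunks.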
diff --git a/scripts/base/frameworks/spicy/init-framework.zeek b/scripts/base/frameworks/spicy/init-framework.zeek index ae3a3b8e65..de6b528ee4 100644 --- a/scripts/base/frameworks/spicy/init-framework.zeek +++ b/scripts/base/frameworks/spicy/init-framework.zeek @@ -47,12 +47,18 @@ export { # Marked with &is_used to suppress complaints when there aren't any # Spicy file analyzers loaded, and hence this event can't be generated. -# The attribute is only supported for Zeek 5.0 and higher. event spicy_analyzer_for_mime_type(a: Files::Tag, mt: string) &is_used { Files::register_for_mime_type(a, mt); } +# Marked with &is_used to suppress complaints when there aren't any +# Spicy protocol analyzers loaded, and hence this event can't be generated. +event spicy_analyzer_for_port(a: Analyzer::Tag, p: port) &is_used + { + Analyzer::register_for_port(a, p); + } + function enable_protocol_analyzer(tag: Analyzer::Tag) : bool { return Spicy::__toggle_analyzer(tag, T); diff --git a/scripts/base/frameworks/telemetry/__load__.zeek b/scripts/base/frameworks/telemetry/__load__.zeek index 88b6dbf672..a10fe855df 100644 --- a/scripts/base/frameworks/telemetry/__load__.zeek +++ b/scripts/base/frameworks/telemetry/__load__.zeek @@ -1,3 +1 @@ @load ./main - -@load base/frameworks/cluster diff --git a/scripts/base/frameworks/telemetry/main.zeek b/scripts/base/frameworks/telemetry/main.zeek index d71a7d9783..0e5ce1b1f5 100644 --- a/scripts/base/frameworks/telemetry/main.zeek +++ b/scripts/base/frameworks/telemetry/main.zeek 
@@ -5,10 +5,28 @@ ##! enabled by setting :zeek:see:`Telemetry::metrics_port`. @load base/misc/version +@load base/frameworks/cluster + @load base/frameworks/telemetry/options module Telemetry; +# In a cluster configuration, open the port number for metrics +# from the cluster node configuration for exporting data to +# Prometheus. +# +# The manager node will also provide a ``/services.json`` endpoint +# for the HTTP Service Discovery system in Prometheus to use for +# configuration. This endpoint will include information for all of +# the other nodes in the cluster. +@if ( Cluster::is_enabled() ) +redef Telemetry::metrics_endpoint_name = Cluster::node; + +@if ( Cluster::local_node_metrics_port() != 0/unknown ) +redef Telemetry::metrics_port = Cluster::local_node_metrics_port(); +@endif +@endif + export { ## Alias for a vector of label values. type labels_vector: vector of string; diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 30b49def26..25746c1bea 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -2903,6 +2903,22 @@ export { } # end export +module POP3; + +export { + ## How many commands a POP3 client may have pending + ## before Zeek forcefully removes the oldest. + ## + ## Setting this value to 0 removes the limit. + const max_pending_commands = 10 &redef; + + ## How many invalid commands a POP3 client may use + ## before Zeek starts raising analyzer violations. + ## + ## Setting this value to 0 removes the limit. + const max_unknown_client_commands = 10 &redef; + +} # end export module Threading; @@ -5883,6 +5899,13 @@ export { type MetricVector : vector of Metric; type HistogramMetricVector : vector of HistogramMetric; + + ## Maximum amount of time for CivetWeb HTTP threads to + ## wait for metric callbacks to complete on the IO loop. + const callback_timeout: interval = 5sec &redef; + + ## Number of CivetWeb threads to use. + const civetweb_threads: count = 2 &redef; } module GLOBAL; 
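Review bot: The block comment above the `@if ( Cluster::is_enabled() )` guard describes a `/services.json` endpoint served by the manager, but nothing in this hunk implements it, so a reader will look for it in this script; say where it comes from, e.g. `# The /services.json endpoint itself is implemented outside this script (see [LOCATION]).` It would also help to state that the second `redef` is what turns a non-zero `metrics_port` in the cluster node configuration into a listening port, since that is the behaviour the 7.0 CHANGES entry calls out as the replacement for the deprecated prometheus.zeek. When the inner `@if` is false the node presumably keeps whatever `Telemetry::metrics_port` value options.zeek sets; a one-line comment to that effect would make the two-level guard easier to follow.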
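Review bot: The doc comment on `callback_timeout` in the Telemetry export block says how long CivetWeb threads wait but not what a scraper receives once the timeout expires, which is what an operator tuning it needs to know; add a sentence such as `## If the timeout expires, [describe the HTTP response the scraper gets].` once confirmed against the implementation. Similarly `civetweb_threads` could say what the threads serve (presumably metrics endpoint requests) so its relation to scrape concurrency is clear. The POP3 `max_pending_commands` comment says the oldest command is removed but not whether that is surfaced to the operator (for example as a weird), which matters when tuning the limit on busy servers.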
diff --git a/scripts/base/protocols/http/main.zeek b/scripts/base/protocols/http/main.zeek index 0f65c6b984..e334a83253 100644 --- a/scripts/base/protocols/http/main.zeek +++ b/scripts/base/protocols/http/main.zeek @@ -338,8 +338,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr if ( /^[bB][aA][sS][iI][cC] / in value ) { local userpass = decode_base64_conn(c$id, sub(value, /[bB][aA][sS][iI][cC][[:blank:]]+/, "")); - local up = split_string(userpass, /:/); - if ( |up| >= 2 ) + local up = split_string1(userpass, /:/); + if ( |up| == 2 ) { c$http$username = up[0]; if ( c$http$capture_password ) diff --git a/scripts/base/protocols/ldap/consts.zeek b/scripts/base/protocols/ldap/consts.zeek index bbd378c7e8..5b29fd22e4 100644 --- a/scripts/base/protocols/ldap/consts.zeek +++ b/scripts/base/protocols/ldap/consts.zeek @@ -120,4 +120,11 @@ export { "searching", [ LDAP::SearchDerefAlias_DEREF_FINDING_BASE ] = "finding", [ LDAP::SearchDerefAlias_DEREF_ALWAYS ] = "always", } &default="unknown"; + + const EXTENDED_REQUESTS = { + # StartTLS, https://datatracker.ietf.org/doc/html/rfc4511#section-4.14.1 + [ "1.3.6.1.4.1.1466.20037" ] = "StartTLS", + # whoami, https://datatracker.ietf.org/doc/html/rfc4532#section-2 + [ "1.3.6.1.4.1.4203.1.11.3" ] = "whoami", + } &default="unknown" &redef; } diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek index 93c301a65a..da4a21871c 100644 --- a/scripts/base/protocols/ldap/main.zeek +++ b/scripts/base/protocols/ldap/main.zeek @@ -258,6 +258,9 @@ event LDAP::message(c: connection, } m$object = object; + + if ( opcode == LDAP::ProtocolOpcode_EXTENDED_REQUEST ) + m$object += fmt(" (%s)", EXTENDED_REQUESTS[object]); } if ( argument != "" ) { diff --git a/scripts/base/protocols/ldap/spicy-events.zeek b/scripts/base/protocols/ldap/spicy-events.zeek index fa670f3456..baa00ba548 100644 --- a/scripts/base/protocols/ldap/spicy-events.zeek 
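Review bot: The new exported `EXTENDED_REQUESTS` table in consts.zeek has no `##` doc comment, and its `&default="unknown"` interacts with the main.zeek hunk: every ExtendedRequest whose OID is not in the table is logged as `<oid> (unknown)`, so the suffix adds nothing for unmapped OIDs. If that is intended, document it: `## Maps the OID of an LDAP ExtendedRequest to a short name; OIDs not listed are rendered as "unknown" (redef to extend).` Otherwise main.zeek could append the name only when `object in EXTENDED_REQUESTS`. The LDAP::message handler continues outside its hunk.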
+++ b/scripts/base/protocols/ldap/spicy-events.zeek @@ -98,3 +98,44 @@ global LDAP::search_result_entry: event ( message_id: int, object_name: string ); + +## Event generated for each ExtendedRequest in LDAP messages. +## +## c: The connection. +## +## message_id: The messageID element. +## +## request_name: The name of the extended request. +## +## request_value: The value of the extended request (empty if missing). +global LDAP::extended_request: event ( + c: connection, + message_id: int, + request_name: string, + request_value: string +); + +## Event generated for each ExtendedResponse in LDAP messages. +## +## c: The connection. +## +## message_id: The messageID element. +## +## result: The result code of the response. +## +## response_name: The name of the extended response (empty if missing). +## +## response_value: The value of the extended response (empty if missing). +global LDAP::extended_response: event ( + c: connection, + message_id: int, + result: LDAP::ResultCode, + response_name: string, + response_value: string +); + +## Event generated when a plaintext LDAP connection switched to TLS. +## +## c: The connection. +## +global LDAP::starttls: event(c: connection); diff --git a/scripts/base/protocols/ssl/ct-list.zeek b/scripts/base/protocols/ssl/ct-list.zeek index c7c2a87ec9..036374d946 100644 --- a/scripts/base/protocols/ssl/ct-list.zeek +++ b/scripts/base/protocols/ssl/ct-list.zeek @@ -1,9 +1,9 @@ # # Do not edit this file. This file is automatically generated by gen-ct-list.pl -# File generated at Fri Feb 23 11:37:01 2024 +# File generated at Tue Jul 23 16:04:45 2024 # File generated from https://www.gstatic.com/ct/log_list/v3/log_list.json -# Source file generated at: 2024-02-22T12:56:21Z -# Source file version: 32.9 +# Source file generated at: 2024-07-23T13:06:08Z +# Source file version: 39.1 # @load base/protocols/ssl 
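Review bot: The docstring of `LDAP::starttls` reads "a plaintext LDAP connection switched to TLS"; the other event docs in this hunk use the present tense, so `## Event generated when a plaintext LDAP connection switches to TLS.` keeps them consistent, and the empty `##` line before the `global` declaration can go. It would also be worth stating whether the event fires on the StartTLS request or only once the ExtendedResponse indicates success, since analysts correlating it with ssl.log need to know which.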
@@ -12,21 +12,32 @@ redef ct_logs += { ["\xee\xcd\xd0\x64\xd5\xdb\x1a\xce\xc5\x5c\xb7\x9d\xb4\xcd\x13\xa2\x32\x87\x46\x7c\xbc\xec\xde\xc3\x51\x48\x59\x46\x71\x1f\xb5\x9b"] = CTInfo($description="Google 'Argon2024' log", $operator="Google", $url="https://ct.googleapis.com/logs/us1/argon2024/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x1d\xb9\x6c\xa9\xcb\x69\x94\xc5\x5c\xe6\xb6\xa6\x03\xbb\xd2\xb8\xdc\x54\x43\x17\x28\x99\x0c\x06\x01\x50\x1d\x9d\x64\xc0\x59\x46\x2b\xdc\xc8\x03\x1d\x05\xb4\x2d\xa8\x09\xf7\x99\x41\xed\x04\xfb\xe5\x57\xba\x26\x04\xf6\x11\x52\xce\x14\x65\x3b\x2f\x76\x2b\xc0"), ["\x4e\x75\xa3\x27\x5c\x9a\x10\xc3\x38\x5b\x6c\xd4\xdf\x3f\x52\xeb\x1d\xf0\xe0\x8e\x1b\x8d\x69\xc0\xb1\xfa\x64\xb1\x62\x9a\x39\xdf"] = CTInfo($description="Google 'Argon2025h1' log", $operator="Google", $url="https://ct.googleapis.com/logs/us1/argon2025h1/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x82\xa1\xf9\x67\x68\xa8\xe4\xdb\x94\x98\xe2\xe1\x68\x87\xe4\x09\x6d\x20\x35\x33\x38\x3c\xaf\x14\xaa\xd7\x08\x18\xf0\xfd\x16\x9b\xd3\xff\x7c\x27\x82\xd4\x87\xb7\x4e\x24\x46\x3b\xfb\xae\xbe\xc8\x23\x52\x20\x2b\xaa\x44\x05\xfe\x54\xf9\xd5\xf1\x1d\x45\x9a"), ["\x12\xf1\x4e\x34\xbd\x53\x72\x4c\x84\x06\x19\xc3\x8f\x3f\x7a\x13\xf8\xe7\xb5\x62\x87\x88\x9c\x6d\x30\x05\x84\xeb\xe5\x86\x26\x3a"] = CTInfo($description="Google 'Argon2025h2' log", $operator="Google", $url="https://ct.googleapis.com/logs/us1/argon2025h2/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xaf\xe4\xf3\x94\x2c\xdf\xa6\x27\xb5\xfe\xb2\x61\x83\x19\xc8\x21\x3a\x23\xa8\xa9\x3d\x54\xaf\xbc\x31\x9a\x1c\xd3\xc1\xe3\xb6\xc2\xf3\x0f\xc7\xb9\xca\x3b\x1d\x79\x65\x61\x22\x25\x82\x56\x4e\x98\xe8\xaa\x26\x29\x36\x1e\x28\x60\x6f\xeb\x15\x6e\xf7\x7c\xd0\xba"), +["\x0e\x57\x94\xbc\xf3\xae\xa9\x3e\x33\x1b\x2c\x99\x07\xb3\xf7\x90\xdf\x9b\xc2\x3d\x71\x32\x25\xdd\x21\xa9\x25\xac\x61\xc5\x4e\x21"] = CTInfo($description="Google 'Argon2026h1' log", $operator="Google", $url="https://ct.googleapis.com/logs/us1/argon2026h1/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x07\xfc\x1e\xe8\x63\x8e\xff\x1c\x31\x8a\xfc\xb8\x1e\x19\x2b\x60\x50\x00\x3e\x8e\x9e\xda\x77\x37\xe3\xa5\xa8\xda\x8d\x94\xf8\x6b\xe8\x3d\x64\x8f\x27\x3f\x75\xb3\xfc\x6b\x12\xf0\x37\x06\x4f\x64\x58\x75\x14\x5d\x56\x52\xe6\x6a\x2b\x14\x4c\xec\x81\xd1\xea\x3e"), +["\xd7\x6d\x7d\x10\xd1\xa7\xf5\x77\xc2\xc7\xe9\x5f\xd7\x00\xbf\xf9\x82\xc9\x33\x5a\x65\xe1\xd0\xb3\x01\x73\x17\xc0\xc8\xc5\x69\x77"] = CTInfo($description="Google 'Argon2026h2' log", $operator="Google", $url="https://ct.googleapis.com/logs/us1/argon2026h2/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2a\x3a\x67\x8b\xfe\xba\x0c\x86\x2b\x4a\x51\x8a\xe9\x17\xfe\x7b\xa1\x76\x73\xfd\xbc\x65\x4b\xc3\x27\xbf\x4d\xf3\x5f\xa0\xca\x29\x80\x11\x20\x32\x78\xd6\x7e\xf9\x34\x60\x8c\x75\xa0\xf5\x35\x50\x9c\xa1\xd3\x49\x4d\x13\xd5\x3b\x6a\x0e\xea\x45\x9d\x24\x13\x22"), ["\x76\xff\x88\x3f\x0a\xb6\xfb\x95\x51\xc2\x61\xcc\xf5\x87\xba\x34\xb4\xa4\xcd\xbb\x29\xdc\x68\x42\x0a\x9f\xe6\x67\x4c\x5a\x3a\x74"] = CTInfo($description="Google 'Xenon2024' log", $operator="Google", $url="https://ct.googleapis.com/logs/eu1/xenon2024/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xb9\x60\xe0\x34\x1e\x35\xe4\x65\x00\x93\x4f\x90\x09\xbd\x5a\xec\x44\xdd\x8c\x0f\xce\xed\x11\x3e\x2a\x59\x46\x9a\x31\xb6\xc7\x99\xf7\xdc\xef\x3d\xcd\x8f\x86\xc2\x35\xa5\x3e\xdc\x29\xba\xbb\xf2\x54\xe2\xa8\x0c\x83\x08\x51\x06\xde\x21\x6d\x36\x50\x8e\x38\x4d"), ["\xcf\x11\x56\xee\xd5\x2e\x7c\xaf\xf3\x87\x5b\xd9\x69\x2e\x9b\xe9\x1a\x71\x67\x4a\xb0\x17\xec\xac\x01\xd2\x5b\x77\xce\xcc\x3b\x08"] = CTInfo($description="Google 'Xenon2025h1' log", $operator="Google", $url="https://ct.googleapis.com/logs/eu1/xenon2025h1/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x82\xe2\xce\x90\x40\x3f\x81\x0e\xdf\xea\xe1\x20\x2b\x5e\x2e\x30\x54\x46\x81\xb9\x58\xed\xaf\xbd\xff\x36\xa7\x9e\x0b\x5f\x6a\x6b\x91\xa5\xc1\x98\xe1\xf2\xcd\xeb\x17\x20\x70\xca\x2a\x12\xe6\x54\x78\x50\xdc\xff\x6d\xfd\x1c\xa7\xb6\x3a\x1f\xf9\x26\xa9\x1b\xbd"), ["\xdd\xdc\xca\x34\x95\xd7\xe1\x16\x05\xe7\x95\x32\xfa\xc7\x9f\xf8\x3d\x1c\x50\xdf\xdb\x00\x3a\x14\x12\x76\x0a\x2c\xac\xbb\xc8\x2a"] = CTInfo($description="Google 'Xenon2025h2' log", $operator="Google", $url="https://ct.googleapis.com/logs/eu1/xenon2025h2/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6b\xe0\xaf\xed\x06\x7c\x3d\xef\xd9\x0e\xe4\x58\x4b\x04\xd8\x2a\x47\x99\x90\x89\x7a\xb9\x36\xa5\x75\xc8\x04\xb8\xcb\xe2\xaa\x2b\xb5\x68\x9d\x88\x29\xa2\xa5\xcf\xce\x2b\x9a\x15\x9b\xa0\x3e\x9d\x94\x1c\xb2\xb7\x4a\xf2\x51\xec\x40\xed\x62\x47\xa4\x03\x49\x86"), +["\x96\x97\x64\xbf\x55\x58\x97\xad\xf7\x43\x87\x68\x37\x08\x42\x77\xe9\xf0\x3a\xd5\xf6\xa4\xf3\x36\x6e\x46\xa4\x3f\x0f\xca\xa9\xc6"] = CTInfo($description="Google 'Xenon2026h1' log", $operator="Google", $url="https://ct.googleapis.com/logs/eu1/xenon2026h1/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x3a\x1f\xc8\xbb\xce\xd5\x90\x47\x34\xca\xca\x01\x04\x27\x21\x1c\xe2\x29\x3d\x92\xbb\x91\x45\xc7\x5a\x3e\xa5\xd4\xf2\x12\xe6\xe8\xe6\x43\xba\xf3\x7b\xc2\x38\xaf\xfc\x23\x8a\x05\x56\xeb\x03\x0a\x30\xcc\x63\x6c\xd9\x3c\xbe\xf5\x7b\x94\xba\x94\xd3\xbf\x88\x4c"), +["\xd8\x09\x55\x3b\x94\x4f\x7a\xff\xc8\x16\x19\x6f\x94\x4f\x85\xab\xb0\xf8\xfc\x5e\x87\x55\x26\x0f\x15\xd1\x2e\x72\xbb\x45\x4b\x14"] = CTInfo($description="Google 'Xenon2026h2' log", $operator="Google", $url="https://ct.googleapis.com/logs/eu1/xenon2026h2/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe5\x77\x78\x95\x71\x28\xb3\x95\xc9\xa5\xcc\x7a\x4c\xe8\x32\x03\x96\x7b\xfc\x2e\x1d\xb9\xa4\xdb\x43\xa0\xbd\x69\x72\xf9\x45\xba\x9a\xc3\xe9\x96\xd5\x70\xe7\x0d\x7e\xc9\x95\x15\x27\x8a\x72\x30\x65\x86\x43\x53\xdc\x11\x44\x18\x49\x98\x25\x68\xa7\x3c\x05\xbf"), ["\xda\xb6\xbf\x6b\x3f\xb5\xb6\x22\x9f\x9b\xc2\xbb\x5c\x6b\xe8\x70\x91\x71\x6c\xbb\x51\x84\x85\x34\xbd\xa4\x3d\x30\x48\xd7\xfb\xab"] = CTInfo($description="Cloudflare 'Nimbus2024' Log", $operator="Cloudflare", $url="https://ct.cloudflare.com/logs/nimbus2024/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x77\xb1\x9b\x7b\x8f\xe6\x8b\x35\xfe\x3a\x92\x29\x2d\xac\x8a\x8d\x51\x8a\x25\xfc\x93\xb6\xd7\xa0\x8b\x29\x37\x71\x1d\x33\xca\xcc\x33\xea\x28\xb9\x1f\xe2\xac\xc3\xa9\x5d\xdd\x97\xbe\xf6\x9e\x94\x25\xdd\x36\x81\xd1\xeb\x5d\x29\xc3\x2b\x44\xf1\x5b\xca\x15\x48"), ["\xcc\xfb\x0f\x6a\x85\x71\x09\x65\xfe\x95\x9b\x53\xce\xe9\xb2\x7c\x22\xe9\x85\x5c\x0d\x97\x8d\xb6\xa9\x7e\x54\xc0\xfe\x4c\x0d\xb0"] = CTInfo($description="Cloudflare 'Nimbus2025'", $operator="Cloudflare", $url="https://ct.cloudflare.com/logs/nimbus2025/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x1a\x80\x1a\x15\x19\x19\x23\x79\xb4\xfa\xa0\x79\x8e\x8d\xd5\xc1\xdc\xc2\xb5\x96\x92\x7e\x94\xe0\xc3\x7e\x14\x7c\x0a\x0d\x2d\x46\xa8\x9d\x1b\xb1\x41\x65\x0c\x5f\x98\xc4\x5a\x17\x79\x81\x5b\x4a\x14\x41\xec\xaf\xa9\x5d\x0e\xab\x12\x19\x71\xcd\x43\xef\xbb\x97"), ["\x48\xb0\xe3\x6b\xda\xa6\x47\x34\x0f\xe5\x6a\x02\xfa\x9d\x30\xeb\x1c\x52\x01\xcb\x56\xdd\x2c\x81\xd9\xbb\xbf\xab\x39\xd8\x84\x73"] = CTInfo($description="DigiCert Yeti2024 Log", $operator="DigiCert", $url="https://yeti2024.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x57\xb8\xc1\x6f\x30\xa4\x7f\x2e\xe4\xf0\xd0\xd9\x60\x62\x13\x95\xe3\x7a\xe3\x4e\x53\xc3\xb3\xb8\x73\x85\xc1\x18\x0d\x23\x0e\x58\x84\xd2\x78\xef\x9b\xb3\x1e\x2c\x1a\xde\xc1\x8f\x81\x1b\x19\x44\x58\xb7\x00\x77\x60\x20\x1a\x72\xd8\x82\xde\xae\x9e\xb1\xc6\x4b"), ["\x7d\x59\x1e\x12\xe1\x78\x2a\x7b\x1c\x61\x67\x7c\x5e\xfd\xf8\xd0\x87\x5c\x14\xa0\x4e\x95\x9e\xb9\x03\x2f\xd9\x0e\x8c\x2e\x79\xb8"] = CTInfo($description="DigiCert Yeti2025 Log", $operator="DigiCert", $url="https://yeti2025.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xdf\x95\x00\x5e\x10\xc1\x01\xf7\x37\xe3\x10\x74\xd1\xff\xb2\xca\x90\xed\x32\x99\x5f\x0c\x39\xfe\xa1\xd1\x13\x11\xac\xd1\xb3\x73\x93\x20\xc2\x13\x3c\x4c\xb5\x7a\x52\x86\x86\x3d\xe3\x95\x24\x7c\xd8\x91\x98\x48\x3b\xf0\xf0\xdf\x21\xf1\xb0\x81\x5a\x59\x25\x43"), ["\x73\xd9\x9e\x89\x1b\x4c\x96\x78\xa0\x20\x7d\x47\x9d\xe6\xb2\xc6\x1c\xd0\x51\x5e\x71\x19\x2a\x8c\x6b\x80\x10\x7a\xc1\x77\x72\xb5"] = CTInfo($description="DigiCert Nessie2024 Log", $operator="DigiCert", $url="https://nessie2024.ct.digicert.com/log/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2d\xfc\xa2\x7b\x36\xbf\x56\x91\xe9\xfe\x3f\xe8\x3d\xfc\xc3\xa7\xe0\x61\x52\xea\x2c\xe9\x05\xa3\x9f\x27\x17\x81\x05\x70\x6b\x81\x61\x44\x8a\xf8\x3b\x10\x80\x42\xed\x03\x2f\x00\x50\x21\xfc\x41\x54\x84\xa3\x54\xd5\x2e\xb2\x7a\x16\x4b\x2a\x1f\x2b\x66\x04\x2b"), ["\xe6\xd2\x31\x63\x40\x77\x8c\xc1\x10\x41\x06\xd7\x71\xb9\xce\xc1\xd2\x40\xf6\x96\x84\x86\xfb\xba\x87\x32\x1d\xfd\x1e\x37\x8e\x50"] = CTInfo($description="DigiCert Nessie2025 Log", $operator="DigiCert", $url="https://nessie2025.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\xf0\xf0\xa7\x8b\x81\x2e\x09\x39\x3b\x9f\x42\xda\x38\x44\x5f\xb4\xcc\xed\x36\xbb\xd8\x43\x7f\x16\x49\x57\x87\x04\x7f\xa5\x01\x34\xf7\xe8\x68\x3f\xb7\x78\x1f\x60\x66\x2d\x67\x9a\x75\x80\xb7\x53\xa7\x85\xd5\xbc\xab\x47\x06\x55\xdb\xb5\xdf\x88\xa1\x6f\x38"), +["\xb6\x9d\xdc\xbc\x3c\x1a\xbd\xef\x6f\x9f\xd6\x0c\x88\xb1\x06\x7b\x77\xf0\x82\x68\x8b\x2d\x78\x65\xd0\x4b\x39\xab\xe9\x27\xa5\x75"] = CTInfo($description="DigiCert 'Wyvern2024h1' Log", $operator="DigiCert", $url="https://wyvern.ct.digicert.com/2024h1/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x68\xa6\x79\x14\xd1\x58\xe7\xab\xaa\x29\x69\x7f\x60\xed\x68\xe8\x10\xf6\x07\x84\xc0\xfb\x59\x04\x5a\x09\xc9\x1d\xe1\x4b\xfb\xcd\xdc\x03\xf3\xa8\x2a\x46\xb9\x84\x4d\x69\x30\xec\x23\x35\xc1\x8e\xfc\x9f\xb4\x20\x24\xd7\x15\xac\x87\xf7\x1e\xc1\x0b\x3c\x76\x1a"), +["\x0c\x2a\xef\x2c\x4a\x5b\x98\x83\xd4\xdd\xa3\x82\xfe\x50\xfb\x51\x88\xb3\xe9\x73\x33\xa1\xec\x53\xa0\x9d\xc9\xa7\x9d\x0d\x08\x20"] = CTInfo($description="DigiCert 'Wyvern2024h2' Log", $operator="DigiCert", $url="https://wyvern.ct.digicert.com/2024h2/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa8\x73\x12\x9c\x54\xd0\x7a\x7d\xc5\xb5\x17\x2b\x71\x52\x89\x04\x90\xbb\x42\xf1\x9d\xf8\x1c\xde\x4c\xcf\x82\x3c\xbd\x37\x1b\x74\x4c\x3c\xc7\xa3\x13\x87\x01\x51\x13\x14\xda\xa2\x12\x98\x84\xce\x1c\xbe\xcf\x4f\x7a\xef\x15\xfa\xd0\xee\xed\xed\x07\xad\x71\x6d"), +["\x73\x20\x22\x0f\x08\x16\x8a\xf9\xf3\xc4\xa6\x8b\x0a\xb2\x6a\x9a\x4a\x00\xee\xf5\x77\x85\x8a\x08\x4d\x05\x00\xd4\xa5\x42\x44\x59"] = CTInfo($description="DigiCert 'Wyvern2025h1' Log", $operator="DigiCert", $url="https://wyvern.ct.digicert.com/2025h1/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa7\xcb\x80\x61\x86\x1b\x1f\xb5\xab\x2b\x20\x76\x59\x83\x66\x0e\xce\xae\xb8\x6f\x3b\x88\x02\xeb\x43\xf4\x87\x90\xcb\x8b\xda\xac\x0e\x19\x50\xe0\xf9\x24\x0e\xab\x26\x93\x8c\x3f\x9e\x0d\x96\x58\x44\x9d\x3b\x8a\x80\xc5\xc8\xbe\xe1\x89\x46\x6b\x48\x4c\xd6\x09"), +["\xed\x3c\x4b\xd6\xe8\x06\xc2\xa4\xa2\x00\x57\xdb\xcb\x24\xe2\x38\x01\xdf\x51\x2f\xed\xc4\x86\xc5\x70\x0f\x20\xdd\xb7\x3e\x3f\xe0"] = CTInfo($description="DigiCert 'Wyvern2025h2' Log", $operator="DigiCert", $url="https://wyvern.ct.digicert.com/2025h2/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe0\xdb\x41\xef\xe4\x04\xbd\xcb\x6b\x2e\x4c\xcc\xf1\x6c\xde\x41\x58\x7f\xfe\x94\xf6\x7a\xf6\x60\xed\x8b\x76\x72\xa3\xa2\x1c\x31\x13\x32\x35\xa1\xf2\x08\xd2\x68\xc5\x34\xa7\x56\x08\x1c\x63\xde\x95\xe2\x81\x69\x97\x8d\x1e\xa8\xb7\x66\x51\x25\x75\x4d\x78\x2e"), +["\xdb\x07\x6c\xde\x6a\x8b\x78\xec\x58\xd6\x05\x64\x96\xeb\x6a\x26\xa8\xc5\x9e\x72\x12\x93\xe8\xac\x03\x27\xdd\xde\x89\xdb\x5a\x2a"] = CTInfo($description="DigiCert 'Sphinx2024h1' Log", $operator="DigiCert", $url="https://sphinx.ct.digicert.com/2024h1/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc6\xe4\x29\x69\x98\xfe\x28\x92\x57\x12\x4d\x9e\xed\x0e\xe7\x32\xa2\xe6\x9c\x27\x78\xa4\x29\x7c\x99\xd5\xdb\xfa\x22\xc1\xdd\x5e\xa7\xf4\xd8\xea\xc8\xd7\x44\x8d\xe0\xf1\x8c\x0a\x01\x1d\xd8\x22\xa8\xd3\xeb\xc9\x22\x8e\x36\xfb\x4a\xb1\x70\x9c\x5d\xc1\xe8\x33"), +["\xdc\xc9\x5e\x6f\xa2\x99\xb9\xb0\xfd\xbd\x6c\xa6\xa3\x6e\x1d\x72\xc4\x21\x2f\xdd\x1e\x0f\x47\x55\x3a\x36\xd6\xcf\x1a\xd1\x1d\x8d"] = CTInfo($description="DigiCert 'Sphinx2024h2' Log", $operator="DigiCert", $url="https://sphinx.ct.digicert.com/2024h2/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xdb\x09\x41\x84\xe7\xd1\xf1\x5b\x25\x09\x7b\xe8\xc6\x98\x51\x5e\x29\x85\xfd\x81\xde\x89\xd7\xd0\x86\xa4\xb0\xe5\x15\xec\x5d\x7b\x17\x55\x5f\xc9\x79\x8d\xe4\x22\x36\xe7\xe9\xbf\x38\x3f\xd1\xe9\xd4\x09\x84\x81\xbe\xb6\xc1\xed\x1b\x17\xea\x26\x97\xba\xe9\x9a"), +["\xde\x85\x81\xd7\x50\x24\x7c\x6b\xcd\xcb\xaf\x56\x37\xc5\xe7\x81\xc6\x4c\xe4\x6e\xd6\x17\x63\x9f\x8f\x34\xa7\x26\xc9\xe2\xbd\x37"] = CTInfo($description="DigiCert 'Sphinx2025h1' Log", $operator="DigiCert", $url="https://sphinx.ct.digicert.com/2025h1/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe3\x2f\x1f\x4d\x89\x05\x75\x29\x78\xbb\x22\x3d\x07\x62\x51\x14\x70\x94\xe7\x3c\xea\xf5\xee\xae\xa6\x48\x9a\x86\x52\x4e\x9e\x5c\xe3\x95\x97\x28\xbb\x52\x4b\x2a\xfd\xc8\xc9\x89\x4e\x45\x31\x17\xd3\x8d\xf2\xe7\xce\x18\x11\x58\x98\x2c\x60\x6f\x58\x20\x36\x6e"), +["\xa4\x42\xc5\x06\x49\x60\x61\x54\x8f\x0f\xd4\xea\x9c\xfb\x7a\x2d\x26\x45\x4d\x87\xa9\x7f\x2f\xdf\x45\x59\xf6\x27\x4f\x3a\x84\x54"] = CTInfo($description="DigiCert 'Sphinx2025h2' Log", $operator="DigiCert", $url="https://sphinx.ct.digicert.com/2025h2/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x41\x8c\x50\x13\x54\xb1\x19\x05\xb7\x7f\x4a\x20\x6e\xa3\x75\x63\xca\x34\xf4\xcc\x74\xea\x32\x3b\xb6\x8b\x03\x14\xa8\x52\x7f\x32\x87\x5e\x59\x9e\x0f\xab\x18\x9e\x29\x6c\xb5\x72\x77\x1a\x27\x54\x85\x5d\xc1\x7b\x24\xa8\x34\xe3\xcd\x88\xce\xd4\x50\x1b\xbe\x69"), ["\x55\x81\xd4\xc2\x16\x90\x36\x01\x4a\xea\x0b\x9b\x57\x3c\x53\xf0\xc0\xe4\x38\x78\x70\x25\x08\x17\x2f\xa3\xaa\x1d\x07\x13\xd3\x0c"] = CTInfo($description="Sectigo 'Sabre' CT log", $operator="Sectigo", $url="https://sabre.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\x6f\xd2\x89\x0f\x3f\xc5\xf8\x87\x1e\xab\x65\xb3\xd9\xbb\x17\x23\x8c\x06\x0e\x09\x55\x96\x3d\x0a\x08\xa2\xc5\x71\xb3\xd1\xa9\x2f\x28\x3e\x83\x10\xbf\x12\xd0\x44\x66\x15\xef\x54\xe1\x98\x80\xd0\xce\x24\x6d\x3e\x67\x9a\xe9\x37\x23\xce\x52\x93\x86\xda\x80"), ["\xa2\xe2\xbf\xd6\x1e\xde\x2f\x2f\x07\xa0\xd6\x4e\x6d\x37\xa7\xdc\x65\x43\xb0\xc6\xb5\x2e\xa2\xda\xb7\x8a\xf8\x9a\x6d\xf5\x17\xd8"] = CTInfo($description="Sectigo 'Sabre2024h1'", $operator="Sectigo", $url="https://sabre2024h1.ct.sectigo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2c\x01\xf6\xce\x31\xbc\xaa\x14\x61\x51\xfe\x6b\x7a\x87\xae\xa6\xd3\x9b\xc7\x87\x2d\x0a\x5a\xc8\x4f\xb5\x54\xdc\xc9\x93\xa0\x00\xee\xca\x1c\xb9\xa7\xb6\x7b\x47\x3b\xe5\x4f\xaa\x6c\x16\x1c\x70\x2e\xc8\xec\x53\x5a\x4c\x21\x4c\x7e\x27\x0b\x13\x14\x5e\xfc\x85"), ["\x19\x98\x10\x71\x09\xf0\xd6\x52\x2e\x30\x80\xd2\x9e\x3f\x64\xbb\x83\x6e\x28\xcc\xf9\x0f\x52\x8e\xee\xdf\xce\x4a\x3f\x16\xb4\xca"] = CTInfo($description="Sectigo 'Sabre2024h2'", $operator="Sectigo", $url="https://sabre2024h2.ct.sectigo.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7a\x10\x4c\x8a\xe7\x22\x7b\x6d\x2a\xba\x8e\xfa\x6b\x4a\x81\xd5\x85\xae\x03\xef\xff\x4b\xfc\x4d\x53\x3d\xb7\x8c\xbb\x75\x09\xc9\xea\x16\x7e\xc1\x77\x16\xd2\xc2\x45\x74\x6d\x8d\xc4\xe1\x88\x37\xdf\xd4\xf3\x60\x65\xfc\xa0\x75\xf0\x20\x66\x8e\x4a\xcc\x19\xda"), ["\xe0\x92\xb3\xfc\x0c\x1d\xc8\xe7\x68\x36\x1f\xde\x61\xb9\x96\x4d\x0a\x52\x78\x19\x8a\x72\xd6\x72\xc4\xb0\x4d\xa5\x6d\x6f\x54\x04"] = CTInfo($description="Sectigo 'Sabre2025h1'", $operator="Sectigo", $url="https://sabre2025h1.ct.sectigo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7e\x2f\x39\xf1\xe8\x23\x8e\xb3\x32\x04\xaf\x4d\x57\xf6\xdb\xc5\x74\xa4\x7a\x6d\x3b\x07\x51\x0c\x5a\xfb\x80\x30\x05\xc6\x5a\x0c\xc4\x76\xd6\x06\xa8\x57\x4d\xfb\xdf\xe4\x82\x90\xc2\x41\xae\x70\xb3\x31\xa2\xe3\xfa\x3d\x5f\x2c\x5d\x04\xcd\xb4\x9d\x55\xab\x41"), ["\x1a\x04\xff\x49\xd0\x54\x1d\x40\xaf\xf6\xa0\xc3\xbf\xf1\xd8\xc4\x67\x2f\x4e\xec\xee\x23\x40\x68\x98\x6b\x17\x40\x2e\xdc\x89\x7d"] = CTInfo($description="Sectigo 'Sabre2025h2'", $operator="Sectigo", $url="https://sabre2025h2.ct.sectigo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x85\x13\x11\x2d\x7b\xf3\x93\x81\xe4\xb9\x7c\xd9\x64\x3b\xe7\xb5\x83\x99\x66\x79\x59\x47\x6a\x42\x5e\xd6\xbd\x63\x2e\xb7\x91\x4b\xae\xbc\x56\xc4\xc5\x6e\x09\xa0\xd7\x64\x1a\xc8\xc1\xaf\x89\x8b\xf5\x58\xd8\xba\xeb\x7b\x83\x52\xe9\xf4\xe0\xa5\xcd\xcd\x92\xcc"), -["\x6f\x53\x76\xac\x31\xf0\x31\x19\xd8\x99\x00\xa4\x51\x15\xff\x77\x15\x1c\x11\xd9\x02\xc1\x00\x29\x06\x8d\xb2\x08\x9a\x37\xd9\x13"] = CTInfo($description="Sectigo 'Mammoth' CT log", $operator="Sectigo", $url="https://mammoth.ct.comodo.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xef\xe4\x7d\x74\x2e\x15\x15\xb6\xe9\xbb\x23\x8b\xfb\x2c\xb5\xe1\xc7\x80\x98\x47\xfb\x40\x69\x68\xfc\x49\xad\x61\x4e\x83\x47\x3c\x1a\xb7\x8d\xdf\xff\x7b\x30\xb4\xba\xff\x2f\xcb\xa0\x14\xe3\xad\xd5\x85\x3f\x44\x59\x8c\x8c\x60\x8b\xd7\xb8\xb1\xbf\xae\x8c\x67"), ["\x29\xd0\x3a\x1b\xb6\x74\xaa\x71\x1c\xd3\x03\x5b\x65\x57\xc1\x4f\x8a\xa7\x8b\x4f\xe8\x38\x94\x49\xec\xa4\x53\xf9\x44\xbd\x24\x68"] = CTInfo($description="Sectigo 'Mammoth2024h1'", $operator="Sectigo", $url="https://mammoth2024h1.ct.sectigo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa4\x59\x90\xf3\x71\x24\x24\xf7\xc3\x55\x27\x56\x9c\xa3\x59\x1e\xf7\xb7\x9f\xce\xab\x4e\x19\x66\x4d\xd0\x8a\xfa\x9d\x62\xa4\x24\xf0\x3b\x20\xe4\x1d\x14\x67\xc8\xfc\xe4\x37\xf2\x4b\x38\x54\x5a\xcf\x9f\x6b\x07\x90\xd0\x0e\x7e\x3d\x4c\x87\xb2\xe8\x3f\x07\xcc"), ["\x50\x85\x01\x58\xdc\xb6\x05\x95\xc0\x0e\x92\xa8\x11\x02\xec\xcd\xfe\x3f\x6b\x78\x58\x42\x9f\x57\x98\x35\x38\xc9\xda\x52\x50\x63"] = CTInfo($description="Sectigo 'Mammoth2024h1b'", $operator="Sectigo", $url="https://mammoth2024h1b.ct.sectigo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\xd5\x07\x28\x7a\x04\x34\xae\xca\xbe\x80\x79\x4f\x3e\xf6\x41\xf4\x24\x04\xe1\xd6\x36\x5a\x1a\x09\xf2\xd1\xba\x84\x17\xae\x1e\xa1\x7c\x00\x1d\x54\x73\x90\x75\x21\xa8\xd1\xda\x5e\x10\xe1\x8c\xec\xb2\x8a\x8c\xc8\xe7\xdd\xcd\xe2\x07\xf0\x4e\x16\x02\x57\x37"), ["\xdf\xe1\x56\xeb\xaa\x05\xaf\xb5\x9c\x0f\x86\x71\x8d\xa8\xc0\x32\x4e\xae\x56\xd9\x6e\xa7\xf5\xa5\x6a\x01\xd1\xc1\x3b\xbe\x52\x5c"] = CTInfo($description="Sectigo 'Mammoth2024h2'", $operator="Sectigo", $url="https://mammoth2024h2.ct.sectigo.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x85\x66\x22\x24\x6e\xbe\x52\x62\x0a\xa0\xaf\xc3\x25\x1a\x36\x2e\xa7\x60\x89\xa2\x65\xbf\xa4\x5f\xbd\x85\x6a\x94\x05\x81\x35\x90\x54\x31\x95\xe7\x11\x9e\xa3\x2e\x0f\x85\xef\xa7\x88\x57\x8b\x63\x1a\x81\xc1\x41\x9d\x7d\xec\x01\x3a\xdb\xb9\xc1\x27\xf4\x65\x1e"), 
@@ -39,4 +50,6 @@ redef ct_logs += { ["\x87\x4f\xb5\x0d\xc0\x29\xd9\x93\x1d\xe5\x73\xe9\xf2\x89\x9e\x8e\x45\x33\xb3\x92\xd3\x8b\x0a\x46\x25\x74\xbf\x0f\xee\xb2\xfc\x1e"] = CTInfo($description="Trust Asia Log2024-2", $operator="TrustAsia", $url="https://ct2024.trustasia.com/log2024/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa7\x64\xe2\x79\x81\x3f\x61\xd7\xec\xc6\xf8\x65\x28\x1d\xa0\xb4\x66\x33\xc3\x25\xd5\x0a\x95\x78\x9c\x8f\xfe\xa4\x2a\xd8\x8f\x7e\x72\xe0\xfe\xa8\x7f\xf8\xb1\x2d\x85\xc0\x8e\x12\x74\x0d\x2f\x8c\xab\xd7\x7f\x7a\x1e\xd9\x84\x33\x39\xe8\xfd\x89\x5f\x96\x48\x08"), ["\x28\xe2\x81\x38\xfd\x83\x21\x45\xe9\xa9\xd6\xaa\x75\x37\x6d\x83\x77\xa8\x85\x12\xb3\xc0\x7f\x72\x41\x48\x21\xdc\xbd\xe9\x8c\x66"] = CTInfo($description="TrustAsia Log2025a", $operator="TrustAsia", $url="https://ct2025-a.trustasia.com/log2025a/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x70\xe5\xb1\xa4\x09\x79\x2b\x9d\xf8\xa3\xa0\xdf\x18\xef\x95\x5d\x03\x6c\x7b\xa1\x91\xa9\xb8\x80\x7d\xec\x5c\x02\x08\xe2\x6e\x2f\x7c\x32\x70\xbd\x96\x84\x5f\xa6\x62\xe9\x65\xb5\x7c\x90\x58\xba\x22\xd5\xf9\xf5\x69\x54\xb7\xa8\x94\x4e\x32\x09\xae\x26\x11\x4d"), ["\x28\x2c\x8b\xdd\x81\x0f\xf9\x09\x12\x0a\xce\x16\xd6\xe0\xec\x20\x1b\xea\x82\xa3\xa4\xaf\x19\xd9\xef\xfb\x59\xe8\x3f\xdc\x42\x68"] = CTInfo($description="TrustAsia Log2025b", $operator="TrustAsia", $url="https://ct2025-b.trustasia.com/log2025b/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xaa\xa0\x8b\xdb\x67\x14\x5d\x97\x89\x1d\x08\x8d\x06\xd7\xc1\x94\x8e\xb0\xfa\x4c\x46\xd5\x53\x08\x78\x2b\x04\x53\x6c\xf3\xde\xb1\xd1\x53\x40\xda\x90\x57\xe6\x1a\x9e\x3c\xc7\x03\xb8\xbd\x2f\xa9\xcf\xe8\x7b\x5e\xe1\x4b\x60\xe5\x38\x43\x60\x97\xc1\x5b\x2f\x65"), 
+["\x74\xdb\x9d\x58\xf7\xd4\x7e\x9d\xfd\x78\x7a\x16\x2a\x99\x1c\x18\xcf\x69\x8d\xa7\xc7\x29\x91\x8c\x9a\x18\xb0\x45\x0d\xba\x44\xbc"] = CTInfo($description="TrustAsia 'log2026a'", $operator="TrustAsia", $url="https://ct2026-a.trustasia.com/log2026a/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa7\x4e\x7a\xc9\xa6\x07\xf9\xff\x74\xec\x98\xcb\x49\xe1\x00\x24\xb3\x59\x2e\x83\xfd\xc0\x70\x35\x33\x4c\x63\xca\x74\x83\xc0\x3c\x5b\x53\x40\x7c\x31\x1f\x35\xa4\x5f\x0f\xe4\xee\x4f\x89\x17\xe8\x5b\x2e\xc5\xac\x00\x05\xc9\x76\x37\x45\x97\x03\x15\xff\x60\x59"), +["\x25\xb7\xef\xde\xa1\x13\x01\x93\xed\x93\x07\x97\x70\xaa\x32\x2a\x26\x62\x0d\xe3\x5a\xc8\xaa\x7c\x75\x19\x7d\xe0\xb1\xa9\xe0\x65"] = CTInfo($description="TrustAsia 'log2026b'", $operator="TrustAsia", $url="https://ct2026-b.trustasia.com/log2026b/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0f\x12\x8c\xa9\xe6\xe3\xec\x62\xee\xdf\x58\xc8\x50\xe6\x26\x70\x76\x10\xb7\x04\x39\xb3\xa7\xf8\x4c\x73\x3b\xc3\x38\x5a\x12\x00\x4c\xe0\xda\x0e\x16\x8a\x45\x32\x0a\x31\xaa\x22\xc7\x9d\x7d\x05\x53\xc7\x9e\x94\xea\x9b\x57\x46\xbf\x4f\xa4\x7e\xfb\xdf\xfa\x85"), }; diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.zeek b/scripts/base/protocols/ssl/mozilla-ca-list.zeek index 1206908a10..e308f1fb75 100644 --- a/scripts/base/protocols/ssl/mozilla-ca-list.zeek +++ b/scripts/base/protocols/ssl/mozilla-ca-list.zeek @@ -1,6 +1,6 @@ # Don't edit! This file is automatically generated. -# Generated at: 2024-02-23 11:28:07 +0000 -# Generated from: NSS 3.98 +# Generated at: 2024-07-23 16:04:06 +0100 +# Generated from: NSS 3.102 # # The original source file comes with this licensing statement: # 
@@ -158,4 +158,5 @@ redef root_certs += { ["CN=CommScope Public Trust RSA Root-02,O=CommScope,C=US"] = "\x30\x82\x05\x6C\x30\x82\x03\x54\xA0\x03\x02\x01\x02\x02\x14\x54\x16\xBF\x3B\x7E\x39\x95\x71\x8D\xD1\xAA\x00\xA5\x86\x0D\x2B\x8F\x7A\x05\x4E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x43\x6F\x6D\x6D\x53\x63\x6F\x70\x65\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x43\x6F\x6D\x6D\x53\x63\x6F\x70\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x54\x72\x75\x73\x74\x20\x52\x53\x41\x20\x52\x6F\x6F\x74\x2D\x30\x32\x30\x1E\x17\x0D\x32\x31\x30\x34\x32\x38\x31\x37\x31\x36\x34\x33\x5A\x17\x0D\x34\x36\x30\x34\x32\x38\x31\x37\x31\x36\x34\x32\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x43\x6F\x6D\x6D\x53\x63\x6F\x70\x65\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x43\x6F\x6D\x6D\x53\x63\x6F\x70\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x54\x72\x75\x73\x74\x20\x52\x53\x41\x20\x52\x6F\x6F\x74\x2D\x30\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xE1\xFA\x0E\xFB\x68\x00\x12\xC8\x4D\xD5\xAC\x22\xC4\x35\x01\x3B\xC5\x54\xE5\x59\x76\x63\xA5\x7F\xEB\xC1\xC4\x6A\x98\xBD\x32\x8D\x17\x80\xEB\x5D\xBA\xD1\x62\x3D\x25\x23\x19\x35\x14\xE9\x7F\x89\xA7\x1B\x62\x3C\xD6\x50\xE7\x34\x95\x03\x32\xB1\xB4\x93\x22\x3D\xA7\xE2\xB1\xED\xE6\x7B\x4E\x2E\x87\x9B\x0D\x33\x75\x0A\xDE\xAA\x35\xE7\x7E\xE5\x36\x98\xA2\xAE\x25\x9E\x95\xB3\x32\x96\xA4\x2B\x58\x1E\xEF\x3F\xFE\x62\x34\x48\x51\xD1\xB4\x8D\x42\xAD\x60\xDA\x49\x6A\x95\x70\xDD\xD2\x00\xE2\xCC\x57\x63\x02\x7B\x96\xDD\x49\x97\x5B\x92\x4E\x95\xD3\xF9\xCB\x29\x1F\x18\x4A\xF8\x01\x2A\xD2\x63\x09\x6E\x24\xE9\x89\xD2\xE5\xC7\x22\x4C\xDC\x73\x86\x47\x00\xAA\x0D\x88\x8E\xAE\x85\x7D\x4A\xE9\xBB\x33\x4F\x0E\x52\x70\x9D\x95\xE3\x7C\x6D\x96\x5B\x2D\x3D\x5F\xA1\x83\x46\x5D\xB6\xE3\x25\xB8\x7C\xA7\x19\x80\x1C\xEA
\x65\x43\xDC\x91\x79\x36\x2C\x74\x7C\xF2\x67\x06\xC9\x89\xC9\xDB\xBF\xDA\x68\xBF\x23\xED\xDC\x6B\xAD\x28\x83\x79\x2F\xEC\x38\xA5\x0D\x37\x01\x67\x27\x9A\xE9\x33\xD9\x33\x5F\x37\xA1\xC5\xF0\xAB\x3D\xFA\x78\xB0\xE7\x2C\x9F\xF6\x3E\x9F\x60\xE0\xEF\x48\xE9\x90\x45\x1E\x05\x51\x78\x1A\x2C\x12\x2C\x5C\x28\xAC\x0D\xA2\x23\x9E\x34\x8F\x05\xE6\xA2\x33\xCE\x11\x77\x13\xD4\x0E\xA4\x1E\x42\x1F\x86\xCD\x70\xFE\xD9\x2E\x15\x3D\x1D\xBB\xB8\xF2\x53\x57\xDB\xCC\xC6\x74\x29\x9C\x18\xB3\x36\x75\x38\x2E\x0F\x54\xA1\xF8\x92\x1F\x89\x96\x4F\xBB\xD4\xEE\x9D\xE9\x3B\x36\x42\xB5\x0A\x3B\x2A\xD4\x64\x79\x36\x10\xE1\xF9\x91\x03\x2B\x7B\x20\x54\xCD\x0D\x19\x1A\xC8\x41\x32\x34\xD1\xB0\x99\xE1\x90\x1E\x01\x40\x36\xB5\xB7\xFA\xA9\xE5\x77\x75\xA4\x22\x81\x5D\xB0\x8B\xE4\x27\x12\x0F\x54\x88\xC6\xDB\x85\x74\xE6\xB7\xC0\xD7\xA6\x29\xFA\xDB\xDE\xF3\x93\x97\x27\x04\x55\x2F\x0A\x6F\x37\xC5\x3D\x13\xAF\x0A\x00\xA9\x2C\x8B\x1C\x81\x28\xD7\xEF\x86\x31\xA9\xAE\xF2\x6E\xB8\xCA\x6A\x2C\x54\x47\xD8\x2A\x88\x2E\xAF\xC1\x07\x10\x78\xAC\x11\xA2\x2F\x42\xF0\x37\xC5\xF2\xB8\x56\xDD\x0E\x62\x2D\xCE\x2D\x56\x7E\x55\xF2\xA7\x44\xF6\x2B\x32\xF4\x23\xA8\x47\xE8\xD4\x2A\x01\x78\xCF\x6A\xC3\x37\xA8\x9E\x65\xD2\x2C\xE5\xFA\xBA\x33\xC1\x06\x44\xF6\xE6\xCF\xA5\x0D\xA7\x66\x08\x34\x8A\x2C\xF3\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x47\xD0\xE7\xB1\x22\xFF\x9D\x2C\xF5\xD9\x57\x60\xB3\xB1\xB1\x70\x95\xEF\x61\x7A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x86\x69\xB1\x4D\x2F\xE9\x9F\x4F\x22\x93\x68\x8E\xE4\x21\x99\xA3\xCE\x45\x53\x1B\x73\x44\x53\x00\x81\x61\xCD\x31\xE3\x08\xBA\x81\x28\x28\x7A\x92\xB9\xB6\xA8\xC8\x43\x9E\xC7\x13\x26\x4D\xC2\xD8\xE5\x55\x9C\x92\x5D\x50\xD8\xC2\x2B\xDB\xFE\xE6\xA8\x97\xCF\x52\x3A\x24\xC3\x65\x64\x5C\x47\x31\xA3\x65\x35\x13\xC3\x93\xB9\xF7\xF9\x51\x97\xBB\xA4\xF0\x62\x87\xC5\xD6\x06\xD3\x97\x83
\x20\xA9\x7E\xBB\xB6\x21\xC2\xA5\x0D\x84\x00\xE1\xF2\x27\x10\x83\xBA\xDD\x03\x81\xD5\xDD\x68\xC3\x66\x10\xC8\xD1\x76\xB4\xB3\x6F\x29\x9E\x00\xF9\xC2\x29\xF5\xB1\x93\x19\x52\x69\x1A\x2C\x4C\xA0\x8B\xE0\x15\x9A\x31\x2F\xD3\x88\x95\x59\x6E\xE5\xC4\xB3\x50\xC8\x14\x08\x4A\x9B\x8B\x13\x83\xB1\xA4\x72\xB2\x3B\x76\x33\x41\xDC\xDC\xAA\xA6\x07\x6F\x1D\x24\x12\x9F\xC8\x76\xBD\x2F\xD9\x8E\xF4\x2C\xEE\xB7\xD2\x38\x10\x24\x36\x51\x2F\xE3\x5C\x5D\x81\x21\xA7\xDA\xBB\x4E\xFF\xE6\x07\xA8\xFE\xB9\x0D\x27\x6C\xBB\x70\x5A\x55\x7A\x13\xE9\xF1\x2A\x49\x69\xC7\x5F\x87\x57\x4C\x43\x79\x6D\x3A\x65\xE9\x30\x5C\x41\xEE\xEB\x77\xA5\x73\x12\x88\xE8\xBF\x7D\xAE\xE5\xC4\xA8\x1F\x0D\x8E\x1C\x6D\x50\x02\x4F\x26\x18\x43\xDE\x8F\x55\x85\xB1\x0B\x37\x05\x60\xC9\x55\x39\x12\x04\xA1\x2A\xCF\x71\x16\x9F\x36\x51\x49\xBF\x70\x3B\x9E\x67\x9C\xFB\x7B\x79\xC9\x39\x1C\x78\xAC\x77\x91\x54\x9A\xB8\x75\x0A\x81\x52\x97\xE3\x66\x61\x6B\xED\x3E\x38\x1E\x96\x61\x55\xE1\x91\x54\x8C\xED\x8C\x24\x1F\x81\xC9\x10\x9A\x73\x99\x2B\x16\x4E\x72\x00\x3F\x54\x1B\xF8\x8D\xBA\x8B\xE7\x14\xD6\xB6\x45\x4F\x60\xEC\x96\xAE\xC3\x2F\x02\x4E\x5D\x9D\x96\x49\x72\x00\xB2\xAB\x75\x5C\x0F\x68\x5B\x1D\x65\xC2\x5F\x33\x0F\x1E\x0F\xF0\x3B\x86\xF5\xB0\x4E\xBB\x9C\xF7\xEA\x25\x05\xDC\xAD\xA2\x9B\x4B\x17\x01\xBE\x42\xDF\x35\x21\x1D\xAD\xAB\xAE\xF4\xBF\xAE\x1F\x1B\xD3\xE2\x3B\xFC\xB3\x72\x73\x1C\x9B\x28\x90\x89\x13\x3D\x1D\xC1\x00\x47\x09\x96\x9A\x38\x1B\xDD\xB1\xCF\x0D\xC2\xB4\x44\xF3\x96\x95\xCE\x32\x3A\x8F\x34\x9C\xE0\x17\xC7\x5E\xCE\xAE\x0D\xDB\x87\x38\xE5\x3F\x5B\xFD\x9B\x19\xE1\x31\x41\x7A\x70\xAA\x23\x6B\x01\xE1\x45\x4C\xCD\x94\xCE\x3B\x9E\x2D\xE7\x88\x02\x22\xF4\x6E\xE8\xC8\xEC\xD6\x3C\xF3\xB9\xB2\xD7\x77\x7A\xAC\x7B", ["CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE"] = 
"\x30\x82\x02\x42\x30\x82\x01\xC9\xA0\x03\x02\x01\x02\x02\x10\x36\x3A\x96\x8C\xC9\x5C\xB2\x58\xCD\xD0\x01\x5D\xC5\xE5\x57\x00\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x0C\x1E\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x47\x6D\x62\x48\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x4C\x53\x20\x45\x43\x43\x20\x52\x6F\x6F\x74\x20\x32\x30\x32\x30\x30\x1E\x17\x0D\x32\x30\x30\x38\x32\x35\x30\x37\x34\x38\x32\x30\x5A\x17\x0D\x34\x35\x30\x38\x32\x35\x32\x33\x35\x39\x35\x39\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x0C\x1E\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x47\x6D\x62\x48\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x4C\x53\x20\x45\x43\x43\x20\x52\x6F\x6F\x74\x20\x32\x30\x32\x30\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xCE\xBF\xFE\x57\xA8\xBF\xD5\xAA\xF7\x10\x9A\xCD\xBC\xD1\x11\xA2\xBD\x67\x42\xCC\x90\xEB\x15\x18\x90\xD9\xA2\xCD\x0C\x2A\x25\xEB\x3E\x4F\xCE\xB5\xD2\x8F\x0F\xF3\x35\xDA\x43\x8B\x02\x80\xBE\x6F\x51\x24\x1D\x0F\x6B\x2B\xCA\x9F\xC2\x6F\x50\x32\xE5\x37\x20\xB6\x20\xFF\x88\x0D\x0F\x6D\x49\xBB\xDB\x06\xA4\x87\x90\x92\x94\xF4\x09\xD0\xCF\x7F\xC8\x80\x0B\xC1\x97\xB3\xBB\x35\x27\xC9\xC2\x1B\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\x72\xCC\x6E\x95\x99\x47\xB1\xE6\xB3\x61\x4C\xD1\xCB\xAB\xE3\xBA\xCD\xDE\x9F\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x67\x00\x30\x64\x02\x30\x75\x52\x8B\xB7\xA4\x10\x4F\xAE\x4A\x10\x8B\xB2\x84\x5B\x42\xE
1\xE6\x2A\x36\x02\xDA\xA0\x6E\x19\x3F\x25\xBF\xDA\x59\x32\x8E\xE4\xFB\x90\xDC\x93\x64\xCE\xAD\xB4\x41\x47\x60\xE2\xCF\xA7\xCB\x1E\x02\x30\x37\x41\x8C\x66\xDF\x41\x6B\xD6\x83\x00\x41\xFD\x2F\x5A\xF7\x50\xB4\x67\xD1\x2C\xA8\x71\xD7\x43\xCA\x9C\x27\x24\x91\x83\x48\x0D\xCF\xCD\xF7\x54\x81\xAF\xEC\x7F\xE4\x67\xDB\xB8\x90\xEE\xDD\x25", ["CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE"] = "\x30\x82\x05\xB3\x30\x82\x03\x9B\xA0\x03\x02\x01\x02\x02\x10\x21\x9C\x54\x2D\xE8\xF6\xEC\x71\x77\xFA\x4E\xE8\xC3\x70\x57\x97\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x0C\x1E\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x47\x6D\x62\x48\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x4C\x53\x20\x52\x53\x41\x20\x52\x6F\x6F\x74\x20\x32\x30\x32\x33\x30\x1E\x17\x0D\x32\x33\x30\x33\x32\x38\x31\x32\x31\x36\x34\x35\x5A\x17\x0D\x34\x38\x30\x33\x32\x37\x32\x33\x35\x39\x35\x39\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x0C\x1E\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x47\x6D\x62\x48\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x4C\x53\x20\x52\x53\x41\x20\x52\x6F\x6F\x74\x20\x32\x30\x32\x33\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xED\x35\xA1\x81\x80\xF3\xCB\x4A\x69\x5B\xC2\xFB\x51\x83\xAE\x26\xFD\xE1\x6E\xF3\x81\x12\x7D\x71\x40\xFF\x87\x75\x42\x29\x21\xED\x81\x52\x2C\xDF\x12\xC1\x19\x84\x89\xC1\xBD\xC5\x28\xD5\xD5\x4B\x6C\x44\xD6\x4C\xDB\x07\x96\x4A\x55\x7A\xCA\x36\x82\x04\x36\xA8\xA5\xFC\x27\xF6\x49\xF1\xD5\x72\x9E\x91\xF9\x23\xD6\x70\x7B\xBB\xF5\x9B\xC1\
xEC\x93\xCF\x19\xEA\x65\x7E\x88\x70\xA0\x73\xFC\xF6\xFF\xB5\x56\x62\xE1\x73\x6A\x34\x98\x3E\x82\xB8\xAC\x95\x53\xF4\x01\xA0\x27\x07\x72\xA3\x00\x53\xA0\xE4\xB2\xAB\x83\x38\x57\x33\x25\x94\x9F\xBE\x48\x1D\x98\xE1\xA3\xBA\x9E\x5C\xCD\x04\x71\x51\x7D\x75\x78\xAB\xF3\x59\xAA\xC4\xE0\x60\xBE\x8F\x83\x52\xB8\x75\x1A\x41\x35\xED\xBC\xF3\x3A\x63\xE9\xA9\x14\x45\xD7\xE6\x52\xD1\x6E\xD2\xDE\xBC\xE3\xF5\x0B\x3B\xE6\xE0\xC4\xBD\x43\x64\x13\xA6\xCE\xF4\x98\x37\x6C\x8A\x95\xA8\x97\xC8\x47\x0F\xF0\x5E\x10\x8B\xE7\x1D\x1C\xFE\xB1\x3B\xA0\x05\x33\x68\x05\x41\x82\xC1\x03\x2B\x01\xC8\xE7\x8F\x4D\xAB\xE8\xB5\xF6\xCD\x6B\x44\xB5\xE7\xDD\x8B\xEC\xEA\x25\xB4\x00\x22\x57\x4D\xB0\xB1\xB2\x31\xC1\x16\xCE\xFF\xFD\x14\x84\xB7\x47\xFA\xB2\xF1\x70\xDE\xDB\x8B\x6C\x36\x58\xA4\x7C\xB3\x11\xD1\xC3\x77\x7F\x5F\xB6\x25\xE0\x0D\xC5\xD2\xB3\xF9\xB8\xB8\x77\xDB\x37\x71\x71\x47\xE3\x60\x18\x4F\x24\xB6\x75\x37\x78\xB9\xA3\x62\xAF\xBD\xC9\x72\x8E\x2F\xCC\xBB\xAE\xDB\xE4\x15\x52\x19\x07\x33\xFB\x6A\xB7\x2D\x4B\x90\x28\x82\x73\xFE\x18\x8B\x35\x8D\xDB\xA7\x04\x6A\xBE\xEA\xC1\x4D\x36\x3B\x16\x36\x91\x32\xEF\xB6\x40\x89\x91\x43\xE0\xF2\xA2\xAB\x04\x2E\xE6\xF2\x4C\x0E\x16\x34\x20\xAC\x87\xC1\x2D\x7E\xC9\x66\x47\x17\x14\x11\xA4\xF3\xF7\xA1\x24\x89\xAB\xD8\x1A\xC8\xA1\x5C\xB1\xA3\xF7\x8C\x6D\xC8\x01\xC9\x4F\xC9\xEC\xC4\xFC\xAC\x51\x33\xD1\xC8\x83\xD1\xC9\x9F\x1D\xD4\x47\x34\x29\x3E\xCB\xB0\x0E\xFA\x83\x0B\x28\x58\xE5\x29\xDC\x3F\x7C\xA8\x9F\xC9\xB6\x0A\xBB\xA6\xE8\x46\x16\x0F\x96\xE5\x7B\xE4\x6A\x7A\x48\x6D\x76\x98\x05\xA5\xDC\x6D\x1E\x42\x1E\x42\xDA\x1A\xE0\x52\xF7\xB5\x83\xC0\x1A\x7B\x78\x35\x2C\x38\xF5\x1F\xFD\x49\xA3\x2E\xD2\x59\x63\xBF\x80\xB0\x8C\x93\x73\xCB\x35\xA6\x99\x95\x22\x61\x65\x03\x60\xFB\x2F\x93\x4B\xFA\x9A\x9C\x80\x3B\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB6\xA7\x97\x82\x3D\x74\x85\x9B\xF7\x3C\x9F\x93\x9A\x95\x79\x75\x52\x8C\x6D\x47\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\
x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xB6\xA7\x97\x82\x3D\x74\x85\x9B\xF7\x3C\x9F\x93\x9A\x95\x79\x75\x52\x8C\x6D\x47\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\xA8\xCC\x61\xA6\xBE\x75\x9E\x15\x50\xA4\x6B\xFB\xA8\x70\x45\x7C\xBA\x7E\xB1\x5A\xFC\x5B\x23\xFA\x0A\x77\xF8\x98\x71\x82\x0C\x6D\xE0\x5E\x46\xAA\x93\xF4\x1E\xA0\xC3\xE1\x93\xDB\x4B\xAD\xB2\xA6\x5D\xAB\xB0\xD4\x62\xCB\x5E\xBB\x66\xF5\x2D\xEE\x97\x40\x3C\x62\xEB\x5E\xD6\x14\xD6\x8C\xE2\x96\x8B\x41\x69\x93\x35\xE6\xB9\x99\x6B\x62\xB4\xA1\x17\x66\x34\xA6\x6B\x63\xC6\xB9\x4E\xF2\x22\xE9\x58\x0D\x56\x41\xD1\xFA\x0C\x4A\xF0\x33\xCD\x3B\xBB\x6D\x21\x3A\xAE\x8E\x72\xB5\xC3\x4A\xFB\xE9\x7D\xE5\xB1\x9B\x86\xEE\xE2\xE0\x7D\xB4\xF7\x32\xFD\x22\x84\xF1\x85\xC9\x37\x79\xE9\xB5\x3F\xBF\x5C\xE4\x74\xB2\x8F\x11\x62\x00\xDD\x18\x66\xA1\xD9\x7B\x23\x5F\xF1\x8E\xD5\x67\xE8\x54\xDA\x5B\x3A\x6B\x36\x6F\xF9\x81\xB1\x33\x47\x33\x77\x40\xF9\x52\xAA\xDD\xD4\x83\xCF\x85\x78\x99\x9A\x93\xB9\x73\x67\x42\x46\x11\x21\xEA\xFE\x0A\xA9\x1B\x1A\x65\x69\xB3\x8F\xAE\x16\xB6\xF6\x4B\x56\xB2\x2D\xF9\xA5\xC8\xEC\x3B\x62\xA3\xED\x6B\xD0\x4E\xD5\x40\x09\xA4\x1F\x98\xD7\x3A\xA5\x92\x59\x20\xE4\xB0\x7D\xCD\x5B\x73\x68\xBD\x6D\xC4\xA2\x13\x0E\x67\x19\xB8\x8D\x42\x7E\x6C\x0C\x9A\x6E\xA0\x24\x2D\xD5\x45\x1B\xDC\xC4\x02\x14\xFE\x85\x5B\x65\x97\xCA\x4E\x90\x50\x08\x7A\x42\x35\xF9\xEA\xC2\x66\xD4\xF8\x01\xAE\x1E\xB4\xBE\xC3\xA8\xEF\xFE\x76\x9A\xA2\xA6\x1F\x46\xF6\x84\xED\xFC\xDB\xCE\xC4\x02\xCE\x77\x48\x2C\x8C\xB2\xEC\xC3\x00\xA3\xEC\x2C\x55\x18\xC1\x7E\x19\xEE\xE1\x2F\xF2\xAD\x83\x9B\x9E\xAB\x19\xDF\xC6\x8A\x2F\x8C\x77\xE5\xB7\x05\xEC\x3B\xC1\xEC\xBE\x86\xB3\x86\xBC\xC0\xF7\xDC\xE7\xEA\x5B\xAE\xB2\xCC\xB5\x35\x86\x4B\xD0\xE2\x3F\xB6\xD8\xF8\x0E\x00\xEE\x5D\xE3\xF7\x8D\x58\xFF\xCF\x8B\x37\xE9\x63\x5F\x6E\xF7\x09\x71\x36\xC2\x12\x5D\x57\xF2\xC8\xB4\xCD\xF3\xEE\x02\xDF\x11\xDC\x6A\xB9\x57\x84\x1D\x59\x4D\x8C\xCE\xC8\x0E\x23\xC2\xB7\x26\x9A\x10\x14\x71\xFE\x93\xB2\x8A\xB8\x80\xF0\x0E\x10\x9E\xD3\xA8\x50\
x0C\x37\x82\x2F\xEA\xE0\x8A\x9D\xE1\x2C\x39\xFF\xB5\xB4\x73\x00\xE4\xF7\x48\xA6\x73\xAC\xBF\xB2\xDE\x77\x04\x87\xB4\xA3\xCD\x9B\x35\x24\x37\xFA\x90\x93\x13\x81\x42\xC6\x98\x26\x75\x37\x66\x41\x10\xAC\xBB\xF5\x94\xE3\xC2\x31\x2B\xAD\xE7\x23\x56\xCC\x35\x25\x92\xB3\x50", + ["CN=FIRMAPROFESIONAL CA ROOT-A WEB,organizationIdentifier=VATES-A62634068,O=Firmaprofesional SA,C=ES"] = "\x30\x82\x02\x7A\x30\x82\x02\x00\xA0\x03\x02\x01\x02\x02\x10\x31\x97\x21\xED\xAF\x89\x42\x7F\x35\x41\x87\xA1\x67\x56\x4C\x6D\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x6E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x0C\x13\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x53\x41\x31\x18\x30\x16\x06\x03\x55\x04\x61\x0C\x0F\x56\x41\x54\x45\x53\x2D\x41\x36\x32\x36\x33\x34\x30\x36\x38\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x46\x49\x52\x4D\x41\x50\x52\x4F\x46\x45\x53\x49\x4F\x4E\x41\x4C\x20\x43\x41\x20\x52\x4F\x4F\x54\x2D\x41\x20\x57\x45\x42\x30\x1E\x17\x0D\x32\x32\x30\x34\x30\x36\x30\x39\x30\x31\x33\x36\x5A\x17\x0D\x34\x37\x30\x33\x33\x31\x30\x39\x30\x31\x33\x36\x5A\x30\x6E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x0C\x13\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x53\x41\x31\x18\x30\x16\x06\x03\x55\x04\x61\x0C\x0F\x56\x41\x54\x45\x53\x2D\x41\x36\x32\x36\x33\x34\x30\x36\x38\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x46\x49\x52\x4D\x41\x50\x52\x4F\x46\x45\x53\x49\x4F\x4E\x41\x4C\x20\x43\x41\x20\x52\x4F\x4F\x54\x2D\x41\x20\x57\x45\x42\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x47\x53\xEA\x2C\x11\xA4\x77\xC7\x2A\xEA\xF3\xD6\x5F\x7B\xD3\x04\x91\x5C\xFA\x88\xC6\x22\xB9\x83\x10\x62\x77\x84\x33\x2D\xE9\x03\x88\xD4\xE0\x33\xF7\xED\x77\x2C\x4A\x60\xEA\xE4\x6F\xAD\x6D\xB4\xF8\x4C\x8A\xA4\xE4\x1F\xCA\xEA\x4F\x38\x4A\x2E\x82\x73\x2B\xC7\x66\x9B\x0A\x8C\x40\x9C\x7C\x8A\xF6\xF2\x39\x60\xB2\xDE\xCB\xEC\xB8\xE4\
x6F\xEA\x9B\x5D\xB7\x53\x90\x18\x32\x55\xC5\x20\xB7\x94\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x93\xE1\x43\x63\x5C\x3C\x9D\xD6\x27\xF3\x52\xEC\x17\xB2\xA9\xAF\x2C\xF7\x76\xF8\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x93\xE1\x43\x63\x5C\x3C\x9D\xD6\x27\xF3\x52\xEC\x17\xB2\xA9\xAF\x2C\xF7\x76\xF8\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x1D\x7C\xA4\x7B\xC3\x89\x75\x33\xE1\x3B\xA9\x45\xBF\x46\xE9\xE9\xA1\xDD\xC9\x22\x16\xB7\x47\x11\x0B\xD8\x9A\xBA\xF1\xC8\x0B\x70\x50\x53\x02\x91\x70\x85\x59\xA9\x1E\xA4\xE6\xEA\x23\x31\xA0\x00\x02\x31\x00\xFD\xE2\xF8\xB3\xAF\x16\xB9\x1E\x73\xC4\x96\xE3\xC1\x30\x19\xD8\x7E\xE6\xC3\x97\xDE\x1C\x4F\xB8\x89\x2F\x33\xEB\x48\x0F\x19\xF7\x87\x46\x5D\x26\x90\xA5\x85\xC5\xB9\x7A\x94\x3E\x87\xA8\xBD\x00", }; diff --git a/scripts/policy/frameworks/notice/community-id.zeek b/scripts/policy/frameworks/notice/community-id.zeek index a1b9a65659..8dc71b1561 100644 --- a/scripts/policy/frameworks/notice/community-id.zeek +++ b/scripts/policy/frameworks/notice/community-id.zeek @@ -20,6 +20,12 @@ export { hook Notice::notice(n: Notice::Info) { - if ( CommunityID::Notice::enabled && n?$conn ) - n$community_id = community_id_v1(n$conn$id, CommunityID::seed, CommunityID::do_base64); + if ( CommunityID::Notice::enabled && n?$conn && n$conn?$conn ) + { + local info = n$conn$conn; + # This is set during new_connection(), so it should + # always be there, but better safe than sorry. + if ( info?$community_id ) + n$community_id = info$community_id; + } } diff --git a/scripts/policy/frameworks/telemetry/prometheus.zeek b/scripts/policy/frameworks/telemetry/prometheus.zeek index 2b2ac4d255..a7d0226d73 100644 --- a/scripts/policy/frameworks/telemetry/prometheus.zeek +++ b/scripts/policy/frameworks/telemetry/prometheus.zeek 
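Review bot: The rewritten `Notice::notice` hook silently leaves `n$community_id` unset whenever `n$conn?$conn` is false or `info?$community_id` is missing, whereas the removed line computed the ID from `n$conn$id` for any notice that carried a connection. Both gaps look reachable: a notice raised before the `new_connection` handler in community-id-logging has run, or a deployment that loads this policy without that one (inferred; the script's `@load` lines are outside the hunk). Keeping the old computation as the fallback preserves the previous behaviour, e.g. an `else` on the `info?$community_id` test and on the outer condition: `n$community_id = community_id_v1(n$conn$id, CommunityID::seed, CommunityID::do_base64);`. The comment "better safe than sorry" should then say what happens in the fallback case rather than implying the field may just be absent.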
@@ -1,19 +1,2 @@ -##! In a cluster configuration, open the port number for metrics -##! from the cluster node configuration for exporting data to -##! Prometheus. -##! -##! The manager node will also provide a ``/services.json`` endpoint -##! for the HTTP Service Discovery system in Prometheus to use for -##! configuration. This endpoint will include information for all of -##! the other nodes in the cluster. -@load base/frameworks/cluster - -@if ( Cluster::is_enabled() ) - -redef Telemetry::metrics_endpoint_name = Cluster::node; - -@if ( Cluster::local_node_metrics_port() != 0/unknown ) -redef Telemetry::metrics_port = Cluster::local_node_metrics_port(); -@endif - -@endif +@deprecated "Remove in v7.1: Cluster nodes now implicitly listen on metrics port if set in cluster-layout." +@load base/frameworks/telemetry diff --git a/scripts/policy/protocols/conn/community-id-logging.zeek b/scripts/policy/protocols/conn/community-id-logging.zeek index a08430727b..be8a7f8b7f 100644 --- a/scripts/policy/protocols/conn/community-id-logging.zeek +++ b/scripts/policy/protocols/conn/community-id-logging.zeek @@ -17,7 +17,10 @@ export { }; } -event connection_state_remove(c: connection) +module Conn; + +event new_connection(c: connection) &priority=5 { + Conn::set_conn(c, F); # likely first to access :-/ c$conn$community_id = community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64); } diff --git a/scripts/policy/protocols/http/detect-sqli.zeek b/scripts/policy/protocols/http/detect-sqli.zeek index 1a62c552fb..ed1a687f29 100644 --- a/scripts/policy/protocols/http/detect-sqli.zeek +++ b/scripts/policy/protocols/http/detect-sqli.zeek 
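Review bot: The comment `# likely first to access :-/` on the new `Conn::set_conn(c, F)` line does not tell a reader what the call guards against, and the preceding `module Conn;` switch is equally unexplained. From the `&priority=5` it appears this handler can run before the conn framework has populated `c$conn`, and the module switch presumably exists because `set_conn` is not exported (both inferred; the declaration is outside the hunk). Suggest replacing the comment with `# At &priority=5 this may run before base/protocols/conn creates c$conn, so create it here.` and adding one line above `module Conn;` stating why the module change is required. Note also that `module Conn;` applies to everything that follows in the file, which is outside the hunk.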
@@ -46,11 +46,11 @@ export { ## Regular expression is used to match URI based SQL injections. const match_sql_injection_uri = - /[\?&][^[:blank:]\x00-\x1f\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f]|\/\*.*?\*\/)+/ - | /[\?&][^[:blank:]\x00-\x1f\|]+?=[\-0-9%]+([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x1f]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/ - | /[\?&][^[:blank:]\x00-\x1f]+?=[\-0-9%]*([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/ - | /[\?&][^[:blank:]\x00-\x1f\|]+?=([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/ - | /[\?&][^[:blank:]\x00-\x1f]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ + /[\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+/ 
+ | /[\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-0-9%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/ + | /[\?&][^[:blank:]\x00-\x1f\+]+?=[\-0-9%]*([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/ + | /[\?&][^[:blank:]\x00-\x1f\|\+]+?=([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/ + | /[\?&][^[:blank:]\x00-\x1f\+]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/ | /\/\*![[:digit:]]{5}.*?\*\// &redef; ## A hook that can be used to prevent specific requests from being counted diff --git a/scripts/site/local.zeek b/scripts/site/local.zeek index 71251c0cb1..d92ccdd5a6 100644 --- a/scripts/site/local.zeek +++ b/scripts/site/local.zeek @@ -94,10 +94,6 @@ redef digest_salt = "Please change this value."; # telemetry_histogram.log. @load frameworks/telemetry/log -# Enable Prometheus metrics scraping in the cluster: each Zeek node will listen -# on the metrics port defined in its Cluster::nodes entry. -# @load frameworks/telemetry/prometheus - # Uncomment the following line to enable detection of the heartbleed attack. Enabling # this might impact performance a bit. # @load policy/protocols/ssl/heartbleed diff --git a/src/Conn.h b/src/Conn.h index f6ec77e59a..269f432409 100644 --- a/src/Conn.h +++ b/src/Conn.h 
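Review bot: In the third alternative of the new `match_sql_injection_uri`, the group right after the quote character still reads `([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*` without the `\+` that every other whitespace group in the rewrite received, so a form-encoded space between the quote and the `-`/`=`/`+`/`||` operator is not accepted by that branch. If that is deliberate (to keep the following `\+` operator alternative unambiguous), a comment above the constant should say so; otherwise `([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*` restores consistency with the other four patterns. Independently, nothing documents that `\+` in these classes stands for a `+`-encoded space in the URI, which a `## ` line on the constant would make clear to the next person who edits these expressions.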
@@ -201,6 +201,9 @@ public: bool PermitWeird(const char* name, uint64_t threshold, uint64_t rate, double duration); + // Returns true once Done() is called. + bool IsFinished() { return finished; } + private: friend class session::detail::Timer; diff --git a/src/DFA.cc b/src/DFA.cc index b9d62f8db4..9de8c025c9 100644 --- a/src/DFA.cc +++ b/src/DFA.cc @@ -2,8 +2,6 @@ #include "zeek/DFA.h" -#include "zeek/zeek-config.h" - #include "zeek/Desc.h" #include "zeek/EquivClass.h" #include "zeek/Hash.h" @@ -265,9 +263,9 @@ DFA_State_Cache::~DFA_State_Cache() { DFA_State* DFA_State_Cache::Lookup(const NFA_state_list& nfas, DigestStr* digest) { // We assume that state ID's don't exceed 10 digits, plus // we allow one more character for the delimiter. - auto id_tag_buf = std::make_unique(nfas.length() * 11 + 1); + auto id_tag_buf = std::make_unique(nfas.length() * 11 + 1); auto id_tag = id_tag_buf.get(); - u_char* p = id_tag; + char* p = id_tag; for ( int i = 0; i < nfas.length(); ++i ) { NFA_State* n = nfas[i]; @@ -287,7 +285,7 @@ DFA_State* DFA_State_Cache::Lookup(const NFA_state_list& nfas, DigestStr* digest // HashKey because the data is copied into the key. hash128_t hash; KeyedHash::Hash128(id_tag, p - id_tag, &hash); - *digest = DigestStr(reinterpret_cast(hash), 16); + *digest = DigestStr(reinterpret_cast(hash), 16); auto entry = states.find(*digest); if ( entry == states.end() ) { diff --git a/src/DFA.h b/src/DFA.h index 1bf2979ec3..7944a6053f 100644 --- a/src/DFA.h +++ b/src/DFA.h @@ -2,7 +2,7 @@ #pragma once -#include // for u_char +#include #include #include #include @@ -18,7 +18,7 @@ class DFA_Machine; // Transitions to the uncomputed state indicate that we haven't yet // computed the state to go to. -#define DFA_UNCOMPUTED_STATE -2 +#define DFA_UNCOMPUTED_STATE (-2) #define DFA_UNCOMPUTED_STATE_PTR ((DFA_State*)DFA_UNCOMPUTED_STATE) class DFA_State : public Obj { 
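Review bot: The new accessor `bool IsFinished() { return finished; }` is a read-only query and should be declared `const` so it is callable through a `const Connection*`: `bool IsFinished() const { return finished; }`. The comment `// Returns true once Done() is called.` leaves open whether the flag is already set while `Done()` is still executing; the later Analyzer.cc hunk relies on it being true "currently being finished (executing Done())", so if that holds the comment should state it explicitly (inferred; `Done()` is outside the hunk).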
@@ -67,7 +67,7 @@ protected: DFA_State* mark; }; -using DigestStr = std::basic_string; +using DigestStr = std::string; struct DFA_State_Cache_Stats { // Sum of all NFA states diff --git a/src/Expr.h b/src/Expr.h index 73929a2114..ffead932af 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -1642,6 +1642,9 @@ class CoerceToAnyExpr : public UnaryExpr { public: CoerceToAnyExpr(ExprPtr op); + bool IsReduced(Reducer* c) const override; + ExprPtr Reduce(Reducer* c, StmtPtr& red_stmt) override; + protected: ValPtr Fold(Val* v) const override; diff --git a/src/Obj.cc b/src/Obj.cc index a3b36dee76..5e346fead9 100644 --- a/src/Obj.cc +++ b/src/Obj.cc @@ -130,11 +130,14 @@ bool Obj::SetLocationInfo(const detail::Location* start, const detail::Location* // We already have a better location, so don't use this one. return true; - delete location; - - location = + auto new_location = new detail::Location(start->filename, start->first_line, end->last_line, start->first_column, end->last_column); + // Don't delete this until we've constructed the new location, in case + // "start" or "end" are our own location. + delete location; + location = new_location; + return true; } diff --git a/src/Stmt.cc b/src/Stmt.cc index a1edb51ee0..01e892ead0 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -1849,7 +1849,8 @@ void WhenInfo::Build(StmtPtr ws) { auto else_branch = timeout_s ? timeout_s : empty; auto do_bodies = make_intrusive(two_test, s, else_branch); - auto dummy_return = make_intrusive(true_const); + auto any_true_const = make_intrusive(true_const); + auto dummy_return = make_intrusive(any_true_const); auto shebang = make_intrusive(do_test, do_bodies, dummy_return); diff --git a/src/Timer.cc b/src/Timer.cc index ef2763071a..65bcae4c2b 100644 --- a/src/Timer.cc +++ b/src/Timer.cc 
@@ -2,14 +2,11 @@ #include "zeek/Timer.h" -#include "zeek/zeek-config.h" - #include "zeek/Desc.h" #include "zeek/NetVar.h" #include "zeek/RunState.h" #include "zeek/broker/Manager.h" #include "zeek/iosource/Manager.h" -#include "zeek/iosource/PktSrc.h" #include "zeek/util.h" namespace zeek::detail { diff --git a/src/Val.cc b/src/Val.cc index bf86360b70..e82f0e9c1b 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -3241,10 +3241,11 @@ bool VectorVal::Assign(unsigned int index, ValPtr element) { if ( yield_types ) { const auto& t = element->GetType(); - (*yield_types)[index] = t; + auto& yt_i = (*yield_types)[index]; auto& elem = vector_val[index]; if ( elem ) - ZVal::DeleteIfManaged(*elem, t); + ZVal::DeleteIfManaged(*elem, yt_i); + yt_i = t; elem = ZVal(std::move(element), t); } else { diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index e8f2b65d28..5db65b44a2 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -113,19 +113,7 @@ void Analyzer::CtorInit(const zeek::Tag& arg_tag, Connection* arg_conn) { Analyzer::~Analyzer() { assert(finished); - - // Make sure any late entries into the analyzer tree are handled (e.g. - // from some Done() implementation). - LOOP_OVER_GIVEN_CHILDREN(i, new_children) { - if ( ! (*i)->finished ) - (*i)->Done(); - } - - // Deletion of new_children done in separate loop in case a Done() - // implementation tries to inspect analyzer tree w/ assumption that - // all analyzers are still valid. - LOOP_OVER_GIVEN_CHILDREN(i, new_children) - delete *i; + assert(new_children.empty()); LOOP_OVER_CHILDREN(i) delete *i; 
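Review bot: The reordering in `VectorVal::Assign` is subtle and carries no comment: the old element must be released against the yield type it was stored under (`yt_i`) before `yt_i` is overwritten with the new element's type, which is exactly what the removed line got wrong by assigning first. Without a why-comment the next cleanup is likely to fold the two statements back together. Suggest above `auto& yt_i = (*yield_types)[index];`: `// Release the old element with the type it was stored under, then record the new type.`. The function continues outside the hunk.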
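Review bot: `assert(new_children.empty());` in `Analyzer::~Analyzer` is compiled out under NDEBUG, so in a release build an analyzer that still sits in `new_children` at destruction is now neither finished nor deleted, where the removed loops at least freed it. The guard added to `AddChildAnalyzer` in the following hunk is what is supposed to make this unreachable, but the destructor itself no longer enforces anything and a reader cannot see the dependency. Either add a comment naming the invariant, e.g. `// AddChildAnalyzer() refuses children once Removing()/IsFinished(), so none can be pending here.`, or report the condition through the reporter before the assert so a violation is visible in release builds. The destructor continues past the hunk.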
@@ -330,6 +318,30 @@ void Analyzer::ForwardEndOfData(bool orig) { bool Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init) { auto t = analyzer->GetAnalyzerTag(); + // Prevent attaching child analyzers to analyzer subtrees where + // either the parent has finished or is being removed. Further, + // don't attach analyzers when the connection has finished or is + // currently being finished (executing Done()). + // + // Scenarios in which analyzers have been observed that late in + // analyzer / connection lifetime are: + // + // * A DPD signature match on undelivered TCP data that is flushed + // during Connection::Done(). The PIA analyzer activates a new + // analyzer adding it to the TCP analyzer. + // + // * Analyzers flushing buffered state during Done(), resulting + // in new analyzers being created. + // + // Analyzers added during Done() are problematic as calling Done() + // within the parent's destructor isn't safe, so we prevent these + // situations. + if ( Removing() || IsFinished() || Conn()->IsFinished() ) { + analyzer->Done(); + delete analyzer; + return false; + } + if ( HasChildAnalyzer(t) || IsPreventedChildAnalyzer(t) ) { analyzer->Done(); delete analyzer; diff --git a/src/analyzer/protocol/finger/finger.spicy b/src/analyzer/protocol/finger/finger.spicy index dd07dbb7c3..0d6a8da54e 100644 --- a/src/analyzer/protocol/finger/finger.spicy +++ b/src/analyzer/protocol/finger/finger.spicy @@ -15,7 +15,7 @@ public type Request = unit { switch { -> : /\/W/ { self.whois = True; } - -> void; + -> : void; }; : OptionalWhiteSpace; diff --git a/src/analyzer/protocol/ldap/CMakeLists.txt b/src/analyzer/protocol/ldap/CMakeLists.txt index a687e880ff..3f69e6543d 100644 --- a/src/analyzer/protocol/ldap/CMakeLists.txt +++ b/src/analyzer/protocol/ldap/CMakeLists.txt 
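Review bot: The new early-return in `AddChildAnalyzer` discards the child without leaving any trace, so nobody can later tell that a DPD match on data flushed during `Connection::Done()` was dropped, even though the comment describes exactly the situations an operator debugging a missing analyzer would want to see. A debug line before the delete, e.g. `DBG_LOG(DBG_ANALYZER, "%s: not attaching %s, parent finished/removing or connection finished", GetAnalyzerName(), analyzer->GetAnalyzerName());`, keeps the drop observable in debug builds. Whether `Conn()` can be null at this point is not visible here; the existing `HasChildAnalyzer` path below does not dereference it, so it is worth confirming. `AddChildAnalyzer` continues outside the hunk.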
@@ -1,5 +1,5 @@ spicy_add_analyzer( NAME LDAP PACKAGE_NAME spicy-ldap - SOURCES ldap.spicy ldap.evt asn1.spicy - MODULES LDAP ASN1) + SOURCES ldap.spicy ldap.evt asn1.spicy ldap_zeek.spicy + MODULES LDAP ASN1 LDAP_Zeek) diff --git a/src/analyzer/protocol/ldap/ldap.evt b/src/analyzer/protocol/ldap/ldap.evt index 96baef6f98..77f34fb62e 100644 --- a/src/analyzer/protocol/ldap/ldap.evt +++ b/src/analyzer/protocol/ldap/ldap.evt @@ -41,3 +41,18 @@ on LDAP::SearchRequest -> event LDAP::search_request($conn, on LDAP::SearchResultEntry -> event LDAP::search_result_entry($conn, message.messageID, self.objectName); + +on LDAP::ExtendedRequest -> event LDAP::extended_request($conn, + message.messageID, + self.requestName, + self.requestValue); + +on LDAP::ExtendedResponse -> event LDAP::extended_response($conn, + message.messageID, + message.result_.code, + self.responseName, + self.responseValue); + +# Once switched into MessageMode::TLS, we won't parse messages anymore, +# so this is raised just once. +on LDAP::Message if (ctx.messageMode == LDAP::MessageMode::TLS) -> event LDAP::starttls($conn); diff --git a/src/analyzer/protocol/ldap/ldap.spicy b/src/analyzer/protocol/ldap/ldap.spicy index 8d74b85237..0816e6afe9 100644 --- a/src/analyzer/protocol/ldap/ldap.spicy +++ b/src/analyzer/protocol/ldap/ldap.spicy 
@@ -126,125 +126,206 @@ public type Result = unit { # https://tools.ietf.org/html/rfc4511#section-4.1.10 }; +# 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) +const GSSAPI_MECH_MS_KRB5 = "1.2.840.48018.1.2.2"; + +# Supported SASL stripping modes. +type MessageMode = enum { + MS_KRB5 = 1, # Payload starts with a 4 byte length followed by a wrap token that may or may not be sealed. + TLS = 2, # Client/server used StartTLS, forward to SSL analyzer. + MAYBE_ENCRYPTED = 3, # Use a heuristic to determine encrypted traffic. + CLEARTEXT = 4, # Assume cleartext. + ENCRYPTED = 5, # Assume encrypted. +}; + +type Ctx = struct { + messageMode: MessageMode; # Message dispatching mode + saslMechanism: string; # The SASL mechanism selected by the client. + startTlsRequested: bool; # Did the client use the StartTLS extended request? +}; + #----------------------------------------------------------------------------- public type Messages = unit { - : MessageWrapper[]; + %context = Ctx; + : MessageDispatch(self.context())[]; }; #----------------------------------------------------------------------------- -type SASLLayer = unit { - # For the time being (before we support parsing the SASL layer) this unit - # is used by MessageWrapper below to strip it (SASL) so that the parser - # can attempt to resume parsing afterward. It also sets the success flag - # if '\x30' is found, otherwise backtracks so that we can deal with encrypted - # SASL payloads without raising a parse error. 
- var success: bool = False; - : bytes &until=b"\x30" { - self.success = True; +public type MessageDispatch = unit(ctx: Ctx&) { + switch( ctx.messageMode ) { + MessageMode::Undef -> : Message(ctx); + MessageMode::MS_KRB5 -> : SaslMsKrb5Stripper(ctx); + MessageMode::TLS -> : TlsForward; # never returns + MessageMode::MAYBE_ENCRYPTED -> : MaybeEncrypted(ctx); + MessageMode::CLEARTEXT -> : Message(ctx); + MessageMode::ENCRYPTED -> : EncryptedMessage; + }; +}; + + +#----------------------------------------------------------------------------- +type MaybeEncrypted = unit(ctx: Ctx&) { + # A plaintext LDAP message always starts with at least 3 bytes and the first + # byte is 0x30 for the sequence. A SASL encrypted message starts with a 4 byte + # length field. The heuristic here is that if the first byte is a 0x30, + # assume it's unencrypted LDAP. This should be pretty good, if it was an + # encrypted/SASL wrapped message, it would have a size between 0x30000000 and + # 0x30FFFFFF, meaning at least a size of ~768MB, which seems unlikely. + var start: iterator; + var saslLen: uint64; + var mech: bytes; + + on %init { + self.start = self.input(); + # Don't have starts_with() on string, work around that. + # https://github.com/zeek/spicy/issues/1807 + self.mech = ctx.saslMechanism.encode(spicy::Charset::UTF8); } - on %error { - self.backtrack(); + first: uint8 { + if ( $$ == 0x30 ) { + ctx.messageMode = MessageMode::CLEARTEXT; + } else { + ctx.messageMode = MessageMode::ENCRYPTED; + } } + + # As a further heuristic, if encrypted mode was decided and the client + # requested GSSAPI or GSS-SPNEGO (or we just didn't see it) peak a bit + # into the SASL payload and check if it starts with a 0504 (WRAP_TOKEN). + # If so, switch into KRB mode assuming that's what is being used and + # have a chance seeing some more plaintext LDAP in non-sealed tokens. 
+ rem: uint8[3] if ( ctx.messageMode == MessageMode::ENCRYPTED && (|self.mech| == 0 || self.mech.starts_with(b"GSS")) ) { + self.saslLen = (uint64(self.first) << 24) + (uint64($$[0]) << 16) + (uint64($$[1]) << 8) + uint64($$[2]); + } + + : uint16 if ( self.saslLen >= 2 ) { + if ( $$ == 0x0504 ) { + ctx.messageMode = MessageMode::MS_KRB5; + } + } + + # Rewind the input. + : void { + # Prevent MessageDispatch from recursing endlessly. + assert ctx.messageMode != MessageMode::MAYBE_ENCRYPTED; + self.set_input(self.start); + } + + # One recursion to parse with the new ctx.messageMode setting. + : MessageDispatch(ctx); }; #----------------------------------------------------------------------------- -public type MessageWrapper = unit { - # A wrapper around 'Message'. First, we try to parse a Message unit. - # There are two possible outcomes: - # (1) Success -> We consumed all bytes and successfully parsed a Message unit - # (2) No success -> self.backtrack() is called in the Message unit, - # so effectively we didn't consume any bytes yet. - # The outcome can be determined by checking the `success` variable of the Message unit - - # This success variable is different, because this keeps track of the status for the MessageWrapper object - var success: bool = False; - var message: Message; - - # Here, we try to parse the message... - : Message &try { - - # ... and only if the Message unit successfully parsed, we can set - # the status of this MessageWrapper's success to 'True' - if ( $$.success == True ) { - self.success = True; - self.message = $$; - } - } - - # If we failed to parse the message, then we're going to scan the remaining bytes for the '\x30' - # start byte and try to parse a Message starting from that byte. This effectively - # strips the SASL layer if SASL Signing was enabled. Until now, I haven't found A - # better way to scan / determine the exact SASL header length yet, so we'll stick with this - # for the time being. 
If the entire LDAP packet was encrypted with SASL, then we skip parsing for - # now (in the long run we need to be parsing SASL/GSSAPI instead, in which case encrypted payloads - # are just another message type). - - # SASLLayer (see unit above) just consumes bytes &until=b"\x30" or backtracks if it isn't found - # and sets a success flag we can use later to decide if those bytes contain a parsable message. - var sasl_success: bool = False; - : SASLLayer &try if ( self.success == False ) { - if ( $$.success == True ) { - self.sasl_success = True; - } - } - var remainder: bytes; - - # SASLLayer consumes the delimiter ('\x30'), and because this is the first byte of a valid LDAP message - # we should re-add it to the remainder if the delimiter was found. If the delimiter was not found, we - # leave the remainder empty, but note that the bytes must be consumed either way to avoid stalling the - # parser and causing an infinite loop error. - : bytes &eod if ( self.success == False ) { - if ( self.sasl_success == True ) { - self.remainder = b"\x30" + $$; - } - } - - # Again, try to parse a Message unit. Be aware that in this will sometimes fail if the '\x30' byte is - # also present in the SASL header. - - # Also, we could try to do this recursively or try a few iterations, but for now I would suggest - # to try this extra parsing once to get the best cost/benefit tradeoff. 
- : Message &try &parse-from=self.remainder if ( self.success == False && self.sasl_success == True ) { - if ( $$.success == True ) { - self.success = True; - self.message = $$; - } - } - - # If we still didn't manage to parse a message (so the &try resulted in another backtrack()) then - # this is probably an encrypted LDAP message, so skip it - -} &convert=self.message; +type EncryptedMessage = unit { + len: uint32; + : skip bytes &size=self.len; +}; #----------------------------------------------------------------------------- -public type Message = unit { +type TlsForward = unit { + # Just consume everything. This is hooked in ldap_zeek.spicy + chunk: bytes &chunked &eod; +}; + +type KrbWrapToken = unit { + # https://datatracker.ietf.org/doc/html/rfc4121#section-4.2.6.2 + + # Number of bytes to expect *after* the payload. + var trailer_ec: uint64; + var header_ec: uint64; + + ctx_flags: bitfield(8) { + send_by_acceptor: 0; + sealed: 1; + acceptor_subkey: 2; + }; + filler: skip b"\xff"; + ec: uint16; # extra count + rrc: uint16 { # right rotation count + # Handle rrc == ec or rrc == 0. + if ( self.rrc == self.ec ) { + self.header_ec = self.ec; + } else if ( self.rrc == 0 ) { + self.trailer_ec = self.ec; + } else { + if ( ! self.ctx_flags.sealed ) + # If it's sealed, we'll consume until &eod anyhow + # and ec/rrc shouldn't apply, otherwise, bail. + throw "Unhandled rc %s and ec %s" % (self.ec, self.rrc); + } + } + + snd_seq: uint64; + header_e: skip bytes &size=self.header_ec; +}; + +#----------------------------------------------------------------------------- +type SaslMsKrb5Stripper = unit(ctx: Ctx&) { + # This is based on Wireshark output and example traffic we have. There's always + # a 4 byte length field followed by the krb5_tok_id field in messages after + # MS_KRB5 was selected. I haven't read enough specs to understand if it's + # just this one case that works, or others could use the same stripping. 
+ var switch_size: uint64; + + len: uint32; + krb5_tok_id: uint16; + + switch ( self.krb5_tok_id ) { + 0x0504 -> krb_wrap_token: KrbWrapToken; + * -> : void; + }; + + : skip bytes &size=0 { + self.switch_size = self.len - (self.offset() - 4); + if ( self?.krb_wrap_token ) + self.switch_size -= self.krb_wrap_token.trailer_ec; + } + + switch ( self?.krb_wrap_token && ! self.krb_wrap_token.ctx_flags.sealed ) { + True -> : Message(ctx)[] &eod; + * -> : skip bytes &eod; + } &size=self.switch_size; + + # Consume the wrap token trailer, if any. + trailer_e: skip bytes &size=self.krb_wrap_token.trailer_ec if (self?.krb_wrap_token); +}; + +#----------------------------------------------------------------------------- +public type Message = unit(ctx: Ctx&) { var messageID: int64; var opcode: ProtocolOpcode = ProtocolOpcode::Undef; - var applicationBytes: bytes; var unsetResultDefault: Result; var result_: Result& = self.unsetResultDefault; var obj: string = ""; var arg: string = ""; - var success: bool = False; + var seqHeaderLen: uint64; + var msgLen: uint64; + var opLen: uint64; - : ASN1::ASN1Message(True) { - if (($$.head.tag.type_ == ASN1::ASN1Type::Sequence) && - ($$.body?.seq) && - (|$$.body.seq.submessages| >= 2)) { - if ($$.body.seq.submessages[0].body?.num_value) { - self.messageID = $$.body.seq.submessages[0].body.num_value; - } - if ($$.body.seq.submessages[1]?.application_id) { - self.opcode = cast(cast($$.body.seq.submessages[1].application_id)); - self.applicationBytes = $$.body.seq.submessages[1].application_data; - } - } + seqHeader: ASN1::ASN1Header &requires=($$.tag.class == ASN1::ASN1Class::Universal && $$.tag.type_ == ASN1::ASN1Type::Sequence) { + self.msgLen = $$.len.len; + } + + # Use offset() to determine how many bytes the seqHeader took. This + # needs to be done after the seqHeader field hook. 
+ : void { + self.seqHeaderLen = self.offset(); + } + + messageID_header: ASN1::ASN1Header &requires=($$.tag.class == ASN1::ASN1Class::Universal && $$.tag.type_ == ASN1::ASN1Type::Integer); + : ASN1::ASN1Body(self.messageID_header, False) { + self.messageID = $$.num_value; + } + + protocolOp: ASN1::ASN1Header &requires=($$.tag.class == ASN1::ASN1Class::Application) { + self.opcode = cast(cast($$.tag.type_)); + self.opLen = $$.len.len; } switch ( self.opcode ) { - ProtocolOpcode::BIND_REQUEST -> BIND_REQUEST: BindRequest(self); - ProtocolOpcode::BIND_RESPONSE -> BIND_RESPONSE: BindResponse(self); + ProtocolOpcode::BIND_REQUEST -> BIND_REQUEST: BindRequest(self, ctx); + ProtocolOpcode::BIND_RESPONSE -> BIND_RESPONSE: BindResponse(self, ctx); ProtocolOpcode::UNBIND_REQUEST -> UNBIND_REQUEST: UnbindRequest(self); ProtocolOpcode::SEARCH_REQUEST -> SEARCH_REQUEST: SearchRequest(self); ProtocolOpcode::SEARCH_RESULT_ENTRY -> SEARCH_RESULT_ENTRY: SearchResultEntry(self); 
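Review bot: The throw in KrbWrapToken's `rrc` hook labels its values the wrong way round: the format string says `rc ... ec` while the arguments are `(self.ec, self.rrc)`, so the reported numbers are swapped; `throw "Unhandled rrc %s and ec %s" % (self.rrc, self.ec);` fixes it. In SaslMsKrb5Stripper, `self.switch_size = self.len - (self.offset() - 4);` subtracts from a peer-supplied 32-bit length with no lower bound, so a `len` smaller than the bytes already consumed either wraps into a huge `&size` (if unsigned arithmetic does not trap here) or surfaces as an opaque runtime error; an explicit `if ( self.len < self.offset() - 4 ) throw "krb5 length smaller than header";` at the top of that hook states the invariant and yields a clear parse error. EncryptedMessage likewise skips `len` bytes with no upper bound, which is harmless for a skip but deserves a comment saying so. The comments in MaybeEncrypted and SaslMsKrb5Stripper spell "peek" as "peak".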
@@ -262,22 +343,20 @@ public type Message = unit { # just commenting this out, it will stop processing LDAP Messages in this connection ProtocolOpcode::ADD_REQUEST -> ADD_REQUEST: NotImplemented(self); ProtocolOpcode::COMPARE_REQUEST -> COMPARE_REQUEST: NotImplemented(self); - ProtocolOpcode::EXTENDED_REQUEST -> EXTENDED_REQUEST: NotImplemented(self); - ProtocolOpcode::EXTENDED_RESPONSE -> EXTENDED_RESPONSE: NotImplemented(self); + ProtocolOpcode::EXTENDED_REQUEST -> EXTENDED_REQUEST: ExtendedRequest(self, ctx); + ProtocolOpcode::EXTENDED_RESPONSE -> EXTENDED_RESPONSE: ExtendedResponse(self, ctx); ProtocolOpcode::INTERMEDIATE_RESPONSE -> INTERMEDIATE_RESPONSE: NotImplemented(self); ProtocolOpcode::MOD_DN_REQUEST -> MOD_DN_REQUEST: NotImplemented(self); ProtocolOpcode::SEARCH_RESULT_REFERENCE -> SEARCH_RESULT_REFERENCE: NotImplemented(self); - } &parse-from=self.applicationBytes if ( self.opcode ); + } &size=self.opLen; - on %error { - self.backtrack(); - } + # Ensure some invariants hold after parsing the command. + : void &requires=(self.offset() >= self.seqHeaderLen); + : void &requires=(self.msgLen >= (self.offset() - self.seqHeaderLen)); - on %done { - self.success = True; - } - -} &requires=((self?.messageID) && (self?.opcode) && (self.opcode != ProtocolOpcode::Undef)); + # Eat the controls field if it exists. + : skip bytes &size=self.msgLen - (self.offset() - self.seqHeaderLen); +}; #----------------------------------------------------------------------------- # Bind Operation 
@@ -288,18 +367,94 @@ public type BindAuthType = enum { BIND_AUTH_SASL = 3, }; +type GSS_SPNEGO_negTokenInit = unit { + oidHeader: ASN1::ASN1Header &requires=($$.tag.class == ASN1::ASN1Class::Universal && $$.tag.type_ == ASN1::ASN1Type::ObjectIdentifier); + oid: ASN1::ASN1ObjectIdentifier(self.oidHeader.len.len) &requires=(self.oid.oidstring == "1.3.6.1.5.5.2"); + + # TODO: Parse the rest of negTokenInit. + : skip bytes &eod; +}; + +# Peak into GSS-SPNEGO payload and ensure it is indeed GSS-SPNEGO, +# or GSS-SPNEGO with a NTMLSSP payload that starts with NTLMSSP. +type GSS_SPNEGO_Init = unit { + # This is the optional octet string in SaslCredentials. + credentialsHeader: ASN1::ASN1Header &requires=($$.tag.type_ == ASN1::ASN1Type::OctetString); + + # Now we either have the initial message as specified in RFC2743 or + # a continuation from RFC4178, or a "NTMLSSP" signature. + # + # 60 -> APPLICATION [0] https://datatracker.ietf.org/doc/html/rfc2743#page-81 + # a1 -> CHOICE [1] https://www.rfc-editor.org/rfc/rfc4178#section-4.2 + # "NTMLSSP" https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/907f519d-6217-45b1-b421-dca10fc8af0d + # + switch { + -> spnegoInitByte: uint8(0x60); + -> spnegoChoiceByte: uint8(0xa1); + -> ntlmSignature: skip b"NTLMSSP"; # Unsupported, should forward to child analyzer! + }; + + spnegoLen: skip ASN1::LengthType if (self?.spnegoInitByte || self?.spnegoChoiceByte); + + # Peak into the SPNEGO_negTokenInit + spnegoInitial: skip GSS_SPNEGO_negTokenInit if (self?.spnegoInitByte); +}; + type SaslCredentials = unit() { - mechanism: ASN1::ASN1Message(True) &convert=$$.body.str_value; - # TODO: if we want to parse the (optional) credentials string + mechanism: ASN1::ASN1Message(False) &convert=$$.body.str_value; + + # Peak into GSS-SPNEGO payload if we have any. 
+ switch ( self.mechanism ) { + "GSS-SPNEGO" -> gss_spnego: GSS_SPNEGO_Init; + * -> : skip bytes &eod; + }; +}; + +type GSS_SPNEGO_Subsequent = unit { + switch { + -> spnegoChoiceByte: uint8(0xa1); + -> ntmlSignature: skip b"NTLMSSP"; # Unsupported, should forward to NTLM! + }; + + spnegoChoiceLen: skip ASN1::LengthType if (self?.spnegoChoiceByte); + negTokenResp: GSS_SPNEGO_negTokenResp if (self?.spnegoChoiceByte); +}; + +type GSS_SPNEGO_negTokenResp = unit { + var accepted: bool; + var supportedMech: ASN1::ASN1Message; + + # Parse the contained Sequence. + seq: ASN1::ASN1Message(True) { + for ( msg in $$.body.seq.submessages ) { + # https://www.rfc-editor.org/rfc/rfc4178#section-4.2.2 + if ( msg.application_id == 0 ) { + self.accepted = msg.application_data == b"\x0a\x01\x00"; + } else if ( msg.application_id == 1 ) { + self.supportedMech = msg; + } else if ( msg.application_id == 2 ) { + # ignore responseToken + } else if ( msg.application_id == 3 ) { + # ignore mechListMec + } else { + throw "unhandled NegTokenResp id %s" % msg.application_id; + } + } + } + + switch ( self?.supportedMech ) { + True -> supportedMechOid: ASN1::ASN1Message(False) &convert=$$.body.str_value; + * -> : void; + } &parse-from=self.supportedMech.application_data; }; # TODO(fox-ds): A helper unit for requests for which no handling has been implemented. # Eventually all uses of this unit should be replaced with actual parsers so this unit can be removed. type NotImplemented = unit(inout message: Message) { - # Do nothing + : skip bytes &eod; }; -type BindRequest = unit(inout message: Message) { +type BindRequest = unit(inout message: Message, ctx: Ctx&) { version: ASN1::ASN1Message(True) &convert=$$.body.num_value; name: ASN1::ASN1Message(True) &convert=$$.body.str_value { message.obj = self.name; 
@@ -323,15 +478,57 @@ type BindRequest = unit(inout message: Message) { saslCreds: SaslCredentials() &parse-from=self.authData if ((self.authType == BindAuthType::BIND_AUTH_SASL) && (|self.authData| > 0)) { message.arg = self.saslCreds.mechanism; + ctx.saslMechanism = self.saslCreds.mechanism; } -} &requires=((self?.authType) && (self.authType != BindAuthType::Undef)); +} &requires=(self?.authType && (self.authType != BindAuthType::Undef)); -type BindResponse = unit(inout message: Message) { +type ServerSaslCreds = unit { + serverSaslCreds: ASN1::ASN1Header &requires=($$.tag.class == ASN1::ASN1Class::ContextSpecific && $$.tag.type_ == ASN1::ASN1Type(7)); + payload: bytes &size=self.serverSaslCreds.len.len; +}; + +type BindResponse = unit(inout message: Message, ctx: Ctx&) { : Result { message.result_ = $$; + + # The SASL authentication was successful. We do not actually + # know if the following messages are encrypted or not. This may be + # mechanism and parameter specific. For example SCRAM-SHA512 or NTLM + # will continue to be cleartext, while SRP or GSS-API would be encrypted. + # + # Switch messageMode into trial mode which is explored via MessageDispatch + # and the MaybeEncrypted unit. + # + # Note, messageMode may be changed to something more specific like + # MS_KRB5 below. + if ( |ctx.saslMechanism| > 0 && $$.code == ResultCode::SUCCESS ) { + ctx.messageMode = MessageMode::MAYBE_ENCRYPTED; + } } - # TODO: if we want to parse SASL credentials returned + # Try to parse serverSaslCreds if there's any input remaining. This + # unit is parsed with &size, so &eod here works. + # + # Technically we should be able to tell from the ASN.1 structure + # if the serverSaslCreds field exists or not. But, not sure we can + # check if there's any bytes left at this point outside of passing + # in the length and playing with offset(). 
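Review bot: The field name `ntmlSignature` in GSS_SPNEGO_Subsequent is a transposition of `ntlmSignature` used for the same match in GSS_SPNEGO_Init, and the comments write "NTMLSSP" in several places while the matched bytes are `b"NTLMSSP"`; one spelling avoids confusion when the NTLM hand-off the comments promise is implemented. In GSS_SPNEGO_negTokenResp the final `else` throws on any `application_id` outside 0..3, which aborts LDAP parsing for the whole connection on a non-conforming but otherwise harmless server token; if that strictness is intended a comment saying so would help, otherwise ignoring the unknown entry matches how ids 2 and 3 are treated. The change of NotImplemented from `# Do nothing` to `: skip bytes &eod;` is a quiet but necessary consequence of the switch now being parsed with `&size=self.opLen`, and a one-line comment there would make that dependency explicit.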
+ serverSaslCreds: ServerSaslCreds[] &eod; + + # If the client requested GSS-SPNEGO, try to parse the server's response + # to switch message mode. + gss_spnego: GSS_SPNEGO_Subsequent &parse-from=self.serverSaslCreds[0].payload + if (ctx.saslMechanism == "GSS-SPNEGO" && |self.serverSaslCreds| > 0) { + + if ( $$?.negTokenResp ) { + local token = $$.negTokenResp; + if ( token.accepted && token?.supportedMechOid ) { + if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 ) { + ctx.messageMode = MessageMode::MS_KRB5; + } + } + } + } }; #----------------------------------------------------------------------------- 
@@ -879,16 +1076,61 @@ type AbandonRequest = unit(inout message: Message) { #----------------------------------------------------------------------------- # Extended Operation # https://tools.ietf.org/html/rfc4511#section-4.12 +type ExtendedRequest = unit(inout message: Message, ctx: Ctx&) { + var requestValue: bytes; + header: ASN1::ASN1Header &requires=($$.tag.class == ASN1::ASN1Class::ContextSpecific); + requestName: bytes &size=self.header.len.len &convert=$$.decode(spicy::Charset::ASCII) { + message.obj = $$; + } -# TODO: implement ExtendedRequest -# type ExtendedRequest = unit(inout message: Message) { -# -# }; + # If there's more byte to parse, it's the requestValue. + : ASN1::ASN1Message(False) + &requires=($$.head.tag.class == ASN1::ASN1Class::ContextSpecific) + if ( message.opLen > self.offset() ) { -# TODO: implement ExtendedResponse -# type ExtendedResponse = unit(inout message: Message) { -# -# }; + self.requestValue = $$.application_data; + } + + on %done { + # Did the client request StartTLS? 
+ # + # https://datatracker.ietf.org/doc/html/rfc4511#section-4.14.1 + if ( self.requestName == "1.3.6.1.4.1.1466.20037" ) + ctx.startTlsRequested = True; + } +}; + +#----------------------------------------------------------------------------- +type ExtendedResponseEntry = unit(inout r: ExtendedResponse) { + : ASN1::ASN1Message(False) &requires=($$.head.tag.class == ASN1::ASN1Class::ContextSpecific) { + if ( $$.head.tag.type_ == ASN1::ASN1Type(10) ) + r.responseName = $$.application_data; + else if ( $$.head.tag.type_ == ASN1::ASN1Type(11) ) + r.responseValue = $$.application_data; + else + throw "Unhandled extended response tag %s" % $$.head.tag; + } +}; + +#----------------------------------------------------------------------------- +type ExtendedResponse = unit(inout message: Message, ctx: Ctx&) { + var responseName: bytes; + var responseValue: bytes; + : Result { + message.result_ = $$; + } + + # Try to parse two ASN1 entries if there are bytes left in the unit. + # Both are optional and identified by context specific tagging. + : ExtendedResponseEntry(self) if ( message.opLen > self.offset() ); + : ExtendedResponseEntry(self) if ( message.opLen > self.offset() ); + + on %done { + # Client had requested StartTLS and it was successful? Switch to SSL. + if ( ctx.startTlsRequested && message.result_.code == ResultCode::SUCCESS ) + ctx.messageMode = MessageMode::TLS; + } +}; #----------------------------------------------------------------------------- # IntermediateResponse Message @@ -899,6 +1141,6 @@ type AbandonRequest = unit(inout message: Message) { # # }; -on LDAP::MessageWrapper::%done { +on LDAP::Message::%done { spicy::accept_input(); } diff --git a/src/analyzer/protocol/ldap/ldap_zeek.spicy b/src/analyzer/protocol/ldap/ldap_zeek.spicy new file mode 100644 index 0000000000..3a6784589f --- /dev/null +++ b/src/analyzer/protocol/ldap/ldap_zeek.spicy 
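Review bot: `ctx.startTlsRequested` is set in ExtendedRequest's `%done` but never cleared, so if the StartTLS response is not a SUCCESS (server refuses) the flag persists and the next successful extended response of any kind flips `ctx.messageMode` to TLS, after which cleartext LDAP is forwarded to the SSL analyzer and no further LDAP events are raised for the connection. Clearing the flag in ExtendedResponse's `%done` regardless of the result code, `ctx.startTlsRequested = False;` after the existing `if`, pairs the flag with the immediately following response; checking `self.responseName` or the messageID would be stricter still. The literal `"1.3.6.1.4.1.1466.20037"` would also read better as a named constant next to `GSSAPI_MECH_MS_KRB5`, with the RFC reference moved onto it.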
@@ -0,0 +1,12 @@ +module LDAP_Zeek; + +import LDAP; +import zeek; + +on LDAP::TlsForward::%init { + zeek::protocol_begin("SSL"); +} + +on LDAP::TlsForward::chunk { + zeek::protocol_data_in(zeek::is_orig(), self.chunk); +} diff --git a/src/analyzer/protocol/modbus/modbus-protocol.pac b/src/analyzer/protocol/modbus/modbus-protocol.pac index ebd1805815..5b566e6729 100644 --- a/src/analyzer/protocol/modbus/modbus-protocol.pac +++ b/src/analyzer/protocol/modbus/modbus-protocol.pac @@ -90,8 +90,8 @@ type ModbusTCP_PDU(is_orig: bool) = record { type ModbusTCP_TransportHeader = record { tid: uint16; # Transaction identifier - pid: uint16; # Protocol identifier - len: uint16; # Length of everything after this field + pid: uint16 &enforce(pid == 0); # Protocol identifier + len: uint16 &enforce(len >= 2); # Length of everything after this field uid: uint8; # Unit identifier (previously 'slave address') fc: uint8; # MODBUS function code (see function_codes enum) } &byteorder=bigendian, &let { diff --git a/src/analyzer/protocol/pop3/CMakeLists.txt b/src/analyzer/protocol/pop3/CMakeLists.txt index f5283b17e4..11e0e43439 100644 --- a/src/analyzer/protocol/pop3/CMakeLists.txt +++ b/src/analyzer/protocol/pop3/CMakeLists.txt @@ -5,4 +5,5 @@ zeek_add_plugin( POP3.cc Plugin.cc BIFS + consts.bif events.bif) diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc index ed3a8f2aa1..fc11b4ca41 100644 --- a/src/analyzer/protocol/pop3/POP3.cc +++ b/src/analyzer/protocol/pop3/POP3.cc @@ -3,8 +3,6 @@ #include "zeek/analyzer/protocol/pop3/POP3.h" -#include "zeek/zeek-config.h" - #include #include #include @@ -12,6 +10,7 @@ #include "zeek/Base64.h" #include "zeek/Reporter.h" #include "zeek/analyzer/Manager.h" +#include "zeek/analyzer/protocol/pop3/consts.bif.h" #include "zeek/analyzer/protocol/pop3/events.bif.h" namespace zeek::analyzer::pop3 { 
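Review bot: `zeek::protocol_begin("SSL")` runs in TlsForward's `%init`, and `%init` is per unit instance; if the LDAP analyzer parses the originator and responder streams as separate Messages units, TlsForward is instantiated once per side and this hook fires twice, attaching two SSL child analyzers to one connection — the shared `Ctx` does not prevent that. Whether the runtime de-duplicates the child here is not visible from the diff and should be confirmed against a StartTLS capture, or, if available in this Zeek version, `zeek::protocol_handle_get_or_create` used so both directions feed one child. A short comment in this file noting that TlsForward consumes everything until end of data (the `# never returns` remark lives only in ldap.spicy) would help readers of ldap_zeek.spicy.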
@@ -41,6 +40,7 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn) : analyzer::tcp::TCP_ApplicationA authLines = 0; mail = nullptr; + unknown_client_cmds = 0; cl_orig = new analyzer::tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(cl_orig); @@ -205,6 +205,19 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line) { // keep a list of pending commands. cmds.emplace_back(line); + // Prevent unbounded state growth of cmds if there are no matching + // server replies by simply dropping the oldest command. + // + // This may be caused by packet drops of the server side, one-sided + // traffic, or analyzing the wrong protocol (Redis), etc. + if ( zeek::BifConst::POP3::max_pending_commands > 0 ) { + if ( cmds.size() > zeek::BifConst::POP3::max_pending_commands ) { + Weird("pop3_client_too_many_pending_commands"); + + cmds.pop_front(); + } + } + if ( cmds.size() == 1 ) // Not waiting for another server response, // so we can process it immediately. @@ -236,10 +249,19 @@ void POP3_Analyzer::ProcessClientCmd() { if ( cmd_code == -1 ) { if ( ! waitingForAuthentication ) { - Weird("pop3_client_command_unknown"); + Weird("pop3_client_command_unknown", (tokens.size() > 0 ? tokens[0].c_str() : "???")); if ( subState == detail::POP3_WOK ) subState = detail::POP3_OK; + + ++unknown_client_cmds; + + if ( zeek::BifConst::POP3::max_unknown_client_commands > 0 ) { + if ( unknown_client_cmds > zeek::BifConst::POP3::max_unknown_client_commands ) { + AnalyzerViolation("too many unknown client commands"); + } + } } + return; } @@ -299,6 +321,7 @@ void POP3_Analyzer::ProcessClientCmd() { if ( masterState == detail::POP3_AUTHORIZATION ) { POP3Event(pop3_request, true, cmd, message); if ( ! *message ) { + // This is the client requesting a list of AUTH mechanisms available. requestForMultiLine = true; state = detail::AUTH; subState = detail::POP3_WOK; 
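Review bot: `unknown_client_cmds` only ever grows, so once the threshold in the `@@ -236` hunk is crossed every further unknown command raises another `AnalyzerViolation`; if the DPD framework disables the analyzer on the first violation this is moot, but a comment stating that expectation (or resetting the counter after the violation) would make the intent clear. Both new bound checks, in the `@@ -205` and `@@ -236` hunks, nest two `if`s where one condition reads more directly, e.g. `if ( zeek::BifConst::POP3::max_pending_commands > 0 && cmds.size() > zeek::BifConst::POP3::max_pending_commands )`. The second argument now passed to `Weird("pop3_client_command_unknown", ...)` is the raw client token, i.e. peer-chosen text that lands in weird.log; that matches the existing unknown-server-command reporting, but anyone consuming that field should treat it as untrusted.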
@@ -555,7 +578,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) { AnalyzerViolation(util::fmt("unknown server command (%s)", (tokens.size() > 0 ? tokens[0].c_str() : "???")), line, length); - Weird("pop3_server_command_unknown"); + Weird("pop3_server_command_unknown", (tokens.size() > 0 ? tokens[0].c_str() : "???")); if ( subState == detail::POP3_WOK ) subState = detail::POP3_OK; } diff --git a/src/analyzer/protocol/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h index 629387d402..697bc73183 100644 --- a/src/analyzer/protocol/pop3/POP3.h +++ b/src/analyzer/protocol/pop3/POP3.h @@ -4,11 +4,9 @@ #pragma once -#include #include #include -#include "zeek/analyzer/protocol/login/NVT.h" #include "zeek/analyzer/protocol/mime/MIME.h" #include "zeek/analyzer/protocol/tcp/ContentLine.h" #include "zeek/analyzer/protocol/tcp/TCP.h" @@ -106,6 +104,7 @@ protected: analyzer::mime::MIME_Mail* mail; std::list cmds; + zeek_uint_t unknown_client_cmds; private: bool tls; diff --git a/src/analyzer/protocol/pop3/consts.bif b/src/analyzer/protocol/pop3/consts.bif new file mode 100644 index 0000000000..29fcd14e3d --- /dev/null +++ b/src/analyzer/protocol/pop3/consts.bif @@ -0,0 +1,2 @@ +const POP3::max_pending_commands: count; +const POP3::max_unknown_client_commands: count; diff --git a/src/analyzer/protocol/quic/decrypt_crypto.cc b/src/analyzer/protocol/quic/decrypt_crypto.cc index d38bc4154f..fa496413ae 100644 --- a/src/analyzer/protocol/quic/decrypt_crypto.cc +++ b/src/analyzer/protocol/quic/decrypt_crypto.cc @@ -60,7 +60,6 @@ const size_t AEAD_IV_LEN = 12; const size_t AEAD_HP_LEN = 16; const size_t AEAD_SAMPLE_LENGTH = 16; const size_t AEAD_TAG_LENGTH = 16; -const size_t MAXIMUM_PACKET_LENGTH = 1500; const size_t MAXIMUM_PACKET_NUMBER_LENGTH = 4; EVP_CIPHER_CTX* get_aes_128_ecb() { 
@@ -153,12 +152,17 @@ Function that calls the AEAD decryption routine, and returns the decrypted data. */ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt::Bytes& all_data, uint64_t payload_length, const DecryptionInformation& decryptInfo) { - int out, out2, res; + int out, out2; if ( payload_length < decryptInfo.packet_number_length + AEAD_TAG_LENGTH ) throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < %ld", payload_length, decryptInfo.packet_number_length + AEAD_TAG_LENGTH)); + // Bail on large payloads, somewhat arbitrarily. 10k allows for Jumbo frames + // and sometimes the fuzzer produces packets up to that size as well. + if ( payload_length > 10000 ) + throw hilti::rt::RuntimeError(hilti::rt::fmt("payload_length too large %ld", payload_length)); + const uint8_t* encrypted_payload = data_as_uint8(all_data) + decryptInfo.unprotected_header.size(); int encrypted_payload_size = payload_length - decryptInfo.packet_number_length - AEAD_TAG_LENGTH; @@ -173,7 +177,8 @@ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt const void* tag_to_check = all_data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size; int tag_to_check_length = AEAD_TAG_LENGTH; - std::array decrypt_buffer; + // Allocate memory for decryption. + std::vector decrypt_buffer(encrypted_payload_size); // Setup context auto* ctx = get_aes_128_gcm(); @@ -197,7 +202,8 @@ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt EVP_CipherUpdate(ctx, decrypt_buffer.data(), &out, encrypted_payload, encrypted_payload_size); // Validate whether the decryption was successful or not - EVP_CipherFinal_ex(ctx, NULL, &out2); + if ( EVP_CipherFinal_ex(ctx, NULL, &out2) == 0 ) + throw hilti::rt::RuntimeError("decryption failed"); // Copy the decrypted data from the decrypted buffer into a Bytes instance. return hilti::rt::Bytes(decrypt_buffer.data(), decrypt_buffer.data() + out); 
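Review bot: The new upper bound on `payload_length` in @@ -153 does not check it against `all_data`: `encrypted_payload` and `tag_to_check` are offsets of `decryptInfo.unprotected_header.size()` plus `payload_length` into `all_data`, so unless the caller guarantees the relation, a truncated packet reads past the end of the buffer. A guard next to the existing ones, `if ( all_data.size() < decryptInfo.unprotected_header.size() + payload_length ) throw hilti::rt::RuntimeError("payload_length exceeds available data");`, makes the function self-contained. In @@ -197 `EVP_CipherUpdate` is still unchecked while `EVP_CipherFinal_ex` now is, and if `get_aes_128_gcm()` hands out a per-call context rather than a cached one, the new throw leaves it unfreed; a comment stating which it is (and, if per-call, an RAII holder) would settle that.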
diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index b922c62f2b..5e7bf673b1 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac @@ -413,7 +413,7 @@ type SMB2_error_response(header: SMB2_Header) = record { byte_count : uint32; # This is implemented incorrectly and is disabled for now. #error_data : SMB2_error_data(header, byte_count); - stuff : bytestring &restofdata &transient; + stuff : bytestring &length=byte_count &transient; } &byteorder = littleendian; type SMB2_logoff_request(header: SMB2_Header) = record { diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc index 55f3469870..b6a3043a21 100644 --- a/src/analyzer/protocol/ssl/SSL.cc +++ b/src/analyzer/protocol/ssl/SSL.cc @@ -3,9 +3,9 @@ #include #include #include +#include #include "zeek/Reporter.h" -#include "zeek/analyzer/Manager.h" #include "zeek/analyzer/protocol/ssl/events.bif.h" #include "zeek/analyzer/protocol/ssl/ssl_pac.h" #include "zeek/analyzer/protocol/ssl/tls-handshake_pac.h" @@ -22,6 +22,8 @@ namespace zeek::analyzer::ssl { +using byte_buffer = std::vector; + template static inline T MSB(const T a) { return ((a >> 8) & 0xff); @@ -32,12 +34,13 @@ static inline T LSB(const T a) { return (a & 0xff); } -static std::basic_string fmt_seq(uint32_t num) { - std::basic_string out(4, '\0'); +static byte_buffer fmt_seq(uint32_t num) { + byte_buffer out(4, '\0'); out.reserve(13); uint32_t netnum = htonl(num); - out.append(reinterpret_cast(&netnum), 4); - out.append(5, '\0'); + uint8_t* p = reinterpret_cast(&netnum); + out.insert(out.end(), p, p + 4); + out.insert(out.end(), 5, '\0'); return out; } 
@@ -271,8 +274,8 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool i const u_char* s_iv = keys.data() + 68; // FIXME: should we change types here? - u_char* encrypted = (u_char*)data; - size_t encrypted_len = len; + const u_char* encrypted = data; + int encrypted_len = len; if ( is_orig ) c_seq++; @@ -280,14 +283,15 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool i s_seq++; // AEAD nonce, length 12 - std::basic_string s_aead_nonce; + byte_buffer s_aead_nonce; + s_aead_nonce.reserve(12); if ( is_orig ) - s_aead_nonce.assign(c_iv, 4); + s_aead_nonce.insert(s_aead_nonce.end(), c_iv, c_iv + 4); else - s_aead_nonce.assign(s_iv, 4); + s_aead_nonce.insert(s_aead_nonce.end(), s_iv, s_iv + 4); // this should be the explicit counter - s_aead_nonce.append(encrypted, 8); + s_aead_nonce.insert(s_aead_nonce.end(), encrypted, encrypted + 8); assert(s_aead_nonce.size() == 12); EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); 
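Review bot: `s_aead_nonce.insert(s_aead_nonce.end(), encrypted, encrypted + 8)` in @@ -280 reads 8 bytes of `data`, and the `EVP_CTRL_GCM_SET_TAG` call in @@ -310 reads 16 bytes at `encrypted + encrypted_len`, i.e. past the `len` the caller passed; nothing in these hunks establishes `len >= 8` or that the tag bytes are inside the record, and the function starts outside them, so if the caller does not guarantee it, an early `if ( len < 8 ) return false;` (or whatever the function's failure convention is) belongs before the inserts. Narrowing `encrypted_len` to `int` also makes `MSB(encrypted_len)`/`LSB(encrypted_len)` and the `decrypted` vector size depend on `len` being non-negative; an `assert(len >= 0)` or a comment that `len` is a validated record length would document that. The `const_cast` is fine because OpenSSL copies the tag into the context on `EVP_CTRL_GCM_SET_TAG`; a one-line comment saying so would save the next reviewer the lookup.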
@@ -310,28 +314,28 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool i else EVP_DecryptInit(ctx, EVP_aes_256_gcm(), s_wk, s_aead_nonce.data()); - EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, encrypted + encrypted_len); + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, const_cast(encrypted + encrypted_len)); // AEAD tag - std::basic_string s_aead_tag; + byte_buffer s_aead_tag; if ( is_orig ) s_aead_tag = fmt_seq(c_seq); else s_aead_tag = fmt_seq(s_seq); + assert(s_aead_tag.size() == 13); s_aead_tag[8] = content_type; s_aead_tag[9] = MSB(raw_tls_version); s_aead_tag[10] = LSB(raw_tls_version); s_aead_tag[11] = MSB(encrypted_len); s_aead_tag[12] = LSB(encrypted_len); - assert(s_aead_tag.size() == 13); auto decrypted = std::vector(encrypted_len + 16); // see OpenSSL manpage - 16 is the block size for the supported cipher int decrypted_len = 0; EVP_DecryptUpdate(ctx, NULL, &decrypted_len, s_aead_tag.data(), s_aead_tag.size()); - EVP_DecryptUpdate(ctx, decrypted.data(), &decrypted_len, (const u_char*)encrypted, encrypted_len); + EVP_DecryptUpdate(ctx, decrypted.data(), &decrypted_len, encrypted, encrypted_len); assert(static_cast(decrypted_len) <= decrypted.size()); decrypted.resize(decrypted_len); diff --git a/src/analyzer/protocol/syslog/syslog.spicy b/src/analyzer/protocol/syslog/syslog.spicy index fd4c845870..ba8c8a77aa 100644 --- a/src/analyzer/protocol/syslog/syslog.spicy +++ b/src/analyzer/protocol/syslog/syslog.spicy @@ -7,7 +7,7 @@ import spicy; public type Message = unit { switch { -> prio: Priority; - -> void; + -> : void; }; msg: bytes &eod; diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index e9c2a1f2f6..9a63962db2 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc 
@@ -273,7 +273,12 @@ void TCP_Reassembler::MatchUndelivered(uint64_t up_to_seq, bool use_last_upper) if ( b.upper > last_reassem_seq ) break; - tcp_analyzer->Conn()->Match(zeek::detail::Rule::PAYLOAD, b.block, b.Size(), false, false, IsOrig(), false); + // Note: Even though this passes bol=false, at the point where + // this code runs, the matcher is re-initialized resulting in + // undelivered data implicitly being bol-anchored. It's unclear + // if that was intended, but there's hardly a right way here, + // so that seems ok. + tcp_analyzer->Conn()->Match(zeek::detail::Rule::PAYLOAD, b.block, b.Size(), IsOrig(), false, false, false); } } diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc index 5161843af0..af8c434bbf 100644 --- a/src/input/readers/raw/Raw.cc +++ b/src/input/readers/raw/Raw.cc @@ -46,6 +46,7 @@ Raw::Raw(ReaderFrontend* frontend) : ReaderBackend(frontend), file(nullptr, fclo sep_length = BifConst::InputRaw::record_separator->Len(); bufpos = 0; + bufsize = 0; stdin_fileno = fileno(stdin); stdout_fileno = fileno(stdout); 
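Review bot: The new comment in @@ -273 explains `bol`, but the substantive change on the same line is that `IsOrig()` moves from the sixth to the fourth argument of `Conn()->Match()`, which the reorder suggests was previously passed in the wrong position; nothing records that. One more sentence in the comment, e.g. `// is_orig is the fourth argument of Match(); the remaining flags are all false.`, ties the note to the fix, and naming the parameters inline would remove the ambiguity for good. MatchUndelivered begins outside the hunk.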
@@ -420,59 +421,74 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie int64_t Raw::GetLine(FILE* arg_file) { errno = 0; - int pos = 0; // strstr_n only works on ints - so no use to use something different here - int offset = 0; - if ( ! buf ) + if ( ! buf ) { buf = std::unique_ptr(new char[block_size]); - - int repeats = 1; + bufpos = 0; + bufsize = block_size; + } for ( ;; ) { - size_t readbytes = fread(buf.get() + bufpos + offset, 1, block_size - bufpos, arg_file); - pos += bufpos + readbytes; - // printf("Pos: %d\n", pos); - bufpos = offset = 0; // read full block size in next read... + size_t readbytes = fread(buf.get() + bufpos, 1, bufsize - bufpos, arg_file); - if ( pos == 0 && errno != 0 ) + bufpos = bufpos + readbytes; + + // Nothing in the buffer and errno set, yield. + if ( bufpos == 0 && errno != 0 ) break; // researching everything each time is a bit... cpu-intensive. But otherwise we have // to deal with situations where the separator is multi-character and split over multiple // reads... - int found = util::strstr_n(pos, (unsigned char*)buf.get(), separator.size(), (unsigned char*)separator.c_str()); + // + // memmem() would be more appropriate, but not available on Windows. + int found = util::strstr_n(bufpos, reinterpret_cast(buf.get()), separator.size(), + reinterpret_cast(separator.c_str())); if ( found == -1 ) { - // we did not find it and have to search again in the next try. resize buffer.... + // we did not find it and have to search again in the next try. // but first check if we encountered the file end - because if we did this was it. if ( feof(arg_file) != 0 ) { - if ( pos == 0 ) + if ( bufpos == 0 ) return -1; // signal EOF - and that we had no more data. 
else { outbuf = std::move(buf); // buf is null after this - return pos; + return bufpos; // flush out remaining buffered data as line } } - repeats++; - // bah, we cannot use realloc because we would have to change the delete in the manager - // to a free. - std::unique_ptr newbuf = std::unique_ptr(new char[block_size * repeats]); - memcpy(newbuf.get(), buf.get(), block_size * (repeats - 1)); - buf = std::move(newbuf); - offset = block_size * (repeats - 1); + // No separator found and buffer full, realloc and retry reading more right away. + if ( bufpos == bufsize ) { + std::unique_ptr newbuf = std::unique_ptr(new char[bufsize + block_size]); + memcpy(newbuf.get(), buf.get(), bufsize); + buf = std::move(newbuf); + bufsize = bufsize + block_size; + } + else { + // Short or empty read, some data in the buffer, but no separator found + // and also not EOF: This is likely reading from a pipe where the separator + // wasn't yet produced. Yield to retry on the next heartbeat. + return -2; + } } else { + size_t sep_idx = static_cast(found); + assert(sep_idx <= bufsize - sep_length); + size_t remaining = bufpos - sep_idx - sep_length; + outbuf = std::move(buf); - if ( found < pos ) { + if ( remaining > 0 ) { // we have leftovers. copy them into the buffer for the next line + assert(remaining <= block_size); buf = std::unique_ptr(new char[block_size]); - memcpy(buf.get(), outbuf.get() + found + sep_length, pos - found - sep_length); - bufpos = pos - found - sep_length; + bufpos = remaining; + bufsize = block_size; + + memcpy(buf.get(), outbuf.get() + sep_idx + sep_length, remaining); } - return found; + return sep_idx; } } diff --git a/src/input/readers/raw/Raw.h b/src/input/readers/raw/Raw.h index e7f788afda..1fc1b52097 100644 --- a/src/input/readers/raw/Raw.h +++ b/src/input/readers/raw/Raw.h 
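Review bot: The growth branch in @@ -420 (`bufsize = bufsize + block_size`) has no ceiling, and `bufpos` is passed as the `int` length to `util::strstr_n` with the result held in `int found`, so input that never contains the separator grows the buffer without limit and, past INT_MAX, the narrowing wraps the search length; the old code had the same shape, but this rewrite is the place to stop it. A guard before the reallocation, e.g. `if ( bufsize > static_cast<size_t>(INT_MAX) - block_size ) { /* report via the reader's error path */ return -1; }`, keeps `found`/`sep_idx` consistent, and a configurable maximum line length would give operators a knob against runaway memory from a misbehaving source. The `bufpos == 0 && errno != 0` exit also only covers reads that produced no data at all — a read error with data already buffered takes the `return -2` retry path with `errno` reset on the next call — which deserves a sentence in the comment if it is intentional.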
@@ -58,7 +58,8 @@ private: std::string separator; unsigned int sep_length; // length of the separator - int bufpos; + size_t bufpos; // Where in buf to read more data. + size_t bufsize; // Currently allocated size of buf. std::unique_ptr buf; std::unique_ptr outbuf; diff --git a/src/script_opt/Expr.cc b/src/script_opt/Expr.cc index 1ad24c5277..7591affd7b 100644 --- a/src/script_opt/Expr.cc +++ b/src/script_opt/Expr.cc @@ -1629,6 +1629,9 @@ ExprPtr AssignExpr::Reduce(Reducer* c, StmtPtr& red_stmt) { StmtPtr lhs_stmt; StmtPtr rhs_stmt; + if ( GetType()->Tag() == TYPE_ANY && op2->GetType()->Tag() != TYPE_ANY ) + op2 = with_location_of(make_intrusive(op2), op2); + auto lhs_e = field_e->Op()->Reduce(c, lhs_stmt); auto rhs_e = op2->ReduceToFieldAssignment(c, rhs_stmt); @@ -3091,6 +3094,23 @@ CoerceToAnyExpr::CoerceToAnyExpr(ExprPtr arg_op) : UnaryExpr(EXPR_TO_ANY_COERCE, type = base_type(TYPE_ANY); } +bool CoerceToAnyExpr::IsReduced(Reducer* c) const { return HasReducedOps(c); } + +ExprPtr CoerceToAnyExpr::Reduce(Reducer* c, StmtPtr& red_stmt) { + if ( c->Optimizing() ) + op = c->UpdateExpr(op); + + red_stmt = nullptr; + + if ( ! op->IsSingleton(c) ) + op = op->ReduceToSingleton(c, red_stmt); + + if ( c->Optimizing() ) + return ThisPtr(); + else + return AssignToTemporary(c, red_stmt); +} + ValPtr CoerceToAnyExpr::Fold(Val* v) const { return {NewRef{}, v}; } ExprPtr CoerceToAnyExpr::Duplicate() { return SetSucc(new CoerceToAnyExpr(op->Duplicate())); } diff --git a/src/script_opt/ZAM/BuiltInSupport.cc b/src/script_opt/ZAM/BuiltInSupport.cc index 4bc833814d..a41311c7ae 100644 --- a/src/script_opt/ZAM/BuiltInSupport.cc +++ b/src/script_opt/ZAM/BuiltInSupport.cc 
@@ -73,7 +73,7 @@ void FixedCatArg::RenderInto(ZVal* zframe, int slot, char*& res) { n = modp_dtoa2(d, res, 6); res += n; - if ( util::approx_equal(d, nearbyint(d), 1e-9) && std::isfinite(d) && ! strchr(tmp, 'e') ) { + if ( util::approx_equal(d, nearbyint(d), 1e-9) && std::isfinite(d) ) { // disambiguate from integer *(res++) = '.'; *(res++) = '0'; diff --git a/src/script_opt/ZAM/BuiltInSupport.h b/src/script_opt/ZAM/BuiltInSupport.h index 7169ea94d1..daa8c9c087 100644 --- a/src/script_opt/ZAM/BuiltInSupport.h +++ b/src/script_opt/ZAM/BuiltInSupport.h @@ -42,7 +42,6 @@ public: protected: TypePtr t; - char tmp[256]; }; class StringCatArg : public CatArg { diff --git a/src/script_opt/ZAM/OPs/ZAM.op b/src/script_opt/ZAM/OPs/ZAM.op index 6b18b4156e..36e960abec 100644 --- a/src/script_opt/ZAM/OPs/ZAM.op +++ b/src/script_opt/ZAM/OPs/ZAM.op @@ -934,13 +934,13 @@ eval auto& vsel = frame[z.v2].vector_val->RawVec(); auto& v1 = frame[z.v3].vector_val->RawVec(); auto& v2 = frame[z.v4].vector_val->RawVec(); auto n = v1.size(); - auto res = new vector>(n); + vector> res(n); for ( auto i = 0U; i < n; ++i ) if ( vsel[i] ) - (*res)[i] = vsel[i]->int_val ? v1[i] : v2[i]; + res[i] = vsel[i]->int_val ? v1[i] : v2[i]; auto& full_res = frame[z.v1].vector_val; Unref(full_res); - full_res = new VectorVal(cast_intrusive(z.t), res); + full_res = new VectorVal(cast_intrusive(z.t), &res); # Our instruction format doesn't accommodate two constants, so for # the singular case of a V ? C1 : C2 conditional, we split it into @@ -1254,9 +1254,14 @@ macro AssignFromRec() for ( size_t i = 0U; i < n; ++i ) { auto rhs_i = rhs->RawField(rhs_map[i]); + auto& init_i = init_vals[lhs_map[i]]; if ( is_managed[i] ) + { zeek::Ref(rhs_i.ManagedVal()); - init_vals[lhs_map[i]] = rhs_i; + if ( init_i ) + ZVal::DeleteManagedType(*init_i); + } + init_i = rhs_i; } op Construct-Known-Record-From 
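Review bot: Removing `! strchr(tmp, 'e')` in @@ -73 drops the exponent check rather than retargeting it: `tmp` was never the buffer `modp_dtoa2` wrote into (which is why it could be deleted), but if `modp_dtoa2` falls back to exponent notation for large magnitudes, a value such as 1e17 now passes the `approx_equal` test and gets `.0` appended after the exponent. Checking the bytes just written, `! memchr(res - n, 'e', n)` (with `n` from the preceding `modp_dtoa2` call), keeps the intent while still letting `tmp` go. RenderInto begins outside the hunk.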
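Review bot: `full_res = new VectorVal(cast_intrusive(z.t), &res);` in @@ -934 hands the address of a stack-local vector to the `VectorVal` constructor where the old code passed a heap-allocated one it had apparently given away; that is only correct if the constructor copies or moves from the pointer rather than retaining it, and nothing in the hunk says which. The two `vec_exec` hunks in ZBody.cc make the same change (`v1 = new VectorVal(std::move(vt), &vec1);`). A comment at this first site, e.g. `// VectorVal copies/moves the elements; res need not outlive this call.`, would document the contract the change relies on.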
@@ -1561,7 +1566,9 @@ eval if ( frame[z.v2].vector_val->Size() > 0 ) unary-expr-op To-Any-Coerce op-type X set-type $1 -eval AssignV1(ZVal(frame[z.v2].ToVal(z.t), ZAM::any_base_type)) +eval auto orig_lhs = frame[z.v1]; /* hold in case z.v1 = z.v2 */ + frame[z.v1] = ZVal($1.ToVal(z.t), ZAM::any_base_type); + ZVal::DeleteManagedType(orig_lhs); unary-expr-op From-Any-Coerce op-type X @@ -1604,7 +1611,19 @@ op Any-Vector-Elem-Assign op1-read set-type $1 type VVV -eval EvalVectorElemAssign(, vv->Assign(ind, frame[z.v3].ToVal(z.t))) +eval auto ind = frame[z.v2].AsCount(); + auto vv = frame[z.v1].AsVector(); + auto yt = vv->RawYieldTypes(); + if ( ind < vv->Size() && yt && (*yt)[ind] && ZVal::IsManagedType((*yt)[ind]) ) + { + auto orig_elem = vv->RawVec()[ind]; + if ( ! vv->Assign(ind, frame[z.v3].ToVal(z.t)) ) + ZAM_run_time_error(z.loc, "value used but not set"); + if ( orig_elem ) + ZVal::DeleteManagedType(*orig_elem); + } + else if ( ! vv->Assign(ind, frame[z.v3].ToVal(z.t)) ) + ZAM_run_time_error(z.loc, "value used but not set"); op Vector-Elem-Assign-Any op1-read @@ -2133,7 +2152,10 @@ type VVVV eval NextVectorIterCore(z.v3, v4) frame[z.v1].uint_val = si.iter; if ( z.is_managed ) + { + ZVal::DeleteManagedType(frame[z.v2]); frame[z.v2] = BuildVal(vv[si.iter]->ToVal(z.t), z.t); + } else frame[z.v2] = *vv[si.iter]; si.IterFinished(); @@ -2145,7 +2167,10 @@ internal-op Next-Vector-Blank-Iter-Val-Var type VVV eval NextVectorIterCore(z.v2, v3) if ( z.is_managed ) + { + ZVal::DeleteManagedType(frame[z.v1]); frame[z.v1] = BuildVal(vv[si.iter]->ToVal(z.t), z.t); + } else frame[z.v1] = *vv[si.iter]; si.IterFinished(); 
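Review bot: In @@ -1604 the `vv->Assign(ind, frame[z.v3].ToVal(z.t))` call and its `ZAM_run_time_error(z.loc, "value used but not set")` are duplicated across the two branches; declaring `orig_elem` empty (same type as an element of `vv->RawVec()`) before the managed-type test, filling it inside, and then performing a single `Assign` followed by `if ( orig_elem ) ZVal::DeleteManagedType(*orig_elem);` keeps one assignment and one error message. The two `Next-Vector-*-Iter-Val-Var` hunks on the same line would benefit from a one-line comment on the new `ZVal::DeleteManagedType(frame[...])`, e.g. `// Slot is reused across iterations; release the previous element.`, since the reason is not obvious from the instruction text.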
@@ -3068,11 +3093,11 @@ macro AnalyzerName(tag) auto atype = tag.ToVal(z.t); auto val = atype->AsEnumVal(); Unref(frame[z.v1].string_val); - plugin::Component* component = zeek::analyzer_mgr->Lookup(val); + plugin::Component* component = zeek::analyzer_mgr->Lookup(val, false); if ( ! component ) - component = zeek::packet_mgr->Lookup(val); + component = zeek::packet_mgr->Lookup(val, false); if ( ! component ) - component = zeek::file_mgr->Lookup(val); + component = zeek::file_mgr->Lookup(val, false); if ( component ) frame[z.v1].string_val = new StringVal(component->CanonicalName()); else diff --git a/src/script_opt/ZAM/ZBody.cc b/src/script_opt/ZAM/ZBody.cc index 0eb283284a..72e5236419 100644 --- a/src/script_opt/ZAM/ZBody.cc +++ b/src/script_opt/ZAM/ZBody.cc @@ -214,8 +214,9 @@ static void vec_exec(ZOp op, TypePtr t, VectorVal*& v1, const VectorVal* v2, con std::string err = "overflow promoting from "; \ err += ov_err; \ err += " arithmetic value"; \ + /* The run-time error will throw an exception, so recover intermediary memory. */ \ + delete res_zv; \ ZAM_run_time_error(z.loc, err.c_str()); \ - res[i] = std::nullopt; \ } \ else \ res[i] = ZVal(cast(vi)); \ 
@@ -326,6 +327,55 @@ std::shared_ptr ZBody::BuildProfVec() const { return pv; } +// Helper class for managing ZBody state to ensure that memory is recovered +// if a ZBody is exited via an exception. +class ZBodyStateManager { +public: + // If fixed_frame is nil then creates a dynamic frame. + ZBodyStateManager(ZVal* _fixed_frame, int frame_size, const std::vector& _managed_slots, + TableIterVec* _tiv_ptr) + : fixed_frame(_fixed_frame), managed_slots(_managed_slots), tiv_ptr(_tiv_ptr) { + if ( fixed_frame ) + frame = fixed_frame; + else { + frame = new ZVal[frame_size]; + for ( auto s : managed_slots ) + frame[s].ClearManagedVal(); + } + } + + void SetTableIters(TableIterVec* _tiv_ptr) { tiv_ptr = _tiv_ptr; } + + ~ZBodyStateManager() { + if ( tiv_ptr ) + for ( auto& ti : *tiv_ptr ) + ti.Clear(); + + if ( fixed_frame ) { + // Recover memory and reset for use in next call. + for ( auto s : managed_slots ) { + ZVal::DeleteManagedType(frame[s]); + frame[s].ClearManagedVal(); + } + } + + else { + // Recover memory, no need to reset. + for ( auto s : managed_slots ) + ZVal::DeleteManagedType(frame[s]); + delete[] frame; + } + } + + auto Frame() { return frame; } + +private: + ZVal* fixed_frame; + ZVal* frame; + const std::vector& managed_slots; + TableIterVec* tiv_ptr; +}; + ValPtr ZBody::Exec(Frame* f, StmtFlowType& flow) { unsigned int pc = 0; 
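Review bot: `ZBodyStateManager` owns a heap frame in the dynamic case (`frame = new ZVal[frame_size]`, `delete[] frame` in the destructor) but does not delete its copy operations, so an accidental copy would double-free; add `ZBodyStateManager(const ZBodyStateManager&) = delete;` and `ZBodyStateManager& operator=(const ZBodyStateManager&) = delete;`. The class comment could also state that the destructor runs during stack unwinding, so `ti.Clear()` and `ZVal::DeleteManagedType` must not throw there, and that `Frame()` returns a pointer whose lifetime ends with the manager; spelling its return type (`ZVal* Frame() const`) rather than `auto` helps readers too.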
@@ -358,22 +408,22 @@ ValPtr ZBody::Exec(Frame* f, StmtFlowType& flow) { } #endif - ZVal* frame; + ZBodyStateManager state_mgr(fixed_frame, frame_size, managed_slots, &table_iters); std::unique_ptr local_table_iters; std::vector step_iters(num_step_iters); + ZVal* frame; + if ( fixed_frame ) frame = fixed_frame; else { - frame = new ZVal[frame_size]; - // Clear slots for which we do explicit memory management. - for ( auto s : managed_slots ) - frame[s].ClearManagedVal(); + frame = state_mgr.Frame(); if ( ! table_iters.empty() ) { local_table_iters = std::make_unique(table_iters.size()); *local_table_iters = table_iters; tiv_ptr = &(*local_table_iters); + state_mgr.SetTableIters(nullptr); // unique_ptr will clean it up directly } } @@ -423,33 +473,6 @@ ValPtr ZBody::Exec(Frame* f, StmtFlowType& flow) { ++pc; } - auto result = ret_type ? ret_u->ToVal(ret_type) : nullptr; - - if ( fixed_frame ) { - // Make sure we don't have any dangling iterators. - for ( auto& ti : table_iters ) - ti.Clear(); - - // Free slots for which we do explicit memory management, - // preparing them for reuse. - for ( auto& ms : managed_slots ) { - auto& v = frame[ms]; - ZVal::DeleteManagedType(v); - v.ClearManagedVal(); - } - } - else { - // Free those slots for which we do explicit memory management. - // No need to then clear them, as we're about to throw away - // the entire frame. - for ( auto& ms : managed_slots ) { - auto& v = frame[ms]; - ZVal::DeleteManagedType(v); - } - - delete[] frame; - } - #ifdef ENABLE_ZAM_PROFILE if ( profiling_active ) { tot_CPU_time += util::curr_CPU_time() - start_CPU_time; @@ -460,7 +483,7 @@ ValPtr ZBody::Exec(Frame* f, StmtFlowType& flow) { } #endif - return result; + return ret_type ? ret_u->ToVal(ret_type) : nullptr; } void ZBody::ReportExecutionProfile(ProfMap& pm) { 
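Review bot: The `ZVal* frame; if ( fixed_frame ) frame = fixed_frame; else { frame = state_mgr.Frame(); ...` in @@ -358 duplicates what `ZBodyStateManager`'s constructor already decided (it returns `fixed_frame` from `Frame()` in that case), so `ZVal* frame = state_mgr.Frame();` followed by `if ( ! fixed_frame && ! table_iters.empty() ) { ... }` expresses the same thing with one source of truth. In @@ -460 the correctness of `return ret_type ? ret_u->ToVal(ret_type) : nullptr;` depends on the return expression being evaluated before `state_mgr`'s destructor releases the frame; a comment such as `// Evaluated before state_mgr's destructor releases the frame.` would keep someone from reordering it. Exec begins outside the first hunk.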
@@ -604,8 +627,7 @@ static void vec_exec(ZOp op, TypePtr t, VectorVal*& v1, const VectorVal* v2, con auto& vec2 = v2->RawVec(); auto n = vec2.size(); - auto vec1_ptr = new vector>(n); - auto& vec1 = *vec1_ptr; + vector> vec1(n); for ( auto i = 0U; i < n; ++i ) { if ( vec2[i] ) @@ -620,7 +642,7 @@ static void vec_exec(ZOp op, TypePtr t, VectorVal*& v1, const VectorVal* v2, con auto vt = cast_intrusive(std::move(t)); auto old_v1 = v1; - v1 = new VectorVal(std::move(vt), vec1_ptr); + v1 = new VectorVal(std::move(vt), &vec1); Unref(old_v1); } @@ -631,8 +653,13 @@ static void vec_exec(ZOp op, TypePtr t, VectorVal*& v1, const VectorVal* v2, con auto& vec2 = v2->RawVec(); auto& vec3 = v3->RawVec(); auto n = vec2.size(); - auto vec1_ptr = new vector>(n); - auto& vec1 = *vec1_ptr; + + if ( vec3.size() != n ) { + ZAM_run_time_error(util::fmt("vector operands are of different sizes (%d vs. %d)", int(n), int(vec3.size()))); + return; + } + + vector> vec1(n); for ( auto i = 0U; i < vec2.size(); ++i ) { if ( vec2[i] && vec3[i] ) @@ -647,7 +674,7 @@ static void vec_exec(ZOp op, TypePtr t, VectorVal*& v1, const VectorVal* v2, con auto vt = cast_intrusive(std::move(t)); auto old_v1 = v1; - v1 = new VectorVal(std::move(vt), vec1_ptr); + v1 = new VectorVal(std::move(vt), &vec1); Unref(old_v1); } diff --git a/src/spicy/manager.cc b/src/spicy/manager.cc index 1a9420e22a..414ba705ee 100644 --- a/src/spicy/manager.cc +++ b/src/spicy/manager.cc @@ -6,6 +6,7 @@ #include #include +#include #include #include @@ -32,6 +33,7 @@ #include "zeek/spicy/file-analyzer.h" #include "zeek/spicy/packet-analyzer.h" #include "zeek/spicy/protocol-analyzer.h" +#include "zeek/spicy/runtime-support.h" #include "zeek/zeek-config-paths.h" using namespace zeek; 
@@ -74,9 +76,13 @@ void Manager::registerProtocolAnalyzer(const std::string& name, hilti::rt::Proto info.name_zeek = hilti::rt::replace(name, "::", "_"); info.name_zeekygen = hilti::rt::fmt("", name); info.protocol = proto; - info.ports = ports; info.linker_scope = linker_scope; + // Store ports in a deterministic order. We can't (easily) sort the + // `hilti::rt::Vector` unfortunately. + std::copy(ports.begin(), ports.end(), std::back_inserter(info.ports)); + std::sort(info.ports.begin(), info.ports.end()); + // We may have that analyzer already iff it was previously pre-registered // without a linker scope. We'll then only set the scope now. if ( auto t = _analyzer_name_to_tag_type.find(info.name_zeek); t != _analyzer_name_to_tag_type.end() ) { 
@@ -587,25 +593,25 @@ static ::TransportProto transport_protocol(const hilti::rt::Port port) { } static void hook_accept_input() { - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - - if ( auto x = cookie->protocol ) { - auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag()); - SPICY_DEBUG(hilti::rt::fmt("confirming protocol %s", tag.AsString())); - return x->analyzer->AnalyzerConfirmation(tag); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto x = cookie->protocol ) { + auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag()); + SPICY_DEBUG(hilti::rt::fmt("confirming protocol %s", tag.AsString())); + return x->analyzer->AnalyzerConfirmation(tag); + } } } static void hook_decline_input(const std::string& reason) { - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - - if ( auto x = cookie->protocol ) { - auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag()); - SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s: %s", tag.AsString(), reason)); - return x->analyzer->AnalyzerViolation(reason.c_str(), nullptr, 0, tag); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto x = cookie->protocol ) { + auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag()); + SPICY_DEBUG(hilti::rt::fmt("rejecting protocol %s: %s", tag.AsString(), reason)); + return x->analyzer->AnalyzerViolation(reason.c_str(), nullptr, 0, tag); + } } + else + SPICY_DEBUG(hilti::rt::fmt("attempting to reject protocol without cookie: %s", reason)); } void Manager::InitPostScript() { 
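Review bot: `hook_accept_input` now silently does nothing when `hilti::rt::context::cookie()` is null, while the parallel `hook_decline_input` logs `attempting to reject protocol without cookie`; the two should behave alike, e.g. an `else SPICY_DEBUG("attempting to confirm protocol without cookie");` on the accept side, since a confirmation lost for lack of context is exactly what an operator debugging a non-confirming analyzer would want to see. Both functions also still fall through silently when the cookie exists but `protocol` is unset; a comment saying that is expected for file and packet analyzers (if that is the case) would make the silence deliberate.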
@@ -701,14 +707,25 @@ void Manager::InitPostScript() { if ( ! tag ) reporter->InternalError("cannot get analyzer tag for '%s'", p.name_analyzer.c_str()); + auto register_analyzer_for_port = [&](auto tag, const hilti::rt::Port& port_) { + SPICY_DEBUG(hilti::rt::fmt(" Scheduling analyzer for port %s", port_)); + + // Well-known ports are registered in scriptland, so we'll raise an + // event that will do it for us through a predefined handler. + zeek::Args vals = Args(); + vals.emplace_back(tag.AsVal()); + vals.emplace_back(zeek::spicy::rt::to_val(port_, base_type(TYPE_PORT))); + EventHandlerPtr handler = event_registry->Register("spicy_analyzer_for_port"); + event_mgr.Enqueue(handler, vals); + }; + for ( const auto& ports : p.ports ) { const auto proto = ports.begin.protocol(); // Port ranges are closed intervals. for ( auto port = ports.begin.port(); port <= ports.end.port(); ++port ) { const auto port_ = hilti::rt::Port(port, proto); - SPICY_DEBUG(hilti::rt::fmt(" Scheduling analyzer for port %s", port_)); - analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port_), port); + register_analyzer_for_port(tag, port_); // Don't double register in case of single-port ranges. if ( ports.begin.port() == ports.end.port() ) @@ -727,7 +744,7 @@ void Manager::InitPostScript() { continue; SPICY_DEBUG(hilti::rt::fmt(" Scheduling analyzer for port %s", port.port)); - analyzer_mgr->RegisterAnalyzerForPort(tag, transport_protocol(port.port), port.port.port()); + register_analyzer_for_port(tag, port.port); } } } diff --git a/src/spicy/manager.h b/src/spicy/manager.h index 118e03b6c3..55f47c51fd 100644 --- a/src/spicy/manager.h +++ b/src/spicy/manager.h 
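Review bot: `event_registry->Register("spicy_analyzer_for_port")` inside the lambda in @@ -701 is re-run for every port of every analyzer; the handler can be looked up once before the loop and captured. More importantly, port registration now happens only if a script-level handler for `spicy_analyzer_for_port` is loaded — the previous direct `analyzer_mgr->RegisterAnalyzerForPort` call had no such dependency — so in a deployment that does not load that script, Spicy analyzers would silently stop being attached to their well-known ports; a comment naming the script that defines the handler, and a debug line when no handler is registered, would make this diagnosable. InitPostScript begins outside the hunk.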
@@ -85,7 +85,7 @@ public: * * @param name name of the analyzer as defined in its EVT file * @param proto analyzer's transport-layer protocol - * @param prts well-known ports for the analyzer; it'll be activated automatically for these + * @param ports well-known ports for the analyzer; it'll be activated automatically for these * @param parser_orig name of the Spicy parser for the originator side; must match the name that * Spicy registers the unit's parser with * @param parser_resp name of the Spicy parser for the originator side; must match the name that @@ -343,7 +343,7 @@ private: std::string name_parser_resp; std::string name_replaces; hilti::rt::Protocol protocol = hilti::rt::Protocol::Undef; - hilti::rt::Vector<::zeek::spicy::rt::PortRange> ports; + std::vector<::zeek::spicy::rt::PortRange> ports; // we keep this sorted std::string linker_scope; // Computed and available once the analyzer has been registered. diff --git a/src/spicy/port-range.h b/src/spicy/port-range.h index bbe0d58c12..7e71d433f8 100644 --- a/src/spicy/port-range.h +++ b/src/spicy/port-range.h @@ -19,6 +19,11 @@ struct PortRange { hilti::rt::Port begin; /**< first port in the range */ hilti::rt::Port end; /**< last port in the range */ + + bool operator<(const PortRange& other) const { + // Just get us a deterministic order. + return std::tie(begin, end) < std::tie(other.begin, other.end); + } }; inline bool operator==(const PortRange& a, const PortRange& b) { diff --git a/src/spicy/runtime-support.cc b/src/spicy/runtime-support.cc index f5afd37461..c5d36e0b30 100644 --- a/src/spicy/runtime-support.cc +++ b/src/spicy/runtime-support.cc 
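Review bot: `operator<` added to `PortRange` in port-range.h uses `std::tie`, which needs `<tuple>`; the hunk does not add the include, so the header compiles only while some transitive include happens to provide it. Adding `#include <tuple>` at the top of port-range.h makes the header self-sufficient, and the comment could note that the ordering is purely for determinism (as `manager.h` now says with "we keep this sorted") rather than any semantic ordering of ports.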
@@ -223,47 +223,47 @@ TypePtr rt::event_arg_type(const EventHandlerPtr& handler, const hilti::rt::inte ValPtr& rt::current_conn() { auto _ = hilti::rt::profiler::start("zeek/rt/current_conn"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( cookie->cache.conn ) - return cookie->cache.conn; + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( cookie->cache.conn ) + return cookie->cache.conn; - if ( auto x = cookie->protocol ) { - cookie->cache.conn = x->analyzer->Conn()->GetVal(); - return cookie->cache.conn; + if ( auto x = cookie->protocol ) { + cookie->cache.conn = x->analyzer->Conn()->GetVal(); + return cookie->cache.conn; + } } - else - throw ValueUnavailable("$conn not available"); + + throw ValueUnavailable("$conn not available"); } ValPtr& rt::current_is_orig() { auto _ = hilti::rt::profiler::start("zeek/rt/current_is_orig"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( cookie->cache.is_orig ) - return cookie->cache.is_orig; + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( cookie->cache.is_orig ) + return cookie->cache.is_orig; - if ( auto x = cookie->protocol ) { - cookie->cache.is_orig = val_mgr->Bool(x->is_orig); - return cookie->cache.is_orig; + if ( auto x = cookie->protocol ) { + cookie->cache.is_orig = val_mgr->Bool(x->is_orig); + return cookie->cache.is_orig; + } } - else - throw ValueUnavailable("$is_orig not available"); + + throw ValueUnavailable("$is_orig not available"); } void rt::debug(const std::string& msg) { auto _ = hilti::rt::profiler::start("zeek/rt/debug"); auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); + if ( ! 
cookie ) + return SPICY_DEBUG(msg); + rt::debug(*cookie, msg); } void rt::debug(const Cookie& cookie, const std::string& msg) { auto _ = hilti::rt::profiler::start("zeek/rt/debug"); - std::string name; - std::string id; if ( const auto p = cookie.protocol ) { auto name = p->analyzer->GetAnalyzerName(); @@ -285,12 +285,14 @@ void rt::debug(const Cookie& cookie, const std::string& msg) { inline rt::cookie::FileStateStack* _file_state_stack(rt::Cookie* cookie) { auto _ = hilti::rt::profiler::start("zeek/rt/file_state_stack"); - if ( auto c = cookie->protocol ) - return c->is_orig ? &c->fstate_orig : &c->fstate_resp; - else if ( auto f = cookie->file ) - return &f->fstate; - else - throw rt::ValueUnavailable("no current connection or file available"); + if ( cookie ) { + if ( auto c = cookie->protocol ) + return c->is_orig ? &c->fstate_orig : &c->fstate_resp; + else if ( auto f = cookie->file ) + return &f->fstate; + } + + throw rt::ValueUnavailable("no current connection or file available"); } inline const rt::cookie::FileState* _file_state(rt::Cookie* cookie, std::optional fid) { @@ -313,14 +315,14 @@ inline const rt::cookie::FileState* _file_state(rt::Cookie* cookie, std::optiona ValPtr rt::current_file() { auto _ = hilti::rt::profiler::start("zeek/rt/current_file"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( auto x = cookie->file ) - return x->analyzer->GetFile()->ToVal(); - else if ( auto* fstate = _file_state(cookie, {}) ) { - if ( auto* f = file_mgr->LookupFile(fstate->fid) ) - return f->ToVal(); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto x = cookie->file ) + return x->analyzer->GetFile()->ToVal(); + else if ( auto* fstate = _file_state(cookie, {}) ) { + if ( auto* f = file_mgr->LookupFile(fstate->fid) ) + return f->ToVal(); + } } throw ValueUnavailable("$file not available"); 
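Review bot: `return SPICY_DEBUG(msg);` in the `rt::debug(const std::string&)` part of @@ -223 returns the value of a macro from a `void` function, which only compiles while the macro expands to a single void expression and reads as if something were returned; `SPICY_DEBUG(msg); return;` (or an if/else around the two calls) is the conventional form. Otherwise the move from `assert(cookie)` to throwing `ValueUnavailable` turns a debug-only abort into a runtime error reachable from script code, which is the safer failure mode; a short comment on the first of these functions stating when a null cookie is expected would tell readers the new branch is not dead code.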
@@ -328,43 +330,43 @@ ValPtr rt::current_file() { ValPtr rt::current_packet() { auto _ = hilti::rt::profiler::start("zeek/rt/current_packet"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( auto c = cookie->packet ) { - if ( ! c->packet_val ) - // We cache the built value in case we need it multiple times. - c->packet_val = c->packet->ToRawPktHdrVal(); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto c = cookie->packet ) { + if ( ! c->packet_val ) + // We cache the built value in case we need it multiple times. + c->packet_val = c->packet->ToRawPktHdrVal(); - return c->packet_val; + return c->packet_val; + } } - else - throw ValueUnavailable("$packet not available"); + + throw ValueUnavailable("$packet not available"); } hilti::rt::Bool rt::is_orig() { auto _ = hilti::rt::profiler::start("zeek/rt/is_orig"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( auto x = cookie->protocol ) - return x->is_orig; - else - throw ValueUnavailable("is_orig() not available in current context"); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto x = cookie->protocol ) + return x->is_orig; + } + + throw ValueUnavailable("is_orig() not available in current context"); } std::string rt::uid() { auto _ = hilti::rt::profiler::start("zeek/rt/uid"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( auto c = cookie->protocol ) { - // Retrieve the ConnVal() so that we ensure the UID has been set. - c->analyzer->ConnVal(); - return c->analyzer->Conn()->GetUID().Base62("C"); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto c = cookie->protocol ) { + // Retrieve the ConnVal() so that we ensure the UID has been set. 
+ c->analyzer->ConnVal(); + return c->analyzer->Conn()->GetUID().Base62("C"); + } } - else - throw ValueUnavailable("uid() not available in current context"); + + throw ValueUnavailable("uid() not available in current context"); } std::tuple rt::conn_id() { 
@@ -395,58 +397,59 @@ std::tuple(hilti::rt::context::cookie()); - assert(cookie); - - if ( auto c = cookie->protocol ) { - const auto* conn = c->analyzer->Conn(); - return std::make_tuple(convert_address(conn->OrigAddr()), convert_port(conn->OrigPort(), conn->ConnTransport()), - convert_address(conn->RespAddr()), - convert_port(conn->RespPort(), conn->ConnTransport())); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto c = cookie->protocol ) { + const auto* conn = c->analyzer->Conn(); + return std::make_tuple(convert_address(conn->OrigAddr()), + convert_port(conn->OrigPort(), conn->ConnTransport()), + convert_address(conn->RespAddr()), + convert_port(conn->RespPort(), conn->ConnTransport())); + } } - else - throw ValueUnavailable("conn_id() not available in current context"); + + throw ValueUnavailable("conn_id() not available in current context"); } void rt::flip_roles() { auto _ = hilti::rt::profiler::start("zeek/rt/flip_roles"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - rt::debug(*cookie, "flipping roles"); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + rt::debug(*cookie, "flipping roles"); - if ( auto x = cookie->protocol ) - x->analyzer->Conn()->FlipRoles(); - else - throw ValueUnavailable("flip_roles() not available in current context"); + if ( auto x = cookie->protocol ) + return x->analyzer->Conn()->FlipRoles(); + } + + throw ValueUnavailable("flip_roles() not available in current context"); } hilti::rt::integer::safe rt::number_packets() { auto _ = hilti::rt::profiler::start("zeek/rt/number_packets"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( auto x = cookie->protocol ) { - return x->num_packets; + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto x = cookie->protocol ) { + return x->num_packets; + } } - else - throw ValueUnavailable("number_packets() not available in current context"); + + throw 
ValueUnavailable("number_packets() not available in current context"); } void rt::confirm_protocol() { auto _ = hilti::rt::profiler::start("zeek/rt/confirm_protocol"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( cookie->cache.confirmed ) - return; + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( cookie->cache.confirmed ) + return; - if ( auto x = cookie->protocol ) { - auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag()); - SPICY_DEBUG(hilti::rt::fmt("confirming protocol %s", tag.AsString())); - cookie->cache.confirmed = true; - return x->analyzer->AnalyzerConfirmation(tag); + if ( auto x = cookie->protocol ) { + auto tag = spicy_mgr->tagForProtocolAnalyzer(x->analyzer->GetAnalyzerTag()); + SPICY_DEBUG(hilti::rt::fmt("confirming protocol %s", tag.AsString())); + cookie->cache.confirmed = true; + return x->analyzer->AnalyzerConfirmation(tag); + } } + throw ValueUnavailable("no current connection available"); } 
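Review bot: `return x->analyzer->Conn()->FlipRoles();` in the void `rt::flip_roles()` returns a void expression so that the fall-through `throw` is skipped; that is legal C++, but it reads as if the call produced a value, and the same form is introduced in `rt::weird`, `rt::terminate_session` and `rt::skip_input` in later hunks. `x->analyzer->Conn()->FlipRoles(); return;`, the shape `rt::forward_packet` already uses in its hunk, states the intent without the double take. The `rt::debug(*cookie, "flipping roles")` call still runs before the protocol check, so the debug log records a flip attempt even when the function then throws; a comment noting that this is deliberate would help.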
@@ -471,18 +474,17 @@ void rt::reject_protocol(const std::string& reason) { void rt::weird(const std::string& id, const std::string& addl) { auto _ = hilti::rt::profiler::start("zeek/rt/weird"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( const auto x = cookie->protocol ) - x->analyzer->Weird(id.c_str(), addl.data()); - else if ( const auto x = cookie->file ) - zeek::reporter->Weird(x->analyzer->GetFile(), id.c_str(), addl.data()); - else if ( const auto x = cookie->packet ) { - x->analyzer->Weird(id.c_str(), x->packet, addl.c_str()); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( const auto x = cookie->protocol ) + return x->analyzer->Weird(id.c_str(), addl.data()); + else if ( const auto x = cookie->file ) + return zeek::reporter->Weird(x->analyzer->GetFile(), id.c_str(), addl.data()); + else if ( const auto x = cookie->packet ) + return x->analyzer->Weird(id.c_str(), x->packet, addl.c_str()); } - else - throw ValueUnavailable("none of $conn, $file, or $packet available for weird reporting"); + + throw ValueUnavailable("none of $conn, $file, or $packet available for weird reporting"); } void rt::protocol_begin(const std::optional& analyzer, const ::hilti::rt::Protocol& proto) { @@ -499,11 +501,11 @@ void rt::protocol_begin(const std::optional& analyzer, const ::hilt // doesn't need to track what the other side already did. auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); + + if ( ! cookie || ! cookie->protocol ) + throw ValueUnavailable("no current connection available"); auto c = cookie->protocol; - if ( ! c ) - throw ValueUnavailable("no current connection available"); switch ( proto.value() ) { case ::hilti::rt::Protocol::TCP: { 
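Review bot: The protocol and file branches of `rt::weird()` pass `addl.data()` while the packet branch passes `addl.c_str()` for the same argument; both are NUL-terminated since C++11, but using `addl.c_str()` on all three rewritten lines makes the C-string intent explicit and removes the question for the next reader. The null-cookie path now throws `ValueUnavailable` instead of relying on `assert`, so release builds get a defined failure rather than a null dereference before the weird can be reported.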
@@ -547,12 +549,12 @@ void rt::protocol_begin(const ::hilti::rt::Protocol& proto) { return protocol_be rt::ProtocolHandle rt::protocol_handle_get_or_create(const std::string& analyzer, const ::hilti::rt::Protocol& proto) { auto _ = hilti::rt::profiler::start("zeek/rt/protocol_handle_get_or_create"); + auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); + if ( ! cookie || ! cookie->protocol ) + throw ValueUnavailable("no current connection available"); auto c = cookie->protocol; - if ( ! c ) - throw ValueUnavailable("no current connection available"); switch ( proto.value() ) { case ::hilti::rt::Protocol::TCP: { @@ -623,11 +625,11 @@ static void protocol_data_in(const hilti::rt::Bool& is_orig, const hilti::rt::By const std::optional& h) { auto _ = hilti::rt::profiler::start("zeek/rt/protocol_data_in"); auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); + + if ( ! cookie || ! cookie->protocol ) + throw ValueUnavailable("no current connection available"); auto c = cookie->protocol; - if ( ! c ) - throw ValueUnavailable("no current connection available"); // We need to copy the data here to be on the safe side: the streaming // input methods expect the data to stay around until they return. At first @@ -719,11 +721,11 @@ void rt::protocol_gap(const hilti::rt::Bool& is_orig, const hilti::rt::integer:: const hilti::rt::integer::safe& len, const std::optional& h) { auto _ = hilti::rt::profiler::start("zeek/rt/protocol_gap"); auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); + + if ( ! cookie || ! cookie->protocol ) + throw ValueUnavailable("no current connection available"); auto c = cookie->protocol; - if ( ! c ) - throw ValueUnavailable("no current connection available"); switch ( h->protocol().value() ) { case ::hilti::rt::Protocol::TCP: { 
@@ -761,25 +763,25 @@ void rt::protocol_gap(const hilti::rt::Bool& is_orig, const hilti::rt::integer:: void rt::protocol_end() { auto _ = hilti::rt::profiler::start("zeek/rt/protocol_end"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - auto c = cookie->protocol; - if ( ! c ) - throw ValueUnavailable("no current connection available"); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + auto c = cookie->protocol; + if ( ! c ) + throw ValueUnavailable("no current connection available"); - for ( const auto& i : c->analyzer->GetChildren() ) - c->analyzer->RemoveChildAnalyzer(i); + for ( const auto& i : c->analyzer->GetChildren() ) + c->analyzer->RemoveChildAnalyzer(i); + } } void rt::protocol_handle_close(const ProtocolHandle& handle) { auto _ = hilti::rt::profiler::start("zeek/rt/protocol_handle_close"); auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); + + if ( ! cookie || ! cookie->protocol ) + throw ValueUnavailable("no current connection available"); auto c = cookie->protocol; - if ( ! c ) - throw ValueUnavailable("no current connection available"); switch ( handle.protocol().value() ) { case ::hilti::rt::Protocol::TCP: { @@ -827,7 +829,8 @@ rt::cookie::FileState* rt::cookie::FileStateStack::push(std::optional(hilti::rt::context::cookie()); - assert(cookie); + if ( ! cookie ) + throw ValueUnavailable("no current connection available"); if ( auto c = cookie->protocol ) { auto tag = spicy_mgr->tagForProtocolAnalyzer(c->analyzer->GetAnalyzerTag()); 
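Review bot: `rt::protocol_end()` is the one function in this change where a null cookie is silently ignored: its body is wrapped in `if ( auto cookie = ... ) { ... }` with no `throw` after the block, while a non-null cookie without a protocol still throws `ValueUnavailable("no current connection available")`, and its neighbours (`protocol_handle_close` directly below, `protocol_begin`, `protocol_gap`) throw in both cases. Unless the no-op is intended, the uniform `if ( ! cookie || ! cookie->protocol ) throw ValueUnavailable("no current connection available");` form keeps the child-analyzer cleanup from being skipped without any signal. If the no-op is intended, a one-line comment saying why a missing cookie is not an error here would stop the next reader from "fixing" it.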
@@ -899,38 +902,38 @@ static void _data_in(const char* data, uint64_t len, std::optional off void rt::terminate_session() { auto _ = hilti::rt::profiler::start("zeek/rt/terminate_session"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( auto c = cookie->protocol ) { - assert(session_mgr); - session_mgr->Remove(c->analyzer->Conn()); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto c = cookie->protocol ) { + assert(session_mgr); + return session_mgr->Remove(c->analyzer->Conn()); + } } - else - throw spicy::rt::ValueUnavailable("terminate_session() not available in the current context"); + + throw spicy::rt::ValueUnavailable("terminate_session() not available in the current context"); } void rt::skip_input() { auto _ = hilti::rt::profiler::start("zeek/rt/skip_input"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( auto p = cookie->protocol ) - p->analyzer->SetSkip(true); - else if ( auto f = cookie->file ) - f->analyzer->SetSkip(true); - else - throw spicy::rt::ValueUnavailable("skip() not available in the current context"); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto p = cookie->protocol ) + return p->analyzer->SetSkip(true); + else if ( auto f = cookie->file ) + return f->analyzer->SetSkip(true); + } + + throw spicy::rt::ValueUnavailable("skip() not available in the current context"); } std::string rt::fuid() { auto _ = hilti::rt::profiler::start("zeek/rt/fuid"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( auto f = cookie->file ) { - if ( auto file = f->analyzer->GetFile() ) - return file->GetID(); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto f = cookie->file ) { + if ( auto file = f->analyzer->GetFile() ) + return file->GetID(); + } } throw ValueUnavailable("fuid() not available in current context"); 
@@ -1003,6 +1006,9 @@ void rt::file_gap(const hilti::rt::integer::safe& offset, const hilti: const std::optional& fid) { auto _ = hilti::rt::profiler::start("zeek/rt/file_gap"); auto cookie = static_cast(hilti::rt::context::cookie()); + if ( ! cookie ) + throw spicy::rt::ValueUnavailable("file_gap() not available in the current context"); + auto* fstate = _file_state(cookie, fid); if ( auto c = cookie->protocol ) { @@ -1024,13 +1030,15 @@ void rt::file_end(const std::optional& fid) { void rt::forward_packet(const hilti::rt::integer::safe& identifier) { auto _ = hilti::rt::profiler::start("zeek/rt/forward_packet"); - auto cookie = static_cast(hilti::rt::context::cookie()); - assert(cookie); - if ( auto c = cookie->packet ) - c->next_analyzer = identifier; - else - throw ValueUnavailable("no current packet analyzer available"); + if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) { + if ( auto c = cookie->packet ) { + c->next_analyzer = identifier; + return; + } + } + + throw ValueUnavailable("no current packet analyzer available"); } hilti::rt::Time rt::network_time() { diff --git a/src/spicy/spicyz/driver.cc b/src/spicy/spicyz/driver.cc index 8a4eee216a..75ffd1f6fa 100644 --- a/src/spicy/spicyz/driver.cc +++ b/src/spicy/spicyz/driver.cc @@ -4,10 +4,8 @@ #include -#include #include #include -#include #include #include @@ -42,11 +40,10 @@ struct VisitorTypes : public spicy::visitor::PreOrder { module = {}; return; } - module = n->scopeID(); path = n->uid().path; - if ( is_resolved ) + if ( is_resolved && ! n->skipImplementation() ) glue->addSpicyModule(module, path); } diff --git a/src/spicy/spicyz/glue-compiler.cc b/src/spicy/spicyz/glue-compiler.cc index cc17312343..e9240ed245 100644 --- a/src/spicy/spicyz/glue-compiler.cc +++ b/src/spicy/spicyz/glue-compiler.cc 
@@ -1375,7 +1375,7 @@ bool GlueCompiler::CreateSpicyHook(glue::Event* ev) { auto attrs = builder()->attributeSet({builder()->attribute("&priority", builder()->integer(ev->priority))}); auto parameters = hilti::util::transform(ev->parameters, [](const auto& p) { return p.get(); }); - auto unit_hook = builder()->declarationHook(parameters, body.block(), ::spicy::Engine::All, attrs, meta); + auto unit_hook = builder()->declarationHook(parameters, body.block(), attrs, meta); auto hook_decl = builder()->declarationUnitHook(ev->hook, unit_hook, meta); ev->spicy_module->spicy_module->add(context(), hook_decl); diff --git a/src/telemetry/CMakeLists.txt b/src/telemetry/CMakeLists.txt index d61cbdb671..a760dcd13c 100644 --- a/src/telemetry/CMakeLists.txt +++ b/src/telemetry/CMakeLists.txt @@ -9,6 +9,7 @@ zeek_add_subdir_library( ProcessStats.cc Utils.cc BIFS + consts.bif telemetry.bif) # We don't need to include the civetweb headers across the whole project, only diff --git a/src/telemetry/Counter.cc b/src/telemetry/Counter.cc index 8b34624254..889a17f1a7 100644 --- a/src/telemetry/Counter.cc +++ b/src/telemetry/Counter.cc 
@@ -2,27 +2,17 @@ using namespace zeek::telemetry; -Counter::Counter(FamilyType* family, const prometheus::Labels& labels, prometheus::CollectCallbackPtr callback) noexcept - : handle(family->Add(labels)), labels(labels) { - if ( callback ) { - handle.AddCollectCallback(std::move(callback)); - has_callback = true; - } -} +Counter::Counter(FamilyType* family, const prometheus::Labels& labels, detail::CollectCallbackPtr callback) noexcept + : family(family), handle(family->Add(labels)), labels(labels), callback(std::move(callback)) {} double Counter::Value() const noexcept { - if ( has_callback ) { - // Use Collect() here instead of Value() to correctly handle metrics with - // callbacks. - auto metric = handle.Collect(); - return metric.counter.value; - } + if ( callback ) + return callback(); return handle.Value(); } -std::shared_ptr CounterFamily::GetOrAdd(Span labels, - prometheus::CollectCallbackPtr callback) { +std::shared_ptr CounterFamily::GetOrAdd(Span labels, detail::CollectCallbackPtr callback) { prometheus::Labels p_labels = detail::BuildPrometheusLabels(labels); auto check = [&](const std::shared_ptr& counter) { return counter->CompareLabels(p_labels); }; @@ -36,6 +26,15 @@ std::shared_ptr CounterFamily::GetOrAdd(Span labels, } std::shared_ptr CounterFamily::GetOrAdd(std::initializer_list labels, - prometheus::CollectCallbackPtr callback) { + detail::CollectCallbackPtr callback) { return GetOrAdd(Span{labels.begin(), labels.size()}, std::move(callback)); } + +void CounterFamily::RunCallbacks() { + for ( auto& c : counters ) { + if ( c->HasCallback() ) { + double val = c->RunCallback(); + c->Set(val); + } + } +} diff --git a/src/telemetry/Counter.h b/src/telemetry/Counter.h index f6c49315b7..c9595c7709 100644 --- a/src/telemetry/Counter.h +++ b/src/telemetry/Counter.h @@ -4,7 +4,6 @@ #include #include -#include #include #include 
@@ -15,6 +14,12 @@ namespace zeek::telemetry { +namespace detail { +using CollectCallbackPtr = std::function; +} + +class CounterFamily; + /** * A handle to a metric that can only go up. */ @@ -26,7 +31,7 @@ public: using FamilyType = prometheus::Family; explicit Counter(FamilyType* family, const prometheus::Labels& labels, - prometheus::CollectCallbackPtr callback = nullptr) noexcept; + detail::CollectCallbackPtr callback = nullptr) noexcept; /** * Increments the value by 1. @@ -55,10 +60,21 @@ public: bool CompareLabels(const prometheus::Labels& lbls) const { return labels == lbls; } + bool HasCallback() const noexcept { return callback != nullptr; } + double RunCallback() const { return callback(); } + private: + friend class CounterFamily; + void Set(double val) { + // Counter has no Set(), but we can fake it. + handle.Reset(); + handle.Increment(val); + } + + FamilyType* family = nullptr; Handle& handle; prometheus::Labels labels; - bool has_callback = false; + detail::CollectCallbackPtr callback; }; using CounterPtr = std::shared_ptr; @@ -74,15 +90,17 @@ public: * Returns the metrics handle for given labels, creating a new instance * lazily if necessary. */ - CounterPtr GetOrAdd(Span labels, prometheus::CollectCallbackPtr callback = nullptr); + CounterPtr GetOrAdd(Span labels, detail::CollectCallbackPtr callback = nullptr); /** * @copydoc GetOrAdd */ - CounterPtr GetOrAdd(std::initializer_list labels, prometheus::CollectCallbackPtr callback = nullptr); + CounterPtr GetOrAdd(std::initializer_list labels, detail::CollectCallbackPtr callback = nullptr); zeek_int_t MetricType() const noexcept override { return BifEnum::Telemetry::MetricType::COUNTER; } + void RunCallbacks() override; + private: prometheus::Family* family; std::vector counters; diff --git a/src/telemetry/Gauge.cc b/src/telemetry/Gauge.cc index 273c9a57bf..79550c8128 100644 --- a/src/telemetry/Gauge.cc +++ b/src/telemetry/Gauge.cc 
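Review bot: `namespace detail { using CollectCallbackPtr = ...; }` is declared here and again, verbatim, in the Gauge.h and Manager.h hunks later in this diff; C++ tolerates re-declaring an alias to the same type, but three copies will diverge the first time one of them is edited. Moving the alias into one header the three already share (Utils.h, if they all include it) and deleting the other two copies leaves a single definition. The `class CounterFamily;` forward declaration added next to it exists only to support the `friend class CounterFamily;` further down and could carry a one-line comment saying so.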
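Review bot: `Counter::Set()` implements assignment as `handle.Reset()` followed by `handle.Increment(val)`, and that pair is not atomic with respect to readers: the exposer is created with `civetweb_threads` workers in Manager.cc, so a scrape served by a second worker can read the handle between the two calls and observe 0, which a Prometheus server interprets as a counter reset. The comment `// Counter has no Set(), but we can fake it.` should state that window, or the family should run its callbacks under whatever lock guards scraping, if one exists. If prometheus-cpp's `Counter::Increment` rejects negative arguments (I believe it returns early on `val < 0`), a callback that returns a negative number also leaves the counter silently at 0; a `val < 0` check that reports the offending callback would make that visible. The new `FamilyType* family` member is initialised but never read in these hunks.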
@@ -3,26 +3,16 @@ using namespace zeek::telemetry; double Gauge::Value() const noexcept { - if ( has_callback ) { - // Use Collect() here instead of Value() to correctly handle metrics - // with callbacks. - auto metric = handle.Collect(); - return metric.gauge.value; - } + if ( callback ) + return callback(); return handle.Value(); } +Gauge::Gauge(FamilyType* family, const prometheus::Labels& labels, detail::CollectCallbackPtr callback) noexcept + : family(family), handle(family->Add(labels)), labels(labels), callback(std::move(callback)) {} -Gauge::Gauge(FamilyType* family, const prometheus::Labels& labels, prometheus::CollectCallbackPtr callback) noexcept - : handle(family->Add(labels)), labels(labels) { - if ( callback ) { - handle.AddCollectCallback(std::move(callback)); - has_callback = true; - } -} - -std::shared_ptr GaugeFamily::GetOrAdd(Span labels, prometheus::CollectCallbackPtr callback) { +std::shared_ptr GaugeFamily::GetOrAdd(Span labels, detail::CollectCallbackPtr callback) { prometheus::Labels p_labels = detail::BuildPrometheusLabels(labels); auto check = [&](const std::shared_ptr& gauge) { return gauge->CompareLabels(p_labels); }; @@ -36,6 +26,13 @@ std::shared_ptr GaugeFamily::GetOrAdd(Span labels, prome } std::shared_ptr GaugeFamily::GetOrAdd(std::initializer_list labels, - prometheus::CollectCallbackPtr callback) { + detail::CollectCallbackPtr callback) { return GetOrAdd(Span{labels.begin(), labels.size()}, std::move(callback)); } + +void GaugeFamily::RunCallbacks() { + for ( const auto& g : gauges ) { + if ( g->HasCallback() ) + g->Set(g->RunCallback()); + } +} diff --git a/src/telemetry/Gauge.h b/src/telemetry/Gauge.h index 900cb7b784..22b0e4a0aa 100644 --- a/src/telemetry/Gauge.h +++ b/src/telemetry/Gauge.h @@ -4,7 +4,7 @@ #include #include -#include +#include #include #include 
@@ -15,6 +15,10 @@ namespace zeek::telemetry { +namespace detail { +using CollectCallbackPtr = std::function; +} + /** * A handle to a metric that can count up and down. */ @@ -26,7 +30,7 @@ public: using FamilyType = prometheus::Family; explicit Gauge(FamilyType* family, const prometheus::Labels& labels, - prometheus::CollectCallbackPtr callback = nullptr) noexcept; + detail::CollectCallbackPtr callback = nullptr) noexcept; /** * Increments the value by 1. @@ -57,6 +61,11 @@ public: */ void Dec(double amount) noexcept { handle.Decrement(amount); } + /** + * Set the value by @p val. + */ + void Set(double val) noexcept { handle.Set(val); } + /** * Decrements the value by 1. * @return The new value. @@ -73,10 +82,14 @@ public: bool CompareLabels(const prometheus::Labels& lbls) const { return labels == lbls; } + bool HasCallback() const noexcept { return callback != nullptr; } + double RunCallback() const { return callback(); } + private: + FamilyType* family = nullptr; Handle& handle; prometheus::Labels labels; - bool has_callback = false; + detail::CollectCallbackPtr callback; }; using GaugePtr = std::shared_ptr; @@ -89,18 +102,20 @@ public: * Returns the metrics handle for given labels, creating a new instance * lazily if necessary. */ - GaugePtr GetOrAdd(Span labels, prometheus::CollectCallbackPtr callback = nullptr); + GaugePtr GetOrAdd(Span labels, detail::CollectCallbackPtr callback = nullptr); /** * @copydoc GetOrAdd */ - GaugePtr GetOrAdd(std::initializer_list labels, prometheus::CollectCallbackPtr callback = nullptr); + GaugePtr GetOrAdd(std::initializer_list labels, detail::CollectCallbackPtr callback = nullptr); zeek_int_t MetricType() const noexcept override { return BifEnum::Telemetry::MetricType::GAUGE; } GaugeFamily(prometheus::Family* family, Span labels) : MetricFamily(labels), family(family) {} + void RunCallbacks() override; + private: prometheus::Family* family; std::vector gauges; 
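Review bot: The new doc comment on `Gauge::Set()` reads `Set the value by @p val.`; `Sets the value to @p val.` matches what `handle.Set(val)` does and the third-person form of the surrounding `Increments`/`Decrements` comments. `HasCallback()` and `RunCallback()` are added as public members without any comment, and `RunCallback()` invokes `callback()` unguarded, so a caller that skips `HasCallback()` calls an empty `std::function` and gets `std::bad_function_call`; suggest `/** Invokes the collect callback; only valid when HasCallback() is true. */` on `RunCallback()`. The same pair is added to `Counter` in the Counter.h hunk.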
diff --git a/src/telemetry/Histogram.h b/src/telemetry/Histogram.h index ec8858e463..b2131b40c8 100644 --- a/src/telemetry/Histogram.h +++ b/src/telemetry/Histogram.h @@ -66,6 +66,8 @@ public: zeek_int_t MetricType() const noexcept override { return BifEnum::Telemetry::MetricType::HISTOGRAM; } + void RunCallbacks() override {} + private: prometheus::Family* family; prometheus::Histogram::BucketBoundaries boundaries; diff --git a/src/telemetry/Manager.cc b/src/telemetry/Manager.cc index 04c47ba3ef..c8650476d6 100644 --- a/src/telemetry/Manager.cc +++ b/src/telemetry/Manager.cc @@ -6,6 +6,7 @@ // CivetServer is from the civetweb submodule in prometheus-cpp #include +#include #include #include #include @@ -16,19 +17,32 @@ #include "zeek/3rdparty/doctest.h" #include "zeek/ID.h" +#include "zeek/RunState.h" #include "zeek/ZeekString.h" #include "zeek/broker/Manager.h" +#include "zeek/iosource/Manager.h" #include "zeek/telemetry/ProcessStats.h" #include "zeek/telemetry/Timer.h" +#include "zeek/telemetry/consts.bif.h" #include "zeek/telemetry/telemetry.bif.h" #include "zeek/threading/formatters/detail/json.h" namespace zeek::telemetry { -Manager::Manager() { prometheus_registry = std::make_shared(); } +/** + * Prometheus Collectable interface used to insert Zeek callback processing + * before the Prometheus registry's collection of metric data. + */ +class ZeekCollectable : public prometheus::Collectable { +public: + std::vector Collect() const override { + telemetry_mgr->WaitForPrometheusCallbacks(); + return {}; + } +}; + +Manager::Manager() : IOSource(true) { prometheus_registry = std::make_shared(); } -// This can't be defined as =default because of the use of unique_ptr with a forward-declared type -// in Manager.h Manager::~Manager() {} void Manager::InitPostScript() { 
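Review bot: The comment explaining why `Manager::~Manager() {}` cannot be `= default` was deleted while the empty body stays; if the reason (a `std::unique_ptr` member whose type is only forward-declared in Manager.h) still holds, keep the comment, and if it no longer holds make the destructor `= default`. `ZeekCollectable::Collect()` executes on the exposer's HTTP worker thread and reaches the manager through the global `telemetry_mgr`; its doc comment should say that it blocks the scrape until the main thread has run the callbacks (see `WaitForPrometheusCallbacks()` later in the diff), since nothing about the class name suggests a cross-thread wait. The `IOSource(true)` base-constructor argument in `Manager::Manager()` also deserves a word on what `true` selects.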
@@ -75,7 +89,9 @@ void Manager::InitPostScript() { if ( ! getenv("ZEEKCTL_CHECK_CONFIG") ) { try { - prometheus_exposer = std::make_unique(prometheus_url, 2, callbacks); + prometheus_exposer = + std::make_unique(prometheus_url, BifConst::Telemetry::civetweb_threads, + callbacks); // CivetWeb stores a copy of the callbacks, so we're safe to delete the pointer here delete callbacks; @@ -84,6 +100,13 @@ void Manager::InitPostScript() { prometheus_url.c_str()); } + // This has to be inserted before the registry below. The exposer + // processes the collectors in order of insertion. We want to make + // sure that the callbacks get called and the values in the metrics + // are updated before prometheus-cpp scrapes them. + zeek_collectable = std::make_shared(); + prometheus_exposer->RegisterCollectable(zeek_collectable); + prometheus_exposer->RegisterCollectable(prometheus_registry); } } 
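Review bot: `BifConst::Telemetry::civetweb_threads` is passed straight to the Exposer's thread-count argument with no range check, so a script-side value of 0, or one large enough that worker threads pile up behind `callback_timeout`, is accepted silently; a check such as `if ( BifConst::Telemetry::civetweb_threads == 0 )` that reports the value and falls back to 1 would make the misconfiguration visible. The ordering comment before `RegisterCollectable(zeek_collectable)` is the important one in this hunk: correctness now depends on prometheus-cpp collecting in insertion order, which is an implementation detail rather than a documented guarantee, so the comment should name the prometheus-cpp version this was verified against.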
@@ -99,37 +122,32 @@ void Manager::InitPostScript() { return &this->current_process_stats; }; rss_gauge = GaugeInstance("process", "resident_memory", {}, "Resident memory size", "bytes", - []() -> prometheus::ClientMetric { - auto* s = get_stats(); - prometheus::ClientMetric metric; - metric.gauge.value = static_cast(s->rss); - return metric; - }); + []() { return static_cast(get_stats()->rss); }); vms_gauge = GaugeInstance("process", "virtual_memory", {}, "Virtual memory size", "bytes", - []() -> prometheus::ClientMetric { - auto* s = get_stats(); - prometheus::ClientMetric metric; - metric.gauge.value = static_cast(s->vms); - return metric; - }); + []() { return static_cast(get_stats()->vms); }); cpu_gauge = GaugeInstance("process", "cpu", {}, "Total user and system CPU time spent", "seconds", - []() -> prometheus::ClientMetric { - auto* s = get_stats(); - prometheus::ClientMetric metric; - metric.gauge.value = s->cpu; - return metric; - }); + []() { return get_stats()->cpu; }); fds_gauge = GaugeInstance("process", "open_fds", {}, "Number of open file descriptors", "", - []() -> prometheus::ClientMetric { - auto* s = get_stats(); - prometheus::ClientMetric metric; - metric.gauge.value = static_cast(s->fds); - return metric; - }); + []() { return static_cast(get_stats()->fds); }); #endif + + iosource_mgr->RegisterFd(collector_flare.FD(), this); +} + +void Manager::Terminate() { + // Notify the collector condition so that it doesn't hang waiting for + // a collector request to complete. + collector_cv.notify_all(); + + // Shut down the exposer first of all so we stop getting requests for + // data. This keeps us from getting a request on another thread while + // we're shutting down. + prometheus_exposer.reset(); + + iosource_mgr->UnregisterFd(collector_flare.FD(), this); } // -- collect metric stuff ----------------------------------------------------- 
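Review bot: `Manager::Terminate()` calls `collector_cv.notify_all()` without holding `collector_cv_mtx` and without changing anything the waiter's predicate examines (`collector_response_idx` and `zeek::run_state::terminating`, see `WaitForPrometheusCallbacks()` later in the diff); a scraper that evaluates the predicate just before this call and then blocks is not woken, and if `terminating` is not yet set at this point the following `prometheus_exposer.reset()`, which presumably joins the worker threads, waits out `callback_timeout`. Taking the mutex before notifying, `{ std::lock_guard<std::mutex> lk(collector_cv_mtx); } collector_cv.notify_all();`, closes the missed-wakeup window, and a dedicated shutdown flag set under that lock and checked by the predicate would remove the dependency on `terminating` being set first. The comment above `UnregisterFd` could also say why the flare is unregistered after the exposer is gone rather than before.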
@@ -453,7 +471,7 @@ CounterFamilyPtr Manager::CounterFamily(std::string_view prefix, std::string_vie CounterPtr Manager::CounterInstance(std::string_view prefix, std::string_view name, Span labels, std::string_view helptext, std::string_view unit, - prometheus::CollectCallbackPtr callback) { + detail::CollectCallbackPtr callback) { return WithLabelNames(labels, [&, this](auto labelNames) { auto family = CounterFamily(prefix, name, labelNames, helptext, unit); return family->GetOrAdd(labels, callback); @@ -462,7 +480,7 @@ CounterPtr Manager::CounterInstance(std::string_view prefix, std::string_view na CounterPtr Manager::CounterInstance(std::string_view prefix, std::string_view name, std::initializer_list labels, std::string_view helptext, - std::string_view unit, prometheus::CollectCallbackPtr callback) { + std::string_view unit, detail::CollectCallbackPtr callback) { auto lbl_span = Span{labels.begin(), labels.size()}; return CounterInstance(prefix, name, lbl_span, helptext, unit, std::move(callback)); } @@ -491,8 +509,7 @@ GaugeFamilyPtr Manager::GaugeFamily(std::string_view prefix, std::string_view na } GaugePtr Manager::GaugeInstance(std::string_view prefix, std::string_view name, Span labels, - std::string_view helptext, std::string_view unit, - prometheus::CollectCallbackPtr callback) { + std::string_view helptext, std::string_view unit, detail::CollectCallbackPtr callback) { return WithLabelNames(labels, [&, this](auto labelNames) { auto family = GaugeFamily(prefix, name, labelNames, helptext, unit); return family->GetOrAdd(labels, callback); 
@@ -500,8 +517,7 @@ GaugePtr Manager::GaugeInstance(std::string_view prefix, std::string_view name, } GaugePtr Manager::GaugeInstance(std::string_view prefix, std::string_view name, std::initializer_list labels, - std::string_view helptext, std::string_view unit, - prometheus::CollectCallbackPtr callback) { + std::string_view helptext, std::string_view unit, detail::CollectCallbackPtr callback) { auto lbl_span = Span{labels.begin(), labels.size()}; return GaugeInstance(prefix, name, lbl_span, helptext, unit, std::move(callback)); } @@ -545,6 +561,41 @@ HistogramPtr Manager::HistogramInstance(std::string_view prefix, std::string_vie return HistogramInstance(prefix, name, lbls, bounds_span, helptext, unit); } +void Manager::ProcessFd(int fd, int flags) { + std::unique_lock lk(collector_cv_mtx); + + collector_flare.Extinguish(); + + for ( const auto& [name, f] : families ) + f->RunCallbacks(); + + collector_response_idx = collector_request_idx; + + lk.unlock(); + collector_cv.notify_all(); +} + +void Manager::WaitForPrometheusCallbacks() { + std::unique_lock lk(collector_cv_mtx); + + ++collector_request_idx; + uint64_t expected_idx = collector_request_idx; + collector_flare.Fire(); + + // It should *not* take 5 seconds to go through all of the callbacks, but + // set this to have a timeout anyways just to avoid a deadlock. + bool res = collector_cv.wait_for(lk, + std::chrono::microseconds( + static_cast(BifConst::Telemetry::callback_timeout * 1000000)), + [expected_idx]() { + return telemetry_mgr->collector_response_idx >= expected_idx || + zeek::run_state::terminating; + }); + + if ( ! res ) + fprintf(stderr, "Timeout waiting for prometheus callbacks\n"); +} + } // namespace zeek::telemetry // -- unit tests --------------------------------------------------------------- diff --git a/src/telemetry/Manager.h b/src/telemetry/Manager.h index c4c2537f1a..476589642e 100644 --- a/src/telemetry/Manager.h +++ b/src/telemetry/Manager.h 
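Review bot: The wait predicate in `WaitForPrometheusCallbacks()` reads `telemetry_mgr->collector_response_idx` through the global even though this is a member function; `[this, expected_idx]() { return collector_response_idx >= expected_idx || zeek::run_state::terminating; }` says the same thing without the indirection, and unless `terminating` is atomic its read from an exposer worker thread is a data race worth a comment. The comment `It should *not* take 5 seconds` hard-codes a number that now lives in the script-configurable `BifConst::Telemetry::callback_timeout`; say `callback_timeout` instead, and note that a value of 0 or less makes every scrape time out immediately. On timeout the function only prints to stderr and returns, so `Collect()` lets the scrape proceed with whatever values the metrics last held; routing the message through the reporter and documenting that a timed-out scrape serves stale values would make this visible to operators. `ProcessFd(int fd, int flags)` ignores both arguments, which a short comment noting that the collector flare is the only registered fd would explain.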
@@ -9,8 +9,10 @@ #include #include +#include "zeek/Flare.h" #include "zeek/IntrusivePtr.h" #include "zeek/Span.h" +#include "zeek/iosource/IOSource.h" #include "zeek/telemetry/Counter.h" #include "zeek/telemetry/Gauge.h" #include "zeek/telemetry/Histogram.h" @@ -29,15 +31,20 @@ class Registry; namespace zeek::telemetry { +namespace detail { +using CollectCallbackPtr = std::function; +} + +class ZeekCollectable; + /** * Manages a collection of metric families. */ -class Manager final { +class Manager final : public iosource::IOSource { public: Manager(); Manager(const Manager&) = delete; - Manager& operator=(const Manager&) = delete; ~Manager(); @@ -50,6 +57,8 @@ public: */ void InitPostScript(); + void Terminate(); + /** * @return A VectorVal containing all counter and gauge metrics and their values matching prefix and name. * @param prefix The prefix pattern to use for filtering. Supports globbing. 
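Review bot: `void Terminate();` is added between two documented methods without a comment; based on its body later in the diff, `/** Wakes any scraper blocked in WaitForPrometheusCallbacks(), shuts down the Prometheus exposer and unregisters the collector flare from the I/O loop. Must run before the iosource manager is deleted. */` describes it. The deleted copy-assignment `Manager& operator=(const Manager&) = delete;` was removed while the deleted copy constructor stays; the implicit copy-assignment is deleted anyway because of the `std::mutex` and `std::condition_variable` members added below, but keeping both lines explicit avoids the question. `class ZeekCollectable;` is forward-declared only for the `friend` declaration and the `shared_ptr` member below, which a one-line comment could note.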
@@ -88,17 +97,17 @@ public: * @param labels Values for all label dimensions of the metric. * @param helptext Short explanation of the metric. * @param unit Unit of measurement. - * @param callback Passing a callback method will enable asynchronous mode. The callback method will be called by - * the metrics subsystem whenever data is requested. + * @param callback Passing a callback method will enable asynchronous mode. The callback method will be called + * by the metrics subsystem whenever data is requested. */ CounterPtr CounterInstance(std::string_view prefix, std::string_view name, Span labels, std::string_view helptext, std::string_view unit = "", - prometheus::CollectCallbackPtr callback = nullptr); + detail::CollectCallbackPtr callback = nullptr); /// @copydoc counterInstance CounterPtr CounterInstance(std::string_view prefix, std::string_view name, std::initializer_list labels, std::string_view helptext, std::string_view unit = "", - prometheus::CollectCallbackPtr callback = nullptr); + detail::CollectCallbackPtr callback = nullptr); /** * @return A gauge metric family. Creates the family lazily if necessary. 
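Review bot: The re-flowed `@param callback` text still says the callback "will be called by the metrics subsystem whenever data is requested", which no longer describes the mechanism: after this change the callback runs on Zeek's main thread from `Manager::ProcessFd()` when a scrape arrives, and directly from `Value()`, not on the scraping thread. Suggest `@param callback Passing a callback method will enable asynchronous mode. The callback is invoked on Zeek's main thread, via ProcessFd(), each time the Prometheus endpoint is scraped, and directly whenever Value() is called.` The same text appears for `GaugeInstance` in the next hunk and should change there too.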
@@ -124,17 +133,17 @@ public:
 * @param labels Values for all label dimensions of the metric.
 * @param helptext Short explanation of the metric.
 * @param unit Unit of measurement.
- * @param callback Passing a callback method will enable asynchronous mode. The callback method will be called by
- * the metrics subsystem whenever data is requested.
+ * @param callback Passing a callback method will enable asynchronous mode. The callback method will be called
+ * by the metrics subsystem whenever data is requested.
 */
 GaugePtr GaugeInstance(std::string_view prefix, std::string_view name, Span labels, std::string_view helptext, std::string_view unit = "",
- prometheus::CollectCallbackPtr callback = nullptr);
+ detail::CollectCallbackPtr callback = nullptr);
 /// @copydoc GaugeInstance
 GaugePtr GaugeInstance(std::string_view prefix, std::string_view name, std::initializer_list labels, std::string_view helptext, std::string_view unit = "",
- prometheus::CollectCallbackPtr callback = nullptr);
+ detail::CollectCallbackPtr callback = nullptr);
 // Forces the compiler to use the type `Span` instead of trying to
 // match parameters to a `span`.
@@ -212,6 +221,12 @@ public:
 */
 std::shared_ptr GetRegistry() const { return prometheus_registry; }
+ // IOSource interface
+ double GetNextTimeout() override { return -1.0; }
+ void Process() override {}
+ const char* Tag() override { return "Telemetry::Manager"; }
+ void ProcessFd(int fd, int flags) override;
+
 protected:
 template
 static auto WithLabelNames(Span xs, F continuation) {
@@ -231,6 +246,15 @@ protected:
 }
 }
+ friend class ZeekCollectable;
+
+ /**
+ * Fires the flare for prometheus-cpp callback handling and waits for it to complete.
+ * This can be called from other threads to ensure the callback handling happens on
+ * the main thread.
+ */
+ void WaitForPrometheusCallbacks();
+
 private:
 RecordValPtr GetMetricOptsRecord(const prometheus::MetricFamily& metric_family);
 void BuildClusterJson();
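Review bot: The `// IOSource interface` block in the `@@ -212,6 +221,12` hunk gives no reason why `GetNextTimeout()` returns `-1.0` and `Process()` is empty, which reads like an unfinished stub until one finds the `collector_flare` member further down the class. A one-line rationale avoids that, e.g. `// Purely fd-driven: no timeout is ever requested and all work happens in ProcessFd() when the collector flare fires.` above `GetNextTimeout()`, plus a comment on `ProcessFd` naming the fd it expects (presumably the flare's, confirm against Manager.cc) and that it runs the pending prometheus-cpp callbacks on the main thread.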
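Review bot: The docstring on `WaitForPrometheusCallbacks()` in the `@@ -231,6 +246,15` hunk says it "waits for it to complete" without a bound, yet the same commit adds `Telemetry::callback_timeout` in consts.bif, so the wait is presumably timed (confirm in Manager.cc). The callers are the exposer's HTTP worker threads, so the wait is triggered by whoever scrapes the metrics endpoint; if the main thread is stalled or already past Terminate(), an unbounded wait would pin those workers until the pool sized by `Telemetry::civetweb_threads` is exhausted. State the bound and the outcome in the comment, e.g. `Waits at most Telemetry::callback_timeout; on timeout the collect proceeds with the values the metrics currently hold.`, adjusted to the real behaviour, and say whether the call is safe once Terminate() has run.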
@@ -250,6 +274,14 @@ private:
 std::unique_ptr prometheus_exposer;
 std::string cluster_json;
+
+ std::shared_ptr zeek_collectable;
+ zeek::detail::Flare collector_flare;
+ std::condition_variable collector_cv;
+ std::mutex collector_cv_mtx;
+ // Only modified under collector_cv_mtx!
+ uint64_t collector_request_idx = 0;
+ uint64_t collector_response_idx = 0;
 };
 } // namespace zeek::telemetry
diff --git a/src/telemetry/MetricFamily.h b/src/telemetry/MetricFamily.h
index 942932566e..e10ac608e0 100644
--- a/src/telemetry/MetricFamily.h
+++ b/src/telemetry/MetricFamily.h
@@ -22,6 +22,8 @@ public:
 std::vector LabelNames() const { return label_names; }
+ virtual void RunCallbacks() = 0;
+
 protected:
 MetricFamily(Span labels) {
 for ( const auto& lbl : labels )
diff --git a/src/telemetry/Utils.h b/src/telemetry/Utils.h
index 8eb0f98d99..77489fc260 100644
--- a/src/telemetry/Utils.h
+++ b/src/telemetry/Utils.h
@@ -5,7 +5,6 @@
 #include
 #include "zeek/Span.h"
-#include "zeek/Val.h"
 namespace zeek::telemetry {
diff --git a/src/telemetry/consts.bif b/src/telemetry/consts.bif
new file mode 100644
index 0000000000..76c256dfa1
--- /dev/null
+++ b/src/telemetry/consts.bif
@@ -0,0 +1,2 @@
+const Telemetry::callback_timeout: interval;
+const Telemetry::civetweb_threads: count;
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index b05af74f20..3f5549b78a 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -376,6 +376,7 @@ static void terminate_zeek() {
 input_mgr->Terminate();
 thread_mgr->Terminate();
 broker_mgr->Terminate();
+ telemetry_mgr->Terminate();
 event_mgr.Drain();
@@ -716,6 +717,7 @@ SetupResult setup(int argc, char** argv, Options* zopts) {
 // when that variable is defined.
 auto early_shutdown = [] {
 broker_mgr->Terminate();
+ telemetry_mgr->Terminate();
 delete iosource_mgr;
 delete telemetry_mgr;
 };
diff --git a/src/zeek.bif b/src/zeek.bif
index eccc7f0292..a63252b4ff 100644
--- a/src/zeek.bif
+++ b/src/zeek.bif
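Review bot: The new private members in the `@@ -250,6 +274,14` hunk document the locking rule for the two index counters but not the ownership of `zeek_collectable`: it is a `std::shared_ptr`, `friend class ZeekCollectable` suggests it reaches back into the Manager, and the registry it is presumably registered with is handed out by `GetRegistry()` as a `shared_ptr` that the exposer's worker threads may hold, so a collectable outliving the Manager would call into a destroyed object from another thread. Add the invariant next to the member, e.g. `// Registered with prometheus_registry; must be detached or disabled in Terminate() before this object is destroyed, because exposer threads can call Collect() concurrently.`, adjusted to what Manager.cc actually does. Also widen `// Only modified under collector_cv_mtx!` to cover reads, since a waiter comparing `collector_request_idx` and `collector_response_idx` outside the mutex would race with the writer.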
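Review bot: `virtual void RunCallbacks() = 0;` in the MetricFamily.h hunk is added without a doc comment, and as a new pure virtual on a base class it breaks any existing subclass, in-tree or in a plugin, that does not implement it, so the contract should be stated where implementers will look. Suggest `/** Invokes the collect callbacks registered on every instance of this family. Expected to run on the main thread; see Manager::WaitForPrometheusCallbacks(). */`, with the threading sentence confirmed against Manager.cc since it is inferred from the header changes here.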
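Review bot: The two constants in the new consts.bif carry no `##` documentation, unlike the `## Returns true if ...` style used in zeek.bif in this same commit, and their defaults and validation are not visible here. If `civetweb_threads` is not range-checked where it is consumed, a zero or very large value set from script would go straight into the exposer's thread-pool configuration, so the accepted range belongs in the doc comment, e.g. `## Maximum time an HTTP scrape waits for the main thread to run collect callbacks.` and `## Number of civetweb worker threads serving the metrics endpoint; document the accepted range.` adjusted to what the implementation enforces.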
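Review bot: In the `early_shutdown` hunk of zeek-setup.cc, `telemetry_mgr->Terminate()` now precedes `delete iosource_mgr`, but the Manager is also an `iosource::IOSource` after this commit; if its registration asks the IOSource manager to manage the source's lifetime, `delete iosource_mgr` followed by `delete telemetry_mgr` is a double free, and if not, the source stays registered while the IOSource manager is torn down unless Terminate() unregisters it. A comment stating which holds, e.g. `// telemetry_mgr registers itself as a non-owned IOSource; Terminate() detaches it before iosource_mgr goes away.`, adjusted to what InitPostScript()/Terminate() actually do, would make the ordering deliberate. The same question applies to the `terminate_zeek()` hunk above; both enclosing functions extend outside the hunks.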
@@ -5304,7 +5304,7 @@ function has_module_events%(group: string%) : bool
 %}
 ## Returns true if Zeek was built with support for using Spicy analyzers (which
-# is the default).
+## is the default).
 function have_spicy%(%) : bool
 %{
 #ifdef HAVE_SPICY
diff --git a/testing/btest/Baseline.zam/bifs.from_json-2/.stderr b/testing/btest/Baseline.zam/bifs.from_json-2/.stderr
index 372f599e7f..1a3fceee72 100644
--- a/testing/btest/Baseline.zam/bifs.from_json-2/.stderr
+++ b/testing/btest/Baseline.zam/bifs.from_json-2/.stderr
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/from_json.zeek, line 4: from_json() requires a type argument (from_json([], 10, from_json_default_key_mapper))
+error in <...>/from_json.zeek, line 4: from_json() requires a type argument (from_json([], ::#0, from_json_default_key_mapper))
diff --git a/testing/btest/Baseline.zam/core.max-analyzer-violations/weird.log b/testing/btest/Baseline.zam/core.max-analyzer-violations/weird.log
index 99b5e14621..8d0cb822e6 100644
--- a/testing/btest/Baseline.zam/core.max-analyzer-violations/weird.log
+++ b/testing/btest/Baseline.zam/core.max-analyzer-violations/weird.log
@@ -7,7 +7,7 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
 #types time string addr port addr port string string bool string string
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 pop3_server_command_unknown - F zeek POP3
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 pop3_server_command_unknown + F zeek POP3
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 line_terminated_with_single_CR - F zeek CONTENTLINE
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 too_many_analyzer_violations - F zeek POP3
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline.zam/core.option-runtime-errors-2/.stderr b/testing/btest/Baseline.zam/core.option-runtime-errors-2/.stderr
index 719b74fadc..15561eb6c9 100644
--- a/testing/btest/Baseline.zam/core.option-runtime-errors-2/.stderr
+++ b/testing/btest/Baseline.zam/core.option-runtime-errors-2/.stderr
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/option-runtime-errors.zeek, line 3: Incompatible type for set of ID 'A': got 'string', need 'count' (Option::set(A, hi, ))
+error in <...>/option-runtime-errors.zeek, line 3: Incompatible type for set of ID 'A': got 'string', need 'count' (Option::set(A, ::#0, ))
diff --git a/testing/btest/Baseline.zam/core.option-runtime-errors-3/.stderr b/testing/btest/Baseline.zam/core.option-runtime-errors-3/.stderr
index f121199a5d..682f1fbe27 100644
--- a/testing/btest/Baseline.zam/core.option-runtime-errors-3/.stderr
+++ b/testing/btest/Baseline.zam/core.option-runtime-errors-3/.stderr
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/option-runtime-errors.zeek, line 3: ID 'A' is not an option (Option::set(A, 6, ))
+error in <...>/option-runtime-errors.zeek, line 3: ID 'A' is not an option (Option::set(A, ::#0, ))
diff --git a/testing/btest/Baseline.zam/core.option-runtime-errors/.stderr b/testing/btest/Baseline.zam/core.option-runtime-errors/.stderr
index 7537f10f90..5e6d272614 100644
--- a/testing/btest/Baseline.zam/core.option-runtime-errors/.stderr
+++ b/testing/btest/Baseline.zam/core.option-runtime-errors/.stderr
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/option-runtime-errors.zeek, line 9: Could not find ID named 'B' (Option::set(B, 6, ))
+error in <...>/option-runtime-errors.zeek, line 9: Could not find ID named 'B' (Option::set(B, ::#0, ))
diff --git a/testing/btest/Baseline.zam/spicy.replaces/conn.log b/testing/btest/Baseline.zam/spicy.replaces/conn.log
index 9a44cfd8c3..0202574b88 100644
--- a/testing/btest/Baseline.zam/spicy.replaces/conn.log
+++ b/testing/btest/Baseline.zam/spicy.replaces/conn.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.16.238.1 49656 172.16.238.131 80 tcp spicy_ssh 9.953807 2405 2887 SF T T 0 ShAdDaFf 40 4497 30 4455 -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.16.238.1 49656 172.16.238.131 80 tcp ssh 9.953807 2405 2887 SF T T 0 ShAdDaFf 40 4497 30 4455 -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr
index 69f805dbf7..9fc3532832 100644
--- a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr
+++ b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr
@@ -22,5 +22,6 @@ warning in , line 1: event handler never invoked: SupervisorControl::res
 warning in , line 1: event handler never invoked: SupervisorControl::status_request
 warning in , line 1: event handler never invoked: SupervisorControl::stop_request
 warning in , line 1: event handler never invoked: spicy_analyzer_for_mime_type
+warning in , line 1: event handler never invoked: spicy_analyzer_for_port
 warning in , line 1: event handler never invoked: terminate_event
 warning in , line 1: event handler never invoked: this_is_never_used
diff --git a/testing/btest/Baseline/core.max-analyzer-violations/weird.log b/testing/btest/Baseline/core.max-analyzer-violations/weird.log
index 99b5e14621..8d0cb822e6 100644
--- a/testing/btest/Baseline/core.max-analyzer-violations/weird.log
+++ b/testing/btest/Baseline/core.max-analyzer-violations/weird.log
@@ -7,7 +7,7 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
 #types time string addr port addr port string string bool string string
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 pop3_server_command_unknown - F zeek POP3
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 pop3_server_command_unknown + F zeek POP3
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 line_terminated_with_single_CR - F zeek CONTENTLINE
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58246 127.0.0.1 110 too_many_analyzer_violations - F zeek POP3
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index aee483157a..4601778fcb 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -146,6 +146,7 @@ scripts/base/init-frameworks-and-bifs.zeek
 scripts/base/frameworks/files/magic/__load__.zeek
 scripts/base/frameworks/telemetry/options.zeek
 build/scripts/base/bif/__load__.zeek
+ build/scripts/base/bif/consts.bif.zeek
 build/scripts/base/bif/telemetry.bif.zeek
 build/scripts/base/bif/zeekygen.bif.zeek
 build/scripts/base/bif/pcap.bif.zeek
@@ -191,6 +192,7 @@ scripts/base/init-frameworks-and-bifs.zeek
 build/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek
 build/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek
+ build/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek
 build/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 40a1c5b84c..a499ccfd25 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -146,6 +146,7 @@ scripts/base/init-frameworks-and-bifs.zeek
 scripts/base/frameworks/files/magic/__load__.zeek
 scripts/base/frameworks/telemetry/options.zeek
 build/scripts/base/bif/__load__.zeek
+ build/scripts/base/bif/consts.bif.zeek
 build/scripts/base/bif/telemetry.bif.zeek
 build/scripts/base/bif/zeekygen.bif.zeek
 build/scripts/base/bif/pcap.bif.zeek
@@ -191,6 +192,7 @@ scripts/base/init-frameworks-and-bifs.zeek
 build/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek
 build/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek
+ build/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek
 build/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek
diff --git a/testing/btest/Baseline/opt.regress-any-leak/output b/testing/btest/Baseline/opt.regress-any-leak/output
new file mode 100644
index 0000000000..d5c6e60615
--- /dev/null
+++ b/testing/btest/Baseline/opt.regress-any-leak/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[[a=abc-1]]
+[1]
diff --git a/testing/btest/Baseline/opt.regress-any/output b/testing/btest/Baseline/opt.regress-any/output
new file mode 100644
index 0000000000..9627885028
--- /dev/null
+++ b/testing/btest/Baseline/opt.regress-any/output
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[a=123, b=[abc]]
+[a=123, b=1]
diff --git a/testing/btest/Baseline/opt.regress-vector-mismatch/output b/testing/btest/Baseline/opt.regress-vector-mismatch/output
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/opt.regress-vector-mismatch/output
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index c3b551dc84..bbdfa3720d 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -385,6 +385,7 @@
 0.000000 MetaHookPost LoadFile(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> -1
@@ -464,6 +465,7 @@
 0.000000 MetaHookPost LoadFile(0, ./comm.bif.zeek, <...>/comm.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./communityid.bif.zeek, <...>/communityid.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./const.bif.zeek, <...>/const.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, ./consts.bif.zeek, <...>/consts.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./contents, <...>/contents.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./control, <...>/control.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./data.bif.zeek, <...>/data.bif.zeek) -> -1
@@ -679,6 +681,7 @@
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, )
+0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, )
@@ -758,6 +761,7 @@
 0.000000 MetaHookPost LoadFileExtended(0, ./comm.bif.zeek, <...>/comm.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./communityid.bif.zeek, <...>/communityid.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./const.bif.zeek, <...>/const.bif.zeek) -> (-1, )
+0.000000 MetaHookPost LoadFileExtended(0, ./consts.bif.zeek, <...>/consts.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./contents, <...>/contents.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./control, <...>/control.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./data.bif.zeek, <...>/data.bif.zeek) -> (-1, )
@@ -1305,6 +1309,7 @@
 0.000000 MetaHookPre LoadFile(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
+0.000000 MetaHookPre LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
@@ -1384,6 +1389,7 @@
 0.000000 MetaHookPre LoadFile(0, ./comm.bif.zeek, <...>/comm.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./communityid.bif.zeek, <...>/communityid.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./const.bif.zeek, <...>/const.bif.zeek)
+0.000000 MetaHookPre LoadFile(0, ./consts.bif.zeek, <...>/consts.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./contents, <...>/contents.zeek)
 0.000000 MetaHookPre LoadFile(0, ./control, <...>/control.zeek)
 0.000000 MetaHookPre LoadFile(0, ./data.bif.zeek, <...>/data.bif.zeek)
@@ -1599,6 +1605,7 @@
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
+0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
@@ -1678,6 +1685,7 @@
 0.000000 MetaHookPre LoadFileExtended(0, ./comm.bif.zeek, <...>/comm.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./communityid.bif.zeek, <...>/communityid.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./const.bif.zeek, <...>/const.bif.zeek)
+0.000000 MetaHookPre LoadFileExtended(0, ./consts.bif.zeek, <...>/consts.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./contents, <...>/contents.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./control, <...>/control.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./data.bif.zeek, <...>/data.bif.zeek)
@@ -2224,6 +2232,7 @@
 0.000000 | HookLoadFile ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
 0.000000 | HookLoadFile ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
 0.000000 | HookLoadFile ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
+0.000000 | HookLoadFile ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
 0.000000 | HookLoadFile ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
 0.000000 | HookLoadFile ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
 0.000000 | HookLoadFile ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
@@ -2305,6 +2314,7 @@
 0.000000 | HookLoadFile ./comm.bif.zeek <...>/comm.bif.zeek
 0.000000 | HookLoadFile ./communityid.bif.zeek <...>/communityid.bif.zeek
 0.000000 | HookLoadFile ./const.bif.zeek <...>/const.bif.zeek
+0.000000 | HookLoadFile ./consts.bif.zeek <...>/consts.bif.zeek
 0.000000 | HookLoadFile ./contents <...>/contents.zeek
 0.000000 | HookLoadFile ./control <...>/control.zeek
 0.000000 | HookLoadFile ./data.bif.zeek <...>/data.bif.zeek
@@ -2518,6 +2528,7 @@
 0.000000 | HookLoadFileExtended ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
@@ -2599,6 +2610,7 @@
 0.000000 | HookLoadFileExtended ./comm.bif.zeek <...>/comm.bif.zeek
 0.000000 | HookLoadFileExtended ./communityid.bif.zeek <...>/communityid.bif.zeek
 0.000000 | HookLoadFileExtended ./const.bif.zeek <...>/const.bif.zeek
+0.000000 | HookLoadFileExtended ./consts.bif.zeek <...>/consts.bif.zeek
 0.000000 | HookLoadFileExtended ./contents <...>/contents.zeek
 0.000000 | HookLoadFileExtended ./control <...>/control.zeek
 0.000000 | HookLoadFileExtended ./data.bif.zeek <...>/data.bif.zeek
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-leftover/zeek..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-leftover/zeek..stdout
new file mode 100644
index 0000000000..9097f9f60b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-leftover/zeek..stdout
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Input::EVENT_NEW, aaa
+Input::EVENT_NEW, bbb
+Input::EVENT_NEW, final
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-no-last-separator/zeek..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-no-last-separator/zeek..stdout
new file mode 100644
index 0000000000..9097f9f60b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-no-last-separator/zeek..stdout
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Input::EVENT_NEW, aaa
+Input::EVENT_NEW, bbb
+Input::EVENT_NEW, final
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-slow-long/zeek..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-slow-long/zeek..stdout
new file mode 100644
index 0000000000..94bf7b6faf
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-slow-long/zeek..stdout
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Input::EVENT_NEW, 24612, binary start\x00\x00\x00\x00, \x00\x00\x00\x00\x00binary done
+Input::EVENT_NEW, 3, ccc, ccc
+Input::EVENT_NEW, 5, final, final
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-slow/zeek..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-slow/zeek..stdout
new file mode 100644
index 0000000000..c561637236
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream-slow/zeek..stdout
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Input::EVENT_NEW, aaa-bbb-ccc
+Input::EVENT_NEW, aaa-bbb-ccc
+Input::EVENT_NEW, final
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log
new file mode 100644
index 0000000000..e386f15fb5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.24.133.205 43090 172.24.133.205 8000 1 GET 172.24.133.205:8000 / - 1.0 python-requests/2.31.0 - 0 643 200 OK - - (empty) test 1:34 - - - - FM4Ls72L4REzbA61lg - text/html
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.add/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.add/conn.log
new file mode 100644
index 0000000000..09b5614986
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.add/conn.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46160 127.0.1.1 389 tcp ldap_tcp 3.537413 536 42 SF 0 ShADadFf 11 1116 6 362 -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.add/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.add/ldap.log
new file mode 100644
index 0000000000..b6de5febd9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.add/ldap.log
@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ldap
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
+#types time string addr port addr port int int string string string string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46160 127.0.1.1 389 1 3 bind simple success - cn=admin,dc=example,dc=com REDACTED
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46160 127.0.1.1 389 2 - add success - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46160 127.0.1.1 389 3 - add success - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46160 127.0.1.1 389 4 - unbind - - - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.invalid_credentials/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.invalid_credentials/ldap.log
new file mode 100644
index 0000000000..4ca02e8489
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.invalid_credentials/ldap.log
@@ -0,0 +1,35 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ldap
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
+#types time string addr port addr port int int string string string string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 65 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 66 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 83 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 84 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 101 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 102 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 119 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 120 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 137 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 138 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 155 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 156 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 173 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 174 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 191 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 192 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 209 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 210 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 227 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 228 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 245 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 246 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 263 3 bind SASL SASL bind in progress - - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 264 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 349 - unbind - - - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log
new file mode 100644
index 0000000000..27c56bc33b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 tcp ldap_tcp 2.290081 289 1509 SF 0 ShADadFf 12 921 15 2297 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap.log new file mode 100644 index 0000000000..cd94c49d5b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap.log @@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 1 3 bind SASL SASL bind in progress SASL(0): successful result: - NTLM +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 2 3 bind SASL success - - NTLM +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 4 - unbind - - - - +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap_search.log new file mode 100644 index 0000000000..3ff2f3b1a6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap_search.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap_search +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes +#types time string addr port addr port int string string string count string string string vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 3 tree never dc=example,dc=com 9 success - (objectclass=*) - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log new file mode 100644 index 0000000000..5fcce64ab8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 tcp ldap_tcp 2.231680 353 1772 SF 0 ShADadFf 11 933 15 2560 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap.log new file mode 100644 index 0000000000..7c3478b262 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap.log @@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 1 3 bind SASL SASL bind in progress SASL(0): successful result: user: sasladmin@slapd.ldap property: slapAuthzDN not found in sasldb - SCRAM-SHA-512 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 2 3 bind SASL success - - SCRAM-SHA-512 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 4 - unbind - - - - +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap_search.log new file mode 100644 index 0000000000..edcf38ced5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap_search.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap_search +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes +#types time string addr port addr port int string string string count string string string vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 3 tree never dc=example,dc=com 9 success - (objectclass=*) - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/conn.log new file mode 100644 index 0000000000..8b4c3fa573 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/conn.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.138 63815 192.168.10.186 389 tcp ldap_tcp 0.033404 3046 90400 RSTR 0 ShADdar 14 1733 68 93132 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/ldap.log new file mode 100644 index 0000000000..cce0806fc6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/ldap.log @@ -0,0 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.138 63815 192.168.10.186 389 3 3 bind SASL success - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.138 63815 192.168.10.186 389 9 - unbind - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/ldap_search.log new file mode 100644 index 0000000000..0caeba4973 
--- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear-2/ldap_search.log @@ -0,0 +1,14 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap_search +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes +#types time string addr port addr port int string string string count string string string vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.138 63815 192.168.10.186 389 1 base never - 1 success - (objectclass=*) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.138 63815 192.168.10.186 389 4 base never - 1 success - (objectClass=*) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.138 63815 192.168.10.186 389 6 single never CN=Schema,CN=Configuration,DC=matrix,DC=local 424 success - (&(!(isdefunct=TRUE))(|(|(|(|(|(attributeSyntax=2.5.5.17)(attributeSyntax=2.5.5.10))(attributeSyntax=2.5.5.15))(attributeSyntax=2.5.5.1))(attributeSyntax=2.5.5.7))(attributeSyntax=2.5.5.14))) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.138 63815 192.168.10.186 389 8 tree never DC=matrix,DC=local 1 success - (samaccountname=krbtgt) - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/conn.log new file mode 100644 index 0000000000..d4b1e6e630 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/conn.log 
@@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 tcp ldap_tcp 63.273503 3963 400107 OTH 0 Dd 12 2595 282 411387 - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.199.2.121 59355 10.199.2.111 389 tcp ldap_tcp 0.007979 2630 3327 OTH 0 Dd 6 990 6 3567 - +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.199.2.121 59356 10.199.2.111 389 tcp ldap_tcp 0.001925 2183 3436 OTH 0 Dd 4 463 5 3636 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/ldap.log new file mode 100644 index 0000000000..6e6fe79fd9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/ldap.log 
@@ -0,0 +1,15 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 3 3 bind SASL success - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.199.2.121 59355 10.199.2.111 389 3 3 bind SASL success - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.199.2.121 59356 10.199.2.111 389 9 3 bind SASL success - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.199.2.121 59356 10.199.2.111 389 12 - unbind - - - - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.199.2.121 59355 10.199.2.111 389 13 - unbind - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/ldap_search.log new file mode 100644 index 0000000000..3ef959bcf1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-signed-clear/ldap_search.log 
@@ -0,0 +1,27 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap_search +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes +#types time string addr port addr port int string string string count string string string vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 1 base never - 1 success - (objectclass=*) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 4 base never - 1 success - (objectClass=*) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 5 base never CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=DMC,DC=local 1 success - (objectClass=*) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 6 base never - 1 success - (objectClass=*) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 7 tree never CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=DMC,DC=local 2 success - (objectCategory=pKIEnrollmentService) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 8 base never - 1 success - (objectClass=*) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 9 base never CN=Schema,CN=Configuration,DC=DMC,DC=local 1 success - (objectClass=dMD) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 10 base never CN=Schema,CN=Configuration,DC=DMC,DC=local 1 success - (objectClass=dMD) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 11 base never CN=Aggregate,CN=Schema,CN=Configuration,DC=DMC,DC=local 1 success - (objectClass=*) - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.199.2.121 59355 10.199.2.111 389 1 base 
never - 1 success - (objectclass=*) - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.199.2.121 59355 10.199.2.111 389 4 base never CN=WS01,CN=Computers,DC=DMC,DC=local 1 success - (objectclass=*) - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.199.2.121 59355 10.199.2.111 389 5 base never CN=WS01,CN=Computers,DC=DMC,DC=local 1 success - (objectclass=*) - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.199.2.121 59355 10.199.2.111 389 6 base never CN=WS01,CN=Computers,DC=DMC,DC=local 1 success - (objectclass=*) - +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.199.2.121 59356 10.199.2.111 389 10 base never - 1 success - (ObjectClass=*) - +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.199.2.121 59356 10.199.2.111 389 11 base never CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=services,CN=Configuration,DC=DMC,DC=local 0 no such object 0000208D: NameErr: DSID-0310028B, problem 2001 (NO_OBJECT), data 0, best match of:??'CN=Services,CN=Configuration,DC=DMC,DC=local'?? (ObjectClass=*) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 12 base never CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DMC,DC=local 1 success - (objectClass=*) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.199.2.121 59327 10.199.2.111 389 13 tree never CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=DMC,DC=local 38 success - (objectclass=pKICertificateTemplate) - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-srp-who-am-i/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-srp-who-am-i/conn.log new file mode 100644 index 0000000000..2638ca3cba --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-srp-who-am-i/conn.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60648 127.0.1.1 389 tcp ldap_tcp 2.114467 548 1020 SF 0 ShADadFf 9 1024 6 1340 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-srp-who-am-i/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-srp-who-am-i/ldap.log new file mode 100644 index 0000000000..facaf46bc7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-srp-who-am-i/ldap.log @@ -0,0 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60648 127.0.1.1 389 1 3 bind SASL SASL bind in progress SASL(0): successful result: user: zeek@ubuntu-01.example.com property: slapAuthzDN not found in sasldb - SRP +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60648 127.0.1.1 389 2 3 bind SASL success - - SRP +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.spnego-ntlmssp/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.spnego-ntlmssp/conn.log new file mode 100644 index 0000000000..84a495d3fb --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.spnego-ntlmssp/conn.log @@ -0,0 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.105 50041 192.168.1.108 389 tcp ldap_tcp 0.004745 93 283 RSTR 0 ShADdFar 5 305 4 455 - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.107 50041 192.168.1.108 389 tcp ldap_tcp 0.005883 93 283 RSTR 0 ShADdFar 5 305 4 455 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.spnego-ntlmssp/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.spnego-ntlmssp/ldap.log new file mode 100644 index 0000000000..07355e0e78 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.spnego-ntlmssp/ldap.log 
@@ -0,0 +1,14 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.105 50041 192.168.1.108 389 160 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.105 50041 192.168.1.108 389 161 - unbind - - - - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.107 50041 192.168.1.108 389 427 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.107 50041 192.168.1.108 389 428 - unbind - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/conn.log new file mode 100644 index 0000000000..db789c02c1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/conn.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 45936 127.0.1.1 389 tcp ldap_tcp,ssl 0.016922 683 3002 RSTO 0 ShADadFR 14 1407 14 3738 - +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/ldap.log new file mode 100644 index 0000000000..95a084dab8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/ldap.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 45936 127.0.1.1 389 1 - extended success - 1.3.6.1.4.1.1466.20037 (StartTLS) - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/out b/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/out new file mode 100644 index 0000000000..08e6ccc9f2 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/out @@ -0,0 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, extended_request, 1.3.6.1.4.1.1466.20037 (StartTLS), +CHhAvVGS1DHFjwGM9, extended_response, LDAP::ResultCode_SUCCESS, , +CHhAvVGS1DHFjwGM9, LDAP::starttls diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/ssl.log new file mode 100644 index 0000000000..19fdd43528 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.starttls/ssl.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert +#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 45936 127.0.1.1 389 TLSv13 TLS_AES_256_GCM_SHA384 secp256r1 ubuntu-01.example.com F - - T CsiI - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/conn.log new file mode 100644 index 0000000000..9914fbe2dc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/conn.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 48122 127.0.1.1 389 tcp ldap_tcp 0.001192 83 59 SF 0 ShADadFf 8 507 5 327 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/ldap.log new file mode 100644 index 0000000000..80da834eba --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/ldap.log @@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 48122 127.0.1.1 389 1 3 bind simple success - cn=admin,dc=example,dc=com REDACTED +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 48122 127.0.1.1 389 2 - extended success - 1.3.6.1.4.1.4203.1.11.3 (whoami) - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 48122 127.0.1.1 389 3 - unbind - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/out b/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/out new file mode 100644 index 0000000000..c4dbc10489 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.who-am-i/out @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, extended_request, 1.3.6.1.4.1.4203.1.11.3 (whoami), +CHhAvVGS1DHFjwGM9, extended_response, LDAP::ResultCode_SUCCESS, , dn:cn=admin,dc=example,dc=com diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/modbus.log b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/modbus.log index 9298bf4eeb..07518ad4fc 100644 --- a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/modbus.log +++ b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/modbus.log 
@@ -11,15 +11,15 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 u XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-29 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-160 RESP - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-33 REQ - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 0 WRITE_SINGLE_REGISTER REQ - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-162 RESP - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 21504 1 unknown-35 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-36 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-37 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 0 unknown-38 REQ - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-175 RESP - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-179 RESP - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 12032 0 unknown-0 REQ - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 0 unknown-0 REQ - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-165 RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-54 REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 37 1 unknown-71 REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-63 REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-65 REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.235 2582 166.161.16.230 502 0 1 unknown-71 REQ - #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/analyzer.log new file mode 100644 index 0000000000..ab8cb41827 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/analyzer.log 
@@ -0,0 +1,20 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path analyzer +#open XXXX-XX-XX-XX-XX-XX +#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data +#types time string string string string string addr port addr port string string +XXXXXXXXXX.XXXXXX violation protocol MODBUS ClEkJM2Vm5giqnMf4h - 87.236.176.106 38129 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS ClEkJM2Vm5giqnMf4h - 87.236.176.106 38129 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS C4J4Th3PJpwUYZZ6gc - 87.236.176.96 60175 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS C4J4Th3PJpwUYZZ6gc - 87.236.176.96 60175 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS CtPZjS20MLrsMUOJi2 - 66.175.213.4 58380 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS CtPZjS20MLrsMUOJi2 - 66.175.213.4 58380 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS CP5puj4I8PtEU4qzYg - 159.203.208.13 33752 192.168.10.113 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS CP5puj4I8PtEU4qzYg - 159.203.208.13 33752 192.168.10.113 502 Binpac exception: binpac exception: &enforce violation : 
ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS C37jN32gN3y3AZzyf6 - 62.122.184.123 7488 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +XXXXXXXXXX.XXXXXX violation protocol MODBUS C37jN32gN3y3AZzyf6 - 62.122.184.123 7488 192.168.10.111 502 Binpac exception: binpac exception: &enforce violation : ModbusTCP_TransportHeader:pid - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/conn.log b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/conn.log new file mode 100644 index 0000000000..945c873d56 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/conn.log 
@@ -0,0 +1,18 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 tcp modbus 177.095534 72 69 SF T T 0 ShADdFaf 16 720 9 437 - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 87.236.176.106 38129 192.168.10.111 502 tcp dce_rpc 5.102604 72 9 SF F T 0 ShADadFf 6 392 4 225 - +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 87.236.176.96 60175 192.168.10.111 502 tcp - 5.052092 44 9 SF F T 0 ShADadFf 6 364 4 225 - +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 66.175.213.4 58380 192.168.10.111 502 tcp ssl 59.999857 138 9 SF F T 0 ShADadFf 9 610 7 377 - +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 198.74.56.135 60293 192.168.10.111 502 tcp - 0.117322 0 0 RSTO F T 0 ShR 2 80 1 44 - +XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 198.74.56.135 60293 192.168.10.111 502 tcp - 0.000054 109 0 RSTRH F T 0 Dr 1 149 1 40 - +XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 159.203.208.13 33752 192.168.10.113 502 tcp - 0.470159 24 9 SF F T 0 ShADadFf 6 344 4 225 - +XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 62.122.184.123 7488 192.168.10.111 502 tcp - 30.159557 43 9 SF F T 0 ShADadFf 6 295 4 181 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/modbus.log b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/modbus.log new file mode 100644 index 0000000000..0bf4ca545b --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.modbus_and_non_modbus_on_port_502/modbus.log @@ -0,0 +1,22 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path modbus +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tid unit func pdu_type exception +#types time string addr port addr port count count string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_COILS RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_HOLDING_REGISTERS REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 READ_HOLDING_REGISTERS RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_COIL RESP - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_REGISTER REQ - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.9 3082 10.0.0.3 502 1 10 WRITE_SINGLE_REGISTER RESP - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/analyzer.log new file mode 100644 index 0000000000..23f62ab8e7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/analyzer.log 
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path analyzer
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
+#types time string string string string string addr port addr port string string
+XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 58854 127.0.0.1 110 unknown server command (GARBAGE) GARBAGE (and LIST response missing .)
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/conn.log b/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/conn.log
new file mode 100644
index 0000000000..1ead1294bf
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/conn.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58854 127.0.0.1 110 tcp - 0.151387 20 253 RSTO T T 0 ShAdDaFR 20 1056 16 1093 -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.negative-time/weird.log b/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/weird.log
similarity index 78%
rename from testing/btest/Baseline/core.negative-time/weird.log
rename to testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/weird.log
index 49c7011a3b..b661991b9e 100644
--- a/testing/btest/Baseline/core.negative-time/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.bad-list-retr-crafted/weird.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
 #types time string addr port addr port string string bool string string
-XXXXXXXXXX.XXXXXX - - - - - negative_packet_timestamp - F zeek -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 58854 127.0.0.1 110 pop3_server_command_unknown GARBAGE F zeek POP3
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.pop3.basic/conn.log
new file mode 100644
index 0000000000..d123788c75
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.basic/conn.log
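Review bot: The rename in this hunk pairs core.negative-time/weird.log with the new pop3.bad-list-retr-crafted baseline only because the log headers are 78% similar; the net effect is that the core.negative-time test loses its weird.log baseline (the negative_packet_timestamp entry) while a semantically unrelated POP3 baseline is added. If the core.negative-time test still runs btest-diff on weird.log, that test would presumably start failing or regenerate an untracked baseline, so it is worth confirming that its weird.log check was intentionally dropped. Committing the removal and the new file as a delete plus an add (or noting the removal in the commit message) would make that intent visible instead of hiding it behind a rename.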
@@ -0,0 +1,21 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.4 26242 212.227.15.188 110 tcp - 0.050692 0 0 REJ T F 0 Sr 1 52 1 40 -
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.4 26242 212.227.15.188 110 tcp - 0.060847 0 0 REJ T F 0 Sr 1 52 1 40 -
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.0.4 26245 212.227.15.171 110 tcp - 0.050705 0 0 REJ T F 0 Sr 1 52 1 40 -
+XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 192.168.0.4 26245 212.227.15.171 110 tcp - 0.050062 0 0 REJ T F 0 Sr 1 52 1 40 -
+XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.0.4 26242 212.227.15.188 110 tcp - 0.050967 0 0 REJ T F 0 Sr 1 48 1 40 -
+XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 192.168.0.4 26245 212.227.15.171 110 tcp - 0.047718 0 0 REJ T F 0 Sr 1 48 1 40 -
+XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 192.168.0.4 26272 212.227.15.166 110 tcp pop3 0.163506 12 175 SF T F 0 ShAdDafF 6 264 6 427 -
+XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.0.4 26284 212.227.15.166 110 tcp pop3 3.469839 86 205 SF T F 0 ShAdDafF 9 470 9 577 -
+XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 192.168.0.4 26304 212.227.15.166 110 tcp pop3 0.206558 12 175 SF T F 0 ShAdDafF 6 264 6 427 -
+XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 192.168.0.4 26308 212.227.15.166 110 tcp pop3 0.537230 96 297 SF T F 0 ShAdDafF 9 468 10 709 -
+XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 192.168.0.4 26383 212.227.15.166 110 tcp pop3 1.213485 138 19651 SF T F 0 ShAdDafF 22 1030 30 20863 -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.basic/out b/testing/btest/Baseline/scripts.base.protocols.pop3.basic/out
new file mode 100644
index 0000000000..199ebac41b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.pop3.basic/out
@@ -0,0 +1,48 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, POP server ready H mimap4 0MHoUr-1VDxRD3Ui5-003eq2 +CP5puj4I8PtEU4qzYg, pop3_request, T, CAPA, +CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, Capability list follows +CP5puj4I8PtEU4qzYg, pop3_request, T, QUIT, +CP5puj4I8PtEU4qzYg, pop3_reply, F, OK, POP server signing off +C37jN32gN3y3AZzyf6, pop3_reply, F, OK, POP server ready H mimap8 0MHXFQ-1VDgSF1308-003NYq +C37jN32gN3y3AZzyf6, pop3_request, T, AUTH, +C37jN32gN3y3AZzyf6, pop3_reply, F, ERR, 1 argument required +C37jN32gN3y3AZzyf6, pop3_request, T, CAPA, +C37jN32gN3y3AZzyf6, pop3_reply, F, OK, Capability list follows +C37jN32gN3y3AZzyf6, pop3_request, T, AUTH, PLAIN +C37jN32gN3y3AZzyf6, pop3_reply, F, ERR, authentication failed +C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, POP server ready H mimap9 0MK0or-1VBlin3ixZ-001RVN +C3eiCBGOLw3VtHfOj, pop3_request, T, CAPA, +C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, Capability list follows +C3eiCBGOLw3VtHfOj, pop3_request, T, QUIT, +C3eiCBGOLw3VtHfOj, pop3_reply, F, OK, POP server signing off +CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, POP server ready H mimap13 0MW5rZ-1VayeZ2jFp-00XVZd +CwjjYJ2WqgTbAqiHl6, pop3_request, T, AUTH, +CwjjYJ2WqgTbAqiHl6, pop3_reply, F, ERR, 1 argument required +CwjjYJ2WqgTbAqiHl6, pop3_request, T, CAPA, +CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, Capability list follows +CwjjYJ2WqgTbAqiHl6, pop3_request, T, AUTH, PLAIN +CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, mailbox "digitalinvestigator@networksims.com" has 3 messages (19191 octets) H mimap13 +CwjjYJ2WqgTbAqiHl6, pop3_request, T, QUIT, +CwjjYJ2WqgTbAqiHl6, pop3_reply, F, OK, POP server signing off +C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, POP server ready H mimap15 0LfD5x-1VsVU4327M-00pHSn +C0LAHyvtKSQHyJxIl, pop3_request, T, AUTH, +C0LAHyvtKSQHyJxIl, pop3_reply, F, ERR, 1 argument required +C0LAHyvtKSQHyJxIl, pop3_request, T, CAPA, 
+C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, Capability list follows +C0LAHyvtKSQHyJxIl, pop3_request, T, AUTH, PLAIN +C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, mailbox "digitalinvestigator@networksims.com" has 3 messages (19191 octets) H mimap15 +C0LAHyvtKSQHyJxIl, pop3_request, T, STAT, +C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, 3 19191 +C0LAHyvtKSQHyJxIl, pop3_request, T, LIST, +C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, +C0LAHyvtKSQHyJxIl, pop3_request, T, UIDL, +C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, +C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 1 +C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, +C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 2 +C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, +C0LAHyvtKSQHyJxIl, pop3_request, T, RETR, 3 +C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, +C0LAHyvtKSQHyJxIl, pop3_request, T, QUIT, +C0LAHyvtKSQHyJxIl, pop3_reply, F, OK, POP server signing off diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.redis/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.pop3.redis/analyzer.log new file mode 100644 index 0000000000..3f9f9ae848 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.pop3.redis/analyzer.log 
@@ -0,0 +1,16 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path analyzer +#open XXXX-XX-XX-XX-XX-XX +#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data +#types time string string string string string addr port addr port string string +XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 too many unknown client commands - +XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 unknown server command (+PONG) +PONG +XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 unknown server command (+PONG) +PONG +XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 unknown server command (+PONG) +PONG +XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 unknown server command (+PONG) +PONG +XXXXXXXXXX.XXXXXX violation protocol POP3 CHhAvVGS1DHFjwGM9 - 127.0.0.1 59954 127.0.0.1 6379 unknown server command (+PONG) +PONG +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.redis/conn.log b/testing/btest/Baseline/scripts.base.protocols.pop3.redis/conn.log new file mode 100644 index 0000000000..deeefbdba5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.pop3.redis/conn.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59954 127.0.0.1 6379 tcp - 0.002030 848 370 SF T T 0 ShADadfF 58 3872 58 3394 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.redis/out b/testing/btest/Baseline/scripts.base.protocols.pop3.redis/out new file mode 100644 index 0000000000..fe3bec3f1d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.pop3.redis/out @@ -0,0 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, pop3_reply, F, OK, +CHhAvVGS1DHFjwGM9, pop3_reply, F, OK, +CHhAvVGS1DHFjwGM9, pop3_reply, F, OK, diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.redis/weird.log b/testing/btest/Baseline/scripts.base.protocols.pop3.redis/weird.log new file mode 100644 index 0000000000..7ac280b3c0 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.pop3.redis/weird.log 
@@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59954 127.0.0.1 6379 pop3_client_command_unknown *2 F zeek POP3 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59954 127.0.0.1 6379 pop3_client_too_many_pending_commands - F zeek POP3 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59954 127.0.0.1 6379 pop3_server_command_unknown +PONG F zeek POP3 +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut new file mode 100644 index 0000000000..1a3b7336c7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid cause analyzer_kind analyzer_name failure_reason +1733909795.417573 C4J4Th3PJpwUYZZ6gc violation protocol QUIC decryption failed (<...>/QUIC.spicy:) diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut new file mode 100644 index 0000000000..e9151b0dee --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut 
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts uid proto history service
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h udp D -
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc udp D -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 tcp F ftp
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-zero-byte-error-ioctl/out b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-zero-byte-error-ioctl/out
new file mode 100644
index 0000000000..f803db64f2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-zero-byte-error-ioctl/out
@@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=0, message_id=8, process_id=65279, tree_id=3905704575, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00] +smb2_close_response, [credit_charge=1, status=0, command=6, credits=256, flags=1, message_id=8, process_id=65279, tree_id=3905704575, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]] +smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=0, message_id=21, process_id=65279, tree_id=900627714, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00] +smb2_close_response, [credit_charge=1, status=0, command=6, credits=256, flags=1, message_id=21, process_id=65279, tree_id=900627714, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]] +smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, 
flags=4, message_id=25, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00] +smb2_close_response, [credit_charge=1, status=0, command=6, credits=768, flags=5, message_id=25, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]] +smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=4, message_id=28, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00] +smb2_close_response, [credit_charge=1, status=0, command=6, credits=768, flags=5, message_id=28, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]] +smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=4, message_id=31, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00] +smb2_close_response, [credit_charge=1, 
status=0, command=6, credits=768, flags=5, message_id=31, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]] +smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=4, message_id=34, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00] +smb2_close_response, [credit_charge=1, status=0, command=6, credits=768, flags=5, message_id=34, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]] diff --git a/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut b/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut index 7227d38c91..3fc24c4d1e 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut +++ b/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut 
@@ -1,3 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. - - - - - - COMMUNITY_ID_INIT Zeek initializing +141.142.228.5 59856 192.150.187.43 80 tcp 1:yvyB8h+3dnggTZW0UEITWCst97w= COMMUNITY_ID_NEW_CONNECTION New connection 141.142.228.5 59856 192.150.187.43 80 tcp 1:yvyB8h+3dnggTZW0UEITWCst97w= COMMUNITY_ID_CONN_ESTABLISHED Connection establishment diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/conn.log.cut b/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/conn.log.cut new file mode 100644 index 0000000000..b02a020eb9 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/conn.log.cut @@ -0,0 +1,2 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +141.142.228.5 59856 192.150.187.43 80 tcp - 1:yvyB8h+3dnggTZW0UEITWCst97w= diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/out b/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/out new file mode 100644 index 0000000000..d70fe804fb --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging-flipped/out @@ -0,0 +1,2 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +new_connection, CHhAvVGS1DHFjwGM9, 1:yvyB8h+3dnggTZW0UEITWCst97w= diff --git a/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/http.log.cut b/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/http.log.cut new file mode 100644 index 0000000000..345a4837e7 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/http.log.cut 
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid method host uri tags
+ClEkJM2Vm5giqnMf4h GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=1'+OR+'1'='1&Submit=Submit HTTP::URI_SQLI
+C4J4Th3PJpwUYZZ6gc GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=1'+UNION+SELECT+NULL,+version()+#&Submit=Submit HTTP::URI_SQLI
+CtPZjS20MLrsMUOJi2 GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=2'+OR+'2'='2&Submit=Submit HTTP::URI_SQLI
diff --git a/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/output b/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/output
new file mode 100644
index 0000000000..06c5829847
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.http.sql-injection-plus-dvwa/output
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ClEkJM2Vm5giqnMf4h, [orig_h=192.168.111.148, orig_p=53796/tcp, resp_h=192.168.111.154, resp_p=80/tcp], {\x0a\x09HTTP::URI_SQLI\x0a}
+C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.111.148, orig_p=57524/tcp, resp_h=192.168.111.154, resp_p=80/tcp], {\x0a\x09HTTP::URI_SQLI\x0a}
+CtPZjS20MLrsMUOJi2, [orig_h=192.168.111.148, orig_p=40112/tcp, resp_h=192.168.111.154, resp_p=80/tcp], {\x0a\x09HTTP::URI_SQLI\x0a}
diff --git a/testing/btest/Baseline/spicy.port-deprecated/out.stderr b/testing/btest/Baseline/spicy.port-deprecated/out.stderr
deleted file mode 100644
index a033682601..0000000000
--- a/testing/btest/Baseline/spicy.port-deprecated/out.stderr
+++ /dev/null
@@ -1,2 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[warning] <...>/udp-test.evt:4: Remove in v7.1: Analyzer spicy::TEST is using the deprecated 'port' or 'ports' keyword to register well-known ports. Use Analyzer::register_for_ports() in the accompanying Zeek script instead.
diff --git a/testing/btest/Baseline/spicy.port-fail/output b/testing/btest/Baseline/spicy.port-fail/output
index f572d2e79a..24eb09807d 100644
--- a/testing/btest/Baseline/spicy.port-fail/output
+++ b/testing/btest/Baseline/spicy.port-fail/output
@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[error] <...>/port-fail.evt:9: port outside of valid range
+[error] <...>/port-fail.evt:7: port outside of valid range
 [error] error loading EVT file "<...>/port-fail.evt"
diff --git a/testing/btest/Baseline/spicy.port/output b/testing/btest/Baseline/spicy.port/output
new file mode 100644
index 0000000000..938a6c7b35
--- /dev/null
+++ b/testing/btest/Baseline/spicy.port/output
@@ -0,0 +1,19 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Analyzer::ANALYZER_SPICY_TEST, 11337/udp
+Analyzer::ANALYZER_SPICY_TEST, 11338/udp
+Analyzer::ANALYZER_SPICY_TEST, 11339/udp
+Analyzer::ANALYZER_SPICY_TEST, 11340/udp
+Analyzer::ANALYZER_SPICY_TEST, 31337/udp
+Analyzer::ANALYZER_SPICY_TEST, 31338/udp
+Analyzer::ANALYZER_SPICY_TEST, 31339/udp
+Analyzer::ANALYZER_SPICY_TEST, 31340/udp
+{
+31339/udp,
+31337/udp,
+31338/udp,
+11339/udp,
+11338/udp,
+11340/udp,
+31340/udp,
+11337/udp
+}
diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README
index bc5a304436..0e7f31431c 100644
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README
@@ -18,3 +18,14 @@ Trace Index/Sources: - one `\x30` byte in the ciphertext changed to `\x00` - ldap/issue-32.pcapng: Provided by GH user martinvanhensbergen, +- ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap: Harvested from CTU-SME-11 + (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 389 and port 50041. + https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258). +- ldap/ldap_invalid_credentials.pcap + Provided by Martin van Hensbergen in issue #3919. +- pop3/POP3.pcap: Picked up from POP tutorial on tranalyzer.com + https://tranalyzer.com/tutorial/pop + https://tranalyzer.com/download/data/pop3.pcap +- http/cooper-grill-dvwa.pcapng + Provided by cooper-grill on #3995 + https://github.com/zeek/zeek/pull/3995 diff --git a/testing/btest/Traces/http/basic-auth-with-colon.trace b/testing/btest/Traces/http/basic-auth-with-colon.trace new file mode 100644 index 0000000000..c1b03b6ecb Binary files /dev/null and b/testing/btest/Traces/http/basic-auth-with-colon.trace differ diff --git a/testing/btest/Traces/http/cooper-grill-dvwa.pcapng b/testing/btest/Traces/http/cooper-grill-dvwa.pcapng new file mode 100644 index 0000000000..b68eb250ef Binary files /dev/null and b/testing/btest/Traces/http/cooper-grill-dvwa.pcapng differ diff --git a/testing/btest/Traces/ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap b/testing/btest/Traces/ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap new file mode 100644 index 0000000000..dd2b34ce4a Binary files /dev/null and b/testing/btest/Traces/ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap differ diff --git a/testing/btest/Traces/ldap/ldap-add.pcap b/testing/btest/Traces/ldap/ldap-add.pcap new file mode 100644 index 0000000000..118a8c42a5 Binary files /dev/null and b/testing/btest/Traces/ldap/ldap-add.pcap differ 
diff --git a/testing/btest/Traces/ldap/ldap-starttls.pcap b/testing/btest/Traces/ldap/ldap-starttls.pcap new file mode 100644 index 0000000000..0cb6035125 Binary files /dev/null and b/testing/btest/Traces/ldap/ldap-starttls.pcap differ diff --git a/testing/btest/Traces/ldap/ldap-who-am-i.pcap b/testing/btest/Traces/ldap/ldap-who-am-i.pcap new file mode 100644 index 0000000000..75dae01d4e Binary files /dev/null and b/testing/btest/Traces/ldap/ldap-who-am-i.pcap differ diff --git a/testing/btest/Traces/ldap/ldap_invalid_credentials.pcap b/testing/btest/Traces/ldap/ldap_invalid_credentials.pcap new file mode 100644 index 0000000000..b273b140bd Binary files /dev/null and b/testing/btest/Traces/ldap/ldap_invalid_credentials.pcap differ diff --git a/testing/btest/Traces/ldap/missing_krbtgt_ldap_request.pcapng b/testing/btest/Traces/ldap/missing_krbtgt_ldap_request.pcapng new file mode 100644 index 0000000000..52c52d7424 Binary files /dev/null and b/testing/btest/Traces/ldap/missing_krbtgt_ldap_request.pcapng differ diff --git a/testing/btest/Traces/ldap/missing_ldap_logs.pcapng b/testing/btest/Traces/ldap/missing_ldap_logs.pcapng new file mode 100644 index 0000000000..e9e1597222 Binary files /dev/null and b/testing/btest/Traces/ldap/missing_ldap_logs.pcapng differ diff --git a/testing/btest/Traces/ldap/sasl-ntlm.pcap b/testing/btest/Traces/ldap/sasl-ntlm.pcap new file mode 100644 index 0000000000..ef2fb91ab4 Binary files /dev/null and b/testing/btest/Traces/ldap/sasl-ntlm.pcap differ diff --git a/testing/btest/Traces/ldap/sasl-scram-sha-512.pcap b/testing/btest/Traces/ldap/sasl-scram-sha-512.pcap new file mode 100644 index 0000000000..70fd3d6b0d Binary files /dev/null and b/testing/btest/Traces/ldap/sasl-scram-sha-512.pcap differ 
diff --git a/testing/btest/Traces/ldap/sasl-srp-who-am-i.pcap b/testing/btest/Traces/ldap/sasl-srp-who-am-i.pcap new file mode 100644 index 0000000000..9e70f2d1b0 Binary files /dev/null and b/testing/btest/Traces/ldap/sasl-srp-who-am-i.pcap differ diff --git a/testing/btest/Traces/modbus/modbus-and-non-modbus-p502.pcap b/testing/btest/Traces/modbus/modbus-and-non-modbus-p502.pcap new file mode 100644 index 0000000000..a3b1ea28f8 Binary files /dev/null and b/testing/btest/Traces/modbus/modbus-and-non-modbus-p502.pcap differ diff --git a/testing/btest/Traces/negative-time.pcap b/testing/btest/Traces/negative-time.pcap deleted file mode 100644 index a216f1eb6e..0000000000 Binary files a/testing/btest/Traces/negative-time.pcap and /dev/null differ diff --git a/testing/btest/Traces/pop3/bad-list-retr-crafted.pcap b/testing/btest/Traces/pop3/bad-list-retr-crafted.pcap new file mode 100644 index 0000000000..7543e833e1 Binary files /dev/null and b/testing/btest/Traces/pop3/bad-list-retr-crafted.pcap differ diff --git a/testing/btest/Traces/pop3/pop3.pcap b/testing/btest/Traces/pop3/pop3.pcap new file mode 100644 index 0000000000..856c498950 Binary files /dev/null and b/testing/btest/Traces/pop3/pop3.pcap differ diff --git a/testing/btest/Traces/pop3/redis-50-pings.pcap b/testing/btest/Traces/pop3/redis-50-pings.pcap new file mode 100644 index 0000000000..4b12508307 Binary files /dev/null and b/testing/btest/Traces/pop3/redis-50-pings.pcap differ diff --git a/testing/btest/Traces/quic/383379789-decrypt-crash.pcap b/testing/btest/Traces/quic/383379789-decrypt-crash.pcap new file mode 100644 index 0000000000..aeb9808508 Binary files /dev/null and b/testing/btest/Traces/quic/383379789-decrypt-crash.pcap differ diff --git a/testing/btest/Traces/smb/smb2-zero-byte-error-ioctl.pcap b/testing/btest/Traces/smb/smb2-zero-byte-error-ioctl.pcap new file mode 100644 index 0000000000..3ffab0867a Binary files /dev/null and b/testing/btest/Traces/smb/smb2-zero-byte-error-ioctl.pcap differ 
diff --git a/testing/btest/core/mmdb/explicit-open.zeek b/testing/btest/core/mmdb/explicit-open.zeek index 8300ef1604..9aa38c8362 100644 --- a/testing/btest/core/mmdb/explicit-open.zeek +++ b/testing/btest/core/mmdb/explicit-open.zeek @@ -45,6 +45,8 @@ event new_packet(c: connection, p: pkt_hdr) event zeek_init() { - assert mmdb_open_asn_db(asn_fn); - assert mmdb_open_location_db(city_fn); + if ( ! mmdb_open_asn_db(asn_fn) ) + Reporter::fatal("failed to open asn_db " + asn_fn); + if ( ! mmdb_open_location_db(city_fn) ) + Reporter::fatal("failed to open location db " + city_fn); } diff --git a/testing/btest/core/negative-time.test b/testing/btest/core/negative-time.test deleted file mode 100644 index cd1ac20240..0000000000 --- a/testing/btest/core/negative-time.test +++ /dev/null @@ -1,2 +0,0 @@ -# @TEST-EXEC: zeek -b -C -r $TRACES/negative-time.pcap base/frameworks/notice -# @TEST-EXEC: btest-diff weird.log diff --git a/testing/btest/core/script-args.zeek b/testing/btest/core/script-args.zeek index b229c87ada..7484bb9441 100644 --- a/testing/btest/core/script-args.zeek +++ b/testing/btest/core/script-args.zeek @@ -2,6 +2,10 @@ # the script differently, leading to complaints that there are no scripts. # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1" +# TSAN may re-execute the executable when the memory layout doesn't fullfill +# requirements, causing argument confusion when that happens (see #3774). +# @TEST-REQUIRES: ! have-tsan + # @TEST-EXEC: printf '#!' > test.zeek # @TEST-EXEC: printf "$BUILD/src/zeek -b --\n" >> test.zeek # @TEST-EXEC: cat %INPUT >> test.zeek diff --git a/testing/btest/coverage/bare-mode-errors.test b/testing/btest/coverage/bare-mode-errors.test index e477140083..be243bcdc0 100644 --- a/testing/btest/coverage/bare-mode-errors.test +++ b/testing/btest/coverage/bare-mode-errors.test 
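Review bot: The new comment above the `@TEST-REQUIRES: ! have-tsan` line in script-args.zeek misspells "fulfill" as "fullfill"; since the comment is the only place explaining why the test is skipped under TSAN, it is worth getting right: `# TSAN may re-execute the executable when the memory layout doesn't fulfill`. It would also help a reader to name what "argument confusion" means here (e.g. that the re-exec'd process no longer sees the `#!`-supplied script arguments), as far as #3774 supports that.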
@@ -9,4 +9,4 @@ # # @TEST-EXEC: test -d $DIST/scripts # @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.zeek`; do zeek -b --parse-only $script >>errors 2>&1; done -# @TEST-EXEC: TEST_DIFF_CANONIFIER="grep -v -e 'load-balancing.zeek.*deprecated script loaded' | $SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-sort" btest-diff errors +# @TEST-EXEC: TEST_DIFF_CANONIFIER="grep -v -e 'load-balancing.zeek.*deprecated script loaded' | grep -v -e 'prometheus.zeek.*deprecated script loaded' | $SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-sort" btest-diff errors diff --git a/testing/btest/coverage/test-all-policy-cluster.test b/testing/btest/coverage/test-all-policy-cluster.test index b213b1ac26..9d88868063 100644 --- a/testing/btest/coverage/test-all-policy-cluster.test +++ b/testing/btest/coverage/test-all-policy-cluster.test @@ -9,7 +9,7 @@ # @TEST-EXEC: CLUSTER_NODE=logger-1 zeek %INPUT # @TEST-EXEC: CLUSTER_NODE=proxy-1 zeek %INPUT # @TEST-EXEC: CLUSTER_NODE=worker-1 zeek %INPUT -# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v "load-balancing.zeek.*deprecated script" | $SCRIPTS/diff-remove-abspath' btest-diff .stderr +# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v "load-balancing.zeek.*deprecated script" | grep -v "prometheus.zeek.*deprecated script" | $SCRIPTS/diff-remove-abspath' btest-diff .stderr @load base/frameworks/cluster @load misc/loaded-scripts diff --git a/testing/btest/opt/regress-any-leak.zeek b/testing/btest/opt/regress-any-leak.zeek new file mode 100644 index 0000000000..118356aa07 --- /dev/null +++ b/testing/btest/opt/regress-any-leak.zeek @@ -0,0 +1,16 @@ +# @TEST-DOC: Regression test for leak when mixing "any" types (affected both ZAM and non-ZAM) +# @TEST-EXEC: zeek -b -O ZAM %INPUT >output +# @TEST-EXEC: btest-diff output + +type X: record { + a: string; +}; + +event zeek_init() + { + local vec: vector of any; + vec += X($a="abc-1"); + print vec; + vec[0] = 1; + print vec; + } 
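Review bot: The canonifier in bare-mode-errors.test now chains a second `grep -v -e` stage although the first stage already uses `-e`, so the same filter fits in one call: `grep -v -e 'load-balancing.zeek.*deprecated script loaded' -e 'prometheus.zeek.*deprecated script loaded' | $SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-sort`. Each additional deprecated script would otherwise grow the pipeline by another process; the same applies to the test-all-policy-cluster.test hunk on this line.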
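Review bot: The `@TEST-DOC` of regress-any-leak.zeek says the leak affected both ZAM and non-ZAM, but the only `@TEST-EXEC` runs `zeek -b -O ZAM %INPUT`, so the non-ZAM path this doc claims to cover is not exercised. Either add a second run without `-O ZAM` (e.g. `# @TEST-EXEC: zeek -b %INPUT >output.noopt` plus a `btest-diff output.noopt`), or narrow the doc to "ZAM" so the sanitizer CI job that detects the leak is not assumed to cover the interpreter as well.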
diff --git a/testing/btest/opt/regress-any.zeek b/testing/btest/opt/regress-any.zeek new file mode 100644 index 0000000000..98c4116392 --- /dev/null +++ b/testing/btest/opt/regress-any.zeek @@ -0,0 +1,16 @@ +# @TEST-DOC: Regression test for reassigning an "any" field +# @TEST-EXEC: zeek -b -O ZAM %INPUT >output +# @TEST-EXEC: btest-diff output + +type X: record { + a: string; + b: any; +}; + +event zeek_init() + { + local x = X($a="123", $b=vector("abc")); + print x; + x$b = 1; + print x; + } diff --git a/testing/btest/opt/regress-vector-mismatch.zeek b/testing/btest/opt/regress-vector-mismatch.zeek new file mode 100644 index 0000000000..e07411750d --- /dev/null +++ b/testing/btest/opt/regress-vector-mismatch.zeek @@ -0,0 +1,17 @@ +# @TEST-DOC: Regression test for coercing vectors-of-any +# @TEST-EXEC: zeek -b -O ZAM %INPUT >output +# @TEST-EXEC: btest-diff output + +module X; + +export { + option o: vector of string = vector(); +} + +event zeek_init() + { + local x: any = vector(); + Config::set_value("X::o", vector("a") + (x as vector of string)); + print X::o; + print x; + } diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestream-leftover.zeek b/testing/btest/scripts/base/frameworks/input/raw/executestream-leftover.zeek new file mode 100644 index 0000000000..f40a7d52a3 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/raw/executestream-leftover.zeek 
@@ -0,0 +1,52 @@
+# @TEST-DOC: Launching a program that produces output slowly and strangely separated.
+# @TEST-EXEC: chmod +x run.sh
+# @TEST-EXEC: btest-bg-run zeek zeek -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff zeek/.stdout
+
+redef exit_only_after_terminate = T;
+
+redef Threading::heartbeat_interval = 0.01sec;
+
+@TEST-START-FILE run.sh
+#!/usr/bin/env bash
+echo -e -n "aaa\nb"
+sleep 0.1
+echo -e -n "bb\nfi"
+sleep 0.1
+echo "nal"
+
+sleep infinity
+@TEST-END-FILE
+
+module A;
+
+type Val: record {
+ s: string;
+};
+
+global lines = 0;
+
+event one_line(description: Input::EventDescription, tpe: Input::Event, s: string)
+ {
+ print tpe, s;
+ ++lines;
+
+ if ( lines == 3 )
+ {
+ Input::remove("input");
+ terminate();
+ }
+ }
+
+event zeek_init()
+ {
+ Input::add_event([
+ $name="run",
+ $source="../run.sh |",
+ $reader=Input::READER_RAW,
+ $mode=Input::STREAM,
+ $fields=Val,
+ $ev=one_line, $want_record=F,
+ ]);
+ }
diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestream-no-last-separator.zeek b/testing/btest/scripts/base/frameworks/input/raw/executestream-no-last-separator.zeek
new file mode 100644
index 0000000000..eeb77ac884
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/raw/executestream-no-last-separator.zeek
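Review bot: `Input::remove("input")` in the `one_line` handler does not name the stream registered in `zeek_init`, which is added with `$name="run"`, so the remove presumably fails (Zeek reports an error for an unknown stream) and the `run` stream is only torn down by the following `terminate()`. The call should be `Input::remove("run");` so the test actually exercises the remove path it appears to intend. Separately, `sleep infinity` in run.sh is a GNU coreutils extension; non-GNU `sleep` implementations may reject the argument, so a long numeric sleep (e.g. `sleep 3600`) is the portable form.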
@@ -0,0 +1,53 @@
+# @TEST-DOC: Launching a program that doesn't end it's final line with a \n
+# @TEST-EXEC: chmod +x run.sh
+# @TEST-EXEC: btest-bg-run zeek zeek -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff zeek/.stdout
+
+redef exit_only_after_terminate = T;
+
+redef Threading::heartbeat_interval = 0.01sec;
+
+@TEST-START-FILE run.sh
+#!/usr/bin/env bash
+sleep 0.1
+echo "aaa"
+sleep 0.1
+echo "bbb"
+sleep 0.1
+echo -n "final"
+
+sleep 0.1
+exit 0
+@TEST-END-FILE
+
+module A;
+
+type Val: record {
+ s: string;
+};
+
+global lines = 0;
+
+event one_line(description: Input::EventDescription, tpe: Input::Event, s: string)
+ {
+ print tpe, s;
+ ++lines;
+ if ( lines == 3 )
+ {
+ Input::remove("input");
+ terminate();
+ }
+ }
+
+event zeek_init()
+ {
+ Input::add_event([
+ $name="run",
+ $source="../run.sh |",
+ $reader=Input::READER_RAW,
+ $mode=Input::STREAM,
+ $fields=Val,
+ $ev=one_line, $want_record=F,
+ ]);
+ }
diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestream-slow-long.zeek b/testing/btest/scripts/base/frameworks/input/raw/executestream-slow-long.zeek
new file mode 100644
index 0000000000..da6e489b4e
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/raw/executestream-slow-long.zeek
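Review bot: The stream is registered as `$name="run"` in `zeek_init`, but `one_line` calls `Input::remove("input")`, so the stream named in the remove does not exist and the registered one is left to `terminate()`; use `Input::remove("run");`. The `@TEST-DOC` also has a typo ("it's" for "its") and the trailing `\n` renders better quoted: `# @TEST-DOC: Launching a program that doesn't end its final line with a "\n"`.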
@@ -0,0 +1,62 @@
+# @TEST-DOC: Launching a program that produces output slowly and exercises buffering.
+# @TEST-EXEC: chmod +x run.sh
+# @TEST-EXEC: btest-bg-run zeek zeek -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff zeek/.stdout
+
+redef exit_only_after_terminate = T;
+
+redef Threading::heartbeat_interval = 0.01sec;
+
+@TEST-START-FILE run.sh
+#!/usr/bin/env bash
+sleep 0.1
+echo -n "binary start"
+sleep 0.1
+dd if=/dev/zero bs=1 count=8192
+sleep 0.1
+echo -n "binary middle"
+sleep 0.1
+dd if=/dev/zero bs=1 count=8192
+sleep 0.1
+dd if=/dev/zero bs=1 count=8192
+sleep 0.1
+echo "binary done"
+sleep 0.1
+echo "ccc"
+sleep 0.1
+echo "final"
+
+sleep infinity
+@TEST-END-FILE
+
+module A;
+
+type Val: record {
+ s: string;
+};
+
+global lines = 0;
+
+event one_line(description: Input::EventDescription, tpe: Input::Event, s: string)
+ {
+ print tpe,|s|, s[:16], s[-16:];
+ ++lines;
+ if ( lines == 3 )
+ {
+ Input::remove("input");
+ terminate();
+ }
+ }
+
+event zeek_init()
+ {
+ Input::add_event([
+ $name="run",
+ $source="../run.sh |",
+ $reader=Input::READER_RAW,
+ $mode=Input::STREAM,
+ $fields=Val,
+ $ev=one_line, $want_record=F,
+ ]);
+ }
diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestream-slow.zeek b/testing/btest/scripts/base/frameworks/input/raw/executestream-slow.zeek
new file mode 100644
index 0000000000..d221805b33
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/raw/executestream-slow.zeek
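Review bot: As in the sibling raw-reader tests, `Input::remove("input")` in `one_line` names a stream that was never added; the stream registered in `zeek_init` is `$name="run"`, so this should read `Input::remove("run");`. Also, `dd` writes its transfer statistics to stderr, which lands in zeek/.stderr rather than the diffed `.stdout`, so `dd if=/dev/zero bs=1 count=8192 status=none` (or `2>/dev/null`) keeps the background log free of noise that varies between dd implementations.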
@@ -0,0 +1,55 @@
+# @TEST-DOC: Launching a program that produces output slowly puts the raw reader into an endless loop.
+# @TEST-EXEC: chmod +x run.sh
+# @TEST-EXEC: btest-bg-run zeek zeek -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff zeek/.stdout
+
+redef exit_only_after_terminate = T;
+
+redef Threading::heartbeat_interval = 0.01sec;
+
+@TEST-START-FILE run.sh
+#!/usr/bin/env bash
+sleep 0.1
+echo -n "aaa-"
+sleep 0.1
+echo -n "bbb-"
+sleep 0.1
+echo "ccc"
+sleep 0.1
+echo "aaa-bbb-ccc"
+echo "final"
+
+sleep infinity
+@TEST-END-FILE
+
+module A;
+
+type Val: record {
+ s: string;
+};
+
+global lines = 0;
+
+event one_line(description: Input::EventDescription, tpe: Input::Event, s: string)
+ {
+ print tpe, s;
+ ++lines;
+ if ( lines == 3 )
+ {
+ Input::remove("input");
+ terminate();
+ }
+ }
+
+event zeek_init()
+ {
+ Input::add_event([
+ $name="run",
+ $source="../run.sh |",
+ $reader=Input::READER_RAW,
+ $mode=Input::STREAM,
+ $fields=Val,
+ $ev=one_line, $want_record=F,
+ ]);
+ }
diff --git a/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek b/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek
new file mode 100644
index 0000000000..6cef93eba7
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek
@@ -0,0 +1,8 @@
+# Authorization: Basic password has a colon in its value
+#
+# @TEST-EXEC: zeek -b -r $TRACES/http/basic-auth-with-colon.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+
+@load base/protocols/http
+
+redef HTTP::default_capture_password = T;
diff --git a/testing/btest/scripts/base/protocols/ldap/add.zeek b/testing/btest/scripts/base/protocols/ldap/add.zeek
new file mode 100644
index 0000000000..fbe2c9a4ad
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/add.zeek
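Review bot: `Input::remove("input")` in `one_line` does not match the `$name="run"` stream added in `zeek_init`, so the remove targets a non-existent stream; it should be `Input::remove("run");`. The `@TEST-DOC` describes the old bug ("puts the raw reader into an endless loop") as if it were the expected behavior; a regression test reads better stating the expectation, e.g. `# @TEST-DOC: Regression test: a program producing output slowly used to put the raw reader into an endless loop; expect three lines and a clean terminate.`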
@@ -0,0 +1,11 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-add.pcap %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: The addRequest/addResponse operation is not implemented, yet we process it.
diff --git a/testing/btest/scripts/base/protocols/ldap/invalid_credentials.zeek b/testing/btest/scripts/base/protocols/ldap/invalid_credentials.zeek
new file mode 100644
index 0000000000..041d03464d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/invalid_credentials.zeek
@@ -0,0 +1,5 @@
+# @TEST-DOC: Regression test case for #3919 for invalid credentials.
+#
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap_invalid_credentials.pcap %INPUT
+# @TEST-EXEC: btest-diff ldap.log
diff --git a/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek b/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek
new file mode 100644
index 0000000000..0504ba7a0a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek
@@ -0,0 +1,12 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-ntlm.pcap %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ldap_search.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: This broke after #3826 got merged
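Review bot: The `@TEST-DOC` of sasl-ntlm.zeek ("This broke after #3826 got merged") records history but not what the test asserts, so a future failure gives the reader nothing to check against. State the protocol scenario and the expectation the `@TEST-EXEC` lines encode, e.g. `# @TEST-DOC: LDAP SASL bind using NTLM. Regression test for #3826: the bind must be parsed without a DPD or analyzer violation.` — adjusting the last clause to whatever actually regressed, which the hunk does not show.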
diff --git a/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek b/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
new file mode 100644
index 0000000000..9db41f96bc
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
@@ -0,0 +1,12 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-scram-sha-512.pcap %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ldap_search.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: This broke after #3826 got merged
diff --git a/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear-2.zeek b/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear-2.zeek
new file mode 100644
index 0000000000..12f397a62b
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear-2.zeek
@@ -0,0 +1,11 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/missing_krbtgt_ldap_request.pcapng %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ldap_search.log
+# @TEST-EXEC: ! test -f dpd.log
+#
+# @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peak into LDAP wrapped into WRAP tokens.
diff --git a/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear.zeek b/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear.zeek
new file mode 100644
index 0000000000..4ae8d4b639
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear.zeek
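Review bot: sasl-signed-clear-2.zeek is the only LDAP test in this series without the `! test -f analyzer.log` assertion its siblings carry; if the GSS-API WRAP traffic is expected to parse cleanly, add `# @TEST-EXEC: ! test -f analyzer.log`, and if a violation is expected, say so in the `@TEST-DOC` so the omission does not look accidental. The `@TEST-DOC` also has a typo: "peak into" should be "peek into", as in `# @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peek into LDAP wrapped into WRAP tokens.`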
@@ -0,0 +1,11 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/missing_ldap_logs.pcapng %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ldap_search.log
+# @TEST-EXEC: ! test -f dpd.log
+#
+# @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peak into LDAP wrapped into WRAP tokens.
diff --git a/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek b/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek
new file mode 100644
index 0000000000..b467dbe484
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek
@@ -0,0 +1,11 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-srp-who-am-i.pcap %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: SASL authentication using SRP (Secure Remote Password)
diff --git a/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek b/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek
new file mode 100644
index 0000000000..e936332b47
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek
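Review bot: The `@TEST-DOC` of sasl-signed-clear.zeek repeats the "peak into" typo; it should read `# @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peek into LDAP wrapped into WRAP tokens.` Like its "-2" sibling, this test omits the `! test -f analyzer.log` check the other LDAP tests use; adding it (or documenting why an analyzer violation is expected here) would make the signed-but-clear path as tightly asserted as the rest.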
@@ -0,0 +1,15 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+#
+# The ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap file was harvested
+# from the CTU-SME-11 (Experiment-VM-Microsoft-Windows7AD-1) dataset
+# at https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: SASL bindRequest with SPNEGO NTLMSSP.
diff --git a/testing/btest/scripts/base/protocols/ldap/starttls.zeek b/testing/btest/scripts/base/protocols/ldap/starttls.zeek
new file mode 100644
index 0000000000..df94315210
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/starttls.zeek
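Review bot: The `zeek -C -r ...` line in spnego-ntlmssp.zeek is the only one in this LDAP series that does not pass `%INPUT`, so the test's own script file is never loaded by Zeek. That is harmless today because the file holds only comments, but anyone adding an event handler here later will see it silently ignored; for consistency with the sibling tests use `# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap %INPUT`.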
@@ -0,0 +1,25 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-starttls.pcap %INPUT >out
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: LDAP supports StartTLS through extendedRequest 1.3.6.1.4.1.1466.20037
+
+event LDAP::extended_request(c: connection, message_id: int, request_name: string, request_value: string) {
+ print c$uid, "extended_request", fmt("%s (%s)", request_name, LDAP::EXTENDED_REQUESTS[request_name]), request_value;
+}
+
+event LDAP::extended_response(c: connection, message_id: int, result: LDAP::ResultCode, response_name: string, response_value: string) {
+ print c$uid, "extended_response", result, response_name, response_value;
+}
+
+event LDAP::starttls(c: connection) {
+ print c$uid, "LDAP::starttls";
+}
diff --git a/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek b/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek
new file mode 100644
index 0000000000..6026add5cc
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek
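Review bot: `LDAP::EXTENDED_REQUESTS[request_name]` in the `extended_request` handler indexes the table without checking membership, so an OID the table does not know produces a runtime "no such index" error instead of a printed line, and the trace would then fail the `out` diff for an unrelated reason. Guard the lookup, e.g. `local name = request_name in LDAP::EXTENDED_REQUESTS ? LDAP::EXTENDED_REQUESTS[request_name] : "unknown";` and print `fmt("%s (%s)", request_name, name)`. The trace here presumably only carries the StartTLS OID, so this is robustness rather than a failing case today.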
@@ -0,0 +1,20 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-who-am-i.pcap %INPUT >out
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: Testing OpenLDAP's ldapwhoami utility with simple authentication.
+
+event LDAP::extended_request(c: connection, message_id: int, request_name: string, request_value: string) {
+ print c$uid, "extended_request", fmt("%s (%s)", request_name, LDAP::EXTENDED_REQUESTS[request_name]), request_value;
+}
+
+event LDAP::extended_response(c: connection, message_id: int, result: LDAP::ResultCode, response_name: string, response_value: string) {
+ print c$uid, "extended_response", result, response_name, response_value;
+}
diff --git a/testing/btest/scripts/base/protocols/modbus/modbus_and_non_modbus_on_port_502.test b/testing/btest/scripts/base/protocols/modbus/modbus_and_non_modbus_on_port_502.test
new file mode 100644
index 0000000000..fcb95fa6d3
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/modbus/modbus_and_non_modbus_on_port_502.test
@@ -0,0 +1,7 @@
+# @TEST-EXEC: zeek -r $TRACES/modbus/modbus-and-non-modbus-p502.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff modbus.log
+# @TEST-EXEC: btest-diff analyzer.log
+
+# The pcap has non Modbus traffic (i.e., DCERPC, HTTP, Magellan, NFS, RDP, TLS) on TCP port 502.
+# This traffic should not be labelled as Modbus in conn.log, and not generate any Modbus events.
diff --git a/testing/btest/scripts/base/protocols/pop3/bad-list-retr-crafted.zeek b/testing/btest/scripts/base/protocols/pop3/bad-list-retr-crafted.zeek
new file mode 100644
index 0000000000..2aedeac81e
--- /dev/null
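Review bot: who-am-i.zeek copies the unguarded `LDAP::EXTENDED_REQUESTS[request_name]` lookup from starttls.zeek, so any extended request with an OID missing from that table turns the handler into a runtime error rather than a line in `out`. Since the two tests share the same two handlers verbatim, consider a membership check (`request_name in LDAP::EXTENDED_REQUESTS ? LDAP::EXTENDED_REQUESTS[request_name] : "unknown"`) in both, or move the handlers into a shared `@TEST-START-FILE` helper so a fix lands in one place.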
+++ b/testing/btest/scripts/base/protocols/pop3/bad-list-retr-crafted.zeek
@@ -0,0 +1,14 @@
+# @TEST-DOC: Crafted pcap causing crashes due to mail not initialized.
+# @TEST-EXEC: zeek -b -r $TRACES/pop3/bad-list-retr-crafted.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff analyzer.log
+
+@load base/frameworks/notice/weird
+@load base/protocols/conn
+@load base/protocols/pop3
+
+event zeek_init()
+ {
+ Analyzer::register_for_port(Analyzer::ANALYZER_POP3, 110/tcp);
+ }
diff --git a/testing/btest/scripts/base/protocols/pop3/basic.zeek b/testing/btest/scripts/base/protocols/pop3/basic.zeek
new file mode 100644
index 0000000000..d9094622d8
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/pop3/basic.zeek
@@ -0,0 +1,20 @@
+# @TEST-DOC: Ensure basic POP3 functionality.
+# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/pop3.pcap %INPUT >out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: test ! -f analyzer.log
+
+@load base/frameworks/notice/weird
+@load base/protocols/conn
+@load base/protocols/pop3
+
+event pop3_request(c: connection, is_orig: bool, cmd: string, arg: string)
+ {
+ print c$uid, "pop3_request", is_orig, cmd, arg;
+ }
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, arg: string)
+ {
+ print c$uid, "pop3_reply", is_orig, cmd, arg;
+ }
diff --git a/testing/btest/scripts/base/protocols/pop3/redis.zeek b/testing/btest/scripts/base/protocols/pop3/redis.zeek
new file mode 100644
index 0000000000..137baf459c
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/pop3/redis.zeek
@@ -0,0 +1,22 @@
+# @TEST-DOC: The POP3 signature triggered on Redis traffic. Ensure the analyzer is eventually removed to avoid.
+# @TEST-EXEC: zeek -C -b -r $TRACES/pop3/redis-50-pings.pcap %INPUT >out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff analyzer.log
+
+@load base/frameworks/notice/weird
+@load base/protocols/conn
+@load base/protocols/pop3
+
+redef POP3::max_unknown_client_commands = 3;
+
+event pop3_request(c: connection, is_orig: bool, cmd: string, arg: string)
+ {
+ print c$uid, "pop3_request", is_orig, cmd, arg;
+ }
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, arg: string)
+ {
+ print c$uid, "pop3_reply", is_orig, cmd, arg;
+ }
diff --git a/testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek b/testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek
new file mode 100644
index 0000000000..4b64b04dc4
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek
@@ -0,0 +1,8 @@
+# @TEST-DOC: Trace produced by OSS-Fuzz triggered a crash due to using a too small local buffer for decryption.
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -Cr $TRACES/quic/383379789-decrypt-crash.pcap base/protocols/quic %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid proto history service < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut
diff --git a/testing/btest/scripts/base/protocols/smb/smb2-zero-byte-error-ioctl.test b/testing/btest/scripts/base/protocols/smb/smb2-zero-byte-error-ioctl.test
new file mode 100644
index 0000000000..058d17c29e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb2-zero-byte-error-ioctl.test
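Review bot: The `@TEST-DOC` of redis.zeek ends mid-sentence ("Ensure the analyzer is eventually removed to avoid."), so the reader never learns what the removal avoids. Tie it to the knob the test actually sets: `# @TEST-DOC: The POP3 signature triggered on Redis traffic. Ensure the analyzer is removed after POP3::max_unknown_client_commands unknown commands, so unrelated traffic does not keep producing pop3_request events.` — the "so ..." clause being my reading of the intent, worth confirming against the weird.log and analyzer.log baselines.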
@@ -0,0 +1,16 @@ +# @TEST-DOC: Tests handling of PDUs containing error ioctls with byte lengths of zero +# @TEST-EXEC: zeek -b -r $TRACES/smb/smb2-zero-byte-error-ioctl.pcap %INPUT 2>&1 >out +# @TEST-EXEC: ! test -f analyzer.log +# @TEST-EXEC: btest-diff out + +@load base/protocols/smb + +event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) +{ + print "smb2_close_request", hdr; +} + +event smb2_close_response(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse) +{ + print "smb2_close_response", hdr, response; +} diff --git a/testing/btest/scripts/policy/frameworks/notice/community-id.zeek b/testing/btest/scripts/policy/frameworks/notice/community-id.zeek index 8383017c63..07fd57a77d 100644 --- a/testing/btest/scripts/policy/frameworks/notice/community-id.zeek +++ b/testing/btest/scripts/policy/frameworks/notice/community-id.zeek @@ -13,6 +13,7 @@ redef enum Notice::Type += { COMMUNITY_ID_INIT, COMMUNITY_ID_CONN_ESTABLISHED, + COMMUNITY_ID_NEW_CONNECTION, }; event zeek_init() @@ -22,6 +23,14 @@ event zeek_init() $msg="Zeek initializing"]); } +event new_connection(c: connection) + { + # A notice with connection context + NOTICE([$note=COMMUNITY_ID_NEW_CONNECTION, + $msg="New connection", + $conn=c]); + } + event connection_established(c: connection) { # A notice with connection context diff --git a/testing/btest/scripts/policy/frameworks/telemetry/prometheus.zeek b/testing/btest/scripts/policy/frameworks/telemetry/prometheus.zeek index 0d6e7794b0..50a6fd8d2c 100644 --- a/testing/btest/scripts/policy/frameworks/telemetry/prometheus.zeek +++ b/testing/btest/scripts/policy/frameworks/telemetry/prometheus.zeek @@ -55,7 +55,6 @@ done @TEST-END-FILE @load policy/frameworks/cluster/experimental -@load policy/frameworks/telemetry/prometheus @load base/frameworks/telemetry # So the cluster nodes don't terminate right away. 
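Review bot: The redirection `zeek -b -r ... %INPUT 2>&1 >out` in smb2-zero-byte-error-ioctl.test duplicates stderr onto the original stdout before stdout is redirected, so only Zeek's stdout reaches `out` and any reporter errors go to btest's captured .stderr instead. If the intent is for diagnostics to be part of the diffed file, the order has to be `zeek -b -r $TRACES/smb/smb2-zero-byte-error-ioctl.pcap %INPUT >out 2>&1`; if the split is intentional, dropping the `2>&1` avoids suggesting otherwise. The `! test -f analyzer.log` check is unaffected either way.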
diff --git a/testing/btest/scripts/policy/protocols/conn/community-id-logging-flipped.zeek b/testing/btest/scripts/policy/protocols/conn/community-id-logging-flipped.zeek new file mode 100644 index 0000000000..a7c425dca3 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/conn/community-id-logging-flipped.zeek @@ -0,0 +1,13 @@ +# @TEST-DOC: Ensure community_id is logged even if the connection is flipped. + +# @TEST-EXEC: zeek -b -r $TRACES/tcp/handshake-reorder.trace %INPUT >out +# @TEST-EXEC: zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto service community_id < conn.log > conn.log.cut +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: btest-diff conn.log.cut + +@load protocols/conn/community-id-logging + +event new_connection(c: connection) + { + print "new_connection", c$uid, c$conn$community_id; + } diff --git a/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek index eccb7a45c6..9e6f708260 100644 --- a/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek +++ b/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.zeek @@ -37,6 +37,8 @@ event zeek_init() add positive_matches["/index.php?id=22 /*!49999 and 1=2*/-- and 1=1"]; add positive_matches["/index.php?ID=59 and (select count(table_name) from user_tables)>0 and 1=1"]; add positive_matches["/index.php?ID=60 and exists (select * from [news])"]; + add positive_matches["?id=1'+OR+'1'='1"]; + add positive_matches["?id=1'+UNION+SELECT+NULL,+version()+#"]; # These are not detected currently. #add positive_matches["/index.asp?ARF_ID=(1/(1-(asc(mid(now(),18,1))\(2^7) mod 2)))"]; diff --git a/testing/btest/spicy/port-deprecated.evt b/testing/btest/spicy/port-deprecated.evt deleted file mode 100644 index 220a9d1faf..0000000000 --- a/testing/btest/spicy/port-deprecated.evt +++ /dev/null 
@@ -1,21 +0,0 @@ -# @TEST-REQUIRES: have-spicy -# -# @TEST-EXEC: spicyz -d -o test.hlto ./udp-test.evt 2>out.stderr -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out.stderr -# -# @TEST-DOC: Remove with v7.1: Specifying ports is deprecated. - -module Test; - -import zeek; - -public type Message = unit { - data: bytes &eod {} -}; - -# @TEST-START-FILE udp-test.evt -protocol analyzer spicy::TEST over UDP: - parse with Test::Message, - port 11337/udp-11340/udp, - ports {31337/udp-31340/udp}; -# @TEST-END-FILE diff --git a/testing/btest/spicy/port-fail.evt b/testing/btest/spicy/port-fail.evt index e51ca0fb79..f00efc6210 100644 --- a/testing/btest/spicy/port-fail.evt +++ b/testing/btest/spicy/port-fail.evt @@ -2,8 +2,6 @@ # # @TEST-EXEC-FAIL: spicyz %INPUT -d -o x.hlto >output 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output -# -# @TEST-DOC: Remove with v7.1 protocol analyzer spicy::SSH over TCP: port 123456/udp; diff --git a/testing/btest/spicy/port-range-one-port.zeek b/testing/btest/spicy/port-range-one-port.zeek index 95c32f2b27..bdc5219791 100644 --- a/testing/btest/spicy/port-range-one-port.zeek +++ b/testing/btest/spicy/port-range-one-port.zeek @@ -5,7 +5,7 @@ # @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered # @TEST-EXEC: btest-diff out.filtered -# @TEST-DOC: Remove with v7.1. Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278. +# @TEST-DOC: Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278. # @TEST-START-FILE udp-test.spicy module UDPTest; 
diff --git a/testing/btest/spicy/port.zeek b/testing/btest/spicy/port.zeek
new file mode 100644
index 0000000000..81d3586c68
--- /dev/null
+++ b/testing/btest/spicy/port.zeek
@@ -0,0 +1,32 @@
+# @TEST-REQUIRES: have-spicy
+#
+# @TEST-EXEC: spicyz -d -o test.hlto test.spicy test.evt
+# @TEST-EXEC: zeek test.hlto %INPUT >output
+# @TEST-EXEC: btest-diff output
+#
+# @TEST-DOC: Check that we raise port events for Spicy analyzers, and that the ports get correctly registered.
+
+event spicy_analyzer_for_port(a: Analyzer::Tag, p: port){
+ print a, p;
+}
+
+event zeek_done() {
+ print Analyzer::ports[Analyzer::ANALYZER_SPICY_TEST];
+}
+
+# @TEST-START-FILE test.spicy
+module Test;
+
+import zeek;
+
+public type Message = unit {
+ data: bytes &eod {}
+};
+# @TEST-END-FILE
+
+# @TEST-START-FILE test.evt
+protocol analyzer spicy::Test over UDP:
+ parse with Test::Message,
+ port 11337/udp-11340/udp,
+ ports {31337/udp-31340/udp};
+# @TEST-END-FILE
diff --git a/testing/external/commit-hash.zeek-testing-cluster b/testing/external/commit-hash.zeek-testing-cluster
index 8b8bfdc2e4..b8df5d15d0 100644
--- a/testing/external/commit-hash.zeek-testing-cluster
+++ b/testing/external/commit-hash.zeek-testing-cluster
@@ -1 +1 @@
-45582671c6715e719d91c8afde7ffb480c602441
+9f875d86000602661fbfc9bb471d1c598917ebc9
diff --git a/testing/scripts/have-tsan b/testing/scripts/have-tsan
new file mode 100755
index 0000000000..8030c8d248
--- /dev/null
+++ b/testing/scripts/have-tsan
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if grep -q "ZEEK_SANITIZERS:STRING=.*thread.*" "${BUILD}"/CMakeCache.txt; then
+ exit 0
+fi
+
+exit 1
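Review bot: The brace placement on `event spicy_analyzer_for_port(a: Analyzer::Tag, p: port){` and `event zeek_done() {` differs from the other Zeek test scripts in this change, which put `{` on its own line under the signature, and the first one also lacks a space before the brace; I would move both braces to the next line, `event spicy_analyzer_for_port(a: Analyzer::Tag, p: port)` followed by `{`, so the new files read alike. The two handlers cover the two halves of the @TEST-DOC (the port events and the registered port set under Analyzer::ANALYZER_SPICY_TEST); a one-line comment on each saying which half it checks would make the baseline easier to read.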
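Review bot: When `BUILD` is unset or empty the grep on line 3 reads `/CMakeCache.txt`, prints a "No such file or directory" error and the probe falls through to `exit 1`, so an unconfigured environment is indistinguishable from a build without TSAN except for the stray stderr line. I would quote the whole path and silence that error, `if grep -q "ZEEK_SANITIZERS:STRING=.*thread" "${BUILD}/CMakeCache.txt" 2>/dev/null; then`, the trailing `.*` being redundant in an unanchored pattern. A comment under the shebang such as `# Exit 0 iff the build tree in $BUILD was configured with the thread sanitizer.` would also document the contract.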
