zeek/testing/btest/Traces
2025-06-06 12:35:14 -07:00
bittorrent Adding test for BitTorrent tracker. 2021-12-21 17:48:26 +01:00
chksums Add an option to ignore packets sourced from particular subnets. 2020-10-22 13:23:10 -04:00
communityid Add community_id_v1() based on corelight/zeek-community-id 2023-04-21 20:44:09 +02:00
dce-rpc dce-rpc: Test cases for unbounded state growth 2023-06-30 15:14:35 +02:00
dhcp Prevent large dhcp log entries 2022-07-28 11:34:18 -07:00
dnp3 Remove executable file permission bits from a bunch of our pcaps 2025-06-06 12:35:14 -07:00
dns IPv6 support for detect-external-names and testcase 2025-02-04 17:34:43 +00:00
dnssec DNS: Add Ed25519 and Ed448 enum values to parser 2023-11-17 19:56:47 +01:00
finger Provide infrastructure to migrate legacy analyzers to Spicy. 2023-02-01 11:33:48 +01:00
ftp Add explicit TLS support for FTP 2025-05-27 16:57:51 +01:00
http Remove executable file permission bits from a bunch of our pcaps 2025-06-06 12:35:14 -07:00
icmp GH-1321: Prevent compounding of connection_status_update event timers 2020-12-08 11:20:02 -08:00
ipv4 A set of tests exercising IP defragmentation and TCP reassembly. 2015-07-03 08:40:22 -07:00
krb Remove executable file permission bits from a bunch of our pcaps 2025-06-06 12:35:14 -07:00
ldap ldap: Only switch into MS_KRB5 mode if responseToken exists 2025-04-15 20:10:52 +02:00
mobile-ipv6 Add support for mobile IPv6 Mobility Header (RFC 6275). 2012-04-09 14:39:00 -05:00
modbus Remove executable file permission bits from a bunch of our pcaps 2025-06-06 12:35:14 -07:00
mount Add unit tests for new MOUNT events -- mount_proc_mnt, mount_proc_umnt, 2018-01-11 17:00:15 -05:00
mysql mysql: Implement and test COM_CHANGE_USER 2024-08-14 10:20:01 +02:00
nfs Format print nfs units tests to improve output readability. Add unit 2018-01-11 17:02:47 -05:00
ntp NTP: Detect out-of-order packets 2023-05-04 19:44:02 +02:00
pe Add btest for timestamp check 2024-05-29 13:58:32 +01:00
pop3 POP3: Rework unbounded pending command fix 2024-10-04 12:45:59 -07:00
postgresql postgresql: Initial parser implementation 2024-09-06 16:10:48 +02:00
ppp PPP: Add PPP analyzer to handle LINKTYPE_PPP (0x9) 2023-08-23 16:41:19 +02:00
quic QUIC: Use initial destination conn_id for decryption 2025-05-05 14:34:11 +02:00
radius Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
rdp RDP: cookie is optional 2025-03-04 13:38:01 +00:00
redis spicy-redis: Cleanup scripts and tests 2025-05-27 09:29:13 -04:00
rfb Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
sip GH-1507: Tolerate junk data before SIP requests 2021-04-14 15:34:07 -07:00
smb Fix handling of zero-length SMB2 error responses 2024-07-24 12:44:46 -07:00
smtp SMTP/BDAT: Use strtoull and bail on UULONG_MAX values 2024-01-19 13:24:07 +01:00
snmp Test changes caused by minor order-of-operation changes related to the new loop architecture 2020-01-31 10:13:09 -07:00
spicy Integrate the Spicy plugin into Zeek proper. 2023-05-16 10:17:45 +02:00
ssh SSH: make banner parsing more robust 2025-03-18 16:19:33 +00:00
tcp Add btest for expiration of all pending timers. 2022-11-27 15:02:09 +01:00
tls Add two protocol mismatch testcases 2025-03-04 15:38:20 +00:00
trunc GH-977: Improve pcap error handling 2020-06-08 18:11:58 -07:00
tunnels Remove executable file permission bits from a bunch of our pcaps 2025-06-06 12:35:14 -07:00
websocket websocket: Fix opcode for continuation frames 2024-01-24 22:57:24 +01:00
arp-leak.pcap Add bad ARP tests 2018-05-18 17:39:53 +02:00
arp-who-has-radiotap.pcap Tests/ARP: fix capture files. 2018-05-18 17:25:55 +02:00
arp-who-has-wlanmon.pcap Tests/ARP: fix capture files. 2018-05-18 17:25:55 +02:00
arp-who-has.pcap ARP: remove unnecessary variables and add testcase 2016-04-27 06:51:04 -07:00
auth_change_session_keys.pcap Fix invalid memory free when using Log::default_field_name_map 2018-09-10 19:06:35 -05:00
cdp-v1.pcap Make SNAP analyzer use both OUI and protocol for forwarding 2025-03-24 15:20:50 -07:00
cisco-fabric-path.pcap Add Cisco FabricPath support 2018-07-27 16:00:54 -05:00
conn-size.trace Merge of Gregor's conn-size branch. 2011-05-09 17:14:31 -07:00
contentline-irc-5k-line.pcap add a max_line_length flag to ContentLine_Analyzer 2017-11-03 16:25:26 -04:00
dns-caa.pcap Add DNS tests for huge TLL and CAA 2016-04-25 15:43:20 -07:00
dns-edns-cookie.pcap add edns-cookie testcase 2020-08-20 09:04:56 -04:00
dns-edns-ecs-bad.pcap Add test case to cover weird EDNS ECS parsing situations 2020-12-08 13:14:20 -08:00
dns-edns-ecs-weirds.pcap Add test case to cover weird EDNS ECS parsing situations 2020-12-08 13:14:20 -08:00
dns-edns-ecs.pcap Implement EDNS Client Subnet Option 2020-07-06 15:09:03 -04:00
dns-edns-tcp-keepalive.pcap add testcases 2020-08-20 09:04:56 -04:00
dns-https.pcap add a dns https test case 2021-10-12 17:43:32 -04:00
dns-huge-ttl.pcap Change snaplens of a few more tests. 2017-02-03 14:10:11 -08:00
dns-inverse-query.trace Change dns.log to include only standard DNS queries. 2014-01-28 13:56:22 -06:00
dns-spf.pcap DNS: Add support for SPF response records 2019-06-14 10:18:37 -05:00
dns-svcb.pcap add svcb test case 2021-10-12 17:43:32 -04:00
dns-tsig.trace Fix possible buffer over-read in DNS TSIG parsing 2014-09-02 14:22:26 -05:00
dns-two-responses.trace Fixing a dns reporter message in master. 2013-07-18 09:24:22 -04:00
dns-txt-multiple.trace Merge remote-tracking branch 'origin/topic/jsiwek/bit-1156' 2014-04-24 16:36:47 -07:00
dns-zero-RRs.trace Fix for DNS log problem when a DNS response is seen with 0 RRs. 2012-10-05 13:48:49 -04:00
dns53.pcap BIT-788: use DNS QR field to better identify flow direction. 2015-03-19 11:53:40 -05:00
dns_original_case.pcap Modified the DNS protocol analyzer to add a new parameter to the dns_request event which includes the DNS query in its original case. Added a policy script that will add the original_case to the dns.log file as well. Created new btests to test both. 2020-06-17 10:13:04 -05:00
echo-connections.pcap.gz Add tests exercising dictionary iteration during modification. 2022-04-14 11:12:11 +02:00
empty.trace Porting the istate tests to btest. 2011-03-29 21:46:06 -07:00
erspan.trace Implement ERSPAN support. 2017-02-03 12:29:22 -08:00
erspanI.pcap Add tests for ERSPAN Type I patch 2021-03-17 14:41:29 +01:00
erspanII.pcap Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
erspanIII.pcap Added ERSPAN III testing 2019-01-24 14:05:13 +00:00
fake-syslog-with-padding.pcap Do not forward more than the remaining data to downstream UDP analyzer 2023-07-27 13:35:41 +01:00
globus-url-copy-bad-encoding.trace Handle invalid Base64 encodings in FTP ADAT analyzer 2020-01-15 12:44:10 -08:00
globus-url-copy.trace Add an example of a GridFTP data channel detection script. 2012-10-01 12:32:24 -05:00
icmp_dot1q.trace Refactor to make bro use a common Packet object. 2015-05-29 10:37:39 -04:00
icmp_nd_dnssl.trace Change ICMP ND length to a uint16 2020-10-15 16:56:05 -05:00
ieee80211.15.4.pcap Add btest that exercises the pcap filter warnings 2022-10-21 10:50:00 -07:00
ip-bogus-header-len.pcap Fix handling of IP packets with bogus IP header lengths 2021-05-27 16:33:50 -07:00
ip6_esp.trace Fix ipv6_ext_headers event and add routing0_data_to_addrs BIF. 2012-03-14 10:31:08 -05:00
ipv6-fragmented-dns.trace Remove executable file permission bits from a bunch of our pcaps 2025-06-06 12:35:14 -07:00
ipv6-hbh-routing0.trace Improve handling of IPv6 routing type 0 extension headers. 2012-03-27 16:05:45 -05:00
ipv6-http-atomic-frag.trace Fix handling of IPv6 atomic fragments. 2012-04-04 15:27:43 -05:00
ipv6-mobility-dst-opts.trace Remove executable file permission bits from a bunch of our pcaps 2025-06-06 12:35:14 -07:00
ipv6_zero_len_ah.trace Fix construction of ip6_ah (Authentication Header) record values. 2012-09-18 16:52:12 -05:00
irc-353.pcap Fix IRC names command parsing 2018-09-12 19:47:57 -05:00
irc-basic.trace Merge branch 'master' of https://github.com/marktayl/bro 2016-02-08 13:02:09 -08:00
irc-dcc-send.trace Add IRC unit tests. 2011-07-20 14:49:20 -05:00
irc-whitespace.trace Merge branch 'master' of https://github.com/marktayl/bro 2016-02-12 18:55:25 -08:00
linux_dlt_sll2.pcap Add support for DLT_LINUX_SLL2 PCAP link-type 2022-08-24 10:38:31 +10:00
linuxsll-arp.pcap Initial implementation of Lower-Level analyzers 2020-09-23 11:13:25 -07:00
llc.pcap Merge branch 'topic/jgras/mac-logging' of https://github.com/J-Gras/bro 2016-06-06 17:59:34 -07:00
lldp.pcap Move UnknownProtocol options to init-bare.zeek 2020-11-11 12:58:38 -08:00
mixed-vlan-mpls.trace Support for (mixed) MPLS and VLAN traffic, and a new default BPF 2011-04-29 09:10:43 -07:00
mmsX.pcap Add test case for binpac flowbuffer frame length parsing bug 2020-03-19 22:09:23 -07:00
mpls-in-vlan.trace Support for MPLS over VLAN. 2014-02-14 12:07:24 -08:00
mqtt.pcap MQTT Analyzer heavily updated and ported from the analyzer originally by Supriya Kumar 2019-07-29 13:45:10 -04:00
ncp.pcap Migrate NCP analyzer to use latest analyzer API 2018-05-22 16:27:07 -05:00
nflog-http.pcap Merge branch 'master' of https://github.com/rdenniston/zeek 2019-03-19 19:19:02 -07:00
nmap-vsn.trace Added a document for the SumStats framework. 2013-11-06 13:52:29 -05:00
ntp.pcap Fix a couple of problems with signature matching. 2016-10-19 14:23:43 -07:00
pbb.pcap Add btest for PBB and update baselines 2023-02-15 14:36:26 -07:00
pop3-unknown-commands.pcap test: Add btest verifying max_analyzer_violations functionality 2022-11-08 16:44:34 -07:00
port4242.trace Checkpointing the dynamic plugin code. 2013-11-26 14:04:29 -08:00
port4243.trace Fix registration of protocol analyzers from inside plugins. 2021-07-18 10:00:49 +02:00
pppoe-over-qinq.pcap BIT-1950: support PPPoE over QinQ 2018-07-06 08:04:02 -05:00
pppoe.trace Adding a test for PPPoE support. 2012-10-24 01:05:01 -04:00
q-in-q.trace Add support for 802.1ah (Q-in-Q). 2013-03-22 12:38:43 -04:00
radiotap.pcap Improved Radiotap support and a test. 2016-01-19 04:10:44 -05:00
raw_layer.pcap Extend packet analysis test. 2020-09-23 11:13:29 -07:00
raw_packets.trace Refactor to make bro use a common Packet object. 2015-05-29 10:37:39 -04:00
README ldap: Only switch into MS_KRB5 mode if responseToken exists 2025-04-15 20:10:52 +02:00
rotation.trace Moving trace for rotation test into traces directory. 2012-05-16 18:28:51 -07:00
rpc-portmap-sadmind.pcap GH-684: Fix parsing of RPC calls with non-AUTH_UNIX flavors 2019-11-13 13:14:14 -08:00
smtp-attachment-msg.pcap GH-1352: Added flag to stop processing SMTP headers in attached 2021-01-21 14:55:10 -05:00
smtp-mail-transactions-invalid.pcap smtp: Validate mail transaction and disable SMTP analyzer if excessive 2023-03-27 18:41:47 +02:00
smtp-multi-addr.pcap Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
smtp-one-side-only.trace Fixing SMTP state tracking. 2014-06-10 18:01:38 -07:00
smtp.trace Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
snap-arp.pcap Add basic LLC, SNAP, and Novell 802.3 packet analyzers 2023-04-25 12:29:54 -07:00
snap-tcp.pcap Add test for TCP over 802.3/SNAP 2024-10-31 14:37:44 +00:00
socks-auth-10080.pcap socks/dpd: Fix socks5_server side signature 2023-06-05 13:54:47 +02:00
socks-auth.pcap Update the SOCKS analyzer to support user/pass login. 2015-02-05 12:44:10 -05:00
socks-with-ssl.trace Updates for the SOCKS analyzer. 2012-06-20 13:58:25 -04:00
socks.trace Updates for the SOCKS analyzer. 2012-06-20 13:58:25 -04:00
ssl-and-ssh-using-sslh.trace Merge branch 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek 2019-08-09 10:47:34 -07:00
syslog-missing-pri.trace Remove executable file permission bits from a bunch of our pcaps 2025-06-06 12:35:14 -07:00
syslog-single-udp.trace Porting syslog analyzer as another example. 2013-04-05 13:13:30 -07:00
tcp-http-with-padding.pcap Do not forward padding to downstream TCP packet analyzer 2023-08-02 17:17:01 +01:00
tcp-sig-match.pcap signatures: Add data_end_offset to signature_match() and custom events 2024-10-30 13:29:58 +01:00
ticks-dns-1hr.pcap Annotate scheduled events with intended timestamp. 2023-05-11 12:51:06 +02:00
ticks-dns.pcap Add timestamp to events. 2023-05-11 12:51:06 +02:00
udp-broadcast.pcap IPBasedAnalyzer: Don't flip connections when destination is broadcast 2023-08-28 12:15:55 +02:00
udp-multiple-source-ports.pcap GH-173: Support ranges of values for value_list elements in the signature parser 2019-05-23 10:58:04 -07:00
udp-packet.pcap Integrate the Spicy plugin into Zeek proper. 2023-05-16 10:17:45 +02:00
udp-signature-test.pcap BIT-844: fix UDP payload signatures to match packet-wise 2015-04-06 15:22:26 -05:00
var-services-std-ports.trace Update/improve known-services test. 2011-06-24 11:18:25 -05:00
vntag.pcap GH-1389: Skip VN-Tag headers 2021-02-01 14:34:56 -07:00
vntag_vlan_sandwich_clean.pcap Add analyzer registration from VLAN to VNTAG 2025-03-18 11:51:27 -07:00
web.trace Porting the istate tests to btest. 2011-03-29 21:46:06 -07:00
wikipedia-filtered-plus-udp.trace Tweak find-filtered-trace to not flag traces if they have non-TCP 2020-09-25 11:29:44 +00:00
wikipedia.trace Fixing checksums in test trace because Bro now reports them. :-) 2012-12-14 14:48:16 -08:00
wlanmon.pcap Add a test for 802.11 monitor mode 2018-05-15 17:59:26 +02:00
workshop_2011_browse.trace Basic cross-referencing UIDs between files, btests, and baselines. 2013-05-07 13:33:38 -04:00
www-odd-url.trace Bugfix for log writer. 2011-09-11 21:33:09 -07:00

These are the trace files that are used by the Zeek test suite.

Note to maintainers: please take care when modifying/removing files from here.
We install these traces with the Zeek distribution and external packages might
depend on them for tests.

Trace Index/Sources:

- modbus/modbus-eit.trace:
  Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/.
  The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file.
- [ldap/simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap)
- ldap/simpleauth-diff-port.pcap: made with
  `tcprewrite -r 3268:32681 -i simpleauth.pcap -o simpleauth-diff-port.pcap`
- ldap/krb5-sign-seal-01.pcap: trace is derived from
  <https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/ldap-krb5-sign-seal-01.cap>
  - the LDAP flow selected (filtered out the Kerberos packets)
  - truncated to 10 packets (where packet 10 contains the SASL encrypted LDAP message)
  - one `\x30` byte in the ciphertext changed to `\x00`
- ldap/issue-32.pcapng: Provided by GH user martinvanhensbergen,
  <https://github.com/zeek/spicy-ldap/issues/23>
- ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap: Harvested from CTU-SME-11
  (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 389 and port 50041.
  https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- ldap/ldap_invalid_credentials.pcap
  Provided by Martin van Hensbergen in issue #3919.
- dns/tkey.pcap: Harvested from CTU-SME-11
  (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53.
  https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- dns/dynamic-update.pcap: Harvested from CTU-SME-11
  (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53.
  https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- pop3/POP3.pcap: Picked up from POP tutorial on tranalyzer.com
  https://tranalyzer.com/tutorial/pop
  https://tranalyzer.com/download/data/pop3.pcap
- http/cooper-grill-dvwa.pcapng
  Provided by cooper-grill on #3995
  https://github.com/zeek/zeek/pull/3995
- http/docker-http-upgrade.pcap
  Provided by blightzero on #4068
  https://github.com/zeek/zeek/issues/4068
- quic/merlinc2_Zeek_example.pcapng
  Provided by Faan Rossouw on #4198
  https://github.com/zeek/zeek/issues/4198
- pe/pe.trace
  VirusTotal reports that this file contains malware. The PE analyzer was originally added
  to decode info for malware, so this is expected. See
  https://zeekorg.slack.com/archives/CSZBXF6TH/p1738261449655049
- tunnels/geneve-tagged-udp-packet.pcap
  Provided by Eldon Koyle (Corelight) for testing.
- cdp-v1.pcap
  From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures.
- ldap/adduser1.pcap, ldap/adduser1-ntlm.pcap
  Provided by Mohan-Dhawan on #4275
  https://github.com/zeek/zeek/issues/4275