zeek/testing/btest/Traces
Johanna Amann 1fed0ed58d PPPoE: don't forward more bytes than header indicates
This changes the PPPoE parser so that it doesn't forward extra bytes
that might be appended after the payload. Instead, it raises a weird if
the payload size doesn't match the size indicated by the header.

This is in line with what other protocol parsers (like UDP) are doing.

Two tests needed to be updated - with this change, the traffic in
pppoe-over-qinq.pcap is now valid TLS. A new trace was introduced for
the confirmation-violation-info test.

Addresses GH-4602
2025-07-08 10:20:59 +01:00
| Name | Last commit | Date |
|---|---|---|
| bittorrent | Adding test for BitTorrent tracker. | 2021-12-21 17:48:26 +01:00 |
| chksums | Add an option to ignore packets sourced from particular subnets. | 2020-10-22 13:23:10 -04:00 |
| communityid | Add community_id_v1() based on corelight/zeek-community-id | 2023-04-21 20:44:09 +02:00 |
| dce-rpc | dce-rpc: Test cases for unbounded state growth | 2023-06-30 15:14:35 +02:00 |
| dhcp | Prevent large dhcp log entries | 2022-07-28 11:34:18 -07:00 |
| dnp3 | Remove executable file permission bits from a bunch of our pcaps | 2025-06-06 12:35:14 -07:00 |
| dns | DNS: Implement NAPTR RR support | 2025-06-24 17:43:27 +02:00 |
| dnssec | DNS: Add Ed25519 and Ed448 enum values to parser | 2023-11-17 19:56:47 +01:00 |
| finger | Provide infrastructure to migrate legacy analyzers to Spicy. | 2023-02-01 11:33:48 +01:00 |
| ftp | Add explicit TLS support for FTP | 2025-05-27 16:57:51 +01:00 |
| http | Remove executable file permission bits from a bunch of our pcaps | 2025-06-06 12:35:14 -07:00 |
| icmp | GH-1321: Prevent compounding of connection_status_update event timers | 2020-12-08 11:20:02 -08:00 |
| ipv4 | A set of tests exercising IP defragmentation and TCP reassembly. | 2015-07-03 08:40:22 -07:00 |
| krb | Remove executable file permission bits from a bunch of our pcaps | 2025-06-06 12:35:14 -07:00 |
| ldap | ldap: Only switch into MS_KRB5 mode if responseToken exists | 2025-04-15 20:10:52 +02:00 |
| mobile-ipv6 | Add support for mobile IPv6 Mobility Header (RFC 6275). | 2012-04-09 14:39:00 -05:00 |
| modbus | Remove executable file permission bits from a bunch of our pcaps | 2025-06-06 12:35:14 -07:00 |
| mount | Add unit tests for new MOUNT events -- mount_proc_mnt, mount_proc_umnt, | 2018-01-11 17:00:15 -05:00 |
| mysql | mysql: Implement and test COM_CHANGE_USER | 2024-08-14 10:20:01 +02:00 |
| nfs | Format print nfs units tests to improve output readability. Add unit | 2018-01-11 17:02:47 -05:00 |
| ntp | NTP: Detect out-of-order packets | 2023-05-04 19:44:02 +02:00 |
| pe | Add btest for timestamp check | 2024-05-29 13:58:32 +01:00 |
| pop3 | POP3: Rework unbounded pending command fix | 2024-10-04 12:45:59 -07:00 |
| postgresql | postgresql: Initial parser implementation | 2024-09-06 16:10:48 +02:00 |
| ppp | PPP: Add PPP analyzer to handle LINKTYPE_PPP (0x9) | 2023-08-23 16:41:19 +02:00 |
| quic | QUIC: Use initial destination conn_id for decryption | 2025-05-05 14:34:11 +02:00 |
| radius | Convert pcapng test suite files to pcap format | 2019-11-08 13:08:06 -08:00 |
| rdp | RDP: cookie is optional | 2025-03-04 13:38:01 +00:00 |
| redis | Handle more Redis RESP3 protocol pieces | 2025-07-01 14:14:15 -04:00 |
| rfb | Convert pcapng test suite files to pcap format | 2019-11-08 13:08:06 -08:00 |
| sip | GH-1507: Tolerate junk data before SIP requests | 2021-04-14 15:34:07 -07:00 |
| smb | Fix handling of zero-length SMB2 error responses | 2024-07-24 12:44:46 -07:00 |
| smtp | SMTP/BDAT: Use strtoull and bail on UULONG_MAX values | 2024-01-19 13:24:07 +01:00 |
| snmp | Test changes caused by minor order-of-operation changes related to the new loop architecture | 2020-01-31 10:13:09 -07:00 |
| spicy | Integrate the Spicy plugin into Zeek proper. | 2023-05-16 10:17:45 +02:00 |
| ssh | SSH: make banner parsing more robust | 2025-03-18 16:19:33 +00:00 |
| tcp | Add btest for expiration of all pending timers. | 2022-11-27 15:02:09 +01:00 |
| tls | PPPoE: don't forward more bytes than header indicates | 2025-07-08 10:20:59 +01:00 |
| trunc | GH-977: Improve pcap error handling | 2020-06-08 18:11:58 -07:00 |
| tunnels | Remove executable file permission bits from a bunch of our pcaps | 2025-06-06 12:35:14 -07:00 |
| websocket | websocket: Fix opcode for continuation frames | 2024-01-24 22:57:24 +01:00 |
| arp-leak.pcap | Add bad ARP tests | 2018-05-18 17:39:53 +02:00 |
| arp-who-has-radiotap.pcap | Tests/ARP: fix capture files. | 2018-05-18 17:25:55 +02:00 |
| arp-who-has-wlanmon.pcap | Tests/ARP: fix capture files. | 2018-05-18 17:25:55 +02:00 |
| arp-who-has.pcap | ARP: remove unnecessary variables and add testcase | 2016-04-27 06:51:04 -07:00 |
| auth_change_session_keys.pcap | Fix invalid memory free when using Log::default_field_name_map | 2018-09-10 19:06:35 -05:00 |
| cdp-v1.pcap | Make SNAP analyzer use both OUI and protocol for forwarding | 2025-03-24 15:20:50 -07:00 |
| cisco-fabric-path.pcap | Add Cisco FabricPath support | 2018-07-27 16:00:54 -05:00 |
| conn-size.trace | Merge of Gregor's conn-size branch. | 2011-05-09 17:14:31 -07:00 |
| contentline-irc-5k-line.pcap | add a max_line_length flag to ContentLine_Analyzer | 2017-11-03 16:25:26 -04:00 |
| dns-caa.pcap | Add DNS tests for huge TLL and CAA | 2016-04-25 15:43:20 -07:00 |
| dns-edns-cookie.pcap | add edns-cookie testcase | 2020-08-20 09:04:56 -04:00 |
| dns-edns-ecs-bad.pcap | Add test case to cover weird EDNS ECS parsing situations | 2020-12-08 13:14:20 -08:00 |
| dns-edns-ecs-weirds.pcap | Add test case to cover weird EDNS ECS parsing situations | 2020-12-08 13:14:20 -08:00 |
| dns-edns-ecs.pcap | Implement EDNS Client Subnet Option | 2020-07-06 15:09:03 -04:00 |
| dns-edns-tcp-keepalive.pcap | add testcases | 2020-08-20 09:04:56 -04:00 |
| dns-https.pcap | add a dns https test case | 2021-10-12 17:43:32 -04:00 |
| dns-huge-ttl.pcap | Change snaplens of a few more tests. | 2017-02-03 14:10:11 -08:00 |
| dns-inverse-query.trace | Change dns.log to include only standard DNS queries. | 2014-01-28 13:56:22 -06:00 |
| dns-spf.pcap | DNS: Add support for SPF response records | 2019-06-14 10:18:37 -05:00 |
| dns-svcb.pcap | add svcb test case | 2021-10-12 17:43:32 -04:00 |
| dns-tsig.trace | Fix possible buffer over-read in DNS TSIG parsing | 2014-09-02 14:22:26 -05:00 |
| dns-two-responses.trace | Fixing a dns reporter message in master. | 2013-07-18 09:24:22 -04:00 |
| dns-txt-multiple.trace | Merge remote-tracking branch 'origin/topic/jsiwek/bit-1156' | 2014-04-24 16:36:47 -07:00 |
| dns-zero-RRs.trace | Fix for DNS log problem when a DNS response is seen with 0 RRs. | 2012-10-05 13:48:49 -04:00 |
| dns53.pcap | BIT-788: use DNS QR field to better identify flow direction. | 2015-03-19 11:53:40 -05:00 |
| dns_original_case.pcap | Modified the DNS protocol analyzer to add a new parameter to the dns_request event which includes the DNS query in its original case. Added a policy script that will add the original_case to the dns.log file as well. Created new btests to test both. | 2020-06-17 10:13:04 -05:00 |
| echo-connections.pcap.gz | Add tests exercising dictionary iteration during modification. | 2022-04-14 11:12:11 +02:00 |
| empty.trace | Porting the istate tests to btest. | 2011-03-29 21:46:06 -07:00 |
| erspan.trace | Implement ERSPAN support. | 2017-02-03 12:29:22 -08:00 |
| erspanI.pcap | Add tests for ERSPAN Type I patch | 2021-03-17 14:41:29 +01:00 |
| erspanII.pcap | Convert pcapng test suite files to pcap format | 2019-11-08 13:08:06 -08:00 |
| erspanIII.pcap | Added ERSPAN III testing | 2019-01-24 14:05:13 +00:00 |
| fake-syslog-with-padding.pcap | Do not forward more than the remaining data to downstream UDP analyzer | 2023-07-27 13:35:41 +01:00 |
| globus-url-copy-bad-encoding.trace | Handle invalid Base64 encodings in FTP ADAT analyzer | 2020-01-15 12:44:10 -08:00 |
| globus-url-copy.trace | Add an example of a GridFTP data channel detection script. | 2012-10-01 12:32:24 -05:00 |
| icmp_dot1q.trace | Refactor to make bro use a common Packet object. | 2015-05-29 10:37:39 -04:00 |
| icmp_nd_dnssl.trace | Change ICMP ND length to a uint16 | 2020-10-15 16:56:05 -05:00 |
| ieee80211.15.4.pcap | Add btest that exercises the pcap filter warnings | 2022-10-21 10:50:00 -07:00 |
| ip-bogus-header-len.pcap | Fix handling of IP packets with bogus IP header lengths | 2021-05-27 16:33:50 -07:00 |
| ip6_esp.trace | Fix ipv6_ext_headers event and add routing0_data_to_addrs BIF. | 2012-03-14 10:31:08 -05:00 |
| ipv6-fragmented-dns.trace | Remove executable file permission bits from a bunch of our pcaps | 2025-06-06 12:35:14 -07:00 |
| ipv6-hbh-routing0.trace | Improve handling of IPv6 routing type 0 extension headers. | 2012-03-27 16:05:45 -05:00 |
| ipv6-http-atomic-frag.trace | Fix handling of IPv6 atomic fragments. | 2012-04-04 15:27:43 -05:00 |
| ipv6-mobility-dst-opts.trace | Remove executable file permission bits from a bunch of our pcaps | 2025-06-06 12:35:14 -07:00 |
| ipv6_zero_len_ah.trace | Fix construction of ip6_ah (Authentication Header) record values. | 2012-09-18 16:52:12 -05:00 |
| irc-353.pcap | Fix IRC names command parsing | 2018-09-12 19:47:57 -05:00 |
| irc-basic.trace | Merge branch 'master' of https://github.com/marktayl/bro | 2016-02-08 13:02:09 -08:00 |
| irc-dcc-send.trace | Add IRC unit tests. | 2011-07-20 14:49:20 -05:00 |
| irc-whitespace.trace | Merge branch 'master' of https://github.com/marktayl/bro | 2016-02-12 18:55:25 -08:00 |
| linux_dlt_sll2.pcap | Add support for DLT_LINUX_SLL2 PCAP link-type | 2022-08-24 10:38:31 +10:00 |
| linuxsll-arp.pcap | Initial implementation of Lower-Level analyzers | 2020-09-23 11:13:25 -07:00 |
| llc.pcap | Merge branch 'topic/jgras/mac-logging' of https://github.com/J-Gras/bro | 2016-06-06 17:59:34 -07:00 |
| lldp.pcap | Move UnknownProtocol options to init-bare.zeek | 2020-11-11 12:58:38 -08:00 |
| mixed-vlan-mpls.trace | Support for (mixed) MPLS and VLAN traffic, and a new default BPF | 2011-04-29 09:10:43 -07:00 |
| mmsX.pcap | Add test case for binpac flowbuffer frame length parsing bug | 2020-03-19 22:09:23 -07:00 |
| mpls-in-vlan.trace | Support for MPLS over VLAN. | 2014-02-14 12:07:24 -08:00 |
| mqtt.pcap | MQTT Analyzer heavily updated and ported from the analyzer originally by Supriya Kumar | 2019-07-29 13:45:10 -04:00 |
| ncp.pcap | Migrate NCP analyzer to use latest analyzer API | 2018-05-22 16:27:07 -05:00 |
| nflog-http.pcap | Merge branch 'master' of https://github.com/rdenniston/zeek | 2019-03-19 19:19:02 -07:00 |
| nmap-vsn.trace | Added a document for the SumStats framework. | 2013-11-06 13:52:29 -05:00 |
| ntp.pcap | Fix a couple of problems with signature matching. | 2016-10-19 14:23:43 -07:00 |
| pbb.pcap | Add btest for PBB and update baselines | 2023-02-15 14:36:26 -07:00 |
| pop3-unknown-commands.pcap | test: Add btest verifying max_analyzer_violations functionality | 2022-11-08 16:44:34 -07:00 |
| port4242.trace | Checkpointing the dynamic plugin code. | 2013-11-26 14:04:29 -08:00 |
| port4243.trace | Fix registration of protocol analyzers from inside plugins. | 2021-07-18 10:00:49 +02:00 |
| pppoe-over-qinq.pcap | BIT-1950: support PPPoE over QinQ | 2018-07-06 08:04:02 -05:00 |
| pppoe.trace | Adding a test for PPPoE support. | 2012-10-24 01:05:01 -04:00 |
| q-in-q.trace | Add support for 802.1ah (Q-in-Q). | 2013-03-22 12:38:43 -04:00 |
| radiotap.pcap | Improved Radiotap support and a test. | 2016-01-19 04:10:44 -05:00 |
| raw_layer.pcap | Extend packet analysis test. | 2020-09-23 11:13:29 -07:00 |
| raw_packets.trace | Refactor to make bro use a common Packet object. | 2015-05-29 10:37:39 -04:00 |
| README | ldap: Only switch into MS_KRB5 mode if responseToken exists | 2025-04-15 20:10:52 +02:00 |
| rotation.trace | Moving trace for rotation test into traces directory. | 2012-05-16 18:28:51 -07:00 |
| rpc-portmap-sadmind.pcap | GH-684: Fix parsing of RPC calls with non-AUTH_UNIX flavors | 2019-11-13 13:14:14 -08:00 |
| smtp-attachment-msg.pcap | GH-1352: Added flag to stop processing SMTP headers in attached | 2021-01-21 14:55:10 -05:00 |
| smtp-mail-transactions-invalid.pcap | smtp: Validate mail transaction and disable SMTP analyzer if excessive | 2023-03-27 18:41:47 +02:00 |
| smtp-multi-addr.pcap | Convert pcapng test suite files to pcap format | 2019-11-08 13:08:06 -08:00 |
| smtp-one-side-only.trace | Fixing SMTP state tracking. | 2014-06-10 18:01:38 -07:00 |
| smtp.trace | Convert pcapng test suite files to pcap format | 2019-11-08 13:08:06 -08:00 |
| snap-arp.pcap | Add basic LLC, SNAP, and Novell 802.3 packet analyzers | 2023-04-25 12:29:54 -07:00 |
| snap-tcp.pcap | Add test for TCP over 802.3/SNAP | 2024-10-31 14:37:44 +00:00 |
| socks-auth-10080.pcap | socks/dpd: Fix socks5_server side signature | 2023-06-05 13:54:47 +02:00 |
| socks-auth.pcap | Update the SOCKS analyzer to support user/pass login. | 2015-02-05 12:44:10 -05:00 |
| socks-with-ssl.trace | Updates for the SOCKS analyzer. | 2012-06-20 13:58:25 -04:00 |
| socks.trace | Updates for the SOCKS analyzer. | 2012-06-20 13:58:25 -04:00 |
| ssl-and-ssh-using-sslh.trace | Merge branch 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek | 2019-08-09 10:47:34 -07:00 |
| syslog-missing-pri.trace | Remove executable file permission bits from a bunch of our pcaps | 2025-06-06 12:35:14 -07:00 |
| syslog-single-udp.trace | Porting syslog analyzer as another example. | 2013-04-05 13:13:30 -07:00 |
| tcp-http-with-padding.pcap | Do not forward padding to downstream TCP packet analyzer | 2023-08-02 17:17:01 +01:00 |
| tcp-sig-match.pcap | signatures: Add data_end_offset to signature_match() and custom events | 2024-10-30 13:29:58 +01:00 |
| ticks-dns-1hr.pcap | Annotate scheduled events with intended timestamp. | 2023-05-11 12:51:06 +02:00 |
| ticks-dns.pcap | Add timestamp to events. | 2023-05-11 12:51:06 +02:00 |
| udp-broadcast.pcap | IPBasedAnalyzer: Don't flip connections when destination is broadcast | 2023-08-28 12:15:55 +02:00 |
| udp-multiple-source-ports.pcap | GH-173: Support ranges of values for value_list elements in the signature parser | 2019-05-23 10:58:04 -07:00 |
| udp-packet.pcap | Integrate the Spicy plugin into Zeek proper. | 2023-05-16 10:17:45 +02:00 |
| udp-signature-test.pcap | BIT-844: fix UDP payload signatures to match packet-wise | 2015-04-06 15:22:26 -05:00 |
| var-services-std-ports.trace | Update/improve known-services test. | 2011-06-24 11:18:25 -05:00 |
| vlan-collisions.pcap | Add a VLAN-aware flow tuple implementation. | 2025-06-25 13:19:26 +02:00 |
| vntag.pcap | GH-1389: Skip VN-Tag headers | 2021-02-01 14:34:56 -07:00 |
| vntag_vlan_sandwich_clean.pcap | Add analyzer registration from VLAN to VNTAG | 2025-03-18 11:51:27 -07:00 |
| web.trace | Porting the istate tests to btest. | 2011-03-29 21:46:06 -07:00 |
| wikipedia-filtered-plus-udp.trace | Tweak find-filtered-trace to not flag traces if they have non-TCP | 2020-09-25 11:29:44 +00:00 |
| wikipedia.trace | Fixing checksums in test trace because Bro now reports them. :-) | 2012-12-14 14:48:16 -08:00 |
| wlanmon.pcap | Add a test for 802.11 monitor mode | 2018-05-15 17:59:26 +02:00 |
| workshop_2011_browse.trace | Basic cross-referencing UIDs between files, btests, and baselines. | 2013-05-07 13:33:38 -04:00 |
| www-odd-url.trace | Bugfix for log writer. | 2011-09-11 21:33:09 -07:00 |

These are the trace files that are used by the Zeek test suite.

Note to maintainers: please take care when modifying/removing files from here.
We install these traces with the Zeek distribution and external packages might
depend on them for tests.

Trace Index/Sources:

- modbus/modbus-eit.trace:
  Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/.
  The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file.
- [ldap/simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap)
- ldap/simpleauth-diff-port.pcap: made with
  `tcprewrite -r 3268:32681 -i simpleauth.pcap -o simpleauth-diff-port.pcap`
- ldap/krb5-sign-seal-01.pcap: trace is derived from
  <https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/ldap-krb5-sign-seal-01.cap>
  - the LDAP flow selected (filtered out the Kerberos packets)
  - truncated to 10 packets (where packet 10 contains the SASL encrypted LDAP message)
  - one `\x30` byte in the ciphertext changed to `\x00`
- ldap/issue-32.pcapng: Provided by GH user martinvanhensbergen,
  <https://github.com/zeek/spicy-ldap/issues/23>
- ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap: Harvested from CTU-SME-11
  (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 389 and port 50041.
  https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- ldap/ldap_invalid_credentials.pcap: Provided by Martin van Hensbergen in issue #3919.
- dns/tkey.pcap: Harvested from CTU-SME-11
  (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53.
  https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- dns/dynamic-update.pcap: Harvested from CTU-SME-11
  (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53.
  https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- pop3/POP3.pcap: Picked up from the POP tutorial on tranalyzer.com,
  https://tranalyzer.com/tutorial/pop
  https://tranalyzer.com/download/data/pop3.pcap
- http/cooper-grill-dvwa.pcapng: Provided by cooper-grill on #3995,
  https://github.com/zeek/zeek/pull/3995
- http/docker-http-upgrade.pcap: Provided by blightzero on #4068,
  https://github.com/zeek/zeek/issues/4068
- quic/merlinc2_Zeek_example.pcapng: Provided by Faan Rossouw on #4198,
  https://github.com/zeek/zeek/issues/4198
- pe/pe.trace: VirusTotal reports that this file contains malware. The PE analyzer was
  originally added to decode info for malware, so this is expected. See
  https://zeekorg.slack.com/archives/CSZBXF6TH/p1738261449655049
- tunnels/geneve-tagged-udp-packet.pcap: Provided by Eldon Koyle (Corelight) for testing.
- cdp-v1.pcap: From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures.
- ldap/adduser1.pcap, ldap/adduser1-ntlm.pcap: Provided by Mohan-Dhawan on #4275,
  https://github.com/zeek/zeek/issues/4275