zeek/testing/btest/Traces
Arne Welzel 377fd711bd HTTP: Implement FlipRoles()
When Zeek flips roles of an HTTP connection subsequent to the HTTP analyzer
being attached, that analyzer would not update its own ContentLine analyzer
state, resulting in the wrong ContentLine analyzer being switched into
plain delivery mode.

In debug builds, this would result in assertion failures; in production
builds, the HTTP analyzer would receive HTTP bodies as individual header
lines, or conversely, individual header lines would be delivered as a
large chunk from the ContentLine analyzer.

PCAPs were generated locally using tcprewrite to select well-known-http ports
for both endpoints, then editcap to drop the first SYN packet.

Kudos to @JordanBarnartt for keeping at it.

Closes #3789
2024-07-04 11:38:33 +02:00
bittorrent Adding test for BitTorrent tracker. 2021-12-21 17:48:26 +01:00
chksums Add an option to ignore packets sourced from particular subnets. 2020-10-22 13:23:10 -04:00
communityid Add community_id_v1() based on corelight/zeek-community-id 2023-04-21 20:44:09 +02:00
dce-rpc dce-rpc: Test cases for unbounded state growth 2023-06-30 15:14:35 +02:00
dhcp Prevent large dhcp log entries 2022-07-28 11:34:18 -07:00
dnp3 Change snaplens of a few more tests. 2017-02-03 14:10:11 -08:00
dns Integrate the Spicy plugin into Zeek proper. 2023-05-16 10:17:45 +02:00
dnssec DNS: Add Ed25519 and Ed448 enum values to parser 2023-11-17 19:56:47 +01:00
finger Provide infrastructure to migrate legacy analyzers to Spicy. 2023-02-01 11:33:48 +01:00
ftp ftp/main: Skip get_pending_command() for intermediate reply lines 2023-03-23 13:50:36 +01:00
http HTTP: Implement FlipRoles() 2024-07-04 11:38:33 +02:00
icmp GH-1321: Prevent compounding of connection_status_update event timers 2020-12-08 11:20:02 -08:00
ipv4 A set of tests exercising IP defragmentation and TCP reassembly. 2015-07-03 08:40:22 -07:00
krb Add testcase for TCP segment offloading. 2021-11-23 12:37:55 +00:00
ldap ldap: Fix substring filter parsing and rendering 2024-01-05 16:06:23 +01:00
mobile-ipv6 Add support for mobile IPv6 Mobility Header (RFC 6275). 2012-04-09 14:39:00 -05:00
modbus Modbus: Add support for Encapsulation Interface Transport (FC=2B) requests and responses 2023-08-07 13:44:37 -07:00
mount Add unit tests for new MOUNT events -- mount_proc_mnt, mount_proc_umnt, 2018-01-11 17:00:15 -05:00
mysql testing/mysql: Add traces recorded with a free-tier MySQL instance 2023-01-27 10:59:23 +01:00
nfs Format print nfs units tests to improve output readability. Add unit 2018-01-11 17:02:47 -05:00
ntp NTP: Detect out-of-order packets 2023-05-04 19:44:02 +02:00
pe Add btest for timestamp check 2024-05-29 13:58:32 +01:00
ppp PPP: Add PPP analyzer to handle LINKTYPE_PPP (0x9) 2023-08-23 16:41:19 +02:00
quic quic: tests: Add QUIC v2 test cases 2024-01-05 11:36:57 +01:00
radius Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
rdp RDP: add some enforcement to required values based on MS-RDPBCGR docs 2023-03-24 10:33:21 -07:00
rfb Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
sip GH-1507: Tolerate junk data before SIP requests 2021-04-14 15:34:07 -07:00
smb Allow SMB_TCP record to contain multiple protocol identifiers/headers 2024-04-22 15:55:25 -07:00
smtp SMTP/BDAT: Use strtoull and bail on UULONG_MAX values 2024-01-19 13:24:07 +01:00
snmp Test changes caused by minor order-of-operation changes related to the new loop architecture 2020-01-31 10:13:09 -07:00
spicy Integrate the Spicy plugin into Zeek proper. 2023-05-16 10:17:45 +02:00
ssh make SSH analyzer robust to half-duplex connections 2024-05-07 11:40:47 -07:00
tcp Add btest for expiration of all pending timers. 2022-11-27 15:02:09 +01:00
tls Update TLS consts, mainly new named curves. 2024-05-23 14:50:36 +01:00
trunc GH-977: Improve pcap error handling 2020-06-08 18:11:58 -07:00
tunnels init-bare: Default Tunnel::max_depth to 4 2024-01-11 10:22:36 +01:00
websocket websocket: Fix opcode for continuation frames 2024-01-24 22:57:24 +01:00
arp-leak.pcap Add bad ARP tests 2018-05-18 17:39:53 +02:00
arp-who-has-radiotap.pcap Tests/ARP: fix capture files. 2018-05-18 17:25:55 +02:00
arp-who-has-wlanmon.pcap Tests/ARP: fix capture files. 2018-05-18 17:25:55 +02:00
arp-who-has.pcap ARP: remove unnecessary variables and add testcase 2016-04-27 06:51:04 -07:00
auth_change_session_keys.pcap Fix invalid memory free when using Log::default_field_name_map 2018-09-10 19:06:35 -05:00
cisco-fabric-path.pcap Add Cisco FabricPath support 2018-07-27 16:00:54 -05:00
conn-size.trace Merge of Gregor's conn-size branch. 2011-05-09 17:14:31 -07:00
contentline-irc-5k-line.pcap add a max_line_length flag to ContentLine_Analyzer 2017-11-03 16:25:26 -04:00
dns-caa.pcap Add DNS tests for huge TLL and CAA 2016-04-25 15:43:20 -07:00
dns-edns-cookie.pcap add edns-cookie testcase 2020-08-20 09:04:56 -04:00
dns-edns-ecs-bad.pcap Add test case to cover weird EDNS ECS parsing situations 2020-12-08 13:14:20 -08:00
dns-edns-ecs-weirds.pcap Add test case to cover weird EDNS ECS parsing situations 2020-12-08 13:14:20 -08:00
dns-edns-ecs.pcap Implement EDNS Client Subnet Option 2020-07-06 15:09:03 -04:00
dns-edns-tcp-keepalive.pcap add testcases 2020-08-20 09:04:56 -04:00
dns-https.pcap add a dns https test case 2021-10-12 17:43:32 -04:00
dns-huge-ttl.pcap Change snaplens of a few more tests. 2017-02-03 14:10:11 -08:00
dns-inverse-query.trace Change dns.log to include only standard DNS queries. 2014-01-28 13:56:22 -06:00
dns-spf.pcap DNS: Add support for SPF response records 2019-06-14 10:18:37 -05:00
dns-svcb.pcap add svcb test case 2021-10-12 17:43:32 -04:00
dns-tsig.trace Fix possible buffer over-read in DNS TSIG parsing 2014-09-02 14:22:26 -05:00
dns-two-responses.trace Fixing a dns reporter message in master. 2013-07-18 09:24:22 -04:00
dns-txt-multiple.trace Merge remote-tracking branch 'origin/topic/jsiwek/bit-1156' 2014-04-24 16:36:47 -07:00
dns-zero-RRs.trace Fix for DNS log problem when a DNS response is seen with 0 RRs. 2012-10-05 13:48:49 -04:00
dns53.pcap BIT-788: use DNS QR field to better identify flow direction. 2015-03-19 11:53:40 -05:00
dns_original_case.pcap Modified the DNS protocol analyzer to add a new parameter to the dns_request event which includes the DNS query in its original case. Added a policy script that will add the original_case to the dns.log file as well. Created new btests to test both. 2020-06-17 10:13:04 -05:00
echo-connections.pcap.gz Add tests exercising dictionary iteration during modification. 2022-04-14 11:12:11 +02:00
empty.trace Porting the istate tests to btest. 2011-03-29 21:46:06 -07:00
erspan.trace Implement ERSPAN support. 2017-02-03 12:29:22 -08:00
erspanI.pcap Add tests for ERSPAN Type I patch 2021-03-17 14:41:29 +01:00
erspanII.pcap Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
erspanIII.pcap Added ERSPAN III testing 2019-01-24 14:05:13 +00:00
fake-syslog-with-padding.pcap Do not forward more than the remaining data to downstream UDP analyzer 2023-07-27 13:35:41 +01:00
globus-url-copy-bad-encoding.trace Handle invalid Base64 encodings in FTP ADAT analyzer 2020-01-15 12:44:10 -08:00
globus-url-copy.trace Add an example of a GridFTP data channel detection script. 2012-10-01 12:32:24 -05:00
icmp_dot1q.trace Refactor to make bro use a common Packet object. 2015-05-29 10:37:39 -04:00
icmp_nd_dnssl.trace Change ICMP ND length to a uint16 2020-10-15 16:56:05 -05:00
ieee80211.15.4.pcap Add btest that exercises the pcap filter warnings 2022-10-21 10:50:00 -07:00
ip-bogus-header-len.pcap Fix handling of IP packets with bogus IP header lengths 2021-05-27 16:33:50 -07:00
ip6_esp.trace Fix ipv6_ext_headers event and add routing0_data_to_addrs BIF. 2012-03-14 10:31:08 -05:00
ipv6-fragmented-dns.trace Add unit test for IPv6 fragment reassembly. 2012-03-12 15:26:51 -05:00
ipv6-hbh-routing0.trace Improve handling of IPv6 routing type 0 extension headers. 2012-03-27 16:05:45 -05:00
ipv6-http-atomic-frag.trace Fix handling of IPv6 atomic fragments. 2012-04-04 15:27:43 -05:00
ipv6-mobility-dst-opts.trace Add some extra length checking when parsing mobile ipv6 packets 2021-05-20 15:32:07 -07:00
ipv6_zero_len_ah.trace Fix construction of ip6_ah (Authentication Header) record values. 2012-09-18 16:52:12 -05:00
irc-353.pcap Fix IRC names command parsing 2018-09-12 19:47:57 -05:00
irc-basic.trace Merge branch 'master' of https://github.com/marktayl/bro 2016-02-08 13:02:09 -08:00
irc-dcc-send.trace Add IRC unit tests. 2011-07-20 14:49:20 -05:00
irc-whitespace.trace Merge branch 'master' of https://github.com/marktayl/bro 2016-02-12 18:55:25 -08:00
linux_dlt_sll2.pcap Add support for DLT_LINUX_SLL2 PCAP link-type 2022-08-24 10:38:31 +10:00
linuxsll-arp.pcap Initial implementation of Lower-Level analyzers 2020-09-23 11:13:25 -07:00
llc.pcap Merge branch 'topic/jgras/mac-logging' of https://github.com/J-Gras/bro 2016-06-06 17:59:34 -07:00
lldp.pcap Move UnknownProtocol options to init-bare.zeek 2020-11-11 12:58:38 -08:00
mixed-vlan-mpls.trace Support for (mixed) MPLS and VLAN traffic, and a new default BPF 2011-04-29 09:10:43 -07:00
mmsX.pcap Add test case for binpac flowbuffer frame length parsing bug 2020-03-19 22:09:23 -07:00
mpls-in-vlan.trace Support for MPLS over VLAN. 2014-02-14 12:07:24 -08:00
mqtt.pcap MQTT Analyzer heavily updated and ported from the analyzer originally by Supriya Kumar 2019-07-29 13:45:10 -04:00
ncp.pcap Migrate NCP analyzer to use latest analyzer API 2018-05-22 16:27:07 -05:00
negative-time.pcap Ignoring packets with negative timestamps. 2016-05-23 13:22:22 -07:00
nflog-http.pcap Merge branch 'master' of https://github.com/rdenniston/zeek 2019-03-19 19:19:02 -07:00
nmap-vsn.trace Added a document for the SumStats framework. 2013-11-06 13:52:29 -05:00
ntp.pcap Fix a couple of problems with signature matching. 2016-10-19 14:23:43 -07:00
pbb.pcap Add btest for PBB and update baselines 2023-02-15 14:36:26 -07:00
pop3-unknown-commands.pcap test: Add btest verifying max_analyzer_violations functionality 2022-11-08 16:44:34 -07:00
port4242.trace Checkpointing the dynamic plugin code. 2013-11-26 14:04:29 -08:00
port4243.trace Fix registration of protocol analyzers from inside plugins. 2021-07-18 10:00:49 +02:00
pppoe-over-qinq.pcap BIT-1950: support PPPoE over QinQ 2018-07-06 08:04:02 -05:00
pppoe.trace Adding a test for PPPoE support. 2012-10-24 01:05:01 -04:00
q-in-q.trace Add support for 802.1ah (Q-in-Q). 2013-03-22 12:38:43 -04:00
radiotap.pcap Improved Radiotap support and a test. 2016-01-19 04:10:44 -05:00
raw_layer.pcap Extend packet analysis test. 2020-09-23 11:13:29 -07:00
raw_packets.trace Refactor to make bro use a common Packet object. 2015-05-29 10:37:39 -04:00
README Integrate spicy-ldap test suite 2023-10-10 09:21:57 +02:00
rotation.trace Moving trace for rotation test into traces directory. 2012-05-16 18:28:51 -07:00
rpc-portmap-sadmind.pcap GH-684: Fix parsing of RPC calls with non-AUTH_UNIX flavors 2019-11-13 13:14:14 -08:00
smtp-attachment-msg.pcap GH-1352: Added flag to stop processing SMTP headers in attached 2021-01-21 14:55:10 -05:00
smtp-mail-transactions-invalid.pcap smtp: Validate mail transaction and disable SMTP analyzer if excessive 2023-03-27 18:41:47 +02:00
smtp-multi-addr.pcap Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
smtp-one-side-only.trace Fixing SMTP state tracking. 2014-06-10 18:01:38 -07:00
smtp.trace Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
snap-arp.pcap Add basic LLC, SNAP, and Novell 802.3 packet analyzers 2023-04-25 12:29:54 -07:00
socks-auth-10080.pcap socks/dpd: Fix socks5_server side signature 2023-06-05 13:54:47 +02:00
socks-auth.pcap Update the SOCKS analyzer to support user/pass login. 2015-02-05 12:44:10 -05:00
socks-with-ssl.trace Updates for the SOCKS analyzer. 2012-06-20 13:58:25 -04:00
socks.trace Updates for the SOCKS analyzer. 2012-06-20 13:58:25 -04:00
ssl-and-ssh-using-sslh.trace Merge branch 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek 2019-08-09 10:47:34 -07:00
syslog-missing-pri.trace Make Syslog analyzer accept messages that omit Priority 2019-03-14 18:47:32 -07:00
syslog-single-udp.trace Porting syslog analyzer as another example. 2013-04-05 13:13:30 -07:00
tcp-http-with-padding.pcap Do not forward padding to downstream TCP packet analyzer 2023-08-02 17:17:01 +01:00
ticks-dns-1hr.pcap Annotate scheduled events with intended timestamp. 2023-05-11 12:51:06 +02:00
ticks-dns.pcap Add timestamp to events. 2023-05-11 12:51:06 +02:00
udp-broadcast.pcap IPBasedAnalyzer: Don't flip connections when destination is broadcast 2023-08-28 12:15:55 +02:00
udp-multiple-source-ports.pcap GH-173: Support ranges of values for value_list elements in the signature parser 2019-05-23 10:58:04 -07:00
udp-packet.pcap Integrate the Spicy plugin into Zeek proper. 2023-05-16 10:17:45 +02:00
udp-signature-test.pcap BIT-844: fix UDP payload signatures to match packet-wise 2015-04-06 15:22:26 -05:00
var-services-std-ports.trace Update/improve known-services test. 2011-06-24 11:18:25 -05:00
vntag.pcap GH-1389: Skip VN-Tag headers 2021-02-01 14:34:56 -07:00
web.trace Porting the istate tests to btest. 2011-03-29 21:46:06 -07:00
wikipedia-filtered-plus-udp.trace Tweak find-filtered-trace to not flag traces if they have non-TCP 2020-09-25 11:29:44 +00:00
wikipedia.trace Fixing checksums in test trace because Bro now reports them. :-) 2012-12-14 14:48:16 -08:00
wlanmon.pcap Add a test for 802.11 monitor mode 2018-05-15 17:59:26 +02:00
workshop_2011_browse.trace Basic cross-referencing UIDs between files, btests, and baselines. 2013-05-07 13:33:38 -04:00
www-odd-url.trace Bugfix for log writer. 2011-09-11 21:33:09 -07:00

These are the trace files that are used by the Zeek test suite.

Note to maintainers: please take care when modifying or removing files here.
These traces are installed with the Zeek distribution, and external packages
may depend on them for their own tests.

Trace Index/Sources:

- modbus/modbus-eit.trace: Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file.

- [ldap/simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap)
- ldap/simpleauth-diff-port.pcap: made with
  `tcprewrite -r 3268:32681 -i simpleauth.pcap -o simpleauth-diff-port.pcap`
- ldap/krb5-sign-seal-01.pcap: trace is derived from
  <https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/ldap-krb5-sign-seal-01.cap>
  - the LDAP flow selected (filtered out the Kerberos packets)
  - truncated to 10 packets (where packet 10 contains the SASL encrypted LDAP message)
  - one `\x30` byte in the ciphertext changed to `\x00`
- ldap/issue-32.pcapng: Provided by GH user martinvanhensbergen,
  <https://github.com/zeek/spicy-ldap/issues/23>
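
The derivation steps listed above for `ldap/krb5-sign-seal-01.pcap` (keep only the first N packets, then change a single `\x30` byte in one packet's payload to `\x00`) are the kind of trace surgery that is easy to get subtly wrong, for example by mutating a byte in the TCP header instead of the payload. The following is an added example, not code from the Zeek repository, that performs those steps on a libpcap file in pure Python and refuses to proceed if the target byte is not actually present in the TCP payload of the chosen packet. It goes slightly beyond the README by also offering a drop-by-index operation, the kind of edit the `editcap` step elsewhere on this page performs. The sample pcap is constructed inline (Ethernet/IPv4/TCP frames with no valid checksums, a 389/tcp destination port, and a BER-style `\x30` tag at a known offset); the function names, the constructed payloads and the 12-packet layout are all assumptions of this example.

```python
"""Derive a mutated test trace from a pcap: keep the first N packets, drop a
packet by index, and flip one byte inside the TCP payload of a chosen packet.
Only little-endian, microsecond-resolution libpcap (magic 0xa1b2c3d4) with
Ethernet link type is handled; that is what the constructed sample uses."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Parse a pcap into (global_header_bytes, [(ts_sec, ts_usec, frame), ...])."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here")
    packets, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        packets.append((ts_sec, ts_usec, frame))
        off += incl_len
    return data[:24], packets


def write_pcap(global_header, packets):
    out = bytearray(global_header)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def tcp_payload_offset(frame):
    """Offset of the TCP payload in an Ethernet/IPv4/TCP frame, or None if the
    frame is something else. Uses the IHL and TCP data-offset fields rather
    than assuming fixed 20-byte headers."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:  # IPv4 protocol field
        return None
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return tcp_off + data_off


def truncate(packets, n):
    return packets[:n]


def drop_packet(packets, index):
    return packets[:index] + packets[index + 1:]


def flip_payload_byte(packets, index, old, new):
    """Replace the first `old` byte in packet `index`'s TCP payload with `new`.
    Raises instead of silently writing an unmodified trace when the packet has
    no TCP payload or the byte is absent. Returns (new_packets, absolute_pos)."""
    ts_sec, ts_usec, frame = packets[index]
    start = tcp_payload_offset(frame)
    if start is None:
        raise ValueError(f"packet {index} is not IPv4/TCP")
    pos = frame.find(bytes([old]), start)
    if pos < 0:
        raise ValueError(f"byte {old:#04x} not found in payload of packet {index}")
    mutated = frame[:pos] + bytes([new]) + frame[pos + 1:]
    return packets[:index] + [(ts_sec, ts_usec, mutated)] + packets[index + 1:], pos


def derive_trace(pcap_bytes, keep=10, mutate_index=9, old=0x30, new=0x00):
    """The README recipe: keep the first `keep` packets, then corrupt one byte
    of packet `mutate_index` (0-based, so 9 is the tenth packet)."""
    hdr, pkts = read_pcap(pcap_bytes)
    pkts = truncate(pkts, keep)
    pkts, pos = flip_payload_byte(pkts, mutate_index, old, new)
    return write_pcap(hdr, pkts), pos


def _frame(payload, seq):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 389, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed 12-packet trace: packet 0 has no payload (a bare SYN-like
    segment); the rest carry a 4-byte prefix followed by a BER SEQUENCE tag."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    pkts = []
    for i in range(12):
        payload = b"" if i == 0 else b"\x05\x04\x06\xff\x30\x84" + bytes([i]) * 4
        pkts.append((1_700_000_000 + i, i * 1000, _frame(payload, i)))
    return write_pcap(hdr, pkts)


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    out, pos = derive_trace(SAMPLE_PCAP)
    with open("mutated.pcap", "wb") as f:
        f.write(out)
    print(f"wrote mutated.pcap, flipped byte at absolute offset {pos}")
```

Rerunning `read_pcap` on the output and comparing against the input is the check worth keeping in a script like this: the packet count must drop to the requested value and exactly one byte, inside the payload, must differ.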