zeek/testing/btest/Traces
Christian Kreibich 99de7b7526 Add community_id_v1() based on corelight/zeek-community-id
"Community ID" has become an established flow hash for connection correlation
across different monitoring and storage systems. Other NSMs have had native
and built-in support for Community ID since late 2018. And even though the
roots of "Community ID" are very close to Zeek, Zeek itself has never provided
out-of-the-box support and instead required users to install an external plugin.

While we try to make that installation as easy as possible, an external plugin
always sets the bar higher for an initial setup and can be intimidating.
It also requires a rebuild operation of the plugin during upgrades. Nothing
overly complicated, but somewhat unnecessary for such popular functionality.

This isn't a 1:1 import. The options are parameters and the "verbose"
functionality has been removed. Further, instead of a `connection`
record, the new bif works with `conn_id`, allowing computation of the
hash with little effort on the command line:

    $ zeek -e 'print community_id_v1([$orig_h=1.2.3.4, $orig_p=1024/tcp, $resp_h=5.6.7.8, $resp_p=80/tcp])'
    1:RcCrCS5fwYUeIzgDDx64EN3+okU

Reference: https://github.com/corelight/zeek-community-id/
2023-04-21 20:44:09 +02:00
bittorrent Adding test for BitTorrent tracker. 2021-12-21 17:48:26 +01:00
chksums Add an option to ignore packets sourced from particular subnets. 2020-10-22 13:23:10 -04:00
communityid Add community_id_v1() based on corelight/zeek-community-id 2023-04-21 20:44:09 +02:00
dce-rpc Fix protocol forwarding in dce_rpc-auth 2021-09-23 08:50:11 -04:00
dhcp Prevent large dhcp log entries 2022-07-28 11:34:18 -07:00
dnp3 Change snaplens of a few more tests. 2017-02-03 14:10:11 -08:00
dns Add btests for DNS WKS and BINDS 2021-09-01 12:00:50 -05:00
dnssec Add btest for DNS NSEC3PARAM RR. 2021-07-14 20:22:06 -05:00
finger Provide infrastructure to migrate legacy analyzers to Spicy. 2023-02-01 11:33:48 +01:00
ftp ftp/main: Skip get_pending_command() for intermediate reply lines 2023-03-23 13:50:36 +01:00
http Merge remote-tracking branch 'origin/topic/awelzel/http-content-range-parsing-robustness' 2023-03-13 18:41:16 +01:00
icmp GH-1321: Prevent compounding of connection_status_update event timers 2020-12-08 11:20:02 -08:00
ipv4 A set of tests exercising IP defragmentation and TCP reassembly. 2015-07-03 08:40:22 -07:00
krb Add testcase for TCP segment offloading. 2021-11-23 12:37:55 +00:00
mobile-ipv6 Add support for mobile IPv6 Mobility Header (RFC 6275). 2012-04-09 14:39:00 -05:00
modbus BIT-1829: add unit test for modbus parser issue 2018-05-18 09:24:06 -05:00
mount Add unit tests for new MOUNT events -- mount_proc_mnt, mount_proc_umnt, 2018-01-11 17:00:15 -05:00
mysql testing/mysql: Add traces recorded with a free-tier MySQL instance 2023-01-27 10:59:23 +01:00
nfs Format print nfs units tests to improve output readability. Add unit 2018-01-11 17:02:47 -05:00
ntp update tests and add a new one for key_id and mac 2019-06-06 16:45:09 +02:00
pe Add a PE memleak test, and fix a memleak. 2015-04-19 20:22:42 -04:00
radius Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
rdp RDP: add some enforcement to required values based on MS-RDPBCGR docs 2023-03-24 10:33:21 -07:00
rfb Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
sip GH-1507: Tolerate junk data before SIP requests 2021-04-14 15:34:07 -07:00
smb Merge remote-tracking branch 'security/topic/timw/131-smb-fscontrol-overflow' 2023-02-01 10:48:16 -07:00
snmp Test changes caused by minor order-of-operation changes related to the new loop architecture 2020-01-31 10:13:09 -07:00
ssh Added several events for detailed info on the SSH2 key init directions 2022-12-05 12:35:05 +01:00
tcp Add btest for expiration of all pending timers. 2022-11-27 15:02:09 +01:00
tls SSL/TLS: Parse CertificateRequest message 2023-03-09 09:12:29 +01:00
trunc GH-977: Improve pcap error handling 2020-06-08 18:11:58 -07:00
tunnels Add test cases for Geneve. 2023-03-30 22:58:54 +02:00
arp-leak.pcap Add bad ARP tests 2018-05-18 17:39:53 +02:00
arp-who-has-radiotap.pcap Tests/ARP: fix capture files. 2018-05-18 17:25:55 +02:00
arp-who-has-wlanmon.pcap Tests/ARP: fix capture files. 2018-05-18 17:25:55 +02:00
arp-who-has.pcap ARP: remove unnecessary variables and add testcase 2016-04-27 06:51:04 -07:00
auth_change_session_keys.pcap Fix invalid memory free when using Log::default_field_name_map 2018-09-10 19:06:35 -05:00
cisco-fabric-path.pcap Add Cisco FabricPath support 2018-07-27 16:00:54 -05:00
conn-size.trace Merge of Gregor's conn-size branch. 2011-05-09 17:14:31 -07:00
contentline-irc-5k-line.pcap add a max_line_length flag to ContentLine_Analyzer 2017-11-03 16:25:26 -04:00
dns-caa.pcap Add DNS tests for huge TLL and CAA 2016-04-25 15:43:20 -07:00
dns-edns-cookie.pcap add edns-cookie testcase 2020-08-20 09:04:56 -04:00
dns-edns-ecs-bad.pcap Add test case to cover weird EDNS ECS parsing situations 2020-12-08 13:14:20 -08:00
dns-edns-ecs-weirds.pcap Add test case to cover weird EDNS ECS parsing situations 2020-12-08 13:14:20 -08:00
dns-edns-ecs.pcap Implement EDNS Client Subnet Option 2020-07-06 15:09:03 -04:00
dns-edns-tcp-keepalive.pcap add testcases 2020-08-20 09:04:56 -04:00
dns-https.pcap add a dns https test case 2021-10-12 17:43:32 -04:00
dns-huge-ttl.pcap Change snaplens of a few more tests. 2017-02-03 14:10:11 -08:00
dns-inverse-query.trace Change dns.log to include only standard DNS queries. 2014-01-28 13:56:22 -06:00
dns-spf.pcap DNS: Add support for SPF response records 2019-06-14 10:18:37 -05:00
dns-svcb.pcap add svcb test case 2021-10-12 17:43:32 -04:00
dns-tsig.trace Fix possible buffer over-read in DNS TSIG parsing 2014-09-02 14:22:26 -05:00
dns-two-responses.trace Fixing a dns reporter message in master. 2013-07-18 09:24:22 -04:00
dns-txt-multiple.trace Merge remote-tracking branch 'origin/topic/jsiwek/bit-1156' 2014-04-24 16:36:47 -07:00
dns-zero-RRs.trace Fix for DNS log problem when a DNS response is seen with 0 RRs. 2012-10-05 13:48:49 -04:00
dns53.pcap BIT-788: use DNS QR field to better identify flow direction. 2015-03-19 11:53:40 -05:00
dns_original_case.pcap Modified the DNS protocol analyzer to add a new parameter to the dns_request event which includes the DNS query in its original case. Added a policy script that will add the original_case to the dns.log file as well. Created new btests to test both. 2020-06-17 10:13:04 -05:00
echo-connections.pcap.gz Add tests exercising dictionary iteration during modification. 2022-04-14 11:12:11 +02:00
empty.trace Porting the istate tests to btest. 2011-03-29 21:46:06 -07:00
erspan.trace Implement ERSPAN support. 2017-02-03 12:29:22 -08:00
erspanI.pcap Add tests for ERSPAN Type I patch 2021-03-17 14:41:29 +01:00
erspanII.pcap Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
erspanIII.pcap Added ERSPAN III testing 2019-01-24 14:05:13 +00:00
globus-url-copy-bad-encoding.trace Handle invalid Base64 encodings in FTP ADAT analyzer 2020-01-15 12:44:10 -08:00
globus-url-copy.trace Add an example of a GridFTP data channel detection script. 2012-10-01 12:32:24 -05:00
icmp_dot1q.trace Refactor to make bro use a common Packet object. 2015-05-29 10:37:39 -04:00
icmp_nd_dnssl.trace Change ICMP ND length to a uint16 2020-10-15 16:56:05 -05:00
ieee80211.15.4.pcap Add btest that exercises the pcap filter warnings 2022-10-21 10:50:00 -07:00
ip-bogus-header-len.pcap Fix handling of IP packets with bogus IP header lengths 2021-05-27 16:33:50 -07:00
ip6_esp.trace Fix ipv6_ext_headers event and add routing0_data_to_addrs BIF. 2012-03-14 10:31:08 -05:00
ipv6-fragmented-dns.trace Add unit test for IPv6 fragment reassembly. 2012-03-12 15:26:51 -05:00
ipv6-hbh-routing0.trace Improve handling of IPv6 routing type 0 extension headers. 2012-03-27 16:05:45 -05:00
ipv6-http-atomic-frag.trace Fix handling of IPv6 atomic fragments. 2012-04-04 15:27:43 -05:00
ipv6-mobility-dst-opts.trace Add some extra length checking when parsing mobile ipv6 packets 2021-05-20 15:32:07 -07:00
ipv6_zero_len_ah.trace Fix construction of ip6_ah (Authentication Header) record values. 2012-09-18 16:52:12 -05:00
irc-353.pcap Fix IRC names command parsing 2018-09-12 19:47:57 -05:00
irc-basic.trace Merge branch 'master' of https://github.com/marktayl/bro 2016-02-08 13:02:09 -08:00
irc-dcc-send.trace Add IRC unit tests. 2011-07-20 14:49:20 -05:00
irc-whitespace.trace Merge branch 'master' of https://github.com/marktayl/bro 2016-02-12 18:55:25 -08:00
linux_dlt_sll2.pcap Add support for DLT_LINUX_SLL2 PCAP link-type 2022-08-24 10:38:31 +10:00
linuxsll-arp.pcap Initial implementation of Lower-Level analyzers 2020-09-23 11:13:25 -07:00
llc.pcap Merge branch 'topic/jgras/mac-logging' of https://github.com/J-Gras/bro 2016-06-06 17:59:34 -07:00
lldp.pcap Move UnknownProtocol options to init-bare.zeek 2020-11-11 12:58:38 -08:00
mixed-vlan-mpls.trace Support for (mixed) MPLS and VLAN traffic, and a new default BPF 2011-04-29 09:10:43 -07:00
mmsX.pcap Add test case for binpac flowbuffer frame length parsing bug 2020-03-19 22:09:23 -07:00
mpls-in-vlan.trace Support for MPLS over VLAN. 2014-02-14 12:07:24 -08:00
mqtt.pcap MQTT Analyzer heavily updated and ported from the analyzer originally by Supriya Kumar 2019-07-29 13:45:10 -04:00
ncp.pcap Migrate NCP analyzer to use latest analyzer API 2018-05-22 16:27:07 -05:00
negative-time.pcap Ignoring packets with negative timestamps. 2016-05-23 13:22:22 -07:00
nflog-http.pcap Merge branch 'master' of https://github.com/rdenniston/zeek 2019-03-19 19:19:02 -07:00
nmap-vsn.trace Added a document for the SumStats framework. 2013-11-06 13:52:29 -05:00
ntp.pcap Fix a couple of problems with signature matching. 2016-10-19 14:23:43 -07:00
pbb.pcap Add btest for PBB and update baselines 2023-02-15 14:36:26 -07:00
pop3-unknown-commands.pcap test: Add btest verifying max_analyzer_violations functionality 2022-11-08 16:44:34 -07:00
port4242.trace Checkpointing the dynamic plugin code. 2013-11-26 14:04:29 -08:00
port4243.trace Fix registration of protocol analyzers from inside plugins. 2021-07-18 10:00:49 +02:00
pppoe-over-qinq.pcap BIT-1950: support PPPoE over QinQ 2018-07-06 08:04:02 -05:00
pppoe.trace Adding a test for PPPoE support. 2012-10-24 01:05:01 -04:00
q-in-q.trace Add support for 802.1ah (Q-in-Q). 2013-03-22 12:38:43 -04:00
radiotap.pcap Improved Radiotap support and a test. 2016-01-19 04:10:44 -05:00
raw_layer.pcap Extend packet analysis test. 2020-09-23 11:13:29 -07:00
raw_packets.trace Refactor to make bro use a common Packet object. 2015-05-29 10:37:39 -04:00
README Spelling testing 2022-11-16 20:05:03 -05:00
rotation.trace Moving trace for rotation test into traces directory. 2012-05-16 18:28:51 -07:00
rpc-portmap-sadmind.pcap GH-684: Fix parsing of RPC calls with non-AUTH_UNIX flavors 2019-11-13 13:14:14 -08:00
smtp-attachment-msg.pcap GH-1352: Added flag to stop processing SMTP headers in attached 2021-01-21 14:55:10 -05:00
smtp-mail-transactions-invalid.pcap smtp: Validate mail transaction and disable SMTP analyzer if excessive 2023-03-27 18:41:47 +02:00
smtp-multi-addr.pcap Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
smtp-one-side-only.trace Fixing SMTP state tracking. 2014-06-10 18:01:38 -07:00
smtp.trace Convert pcapng test suite files to pcap format 2019-11-08 13:08:06 -08:00
socks-auth.pcap Update the SOCKS analyzer to support user/pass login. 2015-02-05 12:44:10 -05:00
socks-with-ssl.trace Updates for the SOCKS analyzer. 2012-06-20 13:58:25 -04:00
socks.trace Updates for the SOCKS analyzer. 2012-06-20 13:58:25 -04:00
ssl-and-ssh-using-sslh.trace Merge branch 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek 2019-08-09 10:47:34 -07:00
syslog-missing-pri.trace Make Syslog analyzer accept messages that omit Priority 2019-03-14 18:47:32 -07:00
syslog-single-udp.trace Porting syslog analyzer as another example. 2013-04-05 13:13:30 -07:00
udp-multiple-source-ports.pcap GH-173: Support ranges of values for value_list elements in the signature parser 2019-05-23 10:58:04 -07:00
udp-signature-test.pcap BIT-844: fix UDP payload signatures to match packet-wise 2015-04-06 15:22:26 -05:00
var-services-std-ports.trace Update/improve known-services test. 2011-06-24 11:18:25 -05:00
vntag.pcap GH-1389: Skip VN-Tag headers 2021-02-01 14:34:56 -07:00
web.trace Porting the istate tests to btest. 2011-03-29 21:46:06 -07:00
wikipedia-filtered-plus-udp.trace Tweak find-filtered-trace to not flag traces if they have non-TCP 2020-09-25 11:29:44 +00:00
wikipedia.trace Fixing checksums in test trace because Bro now reports them. :-) 2012-12-14 14:48:16 -08:00
wlanmon.pcap Add a test for 802.11 monitor mode 2018-05-15 17:59:26 +02:00
workshop_2011_browse.trace Basic cross-referencing UIDs between files, btests, and baselines. 2013-05-07 13:33:38 -04:00
www-odd-url.trace Bugfix for log writer. 2011-09-11 21:33:09 -07:00

These are the trace files that are used by the Zeek test suite.

Note to maintainers: please take care when modifying/removing files from here.
We install these traces with the Zeek distribution and external packages might
depend on them for tests.