40 lines
1.1 KiB
Plaintext
40 lines
1.1 KiB
Plaintext
# @TEST-EXEC: zeek -b -r $TRACES/tcp/handshake-reorder.trace %INPUT >out
|
|
# @TEST-EXEC: btest-diff out
|
|
|
|
# This tests the Connection::FlipRoles code path (SYN/SYN-ACK reversal).
|
|
|
|
# The check of likely_server_ports is before Connection::FlipRoles, so
|
|
# need to make sure that isn't the mechanism used to flip src/dst stuff.
|
|
redef likely_server_ports = {};
|
|
|
|
global first_packet: bool = T;
|
|
|
|
event new_packet(c: connection, p: pkt_hdr)
|
|
{
|
|
if ( ! first_packet )
|
|
return;
|
|
|
|
first_packet = F;
|
|
|
|
print "schedule_analyzer, current conn_id", c$id;
|
|
# Anticipate roles getting flipped in next packet.
|
|
Analyzer::schedule_analyzer(141.142.228.5, 192.150.187.43, 80/tcp,
|
|
Analyzer::ANALYZER_HTTP, 2mins);
|
|
}
|
|
|
|
event connection_state_remove(c: connection)
|
|
{
|
|
print "connection_state_remove", c$id;
|
|
}
|
|
|
|
event http_request(c: connection, method: string, original_URI: string,
|
|
unescaped_URI: string, version: string)
|
|
{
|
|
print "http_request", version, method, original_URI;
|
|
}
|
|
|
|
event http_reply(c: connection, version: string, code: count, reason: string)
|
|
{
|
|
print "http_reply", version, code, reason;
|
|
}
|