From 96f174a5f868958060944c928d897c70cdc8c201 Mon Sep 17 00:00:00 2001 
From: Andy Wick Date: Wed, 3 Sep 2014 13:16:39 -0400 Subject: [PATCH] Added vlan and mac address (issue #284) --- CHANGELOG | 1 + capture/nids.c | 69 +++++++++++++++++++- tests/bigendian.test | 34 ++++++---- tests/bt-tcp.test | 9 +++ tests/bt-udp.test | 82 ++++++++++++++--------- tests/dns-dnskey.test | 12 ++++ tests/dns-error.test | 9 +++ tests/dns-flags0000.test | 9 +++ tests/dns-flags0110.test | 14 ++++ tests/dns-mx.test | 9 +++ tests/dns-tcp.test | 18 +++++ tests/dns-udp.test | 18 +++++ tests/http-301-get.test | 9 +++ tests/http-500-head.test | 9 +++ tests/http-content-gzip.test | 9 +++ tests/http-content-zip.test | 17 +++++ tests/http-no-length.test | 8 +++ tests/http-simple-get.test | 8 +++ tests/http-wrapped-header.test | 8 +++ tests/https2-301-get.test | 9 +++ tests/https3-301-get.test | 48 +++++++++----- tests/imap-tag.test | 9 +++ tests/irc.test | 9 +++ tests/long-session.test | 18 +++++ tests/mysql-allow.test | 8 +++ tests/mysql-deny.test | 8 +++ tests/pop3-tag.test | 9 +++ tests/postgres-badpass.test | 9 +++ tests/postgres-good.test | 9 +++ tests/postgres-no-sslrequest.test | 48 ++++++++------ tests/smb-port80.test | 9 +++ tests/smb-smbclient.test | 8 +++ tests/smtp-data-250.test | 11 +++- tests/smtp-data-521.test | 9 +++ tests/smtp-originating.test | 11 +++- tests/smtp-rcpt-553.test | 9 +++ tests/smtp-starttls.test | 9 +++ tests/smtp-subject-8859-b.test | 11 +++- tests/smtp-subject-8859-multi.test | 11 +++- tests/smtp-subject-8859-q.test | 45 +++++++++---- tests/smtp-subject-encoded-empty.test | 9 +++ tests/smtp-subject-gb2312-b.test | 11 +++- tests/smtp-subject-multi-nospace.test | 9 +++ tests/smtp-subject-utf8-mixed.test | 11 +++- tests/smtp-subject-utf8-q.test | 9 +++ tests/smtp-subject-windows.test | 9 +++ tests/smtp-zip.test | 83 +++++++++++++----------- tests/socks-http-example.test | 24 +++++++ tests/socks-http-pass.test | 54 ++++++++++----- tests/socks-https-example.test | 26 +++++++- tests/socks5-http-302.test | 9 +++ tests/socks5-rdp.test | 9 
+++
 tests/socks5-reverse.test | 9 +++
 tests/socks5-smtp-503.test | 9 +++
 tests/ssh2.test | 9 +++
 viewer/views/mixins.jade | 12 ++++
 viewer/views/sessionDetail-standard.jade | 10 +++
 57 files changed, 830 insertions(+), 151 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 1c91d8ee99..61619dedfc 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,7 @@
  - Allow multiple -r and -R options
  - Fixed update vs upgrade message (issue #287)
  - Fixed expression errors not displayed on connections tab (issue #288)
+ - Added vlan and mac.src, mac.dst, mac indexing/expressions (issue #284)
 
 0.11.1 2014/08/07
  - NOTICE: ES 0.90.12+, 1.1.x, 1.2.0 are supported by this version.
diff --git a/capture/nids.c b/capture/nids.c
index 2c323a016a..62eea5195f 100644
--- a/capture/nids.c
+++ b/capture/nids.c
@@ -57,7 +57,7 @@ static MolochSessionHead_t udpSessionQ;
 static MolochSessionHead_t icmpSessionQ;
 static MolochSessionHead_t tcpWriteQ;
-static MolochIntHead_t freeOutputBufs;
+static MolochIntHead_t freeOutputBufs;
 static pthread_mutex_t freeOutputMutex = PTHREAD_MUTEX_INITIALIZER;
 typedef struct moloch_output {
@@ -88,6 +88,9 @@ static char offlinePcapFilename[PATH_MAX+1];
 static int tagsField;
 static int protocolField;
+static int mac1Field;
+static int mac2Field;
+static int vlanField;
 uint64_t totalPackets = 0;
 uint64_t totalBytes = 0;
@@ -730,6 +733,43 @@ void moloch_nids_cb_ip(struct ip *packet, int len)
 break;
 }
+ /* Handle MACs and vlans on first few packets in each direction */
+ if (pcapFileHeader.linktype == 1 && session->packets[session->which] <= 1) {
+ char str1[20];
+ char str2[20];
+ snprintf(str1, sizeof(str1), "%02x:%02x:%02x:%02x:%02x:%02x",
+ nids_last_pcap_data[0],
+ nids_last_pcap_data[1],
+ nids_last_pcap_data[2],
+ nids_last_pcap_data[3],
+ nids_last_pcap_data[4],
+ nids_last_pcap_data[5]);
+
+
+ snprintf(str2, sizeof(str2), "%02x:%02x:%02x:%02x:%02x:%02x",
+ nids_last_pcap_data[6],
+ nids_last_pcap_data[7],
+ nids_last_pcap_data[8],
+ nids_last_pcap_data[9],
+ nids_last_pcap_data[10],
+ nids_last_pcap_data[11]);
+
+ if (session->which == 1) {
+ moloch_field_string_add(mac1Field, session, str1, 17, TRUE);
+ moloch_field_string_add(mac2Field, session, str2, 17, TRUE);
+ } else {
+ moloch_field_string_add(mac1Field, session, str2, 17, TRUE);
+ moloch_field_string_add(mac2Field, session, str1, 17, TRUE);
+ }
+
+ int n = 12;
+ while (nids_last_pcap_data[n] == 0x81 && nids_last_pcap_data[n+1] == 0x00) {
+ uint16_t vlan = ((uint16_t)(nids_last_pcap_data[n+2] << 8 | nids_last_pcap_data[n+3])) & 0xfff;
+ moloch_field_int_add(vlanField, session, vlan);
+ n += 4;
+ }
+ }
+
 session->bytes[session->which] += nids_last_pcap_header->caplen;
 session->lastPacket = nids_last_pcap_header->ts;
@@ -1455,6 +1495,8 @@ void moloch_nids_root_init()
 pcapFileHeader.snaplen = pcap_snapshot(nids_params.pcap_desc);
 pcapFileHeader.sigfigs = 0;
 pcapFileHeader.linktype = dlt_to_linktype(pcap_datalink(nids_params.pcap_desc)) | pcap_datalink_ext(nids_params.pcap_desc);
+ if (config.debug)
+ LOG("linktype %x", pcapFileHeader.linktype);
 config.maxWriteBuffers = config.pcapReadOffline?10:2000;
 }
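Review bot: The 802.1Q tag walk in the added block reads `nids_last_pcap_data[n]` through `[n+3]` bounded only by the tag value, never by `nids_last_pcap_header->caplen`, so a truncated frame or a run of 0x8100 tags reaching the end of the captured bytes reads past the packet buffer; the two snprintf calls likewise assume at least 12 captured bytes. Bound both on the capture length, e.g. `if (pcapFileHeader.linktype == 1 && session->packets[session->which] <= 1 && nids_last_pcap_header->caplen >= 14) {` and `while (n + 4 <= (int)nids_last_pcap_header->caplen && nids_last_pcap_data[n] == 0x81 && nids_last_pcap_data[n+1] == 0x00) {`. Whether libnids already guarantees a minimum caplen before invoking this callback is not visible here, so treat the check as cheap insurance on frame layout the capture does not control. Note also that `pcapFileHeader.linktype` is built in root_init as `dlt_to_linktype(...) | pcap_datalink_ext(...)`, so any extension bits would make the `== 1` test silently skip MAC/VLAN extraction. moloch_nids_cb_ip begins and ends outside the hunk.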
@@ -1525,6 +1567,31 @@ void moloch_nids_init()
 MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_COUNT | MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
 NULL);
+ mac1Field = moloch_field_define("general", "lotermfield",
+ "mac.src", "Src MAC", "mac1-term",
+ "Source ethernet mac addresses set for session",
+ MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_COUNT | MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
+ NULL);
+
+ mac2Field = moloch_field_define("general", "lotermfield",
+ "mac.dst", "Dst MAC", "mac2-term",
+ "Destination ethernet mac addresses set for session",
+ MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_COUNT | MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
+ NULL);
+
+ moloch_field_define("general", "lotermfield",
+ "mac", "Src or Dst MAC", "macall",
+ "Shorthand for mac.src or mac.dst",
+ 0, MOLOCH_FIELD_FLAG_FAKE,
+ "regex", "^mac\\\\.(?:(?!\\\\.cnt$).)*$",
+ NULL);
+
+ vlanField = moloch_field_define("general", "integer",
+ "vlan", "VLan", "vlan",
+ "vlan value",
+ MOLOCH_FIELD_TYPE_INT_HASH, MOLOCH_FIELD_FLAG_COUNT | MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
+ NULL);
+
 tagsField = moloch_field_by_db("ta");
 moloch_db_get_tag(NULL, tagsField, "tcp", NULL);
 moloch_db_get_tag(NULL, tagsField, "udp", NULL);
diff --git a/tests/bigendian.test b/tests/bigendian.test
index 94e34feb8e..c3eaac549b 100644
--- a/tests/bigendian.test
+++ b/tests/bigendian.test
@@ -4,13 +4,11 @@
 "body" : {
 "db2" : 0,
 "db" : 0,
- "lpd" : 1335958317529,
- "fp" : 1335958313,
+ "mac2-term" : [
+ "00:00:5e:00:01:b1"
+ ],
 "no" : "test",
 "lp" : 1335958317,
- "pa" : 2,
- "tacnt" : 2,
- "sl" : 4376,
 "a2" : "10.64.11.49",
 "ss" : 1,
 "ta" : [
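Review bot: The `macall` regex literal `"^mac\\\\.(?:(?!\\\\.cnt$).)*$"` holds `\\.` as a C string, which is only the intended `\.` if the string is JSON-encoded exactly once before the expression engine compiles it; if it is ever emitted raw, the pattern matches a literal backslash plus any character and the `mac` shorthand silently stops covering `mac.src`/`mac.dst`. A one-line comment at the definition stating which layer consumes the extra escaping, e.g. `/* NOTE: double-escaped; the regex is passed through the JSON encoder once before use -- confirm if that path changes */`, would keep the next edit from "fixing" it. The vlan field's help text `"vlan value"` also undersells what is stored: the capture side walks stacked 0x8100 tags on a session's first packets, so `"802.1Q VLAN ids (12-bit) seen on the session's first packets; stacked tags contribute several values"` documents the actual behaviour. moloch_nids_init begins and ends outside the hunk.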
@@ -21,23 +19,33 @@ "fpd" : 1335958313152, "fs" : [], "by2" : 0, - "a1" : "192.168.177.160", - "db1" : 0, "pa2" : 0, "p1" : 0, - "by1" : 196, "by" : 196, - "p2" : 0, "rir1" : "ARIN", - "prot-term" : [ - "icmp" - ], "pr" : 1, "ps" : [ 24, 138 ], - "prot-term-cnt" : 1 + "prot-term-cnt" : 1, + "lpd" : 1335958317529, + "fp" : 1335958313, + "pa" : 2, + "sl" : 4376, + "tacnt" : 2, + "a1" : "192.168.177.160", + "db1" : 0, + "by1" : 196, + "mac2-term-cnt" : 1, + "p2" : 0, + "mac1-term-cnt" : 1, + "prot-term" : [ + "icmp" + ], + "mac1-term" : [ + "00:21:28:05:29:ba" + ] }, "header" : { "index" : { diff --git a/tests/bt-tcp.test b/tests/bt-tcp.test index ad73646d6f..bf9fcbd0a9 100644 --- a/tests/bt-tcp.test +++ b/tests/bt-tcp.test @@ -24,6 +24,10 @@ }, "db2" : 0, "db" : 68, + "mac2-term" : [ + "00:00:5e:00:01:02", + "00:1d:b5:ce:ef:c0" + ], "no" : "test", "lp" : 1387744084, "a2" : "10.0.0.2", @@ -62,12 +66,17 @@ "tacnt" : 5, "a1" : "10.0.0.1", "db1" : 68, + "mac2-term-cnt" : 2, "by1" : 248, "p2" : 26001, + "mac1-term-cnt" : 1, "rir2" : "TEST", "prot-term" : [ "tcp", "bittorrent" + ], + "mac1-term" : [ + "00:0f:f7:76:82:80" ] }, "header" : { diff --git a/tests/bt-udp.test b/tests/bt-udp.test index 8d403f5709..b71a16c586 100644 --- a/tests/bt-udp.test +++ b/tests/bt-udp.test @@ -4,6 +4,9 @@ "body" : { "db2" : 0, "db" : 137, + "mac2-term" : [ + "00:10:db:ff:26:00" + ], "no" : "test", "lp" : 1387253713, "a2" : "10.0.0.1", @@ -40,11 +43,16 @@ "tacnt" : 5, "a1" : "10.0.0.2", "db1" : 137, + "mac2-term-cnt" : 1, "by1" : 145, "p2" : 3207, + "mac1-term-cnt" : 1, "prot-term" : [ "udp", "bittorrent" + ], + "mac1-term" : [ + "78:fe:3d:11:21:f2" ] }, "header" : { @@ -58,15 +66,11 @@ "body" : { "db2" : 0, "db" : 321, - "lpd" : 1387253793904, - "fp" : 1387253793, + "mac2-term" : [ + "00:00:5e:00:01:03" + ], "no" : "test", - "as2" : "AS0002 Hmm!@#$%^&*()", "lp" : 1387253793, - "pa" : 1, - "tacnt" : 3, - "fb1" : "64313a7264323a69", - "sl" : 0, "a2" : "10.0.0.3", "ss" : 1, "ta" : [ 
@@ -78,22 +82,34 @@ "fpd" : 1387253793904, "fs" : [], "by2" : 0, - "a1" : "10.0.0.4", - "db1" : 321, "pa2" : 0, "p1" : 44102, - "by1" : 329, "by" : 329, + "pr" : 17, + "ps" : [ + 185 + ], + "prot-term-cnt" : 2, + "lpd" : 1387253793904, + "fp" : 1387253793, + "as2" : "AS0002 Hmm!@#$%^&*()", + "pa" : 1, + "sl" : 0, + "fb1" : "64313a7264323a69", + "tacnt" : 3, + "a1" : "10.0.0.4", + "db1" : 321, + "by1" : 329, + "mac2-term-cnt" : 1, "p2" : 12074, + "mac1-term-cnt" : 1, "prot-term" : [ "udp", "bittorrent" ], - "pr" : 17, - "ps" : [ - 185 - ], - "prot-term-cnt" : 2 + "mac1-term" : [ + "00:10:db:ff:26:00" + ] }, "header" : { "index" : { @@ -106,14 +122,11 @@ "body" : { "db2" : 0, "db" : 328, - "lpd" : 1387257610963, - "fp" : 1387257610, + "mac2-term" : [ + "00:00:5e:00:01:03" + ], "no" : "test", "lp" : 1387257610, - "pa" : 1, - "tacnt" : 3, - "fb1" : "64313a71393a6669", - "sl" : 0, "a2" : "10.0.0.5", "ss" : 1, "ta" : [ @@ -125,22 +138,33 @@ "fpd" : 1387257610963, "fs" : [], "by2" : 0, - "a1" : "10.0.0.6", - "db1" : 328, "pa2" : 0, "p1" : 47061, - "by1" : 336, "by" : 336, + "pr" : 17, + "ps" : [ + 530 + ], + "prot-term-cnt" : 2, + "lpd" : 1387257610963, + "fp" : 1387257610, + "pa" : 1, + "sl" : 0, + "fb1" : "64313a71393a6669", + "tacnt" : 3, + "a1" : "10.0.0.6", + "db1" : 328, + "by1" : 336, + "mac2-term-cnt" : 1, "p2" : 20551, + "mac1-term-cnt" : 1, "prot-term" : [ "udp", "bittorrent" ], - "pr" : 17, - "ps" : [ - 530 - ], - "prot-term-cnt" : 2 + "mac1-term" : [ + "00:10:db:ff:26:00" + ] }, "header" : { "index" : { diff --git a/tests/dns-dnskey.test b/tests/dns-dnskey.test index e97b60505d..02ab59ee59 100644 --- a/tests/dns-dnskey.test +++ b/tests/dns-dnskey.test @@ -14,6 +14,10 @@ }, "db2" : 0, "db" : 66, + "vlan-cnt" : 1, + "mac2-term" : [ + "00:19:e2:ba:2f:c1" + ], "no" : "test", "lp" : 1393428477, "a2" : "8.8.8.8", 
@@ -52,12 +56,20 @@ "a1" : "10.0.0.1", "db1" : 66, "dnshocnt" : 1, + "mac2-term-cnt" : 1, "by1" : 74, + "vlan" : [ + 500 + ], "p2" : 53, + "mac1-term-cnt" : 1, "rir2" : "ARIN", "prot-term" : [ "udp", "dns" + ], + "mac1-term" : [ + "00:1a:e3:dc:2e:c0" ] }, "header" : { diff --git a/tests/dns-error.test b/tests/dns-error.test index c34b7125d8..9c426073e9 100644 --- a/tests/dns-error.test +++ b/tests/dns-error.test @@ -18,6 +18,10 @@ }, "db2" : 139, "db" : 203, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:0e:d6:0b:98:80" + ], "no" : "test", "lp" : 1394587409, "a2" : "10.0.0.2", @@ -59,12 +63,17 @@ "fb2" : "a9ba858300010000", "db1" : 64, "dnshocnt" : 1, + "mac2-term-cnt" : 2, "by1" : 72, "p2" : 53, + "mac1-term-cnt" : 1, "rir2" : "TEST", "prot-term" : [ "udp", "dns" + ], + "mac1-term" : [ + "00:13:72:c4:f1:e1" ] }, "header" : { diff --git a/tests/dns-flags0000.test b/tests/dns-flags0000.test index 7c876715db..72d811727a 100644 --- a/tests/dns-flags0000.test +++ b/tests/dns-flags0000.test @@ -14,6 +14,9 @@ }, "db2" : 74, "db" : 148, + "mac2-term" : [ + "00:10:db:ff:26:00" + ], "no" : "test", "lp" : 1393422583, "a2" : "10.0.0.1", @@ -56,11 +59,17 @@ "fb2" : "b2b5800500010000", "db1" : 74, "dnshocnt" : 1, + "mac2-term-cnt" : 1, "by1" : 82, "p2" : 53, + "mac1-term-cnt" : 2, "prot-term" : [ "udp", "dns" + ], + "mac1-term" : [ + "00:00:5e:00:01:03", + "88:e0:f3:f1:91:f2" ] }, "header" : { diff --git a/tests/dns-flags0110.test b/tests/dns-flags0110.test index 74660e87f7..6a9aed4f33 100644 --- a/tests/dns-flags0110.test +++ b/tests/dns-flags0110.test @@ -18,6 +18,11 @@ }, "db2" : 83, "db" : 210, + "vlan-cnt" : 1, + "mac2-term" : [ + "00:1a:e3:dc:2e:c0", + "00:23:04:17:9b:00" + ], "no" : "test", "lp" : 1393428477, "a2" : "10.0.0.1", @@ -75,8 +80,13 @@ "GBR", "GBR" ], + "mac2-term-cnt" : 2, "by1" : 135, + "vlan" : [ + 500 + ], "p2" : 62928, + "mac1-term-cnt" : 2, "prot-term" : [ "udp", "dns" 
@@ -85,6 +95,10 @@ "RIPE", "RIPE", "RIPE" + ], + "mac1-term" : [ + "00:19:e2:b1:ef:c6", + "00:19:e2:ba:2f:c1" ] }, "header" : { diff --git a/tests/dns-mx.test b/tests/dns-mx.test index ec20e4bc6a..be046c07dd 100644 --- a/tests/dns-mx.test +++ b/tests/dns-mx.test @@ -18,6 +18,10 @@ }, "db2" : 208, "db" : 266, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:d0:2b:d1:76:00" + ], "no" : "test", "lp" : 1386104997, "a2" : "10.2.95.39", @@ -56,11 +60,16 @@ "fb2" : "4c17818000010002", "db1" : 58, "dnshocnt" : 3, + "mac2-term-cnt" : 2, "by1" : 66, "p2" : 53, + "mac1-term-cnt" : 1, "prot-term" : [ "udp", "dns" + ], + "mac1-term" : [ + "00:1f:5b:ff:51:cb" ] }, "header" : { diff --git a/tests/dns-tcp.test b/tests/dns-tcp.test index 9adf6354af..19a4fcb38b 100644 --- a/tests/dns-tcp.test +++ b/tests/dns-tcp.test @@ -18,6 +18,10 @@ }, "db2" : 342, "db" : 372, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:0e:d6:0b:98:80" + ], "no" : "test", "lp" : 1385482078, "a2" : "10.2.95.39", @@ -102,8 +106,10 @@ "USA", "USA" ], + "mac2-term-cnt" : 2, "by1" : 438, "p2" : 53, + "mac1-term-cnt" : 1, "prot-term" : [ "dns", "tcp" @@ -120,6 +126,9 @@ "ARIN", "ARIN", "ARIN" + ], + "mac1-term" : [ + "00:1f:5b:ff:51:cb" ] }, "header" : { @@ -147,6 +156,10 @@ }, "db2" : 258, "db" : 285, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:0e:d6:0b:98:80" + ], "no" : "test", "lp" : 1385482080, "a2" : "10.2.95.39", @@ -213,8 +226,10 @@ "USA", "USA" ], + "mac2-term-cnt" : 2, "by1" : 435, "p2" : 53, + "mac1-term-cnt" : 1, "prot-term" : [ "dns", "tcp" @@ -225,6 +240,9 @@ "ARIN", "ARIN", "ARIN" + ], + "mac1-term" : [ + "00:1f:5b:ff:51:cb" ] }, "header" : { diff --git a/tests/dns-udp.test b/tests/dns-udp.test index 9c70c02a79..698e83ee4c 100644 --- a/tests/dns-udp.test +++ b/tests/dns-udp.test @@ -18,6 +18,10 @@ }, "db2" : 246, "db" : 312, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:d0:2b:d1:76:00" + ], "no" : "test", "lp" : 1385400647, "a2" : "10.2.95.39", 
@@ -65,14 +69,19 @@ "gdnsip" : [ "USA" ], + "mac2-term-cnt" : 2, "by1" : 74, "p2" : 53, + "mac1-term-cnt" : 1, "prot-term" : [ "udp", "dns" ], "rirdnsip" : [ "ARIN" + ], + "mac1-term" : [ + "00:1f:5b:ff:51:cb" ] }, "header" : { @@ -100,6 +109,10 @@ }, "db2" : 246, "db" : 312, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:0e:d6:0b:98:80" + ], "no" : "test", "lp" : 1385400648, "a2" : "10.178.8.71", @@ -147,14 +160,19 @@ "gdnsip" : [ "USA" ], + "mac2-term-cnt" : 2, "by1" : 74, "p2" : 53, + "mac1-term-cnt" : 1, "prot-term" : [ "udp", "dns" ], "rirdnsip" : [ "ARIN" + ], + "mac1-term" : [ + "00:1f:5b:ff:51:cb" ] }, "header" : { diff --git a/tests/http-301-get.test b/tests/http-301-get.test index 077d8d8633..561757f301 100644 --- a/tests/http-301-get.test +++ b/tests/http-301-get.test @@ -7,6 +7,10 @@ ], "db2" : 107, "db" : 252, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:d0:2b:d1:76:00" + ], "no" : "test", "ho" : [ "www.github.com" @@ -91,9 +95,11 @@ "https://www.github.com/" ] }, + "mac2-term-cnt" : 2, "by1" : 487, "hh1cnt" : 3, "p2" : 80, + "mac1-term-cnt" : 1, "rir2" : "ARIN", "hdvercnt" : 1, "prot-term" : [ @@ -103,6 +109,9 @@ "hdver" : [ "1.1" ], + "mac1-term" : [ + "00:1f:5b:ff:51:cb" + ], "uacnt" : 1 }, "header" : { diff --git a/tests/http-500-head.test b/tests/http-500-head.test index 8d319ac181..43b898fba8 100644 --- a/tests/http-500-head.test +++ b/tests/http-500-head.test @@ -7,6 +7,9 @@ ], "db2" : 155, "db" : 312, + "mac2-term" : [ + "00:10:db:ff:26:00" + ], "no" : "test", "ho" : [ "samples.example.com" @@ -87,9 +90,11 @@ "a1" : "10.172.10.16", "fb2" : "485454502f312e31", "db1" : 157, + "mac2-term-cnt" : 1, "by1" : 457, "hh1cnt" : 4, "p2" : 80, + "mac1-term-cnt" : 2, "hdvercnt" : 1, "prot-term" : [ "http", @@ -98,6 +103,10 @@ "hdver" : [ "1.1" ], + "mac1-term" : [ + "78:fe:3d:11:21:f2", + "00:00:5e:00:01:03" + ], "uacnt" : 1 }, "header" : { diff --git a/tests/http-content-gzip.test b/tests/http-content-gzip.test index ab5f3e355e..2718c09f67 100644 
--- a/tests/http-content-gzip.test +++ b/tests/http-content-gzip.test @@ -27,6 +27,10 @@ }, "db2" : 478, "db" : 895, + "mac2-term" : [ + "00:00:5e:00:01:01", + "00:26:88:d8:bf:c2" + ], "no" : "test", "ho" : [ "xxxxxxxxxxx.xxxxxxx.xxx" @@ -141,9 +145,11 @@ "http://xx.xxxxx.xxx/xx?id=xxxxxxx&cb=xxxxxxxxxxxxx&referrer=xxxxxxx.xxx" ] }, + "mac2-term-cnt" : 2, "by1" : 843, "hh1cnt" : 9, "p2" : 80, + "mac1-term-cnt" : 1, "rir2" : "TEST", "hdvercnt" : 1, "prot-term" : [ @@ -153,6 +159,9 @@ "hdver" : [ "1.1" ], + "mac1-term" : [ + "00:0a:f3:31:90:00" + ], "uacnt" : 1 }, "header" : { diff --git a/tests/http-content-zip.test b/tests/http-content-zip.test index 38013db6d3..be8a12e1b2 100644 --- a/tests/http-content-zip.test +++ b/tests/http-content-zip.test @@ -27,6 +27,9 @@ }, "db2" : 571, "db" : 933, + "mac2-term" : [ + "00:13:72:c4:f1:e1" + ], "no" : "test", "ho" : [ "xxxxxxxxxxxxx.xxx.com" @@ -128,9 +131,11 @@ "hmd5" : [ "40be8f5100e9beabab293c9d7bacaff0" ], + "mac2-term-cnt" : 1, "by1" : 704, "hh1cnt" : 6, "p2" : 80, + "mac1-term-cnt" : 2, "rir2" : "TEST", "hdvercnt" : 1, "prot-term" : [ @@ -140,6 +145,10 @@ "hdver" : [ "1.1" ], + "mac1-term" : [ + "00:00:0c:07:ac:01", + "00:0e:d6:0b:98:80" + ], "uacnt" : 1 }, "header" : { @@ -153,6 +162,9 @@ "body" : { "db2" : 0, "db" : 0, + "mac2-term" : [ + "00:13:72:c4:f1:e1" + ], "no" : "test", "lp" : 1388428585, "a2" : "10.0.0.2", @@ -187,11 +199,16 @@ "tacnt" : 4, "a1" : "10.0.0.1", "db1" : 0, + "mac2-term-cnt" : 1, "by1" : 132, "p2" : 80, + "mac1-term-cnt" : 1, "rir2" : "TEST", "prot-term" : [ "tcp" + ], + "mac1-term" : [ + "00:0e:d6:0b:98:80" ] }, "header" : { diff --git a/tests/http-no-length.test b/tests/http-no-length.test index 13d05f49e2..ae86ecaaf1 100644 --- a/tests/http-no-length.test +++ b/tests/http-no-length.test @@ -27,6 +27,9 @@ }, "db2" : 744, "db" : 1196, + "mac2-term" : [ + "00:c0:ca:30:eb:0c" + ], "no" : "test", "ho" : [ "xxxxxxx.xxxxxx.xx" 
@@ -140,9 +143,11 @@ "http://www.xxxxxxxx.com/xxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx.html" ] }, + "mac2-term-cnt" : 1, "by1" : 734, "hh1cnt" : 10, "p2" : 80, + "mac1-term-cnt" : 1, "rir2" : "TEST", "hdvercnt" : 1, "prot-term" : [ @@ -152,6 +157,9 @@ "hdver" : [ "1.0" ], + "mac1-term" : [ + "00:16:44:a0:a0:7e" + ], "uacnt" : 1 }, "header" : { diff --git a/tests/http-simple-get.test b/tests/http-simple-get.test index a1fe8e0f58..8f89e3d3df 100644 --- a/tests/http-simple-get.test +++ b/tests/http-simple-get.test @@ -7,6 +7,9 @@ ], "db2" : 5237, "db" : 5389, + "mac2-term" : [ + "00:13:72:c4:f1:e1" + ], "no" : "test", "ho" : [ "xxxxxxxxxxxxx.xxx.com" @@ -105,9 +108,11 @@ "hmd5" : [ "230e3b4387b64caf54a7487b4f726adb" ], + "mac2-term-cnt" : 1, "by1" : 692, "hh1cnt" : 3, "p2" : 80, + "mac1-term-cnt" : 1, "hdvercnt" : 1, "prot-term" : [ "http", @@ -116,6 +121,9 @@ "hdver" : [ "1.1" ], + "mac1-term" : [ + "00:1f:5b:ff:51:cb" + ], "uacnt" : 1 }, "header" : { diff --git a/tests/http-wrapped-header.test b/tests/http-wrapped-header.test index bf28c400ac..7be146b540 100644 --- a/tests/http-wrapped-header.test +++ b/tests/http-wrapped-header.test @@ -27,6 +27,9 @@ }, "db2" : 706, "db" : 4119, + "mac2-term" : [ + "88:43:e1:94:fc:2d" + ], "no" : "test", "ho" : [ "xxxxx.xxxxxxxx.xxxxxxxxxx.xxx" @@ -166,9 +169,11 @@ "http://www.xxxxxxxxxx.xxx/xx/xxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxx.jsp" ] }, + "mac2-term-cnt" : 1, "by1" : 3811, "hh1cnt" : 8, "p2" : 80, + "mac1-term-cnt" : 1, "rir2" : "TEST", "hdvercnt" : 1, "prot-term" : [ @@ -178,6 +183,9 @@ "hdver" : [ "1.1" ], + "mac1-term" : [ + "a4:93:4c:43:13:9b" + ], "hval" : [ "xxxxxxxxxxxxxxxxxxxxxxxxxxx", "xxxxxxxxxxxxxxx", diff --git a/tests/https2-301-get.test b/tests/https2-301-get.test index c00db08611..ab48661250 100644 --- a/tests/https2-301-get.test +++ b/tests/https2-301-get.test 
@@ -4,6 +4,10 @@ "body" : { "db2" : 4204, "db" : 4817, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:d0:2b:d1:76:00" + ], "no" : "test", "lp" : 1385410274, "a2" : "192.30.252.131", @@ -60,6 +64,7 @@ "a1" : "10.180.156.141", "fb2" : "1603010051020000", "db1" : 613, + "mac2-term-cnt" : 2, "by1" : 1513, "tls" : [ { @@ -91,10 +96,14 @@ } ], "p2" : 443, + "mac1-term-cnt" : 1, "rir2" : "ARIN", "prot-term" : [ "tls", "tcp" + ], + "mac1-term" : [ + "00:1f:5b:ff:51:cb" ] }, "header" : { diff --git a/tests/https3-301-get.test b/tests/https3-301-get.test index 6ccafe176f..a8381d8d01 100644 --- a/tests/https3-301-get.test +++ b/tests/https3-301-get.test @@ -4,6 +4,10 @@ "body" : { "db2" : 4208, "db" : 4838, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:0e:d6:0b:98:80" + ], "no" : "test", "ho" : [ "www.github.com" @@ -61,6 +65,7 @@ "a1" : "10.180.156.141", "fb2" : "1603010055020000", "db1" : 630, + "mac2-term-cnt" : 2, "by1" : 1422, "tls" : [ { @@ -92,10 +97,14 @@ } ], "p2" : 443, + "mac1-term-cnt" : 1, "rir2" : "ARIN", "prot-term" : [ "tls", "tcp" + ], + "mac1-term" : [ + "00:1f:5b:ff:51:cb" ] }, "header" : { @@ -109,14 +118,12 @@ "body" : { "db2" : 0, "db" : 0, - "lpd" : 1385396821236, - "fp" : 1385396821, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:0e:d6:0b:98:80" + ], "no" : "test", - "as2" : "AS36459 GitHub, Inc.", "lp" : 1385396821, - "pa" : 3, - "tacnt" : 2, - "sl" : 0, "a2" : "192.30.252.130", "ss" : 1, "ta" : [ 
@@ -128,25 +135,36 @@ "fs" : [], "by2" : 66, "g1" : "USA", - "a1" : "10.180.156.141", - "db1" : 0, "pa2" : 1, "p1" : 62599, - "by1" : 108, "by" : 174, - "p2" : 443, - "rir2" : "ARIN", "g2" : "USA", - "prot-term" : [ - "tcp" - ], "pr" : 6, "ps" : [ 6510, 6580, 6662 ], - "prot-term-cnt" : 1 + "prot-term-cnt" : 1, + "lpd" : 1385396821236, + "fp" : 1385396821, + "as2" : "AS36459 GitHub, Inc.", + "pa" : 3, + "sl" : 0, + "tacnt" : 2, + "a1" : "10.180.156.141", + "db1" : 0, + "mac2-term-cnt" : 2, + "by1" : 108, + "p2" : 443, + "rir2" : "ARIN", + "mac1-term-cnt" : 1, + "prot-term" : [ + "tcp" + ], + "mac1-term" : [ + "00:1f:5b:ff:51:cb" + ] }, "header" : { "index" : { diff --git a/tests/imap-tag.test b/tests/imap-tag.test index 9efddceabf..eb062e18d6 100644 --- a/tests/imap-tag.test +++ b/tests/imap-tag.test @@ -24,6 +24,10 @@ }, "db2" : 18, "db" : 18, + "mac2-term" : [ + "00:00:5e:00:01:01", + "00:1d:b5:ce:ef:c0" + ], "no" : "test", "lp" : 1387759542, "a2" : "10.0.0.2", @@ -62,12 +66,17 @@ "a1" : "10.0.0.1", "fb2" : "2a204f4b20494d41", "db1" : 0, + "mac2-term-cnt" : 2, "by1" : 122, "p2" : 143, + "mac1-term-cnt" : 1, "rir2" : "TEST", "prot-term" : [ "imap", "tcp" + ], + "mac1-term" : [ + "00:0f:f7:76:82:80" ] }, "header" : { diff --git a/tests/irc.test b/tests/irc.test index 97803b1f48..40d207496b 100644 --- a/tests/irc.test +++ b/tests/irc.test @@ -4,6 +4,10 @@ "body" : { "db2" : 6901, "db" : 7015, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:d0:2b:d1:76:00" + ], "no" : "test", "lp" : 1387554256, "a2" : "38.229.70.20", @@ -72,13 +76,18 @@ "ircnck" : [ "molochtest" ], + "mac2-term-cnt" : 2, "by1" : 1046, "p2" : 8000, + "mac1-term-cnt" : 1, "rir2" : "ARIN", "ircnckcnt" : 1, "prot-term" : [ "irc", "tcp" + ], + "mac1-term" : [ + "00:13:72:c4:f1:e1" ] }, "header" : { diff --git a/tests/long-session.test b/tests/long-session.test index b7389d98c0..08713afb7e 100644 --- a/tests/long-session.test +++ b/tests/long-session.test 
@@ -24,6 +24,10 @@ }, "db2" : 0, "db" : 0, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:0e:d6:0b:98:80" + ], "no" : "test", "lp" : 1401386288, "a2" : "10.0.0.2", @@ -61,11 +65,16 @@ "tacnt" : 4, "a1" : "10.0.0.1", "db1" : 0, + "mac2-term-cnt" : 2, "by1" : 187, "p2" : 80, + "mac1-term-cnt" : 1, "rir2" : "TEST", "prot-term" : [ "tcp" + ], + "mac1-term" : [ + "00:13:72:c4:f1:e1" ] }, "header" : { @@ -99,6 +108,10 @@ }, "db2" : 0, "db" : 5, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:0e:d6:0b:98:80" + ], "no" : "test", "lp" : 1401386288, "a2" : "10.0.0.2", @@ -135,12 +148,17 @@ "tacnt" : 5, "a1" : "10.0.0.1", "db1" : 5, + "mac2-term-cnt" : 2, "by1" : 0, "p2" : 80, + "mac1-term-cnt" : 1, "rir2" : "TEST", "prot-term" : [ "http", "tcp" + ], + "mac1-term" : [ + "00:13:72:c4:f1:e1" ] }, "header" : { diff --git a/tests/mysql-allow.test b/tests/mysql-allow.test index 8680132c5e..15b09ba355 100644 --- a/tests/mysql-allow.test +++ b/tests/mysql-allow.test @@ -4,6 +4,9 @@ "body" : { "db2" : 185, "db" : 308, + "mac2-term" : [ + "00:00:00:00:00:00" + ], "no" : "test", "lp" : 1398217359, "a2" : "192.168.1.3", @@ -44,16 +47,21 @@ "a1" : "192.168.1.3", "fb2" : "5b0000000a352e35", "db1" : 123, + "mac2-term-cnt" : 1, "by1" : 527, "p2" : 3306, "mysql" : { "user-term" : "user10", "ver-term" : "5.5.35-0ubuntu0.12.04.2" }, + "mac1-term-cnt" : 1, "rir2" : "ARIN", "prot-term" : [ "tcp", "mysql" + ], + "mac1-term" : [ + "00:00:00:00:00:00" ] }, "header" : { diff --git a/tests/mysql-deny.test b/tests/mysql-deny.test index 4ddcf7ad6b..0fe0707b6d 100644 --- a/tests/mysql-deny.test +++ b/tests/mysql-deny.test @@ -4,6 +4,9 @@ "body" : { "db2" : 175, "db" : 240, + "mac2-term" : [ + "00:00:00:00:00:00" + ], "no" : "test", "lp" : 1398195861, "a2" : "192.168.1.3", 
@@ -43,16 +46,21 @@ "a1" : "192.168.1.3", "fb2" : "5b0000000a352e35", "db1" : 65, + "mac2-term-cnt" : 1, "by1" : 403, "p2" : 3306, "mysql" : { "user-term" : "user0", "ver-term" : "5.5.35-0FUNntu0.12.04.2" }, + "mac1-term-cnt" : 1, "rir2" : "ARIN", "prot-term" : [ "tcp", "mysql" + ], + "mac1-term" : [ + "00:00:00:00:00:00" ] }, "header" : { diff --git a/tests/pop3-tag.test b/tests/pop3-tag.test index b10f48032f..be663086c7 100644 --- a/tests/pop3-tag.test +++ b/tests/pop3-tag.test @@ -24,6 +24,10 @@ }, "db2" : 16, "db" : 16, + "mac2-term" : [ + "00:00:5e:00:01:02", + "00:1d:b5:ce:ef:c1" + ], "no" : "test", "lp" : 1387659690, "a2" : "10.0.0.2", @@ -65,12 +69,17 @@ "a1" : "10.0.0.1", "fb2" : "2b4f4b20504f5033", "db1" : 0, + "mac2-term-cnt" : 2, "by1" : 122, "p2" : 110, + "mac1-term-cnt" : 1, "rir2" : "TEST", "prot-term" : [ "pop3", "tcp" + ], + "mac1-term" : [ + "00:0f:f7:76:7d:40" ] }, "header" : { diff --git a/tests/postgres-badpass.test b/tests/postgres-badpass.test index 3113e0de1f..ea6364e335 100644 --- a/tests/postgres-badpass.test +++ b/tests/postgres-badpass.test @@ -24,6 +24,9 @@ }, "db2" : 14, "db" : 96, + "mac2-term" : [ + "00:13:72:c4:f1:e1" + ], "no" : "test", "lp" : 1399312748, "a2" : "10.0.0.2", @@ -76,12 +79,18 @@ "db-term" : "bar", "user-term" : "foo" }, + "mac2-term-cnt" : 1, "by1" : 622, "p2" : 5432, + "mac1-term-cnt" : 2, "rir2" : "TEST", "prot-term" : [ "tcp", "postgresql" + ], + "mac1-term" : [ + "00:00:0c:07:ac:01", + "00:d0:2b:d1:76:00" ] }, "header" : { diff --git a/tests/postgres-good.test b/tests/postgres-good.test index 97fb5c3cae..69017bc899 100644 --- a/tests/postgres-good.test +++ b/tests/postgres-good.test @@ -24,6 +24,9 @@ }, "db2" : 327, "db" : 456, + "mac2-term" : [ + "00:0c:29:18:7f:fe" + ], "no" : "test", "lp" : 1399300685, "a2" : "10.0.13.120", 
@@ -71,11 +74,17 @@ "db-term" : "dbdbdbdb", "user-term" : "cooluser" }, + "mac2-term-cnt" : 1, "by1" : 533, "p2" : 5432, + "mac1-term-cnt" : 2, "prot-term" : [ "tcp", "postgresql" + ], + "mac1-term" : [ + "90:e2:ba:52:f6:2a", + "00:00:5e:00:01:71" ] }, "header" : { diff --git a/tests/postgres-no-sslrequest.test b/tests/postgres-no-sslrequest.test index 2c85755940..38b85967de 100644 --- a/tests/postgres-no-sslrequest.test +++ b/tests/postgres-no-sslrequest.test @@ -4,14 +4,11 @@ "body" : { "db2" : 160, "db" : 256, - "lpd" : 1103485433664, - "fp" : 1103485433, + "mac2-term" : [ + "00:00:00:00:00:00" + ], "no" : "test", "lp" : 1103485433, - "pa" : 11, - "tacnt" : 2, - "fb1" : "0000005b00", - "sl" : 104, "a2" : "127.0.0.1", "ss" : 1, "ta" : [ @@ -22,22 +19,9 @@ "fpd" : 1103485433560, "fs" : [], "by2" : 432, - "fb2" : "5200000008000000", - "a1" : "127.0.0.1", - "db1" : 96, - "postgresql" : { - "db-term" : "dbdb", - "user-term" : "user" - }, "pa2" : 4, "p1" : 57827, - "by1" : 566, "by" : 998, - "p2" : 5432, - "prot-term" : [ - "tcp", - "postgresql" - ], "pr" : 6, "ps" : [ 24, @@ -52,7 +36,31 @@ 1034, 1116 ], - "prot-term-cnt" : 2 + "prot-term-cnt" : 2, + "lpd" : 1103485433664, + "fp" : 1103485433, + "pa" : 11, + "sl" : 104, + "fb1" : "0000005b00", + "tacnt" : 2, + "a1" : "127.0.0.1", + "fb2" : "5200000008000000", + "db1" : 96, + "postgresql" : { + "db-term" : "dbdb", + "user-term" : "user" + }, + "mac2-term-cnt" : 1, + "by1" : 566, + "p2" : 5432, + "mac1-term-cnt" : 1, + "prot-term" : [ + "tcp", + "postgresql" + ], + "mac1-term" : [ + "00:00:00:00:00:00" + ] }, "header" : { "index" : { diff --git a/tests/smb-port80.test b/tests/smb-port80.test index 2950f809e4..53923dfc55 100644 --- a/tests/smb-port80.test +++ b/tests/smb-port80.test @@ -4,6 +4,9 @@ "body" : { "db2" : 69, "db" : 237, + "mac2-term" : [ + "00:0b:45:b7:08:80" + ], "no" : "test", "lp" : 1379519110, "a2" : "10.0.0.1", 
@@ -49,11 +52,17 @@ "a1" : "10.0.0.2", "fb2" : "b378fd2aae2d4aee", "db1" : 168, + "mac2-term-cnt" : 1, "by1" : 506, "p2" : 80, + "mac1-term-cnt" : 2, "prot-term" : [ "smb", "tcp" + ], + "mac1-term" : [ + "00:26:88:df:17:c6", + "00:00:5e:00:01:02" ] }, "header" : { diff --git a/tests/smb-smbclient.test b/tests/smb-smbclient.test index 577b37c695..339542ec20 100644 --- a/tests/smb-smbclient.test +++ b/tests/smb-smbclient.test @@ -7,6 +7,9 @@ ], "db2" : 801, "db" : 1669, + "mac2-term" : [ + "00:00:00:00:00:00" + ], "no" : "test", "lp" : 1387494791, "a2" : "127.0.0.1", @@ -75,11 +78,16 @@ "fb2" : "00000061ff534d42", "db1" : 868, "smbfncnt" : 1, + "mac2-term-cnt" : 1, "by1" : 2262, "p2" : 445, + "mac1-term-cnt" : 1, "prot-term" : [ "smb", "tcp" + ], + "mac1-term" : [ + "00:00:00:00:00:00" ] }, "header" : { diff --git a/tests/smtp-data-250.test b/tests/smtp-data-250.test index 480a8508e9..bee5265e56 100644 --- a/tests/smtp-data-250.test +++ b/tests/smtp-data-250.test @@ -29,6 +29,10 @@ "12345678@aol.com" ], "ectcnt" : 1, + "mac2-term" : [ + "00:00:5e:00:01:02", + "80:71:1f:82:cf:c6" + ], "eid" : [ "xxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxx@xxxxx.xxxxxxx.xxx" ], @@ -124,18 +128,23 @@ "fb2" : "3232302d6d74616f", "db1" : 1063, "usercnt" : 1, + "mac2-term-cnt" : 2, "by1" : 1867, "esrccnt" : 1, "emv" : [ "1.0" ], "p2" : 587, + "mac1-term-cnt" : 1, "rir2" : "ARIN", "prot-term" : [ "smtp", "tcp" ], - "eidcnt" : 1 + "eidcnt" : 1, + "mac1-term" : [ + "00:0a:f3:31:94:00" + ] }, "header" : { "index" : { diff --git a/tests/smtp-data-521.test b/tests/smtp-data-521.test index dc6e2a67ff..abc14de442 100644 --- a/tests/smtp-data-521.test +++ b/tests/smtp-data-521.test @@ -29,6 +29,10 @@ "1234567899@aol.com" ], "ectcnt" : 1, + "mac2-term" : [ + "00:00:5e:00:01:01", + "00:26:88:ca:1f:c6" + ], "no" : "test", "lp" : 1386251823, "emvcnt" : 1, 
@@ -128,16 +132,21 @@ "fb2" : "3232302d6d74616f", "db1" : 3122, "usercnt" : 1, + "mac2-term-cnt" : 2, "by1" : 4186, "esrccnt" : 1, "emv" : [ "1.0" ], "p2" : 587, + "mac1-term-cnt" : 1, "rir2" : "ARIN", "prot-term" : [ "smtp", "tcp" + ], + "mac1-term" : [ + "00:0b:45:b7:08:80" ] }, "header" : { diff --git a/tests/smtp-originating.test b/tests/smtp-originating.test index 751f984b75..2de999cc47 100644 --- a/tests/smtp-originating.test +++ b/tests/smtp-originating.test @@ -9,6 +9,9 @@ "xxxxxxxx@xxxxxxxxx.net" ], "ectcnt" : 1, + "mac2-term" : [ + "00:25:90:a2:c2:6c" + ], "eid" : [ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@xxxxxxxxx.net" ], @@ -123,17 +126,23 @@ "---", "AS0001 Cool Beans!" ], + "mac2-term-cnt" : 1, "by1" : 2515, "esrccnt" : 1, "emv" : [ "1.0 (Apple Message framework v1283)" ], "p2" : 25, + "mac1-term-cnt" : 2, "prot-term" : [ "smtp", "tcp" ], - "eidcnt" : 1 + "eidcnt" : 1, + "mac1-term" : [ + "00:00:5e:00:01:01", + "82:71:1f:83:98:f6" + ] }, "header" : { "index" : { diff --git a/tests/smtp-rcpt-553.test b/tests/smtp-rcpt-553.test index 4f39e3abcc..d35bc70954 100644 --- a/tests/smtp-rcpt-553.test +++ b/tests/smtp-rcpt-553.test @@ -28,6 +28,10 @@ "esrc" : [ "12345678@aol.com" ], + "mac2-term" : [ + "00:26:88:d8:bf:c1", + "00:00:5e:00:01:02" + ], "no" : "test", "lp" : 1386252623, "a2" : "64.12.168.40", @@ -81,13 +85,18 @@ "a1" : "10.0.0.1", "fb2" : "3232302d6d74616f", "db1" : 74, + "mac2-term-cnt" : 2, "by1" : 676, "esrccnt" : 1, "p2" : 587, + "mac1-term-cnt" : 1, "rir2" : "ARIN", "prot-term" : [ "smtp", "tcp" + ], + "mac1-term" : [ + "00:0a:f3:31:84:00" ] }, "header" : { diff --git a/tests/smtp-starttls.test b/tests/smtp-starttls.test index 3971c70bfa..e7077b3a48 100644 --- a/tests/smtp-starttls.test +++ b/tests/smtp-starttls.test @@ -24,6 +24,10 @@ }, "db2" : 4627, "db" : 6011, + "mac2-term" : [ + "00:00:0c:07:ac:01", + "00:d0:2b:d1:76:00" + ], "no" : "test", "lp" : 1388017125, "a2" : "173.194.68.26", 
@@ -97,6 +101,7 @@
 "a1" : "10.0.0.1",
 "fb2" : "323230206d782e67",
 "db1" : 1384,
+ "mac2-term-cnt" : 2,
 "by1" : 2514,
 "tls" : [
 {
@@ -135,11 +140,15 @@
 }
 ],
 "p2" : 25,
+ "mac1-term-cnt" : 1,
 "rir2" : "ARIN",
 "prot-term" : [
 "tls",
 "smtp",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:13:72:c4:f1:e1"
 ]
 },
 "header" : {
diff --git a/tests/smtp-subject-8859-b.test b/tests/smtp-subject-8859-b.test
index 50fcd8380b..edd96196f8 100644
--- a/tests/smtp-subject-8859-b.test
+++ b/tests/smtp-subject-8859-b.test
@@ -9,6 +9,9 @@
 "xxxxxxxxx@xxxxxxx.com"
 ],
 "ectcnt" : 1,
+ "mac2-term" : [
+ "00:25:90:a2:c2:52"
+ ],
 "eid" : [
 "CEC7902D.1A0ED%xxxxxxxxx@xxxxxxx.com"
 ],
@@ -128,18 +131,24 @@
 "---",
 "---"
 ],
+ "mac2-term-cnt" : 1,
 "by1" : 2296,
 "esrccnt" : 1,
 "emv" : [
 "1.0"
 ],
 "p2" : 25,
+ "mac1-term-cnt" : 2,
 "rir2" : "ARIN",
 "prot-term" : [
 "smtp",
 "tcp"
 ],
- "eidcnt" : 1
+ "eidcnt" : 1,
+ "mac1-term" : [
+ "00:00:0c:07:ac:02",
+ "00:0b:5f:6b:5c:00"
+ ]
 },
 "header" : {
 "index" : {
diff --git a/tests/smtp-subject-8859-multi.test b/tests/smtp-subject-8859-multi.test
index 865cf3aa69..4b9a89a607 100644
--- a/tests/smtp-subject-8859-multi.test
+++ b/tests/smtp-subject-8859-multi.test
@@ -9,6 +9,10 @@
 "xxxxx@xxx.net"
 ],
 "ectcnt" : 1,
+ "mac2-term" : [
+ "00:00:0c:07:ac:01",
+ "00:0e:d6:0b:98:80"
+ ],
 "eid" : [
 "20131212194457.GA7990@xxx.net"
 ],
@@ -119,18 +123,23 @@
 "aseip" : [
 "---"
 ],
+ "mac2-term-cnt" : 2,
 "by1" : 1780,
 "esrccnt" : 1,
 "emv" : [
 "1.0"
 ],
 "p2" : 25,
+ "mac1-term-cnt" : 1,
 "rir2" : "ARIN",
 "prot-term" : [
 "smtp",
 "tcp"
 ],
- "eidcnt" : 1
+ "eidcnt" : 1,
+ "mac1-term" : [
+ "00:13:72:c4:f1:e1"
+ ]
 },
 "header" : {
 "index" : {
diff --git a/tests/smtp-subject-8859-q.test b/tests/smtp-subject-8859-q.test
index 50f1661f12..c91e91c7e4 100644
--- a/tests/smtp-subject-8859-q.test
+++ b/tests/smtp-subject-8859-q.test
@@ -9,6 +9,10 @@
 "xxxxx@xxx.net"
 ],
 "ectcnt" : 1,
+ "mac2-term" : [
+ "00:00:0c:07:ac:01",
+ "00:0e:d6:0b:98:80"
+ ],
 "eid" : [
 "20131212030845.GA715@xxx.net"
 ],
@@ -119,18 +123,23 @@
 "aseip" : [
 "---"
 ],
+ "mac2-term-cnt" : 2,
 "by1" : 2075,
 "esrccnt" : 1,
 "emv" : [
 "1.0"
 ],
 "p2" : 25,
+ "mac1-term-cnt" : 1,
 "rir2" : "ARIN",
 "prot-term" : [
 "smtp",
 "tcp"
 ],
- "eidcnt" : 1
+ "eidcnt" : 1,
+ "mac1-term" : [
+ "00:13:72:c4:f1:e1"
+ ]
 },
 "header" : {
 "index" : {
@@ -143,13 +152,11 @@
 "body" : {
 "db2" : 0,
 "db" : 0,
- "lpd" : 1386817726156,
- "fp" : 1386817726,
+ "mac2-term" : [
+ "00:13:72:c4:f1:e1"
+ ],
 "no" : "test",
 "lp" : 1386817726,
- "pa" : 1,
- "tacnt" : 2,
- "sl" : 0,
 "a2" : "10.180.156.249",
 "ss" : 1,
 "ta" : [
@@ -161,24 +168,34 @@
 "fs" : [],
 "by2" : 0,
 "g1" : "USA",
- "a1" : "64.236.55.17",
- "db1" : 0,
 "pa2" : 0,
 "p1" : 25,
- "by1" : 66,
 "by" : 66,
- "p2" : 35796,
 "as1" : "AS1668 AOL Transit Data Network",
 "rir1" : "ARIN",
 "g2" : "USA",
- "prot-term" : [
- "tcp"
- ],
 "pr" : 6,
 "ps" : [
 3906
 ],
- "prot-term-cnt" : 1
+ "prot-term-cnt" : 1,
+ "lpd" : 1386817726156,
+ "fp" : 1386817726,
+ "pa" : 1,
+ "sl" : 0,
+ "tacnt" : 2,
+ "a1" : "64.236.55.17",
+ "db1" : 0,
+ "mac2-term-cnt" : 1,
+ "by1" : 66,
+ "p2" : 35796,
+ "mac1-term-cnt" : 1,
+ "prot-term" : [
+ "tcp"
+ ],
+ "mac1-term" : [
+ "00:0e:d6:0b:98:80"
+ ]
 },
 "header" : {
 "index" : {
diff --git a/tests/smtp-subject-encoded-empty.test b/tests/smtp-subject-encoded-empty.test
index e0b4598191..134a14f8a6 100644
--- a/tests/smtp-subject-encoded-empty.test
+++ b/tests/smtp-subject-encoded-empty.test
@@ -28,6 +28,10 @@
 "esrc" : [
 "user1@xxx.net"
 ],
+ "mac2-term" : [
+ "00:00:0c:07:ac:01",
+ "00:d0:2b:d1:76:00"
+ ],
 "no" : "test",
 "lp" : 1398431453,
 "a2" : "10.0.0.2",
@@ -110,13 +114,18 @@
 "a1" : "10.0.0.1",
 "fb2" : "3232302d78787878",
 "db1" : 350,
+ "mac2-term-cnt" : 2,
 "by1" : 1616,
 "esrccnt" : 1,
 "p2" : 25,
+ "mac1-term-cnt" : 1,
 "rir2" : "TEST",
 "prot-term" : [
 "smtp",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:1f:5b:ff:51:cb"
 ]
 },
 "header" : {
diff --git a/tests/smtp-subject-gb2312-b.test b/tests/smtp-subject-gb2312-b.test
index 4e43ffb128..4b69500b58 100644
--- a/tests/smtp-subject-gb2312-b.test
+++ b/tests/smtp-subject-gb2312-b.test
@@ -9,6 +9,9 @@
 "xxxxxxxxx@xxxxxxx.com"
 ],
 "ectcnt" : 1,
+ "mac2-term" : [
+ "00:25:90:7e:28:f6"
+ ],
 "eid" : [
 "CEC790C3.1A0F0%xxxxxxxxx@xxxxxxx.com"
 ],
@@ -140,18 +143,24 @@
 "---",
 "---"
 ],
+ "mac2-term-cnt" : 1,
 "by1" : 2149,
 "esrccnt" : 1,
 "emv" : [
 "1.0"
 ],
 "p2" : 25,
+ "mac1-term-cnt" : 2,
 "rir2" : "ARIN",
 "prot-term" : [
 "smtp",
 "tcp"
 ],
- "eidcnt" : 1
+ "eidcnt" : 1,
+ "mac1-term" : [
+ "00:00:0c:07:ac:01",
+ "00:0b:5f:6b:5d:40"
+ ]
 },
 "header" : {
 "index" : {
diff --git a/tests/smtp-subject-multi-nospace.test b/tests/smtp-subject-multi-nospace.test
index d2ee2a4d15..7d30dd8867 100644
--- a/tests/smtp-subject-multi-nospace.test
+++ b/tests/smtp-subject-multi-nospace.test
@@ -28,6 +28,10 @@
 "esrc" : [
 "xxxxx@xxx.net"
 ],
+ "mac2-term" : [
+ "00:00:0c:07:ac:01",
+ "00:d0:2b:d1:76:00"
+ ],
 "no" : "test",
 "lp" : 1394730057,
 "a2" : "10.0.0.2",
@@ -80,13 +84,18 @@
 "esubcnt" : 1,
 "a1" : "10.0.0.1",
 "db1" : 325,
+ "mac2-term-cnt" : 2,
 "by1" : 561,
 "esrccnt" : 1,
 "p2" : 25,
+ "mac1-term-cnt" : 1,
 "rir2" : "TEST",
 "prot-term" : [
 "smtp",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:13:72:c4:f1:e1"
 ]
 },
 "header" : {
diff --git a/tests/smtp-subject-utf8-mixed.test b/tests/smtp-subject-utf8-mixed.test
index b129b7489d..fe1a4936ee 100644
--- a/tests/smtp-subject-utf8-mixed.test
+++ b/tests/smtp-subject-utf8-mixed.test
@@ -9,6 +9,10 @@
 "xxxxx@xxx.net"
 ],
 "ectcnt" : 1,
+ "mac2-term" : [
+ "00:00:0c:07:ac:01",
+ "00:0e:d6:0b:98:80"
+ ],
 "eid" : [
 "20131212031238.GA1705@xxx.net"
 ],
@@ -119,18 +123,23 @@
 "aseip" : [
 "---"
 ],
+ "mac2-term-cnt" : 2,
 "by1" : 2033,
 "esrccnt" : 1,
 "emv" : [
 "1.0"
 ],
 "p2" : 25,
+ "mac1-term-cnt" : 1,
 "rir2" : "ARIN",
 "prot-term" : [
 "smtp",
 "tcp"
 ],
- "eidcnt" : 1
+ "eidcnt" : 1,
+ "mac1-term" : [
+ "00:13:72:c4:f1:e1"
+ ]
 },
 "header" : {
 "index" : {
diff --git a/tests/smtp-subject-utf8-q.test b/tests/smtp-subject-utf8-q.test
index ba04f688d5..e728b5bd28 100644
--- a/tests/smtp-subject-utf8-q.test
+++ b/tests/smtp-subject-utf8-q.test
@@ -29,6 +29,9 @@
 "xxxxxxxxx@xxxxxxxxx.com"
 ],
 "ectcnt" : 1,
+ "mac2-term" : [
+ "00:25:90:ac:d0:6a"
+ ],
 "no" : "test",
 "emd5" : [
 "5b153a606bea42005e1eedb5ddeabcf0"
@@ -137,16 +140,22 @@
 "---",
 "---"
 ],
+ "mac2-term-cnt" : 1,
 "by1" : 2436,
 "esrccnt" : 1,
 "emv" : [
 "1.0"
 ],
 "p2" : 25,
+ "mac1-term-cnt" : 2,
 "rir2" : "ARIN",
 "prot-term" : [
 "smtp",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:00:0c:07:ac:01",
+ "00:0b:5f:6b:5d:40"
 ]
 },
 "header" : {
diff --git a/tests/smtp-subject-windows.test b/tests/smtp-subject-windows.test
index 56d3b1fa8b..a9e7b90aef 100644
--- a/tests/smtp-subject-windows.test
+++ b/tests/smtp-subject-windows.test
@@ -28,6 +28,10 @@
 "esrc" : [
 "xxxxx@xxx.net"
 ],
+ "mac2-term" : [
+ "00:00:0c:07:ac:01",
+ "00:d0:2b:d1:76:00"
+ ],
 "no" : "test",
 "lp" : 1394118475,
 "a2" : "10.0.0.2",
@@ -99,13 +103,18 @@
 "a1" : "10.0.0.1",
 "fb2" : "3232302d78787878",
 "db1" : 211,
+ "mac2-term-cnt" : 2,
 "by1" : 1011,
 "esrccnt" : 1,
 "p2" : 25,
+ "mac1-term-cnt" : 1,
 "rir2" : "TEST",
 "prot-term" : [
 "smtp",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:13:72:c4:f1:e1"
 ]
 },
 "header" : {
diff --git a/tests/smtp-zip.test b/tests/smtp-zip.test
index a388da9e98..67b4dfb75a 100644
--- a/tests/smtp-zip.test
+++ b/tests/smtp-zip.test
@@ -2,34 +2,25 @@
 "packets" : [
 {
 "body" : {
- "edstcnt" : 1,
- "db2" : 470,
 "db" : 1969,
 "esrc" : [
 "xxxxx@xxx.net"
 ],
 "ectcnt" : 1,
- "eid" : [
- "20131217145016.GA29077@xxx.net"
+ "mac2-term" : [
+ "00:00:0c:07:ac:01",
+ "00:0e:d6:0b:98:80"
 ],
- "no" : "test",
 "emd5" : [
 "40be8f5100e9beabab293c9d7bacaff0"
 ],
- "euacnt" : 1,
- "lp" : 1387291817,
 "email" : {
 "bodymagic-term" : [
 "application/zip"
 ],
 "bodymagic-term-cnt" : 1
 },
- "emvcnt" : 1,
 "a2" : "64.236.64.225",
- "ss" : 1,
- "ect" : [
- "multipart/mixed; boundary=\"HcAYCG3uE/tztfnV\""
- ],
 "esub" : [
 "zip test"
 ],
@@ -43,17 +34,10 @@
 "eip" : [
 "127.0.0.1"
 ],
- "eua" : [
- "Mutt/1.5.20 (2009-12-10)"
- ],
- "pa1" : 14,
- "fpd" : 1387291817187,
- "fs" : [],
 "by2" : 1402,
 "g1" : "USA",
 "pa2" : 14,
 "p1" : 46671,
- "by" : 3833,
 "ehh" : [
 "content-type",
 "from",
@@ -67,12 +51,10 @@
 "subject"
 ],
 "ehhcnt" : 10,
- "eipcnt" : 1,
 "eho" : [
 "localhost",
 "xxxxxxxxxxxxx.xxx.com"
 ],
- "g2" : "USA",
 "pr" : 6,
 "ps" : [
 24,
@@ -104,48 +86,75 @@
 4141,
 4223
 ],
- "prot-term-cnt" : 2,
- "efncnt" : 1,
- "ehocnt" : 2,
 "geip" : [
 "---"
 ],
- "lpd" : 1387291817565,
- "fp" : 1387291817,
 "as2" : "AS1668 AOL Transit Data Network",
- "pa" : 28,
- "tacnt" : 5,
 "edst" : [
 "xxxxxxxxx@xxxxxxx.com"
 ],
- "sl" : 377,
 "fb1" : "45484c4f20787878",
 "esubcnt" : 1,
 "a1" : "10.180.156.249",
 "fb2" : "3232302078787878",
- "db1" : 1499,
 "efn" : [
 "a.zip"
 ],
+ "emd5cnt" : 1,
+ "p2" : 25,
+ "prot-term" : [
+ "smtp",
+ "tcp"
+ ],
+ "eidcnt" : 1,
+ "edstcnt" : 1,
+ "db2" : 470,
+ "no" : "test",
+ "eid" : [
+ "20131217145016.GA29077@xxx.net"
+ ],
+ "lp" : 1387291817,
+ "euacnt" : 1,
+ "emvcnt" : 1,
+ "ss" : 1,
+ "ect" : [
+ "multipart/mixed; boundary=\"HcAYCG3uE/tztfnV\""
+ ],
+ "fpd" : 1387291817187,
+ "pa1" : 14,
+ "eua" : [
+ "Mutt/1.5.20 (2009-12-10)"
+ ],
+ "fs" : [],
+ "by" : 3833,
+ "eipcnt" : 1,
+ "g2" : "USA",
+ "prot-term-cnt" : 2,
+ "ehocnt" : 2,
+ "efncnt" : 1,
+ "lpd" : 1387291817565,
+ "fp" : 1387291817,
+ "pa" : 28,
+ "sl" : 377,
+ "tacnt" : 5,
+ "db1" : 1499,
 "rireip" : [
 ""
 ],
- "emd5cnt" : 1,
 "aseip" : [
 "---"
 ],
 "by1" : 2431,
+ "mac2-term-cnt" : 2,
 "esrccnt" : 1,
 "emv" : [
 "1.0"
 ],
- "p2" : 25,
 "rir2" : "ARIN",
- "prot-term" : [
- "smtp",
- "tcp"
- ],
- "eidcnt" : 1
+ "mac1-term-cnt" : 1,
+ "mac1-term" : [
+ "00:13:72:c4:f1:e1"
+ ]
 },
 "header" : {
 "index" : {
diff --git a/tests/socks-http-example.test b/tests/socks-http-example.test
index 0ec58291f1..685659ba08 100644
--- a/tests/socks-http-example.test
+++ b/tests/socks-http-example.test
@@ -7,6 +7,9 @@
 ],
 "db2" : 1599,
 "db" : 1754,
+ "mac2-term" : [
+ "00:13:72:c4:f1:e1"
+ ],
 "socksip" : "93.184.216.119",
 "no" : "test",
 "ho" : [
@@ -112,11 +115,13 @@
 "hmd5" : [
 "09b9c392dc1f6e914cea287cb6be34b0"
 ],
+ "mac2-term-cnt" : 1,
 "by1" : 695,
 "hh1cnt" : 3,
 "assocksip" : "AS15133 EdgeCast Networks, Inc.",
 "p2" : 1080,
 "gsocksip" : "USA",
+ "mac1-term-cnt" : 1,
 "hdvercnt" : 1,
 "prot-term" : [
 "http",
@@ -126,6 +131,9 @@
 "hdver" : [
 "1.1"
 ],
+ "mac1-term" : [
+ "00:1f:5b:ff:51:cb"
+ ],
 "uacnt" : 1
 },
 "header" : {
@@ -143,6 +151,9 @@
 ],
 "db2" : 1599,
 "db" : 1770,
+ "mac2-term" : [
+ "00:13:72:c4:f1:e1"
+ ],
 "no" : "test",
 "ho" : [
 "www.example.com"
@@ -247,9 +258,11 @@
 "hmd5" : [
 "09b9c392dc1f6e914cea287cb6be34b0"
 ],
+ "mac2-term-cnt" : 1,
 "by1" : 711,
 "hh1cnt" : 3,
 "p2" : 1080,
+ "mac1-term-cnt" : 1,
 "hdvercnt" : 1,
 "prot-term" : [
 "http",
@@ -259,6 +272,9 @@
 "hdver" : [
 "1.1"
 ],
+ "mac1-term" : [
+ "00:1f:5b:ff:51:cb"
+ ],
 "uacnt" : 1
 },
 "header" : {
@@ -275,6 +291,9 @@
 ],
 "db2" : 1603,
 "db" : 1763,
+ "mac2-term" : [
+ "00:13:72:c4:f1:e1"
+ ],
 "socksip" : "93.184.216.119",
 "no" : "test",
 "ho" : [
@@ -383,11 +402,13 @@
 "hmd5" : [
 "09b9c392dc1f6e914cea287cb6be34b0"
 ],
+ "mac2-term-cnt" : 1,
 "by1" : 832,
 "hh1cnt" : 3,
 "assocksip" : "AS15133 EdgeCast Networks, Inc.",
 "p2" : 1080,
 "gsocksip" : "USA",
+ "mac1-term-cnt" : 1,
 "hdvercnt" : 1,
 "prot-term" : [
 "http",
@@ -397,6 +418,9 @@
 "hdver" : [
 "1.1"
 ],
+ "mac1-term" : [
+ "00:1f:5b:ff:51:cb"
+ ],
 "uacnt" : 1
 },
 "header" : {
diff --git a/tests/socks-http-pass.test b/tests/socks-http-pass.test
index a1d2ec3487..2924b94c52 100644
--- a/tests/socks-http-pass.test
+++ b/tests/socks-http-pass.test
@@ -4,14 +4,11 @@
 "body" : {
 "db2" : 2,
 "db" : 6,
- "lpd" : 1386090517358,
- "fp" : 1386090517,
+ "mac2-term" : [
+ "00:13:72:c4:f1:e1"
+ ],
 "no" : "test",
 "lp" : 1386090517,
- "pa" : 11,
- "tacnt" : 2,
- "fb1" : "05020001",
- "sl" : 1,
 "a2" : "10.180.156.249",
 "ss" : 1,
 "ta" : [
@@ -23,18 +20,10 @@
 "fs" : [],
 "by2" : 340,
 "g1" : "USA",
- "fb2" : "05ff",
- "a1" : "10.180.156.185",
- "db1" : 4,
 "pa2" : 5,
 "p1" : 54068,
- "by1" : 412,
 "by" : 752,
- "p2" : 1080,
 "g2" : "USA",
- "prot-term" : [
- "tcp"
- ],
 "pr" : 6,
 "ps" : [
 24,
@@ -49,7 +38,26 @@
 788,
 870
 ],
- "prot-term-cnt" : 1
+ "prot-term-cnt" : 1,
+ "lpd" : 1386090517358,
+ "fp" : 1386090517,
+ "pa" : 11,
+ "sl" : 1,
+ "fb1" : "05020001",
+ "tacnt" : 2,
+ "a1" : "10.180.156.185",
+ "fb2" : "05ff",
+ "db1" : 4,
+ "mac2-term-cnt" : 1,
+ "by1" : 412,
+ "p2" : 1080,
+ "mac1-term-cnt" : 1,
+ "prot-term" : [
+ "tcp"
+ ],
+ "mac1-term" : [
+ "00:1f:5b:ff:51:cb"
+ ]
 },
 "header" : {
 "index" : {
@@ -63,6 +71,9 @@
 "socksuser" : "testuser",
 "db2" : 4,
 "db" : 28,
+ "mac2-term" : [
+ "00:13:72:c4:f1:e1"
+ ],
 "no" : "test",
 "lp" : 1386090528,
 "a2" : "10.180.156.249",
@@ -109,11 +120,16 @@
 "a1" : "10.180.156.185",
 "fb2" : "0502",
 "db1" : 24,
+ "mac2-term-cnt" : 1,
 "by1" : 564,
 "p2" : 1080,
+ "mac1-term-cnt" : 1,
 "prot-term" : [
 "socks",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:1f:5b:ff:51:cb"
 ]
 },
 "header" : {
@@ -131,6 +147,9 @@
 "socksuser" : "testuser",
 "db2" : 1605,
 "db" : 1785,
+ "mac2-term" : [
+ "00:13:72:c4:f1:e1"
+ ],
 "socksip" : "93.184.216.119",
 "no" : "test",
 "ho" : [
@@ -243,11 +262,13 @@
 "hmd5" : [
 "09b9c392dc1f6e914cea287cb6be34b0"
 ],
+ "mac2-term-cnt" : 1,
 "by1" : 984,
 "hh1cnt" : 3,
 "assocksip" : "AS15133 EdgeCast Networks, Inc.",
 "p2" : 1080,
 "gsocksip" : "USA",
+ "mac1-term-cnt" : 1,
 "hdvercnt" : 1,
 "prot-term" : [
 "http",
@@ -257,6 +278,9 @@
 "hdver" : [
 "1.1"
 ],
+ "mac1-term" : [
+ "00:1f:5b:ff:51:cb"
+ ],
 "uacnt" : 1
 },
 "header" : {
diff --git a/tests/socks-https-example.test b/tests/socks-https-example.test
index 0ab3341bef..5bf8f9363f 100644
--- a/tests/socks-https-example.test
+++ b/tests/socks-https-example.test
@@ -4,6 +4,9 @@
 "body" : {
 "db2" : 8279,
 "db" : 8920,
+ "mac2-term" : [
+ "00:13:72:c4:f1:e1"
+ ],
 "socksip" : "93.184.216.119",
 "no" : "test",
 "ho" : [
@@ -74,6 +77,7 @@
 "fb2" : "005a99b40ab49cf9",
 "db1" : 641,
 "rirsocksip" : "RIPE",
+ "mac2-term-cnt" : 1,
 "by1" : 1775,
 "tls" : [
 {
@@ -126,10 +130,14 @@
 "p2" : 1080,
 "assocksip" : "AS15133 EdgeCast Networks, Inc.",
 "gsocksip" : "USA",
+ "mac1-term-cnt" : 1,
 "prot-term" : [
 "tls",
 "socks",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:1f:5b:ff:51:cb"
 ]
 },
 "header" : {
@@ -144,6 +152,9 @@
 "socksho" : "www.example.com",
 "db2" : 8254,
 "db" : 8911,
+ "mac2-term" : [
+ "00:13:72:c4:f1:e1"
+ ],
 "no" : "test",
 "ho" : [
 "www.example.com"
@@ -206,12 +217,13 @@
 "lpd" : 1386004475761,
 "fp" : 1386004475,
 "pa" : 30,
- "tacnt" : 4,
 "sl" : 69,
 "fb1" : "040101bb00000001",
+ "tacnt" : 4,
 "a1" : "10.180.156.185",
 "fb2" : "005a99b50ab49cf9",
 "db1" : 657,
+ "mac2-term-cnt" : 1,
 "by1" : 1791,
 "tls" : [
 {
@@ -262,10 +274,14 @@
 }
 ],
 "p2" : 1080,
+ "mac1-term-cnt" : 1,
 "prot-term" : [
 "tls",
 "socks",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:1f:5b:ff:51:cb"
 ]
 },
 "header" : {
@@ -279,6 +295,9 @@
 "body" : {
 "db2" : 8283,
 "db" : 8929,
+ "mac2-term" : [
+ "00:13:72:c4:f1:e1"
+ ],
 "socksip" : "93.184.216.119",
 "no" : "test",
 "ho" : [
@@ -352,6 +371,7 @@
 "fb2" : "0500050000010ab4",
 "db1" : 646,
 "rirsocksip" : "RIPE",
+ "mac2-term-cnt" : 1,
 "by1" : 1912,
 "tls" : [
 {
@@ -474,10 +494,14 @@
 "p2" : 1080,
 "assocksip" : "AS15133 EdgeCast Networks, Inc.",
 "gsocksip" : "USA",
+ "mac1-term-cnt" : 1,
 "prot-term" : [
 "tls",
 "socks",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:1f:5b:ff:51:cb"
 ]
 },
 "header" : {
diff --git a/tests/socks5-http-302.test b/tests/socks5-http-302.test
index e57fc46c39..91cdb58470 100644
--- a/tests/socks5-http-302.test
+++ b/tests/socks5-http-302.test
@@ -28,6 +28,10 @@
 },
 "db2" : 942,
 "db" : 1361,
+ "mac2-term" : [
+ "00:00:5e:00:01:01",
+ "00:26:88:df:17:c7"
+ ],
 "no" : "test",
 "ho" : [
 "www.google.com"
@@ -144,9 +148,11 @@
 "http://www.google.de/?gws_rd=cr&ei=xxxxxxxxxxxxxxxxxxxxxx"
 ]
 },
+ "mac2-term-cnt" : 2,
 "by1" : 886,
 "hh1cnt" : 7,
 "p2" : 21477,
+ "mac1-term-cnt" : 1,
 "rir2" : "TEST",
 "hdvercnt" : 1,
 "prot-term" : [
@@ -157,6 +163,9 @@
 "hdver" : [
 "1.1"
 ],
+ "mac1-term" : [
+ "00:0b:45:b7:16:c0"
+ ],
 "uacnt" : 1
 },
 "header" : {
diff --git a/tests/socks5-rdp.test b/tests/socks5-rdp.test
index 2d8e752e99..1cd92c8e72 100644
--- a/tests/socks5-rdp.test
+++ b/tests/socks5-rdp.test
@@ -4,6 +4,9 @@
 "body" : {
 "db2" : 31,
 "db" : 85,
+ "mac2-term" : [
+ "00:0a:f3:31:94:00"
+ ],
 "socksip" : "10.0.0.1",
 "no" : "test",
 "lp" : 1386644257,
@@ -51,15 +54,21 @@
 "a1" : "10.0.0.3",
 "fb2" : "0500050000010000",
 "db1" : 54,
+ "mac2-term-cnt" : 1,
 "by1" : 405,
 "p2" : 42356,
 "assocksip" : "AS0000 This is neat",
 "gsocksip" : "RUS",
+ "mac1-term-cnt" : 2,
 "rir2" : "TEST",
 "prot-term" : [
 "rdp",
 "socks",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:00:5e:00:01:01",
+ "80:71:1f:82:cf:c6"
 ]
 },
 "header" : {
diff --git a/tests/socks5-reverse.test b/tests/socks5-reverse.test
index 11f11641ae..ac062175e0 100644
--- a/tests/socks5-reverse.test
+++ b/tests/socks5-reverse.test
@@ -3,6 +3,10 @@
 {
 "body" : {
 "db" : 24346,
+ "mac2-term" : [
+ "00:00:5e:00:01:01",
+ "80:71:1f:83:9f:c6"
+ ],
 "socksip" : "74.125.131.103",
 "sockspo" : 80,
 "a2" : "10.0.0.2",
@@ -220,10 +224,15 @@
 "2069181ae704855f29caf964ca52ec49",
 "b0cecae354b9eab1f04f70e46a612cb1"
 ],
+ "mac2-term-cnt" : 2,
 "by1" : 25112,
 "assocksip" : "AS15169 Google Inc.",
+ "mac1-term-cnt" : 1,
 "rir2" : "TEST",
 "hdvercnt" : 1,
+ "mac1-term" : [
+ "00:0a:f3:31:94:00"
+ ],
 "hval" : [
 "firefox",
 "en",
diff --git a/tests/socks5-smtp-503.test b/tests/socks5-smtp-503.test
index c975f71dbc..846de6f82d 100644
--- a/tests/socks5-smtp-503.test
+++ b/tests/socks5-smtp-503.test
@@ -5,6 +5,10 @@
 "socksho" : "010.000.00.003",
 "db2" : 280,
 "db" : 327,
+ "mac2-term" : [
+ "00:00:5e:00:01:01",
+ "80:71:1f:82:cf:c6"
+ ],
 "no" : "test",
 "lp" : 1385474639,
 "sockspo" : 25,
@@ -64,12 +68,17 @@
 "a1" : "10.0.0.2",
 "fb2" : "0500050000010a00",
 "db1" : 47,
+ "mac2-term-cnt" : 2,
 "by1" : 638,
 "p2" : 1080,
+ "mac1-term-cnt" : 1,
 "prot-term" : [
 "socks",
 "smtp",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:0a:f3:31:94:00"
 ]
 },
 "header" : {
diff --git a/tests/ssh2.test b/tests/ssh2.test
index f48e1b96e3..2a8680019c 100644
--- a/tests/ssh2.test
+++ b/tests/ssh2.test
@@ -24,6 +24,10 @@
 },
 "db2" : 1407,
 "db" : 2516,
+ "mac2-term" : [
+ "02:21:59:a1:83:b2",
+ "00:00:5e:00:01:01"
+ ],
 "no" : "test",
 "lp" : 1387565112,
 "a2" : "10.0.0.2",
@@ -87,8 +91,10 @@
 "a1" : "10.0.0.1",
 "fb2" : "5353482d312e3939",
 "db1" : 1109,
+ "mac2-term-cnt" : 2,
 "by1" : 1715,
 "p2" : 22,
+ "mac1-term-cnt" : 1,
 "rir2" : "TEST",
 "sshkey" : [
 "AAAAB3NzaC1yc2EAAAABeHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg="
@@ -96,6 +102,9 @@
 "prot-term" : [
 "ssh",
 "tcp"
+ ],
+ "mac1-term" : [
+ "00:0c:29:62:b6:75"
 ]
 },
 "header" : {
diff --git a/viewer/views/mixins.jade b/viewer/views/mixins.jade
index a99f9ea9b7..a4b164e5ea 100644
--- a/viewer/views/mixins.jade
+++ b/viewer/views/mixins.jade
@@ -22,6 +22,18 @@ mixin fieldsSelect(name,classname,simple,extra)
 else
 option(value="#{value.dbField}", exp='#{value.exp}') #{value.exp}
 
+mixin arrayPrint(container, field, expr)
+ if ((container && container[field]))
+ each value,i in container[field]
+ if (i > 0)
+ |,
+ if (value.length == 0)
+ a(href='#', onclick='return addExpression("#{expr} == \\\"#{value}\\\"");') <empty>
+ else if (typeof value == "string")
+ a(href='#', onclick='return addExpression("#{expr} == \\\"#{value.replace(/\\/g, "\\\\")}\\\"");') #{value}
+ else
+ a(href='#', onclick='return addExpression("#{expr} == \\\"#{value}\\\"");') #{value}
+
 //- Standard method to print an array of values with commas
 mixin arrayList(container, field, title, expr, extra, max)
 if (!max)
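Review bot: In the new arrayPrint mixin only the string branch escapes anything before the value is interpolated into the onclick handler, and it escapes backslashes alone (`value.replace(/\\/g, "\\\\")`), so a value containing a double quote would terminate the JS string literal inside `addExpression("… == \"…\"")`; the `<empty>` and non-string branches interpolate `#{value}` with no escaping at all. The callers added in this commit pass MAC addresses and VLAN ids that the capture side formats, so this is a hardening point for a generic mixin rather than a live defect, but HTML attribute escaping does not help here because the browser decodes `&quot;` back to `"` before the handler runs. Escaping `"` in the same replace chain, or routing the value through one helper that produces the quoted expression for all three branches, would make the mixin safe for any field and remove the triplicated `a(...)` line. The doubled parentheses in `if ((container && container[field]))` can be a single pair, matching the `if (i > 0)` style two lines below.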
diff --git a/viewer/views/sessionDetail-standard.jade b/viewer/views/sessionDetail-standard.jade
index 2a72a6dd38..71a2f8e9e0 100644
--- a/viewer/views/sessionDetail-standard.jade
+++ b/viewer/views/sessionDetail-standard.jade
@@ -55,6 +55,16 @@ dl.sessionDetailMeta
 a(href='#', onclick='return addExpression("bytes.dst == #{session.by2}");') #{session.by2}
 |  Databytes:
 a(href='#', onclick='return addExpression("databytes.dst == #{session.db2}");') #{session.db2}
+ if (session["mac1-term"])
+ dt Ethernet
+ dd
+ | Src Mac:
+ +arrayPrint(session, "mac1-term", "mac.src")
+ |  Dst Mac:
+ +arrayPrint(session, "mac2-term", "mac.dst")
+ if (session.vlan)
+ |  VLan:
+ +arrayPrint(session, "vlan", "vlan")
 dt Src IP/Port
 dd
 +ipPrint(session.a1, session.p1, session.g1, session.as1, session.rir1, "src")
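Review bot: `+arrayPrint(session, "vlan", "vlan")` hands `session.vlan` to a mixin that iterates it with `each`, so the VLAN field has to be stored as an array; if the capture side emits a scalar, the `if (session.vlan)` guard passes but the loop would most likely render nothing, and the viewer would silently show an empty label. None of the test fixtures updated in this commit contain a `vlan` key, so this branch is not exercised by them; a fixture built from a tagged frame would pin the field's shape. The label `VLan` also breaks with the acronym used everywhere else; `|  VLAN:` would read as the standard form. Gating the whole Ethernet block on `mac1-term` alone is fine as long as `mac2-term` is never populated without it, which arrayPrint tolerates either way.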