Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 00:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Some test updates.

Browse source
This commit is contained in:
Seth Hall 2012-11-20 02:08:49 -05:00
parent 20fdd36a44
commit 08538211e1
13 changed files with 62 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/base/frameworks/metrics/main.bro
View file

@ -135,7 +135,7 @@ export {
measure: set[Calculation] &optional; measure: set[Calculation] &optional;
## A predicate so that you can decide per index if you would like ## A predicate so that you can decide per index if you would like
## to accept the data being inserted. ## to accept the data being inserted.
pred: function(index: Metrics::Index, data: DataPoint): bool &optional; pred: function(index: Metrics::Index, data: Metrics::DataPoint): bool &optional;
## A function to normalize the index. This can be used to aggregate or ## A function to normalize the index. This can be used to aggregate or
## normalize the entire index. ## normalize the entire index.
normalize_func: function(index: Metrics::Index): Index &optional; normalize_func: function(index: Metrics::Index): Index &optional;

4
scripts/policy/frameworks/metrics/conn-example.bro
View file

@ -16,6 +16,6 @@ event bro_init()
event connection_established(c: connection) event connection_established(c: connection)
{ {
Metrics::add_data("conns.originated", [$host=c$id$orig_h], 1); Metrics::add_data("conns.originated", [$host=c$id$orig_h], [$num=1]);
Metrics::add_data("conns.responded", [$host=c$id$resp_h], 1); Metrics::add_data("conns.responded", [$host=c$id$resp_h], [$num=1]);
} }

15
scripts/policy/frameworks/metrics/http-example.bro
View file

@ -6,15 +6,6 @@
@load base/protocols/http @load base/protocols/http
@load base/utils/site @load base/utils/site
redef enum Metrics::ID += {
## Measures HTTP requests indexed on both the request host and the response
## code from the server.
HTTP_REQUESTS_BY_STATUS_CODE,
## Currently unfinished and not working.
HTTP_REQUESTS_BY_HOST_HEADER,
};
event bro_init() event bro_init()
{ {
# TODO: these are waiting on a fix with table vals + records before they will work. # TODO: these are waiting on a fix with table vals + records before they will work.
@ -24,14 +15,14 @@ event bro_init()
# $break_interval=1min]); # $break_interval=1min]);
# Site::local_nets must be defined in order for this to actually do anything. # Site::local_nets must be defined in order for this to actually do anything.
Metrics::add_filter(HTTP_REQUESTS_BY_STATUS_CODE, [$aggregation_table=Site::local_nets_table, Metrics::add_filter("http.request.by_status_code", [$aggregation_table=Site::local_nets_table,
$break_interval=1min]); $break_interval=1min]);
} }
event HTTP::log_http(rec: HTTP::Info) event HTTP::log_http(rec: HTTP::Info)
{ {
if ( rec?$host ) if ( rec?$host )
Metrics::add_data(HTTP_REQUESTS_BY_HOST_HEADER, [$str=rec$host], 1); Metrics::add_data("http.request.by_host_header", [$str=rec$host], [$num=1]);
if ( rec?$status_code ) if ( rec?$status_code )
Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], 1); Metrics::add_data("http.request.by_status_code", [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], [$num=1]);
} }

10
scripts/policy/frameworks/metrics/ssl-example.bro
View file

@ -6,15 +6,11 @@
@load base/frameworks/metrics @load base/frameworks/metrics
@load base/protocols/ssl @load base/protocols/ssl
redef enum Metrics::ID += {
SSL_SERVERNAME,
};
event bro_init() event bro_init()
{ {
Metrics::add_filter(SSL_SERVERNAME, Metrics::add_filter("ssl.by_servername",
[$name="no-google-ssl-servers", [$name="no-google-ssl-servers",
$pred(index: Metrics::Index) = { $pred(index: Metrics::Index, data: Metrics::DataPoint) = {
return (/google\.com$/ !in index$str); return (/google\.com$/ !in index$str);
}, },
$break_interval=10secs $break_interval=10secs
@ -24,5 +20,5 @@ event bro_init()
event SSL::log_ssl(rec: SSL::Info) event SSL::log_ssl(rec: SSL::Info)
{ {
if ( rec?$server_name ) if ( rec?$server_name )
Metrics::add_data(SSL_SERVERNAME, [$str=rec$server_name], 1); Metrics::add_data("ssl.by_servername", [$str=rec$server_name], [$num=1]);
} }

3
scripts/policy/protocols/conn/conn-stats-per-host.bro
View file

@ -1,4 +1,7 @@
@load base/protocols/conn
@load base/frameworks/metrics
event bro_init() &priority=5 event bro_init() &priority=5
{ {
Metrics::add_filter("conn.orig.data", Metrics::add_filter("conn.orig.data",

9
scripts/policy/protocols/conn/metrics.bro
View file

@ -1,9 +1,10 @@
@load base/frameworks/metrics @load base/frameworks/metrics
@load base/utils/site
event bro_init() &priority=3 event bro_init() &priority=3
{ {
Metrics::add_filter("conns.country", [$break_interval=1hr]); Metrics::add_filter("conns.country", [$every=1hr, $measure=set(Metrics::SUM)]);
Metrics::add_filter("hosts.active", [$break_interval=1hr]); Metrics::add_filter("hosts.active", [$every=1hr, $measure=set(Metrics::SUM)]);
} }
event connection_established(c: connection) &priority=3 event connection_established(c: connection) &priority=3
@ -12,10 +13,10 @@ event connection_established(c: connection) &priority=3
{ {
local loc = lookup_location(c$id$resp_h); local loc = lookup_location(c$id$resp_h);
if ( loc?$country_code ) if ( loc?$country_code )
Metrics::add_data("conns.country", [$str=loc$country_code], 1); Metrics::add_data("conns.country", [$str=loc$country_code], [$num=1]);
} }
local the_host = Site::is_local_addr(c$id$orig_h) ? c$id$orig_h : c$id$resp_h; local the_host = Site::is_local_addr(c$id$orig_h) ? c$id$orig_h : c$id$resp_h;
# There is no index for this. # There is no index for this.
Metrics::add_unique("hosts.active", [], cat(the_host)); Metrics::add_data("hosts.active", [], [$str=cat(the_host)]);
} }

4
scripts/policy/protocols/conn/scan.bro
View file

@ -4,10 +4,12 @@
##! Seth Hall ##! Seth Hall
##! All the authors of the old scan.bro ##! All the authors of the old scan.bro
@load base/frameworks/notice
@load base/frameworks/metrics
module Scan; module Scan;
export { export {
redef enum Notice::Type += { redef enum Notice::Type += {
AddressScan, AddressScan,
PortScan, PortScan,

27
scripts/policy/protocols/smtp/metrics.bro
View file

@ -2,31 +2,36 @@
##! "How many unique 'MAIL FROM' addresses are being used by local mail servers per hour?" ##! "How many unique 'MAIL FROM' addresses are being used by local mail servers per hour?"
##! "How much mail is being sent from each local mail server per hour?" ##! "How much mail is being sent from each local mail server per hour?"
@load base/protocols/smtp
@load base/frameworks/metrics @load base/frameworks/metrics
@load base/utils/site
@load base/utils/directions-and-hosts
module SMTPMetrics; module SMTPMetrics;
export { export {
## Define the break intervals for all of the metrics collected and logged by this script. ## Define the break intervals for all of the metrics collected and logged by this script.
const breaks = 1hr &redef; const breaks=1hr &redef;
} }
event bro_init() &priority=5 event bro_init() &priority=5
{ {
Metrics::add_filter("smtp.mailfrom", [$pred(index: Metrics::Index) = { Metrics::add_filter("smtp.mailfrom", [$every=breaks,
return addr_matches_host(index$host, LOCAL_HOSTS); }, $measure=set(Metrics::SUM),
$break_interval=breaks]); $pred(index: Metrics::Index, data: Metrics::DataPoint) = {
Metrics::add_filter("smtp.messages", [$pred(index: Metrics::Index) = { return addr_matches_host(index$host, LOCAL_HOSTS);
return addr_matches_host(index$host, LOCAL_HOSTS); }, }]);
$break_interval=breaks]); Metrics::add_filter("smtp.messages", [$every=breaks,
$measure=set(Metrics::SUM),
$pred(index: Metrics::Index, data: Metrics::DataPoint) = {
return addr_matches_host(index$host, LOCAL_HOSTS);
}]);
} }
event SMTP::log_smtp(rec: SMTP::Info) event SMTP::log_smtp(rec: SMTP::Info)
{ {
Metrics::add_data("smtp.messages", [$host=rec$id$orig_h], 1); Metrics::add_data("smtp.messages", [$host=rec$id$orig_h], [$num=1]);
if ( rec?$mailfrom ) if ( rec?$mailfrom )
Metrics::add_unique("smtp.mailfrom", [$host=rec$id$orig_h], rec$mailfrom); Metrics::add_data("smtp.mailfrom", [$host=rec$id$orig_h], [$str=rec$mailfrom]);
} }

5
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -3,7 +3,7 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path loaded_scripts #path loaded_scripts
#open 2012-11-05-23-29-45 #open 2012-11-20-06-11-08
#fields name #fields name
#types string #types string
scripts/base/init-bare.bro scripts/base/init-bare.bro
@ -38,6 +38,7 @@ scripts/base/init-default.bro
scripts/base/utils/files.bro scripts/base/utils/files.bro
scripts/base/utils/numbers.bro scripts/base/utils/numbers.bro
scripts/base/utils/paths.bro scripts/base/utils/paths.bro
scripts/base/utils/queue.bro
scripts/base/utils/strings.bro scripts/base/utils/strings.bro
scripts/base/utils/thresholds.bro scripts/base/utils/thresholds.bro
scripts/base/utils/urls.bro scripts/base/utils/urls.bro
@ -118,4 +119,4 @@ scripts/base/init-default.bro
scripts/base/protocols/syslog/./main.bro scripts/base/protocols/syslog/./main.bro
scripts/base/misc/find-checksum-offloading.bro scripts/base/misc/find-checksum-offloading.bro
scripts/policy/misc/loaded-scripts.bro scripts/policy/misc/loaded-scripts.bro
#close 2012-11-05-23-29-45 #close 2012-11-20-06-11-08

14
testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
View file

@ -3,10 +3,10 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path metrics #path metrics
#open 2012-07-20-01-50-41 #open 2012-11-20-06-46-51
#fields ts metric_id filter_name index.host index.str index.network value #fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique
#types time enum string addr string subnet count #types time interval string string string addr subnet time count double double double double double double count
1342749041.601712 TEST_METRIC foo-bar 6.5.4.3 - - 4 1353394011.192622 3.000000 default test.metric - 6.5.4.3 - - 2 6.0 1.0 5.0 3.0 4.0 2.0 -
1342749041.601712 TEST_METRIC foo-bar 7.2.1.5 - - 2 1353394011.192622 3.000000 default test.metric - 1.2.3.4 - - 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 -
1342749041.601712 TEST_METRIC foo-bar 1.2.3.4 - - 6 1353394011.192622 3.000000 default test.metric - 7.2.1.5 - - 2 145.0 54.0 91.0 72.5 342.25 18.5 -
#close 2012-07-20-01-50-49 #close 2012-11-20-06-46-51

10
testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2012-07-20-01-51-18 #open 2012-11-20-06-46-22
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet #types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1342749078.270791 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - 1353393982.260495 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-07-20-01-51-27 #close 2012-11-20-06-46-22

10
testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2012-07-20-01-51-36 #open 2012-11-20-06-45-52
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet #types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1342749096.545663 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - 1353393952.489496 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-07-20-01-51-45 #close 2012-11-20-06-45-56

10
testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2012-10-05-21-45-15 #open 2012-11-20-06-09-07
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet #types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 6 3600.000000 F - - - - - - - - 1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-10-05-21-45-15 #close 2012-11-20-06-09-07