Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add btests for the lookup_connection_analyzer_id() BiF.

Browse source
This commit is contained in:
Christian Kreibich 2024-05-23 17:15:02 -07:00
parent 3e97ec39b8
commit 09b70879b0
4 changed files with 56 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
testing/btest/Baseline/bifs.disable_analyzer-for-conn-2/output Normal file
View file

@ -0,0 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

1
testing/btest/Baseline/bifs.disable_analyzer-for-conn-3/output Normal file
View file

@ -0,0 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

3
testing/btest/Baseline/bifs.disable_analyzer-for-conn/output Normal file
View file

@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
Analyzer::ANALYZER_HTTP
Analyzer::ANALYZER_HTTP

51
testing/btest/bifs/disable_analyzer-for-conn.zeek Normal file
View file

@ -0,0 +1,51 @@
# Verifies analyzer ID retrieval from a connection.
#
# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT >output
# @TEST-EXEC: btest-diff output
# This first test should trigger two analyzer violations since the given pcap
# has non-HTTP content on port 80, which triggers one violation each for the
# missing request and response lines.
@load base/protocols/http
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
{
print atype;
}
# @TEST-START-NEXT
# This one should not trigger violations since we suppress HTTP analysis when
# the TCP connection establishes.
@load base/protocols/http
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
{
print atype;
}
event connection_established(c: connection)
{
local aid = lookup_connection_analyzer_id(c$id, Analyzer::ANALYZER_HTTP);
if ( aid > 0 )
disable_analyzer(c$id, aid, T, T);
}
# @TEST-START-NEXT
# This one validates the return values of analyzer ID lookup calls for valid &
# invalid connection IDs and analyzers.
@load base/protocols/http
event connection_established(c: connection)
{
assert lookup_connection_analyzer_id(c$id, Analyzer::ANALYZER_HTTP) != 0;
local wrong_cid = copy(c$id);
wrong_cid$orig_h = 1.2.3.4;
assert lookup_connection_analyzer_id(wrong_cid, Analyzer::ANALYZER_HTTP) == 0;
}