Merge branch 'topic/jgras/connection-packet-threshold' of https://github.com/J-Gras/zeek

* 'topic/jgras/connection-packet-threshold' of https://github.com/J-Gras/zeek: Add NEWS entry for generic packet thresholds Allow for multiple generic packet thresholds Add btest for conn_generic_packet_threshold_crossed event Update dump-events btest baseline Add conn_generic_packet_threshold_crossed event
2025-10-02 06:38:20 +00:00 · 2025-07-08 17:53:56 +02:00 · 2025-07-08 17:53:56 +02:00 · 0c60f2a70a
commit 0c60f2a70a
parent 8ba77da152 50ab72efc2
11 changed files with 140 additions and 2 deletions
--- a/testing/btest/Baseline/core.conn-generic-packet-threshold/out
+++ b/testing/btest/Baseline/core.conn-generic-packet-threshold/out
@ -0,0 +1,17 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+=== Generic threshold crossed ===
+new_connection: [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]]
+conn_generic_packet_threshold_crossed: [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]] at 5
+new_connection: [orig_h=192.168.170.8, orig_p=32795/udp, resp_h=192.168.170.20, resp_p=53/udp, proto=17, ctx=[]]
+conn_generic_packet_threshold_crossed: [orig_h=192.168.170.8, orig_p=32795/udp, resp_h=192.168.170.20, resp_p=53/udp, proto=17, ctx=[]] at 5
+new_connection: [orig_h=192.168.170.8, orig_p=32795/udp, resp_h=192.168.170.20, resp_p=53/udp, proto=17, ctx=[]]
+conn_generic_packet_threshold_crossed: [orig_h=192.168.170.8, orig_p=32795/udp, resp_h=192.168.170.20, resp_p=53/udp, proto=17, ctx=[]] at 5
+new_connection: [orig_h=192.168.170.8, orig_p=0/unknown, resp_h=192.168.170.56, resp_p=0/unknown, proto=132, ctx=[]]
+conn_generic_packet_threshold_crossed: [orig_h=192.168.170.8, orig_p=0/unknown, resp_h=192.168.170.56, resp_p=0/unknown, proto=132, ctx=[]] at 5
+new_connection: [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]]
+conn_generic_packet_threshold_crossed: [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]] at 5
+conn_generic_packet_threshold_crossed: [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]] at 10
+=== Generic threshold not crossed ===
+new_connection: [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]]
+new_connection: [orig_h=10.87.3.74, orig_p=51871/udp, resp_h=10.87.1.10, resp_p=53/udp, proto=17, ctx=[]]
+new_connection: [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]]
--- a/testing/btest/core/conn-generic-packet-threshold.zeek
+++ b/testing/btest/core/conn-generic-packet-threshold.zeek
@ -0,0 +1,19 @@
+# @TEST-EXEC: echo "=== Generic threshold crossed ===" > out
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/get.trace %INPUT >> out
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns/long-connection.pcap %INPUT >> out
+# @TEST-EXEC: zeek -b -C -r $TRACES/communityid/sctp.pcap %INPUT >> out
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/get.trace %INPUT ConnThreshold::generic_packet_thresholds+={10} >> out
+# @TEST-EXEC: echo "=== Generic threshold not crossed ===" >> out
+# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/syn.pcap %INPUT >> out
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dns-binds.pcap %INPUT >> out
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/get.trace %INPUT ConnThreshold::generic_packet_thresholds={15} >> out
+
+# @TEST-EXEC: btest-diff out
+
+redef ConnThreshold::generic_packet_thresholds = {5};
+
+event new_connection(c: connection)
+	{ print fmt("new_connection: %s", c$id); }
+
+event conn_generic_packet_threshold_crossed(c: connection, threshold: count)
+	{ print fmt("conn_generic_packet_threshold_crossed: %s at %d", c$id, threshold); }