Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 10:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'master' into topic/robin/dnp3-merge-v3

Browse source 
Conflicts:
	scripts/base/init-default.bro
This commit is contained in:
Robin Sommer 2013-08-09 17:11:51 -07:00
commit 0e7f51f78c
90 changed files with 1841 additions and 923 deletions
Download patch file Download diff file Expand all files Collapse all files

10
testing/btest/Baseline/core.print-bpf-filters/output2
View file

@ -26,6 +26,8 @@
1 6667
1 6668
1 6669
1 67
1 68
1 80
1 8000
1 8080
@ -36,8 +38,8 @@
1 992
1 993
1 995
40 and
39 or
40 port
42 and
41 or
42 port
31 tcp
9 udp
11 udp

6
testing/btest/Baseline/core.tunnels.teredo/conn.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2008-05-16-15-50-57
#open 2013-08-04-03-28-45
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1210953047.736921 arKYeMETxOg 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - 0 fA 1 40 1 40 (empty)
@ -21,10 +21,10 @@
1210953074.570439 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 tcp http 0.466677 469 3916 SF - 0 ShADadFf 7 757 6 4164 (empty)
1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 udp teredo 8.928880 129 48 SF - 0 Dd 2 185 1 76 (empty)
1210953060.829233 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 udp teredo 13.293994 2359 11243 SF - 0 Dd 12 2695 13 11607 (empty)
1210953058.933954 iE6yhOq3SF 0.0.0.0 68 255.255.255.255 67 udp - - - - S0 - 0 D 1 328 0 0 (empty)
1210953058.933954 iE6yhOq3SF 0.0.0.0 68 255.255.255.255 67 udp dhcp - - - S0 - 0 D 1 328 0 0 (empty)
1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - 0 d 0 0 1 137 (empty)
1210953046.591933 UWkUyAuUGXf 192.168.2.16 138 192.168.2.255 138 udp - 28.448321 416 0 S0 - 0 D 2 472 0 0 (empty)
1210953052.324629 FrJExwHcSal fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - 0 - 1 88 0 0 TEfuqmmG4bh
1210953060.829303 qCaWGmzFtM5 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.463615 4 4 OTH - 0 - 1 52 1 52 GSxOnSLghOa,nQcgTWjvg4c
1210953052.202579 j4u32Pc5bif fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - 0 - 1 64 0 0 nQcgTWjvg4c
#close 2008-05-16-15-51-16
#close 2013-08-04-03-28-45

15
testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2013-07-29-22-37-52
#open 2013-08-09-16-13-58
#fields name
#types string
scripts/base/init-bare.bro
@ -23,28 +23,28 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro
build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro
build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro
build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro
build/scripts/base/bif/plugins/Bro_File.events.bif.bro
build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro
build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro
build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro
build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro
build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro
build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro
build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro
build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro
build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
build/scripts/base/bif/plugins/Bro_Login.events.bif.bro
build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro
build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro
build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro
@ -91,6 +91,7 @@ scripts/base/init-bare.bro
scripts/base/utils/site.bro
scripts/base/utils/patterns.bro
build/scripts/base/bif/__load__.bro
build/scripts/base/bif/top-k.bif.bro
scripts/policy/misc/loaded-scripts.bro
scripts/base/utils/paths.bro
#close 2013-07-29-22-37-52
#close 2013-08-09-16-13-58

20
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2013-07-29-22-37-53
#open 2013-08-09-16-13-37
#fields name
#types string
scripts/base/init-bare.bro
@ -23,28 +23,28 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro
build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro
build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro
build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro
build/scripts/base/bif/plugins/Bro_File.events.bif.bro
build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro
build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro
build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro
build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro
build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro
build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro
build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro
build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro
build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
build/scripts/base/bif/plugins/Bro_Login.events.bif.bro
build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro
build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro
build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro
@ -91,6 +91,7 @@ scripts/base/init-bare.bro
scripts/base/utils/site.bro
scripts/base/utils/patterns.bro
build/scripts/base/bif/__load__.bro
build/scripts/base/bif/top-k.bif.bro
scripts/base/init-default.bro
scripts/base/utils/active-http.bro
scripts/base/utils/exec.bro
@ -147,6 +148,7 @@ scripts/base/init-default.bro
scripts/base/frameworks/sumstats/plugins/std-dev.bro
scripts/base/frameworks/sumstats/plugins/variance.bro
scripts/base/frameworks/sumstats/plugins/sum.bro
scripts/base/frameworks/sumstats/plugins/topk.bro
scripts/base/frameworks/sumstats/plugins/unique.bro
scripts/base/frameworks/sumstats/non-cluster.bro
scripts/base/frameworks/tunnels/__load__.bro
@ -156,6 +158,10 @@ scripts/base/init-default.bro
scripts/base/protocols/conn/contents.bro
scripts/base/protocols/conn/inactivity.bro
scripts/base/protocols/conn/polling.bro
scripts/base/protocols/dhcp/__load__.bro
scripts/base/protocols/dhcp/consts.bro
scripts/base/protocols/dhcp/main.bro
scripts/base/protocols/dhcp/utils.bro
scripts/base/protocols/dns/__load__.bro
scripts/base/protocols/dns/consts.bro
scripts/base/protocols/dns/main.bro
@ -202,4 +208,4 @@ scripts/base/init-default.bro
scripts/base/files/extract/main.bro
scripts/base/misc/find-checksum-offloading.bro
scripts/policy/misc/loaded-scripts.bro
#close 2013-07-29-22-37-53
#close 2013-08-09-16-13-37

2
testing/btest/Baseline/scripts.base.frameworks.sumstats.cluster-intermediate-update/manager-1..stdout
View file

@ -1,3 +1,3 @@
A test metric threshold was crossed with a value of: 101.0
End of epoch handler was called
101.0
End of epoch handler was called

2
testing/btest/Baseline/scripts.base.frameworks.sumstats.on-demand-cluster/manager-1..stdout Normal file
View file

@ -0,0 +1,2 @@
SumStat key request
Host: 7.2.1.5 -> 145

2
testing/btest/Baseline/scripts.base.frameworks.sumstats.on-demand/.stdout Normal file
View file

@ -0,0 +1,2 @@
Key request for 1.2.3.4
Host: 1.2.3.4 -> 42

8
testing/btest/Baseline/scripts.base.frameworks.sumstats.sample-cluster/manager-1..stdout Normal file
View file

@ -0,0 +1,8 @@
Host: 6.5.4.3 Sampled observations: 2
[2, 5]
Host: 10.10.10.10 Sampled observations: 1
[5]
Host: 1.2.3.4 Sampled observations: 34
[5, 22, 52, 91, 94]
Host: 7.2.1.5 Sampled observations: 2
[1, 91]

18
testing/btest/Baseline/scripts.base.frameworks.sumstats.sample-cluster/out
View file

@ -1,18 +0,0 @@
1
1.2.3.4
10.10.10.10
2
2
34
6.5.4.3
7.2.1.5
[num=1, dbl=<uninitialized>, str=<uninitialized>]
[num=2, dbl=<uninitialized>, str=<uninitialized>]
[num=22, dbl=<uninitialized>, str=<uninitialized>]
[num=5, dbl=<uninitialized>, str=<uninitialized>]
[num=5, dbl=<uninitialized>, str=<uninitialized>]
[num=5, dbl=<uninitialized>, str=<uninitialized>]
[num=52, dbl=<uninitialized>, str=<uninitialized>]
[num=91, dbl=<uninitialized>, str=<uninitialized>]
[num=91, dbl=<uninitialized>, str=<uninitialized>]
[num=94, dbl=<uninitialized>, str=<uninitialized>]

10
testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/dhcp.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dhcp
#open 2013-07-31-21-00-49
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id
#types time string addr port addr port string addr interval count
1370200444.371332 nQcgTWjvg4c 128.2.6.189 68 128.2.6.152 67 90:b1:1c:99:49:29 128.2.6.189 900.000000 1984
#close 2013-07-31-21-00-50

10
testing/btest/Baseline/scripts.base.protocols.dhcp.inform/dhcp.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dhcp
#open 2013-08-03-01-18-52
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id
#types time string addr port addr port string addr interval count
1374432420.191205 UWkUyAuUGXf 128.2.6.122 68 128.2.6.152 67 90:b1:1c:99:49:29 128.2.6.122 0.000000 2754407505
#close 2013-08-03-01-18-52

1
testing/btest/Baseline/scripts.base.utils.exec/bro..stdout
View file

@ -3,5 +3,4 @@ test1, [exit_code=0, signal_exit=F, stdout=[done, exit, stop], stderr=<uninitial
[out2] = [insert more text here, and there]
}]
test2, [exit_code=1, signal_exit=F, stdout=[here's something on stdout, some more stdout, last stdout], stderr=[and some stderr, more stderr, last stderr], files=<uninitialized>]
test3, [exit_code=9, signal_exit=F, stdout=[FML], stderr=<uninitialized>, files=<uninitialized>]
test4, [exit_code=0, signal_exit=F, stdout=[hibye], stderr=<uninitialized>, files=<uninitialized>]

11
testing/btest/Baseline/scripts.policy.protocols.dhcp.known-devices-and-hostnames.basic/known_devices.log Normal file
View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path known_devices
#open 2013-07-31-21-27-41
#fields ts mac dhcp_host_name
#types time string string
1370200443.344965 90:b1:1c:99:49:29 btest.is.cool
1374432420.186878 90:b1:1c:99:49:29 (empty)
#close 2013-07-31-21-27-41

BIN
testing/btest/Traces/dhcp/dhcp.trace Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/dhcp/dhcp_inform.trace Normal file
View file

Binary file not shown.

16
testing/btest/core/leaks/basic-cluster.bro
View file

@ -26,16 +26,16 @@ global n = 0;
event bro_init() &priority=5
{
local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE)];
SumStats::create([$epoch=5secs,
SumStats::create([$name="test",
$epoch=5secs,
$reducers=set(r1),
$epoch_finished(rt: SumStats::ResultTable) =
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
{
local r = result["test"];
print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique);
},
$epoch_finished(ts: time) =
{
for ( key in rt )
{
local r = rt[key]["test"];
print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique);
}
terminate();
}]);
}

1
testing/btest/scripts/base/frameworks/input/raw/executestdin.bro
View file

@ -39,6 +39,5 @@ event bro_init()
try = 0;
outfile = open("../out");
Input::add_event([$source="cat > ../test.txt |", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line, $want_record=F, $config=config_strings]);
Input::remove("input");
Input::add_event([$source="cat |", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input2", $fields=Val, $ev=line, $want_record=F, $config=config_strings]);
}

16
testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro
View file

@ -23,16 +23,16 @@ global n = 0;
event bro_init() &priority=5
{
local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE)];
SumStats::create([$epoch=5secs,
SumStats::create([$name="test",
$epoch=5secs,
$reducers=set(r1),
$epoch_finished(rt: SumStats::ResultTable) =
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
{
local r = result["test"];
print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique);
},
$epoch_finished(ts: time) =
{
for ( key in rt )
{
local r = rt[key]["test"];
print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique);
}
terminate();
}]);
}

18
testing/btest/scripts/base/frameworks/sumstats/basic.bro
View file

@ -11,16 +11,14 @@ event bro_init() &priority=5
SumStats::MIN,
SumStats::STD_DEV,
SumStats::UNIQUE)];
SumStats::create([$epoch=3secs,
$reducers=set(r1),
$epoch_finished(data: SumStats::ResultTable) =
{
for ( key in data )
{
local r = data[key]["test.metric"];
print fmt("Host: %s - num:%d - sum:%.1f - var:%.1f - avg:%.1f - max:%.1f - min:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$variance, r$average, r$max, r$min, r$std_dev, r$unique);
}
}
SumStats::create([$name="test",
$epoch=3secs,
$reducers=set(r1),
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
{
local r = result["test.metric"];
print fmt("Host: %s - num:%d - sum:%.1f - var:%.1f - avg:%.1f - max:%.1f - min:%.1f - std_dev:%.1f - unique:%d", key$host, r$num, r$sum, r$variance, r$average, r$max, r$min, r$std_dev, r$unique);
}
]);
SumStats::observe("test.metric", [$host=1.2.3.4], [$num=5]);

23
testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro
View file

@ -20,20 +20,23 @@ redef Log::default_rotation_interval = 0secs;
event bro_init() &priority=5
{
local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)];
SumStats::create([$epoch=10secs,
SumStats::create([$name="test",
$epoch=10secs,
$reducers=set(r1),
$epoch_finished(data: SumStats::ResultTable) =
{
print "End of epoch handler was called";
for ( res in data )
print data[res]["test.metric"]$sum;
terminate();
},
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
{
print result["test.metric"]$sum;
},
$epoch_finished(ts: time) =
{
print "End of epoch handler was called";
terminate();
},
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return double_to_count(result["test.metric"]$sum);
return result["test.metric"]$sum;
},
$threshold=100,
$threshold=100.0,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
print fmt("A test metric threshold was crossed with a value of: %.1f", result["test.metric"]$sum);

96
testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro Normal file
View file

@ -0,0 +1,96 @@
# @TEST-SERIALIZE: comm
#
# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
# @TEST-EXEC: sleep 1
# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
# @TEST-EXEC: btest-bg-wait 15
# @TEST-EXEC: btest-diff manager-1/.stdout
@TEST-START-FILE cluster-layout.bro
redef Cluster::nodes = {
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"],
["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"],
};
@TEST-END-FILE
redef Log::default_rotation_interval = 0secs;
global n = 0;
event bro_init() &priority=5
{
local r1 = SumStats::Reducer($stream="test", $apply=set(SumStats::SUM, SumStats::MIN, SumStats::MAX, SumStats::AVERAGE, SumStats::STD_DEV, SumStats::VARIANCE, SumStats::UNIQUE));
SumStats::create([$name="test sumstat",
$epoch=1hr,
$reducers=set(r1)]);
}
event remote_connection_closed(p: event_peer)
{
terminate();
}
global ready_for_data: event();
redef Cluster::manager2worker_events += /^ready_for_data$/;
event ready_for_data()
{
if ( Cluster::node == "worker-1" )
{
SumStats::observe("test", [$host=1.2.3.4], [$num=34]);
SumStats::observe("test", [$host=1.2.3.4], [$num=30]);
SumStats::observe("test", [$host=6.5.4.3], [$num=1]);
SumStats::observe("test", [$host=7.2.1.5], [$num=54]);
}
if ( Cluster::node == "worker-2" )
{
SumStats::observe("test", [$host=1.2.3.4], [$num=75]);
SumStats::observe("test", [$host=1.2.3.4], [$num=30]);
SumStats::observe("test", [$host=7.2.1.5], [$num=91]);
SumStats::observe("test", [$host=10.10.10.10], [$num=5]);
}
}
event on_demand2()
{
local host = 7.2.1.5;
when ( local result = SumStats::request_key("test sumstat", [$host=host]) )
{
print "SumStat key request";
if ( "test" in result )
print fmt(" Host: %s -> %.0f", host, result["test"]$sum);
terminate();
}
}
event on_demand()
{
#when ( local results = SumStats::request("test sumstat") )
# {
# print "Complete SumStat request";
# print fmt(" Host: %s -> %.0f", 6.5.4.3, results[[$host=6.5.4.3]]["test"]$sum);
# print fmt(" Host: %s -> %.0f", 10.10.10.10, results[[$host=10.10.10.10]]["test"]$sum);
# print fmt(" Host: %s -> %.0f", 1.2.3.4, results[[$host=1.2.3.4]]["test"]$sum);
# print fmt(" Host: %s -> %.0f", 7.2.1.5, results[[$host=7.2.1.5]]["test"]$sum);
event on_demand2();
# }
}
global peer_count = 0;
event remote_connection_handshake_done(p: event_peer) &priority=-5
{
++peer_count;
if ( peer_count == 2 )
{
if ( Cluster::local_node_type() == Cluster::MANAGER )
event ready_for_data();
schedule 1sec { on_demand() };
}
}

46
testing/btest/scripts/base/frameworks/sumstats/on-demand.bro Normal file
View file

@ -0,0 +1,46 @@
# @TEST-EXEC: bro %INPUT
# @TEST-EXEC: btest-diff .stdout
redef exit_only_after_terminate=T;
## Requesting a full sumstats resulttable is not supported yet.
#event on_demand()
# {
# when ( local results = SumStats::request("test") )
# {
# print "Complete SumStat request";
# for ( key in results )
# {
# print fmt(" Host: %s -> %.0f", key$host, results[key]["test.reducer"]$sum);
# }
# }
# }
event on_demand_key()
{
local host = 1.2.3.4;
when ( local result = SumStats::request_key("test", [$host=host]) )
{
print fmt("Key request for %s", host);
print fmt(" Host: %s -> %.0f", host, result["test.reducer"]$sum);
terminate();
}
}
event bro_init() &priority=5
{
local r1: SumStats::Reducer = [$stream="test.reducer",
$apply=set(SumStats::SUM)];
SumStats::create([$name="test",
$epoch=1hr,
$reducers=set(r1)]);
# Seed some data but notice there are no callbacks defined in the sumstat!
SumStats::observe("test.reducer", [$host=1.2.3.4], [$num=42]);
SumStats::observe("test.reducer", [$host=4.3.2.1], [$num=7]);
#schedule 0.1 secs { on_demand() };
schedule 1 secs { on_demand_key() };
}

28
testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro
View file

@ -5,8 +5,7 @@
# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
# @TEST-EXEC: btest-bg-wait 15
# @TEST-EXEC: cat manager-1/.stdout | sort > out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff manager-1/.stdout
@TEST-START-FILE cluster-layout.bro
redef Cluster::nodes = {
@ -18,25 +17,24 @@ redef Cluster::nodes = {
redef Log::default_rotation_interval = 0secs;
global n = 0;
event bro_init() &priority=5
{
local r1: SumStats::Reducer = [$stream="test", $apply=set(SumStats::SAMPLE), $num_samples=5];
SumStats::create([$epoch=5secs,
SumStats::create([$name="test",
$epoch=5secs,
$reducers=set(r1),
$epoch_finished(rt: SumStats::ResultTable) =
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
{
for ( key in rt )
{
print key$host;
local r = rt[key]["test"];
for ( sample in r$samples ) {
print r$samples[sample];
}
print r$sample_elements;
}
local r = result["test"];
print fmt("Host: %s Sampled observations: %d", key$host, r$sample_elements);
local sample_nums: vector of count = vector();
for ( sample in r$samples )
sample_nums[|sample_nums|] =r$samples[sample]$num;
print fmt(" %s", sort(sample_nums));
},
$epoch_finished(ts: time) =
{
terminate();
}]);
}

23
testing/btest/scripts/base/frameworks/sumstats/sample.bro
View file

@ -5,19 +5,16 @@ event bro_init() &priority=5
{
local r1: SumStats::Reducer = [$stream="test.metric",
$apply=set(SumStats::SAMPLE), $num_samples=2];
SumStats::create([$epoch=3secs,
$reducers=set(r1),
$epoch_finished(data: SumStats::ResultTable) =
{
for ( key in data )
{
print key$host;
local r = data[key]["test.metric"];
print r$samples;
print r$sample_elements;
}
}
]);
SumStats::create([$name="test",
$epoch=3secs,
$reducers=set(r1),
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
{
print key$host;
local r = result["test.metric"];
print r$samples;
print r$sample_elements;
}]);
SumStats::observe("test.metric", [$host=1.2.3.4], [$num=5]);
SumStats::observe("test.metric", [$host=1.2.3.4], [$num=22]);

23
testing/btest/scripts/base/frameworks/sumstats/thresholding.bro
View file

@ -8,14 +8,15 @@ redef enum Notice::Type += {
event bro_init() &priority=5
{
local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)];
SumStats::create([$epoch=3secs,
SumStats::create([$name="test1",
$epoch=3secs,
$reducers=set(r1),
#$threshold_val = SumStats::sum_threshold("test.metric"),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return double_to_count(result["test.metric"]$sum);
return result["test.metric"]$sum;
},
$threshold=5,
$threshold=5.0,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["test.metric"];
@ -24,14 +25,15 @@ event bro_init() &priority=5
]);
local r2: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)];
SumStats::create([$epoch=3secs,
SumStats::create([$name="test2",
$epoch=3secs,
$reducers=set(r2),
#$threshold_val = SumStats::sum_threshold("test.metric"),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return double_to_count(result["test.metric"]$sum);
return result["test.metric"]$sum;
},
$threshold_series=vector(3,6,800),
$threshold_series=vector(3.0,6.0,800.0),
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["test.metric"];
@ -41,19 +43,20 @@ event bro_init() &priority=5
local r3: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)];
local r4: SumStats::Reducer = [$stream="test.metric2", $apply=set(SumStats::SUM)];
SumStats::create([$epoch=3secs,
SumStats::create([$name="test3",
$epoch=3secs,
$reducers=set(r3, r4),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
# Calculate a ratio between sums of two reducers.
if ( "test.metric2" in result && "test.metric" in result &&
result["test.metric"]$sum > 0 )
return double_to_count(result["test.metric2"]$sum / result["test.metric"]$sum);
return result["test.metric2"]$sum / result["test.metric"]$sum;
else
return 0;
return 0.0;
},
# Looking for metric2 sum to be 5 times the sum of metric
$threshold=5,
$threshold=5.0,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local thold = result["test.metric2"]$sum / result["test.metric"]$sum;

39
testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro
View file

@ -23,27 +23,24 @@ event bro_init() &priority=5
{
local r1: SumStats::Reducer = [$stream="test.metric",
$apply=set(SumStats::TOPK)];
SumStats::create([$epoch=5secs,
$reducers=set(r1),
$epoch_finished(data: SumStats::ResultTable) =
{
for ( key in data )
{
local r = data[key]["test.metric"];
local s: vector of SumStats::Observation;
s = topk_get_top(r$topk, 5);
print fmt("Top entries for key %s", key$str);
for ( element in s )
{
print fmt("Num: %d, count: %d, epsilon: %d", s[element]$num, topk_count(r$topk, s[element]), topk_epsilon(r$topk, s[element]));
}
terminate();
}
}
]);
SumStats::create([$name="topk-test",
$epoch=5secs,
$reducers=set(r1),
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
{
local r = result["test.metric"];
local s: vector of SumStats::Observation;
s = topk_get_top(r$topk, 5);
print fmt("Top entries for key %s", key$str);
for ( element in s )
{
print fmt("Num: %d, count: %d, epsilon: %d", s[element]$num, topk_count(r$topk, s[element]), topk_epsilon(r$topk, s[element]));
}
},
$epoch_finished(ts: time) =
{
terminate();
}]);
}

35
testing/btest/scripts/base/frameworks/sumstats/topk.bro
View file

@ -5,26 +5,21 @@ event bro_init() &priority=5
{
local r1: SumStats::Reducer = [$stream="test.metric",
$apply=set(SumStats::TOPK)];
SumStats::create([$epoch=3secs,
$reducers=set(r1),
$epoch_finished(data: SumStats::ResultTable) =
{
for ( key in data )
{
local r = data[key]["test.metric"];
local s: vector of SumStats::Observation;
s = topk_get_top(r$topk, 5);
print fmt("Top entries for key %s", key$str);
for ( element in s )
{
print fmt("Num: %d, count: %d, epsilon: %d", s[element]$num, topk_count(r$topk, s[element]), topk_epsilon(r$topk, s[element]));
}
}
}
]);
SumStats::create([$name="topk-test",
$epoch=3secs,
$reducers=set(r1),
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
{
local r = result["test.metric"];
local s: vector of SumStats::Observation;
s = topk_get_top(r$topk, 5);
print fmt("Top entries for key %s", key$str);
for ( element in s )
{
print fmt("Num: %d, count: %d, epsilon: %d", s[element]$num, topk_count(r$topk, s[element]), topk_epsilon(r$topk, s[element]));
}
}]);
const loop_v: vector of count = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100};

6
testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.btest Normal file
View file

@ -0,0 +1,6 @@
# This tests that DHCP leases are logged in dhcp.log
# The trace has a message of each DHCP message type,
# but only one lease should show up in the logs.
# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp.trace %INPUT
# @TEST-EXEC: btest-diff dhcp.log

5
testing/btest/scripts/base/protocols/dhcp/inform.test Normal file
View file

@ -0,0 +1,5 @@
# DHCPINFORM leases are special-cased in the code.
# This tests that those leases are correctly logged.
# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_inform.trace %INPUT
# @TEST-EXEC: btest-diff dhcp.log

3
testing/btest/scripts/base/utils/active-http.test
View file

@ -1,4 +1,3 @@
# @TEST-REQUIRES: which httpd
# @TEST-REQUIRES: which python
#
# @TEST-EXEC: btest-bg-run httpd python $SCRIPTS/httpd.py --max 1
@ -8,7 +7,7 @@
# @TEST-EXEC: btest-diff bro/.stdout
@load base/utils/active-http
@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats...
redef exit_only_after_terminate = T;
event bro_init()

14
testing/btest/scripts/base/utils/dir.test
View file

@ -1,11 +1,11 @@
# @TEST-EXEC: btest-bg-run bro bro -b ../dirtest.bro
# @TEST-EXEC: btest-bg-wait 10
# @TEST-EXEC: btest-bg-wait 15
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stdout
@TEST-START-FILE dirtest.bro
@load base/utils/dir
@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats...
redef exit_only_after_terminate = T;
global c: count = 0;
@ -33,14 +33,20 @@ function new_file2(fname: string)
event change_things()
{
system("touch ../testdir/newone");
system("rm ../testdir/bye && touch ../testdir/bye");
system("rm ../testdir/bye");
}
event change_things2()
{
system("touch ../testdir/bye");
}
event bro_init()
{
Dir::monitor("../testdir", new_file1, .5sec);
Dir::monitor("../testdir", new_file2, 1sec);
schedule 1sec { change_things() };
schedule 3sec { change_things() };
schedule 6sec { change_things2() };
}
@TEST-END-FILE

9
testing/btest/scripts/base/utils/exec.test
View file

@ -1,11 +1,11 @@
# @TEST-EXEC: btest-bg-run bro bro -b ../exectest.bro
# @TEST-EXEC: btest-bg-wait 10
# @TEST-EXEC: btest-bg-wait 15
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stdout
@TEST-START-FILE exectest.bro
@load base/utils/exec
@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats...
redef exit_only_after_terminate = T;
global c: count = 0;
@ -14,7 +14,7 @@ function check_exit_condition()
{
c += 1;
if ( c == 4 )
if ( c == 3 )
terminate();
}
@ -32,7 +32,8 @@ event bro_init()
test_cmd("test1", [$cmd="bash ../somescript.sh",
$read_files=set("out1", "out2")]);
test_cmd("test2", [$cmd="bash ../nofiles.sh"]);
test_cmd("test3", [$cmd="bash ../suicide.sh"]);
# Not sure of a portable way to test signals yet.
#test_cmd("test3", [$cmd="bash ../suicide.sh"]);
test_cmd("test4", [$cmd="bash ../stdin.sh", $stdin="hibye"]);
}

8
testing/btest/scripts/policy/protocols/dhcp/known-devices-and-hostnames/basic.test Normal file
View file

@ -0,0 +1,8 @@
# This tests that the known_devices log is created,
# that devices are logged by MAC address, and that
# the DHCP hostname is added, if available.
# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp.trace -r $TRACES/dhcp/dhcp_inform.trace %INPUT
# @TEST-EXEC: btest-diff known_devices.log
@load policy/protocols/dhcp/known-devices-and-hostnames