Merge branch 'topic/amazingpp/irc-fuid-missing' of github.com:AmazingPP/zeek

* 'topic/amazingpp/irc-fuid-missing' of github.com:AmazingPP/zeek: Add irc_dcc_send_ack event and fix missing fields I've moved IRC_Data back into the zeek::analyzer::file namespace, but we did move the declaration from protocol/file/File.h to protocol/irc/IRC.h. But, if someone actually customized IRC_Data and didn't include protocol/irc/IRC.h for other reasons, I'll be surprised (and also just suggest to update the include).
2025-10-02 14:48:21 +00:00 · 2023-04-24 17:55:53 +02:00 · 2023-04-24 17:55:53 +02:00 · 1b69b4d26f
commit 1b69b4d26f
parent 9b1bfe63f4 161ffb4192
17 changed files with 209 additions and 107 deletions
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out
@ -2,18 +2,6 @@
 FILE_NEW
 file #0, 0, 0
 FILE_OVER_NEW_CONNECTION
-FILE_NEW
-file #1, 0, 0
-FILE_OVER_NEW_CONNECTION
-FILE_STATE_REMOVE
-file #1, 124, 0
-[orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
-FILE_BOF_BUFFER
-\x00\x00\x05x\x00\x00\x0a\xf0\x00\x00\x10
-source: IRC_DATA
-MD5: 35288fd50a74c7d675909ff83424d7a1
-SHA1: 8a98f177cb47e6bf771bf57c2f7e94c4b5e79ffa
-SHA256: b24dde52b933a0d76e885ab418cb6d697b14a4e2fef45fce66e12ecc5a6a81aa
 FILE_STATE_REMOVE
 file #0, 42208, 0
 [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
--- a/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log
@ -5,10 +5,10 @@
 #unset_field	-
 #path	irc
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	nick	user	command	value	addl	dcc_file_name	dcc_file_size	fuid
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	count	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	-	-	NICK	bloed	-	-	-	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	-	USER	sdkfje	sdkfje Montreal.QC.CA.Undernet.org dkdkrwq	-	-	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	JOIN	#easymovies	(empty)	-	-	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	DCC	#easymovies	(empty)	ladyvampress-default(2011-07-07)-OS.zip	42208	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	nick	user	command	value	addl	dcc_file_name	dcc_file_size	dcc_mime_type	fuid
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	count	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	-	-	NICK	bloed	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	-	USER	sdkfje	sdkfje Montreal.QC.CA.Undernet.org dkdkrwq	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	JOIN	#easymovies	(empty)	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	DCC	#easymovies	(empty)	ladyvampress-default(2011-07-07)-OS.zip	42208	application/zip	F2tE1m1WMORrNXXg7b
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.irc.basic/out
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.basic/out
@ -57,3 +57,34 @@ Nachos,
 dx3d51,
 TooFast
 }
+irc_dcc_send_ack, 1400
+irc_dcc_send_ack, 2800
+irc_dcc_send_ack, 4200
+irc_dcc_send_ack, 5600
+irc_dcc_send_ack, 7000
+irc_dcc_send_ack, 8400
+irc_dcc_send_ack, 9800
+irc_dcc_send_ack, 11200
+irc_dcc_send_ack, 12288
+irc_dcc_send_ack, 13688
+irc_dcc_send_ack, 15088
+irc_dcc_send_ack, 16384
+irc_dcc_send_ack, 17784
+irc_dcc_send_ack, 19184
+irc_dcc_send_ack, 20480
+irc_dcc_send_ack, 21880
+irc_dcc_send_ack, 23280
+irc_dcc_send_ack, 24576
+irc_dcc_send_ack, 25976
+irc_dcc_send_ack, 27376
+irc_dcc_send_ack, 28672
+irc_dcc_send_ack, 30072
+irc_dcc_send_ack, 31472
+irc_dcc_send_ack, 32768
+irc_dcc_send_ack, 34168
+irc_dcc_send_ack, 35568
+irc_dcc_send_ack, 36864
+irc_dcc_send_ack, 38264
+irc_dcc_send_ack, 39664
+irc_dcc_send_ack, 40960
+irc_dcc_send_ack, 42208
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
--- a/testing/btest/scripts/base/frameworks/file-analysis/irc.zeek
+++ b/testing/btest/scripts/base/frameworks/file-analysis/irc.zeek
@ -6,17 +6,9 @@

 redef test_file_analysis_source = "IRC_DATA";

-global first: bool = T;
-
 function myfile(f: fa_file): string
 	{
-	if ( first )
-		{
-		first = F;
-		return "thefile";
-		}
-	else
-		return "";
+	return "thefile";
 	}

 redef test_get_file_name = myfile;
--- a/testing/btest/scripts/base/protocols/irc/basic.test
+++ b/testing/btest/scripts/base/protocols/irc/basic.test
@ -9,14 +9,12 @@
@load base/protocols/conn
@load base/protocols/irc

-# dcc mime types are irrelevant to this test, so filter it out
-event zeek_init()
-	{
-	Log::remove_default_filter(IRC::LOG);
-	Log::add_filter(IRC::LOG, [$name="remove-mime", $exclude=set("dcc_mime_type")]);
-	}
-
 event irc_names_info(c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
 	{
 	print "irc_names_info", channel, users;
 	}
+
+event irc_dcc_send_ack(c: connection, bytes_received: count)
+	{
+	print "irc_dcc_send_ack", bytes_received;
+	}