From 1f6fc4415f66a105bcef085be09c2356eb9d9ead Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Fri, 25 Sep 2020 11:27:54 +0000
Subject: [PATCH] Tweak find-filtered-trace to not flag traces if they have
 non-TCP traffic.

Closes #160.
---
 scripts/base/misc/find-filtered-trace.zeek       |   7 +++++++
 .../scripts.base.misc.find-filtered-trace/out1   |   2 +-
 .../scripts.base.misc.find-filtered-trace/out3   |   0
 .../Traces/wikipedia-filtered-plus-udp.trace     | Bin 0 -> 7891 bytes
 .../scripts/base/misc/find-filtered-trace.test   |   2 ++
 5 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out3
 create mode 100644 testing/btest/Traces/wikipedia-filtered-plus-udp.trace

diff --git a/scripts/base/misc/find-filtered-trace.zeek b/scripts/base/misc/find-filtered-trace.zeek
index 504b58916e..7d25e70a6f 100644
--- a/scripts/base/misc/find-filtered-trace.zeek
+++ b/scripts/base/misc/find-filtered-trace.zeek
@@ -32,6 +32,7 @@ function should_detect(): bool
 
 global saw_tcp_conn_with_data: bool = F;
 global saw_a_tcp_conn: bool = F;
+global saw_a_non_tcp_conn: bool = F;
 
 event connection_state_remove(c: connection)
 	{
@@ -42,7 +43,10 @@ event connection_state_remove(c: connection)
 		return;
 
 	if ( ! is_tcp_port(c$id$orig_p) )
+		{
+		saw_a_non_tcp_conn = T;
 		return;
+		}
 
 	saw_a_tcp_conn = T;
 
@@ -58,6 +62,9 @@ event zeek_done()
 	if ( ! saw_a_tcp_conn )
 		return;
 
+	if ( saw_a_non_tcp_conn )
+		return;
+
 	if ( ! saw_tcp_conn_with_data )
 		Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
 	}
diff --git a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
index 6452fb1883..ce9f0cecc7 100644
--- a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
+++ b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
@@ -1 +1 @@
-1389719059.311687 warning in /home/jon/pro/zeek/zeek/scripts/base/misc/find-filtered-trace.zeek, line 62: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.
+1389719059.311687 warning in /Users/robin/bro/topic/scripts/base/misc/find-filtered-trace.zeek, line 69: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.
diff --git a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out3 b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out3
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Traces/wikipedia-filtered-plus-udp.trace b/testing/btest/Traces/wikipedia-filtered-plus-udp.trace
new file mode 100644
index 0000000000000000000000000000000000000000..a35da062d5b8c308878ca704fd0831fd682ef5ca
GIT binary patch
literal 7891
zcmdT}3s6+&6+ZjmvEr&LjQFauf-y{JMUaM~SlE{&5m<-@tU<EE1_|;AEGU*BKEPTd
zc^OS&DjIaucC5Bdbqp1*4;Yncw4!y4(&8iP>P(8M&7{G)J?GzD?p>C>3${4zh5zo}
z|Nirx|9t11@BaVY3nzZNQwnl$9yS|*1TQA<Uz;3UDS-_9PE7)f0eT=Z>FAu3{-6hV
z4j=(+s>sw$^;gey;k_VhkQHK9Ey2Nd2>kHPGZ*F;<twtwUbU2bzpQMjJlm2};<Kzc
z$FvMU4H7c*V5I~u;$Ujg(Rk{C;IA*8HP>~%f)~)BvOTJyF96cuuWgU;j!kO6cAV{|
z8+2BHb<{=kmwPc?LxWbpNE#1g9D}(j+>c<Q<JPFYR`H(1aZip;M{&bpy5m}b-+cgT
zAOQzCJN@yyJORL;oV-&jfn#WjnuAN`B;)dT<>i1}_V^KOmy^qeCXB`Zq(dR-(6r$J
z@H{$04FXp+ziET8>aOqoo;fu8^NR_P;QQftbg1H-@q>zH1sF57hnr~d4(XV4&(6YV
z%6&eSOZ|tzgxjA|zeFbUBjoG<5Fj&5JH8#6(r$)tMK_@mIvAT3G3v8d5Pivx(PMTj
zc#lW+>$vcM&=FZd$Q%8XU_?vQ+~%ygeGKQUS~#CjH`Pm}zuF2h@Pm~{_B_B`!GAh@
z%S)COn{pM)^9%9|&AIs|S#fC|z(kM`{v3r8*5W8?b~XevFK=59FiX|4h_KnrW6*-B
za?hRzt7{lO+VG6e1%fY)QXYnBvZAs`E^ye=;xbF2smx+7<pP&?TKxg`ayXX|7>(%!
z(oCAtYd9sWT-MxNHac83I9+}(0$rYM*qt}qi_7w&oHCQVJik0gX3j-x4gy95C}9&?
zqvl4ys<xjo0*pKXXs_UlioDsiYefm@#~P=$(;-_2p^Of-Z;{!OYp%c>kaGiI#3%r~
zsfeqgPog3QCpYluZ%?7<pHZ8;y--29!J>b3xDu|R-_+ck?`YdV&Nuh)&ZC8vU%qPY
zX3>{|3}hankN8Yqa3W9zBORlBN(wC{CN7YRq6whPECV?fg$xr#O4nQx_#!hiaD;15
zlv@ub6SvxdlEqNga9J+b^;|K3y{PTiaw1frREkJIQ#MJ!ei`K!&FjQGFlHvbyq(w~
z33yb&7b+I%G3s|pz!XvB!$%1D;J#kuWE7VJ#uZNFfEdrnxxs@;f|@!?f{xD0Ye*>m
z)8QdVjtba0R#XCh&MF|2PXe@HI^SM-Z3rdcI8JHc5@6j+643OQZFOE;?x!dzDaMT#
zm4J<mfMlKkv{#UNa9iCIk${Cbxq(Z7RYTGD|MF_A7b<!s;M@dJ33!u9z_$YDHPB)W
zzZyHV65w9&?xN721PDqV3%Fh=2~G)^Fi}hbzO14`U306qP*YF>G}5C~MkE25FMBT3
zhaZWC>Leno7N$8LTsIa|s3xCp5Aqr+N1>*EELx~<u{?c|4;5N4P2$>vhOkg;aY`bE
zYIj-dba|_d3U$|?<ndly_E4x7ej!?@Z!-dtcmmK~L2RQu{)rUoBb=N_q4tTsbqPhk
zDJb0Pg^J!nZEO%N)OT2+{+)LoEwpS~7;gQ)E!6wyu;=A^=~Gmw-^}hU)Ko0g)c0{2
zWiQm$P?th&rGDqL+JA=_a`j7ue0O*+vJs!vpL~dmbUX6#$)1tJc8MlIE0X|RP1=|1
z2ToBEBu?$j@R|e;3D~t;R07^*6(Crxq6JezU}we<O2D6SN+J?qcUj|f`Divtz_pt@
zPkV9Mg9HTb5tRT867E;@d=;R*g7QN<Pd^a}(BkAoB%n|9{{R&I^buT|7b<!s;O<^g
z3E0depqqCdEwn_v$fXUf1oZ!8c3;4|KAYW_>w@LH^I09bPpnY0;;2vq!g~uf4JF|9
z&+rw5y-*ua3<NuN7YQgou7ngEN6l@MnQ+@4s&r@8e(^1aDq{L!O%ER`d7;^2^02G+
zJE?^I2u#gwU)9j|KFiWjK2V6ian5y3k0VfM#1p!6S0(KLKe@%c!osPzNbsSRzBCP#
ztjn>@QgJH#hI87xj{Ubvxc^pp+J8sm<Ofd8rI|#{%nVJO7iw_FM~m%!txD)dR;amA
zbG>Z~%i+KB)FA%nDIaU%7&W-z1X;h-Ao`%F(eiskTqsJBD%Tw-ktghlM4nxHqOhmh
z1!WDl%;mbCdz-&@ru04Z-}6)LR5+#djyOk3OE<=0O0SvzHzJFcpG&@TN$ED~cRtl_
z{!@VL;U(1a9NO0sIv7tRtF~`hhr7^9dI?qa6pySnw>HxL7LnOYs4d?O5_#T(58_|J
zopS>rCnX4wGjpUu<Y3tdo{fRbIi+OJt-H7&ZzkkZcX;GUS>tvJkyo!DB(m|f#`|yK
zbAB@+`yCS?|K!JCA#$seja`F9PK}?X&cL<FO+t?RhDV-wYwUR;@`iT?Ip?$~XM#^>
zzTO0c{LE4wSzR=Cs}NatZ~(};R0;On*ckWHvu*b=^STN7HwOgBwWUW8xsBLRV?94}
zCjjPP7E*(*E0VJ>2wosY>M%n~e4n4YpKGi^<a=NoKO_C4*foa|vzM2QPJs4**^wm@
zxs=d~jwm4qfv7p&IghCby?lecNL>K-_xINjDWc2y&N=bvFdWRDk@Vq{S6pab>EZSL
zD5es422gFr^At3B@M$IBrj9imJGzrUnfuvPW-_IE9KIu0-L6BE*Rk1P1OCMwud)?M
z7z~*V(Q6G_Ly}&nOVsQ1TAfb!oKC0L>ooegI=xPtn219_5{kAOG8AIA#xq;B{~cQq
zDZ?NeXGbkM8l9Ed{c`+95w4Ore=Uf#1YZnEKN05g8wHNHWd+@X@K&oK1R;<zI!0>J
zGqjOfO>}IuZiZoI6yu#-yF7mwynq9!vB*6X&=_Am342xDVdPpDz{5+62)ey>K+q8v
z1D>QO^;ZJKJi*mJdV&w{$M9s|jS*t;4`K0N)hGTdY^8(EwJ;2be7%pDEj6=M-N)8r
z<Tcq+s{+JqO<}g)=ws_K{F;ikl&2*BVK#KMQu0+TXqv}z6;B@Wn#`4+k%(nO1j~jo
z&TP26oS^5wF(ByFOlcq1AT;XGaD!cW3h{Tv1XZjFp})dr>r5o&+1(tLFUST|9iu_3
zpQlg4v(aEMBx(hJ8eGPOfP~z*l`MObto_s|6Jza%j5XR}Gc_0#Ykyqi+lMuQ(4<r+
lvRqqC(8QWUuPwF;0c!)&Yhq22=qF}N!)#^svGo{v{cm=PX%GMa

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/misc/find-filtered-trace.test b/testing/btest/scripts/base/misc/find-filtered-trace.test
index 65a7f2ec5a..1875f4de0e 100644
--- a/testing/btest/scripts/base/misc/find-filtered-trace.test
+++ b/testing/btest/scripts/base/misc/find-filtered-trace.test
@@ -1,6 +1,8 @@
 # @TEST-EXEC: zeek -b -r $TRACES/http/bro.org-filtered.pcap %INPUT >out1 2>&1
 # @TEST-EXEC: zeek -b -r $TRACES/http/bro.org-filtered.pcap %INPUT "FilteredTraceDetection::enable=F" >out2 2>&1
+# @TEST-EXEC: zeek -b -r $TRACES/wikipedia-filtered-plus-udp.trace %INPUT >out3 2>&1
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out1
 # @TEST-EXEC: btest-diff out2
+# @TEST-EXEC: btest-diff out3
 
 @load base/misc/find-filtered-trace