Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Updated intel framework test to include matching.

Browse source
This commit is contained in:
Seth Hall 2012-09-28 14:52:05 -04:00
parent 0bcedcd204
commit 38f0b7927c
5 changed files with 29 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

9
scripts/base/frameworks/intel/main.bro
View file

@ -18,7 +18,7 @@ export {
## String data needs to be further categoried since it could represent ## String data needs to be further categoried since it could represent
## and number of types of data. ## and number of types of data.
type StrType: enum { type StrType: enum {
## A complete URL. ## A complete URL without the prefix "http://".
URL, URL,
## User-Agent string, typically HTTP or mail message body. ## User-Agent string, typically HTTP or mail message body.
USER_AGENT, USER_AGENT,
@ -59,7 +59,7 @@ export {
## Enum to represent where data came from when it was discovered. ## Enum to represent where data came from when it was discovered.
type Where: enum { type Where: enum {
## A catchall value to represent data of unknown provenance. ## A catchall value to represent data of unknown provenance.
ANYWHERE, IN_ANYWHERE,
}; };
type Seen: record { type Seen: record {
@ -104,6 +104,8 @@ export {
## intelligence framework. ## intelligence framework.
global new_item: event(item: Item); global new_item: event(item: Item);
global updated_item: event(item: Item); global updated_item: event(item: Item);
global log_intel: event(rec: Info);
} }
# Event to represent a match happening in a connection. On clusters there # Event to represent a match happening in a connection. On clusters there
@ -128,7 +130,7 @@ global data_store: DataStore;
event bro_init() &priority=5 event bro_init() &priority=5
{ {
Log::create_stream(LOG, [$columns=Info]); Log::create_stream(LOG, [$columns=Info, $ev=log_intel]);
} }
function find(s: Seen): bool function find(s: Seen): bool
@ -192,7 +194,6 @@ function get_items(s: Seen): set[Item]
return return_data; return return_data;
} }
#global total_seen=0; #global total_seen=0;
#event bro_done() #event bro_done()
# { # {

10
testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path intel
#open 2012-09-28-18-50-43
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.host seen.str seen.str_type seen.where
#types time string addr port addr port addr string enum enum
1348858243.346443 - - - - - 123.123.123.123 - - Intel::IN_ANYWHERE
#close 2012-09-28-18-50-53

2
testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-2..stdout
View file

@ -1,4 +1,4 @@
cluster_new_item: 1.2.3.4 from source manager (from peer: manager-1) cluster_new_item: 1.2.3.4 from source manager (from peer: manager-1)
cluster_new_item: 123.123.123.123 from source worker-1 (from peer: manager-1) cluster_new_item: 123.123.123.123 from source worker-1 (from peer: manager-1)
cluster_new_item: 4.3.2.1 from source worker-2 (from peer: manager-1) cluster_new_item: 4.3.2.1 from source worker-2 (from peer: manager-1)
terminating! Doing a lookup

18
testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro
View file

@ -5,6 +5,7 @@
# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
# @TEST-EXEC: btest-bg-wait -k 10 # @TEST-EXEC: btest-bg-wait -k 10
# @TEST-EXEC: btest-diff manager-1/.stdout # @TEST-EXEC: btest-diff manager-1/.stdout
# @TEST-EXEC: btest-diff manager-1/intel.log
# @TEST-EXEC: btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff worker-1/.stdout
# @TEST-EXEC: btest-diff worker-2/.stdout # @TEST-EXEC: btest-diff worker-2/.stdout
@ -20,6 +21,8 @@ redef Cluster::nodes = {
module Intel; module Intel;
redef Log::default_rotation_interval=0sec;
event remote_connection_handshake_done(p: event_peer) event remote_connection_handshake_done(p: event_peer)
{ {
# Insert the data once both workers are connected. # Insert the data once both workers are connected.
@ -49,18 +52,25 @@ event Intel::cluster_new_item(item: Intel::Item)
Intel::insert([$host=4.3.2.1,$meta=[$source="worker-2"]]); Intel::insert([$host=4.3.2.1,$meta=[$source="worker-2"]]);
} }
# We're forcing worker-2 to die first when it has three intelligence items # We're forcing worker-2 to do a lookup when it has three intelligence items
# which were distributed over the cluster (data inserted locally is resent). # which were distributed over the cluster (data inserted locally is resent).
if ( Cluster::node == "worker-2" ) if ( Cluster::node == "worker-2" )
{ {
++worker2_data; ++worker2_data;
if ( worker2_data == 3 ) if ( worker2_data == 3 )
{ {
print "terminating!"; # Now that everything is inserted, see if we can match on the data inserted
# by worker-1.
print "Doing a lookup";
Intel::seen([$host=123.123.123.123, $where=Intel::IN_ANYWHERE]);
}
}
}
event Intel::log_intel(rec: Intel::Info)
{
event Control::shutdown_request(); event Control::shutdown_request();
} }
}
}
event remote_connection_closed(p: event_peer) event remote_connection_closed(p: event_peer)
{ {

18
testing/btest/scripts/base/frameworks/intel/dns-zone-plugin.bro
View file

@ -1,18 +0,0 @@
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
Intel::insert([$str="bad.com", $subtype=Intel::DNS_ZONE, $meta=[$source="src1", $class=Intel::MALICIOUS]]);
local q: Intel::Query = [$str="some.host.bad.com", $subtype=Intel::DOMAIN, $class=Intel::MALICIOUS];
if ( Intel::query(q) )
{
print "It matched!";
local items = Intel::lookup(q);
for ( item in items )
{
print item$str;
print item$subtype;
}
}
}