diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output
index 8f75b7e9d1..0efa22bebe 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output
@@ -3,32 +3,25 @@
 #empty_field (empty)
 #unset_field -
 #path intel
-#open 2020-07-06-20-13-06
+#open 2020-08-07-23-04-27
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
 #types time string addr port addr port string enum enum string set[enum] set[string] string string string
-1594066386.095894 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE zeek Intel::ADDR source1 - - -
-1594066389.097925 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE zeek Intel::ADDR source1 - - -
-1594066392.099402 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE zeek Intel::ADDR source2,source1 - - -
-1594066395.103419 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE zeek Intel::ADDR source2,source1 - - -
-1594066398.103542 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE zeek Intel::ADDR source2,source1 - - -
-#close 2020-07-06-20-13-21
+1596841467.743662 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE zeek Intel::ADDR source1 - - -
+1596841470.744058 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE zeek Intel::ADDR source2,source1 - - -
+1596841476.155569 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE zeek Intel::ADDR source2,source1 - - -
+#close 2020-08-07-23-04-40
 -- Run 1 --
-Trigger: 1.2.3.4
 Seen: 1.2.3.4
+Match: 1.2.3.4
 -- Run 2 --
-Trigger: 1.2.3.4
-Reinsert: 1.2.3.4
-Seen: 1.2.3.4
--- Run 3 --
-Trigger: 1.2.3.4
 Seen: 1.2.3.4
+Match: 1.2.3.4
 Expired: 192.168.0.0/16
+-- Run 3 --
+Seen: 1.2.3.4
+Match: 1.2.3.4
+Expired: 1.2.3.4 (took longer: T)
 -- Run 4 --
-Trigger: 1.2.3.4
 Seen: 1.2.3.4
 -- Run 5 --
-Trigger: 1.2.3.4
 Seen: 1.2.3.4
-Expired: 1.2.3.4
--- Run 6 --
-Trigger: 1.2.3.4
diff --git a/testing/btest/scripts/base/frameworks/intel/expire-item.zeek b/testing/btest/scripts/base/frameworks/intel/expire-item.zeek
index 97099bb272..e4f4be28dc 100644
--- a/testing/btest/scripts/base/frameworks/intel/expire-item.zeek
+++ b/testing/btest/scripts/base/frameworks/intel/expire-item.zeek
@@ -16,52 +16,72 @@ redef exit_only_after_terminate = T; redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; -redef Intel::item_expiration = 9sec; -redef table_expire_interval = 2sec; global runs = 0; +global entries_read = 0; +global start_time: time; +global expire_count = 0; +const intel_expiry = 9sec; +redef Intel::item_expiration = intel_expiry; +redef table_expire_interval = 0.2sec; + event do_it() { ++runs; print fmt("-- Run %s --", runs); - print "Trigger: 1.2.3.4"; - Intel::seen([$host=1.2.3.4, - $where=SOMEWHERE]); + print "Seen: 1.2.3.4"; + Intel::seen([$host=1.2.3.4, $where=SOMEWHERE]); - if ( runs == 2 ) - { - # Reinserting the indicator should reset the expiration - print "Reinsert: 1.2.3.4"; - local item = [ - $indicator="1.2.3.4", - $indicator_type=Intel::ADDR, - $meta=[ - $source="source2", - $desc="this host is still bad", - $url="http://some-data-distributor.com/2"] - ]; - Intel::insert(item); - } - - if ( runs < 6 ) - schedule 3sec { do_it() }; - else + if ( runs == 4 ) + schedule 1sec { do_it() }; + else if ( runs > 4 ) terminate(); } event Intel::match(s: Intel::Seen, items: set[Intel::Item]) { - print fmt("Seen: %s", s$indicator); + print fmt("Match: %s", s$indicator); } hook Intel::item_expired(indicator: string, indicator_type: Intel::Type, - metas: set[Intel::MetaData]) + metas: set[Intel::MetaData]) { - print fmt("Expired: %s", indicator); + ++expire_count; + + if ( expire_count == 2 ) + # Check that time of expiry indicates is approximately what's expected + # after having been refreshed. 
+ print fmt("Expired: %s (took longer: %s)", indicator, (network_time() - start_time) > intel_expiry + 2sec); + else + print fmt("Expired: %s", indicator); + + event do_it(); } -event zeek_init() &priority=-10 +event refresh() { - schedule 4sec { do_it() }; + # Reinserting the indicator should reset the expiration + local item = [ + $indicator="1.2.3.4", + $indicator_type=Intel::ADDR, + $meta=[ + $source="source2", + $desc="this host is still bad", + $url="http://some-data-distributor.com/2"] + ]; + Intel::insert(item); + event do_it(); + } + +event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item) + { + ++entries_read; + + if ( entries_read == 2 ) + { + start_time = network_time(); + event do_it(); + schedule 3sec { refresh() }; + } }
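Review bot: The new `Intel::read_entry` handler starts the test only when `entries_read == 2`, which silently couples it to the row count of `../intel.dat` (not visible in this diff); because the script keeps `redef exit_only_after_terminate = T;`, a change to that file would make the test hang until the btest timeout rather than fail with a clear message. A comment on that line would make the dependency explicit, e.g. `# ../intel.dat is expected to hold exactly two entries; start once both are loaded`. The same count-based trigger appears in `Intel::item_expired`, where `expire_count == 2` presumably relies on 192.168.0.0/16 expiring before the refreshed 1.2.3.4; keying the timing check on the indicator instead, `if ( indicator == "1.2.3.4" )`, would keep the check correct if more items are added to the data file. The `(took longer: %s)` output is baked into the baseline, so a short comment noting that the 2sec margin is chosen to stay below the 3sec refresh delay would help whoever next tunes these intervals.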