From 4bddcd23794bfcdd43eabd5da5e33d4227b117eb Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Thu, 25 Apr 2013 14:56:14 -0400
Subject: [PATCH] Fixed a bug in the vulnerable software script and added a
 test.

---
 .../policy/frameworks/software/vulnerable.bro | 27 ++++++++++++-------
 .../notice.log                                | 11 ++++++++
 .../policy/frameworks/software/vulnerable.bro | 23 ++++++++++++++++
 3 files changed, 51 insertions(+), 10 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log
 create mode 100644 testing/btest/scripts/policy/frameworks/software/vulnerable.bro

diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro
index aedb309dba..47c64885f5 100644
--- a/scripts/policy/frameworks/software/vulnerable.bro
+++ b/scripts/policy/frameworks/software/vulnerable.bro
@@ -43,15 +43,6 @@ export {
 
 global internal_vulnerable_versions: table[string] of set[VulnerableVersionRange] = table();
 
-event Control::configuration_update()
-	{
-	internal_vulnerable_versions = table();
-
-	# Copy the const vulnerable versions into the global modifiable one.
-	for ( sw in vulnerable_versions )
-		internal_vulnerable_versions[sw] = vulnerable_versions[sw];
-	}
-
 function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRange
 	{
 	# Create a max value with a dunce value only because the $max field
@@ -115,11 +106,27 @@ event grab_vulnerable_versions(i: count)
 		}
 	}
 
-event bro_init()
+function update_vulnerable_sw()
 	{
+	internal_vulnerable_versions = table();
+
+	# Copy the const vulnerable versions into the global modifiable one.
+	for ( sw in vulnerable_versions )
+		internal_vulnerable_versions[sw] = vulnerable_versions[sw];
+
 	event grab_vulnerable_versions(1);
 	}
 
+event bro_init() &priority=3
+	{
+	update_vulnerable_sw();
+	}
+
+event Control::configuration_update() &priority=3
+	{
+	update_vulnerable_sw();
+	}
+
 event log_software(rec: Info)
 	{
 	if ( rec$name !in internal_vulnerable_versions )
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log
new file mode 100644
index 0000000000..21b5342a13
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2013-04-25-18-55-26
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double	addr	string	subnet
+1366916126.685057	-	-	-	-	-	-	Software::Vulnerable_Version	1.2.3.4 is running Java 1.7.0.15 which is vulnerable.	Java 1.7.0.15	1.2.3.4	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	-	-	-
+1366916126.685057	-	-	-	-	-	-	Software::Vulnerable_Version	1.2.3.5 is running Java 1.6.0.43 which is vulnerable.	Java 1.6.0.43	1.2.3.5	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	-	-	-
+#close	2013-04-25-18-55-26
diff --git a/testing/btest/scripts/policy/frameworks/software/vulnerable.bro b/testing/btest/scripts/policy/frameworks/software/vulnerable.bro
new file mode 100644
index 0000000000..2ea7009a21
--- /dev/null
+++ b/testing/btest/scripts/policy/frameworks/software/vulnerable.bro
@@ -0,0 +1,23 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff notice.log
+
+@load frameworks/software/vulnerable
+
+redef Software::asset_tracking = ALL_HOSTS;
+
+global java_1_6_vuln: Software::VulnerableVersionRange = [$max=[$major=1,$minor=6,$minor2=0,$minor3=43]];
+global java_1_7_vuln: Software::VulnerableVersionRange = [$min=[$major=1,$minor=7], $max=[$major=1,$minor=7,$minor2=0,$minor3=20]];
+redef Software::vulnerable_versions += {
+        ["Java"] = set(java_1_6_vuln, java_1_7_vuln)
+};
+
+event bro_init()
+	{
+	Software::found([$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp], 
+	                [$name="Java", $host=1.2.3.4, $version=[$major=1, $minor=7, $minor2=0, $minor3=15]]);
+	Software::found([$orig_h=1.2.3.5, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp], 
+	                [$name="Java", $host=1.2.3.5, $version=[$major=1, $minor=6, $minor2=0, $minor3=43]]);
+	Software::found([$orig_h=1.2.3.6, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp], 
+	                [$name="Java", $host=1.2.3.6, $version=[$major=1, $minor=6, $minor2=0, $minor3=50]]);
+
+	}