Remove deprecated log filter predicates for 4.1

Update the logging framework tests: since hooks operate
by name, they cannot be anonymous. I'm also dropping the &optional
attribute from the status field, since we know here that the values are
actually defined, and access to an optional status field should
normally be guarded by the existence test operator.

Also includes baseline update for plugins.hooks, which picks up the
fact that the pred record field is now gone.
Christian Kreibich 2021-01-25 17:00:25 -08:00 committed by Tim Wojtulewicz
parent 5f09793ce1
commit 4ce3bf3cd2
5 changed files with 302 additions and 316 deletions


@ -14,26 +14,32 @@ export {
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
status: string;
country: string &default="unknown";
} &log;
}
function fail(rec: Log): bool
hook success(rec: Log, id: Log::ID, filter: Log::Filter)
{
return rec$status != "success";
if ( rec$status != "success" )
break;
}
hook fail(rec: Log, id: Log::ID, filter: Log::Filter)
{
if ( rec$status == "success" )
break;
}
event zeek_init()
{
Log::create_stream(Test::LOG, [$columns=Log]);
Log::remove_default_filter(Test::LOG);
Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]);
Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $policy=success]);
Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $policy=fail]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
local r: Log = [$t=network_time(), $id=cid, $status="success"];
Log::write(Test::LOG, r);
Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
}
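Review bot: The new `success` and `fail` policy hooks carry no comment saying what `break` means in this position, and a reader arriving from the removed `$pred` form will expect a boolean return rather than a veto; a one-line comment above each, e.g. `# Policy hook for filter f1: break vetoes the write to test.success.`, would make the intent explicit. Both hooks leave `id` and `filter` untouched, so a short `# id/filter unused; the signature is dictated by the $policy hook type` would stop a later cleanup from dropping them. It is also worth stating in the comment that the two hooks are complementary only for the literal string "success" — any other status, including an empty one, is routed to test.failure — and that, with `&optional` gone, every `Log::write` here presumably has to supply `$status` or fail at record construction rather than inside the hook. The module declaration and the start of the `export` block lie before this hunk.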


@ -15,15 +15,21 @@ export {
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
status: string;
country: string &default="unknown";
} &log;
}
hook fail_only(rec: Log, id: Log::ID, filter: Log::Filter)
{
if ( rec$status != "failure" )
break;
}
event zeek_init()
{
Log::create_stream(SSH::LOG, [$columns=Log]);
Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]);
Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $policy=fail_only]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];