Merge remote-tracking branch 'origin/master' into topic/johanna/tls13-details
This commit is contained in:
commit
6707328c55
182 changed files with 2281 additions and 1613 deletions
|
@ -61,7 +61,7 @@ config classification: default-login-attempt,Attempt to Login By a Default Usern
|
|||
|
||||
redef exit_only_after_terminate = T;
|
||||
|
||||
@load base/files/unified2
|
||||
@load policy/files/unified2
|
||||
|
||||
redef Unified2::sid_msg = @DIR+"/sid_msg.map";
|
||||
redef Unified2::gen_msg = @DIR+"/gen_msg.map";
|
||||
|
@ -73,4 +73,4 @@ event Unified2::alert(f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet)
|
|||
++i;
|
||||
if ( i == 2 )
|
||||
terminate();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
# @TEST-EXEC: zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
|
||||
@TEST-START-FILE input.log
|
||||
#separator \x09
|
||||
#fields i p
|
||||
#types count pattern
|
||||
1 /d/og/
|
||||
2 /cat/sss
|
||||
3 /foo|bar
|
||||
4 this is not a pattern
|
||||
5 /5
|
||||
@TEST-END-FILE
|
||||
|
||||
redef exit_only_after_terminate = T;
|
||||
|
||||
module A;
|
||||
|
||||
type Idx: record {
|
||||
i: int;
|
||||
};
|
||||
|
||||
type Val: record {
|
||||
p: pattern;
|
||||
};
|
||||
|
||||
event kill_me()
|
||||
{
|
||||
terminate();
|
||||
}
|
||||
|
||||
global pats: table[int] of Val = table();
|
||||
|
||||
event zeek_init()
|
||||
{
|
||||
Input::add_table([$source="input.log", $name="pats", $idx=Idx, $val=Val, $destination=pats]);
|
||||
schedule 10msec { kill_me() };
|
||||
}
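Review bot: Shutdown is driven by a wall-clock timer, `schedule 10msec { kill_me() };`, so the reader errors this test wants in `.stderr` only appear if the input thread has parsed all five malformed lines within 10 ms; on a loaded CI host that races and the baseline diff can flake. Terminating from `Input::end_of_data` (as patterns.zeek in this same commit does) would tie shutdown to the reader's progress, assuming the ASCII reader still signals end of data after rejecting bad lines — if it does not, a much more generous timer is the fallback. Separately, the fixture header says `#types count pattern` while `Idx` declares `i: int`; if the reader does not cross-check `#types` this is harmless, but the two should agree so the fixture does not mislead. The file header for this section is not visible here, so I cannot tell which test file this is.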
|
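--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/patterns.zeek
@@ -0,0 +1,47 @@
+# @TEST-EXEC: btest-bg-run zeek zeek -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff out
+
+redef exit_only_after_terminate = T;
+
+@TEST-START-FILE input.log
+#separator \x09
+#fields i p
+#types count pattern
+1 /dog/
+2 /cat/
+3 /foo|bar/
+4 /^oob/
+@TEST-END-FILE
+
+global outfile: file;
+
+module A;
+
+type Idx: record {
+i: int;
+};
+
+type Val: record {
+p: pattern;
+};
+
+global pats: table[int] of Val = table();
+
+event zeek_init()
+{
+outfile = open("../out");
+# first read in the old stuff into the table...
+Input::add_table([$source="../input.log", $name="pats", $idx=Idx, $val=Val, $destination=pats]);
+}
+
+event Input::end_of_data(name: string, source:string)
+{
+print outfile, (pats[3]$p in "foobar"); # T
+print outfile, (pats[4]$p in "foobar"); # F
+print outfile, (pats[3]$p == "foo"); # T
+print outfile, pats;
+Input::remove("pats");
+close(outfile);
+terminate();
+}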
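Review bot: The `Input::end_of_data` handler indexes `pats[3]` and `pats[4]` without checking they were loaded, so if the reader drops a row (for example a pattern that fails to compile) the lookup raises a runtime "no such index" error that aborts the handler before `close(outfile)` and `terminate()`; with `exit_only_after_terminate = T` the run then ends only when `btest-bg-wait 10` times out, which fails the test slowly and with a misleading cause. A guard such as `if ( name != "pats" || 3 !in pats || 4 !in pats ) { print outfile, "rows missing"; close(outfile); terminate(); return; }` turns that into a fast, readable baseline diff. The `#types count pattern` header also disagrees with `Idx$i: int`; I believe the ASCII reader takes types from the record, so this is cosmetic, but worth aligning.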
@ -93,7 +93,7 @@ event zeek_init()
|
|||
$sn=10.0.0.1/24,
|
||||
$a=1.2.3.4,
|
||||
$d=3.14,
|
||||
$t=network_time(),
|
||||
$t=double_to_time(1559847346.10295),
|
||||
$iv=100secs,
|
||||
$s="hurz",
|
||||
$sc=set(1,2,3,4),
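Review bot: The literal `$t=double_to_time(1559847346.10295)` replaces `network_time()` here and in two sibling test scripts in this commit without saying why, so a later reader may take the value as meaningful or switch it back. A one-line comment on the changed line, such as `# fixed timestamp so the baseline is deterministic across runs`, records the intent; if all three scripts are meant to share the value, a named constant would keep them from drifting. The enclosing `zeek_init` record literal starts and ends outside the hunk.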
|
||||
|
|
|
@ -73,7 +73,7 @@ event zeek_init()
|
|||
$sn=10.0.0.1/24,
|
||||
$a=1.2.3.4,
|
||||
$d=3.14,
|
||||
$t=network_time(),
|
||||
$t=double_to_time(1559847346.10295),
|
||||
$iv=100secs,
|
||||
$s="hurz",
|
||||
$sc=set(1,2,3,4),
|
||||
|
|
|
@ -65,7 +65,7 @@ event zeek_init()
|
|||
$sn=10.0.0.1/24,
|
||||
$a=1.2.3.4,
|
||||
$d=3.14,
|
||||
$t=network_time(),
|
||||
$t=double_to_time(1559847346.10295),
|
||||
$iv=100secs,
|
||||
$s="hurz",
|
||||
$sc=set(1,2,3,4),
|
||||
|
|
|
@ -1,26 +0,0 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff netcontrol_catch_release.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/frameworks/netcontrol
|
||||
|
||||
redef NetControl::catch_release_intervals = vector(1sec, 2sec, 2sec);
|
||||
|
||||
event NetControl::init()
|
||||
{
|
||||
local netcontrol_debug = NetControl::create_debug(T);
|
||||
NetControl::activate(netcontrol_debug, 0);
|
||||
}
|
||||
|
||||
global pc: count = 0;
|
||||
|
||||
event new_packet(c: connection, p: pkt_hdr)
|
||||
{
|
||||
if ( ++pc == 1 )
|
||||
NetControl::drop_address_catch_release(10.0.0.1);
|
||||
}
|
||||
|
||||
event NetControl::catch_release_forgotten(a: addr, bi: NetControl::BlockInfo)
|
||||
{
|
||||
print "Forgotten: ", a, bi;
|
||||
}
|
|
@ -1,61 +0,0 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/ecdhe.pcap %INPUT
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log
|
||||
# @TEST-EXEC: btest-diff netcontrol_catch_release.log
|
||||
|
||||
@load base/frameworks/netcontrol
|
||||
|
||||
event NetControl::init()
|
||||
{
|
||||
local netcontrol_debug = NetControl::create_debug(T);
|
||||
NetControl::activate(netcontrol_debug, 0);
|
||||
}
|
||||
|
||||
global i: count = 0;
|
||||
|
||||
event connection_established(c: connection)
|
||||
{
|
||||
local id = c$id;
|
||||
NetControl::drop_address_catch_release(id$orig_h);
|
||||
# second one should be ignored because duplicate
|
||||
NetControl::drop_address_catch_release(id$orig_h);
|
||||
}
|
||||
|
||||
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string &default="")
|
||||
{
|
||||
if ( ++i == 6 )
|
||||
return;
|
||||
|
||||
# delete directly, without notifying anything.
|
||||
NetControl::delete_rule(r$id, "testing");
|
||||
NetControl::catch_release_seen(subnet_to_addr(r$entity$ip));
|
||||
}
|
||||
|
||||
@TEST-START-NEXT
|
||||
|
||||
@load base/frameworks/netcontrol
|
||||
|
||||
event NetControl::init()
|
||||
{
|
||||
local netcontrol_debug = NetControl::create_debug(T);
|
||||
NetControl::activate(netcontrol_debug, 0);
|
||||
}
|
||||
|
||||
global i: count = 0;
|
||||
|
||||
event connection_established(c: connection)
|
||||
{
|
||||
local id = c$id;
|
||||
NetControl::drop_address(id$orig_h, 2min);
|
||||
NetControl::drop_address_catch_release(id$orig_h, "test drop");
|
||||
}
|
||||
|
||||
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string &default="")
|
||||
{
|
||||
if ( ++i == 3 )
|
||||
return;
|
||||
|
||||
# delete directly, without notifying anything.
|
||||
NetControl::delete_rule(r$id);
|
||||
NetControl::catch_release_seen(subnet_to_addr(r$entity$ip));
|
||||
}
|
||||
|
|
@ -22,7 +22,7 @@ print Version::parse("1.12-beta-drunk");
|
|||
print Version::parse("JustARandomString");
|
||||
|
||||
# check that current running version of Zeek parses without error
|
||||
Version::parse(bro_version());
|
||||
Version::parse(zeek_version());
|
||||
|
||||
@TEST-START-NEXT
|
||||
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
@load base/protocols/rdp
|
||||
|
||||
event rdp_client_security_data(c: connection, data: RDP::ClientSecurityData)
|
||||
{
|
||||
print "rdp_client_security_data", data;
|
||||
print " 40-bit flag", data$encryption_methods & 0x00000001 != 0;
|
||||
print " 128-bit flag", data$encryption_methods & 0x00000002 != 0;
|
||||
print " 56-bit flag", data$encryption_methods & 0x00000008 != 0;
|
||||
print " fips flag", data$encryption_methods & 0x00000010 != 0;
|
||||
}
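Review bot: The four flag prints of the form `data$encryption_methods & 0x00000001 != 0` depend on Zeek's `&` binding tighter than `!=`, which as I understand its grammar it does — the opposite of C — so a reader with C habits will parse them as `methods & (1 != 0)` and distrust the baseline. Parenthesizing removes the doubt and protects the test if the precedence assumption is wrong: `print " 40-bit flag", (data$encryption_methods & 0x00000001) != 0;`, and likewise for the 128-bit, 56-bit and FIPS lines. A short comment naming the source of the bit values (the client security data encryptionMethods flags) would also help, since the constants are otherwise unexplained.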
|
|
@ -0,0 +1,14 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
@load base/protocols/rdp
|
||||
|
||||
event rdp_native_encrypted_data(c: connection, orig: bool, len: count)
|
||||
{
|
||||
print "rdp native encrypted data", orig, len;
|
||||
|
||||
if ( ! orig )
|
||||
# That's fine to stop here, we don't need to check the entire
|
||||
# encrypted conversation for the purpose of the unit test.
|
||||
terminate();
|
||||
}
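Review bot: In `rdp_native_encrypted_data` the two comment lines sit between `if ( ! orig )` and its only controlled statement, so `terminate();` is three lines away from the condition and easy to misread as unconditional. Either brace the body — `if ( ! orig ) { ... terminate(); }` — or move the comment above the `if`. The comment could also state the assumption it relies on, that the pcap carries at least one responder-side encrypted chunk, since without one the test would run to end of trace instead of terminating early.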
|