mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Event/zeek.bif: Add EventMetadata current() and current_values() accessors
...and basic smoke testing.
This commit is contained in:
Arne Welzel
parent
53b0f0ad64
commit
75aa6588fe
14 changed files with 155 additions and 0 deletions
34
src/Event.cc
34
src/Event.cc
|
|
@ -66,6 +66,40 @@ Event::Event(detail::EventMetadataVectorPtr arg_meta, const EventHandlerPtr& arg
|
||||||
Ref(obj);
|
Ref(obj);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
zeek::VectorValPtr Event::MetadataValues(const EnumValPtr& id) const {
|
||||||
|
static const auto& any_vec_t = zeek::id::find_type<zeek::VectorType>("any_vec");
|
||||||
|
auto result = zeek::make_intrusive<zeek::VectorVal>(any_vec_t);
|
||||||
|
|
||||||
|
if ( ! meta )
|
||||||
|
return result;
|
||||||
|
|
||||||
|
auto id_int = id->Get();
|
||||||
|
if ( id_int < 0 )
|
||||||
|
zeek::reporter->InternalError("Negative enum value %s: %" PRId64, obj_desc_short(id.get()).c_str(), id_int);
|
||||||
|
|
||||||
|
zeek_uint_t uintid = static_cast<zeek_uint_t>(id_int);
|
||||||
|
const auto* desc = event_registry->LookupMetadata(uintid);
|
||||||
|
if ( ! desc )
|
||||||
|
return result;
|
||||||
|
|
||||||
|
for ( const auto& entry : *meta ) {
|
||||||
|
if ( entry.Id() != uintid )
|
||||||
|
continue;
|
||||||
|
|
||||||
|
// Sanity check the type.
|
||||||
|
if ( ! same_type(desc->Type(), entry.Val()->GetType()) ) {
|
||||||
|
zeek::reporter->InternalWarning("metadata has unexpected type %s, wanted %s",
|
||||||
|
obj_desc_short(entry.Val()->GetType().get()).c_str(),
|
||||||
|
obj_desc_short(desc->Type().get()).c_str());
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
result->Append(entry.Val());
|
||||||
|
}
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
double Event::Time() const {
|
double Event::Time() const {
|
||||||
if ( ! meta )
|
if ( ! meta )
|
||||||
return 0.0;
|
return 0.0;
|
||||||
|
|
|
||||||
12
src/Event.h
12
src/Event.h
|
|
@ -66,6 +66,18 @@ public:
|
||||||
const zeek::Args& Args() const { return args; }
|
const zeek::Args& Args() const { return args; }
|
||||||
double Time() const;
|
double Time() const;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return a pointer to the MetadataVector of this event or a nullptr.
|
||||||
|
*/
|
||||||
|
const detail::EventMetadataVector* Metadata() const { return meta.get(); }
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return a vector of values for metadata matching identifier \a id.
|
||||||
|
*
|
||||||
|
* @param id The metadata identifier as an enum value.
|
||||||
|
*/
|
||||||
|
VectorValPtr MetadataValues(const EnumValPtr& id) const;
|
||||||
|
|
||||||
void Describe(ODesc* d) const override;
|
void Describe(ODesc* d) const override;
|
||||||
|
|
||||||
private:
|
private:
|
||||||
|
|
|
||||||
44
src/zeek.bif
44
src/zeek.bif
|
|
@ -428,6 +428,50 @@ function EventMetadata::register%(id: EventMetadata::ID, t: any%): bool
|
||||||
return zeek::val_mgr->Bool(r);
|
return zeek::val_mgr->Bool(r);
|
||||||
%}
|
%}
|
||||||
|
|
||||||
|
## Query the current event's metadata with identifier *id*.
|
||||||
|
##
|
||||||
|
## id: The metadata identifier, e.g. ``EventMetadata::NETWORK_TIMESTAMP``.
|
||||||
|
##
|
||||||
|
## Returns: A vector of values. The vector is empty if no metadata with
|
||||||
|
## the given identifier is attached to this event, otherwise a
|
||||||
|
## vector whose elements are of the type used during registration.
|
||||||
|
##
|
||||||
|
## .. zeek:see:: EventMetadata::register EventMetadata::current_all
|
||||||
|
function EventMetadata::current%(id: EventMetadata::ID%): any_vec
|
||||||
|
%{
|
||||||
|
static const auto& vt = zeek::id::find_type<zeek::VectorType>("any_vec");
|
||||||
|
|
||||||
|
const auto* event = zeek::event_mgr.CurrentEvent();
|
||||||
|
if ( ! event )
|
||||||
|
return zeek::make_intrusive<zeek::VectorVal>(vt);
|
||||||
|
|
||||||
|
return event->MetadataValues({zeek::NewRef{}, id->AsEnumVal()});
|
||||||
|
%}
|
||||||
|
|
||||||
|
## Query all of the current event's metadata.
|
||||||
|
##
|
||||||
|
## Returns: A vector :zeek:see:`EventMetadata::Entry` elements holding all
|
||||||
|
## the metadata attached to this event.
|
||||||
|
##
|
||||||
|
## .. zeek:see:: EventMetadata::register EventMetadata::current
|
||||||
|
function EventMetadata::current_all%(%): event_metadata_vec
|
||||||
|
%{
|
||||||
|
static const auto& vt = zeek::id::find_type<zeek::VectorType>("event_metadata_vec");
|
||||||
|
auto result = zeek::make_intrusive<zeek::VectorVal>(vt);
|
||||||
|
|
||||||
|
const auto* event = zeek::event_mgr.CurrentEvent();
|
||||||
|
if ( ! event )
|
||||||
|
return result;
|
||||||
|
|
||||||
|
if ( const auto* mdv = event->Metadata() ) {
|
||||||
|
for ( const auto& entry : *mdv )
|
||||||
|
result->Append(entry.BuildVal());
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
return result;
|
||||||
|
%}
|
||||||
|
|
||||||
## Returns a system environment variable.
|
## Returns a system environment variable.
|
||||||
##
|
##
|
||||||
## var: The name of the variable whose value to request.
|
## var: The name of the variable whose value to request.
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
|
@ -0,0 +1,2 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
new_connection CHhAvVGS1DHFjwGM9 all=[[id=EventMetadata::NETWORK_TIMESTAMP, val=1362692526.869344]] network_timestamp=[1362692526.869344]
|
||||||
|
|
@ -0,0 +1,2 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
new_connection CHhAvVGS1DHFjwGM9 all=[] network_timestamp=[]
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
17
testing/btest/core/event-metadata/network-timestamp.zeek
Normal file
17
testing/btest/core/event-metadata/network-timestamp.zeek
Normal file
|
|
@ -0,0 +1,17 @@
|
||||||
|
# @TEST-DOC: Check network timestamp available if opt-in.
|
||||||
|
#
|
||||||
|
# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT EventMetadata::add_network_timestamp=T > with_ts.out
|
||||||
|
# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT EventMetadata::add_network_timestamp=F > without_ts.out
|
||||||
|
#
|
||||||
|
# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff with_ts.out
|
||||||
|
# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff without_ts.out
|
||||||
|
# @TEST-EXEC: btest-diff .stderr
|
||||||
|
|
||||||
|
|
||||||
|
event new_connection(c: connection)
|
||||||
|
{
|
||||||
|
print fmt("new_connection %s all=%s network_timestamp=%s",
|
||||||
|
c$uid,
|
||||||
|
EventMetadata::current_all(),
|
||||||
|
EventMetadata::current(EventMetadata::NETWORK_TIMESTAMP));
|
||||||
|
}
|
||||||
8
testing/btest/core/event-metadata/non-event.zeek
Normal file
8
testing/btest/core/event-metadata/non-event.zeek
Normal file
|
|
@ -0,0 +1,8 @@
|
||||||
|
# @TEST-DOC: Ensure EventMetadata::current() and EventMetadata::current_all() in non-event context returns empty vectors.
|
||||||
|
#
|
||||||
|
# @TEST-EXEC: zeek -b %INPUT
|
||||||
|
# @TEST-EXEC: btest-diff .stdout
|
||||||
|
# @TEST-EXEC: btest-diff .stderr
|
||||||
|
|
||||||
|
assert |EventMetadata::current(EventMetadata::NETWORK_TIMESTAMP)| == 0;
|
||||||
|
assert |EventMetadata::current_all()| == 0;
|
||||||
30
testing/btest/core/event-metadata/register.zeek
Normal file
30
testing/btest/core/event-metadata/register.zeek
Normal file
|
|
@ -0,0 +1,30 @@
|
||||||
|
# @TEST-DOC: Very basic registration of event metadata identifiers.
|
||||||
|
#
|
||||||
|
# @TEST-EXEC: zeek -b %INPUT
|
||||||
|
# @TEST-EXEC: btest-diff .stdout
|
||||||
|
# @TEST-EXEC: btest-diff .stderr
|
||||||
|
|
||||||
|
module App;
|
||||||
|
|
||||||
|
export {
|
||||||
|
redef enum EventMetadata::ID += {
|
||||||
|
MY_STRING = 1000,
|
||||||
|
MY_COUNT = 1001,
|
||||||
|
MY_TABLE = 1002,
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
event zeek_init()
|
||||||
|
{
|
||||||
|
assert EventMetadata::register(MY_STRING, string);
|
||||||
|
assert EventMetadata::register(MY_STRING, string); # double register is okay
|
||||||
|
assert EventMetadata::register(MY_COUNT, count);
|
||||||
|
assert EventMetadata::register(MY_COUNT, count);
|
||||||
|
assert EventMetadata::register(MY_TABLE, table[string] of count);
|
||||||
|
assert EventMetadata::register(MY_TABLE, table[string] of count);
|
||||||
|
|
||||||
|
# Type mismatch all return F, but no output on stderr.
|
||||||
|
assert ! EventMetadata::register(MY_STRING, count);
|
||||||
|
assert ! EventMetadata::register(MY_COUNT, string);
|
||||||
|
assert ! EventMetadata::register(MY_TABLE, table[count] of string);
|
||||||
|
}
|
||||||
Loading…
Add table
Add a link
Reference in a new issue