mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
General btest cleanup
- Use `-b` most everywhere, it will save time. - Start some intel tests upon the input file being fully read instead of at an arbitrary time. - Improve termination condition for some sumstats/cluster tests. - Filter uninteresting output from some supervisor tests. - Test for `notice_policy.log` is no longer needed.
This commit is contained in:
Jon Siwek
Tim Wojtulewicz
parent
670bf02c95
commit
7967a5b0aa
350 changed files with 1139 additions and 638 deletions
|
|
@ -3,12 +3,12 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn
|
||||
#open 2020-07-22-05-02-04
|
||||
#open 2020-08-08-05-49-42
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1254722767.492060 CHhAvVGS1DHFjwGM9 10.10.1.4 56166 10.10.1.1 53 udp dns 0.034025 34 100 SF - - 0 Dd 1 62 1 128 -
|
||||
1254722776.690444 C4J4Th3PJpwUYZZ6gc 10.10.1.20 138 10.10.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 -
|
||||
1254722767.529046 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 tcp - 0.346950 0 0 S1 - - 0 Sh 1 48 1 48 -
|
||||
1437831776.764391 CtPZjS20MLrsMUOJi2 192.168.133.100 49285 66.196.121.26 5050 tcp - 0.343008 41 0 OTH - - 0 Da 1 93 1 52 -
|
||||
1437831787.856895 CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 tcp - 0.004707 0 0 S1 - - 0 Sh 1 64 1 60 -
|
||||
#close 2020-07-22-05-02-04
|
||||
1437831776.764391 CUM0KZ3MLUfNB0cl11 192.168.133.100 49285 66.196.121.26 5050 tcp - 0.343008 41 0 OTH - - 0 Da 1 93 1 52 -
|
||||
1437831787.856895 CtPZjS20MLrsMUOJi2 192.168.133.100 49648 192.168.133.102 25 tcp - 0.004707 0 0 S1 - - 0 Sh 1 64 1 60 -
|
||||
#close 2020-08-08-05-49-42
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
> 2005-10-07-23:23:55 Test_Notice 141.42.64.125:56730/tcp -> 125.190.109.199:80/tcp (uid ClEkJM2Vm5giqnMf4h)
|
||||
> 2005-10-07-23:23:55 Test_Notice 141.42.64.125:56730/tcp -> 125.190.109.199:80/tcp (uid CHhAvVGS1DHFjwGM9)
|
||||
test
|
||||
# 141.42.64.125 = <skipped> 125.190.109.199 = <skipped>
|
||||
|
||||
|
|
|
|||
|
|
@ -3,10 +3,10 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-00-46
|
||||
#open 2020-08-08-04-23-29
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1509735979.080381 CtPZjS20MLrsMUOJi2 127.0.0.1 50164 127.0.0.1 6667 contentline_size_exceeded - F zeek
|
||||
1509735979.080381 CtPZjS20MLrsMUOJi2 127.0.0.1 50164 127.0.0.1 6667 irc_line_size_exceeded - F zeek
|
||||
1509735981.241042 CtPZjS20MLrsMUOJi2 127.0.0.1 50164 127.0.0.1 6667 irc_invalid_command - F zeek
|
||||
#close 2019-06-07-02-00-46
|
||||
1509735979.080381 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 contentline_size_exceeded - F zeek
|
||||
1509735979.080381 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_line_size_exceeded - F zeek
|
||||
1509735981.241042 CHhAvVGS1DHFjwGM9 127.0.0.1 50164 127.0.0.1 6667 irc_invalid_command - F zeek
|
||||
#close 2020-08-08-04-23-29
|
||||
|
|
|
|||
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-00-46
|
||||
#open 2020-08-08-04-25-02
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1536797872.428637 ClEkJM2Vm5giqnMf4h 127.0.0.1 65389 127.0.0.1 6666 irc_invalid_names_line - F zeek
|
||||
#close 2019-06-07-02-00-46
|
||||
1536797872.428637 CHhAvVGS1DHFjwGM9 127.0.0.1 65389 127.0.0.1 6666 irc_invalid_names_line - F zeek
|
||||
#close 2020-08-08-04-25-02
|
||||
|
|
|
|||
|
|
@ -3,37 +3,37 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ntp
|
||||
#open 2019-06-16-00-50-01
|
||||
#open 2020-08-08-04-53-23
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version mode stratum poll precision root_delay root_disp ref_id ref_time org_time rec_time xmt_time num_exts
|
||||
#types time string addr port addr port count count count interval interval interval interval string time time time time count
|
||||
1096255084.954975 ClEkJM2Vm5giqnMf4h 192.168.50.50 123 67.129.68.9 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.955306 C4J4Th3PJpwUYZZ6gc 192.168.50.50 123 69.44.57.60 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.955760 CtPZjS20MLrsMUOJi2 192.168.50.50 123 207.234.209.181 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.956155 CUM0KZ3MLUfNB0cl11 192.168.50.50 123 209.132.176.4 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.956577 CmES5u32sYpV7JYN 192.168.50.50 123 216.27.185.42 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.956975 CP5puj4I8PtEU4qzYg 192.168.50.50 123 24.34.79.42 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.957457 C37jN32gN3y3AZzyf6 192.168.50.50 123 24.123.202.230 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.957903 C3eiCBGOLw3VtHfOj 192.168.50.50 123 63.164.62.249 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.958625 CwjjYJ2WqgTbAqiHl6 192.168.50.50 123 64.112.189.11 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.959273 C0LAHyvtKSQHyJxIl 192.168.50.50 123 65.125.233.206 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.960065 CFLRIC3zaTU1loLGxh 192.168.50.50 123 66.33.206.5 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.932911 0
|
||||
1096255084.960866 C9rXSW3KSpTYvPrlI1 192.168.50.50 123 66.33.216.11 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.932911 0
|
||||
1096255084.961475 Ck51lg1bScffFj34Ri 192.168.50.50 123 66.92.68.246 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.932911 0
|
||||
1096255084.962222 C9mvWx3ezztgzcexV7 192.168.50.50 123 66.111.46.200 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.932911 0
|
||||
1096255084.962915 CNnMIj2QSd84NKf7U3 192.168.50.50 123 66.115.136.4 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.932911 0
|
||||
1096255085.012029 C4J4Th3PJpwUYZZ6gc 192.168.50.50 123 69.44.57.60 123 3 2 3 1024.000000 0.000004 0.109238 0.081726 81.174.128.183 1096254668.551001 1096255084.922896 1096255083.809713 1096255083.809760 0
|
||||
1096255085.049280 C37jN32gN3y3AZzyf6 192.168.50.50 123 24.123.202.230 123 3 2 2 1024.000000 0.000001 0.030319 0.185547 198.30.92.2 1096252181.259041 1096255084.922896 1096255083.821124 1096255083.821134 0
|
||||
1096255085.092991 ClEkJM2Vm5giqnMf4h 192.168.50.50 123 67.129.68.9 123 3 2 2 1024.000000 0.000008 0.060455 7.464310 17.254.0.49 1095788645.064548 1096255084.922896 1096255083.848508 1096255083.848601 0
|
||||
1096255085.120557 C0LAHyvtKSQHyJxIl 192.168.50.50 123 65.125.233.206 123 3 2 2 1024.000000 0.000031 0.023254 0.012848 130.207.244.240 1096254901.858123 1096255084.922896 1096255083.828025 1096255083.828189 0
|
||||
1096255085.185955 C3eiCBGOLw3VtHfOj 192.168.50.50 123 63.164.62.249 123 3 2 2 1024.000000 0.000001 0.015015 0.037491 18.145.0.30 1096254668.213801 1096255084.922896 1096255083.829249 1096255083.829301 0
|
||||
1096255085.223026 CtPZjS20MLrsMUOJi2 192.168.50.50 123 207.234.209.181 123 3 2 3 1024.000000 0.000008 0.072678 0.035049 198.82.1.203 1096254326.189600 1096255084.922896 1096255083.824154 1096255083.824174 0
|
||||
1096255085.280949 Ck51lg1bScffFj34Ri 192.168.50.50 123 66.92.68.246 123 3 2 1 1024.000000 0.000015 0.000000 0.000320 GPS\x00 1096255078.223498 1096255084.932911 1096255083.836845 1096255083.836870 0
|
||||
1096255085.304774 CP5puj4I8PtEU4qzYg 192.168.50.50 123 24.34.79.42 123 3 2 2 1024.000000 0.000031 0.123322 0.039917 131.107.1.10 1096254970.010788 1096255084.922896 1096255083.825662 1096255083.825692 0
|
||||
1096255085.353360 CNnMIj2QSd84NKf7U3 192.168.50.50 123 66.115.136.4 123 3 2 2 1024.000000 0.000008 0.016632 0.028641 130.207.244.240 1096254406.517429 1096255084.932911 1096255083.853291 1096255083.853336 0
|
||||
1096255085.406368 CFLRIC3zaTU1loLGxh 192.168.50.50 123 66.33.206.5 123 3 2 2 1024.000000 0.000004 0.012360 0.022202 192.12.19.20 1096255027.694744 1096255084.932911 1096255083.850895 1096255083.850907 0
|
||||
1096255085.439833 C9rXSW3KSpTYvPrlI1 192.168.50.50 123 66.33.216.11 123 3 2 2 1024.000000 0.000001 0.009857 0.043747 204.123.2.72 1096254508.255586 1096255084.932911 1096255083.850965 1096255083.851024 0
|
||||
1096255085.480955 C9mvWx3ezztgzcexV7 192.168.50.50 123 66.111.46.200 123 3 2 2 1024.000000 0.000001 0.056396 0.062164 198.30.92.2 1096253376.841474 1096255084.932911 1096255083.847619 1096255083.847644 0
|
||||
1096255085.522297 CwjjYJ2WqgTbAqiHl6 192.168.50.50 123 64.112.189.11 123 3 2 2 1024.000000 0.000015 0.081268 0.029877 128.10.252.6 1096254706.140290 1096255084.922896 1096255083.850451 1096255083.850465 0
|
||||
1096255085.562197 CmES5u32sYpV7JYN 192.168.50.50 123 216.27.185.42 123 3 2 2 1024.000000 0.000004 0.029846 0.045456 164.67.62.194 1096254209.896379 1096255084.922896 1096255083.849099 1096255083.849269 0
|
||||
1096255085.599961 CUM0KZ3MLUfNB0cl11 192.168.50.50 123 209.132.176.4 123 3 2 1 1024.000000 0.000015 0.000000 0.000504 CDMA 1096255068.944018 1096255084.922896 1096255083.827772 1096255083.828313 0
|
||||
#close 2019-06-16-00-50-01
|
||||
1096255084.954975 CHhAvVGS1DHFjwGM9 192.168.50.50 123 67.129.68.9 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.955306 ClEkJM2Vm5giqnMf4h 192.168.50.50 123 69.44.57.60 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.955760 C4J4Th3PJpwUYZZ6gc 192.168.50.50 123 207.234.209.181 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.956155 CtPZjS20MLrsMUOJi2 192.168.50.50 123 209.132.176.4 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.956577 CUM0KZ3MLUfNB0cl11 192.168.50.50 123 216.27.185.42 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.956975 CmES5u32sYpV7JYN 192.168.50.50 123 24.34.79.42 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.957457 CP5puj4I8PtEU4qzYg 192.168.50.50 123 24.123.202.230 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.957903 C37jN32gN3y3AZzyf6 192.168.50.50 123 63.164.62.249 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.958625 C3eiCBGOLw3VtHfOj 192.168.50.50 123 64.112.189.11 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.959273 CwjjYJ2WqgTbAqiHl6 192.168.50.50 123 65.125.233.206 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.922896 0
|
||||
1096255084.960065 C0LAHyvtKSQHyJxIl 192.168.50.50 123 66.33.206.5 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.932911 0
|
||||
1096255084.960866 CFLRIC3zaTU1loLGxh 192.168.50.50 123 66.33.216.11 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.932911 0
|
||||
1096255084.961475 C9rXSW3KSpTYvPrlI1 192.168.50.50 123 66.92.68.246 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.932911 0
|
||||
1096255084.962222 Ck51lg1bScffFj34Ri 192.168.50.50 123 66.111.46.200 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.932911 0
|
||||
1096255084.962915 C9mvWx3ezztgzcexV7 192.168.50.50 123 66.115.136.4 123 3 1 0 1024.000000 0.015625 0.000000 1.010010 \x00\x00\x00\x00 0.000000 0.000000 0.000000 1096255084.932911 0
|
||||
1096255085.012029 ClEkJM2Vm5giqnMf4h 192.168.50.50 123 69.44.57.60 123 3 2 3 1024.000000 0.000004 0.109238 0.081726 81.174.128.183 1096254668.551001 1096255084.922896 1096255083.809713 1096255083.809760 0
|
||||
1096255085.049280 CP5puj4I8PtEU4qzYg 192.168.50.50 123 24.123.202.230 123 3 2 2 1024.000000 0.000001 0.030319 0.185547 198.30.92.2 1096252181.259041 1096255084.922896 1096255083.821124 1096255083.821134 0
|
||||
1096255085.092991 CHhAvVGS1DHFjwGM9 192.168.50.50 123 67.129.68.9 123 3 2 2 1024.000000 0.000008 0.060455 7.464310 17.254.0.49 1095788645.064548 1096255084.922896 1096255083.848508 1096255083.848601 0
|
||||
1096255085.120557 CwjjYJ2WqgTbAqiHl6 192.168.50.50 123 65.125.233.206 123 3 2 2 1024.000000 0.000031 0.023254 0.012848 130.207.244.240 1096254901.858123 1096255084.922896 1096255083.828025 1096255083.828189 0
|
||||
1096255085.185955 C37jN32gN3y3AZzyf6 192.168.50.50 123 63.164.62.249 123 3 2 2 1024.000000 0.000001 0.015015 0.037491 18.145.0.30 1096254668.213801 1096255084.922896 1096255083.829249 1096255083.829301 0
|
||||
1096255085.223026 C4J4Th3PJpwUYZZ6gc 192.168.50.50 123 207.234.209.181 123 3 2 3 1024.000000 0.000008 0.072678 0.035049 198.82.1.203 1096254326.189600 1096255084.922896 1096255083.824154 1096255083.824174 0
|
||||
1096255085.280949 C9rXSW3KSpTYvPrlI1 192.168.50.50 123 66.92.68.246 123 3 2 1 1024.000000 0.000015 0.000000 0.000320 GPS\x00 1096255078.223498 1096255084.932911 1096255083.836845 1096255083.836870 0
|
||||
1096255085.304774 CmES5u32sYpV7JYN 192.168.50.50 123 24.34.79.42 123 3 2 2 1024.000000 0.000031 0.123322 0.039917 131.107.1.10 1096254970.010788 1096255084.922896 1096255083.825662 1096255083.825692 0
|
||||
1096255085.353360 C9mvWx3ezztgzcexV7 192.168.50.50 123 66.115.136.4 123 3 2 2 1024.000000 0.000008 0.016632 0.028641 130.207.244.240 1096254406.517429 1096255084.932911 1096255083.853291 1096255083.853336 0
|
||||
1096255085.406368 C0LAHyvtKSQHyJxIl 192.168.50.50 123 66.33.206.5 123 3 2 2 1024.000000 0.000004 0.012360 0.022202 192.12.19.20 1096255027.694744 1096255084.932911 1096255083.850895 1096255083.850907 0
|
||||
1096255085.439833 CFLRIC3zaTU1loLGxh 192.168.50.50 123 66.33.216.11 123 3 2 2 1024.000000 0.000001 0.009857 0.043747 204.123.2.72 1096254508.255586 1096255084.932911 1096255083.850965 1096255083.851024 0
|
||||
1096255085.480955 Ck51lg1bScffFj34Ri 192.168.50.50 123 66.111.46.200 123 3 2 2 1024.000000 0.000001 0.056396 0.062164 198.30.92.2 1096253376.841474 1096255084.932911 1096255083.847619 1096255083.847644 0
|
||||
1096255085.522297 C3eiCBGOLw3VtHfOj 192.168.50.50 123 64.112.189.11 123 3 2 2 1024.000000 0.000015 0.081268 0.029877 128.10.252.6 1096254706.140290 1096255084.922896 1096255083.850451 1096255083.850465 0
|
||||
1096255085.562197 CUM0KZ3MLUfNB0cl11 192.168.50.50 123 216.27.185.42 123 3 2 2 1024.000000 0.000004 0.029846 0.045456 164.67.62.194 1096254209.896379 1096255084.922896 1096255083.849099 1096255083.849269 0
|
||||
1096255085.599961 CtPZjS20MLrsMUOJi2 192.168.50.50 123 209.132.176.4 123 3 2 1 1024.000000 0.000015 0.000000 0.000504 CDMA 1096255068.944018 1096255084.922896 1096255083.827772 1096255083.828313 0
|
||||
#close 2020-08-08-04-53-23
|
||||
|
|
|
|||
|
|
@ -3,9 +3,9 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path smtp
|
||||
#open 2020-07-06-19-15-32
|
||||
#open 2020-08-08-04-26-29
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth helo mailfrom rcptto date from to cc reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent tls fuids
|
||||
#types time string addr port addr port count string string set[string] string string set[string] set[string] string string string string addr string string string vector[addr] string bool vector[string]
|
||||
1254722768.219663 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 1 GP gurpartap@patriots.in raj_deol2002in@yahoo.co.in Mon, 5 Oct 2009 11:36:07 +0530 "Gurpartap Singh" <gurpartap@patriots.in> <raj_deol2002in@yahoo.co.in> - - <000301ca4581$ef9e57f0$cedb07d0$@in> - SMTP - - - 250 OK id=1Mugho-0003Dg-Un 74.53.140.153,10.10.1.4 Microsoft Office Outlook 12.0 F FmFp351N5nhsMmAfQg,Fqrb1K5DWEfgy4WU2,FEFYSd1s8Onn9LynKj
|
||||
1437831787.867142 CmES5u32sYpV7JYN 192.168.133.100 49648 192.168.133.102 25 1 [192.168.133.100] albert@example.com felica4uu@hotmail.com,ericlim220@yahoo.com,davis_mark1@outlook.com Sat, 25 Jul 2015 16:43:07 +0300 Albert Zaharovits <albert@example.com> ericlim220@yahoo.com felica4uu@hotmail.com,davis_mark1@outlook.com - <A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com> <9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com> Re: Bro SMTP CC Header - - - 250 Ok 192.168.133.102,192.168.133.100 Apple Mail (2.2102) F Fc5KpS3kUYqDLwWSMf
|
||||
#close 2020-07-06-19-15-32
|
||||
1254722768.219663 CHhAvVGS1DHFjwGM9 10.10.1.4 1470 74.53.140.153 25 1 GP gurpartap@patriots.in raj_deol2002in@yahoo.co.in Mon, 5 Oct 2009 11:36:07 +0530 "Gurpartap Singh" <gurpartap@patriots.in> <raj_deol2002in@yahoo.co.in> - - <000301ca4581$ef9e57f0$cedb07d0$@in> - SMTP - - - 250 OK id=1Mugho-0003Dg-Un 74.53.140.153,10.10.1.4 Microsoft Office Outlook 12.0 F FmFp351N5nhsMmAfQg,Fqrb1K5DWEfgy4WU2,FEFYSd1s8Onn9LynKj
|
||||
1437831787.867142 CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 1 [192.168.133.100] albert@example.com felica4uu@hotmail.com,ericlim220@yahoo.com,davis_mark1@outlook.com Sat, 25 Jul 2015 16:43:07 +0300 Albert Zaharovits <albert@example.com> ericlim220@yahoo.com felica4uu@hotmail.com,davis_mark1@outlook.com - <A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com> <9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com> Re: Bro SMTP CC Header - - - 250 Ok 192.168.133.102,192.168.133.100 Apple Mail (2.2102) F Fc5KpS3kUYqDLwWSMf
|
||||
#close 2020-08-08-04-26-29
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/icmp/icmp6-neighbor-solicit.pcap %INPUT > output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/icmp/icmp6-neighbor-solicit.pcap %INPUT > output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
event icmp_neighbor_solicitation(c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek %INPUT>out
|
||||
# @TEST-EXEC: zeek -b %INPUT>out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
|
||||
|
|
|
|||
|
|
@ -2,16 +2,18 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: zeek %INPUT>out
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek runnumber=1 %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek runnumber=2 %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT>out
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT runnumber=1
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT runnumber=2
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
#
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-2/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
@ -33,6 +35,11 @@ event zeek_init()
|
|||
|
||||
global runnumber: count &redef; # differentiate runs
|
||||
|
||||
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
|
||||
{
|
||||
terminate();
|
||||
}
|
||||
|
||||
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
|
||||
{
|
||||
local c = hll_cardinality_init(0.01, 0.95);
|
||||
|
|
@ -78,8 +85,6 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
|
|||
}
|
||||
|
||||
event hll_data(c);
|
||||
|
||||
terminate();
|
||||
}
|
||||
|
||||
@endif
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/wikipedia.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/wikipedia.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
event zeek_init()
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# Checks that accurate stats are returned when reading from a trace file.
|
||||
# @TEST-EXEC: zeek -r $TRACES/wikipedia.trace >output %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace >output %INPUT
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
event zeek_done()
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
|
||||
# @TEST-EXEC: zeek -b %INPUT >out1
|
||||
# @TEST-EXEC: btest-diff out1
|
||||
# @TEST-EXEC: zeek -r $TRACES/web.trace %INPUT >out2
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/web.trace %INPUT >out2
|
||||
# @TEST-EXEC: btest-diff out2
|
||||
|
||||
event zeek_init()
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek order_rand | sort >out.1
|
||||
# @TEST-EXEC: zeek order_base | sort >out.2
|
||||
# @TEST-EXEC: zeek -b order_rand | sort >out.1
|
||||
# @TEST-EXEC: zeek -b order_base | sort >out.2
|
||||
# @TEST-EXEC: cmp out.1 out.2
|
||||
|
||||
@TEST-START-FILE order_rand.zeek
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/tls-expired-cert.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT
|
||||
|
||||
# This is a hack: the results of OpenSSL 1.1's vs 1.0's
|
||||
# X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls
|
||||
|
|
@ -10,6 +10,8 @@
|
|||
|
||||
# @TEST-EXEC: grep -q "ZEEK_HAVE_OPENSSL_1_1" $BUILD/CMakeCache.txt && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
||||
redef SSL::root_certs = {
|
||||
["CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x36\x30\x82\x03\x1E\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x34\x38\x33\x38\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x34\x38\x33\x38\x5A\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\xF7\x1A\x33\xE6\xF2\x00\x04\x2D\x39\xE0\x4E\x5B\xED\x1F\xBC\x6C\x0F\xCD\xB5\xFA\x23\xB6\xCE\xDE\x9B\x11\x33\x97\xA4\x29\x4C\x7D\x93\x9F\xBD\x4A\xBC\x93\xED\x03\x1A\xE3\x8F\xCF\xE5\x6D\x50\x5A\xD6\x97\x29\x94\x5A\x80\xB0\x49\x7A\xDB\x2E\x95\xFD\xB8\xCA\xBF\x37\x38\x2D\x1E\x3E\x91\x41\xAD\x70\x56\xC7\xF0\x4F\x3F\xE8\x32\x9E\x74\xCA\xC8\x90\x54\xE9\xC6\x5F\x0F\x78\x9D\x9A\x40\x3C\x0E\xAC\x61\xAA\x5E\x14\x8F\x9E\x87\xA1\x6A\x50\xDC\xD7\x9A\x4E\xAF\x05\xB3\xA6\x71\x94\x9C\x71\xB3\x50\x60\x0A\xC7\x13\x9D\x38\x07\x86\x02\xA8\xE9\xA8\x69\x26\x18\x90\xAB\x4C\xB0\x4F\x23\xAB\x3A\x4F\x84\xD8\xDF\xCE\x9F\xE1\x69\x6F\xBB\xD7\x42\xD7\x6B\x44\xE4\xC7\xAD\xEE\x6D\x41\x5F\x72\x5A\x71\x08\x37\xB3\x79\x65\xA4\x59\xA0\x94\x37\xF7\x00\x2F\x0D\xC2\x92\x72\xDA\xD0\x38\x72\xDB\x14\xA8\x45\xC4\x5D\x2A\x7D\xB7\xB4\xD6\xC4\xEE\xAC\xCD\x13\x44\xB7\xC9\x2B\xDD\x43\x00\x25\xFA\x61\xB9\x69\x6A\x58\x23\x11\xB7\xA7\x33\x8F\x56\x75\x59\xF5\xCD\x29\xD7\x46\xB7\x0A\x2B\x65\xB6\xD3\x42\x6F\x15\xB2\xB8\x7B\xFB\xEF\xE9\x5D\x53\xD5\x34\x5A\x27\x02\x03\x01\x00\x01\xA3\x81\xDC\x30\x81\xD9\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAD\xBD\x98\x7A\x34\xB4\x26\xF7\xFA\xC4\x26\x54\xEF\x03\xBD\xE0\x24\xCB\x54\x1A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x99\x06\x03\x55\x1D\x23\x04\x81\x91\x30\x81\x8E\x80\x14\xAD\xBD\x98\x7A\x34\xB4\x26\xF7\xFA\xC4\x26\x54\xEF\x03\xBD\xE0\x24\xCB\x54\x1A\xA1\x73\xA4\x71\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB0\x9B\xE0\x85\x25\xC2\xD6\x23\xE2\x0F\x96\x06\x92\x9D\x41\x98\x9C\xD9\x84\x79\x81\xD9\x1E\x5B\x14\x07\x23\x36\x65\x8F\xB0\xD8\x77\xBB\xAC\x41\x6C\x47\x60\x83\x51\xB0\xF9\x32\x3D\xE7\xFC\xF6\x26\x13\xC7\x80\x16\xA5\xBF\x5A\xFC\x87\xCF\x78\x79\x89\x21\x9A\xE2\x4C\x07\x0A\x86\x35\xBC\xF2\xDE\x51\xC4\xD2\x96\xB7\xDC\x7E\x4E\xEE\x70\xFD\x1C\x39\xEB\x0C\x02\x51\x14\x2D\x8E\xBD\x16\xE0\xC1\xDF\x46\x75\xE7\x24\xAD\xEC\xF4\x42\xB4\x85\x93\x70\x10\x67\xBA\x9D\x06\x35\x4A\x18\xD3\x2B\x7A\xCC\x51\x42\xA1\x7A\x63\xD1\xE6\xBB\xA1\xC5\x2B\xC2\x36\xBE\x13\x0D\xE6\xBD\x63\x7E\x79\x7B\xA7\x09\x0D\x40\xAB\x6A\xDD\x8F\x8A\xC3\xF6\xF6\x8C\x1A\x42\x05\x51\xD4\x45\xF5\x9F\xA7\x62\x21\x68\x15\x20\x43\x3C\x99\xE7\x7C\xBD\x24\xD8\xA9\x91\x17\x73\x88\x3F\x56\x1B\x31\x38\x18\xB4\x71\x0F\x9A\xCD\xC8\x0E\x9E\x8E\x2E\x1B\xE1\x8C\x98\x83\xCB\x1F\x31\xF1\x44\x4C\xC6\x04\x73\x49\x76\x60\x0F\xC7\xF8\xBD\x17\x80\x6B\x2E\xE9\xCC\x4C\x0E\x5A\x9A\x79\x0F\x20\x0A\x2E\xD5\x9E\x63\x26\x1E\x55\x92\x94\xD8\x82\x17\x5A\x7B\xD0\xBC\xC7\x8F\x4E\x86\x04",
|
||||
["CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x04\x1A\x30\x82\x03\x02\x02\x11\x00\x9B\x7E\x06\x49\xA3\x3E\x62\xB9\xD5\xEE\x90\x48\x71\x29\xEF\x57\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x39\x39\x31\x30\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCB\xBA\x9C\x52\xFC\x78\x1F\x1A\x1E\x6F\x1B\x37\x73\xBD\xF8\xC9\x6B\x94\x12\x30\x4F\xF0\x36\x47\xF5\xD0\x91\x0A\xF5\x17\xC8\xA5\x61\xC1\x16\x40\x4D\xFB\x8A\x61\x90\xE5\x76\x20\xC1\x11\x06\x7D\xAB\x2C\x6E\xA6\xF5\x11\x41\x8E\xFA\x2D\xAD\x2A\x61\x59\xA4\x67\x26\x4C\xD0\xE8\xBC\x52\x5B\x70\x20\x04\x58\xD1\x7A\xC9\xA4\x69\xBC\x83\x17\x64\xAD\x05\x8B\xBC\xD0\x58\xCE\x8D\x8C\xF5\xEB\xF0\x42\x49\x0B\x9D\x97\x27\x67\x32\x6E\xE1\xAE\x93\x15\x1C\x70\xBC\x20\x4D\x2F\x18\xDE\x92\x88\xE8\x6C\x85\x57\x11\x1A\xE9\x7E\xE3\x26\x11\x54\xA2\x45\x96\x55\x83\xCA\x30\x89\xE8\xDC\xD8\xA3\xED\x2A\x80\x3F\x7F\x79\x65\x57\x3E\x15\x20\x66\x08\x2F\x95\x93\xBF\xAA\x47\x2F\xA8\x46\x97\xF0\x12\xE2\xFE\xC2\x0A\x2B\x51\xE6\x76\xE6\xB7\x46\xB7\xE2\x0D\xA6\xCC\xA8\xC3\x4C\x59\x55\x89\xE6\xE8\x53\x5C\x1C\xEA\x9D\xF0\x62\x16\x0B\xA7\xC9\x5F\x0C\xF0\xDE\xC2\x76\xCE\xAF\xF7\x6A\xF2\xFA\x41\xA6\xA2\x33\x14\xC9\xE5\x7A\x63\xD3\x9E\x62\x37\xD5\x85\x65\x9E\x0E\xE6\x53\x24\x74\x1B\x5E\x1D\x12\x53\x5B\xC7\x2C\xE7\x83\x49\x3B\x15\xAE\x8A\x68\xB9\x57\x97\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x11\x14\x96\xC1\xAB\x92\x08\xF7\x3F\x2F\xC9\xB2\xFE\xE4\x5A\x9F\x64\xDE\xDB\x21\x4F\x86\x99\x34\x76\x36\x57\xDD\xD0\x15\x2F\xC5\xAD\x7F\x15\x1F\x37\x62\x73\x3E\xD4\xE7\x5F\xCE\x17\x03\xDB\x35\xFA\x2B\xDB\xAE\x60\x09\x5F\x1E\x5F\x8F\x6E\xBB\x0B\x3D\xEA\x5A\x13\x1E\x0C\x60\x6F\xB5\xC0\xB5\x23\x22\x2E\x07\x0B\xCB\xA9\x74\xCB\x47\xBB\x1D\xC1\xD7\xA5\x6B\xCC\x2F\xD2\x42\xFD\x49\xDD\xA7\x89\xCF\x53\xBA\xDA\x00\x5A\x28\xBF\x82\xDF\xF8\xBA\x13\x1D\x50\x86\x82\xFD\x8E\x30\x8F\x29\x46\xB0\x1E\x3D\x35\xDA\x38\x62\x16\x18\x4A\xAD\xE6\xB6\x51\x6C\xDE\xAF\x62\xEB\x01\xD0\x1E\x24\xFE\x7A\x8F\x12\x1A\x12\x68\xB8\xFB\x66\x99\x14\x14\x45\x5C\xAE\xE7\xAE\x69\x17\x81\x2B\x5A\x37\xC9\x5E\x2A\xF4\xC6\xE2\xA1\x5C\x54\x9B\xA6\x54\x00\xCF\xF0\xF1\xC1\xC7\x98\x30\x1A\x3B\x36\x16\xDB\xA3\x6E\xEA\xFD\xAD\xB2\xC2\xDA\xEF\x02\x47\x13\x8A\xC0\xF1\xB3\x31\xAD\x4F\x1C\xE1\x4F\x9C\xAF\x0F\x0C\x9D\xF7\x78\x0D\xD8\xF4\x35\x56\x80\xDA\xB7\x6D\x17\x8F\x9D\x1E\x81\x64\xE1\xFE\xC5\x45\xBA\xAD\x6B\xB9\x0A\x7A\x4E\x4F\x4B\x84\xEE\x4B\xF1\x7D\xDD\x11",
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# @TEST-PORT: BROKER_PORT
|
||||
|
||||
# @TEST-EXEC: btest-bg-run master "zeek -B broker -b %DIR/sort-stuff.zeek ../master.zeek >../master.out"
|
||||
# @TEST-EXEC: btest-bg-run clone "zeek -B broker -b %DIR/sort-stuff.zeek ../clone.zeek >../clone.out"
|
||||
# @TEST-EXEC: btest-bg-run master "zeek -b -B broker -b %DIR/sort-stuff.zeek ../master.zeek >../master.out"
|
||||
# @TEST-EXEC: btest-bg-run clone "zeek -b -B broker -b %DIR/sort-stuff.zeek ../clone.zeek >../clone.out"
|
||||
# @TEST-EXEC: btest-bg-wait 15
|
||||
#
|
||||
# @TEST-EXEC: btest-diff clone.out
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC-FAIL: zeek -B broker %INPUT
|
||||
# @TEST-EXEC-FAIL: zeek -b -B broker %INPUT
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
|
||||
|
||||
module TestModule;
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -B broker ../master.zeek >../master.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -B broker ../clone.zeek >../clone.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-2 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -B broker ../clone.zeek >../clone2.out"
|
||||
# @TEST-EXEC: btest-bg-wait 15
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b -B broker ../master.zeek >../master.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b -B broker ../clone.zeek >../clone.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-2 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b -B broker ../clone.zeek >../clone2.out"
|
||||
# @TEST-EXEC: btest-bg-wait 20
|
||||
#
|
||||
# @TEST-EXEC: grep -v PEER_UNAVAILABLE worker-1/.stderr > worker-1-stderr
|
||||
# @TEST-EXEC: btest-diff worker-1-stderr
|
||||
|
|
@ -20,6 +20,7 @@ redef Cluster::nodes = {
|
|||
|
||||
|
||||
@TEST-START-FILE master.zeek
|
||||
@load base/frameworks/cluster
|
||||
redef exit_only_after_terminate = T;
|
||||
redef Log::enable_local_logging = T;
|
||||
redef Log::default_rotation_interval = 0secs;
|
||||
|
|
@ -44,6 +45,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
|
|||
@TEST-END-FILE
|
||||
|
||||
@TEST-START-FILE clone.zeek
|
||||
@load base/frameworks/cluster
|
||||
redef exit_only_after_terminate = T;
|
||||
redef Log::enable_local_logging = T;
|
||||
redef Log::default_rotation_interval = 0secs;
|
||||
|
|
|
|||
|
|
@ -2,9 +2,9 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -B broker %DIR/sort-stuff.zeek ../master.zeek >../master.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -B broker %DIR/sort-stuff.zeek ../clone.zeek >../clone.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-2 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -B broker %DIR/sort-stuff.zeek ../clone2.zeek >../clone2.out"
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b -B broker %DIR/sort-stuff.zeek ../master.zeek >../master.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b -B broker %DIR/sort-stuff.zeek ../clone.zeek >../clone.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-2 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b -B broker %DIR/sort-stuff.zeek ../clone2.zeek >../clone2.out"
|
||||
# @TEST-EXEC: btest-bg-wait 40
|
||||
#
|
||||
# @TEST-EXEC: btest-diff master.out
|
||||
|
|
@ -22,6 +22,8 @@ redef Cluster::nodes = {
|
|||
|
||||
|
||||
@TEST-START-FILE master.zeek
|
||||
@load base/frameworks/cluster
|
||||
|
||||
redef exit_only_after_terminate = T;
|
||||
redef Log::enable_local_logging = T;
|
||||
redef Log::default_rotation_interval = 0secs;
|
||||
|
|
@ -65,6 +67,8 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
|
|||
@TEST-END-FILE
|
||||
|
||||
@TEST-START-FILE clone.zeek
|
||||
@load base/frameworks/cluster
|
||||
|
||||
redef exit_only_after_terminate = T;
|
||||
redef Log::enable_local_logging = T;
|
||||
redef Log::default_rotation_interval = 0secs;
|
||||
|
|
@ -120,6 +124,8 @@ event Broker::announce_masters(masters: set[string])
|
|||
@TEST-END-FILE
|
||||
|
||||
@TEST-START-FILE clone2.zeek
|
||||
@load base/frameworks/cluster
|
||||
|
||||
redef exit_only_after_terminate = T;
|
||||
redef Log::enable_local_logging = T;
|
||||
redef Log::default_rotation_interval = 0secs;
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -B broker %DIR/sort-stuff.zeek ../master.zeek >../master.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -B broker %DIR/sort-stuff.zeek ../clone.zeek >../clone.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-2 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -B broker %DIR/sort-stuff.zeek ../clone.zeek >../clone2.out"
|
||||
# @TEST-EXEC: btest-bg-wait 15
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b -B broker ../common.zeek ../master.zeek >../master.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b -B broker ../common.zeek ../clone.zeek >../clone.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-2 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b -B broker ../common.zeek ../clone.zeek >../clone2.out"
|
||||
# @TEST-EXEC: btest-bg-wait 20
|
||||
#
|
||||
# @TEST-EXEC: btest-diff master.out
|
||||
# @TEST-EXEC: btest-diff clone.out
|
||||
|
|
@ -20,6 +20,42 @@ redef Cluster::nodes = {
|
|||
};
|
||||
@TEST-END-FILE
|
||||
|
||||
@TEST-START-FILE common.zeek
|
||||
@load base/frameworks/cluster
|
||||
@load base/frameworks/broker
|
||||
|
||||
function sort_set(s: set[string]): vector of string
|
||||
{
|
||||
local v: vector of string = vector();
|
||||
|
||||
for ( e in s )
|
||||
v += e;
|
||||
|
||||
sort(v, strcmp);
|
||||
return v;
|
||||
}
|
||||
|
||||
type TableEntry: record {
|
||||
key: string;
|
||||
val: any;
|
||||
};
|
||||
|
||||
function sort_table(t: table[string] of any): vector of TableEntry
|
||||
{
|
||||
local vs: vector of string = vector();
|
||||
local rval: vector of TableEntry = vector();
|
||||
|
||||
for ( k, v in t )
|
||||
vs += k;
|
||||
|
||||
sort(vs, strcmp);
|
||||
|
||||
for ( i in vs )
|
||||
rval += TableEntry($key=vs[i], $val=t[vs[i]]);
|
||||
|
||||
return rval;
|
||||
}
|
||||
@TEST-END-FILE
|
||||
|
||||
@TEST-START-FILE master.zeek
|
||||
redef exit_only_after_terminate = T;
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
|
||||
# @TEST-EXEC: zeek %DIR/sort-stuff.zeek preseed-sqlite.zeek;
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -B broker %DIR/sort-stuff.zeek ../master.zeek >../master.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -B broker %DIR/sort-stuff.zeek ../clone.zeek >../clone.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-2 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -B broker %DIR/sort-stuff.zeek ../clone.zeek >../clone2.out"
|
||||
# @TEST-EXEC: zeek -b %DIR/sort-stuff.zeek preseed-sqlite.zeek;
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b -B broker %DIR/sort-stuff.zeek ../master.zeek >../master.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b -B broker %DIR/sort-stuff.zeek ../clone.zeek >../clone.out"
|
||||
# @TEST-EXEC: btest-bg-run worker-2 "ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b -B broker %DIR/sort-stuff.zeek ../clone.zeek >../clone2.out"
|
||||
# @TEST-EXEC: btest-bg-wait 40
|
||||
#
|
||||
# @TEST-EXEC: btest-diff master.out
|
||||
|
|
@ -57,6 +57,8 @@ event zeek_init()
|
|||
@TEST-END-FILE
|
||||
|
||||
@TEST-START-FILE master.zeek
|
||||
@load base/frameworks/cluster
|
||||
|
||||
redef exit_only_after_terminate = T;
|
||||
redef Log::enable_local_logging = T;
|
||||
redef Log::default_rotation_interval = 0secs;
|
||||
|
|
@ -96,6 +98,8 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
|
|||
@TEST-END-FILE
|
||||
|
||||
@TEST-START-FILE clone.zeek
|
||||
@load base/frameworks/cluster
|
||||
|
||||
redef exit_only_after_terminate = T;
|
||||
redef Log::enable_local_logging = T;
|
||||
redef Log::default_rotation_interval = 0secs;
|
||||
|
|
|
|||
|
|
@ -1,15 +1,17 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/ftp/ipv4.trace %INPUT bits_per_uid=32 >32
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv4.trace %INPUT bits_per_uid=32 >32
|
||||
# @TEST-EXEC: btest-diff 32
|
||||
# @TEST-EXEC: zeek -r $TRACES/ftp/ipv4.trace %INPUT bits_per_uid=64 >64
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv4.trace %INPUT bits_per_uid=64 >64
|
||||
# @TEST-EXEC: btest-diff 64
|
||||
# @TEST-EXEC: zeek -r $TRACES/ftp/ipv4.trace %INPUT bits_per_uid=96 >96
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv4.trace %INPUT bits_per_uid=96 >96
|
||||
# @TEST-EXEC: btest-diff 96
|
||||
# @TEST-EXEC: zeek -r $TRACES/ftp/ipv4.trace %INPUT bits_per_uid=128 >128
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv4.trace %INPUT bits_per_uid=128 >128
|
||||
# @TEST-EXEC: btest-diff 128
|
||||
# @TEST-EXEC: zeek -r $TRACES/ftp/ipv4.trace %INPUT bits_per_uid=256 >256
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv4.trace %INPUT bits_per_uid=256 >256
|
||||
# @TEST-EXEC: btest-diff 256
|
||||
# @TEST-EXEC: cmp 128 256
|
||||
|
||||
@load base/protocols/ftp
|
||||
|
||||
event new_connection(c: connection)
|
||||
{
|
||||
print c$uid;
|
||||
|
|
|
|||
|
|
@ -1,42 +1,44 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip4-bad-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip4-bad-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: mv weird.log bad.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip4-tcp-bad-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip4-tcp-bad-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> bad.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip4-udp-bad-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip4-udp-bad-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> bad.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip4-icmp-bad-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip4-icmp-bad-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> bad.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-route0-tcp-bad-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-route0-tcp-bad-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> bad.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-route0-udp-bad-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-route0-udp-bad-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> bad.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-route0-icmp6-bad-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-route0-icmp6-bad-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> bad.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-tcp-bad-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-tcp-bad-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> bad.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-udp-bad-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-udp-bad-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> bad.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-icmp6-bad-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-icmp6-bad-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> bad.out
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip4-tcp-good-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip4-tcp-good-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: mv weird.log good.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip4-udp-good-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: test ! -e weird.log
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip4-icmp-good-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip4-icmp-good-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: test ! -e weird.log
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-route0-tcp-good-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-route0-tcp-good-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> good.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-route0-udp-good-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-route0-udp-good-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> good.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-route0-icmp6-good-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-route0-icmp6-good-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> good.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-tcp-good-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-tcp-good-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> good.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-udp-good-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> good.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/chksums/ip6-icmp6-good-chksum.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip6-icmp6-good-chksum.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> good.out
|
||||
|
||||
# @TEST-EXEC: btest-diff bad.out
|
||||
# @TEST-EXEC: btest-diff good.out
|
||||
|
||||
@load base/frameworks/notice/weird
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
|
||||
|
|
|
|||
|
|
@ -1,15 +1,17 @@
|
|||
#
|
||||
# In "normal" test mode, connection uids should be determistic.
|
||||
#
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/wikipedia.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/wikipedia.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
#
|
||||
# Without a seed, they should differ each time:
|
||||
#
|
||||
# @TEST-EXEC: unset ZEEK_SEED_FILE && unset BRO_SEED_FILE && zeek -C -r $TRACES/wikipedia.trace %INPUT >output2
|
||||
# @TEST-EXEC: unset ZEEK_SEED_FILE && unset BRO_SEED_FILE && zeek -b -C -r $TRACES/wikipedia.trace %INPUT >output2
|
||||
# @TEST-EXEC: cat output output2 | sort | uniq -c | wc -l | sed 's/ //g' >counts
|
||||
# @TEST-EXEC: btest-diff counts
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
event new_connection(c: connection)
|
||||
{
|
||||
print c$id, c$uid;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# We once had a bug where DNS lookups at init time lead to an immediate crash.
|
||||
#
|
||||
# @TEST-EXEC: zeek %INPUT >output 2>&1
|
||||
# @TEST-EXEC: zeek -b %INPUT >output 2>&1
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
const foo: set[addr] = {
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# Expressions in an event handler that raise interpreter exceptions
|
||||
# shouldn't abort Zeek entirely, but just return from the function body.
|
||||
#
|
||||
# @TEST-EXEC: zeek -r $TRACES/wikipedia.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace base/protocols/ftp base/protocols/http base/frameworks/reporter %INPUT >output
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff reporter.log
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,6 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/tcp/missing-syn.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/missing-syn.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
||||
@load base/protocols/http
|
||||
@load base/frameworks/dpd
|
||||
@load policy/protocols/conn/mac-logging
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/ipv6-http-atomic-frag.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/ipv6-http-atomic-frag.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
event new_connection(c: connection)
|
||||
{
|
||||
if ( c$id$resp_p == 80/tcp )
|
||||
|
|
|
|||
|
|
@ -1,7 +1,9 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/ipv6-fragmented-dns.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/ipv6-fragmented-dns.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
|
||||
@load base/protocols/dns
|
||||
|
||||
event new_packet(c: connection, p: pkt_hdr)
|
||||
{
|
||||
if ( p?$ip6 && p?$ udp )
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# A test of prefix-based @load'ing
|
||||
|
||||
# @TEST-EXEC: zeek addprefixes >output
|
||||
# @TEST-EXEC: zeek -b base/utils/site base/protocols/http addprefixes >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
@TEST-START-FILE addprefixes.zeek
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/nflog-http.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/nflog-http.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
@load base/protocols/http
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# Zeek shouldn't crash when doing nothing, nor outputting anything.
|
||||
#
|
||||
# @TEST-EXEC: cat /dev/null | zeek >output 2>&1
|
||||
# @TEST-EXEC: cat /dev/null | zeek -b >output 2>&1
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC-FAIL: zeek %INPUT
|
||||
# @TEST-EXEC-FAIL: zeek -b %INPUT
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
|
||||
|
||||
option testbool;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
export {
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
# options are allowed to be redef-able.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
|
||||
|
||||
# Errors that happen during runtime. At least at the moment we are not
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# @TEST-REQUIRES: which hexdump
|
||||
# @TEST-EXEC: zeek -r $TRACES/workshop_2011_browse.trace -w dump
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/workshop_2011_browse.trace -w dump
|
||||
# @TEST-EXEC: hexdump -C $TRACES/workshop_2011_browse.trace >1
|
||||
# @TEST-EXEC: hexdump -C dump >2
|
||||
# @TEST-EXEC: diff 1 2 >output || true
|
||||
|
|
|
|||
|
|
@ -1,7 +1,12 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/wikipedia.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/wikipedia.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
@load base/protocols/dns
|
||||
@load base/frameworks/dpd
|
||||
|
||||
redef enum PcapFilterID += { A, B };
|
||||
|
||||
global cnt = 0;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# @TEST-EXEC-FAIL: zeek -i NO_SUCH_INTERFACE 2>&1 >>output 2>&1
|
||||
# @TEST-EXEC-FAIL: zeek -b -i NO_SUCH_INTERFACE 2>&1 >>output 2>&1
|
||||
# @TEST-EXEC: cat output | sed 's/(.*)//g' >output2
|
||||
# @TEST-EXEC-FAIL: zeek -r NO_SUCH_TRACE 2>&1 >>output2 2>&1
|
||||
# @TEST-EXEC-FAIL: zeek -b -r NO_SUCH_TRACE 2>&1 >>output2 2>&1
|
||||
# @TEST-EXEC: btest-diff output2
|
||||
|
||||
redef enum PcapFilterID += { A };
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/wikipedia.trace %INPUT --pseudo-realtime >output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/wikipedia.trace %INPUT --pseudo-realtime >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
global init = F;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/wikipedia.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/wikipedia.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/q-in-q.trace
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/q-in-q.trace base/protocols/conn
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
|
|
|||
|
|
@ -1,2 +1,6 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/radiotap.pcap
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/radiotap.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
@load base/frameworks/dpd
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/ipv4/fragmented-1.pcap %INPUT >>output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/ipv4/fragmented-2.pcap %INPUT >>output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/ipv4/fragmented-3.pcap %INPUT >>output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/ipv4/fragmented-4.pcap %INPUT >>output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/tcp/reassembly.pcap %INPUT >>output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/ipv4/fragmented-1.pcap %INPUT >>output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/ipv4/fragmented-2.pcap %INPUT >>output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/ipv4/fragmented-3.pcap %INPUT >>output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/ipv4/fragmented-4.pcap %INPUT >>output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/reassembly.pcap %INPUT >>output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
event zeek_init()
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT 2>&1 | grep -v termination | sort | uniq | wc -l | awk '{print $1}' >output
|
||||
# @TEST-EXEC: zeek -b %INPUT 2>&1 | grep -v termination | sort | uniq | wc -l | awk '{print $1}' >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
# In old version, the event would keep triggering endlessely, with the network
|
||||
|
|
|
|||
|
|
@ -1,9 +1,11 @@
|
|||
# @TEST-EXEC: touch reporter.log && chmod -w reporter.log
|
||||
# @TEST-EXEC: zeek %INPUT >out 2>&1
|
||||
# @TEST-EXEC: zeek -b %INPUT >out 2>&1
|
||||
|
||||
# Output doesn't really matter, but we just want to know that Zeek shutdowns
|
||||
# without crashing in such scenarios (reporter log not writable
|
||||
# and also reporter errors being emitting during shutdown).
|
||||
|
||||
@load base/frameworks/config
|
||||
|
||||
redef Config::config_files += { "./config" };
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,11 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tcp/miss_end_data.pcap %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tcp/miss_end_data.pcap %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
@load base/frameworks/dpd
|
||||
|
||||
redef report_gaps_for_partial = T;
|
||||
|
||||
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
|
||||
|
|
|
|||
|
|
@ -1,2 +1,6 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/tcp/missing-syn.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/missing-syn.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
@load base/frameworks/dpd
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/tcp/ssh-dups.pcap %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/ssh-dups.pcap %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
event tcp_multiple_retransmissions(c: connection, is_orig: bool, threshold: count)
|
||||
|
|
|
|||
|
|
@ -1,43 +1,45 @@
|
|||
# Truncated IP packet's should not be analyzed, and generate truncated_IP weird
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/trunc/ip4-trunc.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/trunc/ip4-trunc.pcap %INPUT
|
||||
# @TEST-EXEC: mv weird.log output
|
||||
# @TEST-EXEC: zeek -r $TRACES/trunc/ip6-trunc.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/trunc/ip6-trunc.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> output
|
||||
# @TEST-EXEC: zeek -r $TRACES/trunc/ip6-ext-trunc.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/trunc/ip6-ext-trunc.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> output
|
||||
|
||||
# If an ICMP packet's payload is truncated due to too small snaplen,
|
||||
# the checksum calculation is bypassed (and Zeek doesn't crash, of course).
|
||||
|
||||
# @TEST-EXEC: rm -f weird.log
|
||||
# @TEST-EXEC: zeek -r $TRACES/trunc/icmp-payload-trunc.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/trunc/icmp-payload-trunc.pcap %INPUT
|
||||
# @TEST-EXEC: test ! -e weird.log
|
||||
|
||||
# If an ICMP packet has the ICMP header truncated due to too small snaplen,
|
||||
# an internally_truncated_header weird gets generated.
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/trunc/icmp-header-trunc.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/trunc/icmp-header-trunc.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> output
|
||||
|
||||
# Truncated packets where the captured length is less than the length required
|
||||
# for the packet header should also raise a Weird
|
||||
# @TEST-EXEC: zeek -r $TRACES/trunc/trunc-hdr.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/trunc/trunc-hdr.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> output
|
||||
|
||||
# Truncated packet where the length of the IP header is larger than the total
|
||||
# packet length
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/trunc/ipv4-truncated-broken-header.pcap
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/trunc/ipv4-truncated-broken-header.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> output
|
||||
|
||||
# Truncated packet where the captured length is big enough for the ip header
|
||||
# struct, but not large enough to capture the full header length (with options)
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/trunc/ipv4-internally-truncated-header.pcap
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/trunc/ipv4-internally-truncated-header.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> output
|
||||
|
||||
# Truncated packet where the length of the IP header is larger than the total
|
||||
# packet length inside several tunnels
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/trunc/mpls-6in6-6in6-4in6-trunc.pcap
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/trunc/mpls-6in6-6in6-4in6-trunc.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> output
|
||||
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
@load base/frameworks/notice/weird
|
||||
|
|
|
|||
|
|
@ -1,4 +1,9 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/ayiya3.trace
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/ayiya3.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
@load base/protocols/tunnels
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
@load base/frameworks/dpd
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/gre-within-gre.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-within-gre.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
|
||||
@load base/frameworks/tunnels
|
||||
@load base/protocols/conn
|
||||
|
|
|
|||
|
|
@ -1,4 +1,9 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/gre-pptp.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-pptp.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
#
|
||||
@load base/frameworks/tunnels
|
||||
@load base/frameworks/dpd
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
|
|
|
|||
|
|
@ -1,5 +1,12 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/gre-sample.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gre-sample.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
# @TEST-EXEC: btest-diff ssh.log
|
||||
#
|
||||
@load base/frameworks/tunnels
|
||||
@load base/frameworks/dpd
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
@load base/protocols/ssh
|
||||
@load base/protocols/ntp
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/tunnels/gtp/gtp2_different_udp_port.pcap
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tunnels/gtp/gtp2_different_udp_port.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
|
|
@ -8,3 +8,8 @@
|
|||
# The Downlink GTP tunnel uses port 2152 for both src and dst.
|
||||
# (checksums are incorrect because packets were anonymized and tcprewrite
|
||||
# seems to fail to correct the checksums when there's IP fragmentation).
|
||||
#
|
||||
@load base/frameworks/tunnels
|
||||
@load base/frameworks/dpd
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/gtp/gtp_ext_header.pcap %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gtp/gtp_ext_header.pcap %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
@load base/frameworks/tunnels
|
||||
|
||||
event gtpv1_message(c: connection, hdr: gtpv1_hdr)
|
||||
{
|
||||
print "gtpv1_message", c$id;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,11 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/gtp/gtp7_ipv6.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gtp/gtp7_ipv6.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
|
||||
# While the majority of user plane traffic inside the GTP tunnel is still IPv4,
|
||||
# there is sometimes already native IPv6.
|
||||
|
||||
@load base/frameworks/tunnels
|
||||
@load base/frameworks/dpd
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
|
|
@ -6,6 +6,11 @@
|
|||
# Some GTPv1 headers have some optional fields totaling to a 4-byte extension
|
||||
# of the mandatory header.
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/ssl
|
||||
@load base/frameworks/tunnels
|
||||
@load base/frameworks/dpd
|
||||
|
||||
event gtpv1_g_pdu_packet(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
|
||||
{
|
||||
print "gtpv1_packet", inner_gtp;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/gtp/pdp_ctx_messages.trace %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/gtp/pdp_ctx_messages.trace %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
@load base/frameworks/tunnels
|
||||
|
||||
event gtpv1_message(c: connection, hdr: gtpv1_hdr)
|
||||
{
|
||||
print "gtpv1_message", c$id;
|
||||
|
|
|
|||
|
|
@ -1,12 +1,13 @@
|
|||
# Trace in we have mpls->ip6->ip6->ip4 where the ip4 packet
|
||||
# has an invalid IP version.
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap %INPUT
|
||||
# @TEST-EXEC: mv weird.log output
|
||||
|
||||
# Trace in which we have mpls->ip6->ip6 where the ip6 packet
|
||||
# has an invalid IP version.
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/tunnels/mpls-6in6-6in6-invalid-version-6.pcap
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tunnels/mpls-6in6-6in6-invalid-version-6.pcap %INPUT
|
||||
# @TEST-EXEC: cat weird.log >> output
|
||||
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
@load base/frameworks/notice/weird
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd base/protocols/tunnels protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}"
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd base/protocols/tunnels base/protocols/dns protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}"
|
||||
# @TEST-EXEC: btest-diff known_services.log
|
||||
|
||||
# Expect known_services.log to NOT indicate any service using teredo.
|
||||
|
|
|
|||
|
|
@ -1,9 +1,18 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/Teredo.pcap %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/Teredo.pcap %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
@load base/frameworks/tunnels
|
||||
@load base/frameworks/dpd
|
||||
@load base/frameworks/notice/weird
|
||||
@load base/protocols/tunnels
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
@load base/protocols/dns
|
||||
@load base/protocols/dhcp
|
||||
|
||||
function print_teredo(name: string, outer: connection, inner: teredo_hdr)
|
||||
{
|
||||
print fmt("%s: %s", name, outer$id);
|
||||
|
|
|
|||
|
|
@ -1,10 +1,17 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/teredo_bubble_with_payload.pcap %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/teredo_bubble_with_payload.pcap %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
|
||||
@load base/frameworks/tunnels
|
||||
@load base/frameworks/dpd
|
||||
@load base/frameworks/notice/weird
|
||||
@load base/protocols/tunnels
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
|
||||
function print_teredo(name: string, outer: connection, inner: teredo_hdr)
|
||||
{
|
||||
print fmt("%s: %s", name, outer$id);
|
||||
|
|
|
|||
|
|
@ -1,8 +1,12 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tunnels/vxlan.pcap %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan.pcap %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
|
||||
@load base/frameworks/tunnels
|
||||
@load base/frameworks/dpd
|
||||
@load base/protocols/conn
|
||||
|
||||
event vxlan_packet(c: connection, inner: pkt_hdr, vni: count)
|
||||
{
|
||||
print "vxlan_packet", c$id, inner, vni;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT
|
||||
|
||||
# This regression test checks a special case in the vector code. In this case
|
||||
# UnaryExpr will be called with a Type() of any. Tests succeeds if it does not
|
||||
|
|
|
|||
|
|
@ -1,2 +1,6 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/mixed-vlan-mpls.trace
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/mixed-vlan-mpls.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
@load base/frameworks/dpd
|
||||
|
|
|
|||
|
|
@ -1,2 +1,6 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/wlanmon.pcap
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/wlanmon.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
@load base/frameworks/dpd
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/tls/x509-generalizedtime.pcap %INPUT >>output 2>&1
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/tls/tls1.2.trace %INPUT >>output 2>&1
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/x509-generalizedtime.pcap %INPUT >>output 2>&1
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls1.2.trace %INPUT >>output 2>&1
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
||||
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
|
||||
{
|
||||
print "----- x509_certificate ----";
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: unset ZEEK_DISABLE_ZEEKYGEN; unset BRO_DISABLE_BROXYGEN; zeek -X zeekygen.config %INPUT
|
||||
# @TEST-EXEC: unset ZEEK_DISABLE_ZEEKYGEN; unset BRO_DISABLE_BROXYGEN; zeek -b -X zeekygen.config %INPUT
|
||||
# @TEST-EXEC: btest-diff example.rst
|
||||
|
||||
@TEST-START-FILE zeekygen.config
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/rotation.trace -b %INPUT >output 2>&1
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/rotation.trace -b %INPUT >output 2>&1
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
|
||||
|
||||
module segfault;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/var-services-std-ports.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/var-services-std-ports.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
function inform_me(s: set[string], idx: string): interval
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/var-services-std-ports.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/var-services-std-ports.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: btest-diff expire-nums-output
|
||||
# @TEST-EXEC: btest-diff expire-nets-output
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -r ${TRACES}/wikipedia.trace %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r ${TRACES}/wikipedia.trace %INPUT >out
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
module Foo;
|
||||
|
||||
event zeek_init() {
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT >output
|
||||
# @TEST-EXEC: zeek -b %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
module TestModule;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT >output
|
||||
# @TEST-EXEC: zeek -b %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
module TestModule;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/var-services-std-ports.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/var-services-std-ports.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
function inform_me(s: table[string] of count, idx: string): interval
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: btest-bg-run test1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run test1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 10
|
||||
# @TEST-EXEC: mv test1/.stdout out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Testing WithPatchVersion
|
||||
# @TEST-EXEC: cp -r %DIR/plugin-withpatchversion-plugin/* .
|
||||
# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
|
||||
# @TEST-EXEC: ZEEK_PLUGIN_PATH=$(pwd) zeek -N Testing::WithPatchVersion >> output
|
||||
# @TEST-EXEC: ZEEK_PLUGIN_PATH=$(pwd) zeek -b -N Testing::WithPatchVersion >> output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
|
|
|||
|
|
@ -1,9 +1,11 @@
|
|||
# Just a very basic test to check if ANALYZER_DATA_EVENT works.
|
||||
# Also check if "in" works with binary data.
|
||||
# @TEST-EXEC: zeek -r $TRACES/pe/pe.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/pe/pe.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
|
||||
@load base/protocols/ftp
|
||||
|
||||
event stream_data(f: fa_file, data: string)
|
||||
{
|
||||
if ( "Windows" in data )
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
event file_new(f: fa_file)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -1,5 +1,8 @@
|
|||
# This tests the PE analyzer against a PCAP of 4 PE files being downloaded via FTP.
|
||||
# The files are a mix of DLL/EXEs, signed/unsigned, and 32/64-bit files.
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/pe/pe.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/pe/pe.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff pe.log
|
||||
|
||||
@load base/protocols/ftp
|
||||
@load base/files/pe
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# Test that the timestamp of a pre-y-2000 certificate is correctly parsed
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/tls/telesec.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/telesec.pcap base/protocols/ssl
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,10 +1,12 @@
|
|||
# Test that certificate caching works as expected.
|
||||
# Prevent certificate events to be raised/caching from occurring for cached certificates.
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/tls/google-duplicate.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/google-duplicate.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
||||
redef X509::caching_required_encounters = 1;
|
||||
|
||||
hook X509::x509_certificate_cache_replay(f: fa_file, e: any, sha256: string) &priority=1
|
||||
|
|
|
|||
|
|
@ -1,9 +1,11 @@
|
|||
# Test that certificate caching works as expected.
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/tls/google-duplicate.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/google-duplicate.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
||||
redef X509::caching_required_encounters = 1;
|
||||
|
||||
hook X509::x509_certificate_cache_replay(f: fa_file, e: any, sha256: string) &priority=1
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/certificate-with-sct.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/certificate-with-sct.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load protocols/ssl/validate-certs
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
||||
event zeek_init()
|
||||
{
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
|
||||
|
|
|
|||
|
|
@ -1,8 +1,13 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek -r ${TRACES}/var-services-std-ports.trace %INPUT
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service | grep -vq dns
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service | grep -vq ssh
|
||||
#
|
||||
# @TEST-EXEC: zeek -b -r ${TRACES}/var-services-std-ports.trace %INPUT
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service > service.out
|
||||
# @TEST-EXEC-FAIL: grep -q ssh service.out
|
||||
# @TEST-EXEC-FAIL: grep -q dns service.out
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
@load base/protocols/ssh
|
||||
@load base/frameworks/dpd
|
||||
|
||||
redef Analyzer::disabled_analyzers += { Analyzer::ANALYZER_SSH };
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek -r ${TRACES}/var-services-std-ports.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r ${TRACES}/var-services-std-ports.trace %INPUT base/protocols/dns base/protocols/conn base/frameworks/dpd
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service | grep -q dns
|
||||
#
|
||||
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT dpd_buffer_size=0;
|
||||
# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT dpd_buffer_size=0 base/protocols/conn base/protocols/ssh base/frameworks/dpd
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service | grep -q ssh
|
||||
#
|
||||
# @TEST-EXEC: zeek -r ${TRACES}/ssh/ssh-on-port-80.trace dpd_buffer_size=0;
|
||||
# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace dpd_buffer_size=0 base/protocols/conn base/protocols/ssh base/frameworks/dpd
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service | grep -vq ssh
|
||||
|
||||
event zeek_init()
|
||||
|
|
|
|||
|
|
@ -4,12 +4,14 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
|||
|
|
@ -4,12 +4,14 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
|||
|
|
@ -4,11 +4,11 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-1/.stdout
|
||||
|
|
@ -16,6 +16,8 @@
|
|||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-2/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
|||
|
|
@ -6,14 +6,16 @@
|
|||
# Note: the logger names are chosen on purpose such that one is a prefix of the
|
||||
# other to help verify that the node-specific Cluster topics are able to
|
||||
# uniquely target a particular node.
|
||||
# @TEST-EXEC: btest-bg-run logger-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=logger-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run logger-10 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=logger-10 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run logger-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=logger-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run logger-10 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=logger-10 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-diff logger-1/test.log
|
||||
# @TEST-EXEC: btest-diff logger-10/test.log
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::manager_is_logger = F;
|
||||
|
||||
|
|
|
|||
|
|
@ -5,13 +5,13 @@
|
|||
# @TEST-PORT: BROKER_PORT5
|
||||
# @TEST-PORT: BROKER_PORT6
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run logger-1 CLUSTER_NODE=logger-1 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 CLUSTER_NODE=manager-1 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 CLUSTER_NODE=proxy-1 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 CLUSTER_NODE=proxy-2 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 CLUSTER_NODE=worker-1 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 CLUSTER_NODE=worker-2 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-bg-run logger-1 CLUSTER_NODE=logger-1 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 CLUSTER_NODE=manager-1 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 CLUSTER_NODE=proxy-1 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 CLUSTER_NODE=proxy-2 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 CLUSTER_NODE=worker-1 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 CLUSTER_NODE=worker-2 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 40
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff logger-1/.stdout
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-1/.stdout
|
||||
|
|
@ -19,6 +19,8 @@
|
|||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-2/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::manager_is_logger = F;
|
||||
redef Cluster::nodes = {
|
||||
|
|
|
|||
|
|
@ -4,18 +4,20 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 40
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-2/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-2/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
|||
|
|
@ -4,12 +4,14 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 40
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
|||
|
|
@ -4,14 +4,16 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-2/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
|||
|
|
@ -2,10 +2,9 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: sleep 1
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 60
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-2/.stdout
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: sleep 1
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
|
|
@ -13,6 +13,9 @@
|
|||
# @TEST-EXEC: btest-diff manager-1/config.log
|
||||
|
||||
@load base/frameworks/config
|
||||
@load base/frameworks/cluster
|
||||
@load base/protocols/ssh
|
||||
@load base/protocols/conn
|
||||
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue