From aabd1e382575cda51eaec08286b6b442ccf7f55a Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 21 May 2025 11:46:26 +0200
Subject: [PATCH 1/2] btest/coverage/test-all-policy-zeekygen: Load test-all-policy with zeekygen enabled

There should not be warnings produced. The default ZEEK_DISABLE_ZEEKYGEN=1 setting in the btest configuration hid some issues previously.
---
 .../Baseline/coverage.test-all-policy-zeekygen/.stderr | 1 +
 .../Baseline/coverage.test-all-policy-zeekygen/.stdout | 1 +
 testing/btest/coverage/test-all-policy-zeekygen.test | 7 +++++++
 3 files changed, 9 insertions(+)
 create mode 100644 testing/btest/Baseline/coverage.test-all-policy-zeekygen/.stderr
 create mode 100644 testing/btest/Baseline/coverage.test-all-policy-zeekygen/.stdout
 create mode 100644 testing/btest/coverage/test-all-policy-zeekygen.test

diff --git a/testing/btest/Baseline/coverage.test-all-policy-zeekygen/.stderr b/testing/btest/Baseline/coverage.test-all-policy-zeekygen/.stderr
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/coverage.test-all-policy-zeekygen/.stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/coverage.test-all-policy-zeekygen/.stdout b/testing/btest/Baseline/coverage.test-all-policy-zeekygen/.stdout
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/coverage.test-all-policy-zeekygen/.stdout
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/coverage/test-all-policy-zeekygen.test b/testing/btest/coverage/test-all-policy-zeekygen.test
new file mode 100644
index 0000000000..f7dfbc3446
--- /dev/null
+++ b/testing/btest/coverage/test-all-policy-zeekygen.test
@@ -0,0 +1,7 @@
+# @TEST-DOC: Enable zeekygen and load test-all-policy, baseline stdout and stderr output for warnings or errors.
+#
+# @TEST-EXEC: unset ZEEK_DISABLE_ZEEKYGEN; zeek %INPUT
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff .stderr
+
+@load test-all-policy
From 8d588a10a9fb475495d3902dd223743e8585de4b Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 21 May 2025 11:48:58 +0200
Subject: [PATCH 2/2] http/detect-sql-injection: Fix zeekygen comment

Discarded extraneous Zeekygen comment: $src field; and always provides a victim IP address in the $dst field.
---
 scripts/policy/protocols/http/detect-sql-injection.zeek | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/policy/protocols/http/detect-sql-injection.zeek b/scripts/policy/protocols/http/detect-sql-injection.zeek
index cb3ce31074..0c2e64311f 100644
--- a/scripts/policy/protocols/http/detect-sql-injection.zeek
+++ b/scripts/policy/protocols/http/detect-sql-injection.zeek
@@ -1,8 +1,8 @@
 ##! SQL injection attack detection in HTTP.
-
-## The script annotates the notices it generates with an associated $uid
-## connection identifier; always provides an attacker IP address in the
-## $src field; and always provides a victim IP address in the $dst field.
+##!
+##! The script annotates the notices it generates with an associated $uid
+##! connection identifier; always provides an attacker IP address in the
+##! $src field; and always provides a victim IP address in the $dst field.
 
 @load base/frameworks/notice
 @load base/frameworks/sumstats
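Review bot: The promoted `##!` summary in detect-sql-injection.zeek promises that notices always carry the attacker in `$src` and the victim in `$dst`, and once it appears in the generated script documentation analysts will read it as a guarantee. The hunk does not show where those fields are filled (the script body is outside it), so the claim cannot be checked here. If the values come from the connection's originator and responder, I would say so in the text, for example `##! $src is the connection originator as seen on the wire, which may be a proxy or NAT address rather than the real client.` That keeps triage from treating `$src` as attribution when the sensor sits behind a load balancer or forward proxy.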