diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
index 1456182fd9..a9128d62f2 100644
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@@ -455,6 +455,22 @@ function insert(item: Item)
 event Intel::new_item(item);
 }
+# Function to check whether an item is present.
+function item_exists(item: Item): bool
+ {
+ local ds = have_full_data ? data_store : min_data_store;
+
+ switch ( item$indicator_type )
+ {
+ case ADDR:
+ return to_addr(item$indicator) in ds$host_data;
+ case SUBNET:
+ return to_subnet(item$indicator) in ds$subnet_data;
+ default:
+ return [item$indicator, item$indicator_type] in ds$string_data;
+ }
+ }
+
 # Function to remove metadata of an item. The function returns T
 # if there is no metadata left for the given indicator.
 function remove_meta_data(item: Item): bool
@@ -484,6 +500,14 @@ function remove_meta_data(item: Item): bool
 function remove(item: Item, purge_indicator: bool)
 {
+ # Check whether the indicator is present
+ if ( ! item_exists(item) )
+ {
+ Reporter::info(fmt("Tried to remove non-existing item '%s' (%s).",
+ item$indicator, item$indicator_type));
+ return;
+ }
+
 # Delegate removal if we are on a worker
 if ( !have_full_data )
 {
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
new file mode 100644
index 0000000000..7b4e5003c4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
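Review bot: `item_exists` in main.bro tests only whether the indicator is in the store and never looks at `item$meta`, so a removal that names an unknown source for a known indicator counts as present; the header comment should say so, for example `# Returns T if the item's indicator is in the data store; item$meta (the source) is not checked.` The test added in this commit makes such a call (source23), and the baseline records only one "non-existing item" report. Separately, `local ds = have_full_data ? data_store : min_data_store;` needs both stores to have the same record type. Their declarations are outside this hunk, so that is worth confirming; if they differ, select the store inside each `case` instead.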
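Review bot: The existence check in `remove` sits above the worker delegation, so a worker decides from its local store (the one `item_exists` picks when `have_full_data` is F) and returns without forwarding the request. If a worker's copy can lag behind the node holding the full data (the synchronisation code is not visible here), a valid removal is dropped with only an info-level report and the indicator stays in the store. Consider applying the check only where the full data lives, `if ( have_full_data && ! item_exists(item) )`, and letting workers always delegate. The body of `remove` continues past the end of the hunk.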
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path reporter +#open 2016-09-20-22-35-58 +#fields ts level message location +#types time enum string string +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 506-507 +0.000000 Reporter::INFO received termination signal (empty) +#close 2016-09-20-22-35-59
diff --git a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
new file mode 100644
index 0000000000..204300342f
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
@@ -0,0 +1,31 @@
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: cat broproc/reporter.log > output
+# @TEST-EXEC: cat broproc/.stdout >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE intel.dat
+#fields indicator indicator_type meta.source meta.desc meta.url
+192.168.1.1 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1
+# @TEST-END-FILE
+
+@load frameworks/communication/listen
+
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+event do_it()
+ {
+ # not existing meta data:
+ Intel::remove([$indicator="192.168.1.1", $indicator_type=Intel::ADDR, $meta=[$source="source23"]]);
+ # existing:
+ Intel::remove([$indicator="192.168.1.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+ # not existing item:
+ Intel::remove([$indicator="192.168.1.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+ terminate();
+ }
+
+event bro_init() &priority=-10
+ {
+ schedule 1sec { do_it() };
+ }
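Review bot: The test in remove-non-existing.bro diffs the whole reporter.log (`cat broproc/reporter.log > output`), and the committed baseline shows what that pins: the location column holds an absolute path under a developer's home directory and `lines 506-507` of main.bro, next to the `#open`/`#close` timestamps. Unless a diff canonifier configured outside this diff strips those fields, the baseline fails on other machines and whenever lines above the `Reporter::info` call move; writing only the level and message columns to `output` avoids both. The `schedule 1sec { do_it() }` delay also assumes intel.dat has been read within one second, so on a slow host the "existing" removal may be reported as non-existing. Triggering `do_it` once the read has completed would remove that timing dependence.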