Handle removing non-existent intel items.

The intel framework raises a reporter info on removing non-existent intel items. An according test case has been added. Fixes #1679.
2025-10-07 00:58:19 +00:00 · 2016-09-21 00:37:38 +02:00 · 2016-09-21 00:37:38 +02:00 · 8c024ca094
commit 8c024ca094
parent cb53a930a2
3 changed files with 66 additions and 0 deletions
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@ -455,6 +455,22 @@ function insert(item: Item)
 		event Intel::new_item(item);
 	}

+# Function to check whether an item is present.
+function item_exists(item: Item): bool
+	{
+	local ds = have_full_data ? data_store : min_data_store;
+
+	switch ( item$indicator_type )
+		{
+		case ADDR:
+			return to_addr(item$indicator) in ds$host_data;
+		case SUBNET:
+			return to_subnet(item$indicator) in ds$subnet_data;
+		default:
+			return [item$indicator, item$indicator_type] in ds$string_data;
+		}
+	}
+
 # Function to remove metadata of an item. The function returns T
 # if there is no metadata left for the given indicator.
 function remove_meta_data(item: Item): bool
@ -484,6 +500,14 @@ function remove_meta_data(item: Item): bool

 function remove(item: Item, purge_indicator: bool)
 	{
+	# Check whether the indicator is present
+	if ( ! item_exists(item) )
+		{
+		Reporter::info(fmt("Tried to remove non-existing item '%s' (%s).",
+			item$indicator, item$indicator_type));
+		return;
+		}
+
 	# Delegate removal if we are on a worker
 	if ( !have_full_data )
 		{
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	reporter
+#open	2016-09-20-22-35-58
+#fields	ts	level	message	location
+#types	time	enum	string	string
+0.000000	Reporter::INFO	Tried to remove non-existing item '192.168.1.1' (Intel::ADDR).	/home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 506-507
+0.000000	Reporter::INFO	received termination signal	(empty)
+#close	2016-09-20-22-35-59
--- a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
+++ b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro
@ -0,0 +1,31 @@
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: cat broproc/reporter.log > output
+# @TEST-EXEC: cat broproc/.stdout >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE intel.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+192.168.1.1	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/1
+# @TEST-END-FILE
+
+@load frameworks/communication/listen
+
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+event do_it()
+	{
+	# not existing meta data:
+	Intel::remove([$indicator="192.168.1.1", $indicator_type=Intel::ADDR, $meta=[$source="source23"]]);
+	# existing:
+	Intel::remove([$indicator="192.168.1.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+	# not existing item:
+	Intel::remove([$indicator="192.168.1.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+	terminate();
+	}
+
+event bro_init() &priority=-10
+	{
+	schedule 1sec { do_it() };
+	}