diff --git a/.cirrus.yml b/.cirrus.yml
index 6f0a54b0b2..0a48ec9f48 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -16,7 +16,6 @@ static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enab
 asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --disable-spicy --ccache
 ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --disable-spicy --ccache
 tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --disable-spicy --ccache
-openssl30_config: &OPENSSL30_CONFIG --build-type=release --disable-broker-tests --with-openssl=/opt/openssl --prefix=$CIRRUS_WORKING_DIR/install --ccache
 
 resources_template: &RESOURCES_TEMPLATE
 cpu: *CPUS
@@ -166,19 +165,19 @@ env:
 # Linux EOL timelines: https://linuxlifecycle.com/
 # Fedora (~13 months): https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle
 
+fedora39_task:
+ container:
+ # Fedora 39 EOL: Around Nov 2024
+ dockerfile: ci/fedora-39/Dockerfile
+ << : *RESOURCES_TEMPLATE
+ << : *CI_TEMPLATE
+
 fedora38_task:
 container:
 # Fedora 38 EOL: Around May 2024
 dockerfile: ci/fedora-38/Dockerfile
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
-
-fedora37_task:
- container:
- # Fedora 37 EOL: Around Dec 2024
- dockerfile: ci/fedora-37/Dockerfile
- << : *RESOURCES_TEMPLATE
- << : *CI_TEMPLATE
 << : *SKIP_TASK_ON_PR
 
 centosstream9_task:
@@ -208,11 +207,30 @@ centos7_task:
 
 debian12_task:
 container:
- # Debian 12 (bookworm) EOL: (not yet released)
+ # Debian 12 (bookworm) EOL: TBD
+ dockerfile: ci/debian-12/Dockerfile
+ << : *RESOURCES_TEMPLATE
+ << : *CI_TEMPLATE
+
+arm_debian12_task:
+ arm_container:
+ # Debian 12 (bookworm) EOL: TBD
+ dockerfile: ci/debian-12/Dockerfile
+ << : *RESOURCES_TEMPLATE
+ << : *CI_TEMPLATE
+ env:
+ ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
+
+debian12_static_task:
+ container:
+ # Just use a recent/common distro to run a static compile test.
+ # Debian 12 (bookworm) EOL: TBD
 dockerfile: ci/debian-12/Dockerfile
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
 << : *SKIP_TASK_ON_PR
+ env:
+ ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
 
 debian11_task:
 container:
@@ -220,26 +238,7 @@ debian11_task:
 dockerfile: ci/debian-11/Dockerfile
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
-
-arm_debian11_task:
- arm_container:
- # Debian 11 EOL: June 2026
- dockerfile: ci/debian-11/Dockerfile
- << : *RESOURCES_TEMPLATE
- << : *CI_TEMPLATE
- env:
- ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
-
-debian11_static_task:
- container:
- # Just use a recent/common distro to run a static compile test.
- # Debian 11 EOL: June 2026
- dockerfile: ci/debian-11/Dockerfile
- << : *RESOURCES_TEMPLATE
- << : *CI_TEMPLATE
 << : *SKIP_TASK_ON_PR
- env:
- ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
 
 debian10_task:
 container:
@@ -248,16 +247,6 @@ debian10_task:
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
 
-opensuse_leap_15_4_task:
- container:
- # Opensuse Leap 15.4 EOL: ~Nov 2023
- dockerfile: ci/opensuse-leap-15.4/Dockerfile
- << : *RESOURCES_TEMPLATE
- << : *CI_TEMPLATE
- << : *SKIP_TASK_ON_PR
- env:
- ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
-
 opensuse_leap_15_5_task:
 container:
 # Opensuse Leap 15.5 EOL: ~Dec 2024
@@ -276,8 +265,8 @@ opensuse_tumbleweed_task:
 
 ubuntu23_task:
 container:
- # Ubuntu 23.04 EOL: January 2024
- dockerfile: ci/ubuntu-23.04/Dockerfile
+ # Ubuntu 23.10 EOL: July 2024
+ dockerfile: ci/ubuntu-23.10/Dockerfile
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
 
@@ -350,6 +339,13 @@ alpine_task:
 # Apple doesn't publish official long-term support timelines.
 # We aim to support both the current and previous macOS release.
 
+macos_sonoma_task:
+ macos_instance:
+ image: ghcr.io/cirruslabs/macos-sonoma-base:latest
+ prepare_script: ./ci/macos/prepare.sh
+ << : *CI_TEMPLATE
+ << : *MACOS_ENVIRONMENT
+
 macos_ventura_task:
 macos_instance:
 image: ghcr.io/cirruslabs/macos-ventura-base:latest
@@ -357,21 +353,11 @@ macos_ventura_task:
 << : *CI_TEMPLATE
 << : *MACOS_ENVIRONMENT
 
-macos_monterey_task:
- macos_instance:
- image: ghcr.io/cirruslabs/macos-monterey-base:latest
- prepare_script: ./ci/macos/prepare.sh
- << : *CI_TEMPLATE
- << : *MACOS_ENVIRONMENT
- << : *SKIP_TASK_ON_PR
-
 # FreeBSD EOL timelines: https://www.freebsd.org/security/#sup
 freebsd14_task:
 freebsd_instance:
- # We don't support FreeBSD 14 yet, this is a purely informative task
- image_family: freebsd-14-0-snap
- allow_failures: true
- skip_notification: true
+ # FreeBSD 14 EOL: Nov 30 2028
+ image_family: freebsd-14-0
 << : *FREEBSD_RESOURCES_TEMPLATE
 prepare_script: ./ci/freebsd/prepare.sh
 
@@ -401,7 +387,6 @@ asan_sanitizer_task:
 env:
 CXXFLAGS: -DZEEK_DICT_DEBUG
 ZEEK_CI_CONFIGURE_FLAGS: *ASAN_SANITIZER_CONFIG
- ZEEK_CI_DISABLE_SCRIPT_PROFILING: 1
 ASAN_OPTIONS: detect_leaks=1
 
 ubsan_sanitizer_task:
@@ -416,7 +401,6 @@ ubsan_sanitizer_task:
 env:
 CXXFLAGS: -DZEEK_DICT_DEBUG
 ZEEK_CI_CONFIGURE_FLAGS: *UBSAN_SANITIZER_CONFIG
- ZEEK_CI_DISABLE_SCRIPT_PROFILING: 1
 ZEEK_TAILORED_UB_CHECKS: 1
 UBSAN_OPTIONS: print_stacktrace=1
 
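Review bot: The new macos_sonoma_task pulls `ghcr.io/cirruslabs/macos-sonoma-base:latest`, a floating tag, so the macOS toolchain under a given commit can change with no corresponding change in this repository, which makes a sudden CI failure hard to bisect and the build environment unreviewable. The ventura task in the surrounding context uses the same pattern, so the new task is at least consistent, but this is the point at which to decide whether that is intended. If tracking the newest image is deliberate, a comment on the `image:` line would save the next reader the question: `# Floating tag: always the newest Sonoma image Cirrus publishes; pin a dated tag if a build has to be reproduced.` Otherwise pin both macOS tasks to a specific tag or digest and bump them deliberately.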
@@ -683,7 +667,7 @@ cluster_testing_docker_builder:
 test_script:
 # Invoke btest directly here. This mirrors ci/test.sh, ensures we don't
 # accidentally build a Docker image, and enables console-level output:
- - cd testing/external/zeek-testing-cluster && ../../../auxil/btest/btest -d -b -j ${ZEEK_CI_BTEST_JOBS}
+ - cd testing/external/zeek-testing-cluster && ../../../auxil/btest/btest -A -d -b -j ${ZEEK_CI_BTEST_JOBS}
 on_failure:
 upload_cluster_testing_artifacts:
 path: "testing/external/zeek-testing-cluster/.tmp/**"
diff --git a/CHANGES b/CHANGES
index b85098c024..0979291a52 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,90 @@
+6.1.0-31 | 2024-01-18 16:25:51 -0700
+
+ * CI: Remove unused openssl30_config (Tim Wojtulewicz, Corelight)
+
+ (cherry picked from commit 652ba502aab843574402ec53aa0a6561b21253f3)
+
+ * ci: Remove ZEEK_CI_DISABLE_SCRIPT_PROFILING logic (Arne Welzel, Corelight)
+
+ To my knowledge this doesn't make a huge difference anymore and locally
+ I'm only using ASAN builds. It's not actually too slow.
+
+ (cherry picked from commit 344369f169b872b8dcb569f089b02e026fe7cfc2)
+
+ * CI: Move Debian variations from 11 to 12 (Christian Kreibich, Corelight)
+
+ This switches the ARM and static builds from 11 to 12. x86 and ARM now build by
+ default, and 11 only with fullci. 10 remains as-is, because we like to torture
+ ourselves.
+
+ (cherry picked from commit 4f6c25bb91b935666b6748b95c2b6ee55c1491ad)
+
+ * CI: Bump Ubuntu 23.04 to 23.10 (Christian Kreibich, Corelight)
+
+ (cherry picked from commit 866d4b4127ccfd8904f8867b468babd330dd6d52)
+
+ * CI: Drop openSUSE Leap 15.4, about to EOL. (Christian Kreibich, Corelight)
+
+ (cherry picked from commit ddd56b9ad7171a9f8ee3de03bc362223f2fad0fc)
+
+ * CI: FreeBSD 14 is out now, 12 is about to EOL. (Christian Kreibich, Corelight)
+
+ (cherry picked from commit 18b8e6d6bceb4492d842d9bacbd3ad9dfbdd7702)
+
+ * CI: distro EOL comment tweaks (Christian Kreibich, Corelight)
+
+ (cherry picked from commit eb1c4bf019f6a39f1d76de717eee1b34cdc50378)
+
+ * CI: drop Fedora 37, add Fedora 39 (Christian Kreibich, Corelight)
+
+ This makes 39 the ony to run at all times, and 38 one to run only with fullci.
+
+ (cherry picked from commit ee8cc77050e39aea18f2da144dc8108110bb42dc)
+
+ * CI: Install missing packages on opensuse (Tim Wojtulewicz, Corelight)
+
+ (cherry picked from commit a3ad1a24f11770d5b8c39af1671beb5d2b4c65b2)
+
+ * CI: Use other base64 options on macOS Sonoma too (Tim Wojtulewicz, Corelight)
+
+ (cherry picked from commit b1e63ffd268cdb2cd28098a0a8578a3038be8fd4)
+
+ * CI: Add macOS Sonoma build, remove macOS Monterey build (Tim Wojtulewicz, Corelight)
+
+ (cherry picked from commit 35ca1e88c7f1398c37bcbc4e20700a2aff2c4169)
+
+ * Fix tests so they work both with GNU and BSD tools (Benjamin Bannier, Corelight)
+
+ The GNU and BSD versions of `touch` and `truncate` allow slightly
+ different arguments, change the tests so they work in both versions.
+
+ (cherry picked from commit caaffd0324ac0557ba4c5ce0290d07a4d013a735)
+
+ * Install libmaxminddb in macOS CI (Benjamin Bannier, Corelight)
+
+ (cherry picked from commit dfba2d6df707840cabf822d70354f9e2e635b863)
+
+ * CI: Pass -A flag to btest for cluster-testing builds (Tim Wojtulewicz, Corelight)
+
+ (cherry picked from commit ac7685c679cdb6d61768ac20449175eaaaacc34c)
+
+ * Run clang-format on the branch to fix some issues from patch merges (Tim Wojtulewicz, Corelight)
+
+ * Enable darwin builds for zeek-security repo (Tim Wojtulewicz, Corelight)
+
+ (cherry picked from commit c4edd8410e7bd863e5ff528dcc321758103f678d)
+
+ * OCSP: Open-code unknown revoke reason strings (Arne Welzel, Corelight)
+
+ OpenSSL 3.2.0 knows about more reasons. Add some backwards compatibility.
+
+ Reference: https://github.com/openssl/openssl/commit/1c8a7f5091e2c5aebc043be86bcbedc6947e1c6f
+ (cherry picked from commit 02d00a19849d15f472b32a98a8fee27b20f2cb14)
+
+ * CI: Remove EOL (and broken) FreeBSD 12 build (Tim Wojtulewicz, Corelight)
+
+ * Update broker, zeekctl, and cmake submodules [nomail] (Tim Wojtulewicz, Corelight)
+
 6.1.0-8 | 2024-01-12 13:04:08 -0700
 
 * GH-3540: Known: Keep &create_expire on local tables/sets valid (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION
index 9879e5836d..a625b8905b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-6.1.0-8
+6.1.0-31
diff --git a/ci/fedora-37/Dockerfile b/ci/fedora-39/Dockerfile
similarity index 92%
rename from ci/fedora-37/Dockerfile
rename to ci/fedora-39/Dockerfile
index a5955c5ef4..3b9177415a 100644
--- a/ci/fedora-37/Dockerfile
+++ b/ci/fedora-39/Dockerfile
@@ -1,8 +1,8 @@
-FROM fedora:37
+FROM fedora:39
 
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION 20230801
+ENV DOCKERFILE_VERSION 20231208
 
 RUN dnf -y install \
 bison \
diff --git a/ci/init-external-repos.sh b/ci/init-external-repos.sh
index ce2d3f4a6d..7f27f582be 100755
--- a/ci/init-external-repos.sh
+++ b/ci/init-external-repos.sh
@@ -51,8 +51,8 @@ if [[ -n "${CIRRUS_CI}" ]] && [[ "${CIRRUS_REPO_OWNER}" == "zeek" ]] && [[ ! -d
 banner "Trying to clone zeek-testing-private git repo"
 echo "${ZEEK_TESTING_PRIVATE_SSH_KEY}" >cirrus_key.b64
 
- if [ "${CIRRUS_TASK_NAME}" == "macos_ventura" ]; then
- # The base64 command provided with macOS Ventura requires an argument
+ if [ "${CIRRUS_TASK_NAME}" == "macos_ventura" -o "${CIRRUS_TASK_NAME}" == "macos_sonoma" ]; then
+ # The base64 command provided with macOS Ventura/Sonoma requires an argument
 # to pass the input filename
 base64 -d -i cirrus_key.b64 >cirrus_key
 else
diff --git a/ci/macos/prepare.sh b/ci/macos/prepare.sh
index 6d3909a90d..52c4472272 100755
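Review bot: The new condition in ci/init-external-repos.sh uses single-bracket `[ … == … -o … == … ]`, while the enclosing `if [[ … ]] && [[ … ]]` shown in the hunk header uses `[[`; `-o` inside `[` is marked obsolescent by POSIX and `==` is a bash extension there, so the script now mixes two test styles and the new one is the fragile one. Since this is bash anyway, `if [[ "${CIRRUS_TASK_NAME}" == "macos_ventura" || "${CIRRUS_TASK_NAME}" == "macos_sonoma" ]]; then` says the same thing in the file's own style, and `if [[ "${CIRRUS_TASK_NAME}" == macos_* ]]; then` would also cover the next macOS task without another edit here, assuming every macOS task keeps the `macos_` prefix as the two in .cirrus.yml do. The `if`/`else` this hunk edits continues outside the hunk, as does the block that consumes the decoded key.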
--- a/ci/macos/prepare.sh
+++ b/ci/macos/prepare.sh
@@ -7,7 +7,7 @@ set -x
 
 brew update
 brew upgrade cmake
-brew install openssl@3 swig bison flex ccache
+brew install openssl@3 swig bison flex ccache libmaxminddb
 python3 -m pip install --user websockets
 
 # Brew doesn't create the /opt/homebrew/opt/openssl symlink if you install
diff --git a/ci/opensuse-leap-15.4/Dockerfile b/ci/opensuse-leap-15.4/Dockerfile
deleted file mode 100644
index 4c48f49e05..0000000000
--- a/ci/opensuse-leap-15.4/Dockerfile
+++ /dev/null
@@ -1,38 +0,0 @@
-FROM opensuse/leap:15.4
-
-# A version field to invalidate Cirrus's build cache when needed, as suggested in
-# https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION 20230801
-
-RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.4:Update/standard/openSUSE:Leap:15.4:Update.repo \
- && zypper refresh \
- && zypper in -y \
- bison \
- ccache \
- cmake \
- curl \
- flex \
- gcc10 \
- gcc10-c++ \
- git \
- gzip \
- libopenssl-devel \
- libpcap-devel \
- make \
- python39 \
- python39-devel \
- python39-pip \
- swig \
- tar \
- which \
- zlib-devel \
- && rm -rf /var/cache/zypp
-
-RUN update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.9 100
-RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 100
-RUN update-alternatives --install /usr/bin/python3-config python3-config /usr/bin/python3.9-config 100
-
-RUN pip3 install websockets junit2html
-
-RUN update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-10 100
-RUN update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-10 100
diff --git a/ci/opensuse-leap-15.5/Dockerfile b/ci/opensuse-leap-15.5/Dockerfile
index 3fee52ef48..605412a885 100644
--- a/ci/opensuse-leap-15.5/Dockerfile
+++ b/ci/opensuse-leap-15.5/Dockerfile
@@ -19,6 +19,7 @@ RUN zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.5
 libopenssl-devel \
 libpcap-devel \
 make \
+ openssh \
 python311 \
 python311-devel \
 python311-pip \
diff --git a/ci/opensuse-tumbleweed/Dockerfile b/ci/opensuse-tumbleweed/Dockerfile
index 8d7cfc0748..f701475504 100644
--- a/ci/opensuse-tumbleweed/Dockerfile
+++ b/ci/opensuse-tumbleweed/Dockerfile
@@ -10,6 +10,7 @@ RUN zypper modifyrepo --disable repo-openh264 || true
 
 RUN zypper refresh \
 && zypper in -y \
+ awk \
 bison \
 ccache \
 cmake \
@@ -24,9 +25,11 @@ RUN zypper refresh \
 libopenssl-devel \
 libpcap-devel \
 make \
+ openssh \
 python3 \
 python3-devel \
 python3-pip \
+ python3-websockets \
 swig \
 tar \
 util-linux \
@@ -34,4 +37,4 @@ RUN zypper refresh \
 zlib-devel \
 && rm -rf /var/cache/zypp
 
-RUN pip3 install websockets junit2html
+RUN pip3 install --break-system-packages junit2html
diff --git a/ci/test.sh b/ci/test.sh
index b643293911..310212ab00 100755
--- a/ci/test.sh
+++ b/ci/test.sh
@@ -59,13 +59,6 @@ function run_btests {
 
 pushd testing/btest
 
- # Commenting out this line in btest.cfg causes the script profiling/coverage
- # to be disabled. We do this for the sanitizer build right now because of a
- # fairly significant performance bug when running tests.
- if [ "${ZEEK_CI_DISABLE_SCRIPT_PROFILING}" = "1" ]; then
- sed -i 's/^ZEEK_PROFILER_FILE/#ZEEK_PROFILER_FILE/g' btest.cfg
- fi
-
 ${BTEST} -z ${ZEEK_CI_BTEST_RETRIES} -d -A -x btest-results.xml -j ${ZEEK_CI_BTEST_JOBS} || result=1
 make coverage
 prep_artifacts
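Review bot: `RUN pip3 install --break-system-packages junit2html` in the last ci/opensuse-tumbleweed/Dockerfile hunk overrides the PEP 668 externally-managed-environment guard and writes into the distro's system site-packages, yet nothing in the file says why the override is needed or why websockets moved to the `python3-websockets` zypper package in the hunk above while junit2html did not. That is acceptable in a throwaway CI image, but an unexplained `--break-system-packages` invites the next person to either remove it or copy it elsewhere. A one-line comment above the RUN would settle it: `# Tumbleweed's python3 is PEP 668 externally managed; junit2html is installed via pip into the system Python since this is a CI-only image.` If the intent is to leave the system Python alone, installing into a venv placed on PATH is the alternative that needs no override.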
@@ -74,15 +67,6 @@ function run_btests {
 }
 
 function run_external_btests {
- # Commenting out this line in btest.cfg causes the script profiling/coverage
- # to be disabled. We do this for the sanitizer build right now because of a
- # fairly significant performance bug when running tests.
- if [ "${ZEEK_CI_DISABLE_SCRIPT_PROFILING}" = "1" ]; then
- pushd testing/external
- sed -i 's/^ZEEK_PROFILER_FILE/#ZEEK_PROFILER_FILE/g' subdir-btest.cfg
- popd
- fi
-
 local zeek_testing_pid=""
 local zeek_testing_pid_private=""
 pushd testing/external/zeek-testing
diff --git a/ci/ubuntu-23.04/Dockerfile b/ci/ubuntu-23.10/Dockerfile
similarity index 97%
rename from ci/ubuntu-23.04/Dockerfile
rename to ci/ubuntu-23.10/Dockerfile
index b468bb9d23..de278f6f87 100644
--- a/ci/ubuntu-23.04/Dockerfile
+++ b/ci/ubuntu-23.10/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:23.04
+FROM ubuntu:23.10
 
 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
 
diff --git a/testing/btest/Baseline/core.mmdb.temporary-error/reporter.log b/testing/btest/Baseline/core.mmdb.temporary-error/reporter.log
index 5ec6a3e3ec..298339c2b6 100644
--- a/testing/btest/Baseline/core.mmdb.temporary-error/reporter.log
+++ b/testing/btest/Baseline/core.mmdb.temporary-error/reporter.log
@@ -3,15 +3,15 @@ ts level message location
 1299470395.000000 Reporter::INFO Modification time change detected for MaxMind DB [.<...>/GeoLite2-ASN.mmdb] , line 1
 1299470395.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] , line 1
 1299470395.000000 Reporter::INFO Failed to open MaxMind DB: .<...>/GeoLite2-ASN.mmdb [The MaxMind DB file contains invalid metadata] , line 1
-1299470395.000000 Reporter::ERROR Failed to open GeoIP ASN database (lookup_autonomous_system(128.3.0.1)) <...>/temporary-error.zeek, line 83
+1299470395.000000 Reporter::ERROR Failed to open GeoIP ASN database (lookup_autonomous_system(128.3.0.1)) <...>/temporary-error.zeek, line 99
 1299470395.000000 Reporter::INFO Modification time change detected for MaxMind DB [.<...>/GeoLite2-City.mmdb] , line 1
 1299470395.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-City.mmdb] , line 1
 1299470395.000000 Reporter::INFO Failed to open MaxMind DB: .<...>/GeoLite2-City.mmdb [The MaxMind DB file contains invalid metadata] , line 1
-1299470395.000000 Reporter::ERROR Failed to open GeoIP location database (lookup_location(128.3.0.1)) <...>/temporary-error.zeek, line 84
+1299470395.000000 Reporter::ERROR Failed to open GeoIP location database (lookup_location(128.3.0.1)) <...>/temporary-error.zeek, line 100
 1299473995.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] , line 1
-1299473995.000000 Reporter::ERROR Failed to open GeoIP ASN database (lookup_autonomous_system(128.3.0.1)) <...>/temporary-error.zeek, line 83
+1299473995.000000 Reporter::ERROR Failed to open GeoIP ASN database (lookup_autonomous_system(128.3.0.1)) <...>/temporary-error.zeek, line 99
 1299473995.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-City.mmdb] , line 1
-1299473995.000000 Reporter::ERROR Failed to open GeoIP location database (lookup_location(128.3.0.1)) <...>/temporary-error.zeek, line 84
+1299473995.000000 Reporter::ERROR Failed to open GeoIP location database (lookup_location(128.3.0.1)) <...>/temporary-error.zeek, line 100
 1299477595.000000 Reporter::INFO Inode change detected for MaxMind DB [.<...>/GeoLite2-ASN.mmdb] , line 1
 1299477595.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] , line 1
 1299477595.000000 Reporter::INFO Inode change detected for MaxMind DB [.<...>/GeoLite2-City.mmdb] , line 1
diff --git a/testing/btest/core/mmdb/reopen.zeek b/testing/btest/core/mmdb/reopen.zeek
index d9c120c8dc..f764097e85 100644
--- a/testing/btest/core/mmdb/reopen.zeek
+++ b/testing/btest/core/mmdb/reopen.zeek
@@ -14,17 +14,24 @@ redef mmdb_dir = "./mmdb";
 
 global pkt = 0;
 
+function timestamp(n: count): string
+ {
+ assert n <= 60;
+ return fmt("2020-01-01T00:%s:00", n);
+ }
+
 event new_packet(c: connection, p: pkt_hdr)
 {
 ++pkt;
- # Set MMDB's modification time to current network time.
+
+ # Increment MMDB's modification time.
 local asn_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-ASN.mmdb");
 local city_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-City.mmdb");
 
- if ( ! piped_exec(fmt("touch -d @%s %s", network_time(), asn_fn), "") )
+ if ( ! piped_exec(fmt("touch -d %s %s", timestamp(pkt), asn_fn), "") )
 exit(1);
- if ( ! piped_exec(fmt("touch -d @%s %s", network_time(), city_fn), "") )
+ if ( ! piped_exec(fmt("touch -d %s %s", timestamp(pkt), city_fn), "") )
 exit(1);
 
 print network_time(), pkt, 128.3.0.1, "asn", lookup_autonomous_system(128.3.0.1);
diff --git a/testing/btest/core/mmdb/temporary-error.zeek b/testing/btest/core/mmdb/temporary-error.zeek
index 0a5102535c..a425732726 100644
--- a/testing/btest/core/mmdb/temporary-error.zeek
+++ b/testing/btest/core/mmdb/temporary-error.zeek
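Review bot: `assert n <= 60;` in the new timestamp() helper in reopen.zeek is off by one: n becomes the minute field of `2020-01-01T00:%s:00`, and 60 is not a valid minute, so n == 60 passes the assertion and then hands `touch -d` a time it cannot parse; the guard should read `assert n < 60;`. The identical helper with the identical assertion is added to testing/btest/core/mmdb/temporary-error.zeek in the next file, and the same fix applies there. Separately, `%s` formats the count without zero padding (`00:5:00` for the fifth packet); the GNU and BSD touch variants this commit targets appear to accept a single-digit minute, but `%02d` would make the timestamps unambiguous if Zeek's fmt accepts a width on a count argument, which is worth confirming before changing.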
@@ -15,16 +15,32 @@ redef mmdb_dir = "./mmdb";
 
 global pkt = 0;
 
+global asn_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-ASN.mmdb");
+global city_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-City.mmdb");
+
+global asn_fn_backup = safe_shell_quote(mmdb_dir + "-backup/GeoLite2-ASN.mmdb");
+global city_fn_backup = safe_shell_quote(mmdb_dir + "-backup/GeoLite2-City.mmdb");
+
+function timestamp(n: count): string
+ {
+ assert n <= 60;
+ return fmt("2020-01-01T00:%s:00", n);
+ }
+
+event zeek_init()
+ {
+ # Set the initial modification time for the MMDBs.
+ for ( db in vector(asn_fn, city_fn, asn_fn_backup, city_fn_backup) )
+ {
+ if ( ! piped_exec(fmt("test -f %s && touch -d %s %s", db, timestamp(pkt), db), "") )
+ exit(1);
+ }
+ }
+
 event new_packet(c: connection, p: pkt_hdr)
 {
 ++pkt;
 
- local asn_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-ASN.mmdb");
- local city_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-City.mmdb");
-
- local asn_fn_backup = safe_shell_quote(mmdb_dir + "-backup/GeoLite2-ASN.mmdb");
- local city_fn_backup = safe_shell_quote(mmdb_dir + "-backup/GeoLite2-City.mmdb");
-
 if ( pkt == 1 )
 {
 print "start";
@@ -32,10 +48,10 @@ event new_packet(c: connection, p: pkt_hdr)
 
 if ( pkt == 2 )
 {
 print "corrupting db";
- if ( ! piped_exec(fmt("truncate --size=8 %s", asn_fn), "") )
+ if ( ! piped_exec(fmt("truncate -s 8 %s", asn_fn), "") )
 exit(1);
- if ( ! piped_exec(fmt("truncate --size=8 %s", city_fn), "") )
+ if ( ! piped_exec(fmt("truncate -s 8 %s", city_fn), "") )
 exit(1);
 }
 else if ( pkt == 4 )
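Review bot: In the new zeek_init() in temporary-error.zeek, `for ( db in vector(asn_fn, city_fn, asn_fn_backup, city_fn_backup) )` binds db to the vector index, not the element: Zeek's single-variable vector loop yields indices, and the two-variable form `for ( i, db in vector(...) )` is the one that yields the value. As written the shell command becomes `test -f 0 && touch -d ... 0` and so on, so `test -f` fails and the initial modification time the comment promises is never set; whether the test then exits(1) or continues silently depends on whether piped_exec surfaces the shell's exit status, which the hunk does not show. The one-line fix is `for ( i, db in vector(asn_fn, city_fn, asn_fn_backup, city_fn_backup) )`.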
@@ -73,11 +89,11 @@ event new_packet(c: connection, p: pkt_hdr)
 exit(1);
 }
 
- # Set MMDB's modification time to current network time for predictability.
- if ( ! piped_exec(fmt("test -f %s && touch -d @%s %s", asn_fn, network_time(), asn_fn), "") )
+ # Increment MMDB's modification time.
+ if ( ! piped_exec(fmt("test -f %s && touch -d %s %s", asn_fn, timestamp(pkt), asn_fn), "") )
 exit(1);
- if ( ! piped_exec(fmt("test -f %s && touch -d @%s %s", city_fn, network_time(), city_fn), "") )
+ if ( ! piped_exec(fmt("test -f %s && touch -d %s %s", city_fn, timestamp(pkt), city_fn), "") )
 exit(1);
 
 print network_time(), pkt, 128.3.0.1, "asn", lookup_autonomous_system(128.3.0.1);