Expand scripts.base.frameworks.intel.cluster-transparency test
This simply expands this test to match the behavior of cluster-transparency-with-proxy, since the two are so similar. This test does not seem to need disabling the worker's initial send of the data store.
This commit is contained in:
parent
ed5d60f758
commit
984d6c0136
4 changed files with 28 additions and 12 deletions
|
@ -1,4 +1,5 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
### NOTE: This file has been sorted with diff-sort.
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
|
@ -7,5 +8,6 @@
|
|||
#open XXXX-XX-XX-XX-XX-XX
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||
XXXXXXXXXX.XXXXXX - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 Intel::ADDR worker-1 - - -
|
||||
#close XXXX-XX-XX-XX-XX-XX
|
||||
XXXXXXXXXX.XXXXXX - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 Intel::ADDR worker-1 - - -
|
||||
XXXXXXXXXX.XXXXXX - - - - - 4.3.2.1 Intel::ADDR Intel::IN_ANYWHERE worker-1 Intel::ADDR worker-2 - - -
|
||||
|
|
|
@ -4,3 +4,4 @@ new_indicator: 1.2.3.4 inserted by manager
|
|||
new_indicator: 123.123.123.123 inserted by worker-1
|
||||
new_indicator: 4.3.2.1 inserted by worker-2
|
||||
new_item triggered for 123.123.123.123 by worker-1 on worker-1
|
||||
seeing 4.3.2.1
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
### NOTE: This file has been sorted with diff-sort.
|
||||
Doing a lookup
|
||||
new_indicator: 1.2.3.4 inserted by manager
|
||||
new_indicator: 123.123.123.123 inserted by worker-1
|
||||
new_indicator: 4.3.2.1 inserted by worker-2
|
||||
new_item triggered for 4.3.2.1 by worker-2 on worker-2
|
||||
seeing 123.123.123.123
|
||||
|
|
|
@ -1,3 +1,6 @@
|
|||
# This test verifies intel data propagation via a cluster. The manager and both
|
||||
# workers insert intel items, and both workers do lookups that we expect to hit.
|
||||
|
||||
# @TEST-PORT: BROKER_PORT1
|
||||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
|
@ -9,7 +12,7 @@
|
|||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-2/.stdout
|
||||
# @TEST-EXEC: btest-diff manager-1/intel.log
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-timestamps-and-sort btest-diff manager-1/intel.log
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
|
@ -35,8 +38,10 @@ event Cluster::node_up(name: string, id: string)
|
|||
}
|
||||
}
|
||||
|
||||
global worker2_data = 0;
|
||||
global log_writes = 0;
|
||||
global worker_data = 0;
|
||||
global sent_data = F;
|
||||
|
||||
# Watch for new indicators send to workers.
|
||||
event Intel::insert_indicator(item: Intel::Item)
|
||||
{
|
||||
|
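Review bot: `global sent_data = F;` in the globals block has no reader in any of the shown hunks, and the commit message says this test does not need to disable the worker's initial send of the data store, so it looks like a leftover from copying cluster-transparency-with-proxy; if nothing outside the shown hunks uses it, drop the declaration (the `+`/`-` side of that line is not recoverable from this page, so confirm it is new). The new comment `# Watch for new indicators send to workers.` should read `# Watch for new indicators sent to workers.`. It would also help to say where the count of 3 that gates each worker's lookup in the next hunk comes from, e.g. `# 3 = manager's item + our own item echoed back + the other worker's item.`, since the test silently depends on locally inserted data being resent.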
@ -53,16 +58,23 @@ event Intel::insert_indicator(item: Intel::Item)
|
|||
Intel::insert([$indicator="4.3.2.1", $indicator_type=Intel::ADDR, $meta=[$source="worker-2"]]);
|
||||
}
|
||||
|
||||
# We're forcing worker-2 to do a lookup when it has three intelligence items
|
||||
# which were distributed over the cluster (data inserted locally is resent).
|
||||
# Each worker does a lookup when it has 3 intel items which were
|
||||
# distributed over the cluster (data inserted locally is resent).
|
||||
# Worker 1 observes the host inserted by worker 2, and vice versa.
|
||||
if ( Cluster::node == "worker-1" )
|
||||
{
|
||||
if ( ++worker_data == 3 )
|
||||
{
|
||||
print "seeing 4.3.2.1";
|
||||
Intel::seen([$host=4.3.2.1, $where=Intel::IN_ANYWHERE]);
|
||||
}
|
||||
}
|
||||
|
||||
if ( Cluster::node == "worker-2" )
|
||||
{
|
||||
++worker2_data;
|
||||
if ( worker2_data == 3 )
|
||||
if ( ++worker_data == 3 )
|
||||
{
|
||||
# Now that everything is inserted, see if we can match on the data inserted
|
||||
# by worker-1.
|
||||
print "Doing a lookup";
|
||||
print "seeing 123.123.123.123";
|
||||
Intel::seen([$host=123.123.123.123, $where=Intel::IN_ANYWHERE]);
|
||||
}
|
||||
}
|
||||
|
@ -83,6 +95,7 @@ event Intel::new_item(item: Intel::Item)
|
|||
|
||||
event Intel::log_intel(rec: Intel::Info)
|
||||
{
|
||||
if ( ++log_writes == 2 )
|
||||
terminate();
|
||||
}
|
||||
|
||||
|
|