Merge remote-tracking branch 'origin/master' into topic/seth/log-framework-ext

testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro

@@ -0,0 +1,76 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run logger-1  CLUSTER_NODE=logger-1 BROPATH=$BROPATH:.. bro %INPUT
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run manager-1 CLUSTER_NODE=manager-1 BROPATH=$BROPATH:.. bro %INPUT
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run proxy-1   CLUSTER_NODE=proxy-1 BROPATH=$BROPATH:.. bro %INPUT
+# @TEST-EXEC: btest-bg-run proxy-2   CLUSTER_NODE=proxy-2 BROPATH=$BROPATH:.. bro %INPUT
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1  CLUSTER_NODE=worker-1 BROPATH=$BROPATH:.. bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-2  CLUSTER_NODE=worker-2 BROPATH=$BROPATH:.. bro %INPUT
+# @TEST-EXEC: btest-bg-wait 30
+# @TEST-EXEC: btest-diff logger-1/.stdout
+# @TEST-EXEC: btest-diff manager-1/.stdout
+# @TEST-EXEC: btest-diff proxy-1/.stdout
+# @TEST-EXEC: btest-diff proxy-2/.stdout
+# @TEST-EXEC: btest-diff worker-1/.stdout
+# @TEST-EXEC: btest-diff worker-2/.stdout
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::manager_is_logger = F;
+redef Cluster::nodes = {
+	["logger-1"] = [$node_type=Cluster::LOGGER,   $ip=127.0.0.1, $p=37757/tcp],
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37758/tcp, $logger="logger-1", $workers=set("worker-1")],
+	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37759/tcp, $logger="logger-1", $manager="manager-1", $workers=set("worker-1")],
+	["proxy-2"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37760/tcp, $logger="logger-1", $manager="manager-1", $workers=set("worker-2")],
+	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37761/tcp, $logger="logger-1", $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
+	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37762/tcp, $logger="logger-1", $manager="manager-1", $proxy="proxy-2", $interface="eth1"],
+};
+@TEST-END-FILE
+
+global fully_connected: event();
+
+global peer_count = 0;
+
+global fully_connected_nodes = 0;
+
+event fully_connected()
+	{
+	++fully_connected_nodes;
+	if ( Cluster::node == "logger-1" )
+		{
+		if ( peer_count == 5 && fully_connected_nodes == 5 )
+			terminate_communication();
+		}
+	}
+
+redef Cluster::worker2logger_events += /fully_connected/;
+redef Cluster::proxy2logger_events += /fully_connected/;
+redef Cluster::manager2logger_events += /fully_connected/;
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	print "Connected to a peer";
+	++peer_count;
+	if ( Cluster::node == "logger-1" )
+		{
+		if ( peer_count == 5 && fully_connected_nodes == 5 )
+			terminate_communication();
+		}
+	else if ( Cluster::node == "manager-1" )
+		{
+		if ( peer_count == 5 )
+			event fully_connected();
+		}
+	else
+		{
+		if ( peer_count == 3 )
+			event fully_connected();
+		}
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	terminate();
+	}

testing/btest/scripts/base/frameworks/input/default.bro

@@ -0,0 +1,48 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff out
+
+@TEST-START-FILE input.log
+#separator \x09
+#path	ssh
+#fields	i	b
+#types	int	bool
+1	T
+2	T
+3	F
+4	F
+5	F
+6	F
+7	T
+@TEST-END-FILE
+
+redef exit_only_after_terminate = T;
+
+global outfile: file;
+
+module A;
+
+type Val: record {
+	i: int;
+	b: bool;
+	s: string &default="leer";
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, val: Val)
+	{
+	print outfile, val;
+	}
+
+event bro_init()
+	{
+	outfile = open("../out");
+	Input::add_event([$source="../input.log", $name="input", $fields=Val, $ev=line, $want_record=T]);
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	print outfile, "End-of-data";
+	Input::remove("input");
+	close(outfile);
+	terminate();
+	}

testing/btest/scripts/base/frameworks/input/errors.bro

@@ -118,6 +118,31 @@ event event10(description: Input::TableDescription, tpe: Input::Event, i: Idx, c
 	{
 	}
 
+# these are legit to test the error events
+event event11(description: Input::EventDescription, tpe: Input::Event, v: Val)
+	{
+	}
+
+event errorhandler1(desc: Input::TableDescription, msg: string, level: Reporter::Level)
+	{
+	}
+
+event errorhandler2(desc: Input::EventDescription, msg: string, level: Reporter::Level)
+	{
+	}
+
+event errorhandler3(desc: string, msg: string, level: Reporter::Level)
+	{
+	}
+
+event errorhandler4(desc: Input::EventDescription, msg: count, level: Reporter::Level)
+	{
+	}
+
+event errorhandler5(desc: Input::EventDescription, msg: string, level: count)
+	{
+	}
+
 event kill_me()
 	{
 	terminate();
@@ -129,23 +154,23 @@ event bro_init()
 	Input::add_event([$source="input.log", $name="file", $fields=FileVal, $ev=line_file, $want_record=T]);
 	Input::add_event([$source="input.log", $name="optionalrecord", $fields=OptionalRecordVal, $ev=line_record, $want_record=T]);
 	Input::add_event([$source="input.log", $name="optionalfile", $fields=OptionalFileVal, $ev=optional_line_file, $want_record=T]);
-	Input::add_table([$source="input.log", $name="filetable", $idx=Idx, $val=FileVal, $destination=file_table]);	
-	Input::add_table([$source="input.log", $name="optionalrecordtable", $idx=Idx, $val=OptionalRecordVal, $destination=record_table]);	
-	Input::add_table([$source="input.log", $name="optionalfiletable", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table]);	
-	Input::add_table([$source="input.log", $name="optionalfiletable", $idx=Idx, $val=OptionalFileVal, $destination=record_table]);	
-	Input::add_table([$source="input.log", $name="optionalfiletable2", $idx=Idx, $val=OptionalFileVal, $destination=string_table]);	
-	Input::add_table([$source="input.log", $name="optionalfiletable3", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=terminate]);	
-	Input::add_table([$source="input.log", $name="optionalfiletable3", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=kill_me]);	
-	Input::add_table([$source="input.log", $name="optionalfiletable4", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=event1]);	
-	Input::add_table([$source="input.log", $name="optionalfiletable5", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=event2]);	
-	Input::add_table([$source="input.log", $name="optionalfiletable6", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=event3]);	
-	Input::add_table([$source="input.log", $name="optionalfiletable7", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=event4]);	
+	Input::add_table([$source="input.log", $name="filetable", $idx=Idx, $val=FileVal, $destination=file_table]);
+	Input::add_table([$source="input.log", $name="optionalrecordtable", $idx=Idx, $val=OptionalRecordVal, $destination=record_table]);
+	Input::add_table([$source="input.log", $name="optionalfiletable", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table]);
+	Input::add_table([$source="input.log", $name="optionalfiletable", $idx=Idx, $val=OptionalFileVal, $destination=record_table]);
+	Input::add_table([$source="input.log", $name="optionalfiletable2", $idx=Idx, $val=OptionalFileVal, $destination=string_table]);
+	Input::add_table([$source="input.log", $name="optionalfiletable3", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=terminate]);
+	Input::add_table([$source="input.log", $name="optionalfiletable3", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=kill_me]);
+	Input::add_table([$source="input.log", $name="optionalfiletable4", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=event1]);
+	Input::add_table([$source="input.log", $name="optionalfiletable5", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=event2]);
+	Input::add_table([$source="input.log", $name="optionalfiletable6", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=event3]);
+	Input::add_table([$source="input.log", $name="optionalfiletable7", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=event4]);
 	Input::add_table([$source="input.log", $name="optionalfiletable8", $idx=Idx, $val=Val, $destination=val_table4, $want_record=F]);
 	Input::add_table([$source="input.log", $name="optionalfiletable9", $idx=Idx2, $val=Val, $destination=val_table, $want_record=F]);
 	Input::add_table([$source="input.log", $name="optionalfiletable10", $idx=Idx, $val=Val, $destination=val_table2, $want_record=F]);
 	Input::add_table([$source="input.log", $name="optionalfiletable11", $idx=Idx2, $val=Idx, $destination=val_table3, $want_record=F]);
 	Input::add_table([$source="input.log", $name="optionalfiletable12", $idx=Idx2, $val=Idx, $destination=val_table2, $want_record=F]);
-	Input::add_table([$source="input.log", $name="optionalfiletable14", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=event10, $want_record=F]);	
+	Input::add_table([$source="input.log", $name="optionalfiletable14", $idx=Idx, $val=OptionalFileVal, $destination=optional_file_table, $ev=event10, $want_record=F]);
 	Input::add_table([$source="input.log", $name="optionalfiletable15", $idx=Idx2, $val=Idx, $destination=val_table2, $want_record=T]);
 	Input::add_event([$source="input.log", $name="event1", $fields=OptionalFileVal, $ev=terminate, $want_record=T]);
 	Input::add_event([$source="input.log", $name="event2", $fields=OptionalFileVal, $ev=kill_me, $want_record=T]);
@@ -157,5 +182,11 @@ event bro_init()
 	Input::add_event([$source="input.log", $name="event8", $fields=Val, $ev=event8, $want_record=F]);
 	Input::add_event([$source="input.log", $name="event9", $fields=Val, $ev=event9, $want_record=F]);
 
+	Input::add_event([$source="input.log", $name="error1", $fields=Val, $ev=event11, $want_record=T, $error_ev=errorhandler1]);
+	Input::add_table([$source="input.log", $name="error2", $idx=Idx, $val=Val, $destination=val_table, $error_ev=errorhandler2]);
+	Input::add_event([$source="input.log", $name="error3", $fields=Val, $ev=event11, $want_record=T, $error_ev=errorhandler3]);
+	Input::add_event([$source="input.log", $name="error4", $fields=Val, $ev=event11, $want_record=T, $error_ev=errorhandler4]);
+	Input::add_event([$source="input.log", $name="error5", $fields=Val, $ev=event11, $want_record=T, $error_ev=errorhandler5]);
+
 	schedule 3secs { kill_me() };
 	}

testing/btest/scripts/base/frameworks/input/invalidtext.bro

@@ -26,18 +26,46 @@ type Val: record {
 	c: count;
 };
 
+global endcount: count = 0;
+
 global servers: table[string] of Val = table();
 
+event handle_our_errors(desc: Input::TableDescription, msg: string, level: Reporter::Level)
+	{
+	print outfile, "TableErrorEvent", msg, level;
+	}
+
+event handle_our_errors_event(desc: Input::EventDescription, msg: string, level: Reporter::Level)
+	{
+	print outfile, "EventErrorEvent", msg, level;
+	}
+
+event line(description: Input::EventDescription, tpe: Input::Event, v: Val)
+	{
+	print outfile, "Event", v;
+	}
+
 event bro_init()
 	{
 	outfile = open("../out");
 	# first read in the old stuff into the table...
-	Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]);
+	Input::add_table([$source="../input.log", $name="ssh", $error_ev=handle_our_errors, $idx=Idx, $val=Val, $destination=servers]);
+	Input::add_event([$source="../input.log", $name="sshevent", $error_ev=handle_our_errors_event, $fields=Val, $want_record=T, $ev=line]);
 	}
 
 event Input::end_of_data(name: string, source:string)
 	{
-	print outfile, servers;
-	Input::remove("ssh");
-	terminate();
+	++endcount;
+
+	if ( endcount == 1 )
+		{
+		print outfile, servers;
+		Input::remove("ssh");
+		}
+
+	if ( endcount == 2 )
+		{
+		Input::remove("sshevent");
+		terminate();
+		}
 	}

testing/btest/scripts/base/frameworks/input/windows.bro

@@ -0,0 +1,64 @@
+# Test windows linebreaks
+
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff out
+
+redef exit_only_after_terminate = T;
+
+@TEST-START-FILE input.log
+#separator \x09
+#path	ssh
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	ns
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	table	table	table	vector	vector	string
+T	-42	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1315801931.273616	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY	4242
+@TEST-END-FILE
+
+@load base/protocols/ssh
+
+global outfile: file;
+
+redef InputAscii::empty_field = "EMPTY";
+
+module A;
+
+type Idx: record {
+	i: int;
+};
+
+type Val: record {
+	b: bool;
+	e: Log::ID;
+	c: count;
+	p: port;
+	sn: subnet;
+	a: addr;
+	d: double;
+	t: time;
+	iv: interval;
+	s: string;
+	ns: string;
+	sc: set[count];
+	ss: set[string];
+	se: set[string];
+	vc: vector of int;
+	ve: vector of int;
+};
+
+global servers: table[int] of Val = table();
+
+event bro_init()
+	{
+	outfile = open("../out");
+	# first read in the old stuff into the table...
+	Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]);
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	print outfile, servers;
+	print outfile, to_count(servers[-42]$ns); # try to actually use a string. If null-termination is wrong this will fail.
+	Input::remove("ssh");
+	close(outfile);
+	terminate();
+	}

testing/btest/scripts/base/frameworks/intel/expire-item.bro

@@ -0,0 +1,46 @@
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 7
+# @TEST-EXEC: cat broproc/intel.log > output
+# @TEST-EXEC: cat broproc/.stdout >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE intel.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+1.2.3.4	Intel::ADDR	source1	this host is bad	http://some-data-distributor.com/1
+# @TEST-END-FILE
+
+@load frameworks/communication/listen
+@load frameworks/intel/do_expire
+
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+redef Intel::item_expiration = 3sec;
+redef table_expire_interval = 1sec;
+
+global runs = 0;
+event do_it()
+	{
+	print "Trigger: 1.2.3.4";
+	Intel::seen([$host=1.2.3.4,
+	             $where=SOMEWHERE]);
+
+	++runs;
+	if ( runs < 6 )
+		schedule 1sec { do_it() };
+	}
+
+event Intel::match(s: Intel::Seen, items: set[Intel::Item])
+	{
+	print fmt("Seen: %s", s$indicator);
+	}
+
+hook Intel::item_expired(indicator: string, indicator_type: Intel::Type,
+	metas: set[Intel::MetaData])
+	{
+	print fmt("Expired: %s", indicator);
+	}
+
+event bro_init() &priority=-10
+	{
+	schedule 1sec { do_it() };
+	}

testing/btest/scripts/base/frameworks/intel/match-subnet.bro

@@ -0,0 +1,51 @@
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: cat broproc/intel.log > output
+# @TEST-EXEC: cat broproc/.stdout >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE intel.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+192.168.1.1	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/1
+192.168.2.0/24	Intel::SUBNET	source1	this subnetwork is just plain baaad	http://some-data-distributor.com/2
+192.168.142.1	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/3
+192.168.142.0/24	Intel::SUBNET	source1	this subnetwork is baaad	http://some-data-distributor.com/4
+192.168.142.0/26	Intel::SUBNET	source1	this subnetwork is inside	http://some-data-distributor.com/4
+192.168.128.0/18	Intel::SUBNET	source1	this subnetwork might be baaad	http://some-data-distributor.com/5
+# @TEST-END-FILE
+
+@load frameworks/communication/listen
+
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+event do_it()
+	{
+	Intel::seen([$host=192.168.1.1,
+	             $where=SOMEWHERE]);
+	Intel::seen([$host=192.168.2.1,
+	             $where=SOMEWHERE]);
+	Intel::seen([$host=192.168.142.1,
+	             $where=SOMEWHERE]);
+	}
+
+event bro_init() &priority=-10
+	{
+	schedule 1sec { do_it() };
+	}
+
+global log_lines = 0;
+event Intel::log_intel(rec: Intel::Info)
+	{
+	++log_lines;
+	if ( log_lines == 2 )
+		terminate();
+	}
+
+event Intel::match(s: Intel::Seen, items: set[Intel::Item])
+	{
+	print "";
+	print fmt("Seen: %s", s);
+	for ( item in items )
+		print fmt("Item: %s", item);
+	}

testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro

@@ -0,0 +1,88 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-1  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout
+# @TEST-EXEC: btest-diff manager-1/intel.log
+
+# @TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"],
+};
+# @TEST-END-FILE
+
+@load base/frameworks/control
+
+module Intel;
+
+redef Log::default_rotation_interval=0sec;
+
+event test_manager()
+	{
+	Intel::remove([$indicator="192.168.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+	Intel::seen([$host=192.168.0.1, $where=Intel::IN_ANYWHERE]);
+	Intel::remove([$indicator="192.168.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]], T);
+	Intel::seen([$host=192.168.0.2, $where=Intel::IN_ANYWHERE]);
+	}
+
+event test_worker()
+	{
+	Intel::remove([$indicator="192.168.1.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+	Intel::remove([$indicator="192.168.1.2", $indicator_type=Intel::ADDR, $meta=[$source="source2"]]);
+	Intel::seen([$host=192.168.1.2, $where=Intel::IN_ANYWHERE]);
+	# Trigger shutdown by matching data that should be present
+	Intel::seen([$host=10.10.10.10, $where=Intel::IN_ANYWHERE]);
+	}
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	# Insert the data once all workers are connected.
+	if ( Cluster::local_node_type() == Cluster::MANAGER && Cluster::worker_count == 1 )
+		{
+		Intel::insert([$indicator="192.168.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+		Intel::insert([$indicator="192.168.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+		Intel::insert([$indicator="192.168.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source2"]]);
+		Intel::insert([$indicator="192.168.1.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+		Intel::insert([$indicator="192.168.1.2", $indicator_type=Intel::ADDR, $meta=[$source="source2"]]);
+		Intel::insert([$indicator="10.10.10.10", $indicator_type=Intel::ADDR, $meta=[$source="end"]]);
+
+		event test_manager();
+		}
+	}
+
+global worker_data = 0;
+event Intel::cluster_new_item(item: Intel::Item)
+	{
+	# Run test on worker-1 when all items have been inserted
+	if ( Cluster::node == "worker-1" )
+		{
+		++worker_data;
+		if ( worker_data == 4 )
+			event test_worker();
+		}
+	}
+
+event Intel::remove_item(item: Item, purge_indicator: bool)
+	{
+	print fmt("Removing %s (source: %s).", item$indicator, item$meta$source);
+	}
+
+event purge_item(item: Item)
+	{
+	print fmt("Purging %s.", item$indicator);
+	}
+
+event Intel::log_intel(rec: Intel::Info)
+	{
+	print "Logging intel hit!";
+	event Control::shutdown_request();
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	# Cascading termination
+	terminate_communication();
+	}

testing/btest/scripts/base/frameworks/intel/updated-match.bro

@@ -0,0 +1,62 @@
+# @TEST-SERIALIZE: comm
+
+# @TEST-EXEC: cp intel1.dat intel.dat
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: sleep 2
+# @TEST-EXEC: cp intel2.dat intel.dat
+# @TEST-EXEC: sleep 2
+# @TEST-EXEC: cp intel3.dat intel.dat
+# @TEST-EXEC: btest-bg-wait 6
+# @TEST-EXEC: cat broproc/intel.log > output
+# @TEST-EXEC: cat broproc/notice.log >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE intel1.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url	meta.do_notice
+1.2.3.4	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/1234	F
+# @TEST-END-FILE
+
+# @TEST-START-FILE intel2.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url	meta.do_notice
+1.2.3.4	Intel::ADDR	source2	this host is just plain baaad	http://some-data-distributor.com/1234	F
+4.3.2.1	Intel::ADDR	source2	this host might also be baaad	http://some-data-distributor.com/4321	F
+# @TEST-END-FILE
+
+# @TEST-START-FILE intel3.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url	meta.do_notice
+1.2.3.4	Intel::ADDR	source2	this host is just plain baaad	http://some-data-distributor.com/1234	T
+4.3.2.1	Intel::ADDR	source2	this host might also be baaad	http://some-data-distributor.com/4321	T
+# @TEST-END-FILE
+
+@load base/frameworks/communication # let network-time run
+@load frameworks/intel/do_notice
+
+redef exit_only_after_terminate = T;
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+global runs = 0;
+event do_it()
+	{
+	Intel::seen([$host=1.2.3.4,
+	             $where=SOMEWHERE]);
+	Intel::seen([$host=4.3.2.1,
+	             $where=SOMEWHERE]);
+
+	++runs;
+	if ( runs < 3 )
+		schedule 3sec { do_it() };
+	}
+
+global log_lines = 0;
+event Intel::log_intel(rec: Intel::Info)
+	{
+	++log_lines;
+	if ( log_lines == 5 )
+		terminate();
+	}
+
+event bro_init() &priority=-10
+	{
+	schedule 1sec { do_it() };
+	}

testing/btest/scripts/base/frameworks/logging/ascii-double.bro

@@ -0,0 +1,29 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff test.log
+# 
+# Make sure  we do not write out scientific notation for doubles.
+
+module Test;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		d: double &log;
+	};
+}
+
+event bro_init()
+{
+	Log::create_stream(Test::LOG, [$columns=Info]);
+	Log::write(Test::LOG, [$d=2153226000.0]);
+	Log::write(Test::LOG, [$d=2153226000.1]);
+	Log::write(Test::LOG, [$d=2153226000.123456789]);
+	Log::write(Test::LOG, [$d=1.0]);
+	Log::write(Test::LOG, [$d=1.1]);
+	Log::write(Test::LOG, [$d=1.123456789]);
+	Log::write(Test::LOG, [$d=1.1234]);
+	Log::write(Test::LOG, [$d=3.14e15]);
+}
+

testing/btest/scripts/base/frameworks/logging/ascii-escape-empty-str.bro

@@ -0,0 +1,24 @@
+#
+# @TEST-EXEC: bro -b %INPUT 
+# @TEST-EXEC: btest-diff test.log
+
+redef LogAscii::empty_field = "EMPTY";
+
+module test;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		ss: set[string];
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(test::LOG, [$columns=Log]);
+
+	Log::write(test::LOG, [
+		$ss=set("EMPTY")
+		]);
+}

testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.bro

@@ -0,0 +1,90 @@
+# Test simultaneous writes to the same database file.
+#
+# @TEST-REQUIRES: which sqlite3
+# @TEST-REQUIRES: has-writer Bro::SQLiteWriter
+# @TEST-GROUP: sqlite
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: sqlite3 ssh.sqlite 'select * from ssh' > ssh.select
+# @TEST-EXEC: sqlite3 ssh.sqlite 'select * from sshtwo' >> ssh.select
+# @TEST-EXEC: btest-diff ssh.select
+#
+# Testing all possible types.
+
+redef LogSQLite::unset_field = "(unset)";
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG, LOG2 };
+
+	type Log: record {
+		b: bool;
+		i: int;
+		e: Log::ID;
+		c: count;
+		p: port;
+		sn: subnet;
+		a: addr;
+		d: double;
+		t: time;
+		iv: interval;
+		s: string;
+		sc: set[count];
+		ss: set[string];
+		se: set[string];
+		vc: vector of count;
+		ve: vector of string;
+		f: function(i: count) : string;
+	} &log;
+}
+
+function foo(i : count) : string
+	{
+	if ( i > 0 )
+		return "Foo";
+	else
+		return "Bar";
+	}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+	Log::create_stream(SSH::LOG2, [$columns=Log]);
+	Log::remove_filter(SSH::LOG, "default");
+	Log::remove_filter(SSH::LOG2, "default");
+
+	local filter: Log::Filter = [$name="sqlite", $path="ssh", $config=table(["tablename"] = "ssh"), $writer=Log::WRITER_SQLITE];
+	Log::add_filter(SSH::LOG, filter);
+	local filter2 = copy(filter);
+	filter2$name = "sqlite2";
+	filter2$config = table(["tablename"] = "sshtwo");
+	Log::add_filter(SSH::LOG2, filter2);
+
+	local empty_set: set[string];
+	local empty_vector: vector of string;
+
+	local out = [
+		$b=T,
+		$i=-42,
+		$e=SSH::LOG,
+		$c=21,
+		$p=123/tcp,
+		$sn=10.0.0.1/24,
+		$a=1.2.3.4,
+		$d=3.14,
+		$t=network_time(),
+		$iv=100secs,
+		$s="hurz",
+		$sc=set(1,2,3,4),
+		$ss=set("AA", "BB", "CC"),
+		$se=empty_set,
+		$vc=vector(10, 20, 30),
+		$ve=empty_vector,
+		$f=foo
+		];
+
+	Log::write(SSH::LOG, out);
+	Log::write(SSH::LOG2, out);
+}
+

testing/btest/scripts/base/frameworks/netcontrol/acld.bro

@@ -4,6 +4,7 @@
 # @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out"
 
 # @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff send/netcontrol.log
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
 
@@ -67,6 +68,12 @@ event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, ms
 	NetControl::remove_rule(r$id);
 	}
 
+event NetControl::rule_exists(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	print "rule exists", r$entity, r$ty;
+	NetControl::remove_rule(r$id);
+	}
+
 event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
 	{
 	print "rule removed", r$entity, r$ty;
@@ -98,7 +105,10 @@ event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::
 	{
 	print "add_rule", id, r$entity, r$ty, ar;
 
-	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command));
+	if ( r$cid != 3 )
+		Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command));
+	else
+		Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_exists, id, r, ar$command));
 	}
 
 event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)

testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro

@@ -6,7 +6,8 @@
 # @TEST-EXEC: sleep 1
 # @TEST-EXEC: btest-bg-run worker-2  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
 # @TEST-EXEC: btest-bg-wait 20
-# @TEST-EXEC: btest-diff manager-1/netcontrol.log
+# @TEST-EXEC: btest-diff worker-1/.stdout
+# @TEST-EXEC: btest-diff worker-2/.stdout
 
 @TEST-START-FILE cluster-layout.bro
 redef Cluster::nodes = {
@@ -26,6 +27,11 @@ event bro_init()
 	{
 	suspend_processing();
 	}
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	continue_processing();
+	}
 @endif
 
 event NetControl::init()
@@ -34,13 +40,6 @@ event NetControl::init()
 	NetControl::activate(netcontrol_debug, 0);
 	}
 
-@if ( Cluster::local_node_type() == Cluster::WORKER )
-event remote_connection_handshake_done(p: event_peer)
-	{
-	continue_processing();
-	}
-@endif
-
 event connection_established(c: connection)
 	{
 	local id = c$id;
@@ -59,4 +58,12 @@ event remote_connection_closed(p: event_peer) {
 event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string &default="")
 	{
 	print "Rule added", r$id, r$cid;
+	if ( r$entity?$ip )
+		print |NetControl::find_rules_subnet(r$entity$ip)|;
+	}
+
+event NetControl::rule_destroyed(r: NetControl::Rule)
+	{
+	if ( r$entity?$ip )
+		print "Rule destroyed", r$id, r$cid, |NetControl::find_rules_subnet(r$entity$ip)|;
 	}

testing/btest/scripts/base/frameworks/netcontrol/broker.bro

@@ -18,7 +18,7 @@ redef exit_only_after_terminate = T;
 event NetControl::init()
 	{
 	suspend_processing();
-	local netcontrol_broker = NetControl::create_broker(127.0.0.1, broker_port, "bro/event/netcontroltest", T);
+	local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=broker_port, $topic="bro/event/netcontroltest"), T);
 	NetControl::activate(netcontrol_broker, 0);
 	}
 
@@ -50,7 +50,12 @@ event connection_established(c: connection)
 event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
 	{
 	print "rule added", r$entity, r$ty;
-	NetControl::remove_rule(r$id);
+	NetControl::remove_rule(r$id, "removing");
+	}
+
+event NetControl::rule_exists(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	print "rule exists", r$entity, r$ty;
 	}
 
 event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
@@ -89,14 +94,19 @@ event NetControl::broker_add_rule(id: count, r: NetControl::Rule)
 	{
 	print "add_rule", id, r$entity, r$ty;
 
-	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_added, id, r, ""));
+	if ( r$cid == 3 )
+		Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_added, id, r, ""));
+	if ( r$cid == 2 )
+		Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_exists, id, r, ""));
+
+	if ( r$cid == 2 )
+		Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo()));
 	}
 
-event NetControl::broker_remove_rule(id: count, r: NetControl::Rule)
+event NetControl::broker_remove_rule(id: count, r: NetControl::Rule, reason: string)
 	{
-	print "remove_rule", id, r$entity, r$ty;
+	print "remove_rule", id, r$entity, r$ty, reason;
 
-	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo()));
 	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_removed, id, r, ""));
 
 	if ( r$cid == 3 )

testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro

@@ -0,0 +1,130 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT"
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
+# @TEST-EXEC: btest-bg-run worker-2  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
+# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff manager-1/netcontrol.log
+# @TEST-EXEC: btest-diff manager-1/netcontrol_catch_release.log
+# @TEST-EXEC: btest-diff worker-2/.stdout
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"],
+	["worker-2"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"],
+};
+@TEST-END-FILE
+
+redef Log::default_rotation_interval = 0secs;
+
+@load base/frameworks/netcontrol
+redef NetControl::catch_release_warn_blocked_ip_encountered = T;
+
+global ready_for_data_1: event();
+global ready_for_data_2: event();
+redef Cluster::manager2worker_events += /^ready_for_data_(1|2)$/;
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+
+global peer_count = 0;
+event remote_connection_handshake_done(p: event_peer) &priority=-5
+	{
+	++peer_count;
+	if ( peer_count == 2 )
+		{
+		event ready_for_data_1();
+		schedule 1.5sec { ready_for_data_2() };
+		}
+	}
+
+@endif
+
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+event bro_init()
+	{
+	print "Suspend", Cluster::node;
+	suspend_processing();
+	}
+
+@endif
+
+@if ( Cluster::node == "worker-1" )
+event ready_for_data_1()
+	{
+	print "Resume", Cluster::node;
+	continue_processing();
+	}
+@endif
+
+@if ( Cluster::node == "worker-2" )
+event ready_for_data_2()
+	{
+	print "Resume", Cluster::node;
+	continue_processing();
+	}
+@endif
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+global i: count = 0;
+
+event connection_established(c: connection)
+	{
+	print "Connection established";
+	local id = c$id;
+	local info = NetControl::get_catch_release_info(id$orig_h);
+	print "Info", info;
+	NetControl::drop_address_catch_release(id$orig_h);
+	if ( info$current_block_id != "" )
+		{
+		NetControl::unblock_address_catch_release(id$orig_h, "reason here");
+		}
+	}
+
+@if ( Cluster::node == "worker-1" )
+event connection_established(c: connection)
+	{
+	NetControl::drop_address(8.8.8.8, 0.1secs);
+	NetControl::drop_address_catch_release(8.8.8.8);
+	}
+@endif
+
+@if ( Cluster::node == "worker-2" )
+event connection_established(c: connection)
+	{
+	NetControl::catch_release_seen(8.8.8.8);
+	}
+@endif
+
+event NetControl::catch_release_block_new(a: addr, b: NetControl::BlockInfo)
+	{
+	print "New block", a, b;
+	}
+
+event NetControl::catch_release_block_delete(a: addr)
+	{
+	print "Delete block", a;
+	}
+
+event terminate_me() {
+	print "Terminate";
+	terminate();
+}
+
+event remote_connection_closed(p: event_peer) {
+	schedule 1sec { terminate_me() };
+}
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	print "Scheduling terminate";
+	schedule 3sec { terminate_me() };
+	}
+@endif

testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-forgotten.bro

@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff netcontrol_catch_release.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/frameworks/netcontrol
+
+redef NetControl::catch_release_intervals = vector(1sec, 2sec, 2sec);
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+global pc: count = 0;
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	if ( ++pc == 1 )
+		NetControl::drop_address_catch_release(10.0.0.1);
+	}
+
+event NetControl::catch_release_forgotten(a: addr, bi: NetControl::BlockInfo)
+	{
+	print "Forgotten: ", a, bi;
+	}

testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro

@@ -1,5 +1,6 @@
 # @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
 # @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort' btest-diff netcontrol.log
+# @TEST-EXEC: btest-diff netcontrol_catch_release.log
 
 @load base/frameworks/netcontrol
 
@@ -9,7 +10,7 @@ event NetControl::init()
 	NetControl::activate(netcontrol_debug, 0);
 	}
 
-module NetControl;
+global i: count = 0;
 
 event connection_established(c: connection)
 	{
@@ -17,15 +18,44 @@ event connection_established(c: connection)
 	NetControl::drop_address_catch_release(id$orig_h);
 	# second one should be ignored because duplicate
 	NetControl::drop_address_catch_release(id$orig_h);
-
-	# mean call directly into framework - simulate new connection
-	delete current_blocks[id$orig_h];
-	check_conn(id$orig_h);
-	delete current_blocks[id$orig_h];
-	check_conn(id$orig_h);
-	delete current_blocks[id$orig_h];
-	check_conn(id$orig_h);
-	delete current_blocks[id$orig_h];
-	check_conn(id$orig_h);
+	}
+
+event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string &default="")
+	{
+	if ( ++i == 6 )
+		return;
+
+	# delete directly, without notifying anything.
+	NetControl::delete_rule(r$id, "testing");
+	NetControl::catch_release_seen(subnet_to_addr(r$entity$ip));
+	}
+
+@TEST-START-NEXT
+
+@load base/frameworks/netcontrol
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+global i: count = 0;
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	NetControl::drop_address(id$orig_h, 2min);
+	NetControl::drop_address_catch_release(id$orig_h, "test drop");
+	}
+
+event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string &default="")
+	{
+	if ( ++i == 3 )
+		return;
+
+	# delete directly, without notifying anything.
+	NetControl::delete_rule(r$id);
+	NetControl::catch_release_seen(subnet_to_addr(r$entity$ip));
 	}