signatures: Support custom event via [event_name] syntax
This change allows specifying a per-signature event, overriding the default signature_match event. It further removes the message parameter from such events if it is not provided in the signature. This also tracks the message as a StringValPtr directly to avoid allocating the same StringVal for every DoAction() call. Closes #3403
This commit is contained in:
parent
d11ac929af
commit
a7b077aa17
10 changed files with 202 additions and 10 deletions
|
@ -0,0 +1,8 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
warning in <...>/custom-event-errors.zeek, line 7: Wrong number of arguments for function. Expected 3, got 2. (event(state:signature_state, data:string))
|
||||
error: wrong event parameters for 'wrong_signature2'
|
||||
warning in <...>/custom-event-errors.zeek, line 9: Wrong number of arguments for function. Expected 2, got 3. (event(state:signature_state, msg:string, data:string))
|
||||
error: wrong event parameters for 'wrong_signature3'
|
||||
warning in <...>/custom-event-errors.zeek, line 11: Type mismatch in function argument #1. Expected string, got count. (event(state:signature_state, msg:count, data:string))
|
||||
error: wrong event parameters for 'wrong_signature4'
|
||||
error: unknown event 'non_existing_event' specified in rule
|
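--- /dev/null
+++ b/testing/btest/Baseline/signatures.custom-event/.stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.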
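--- /dev/null
+++ b/testing/btest/Baseline/signatures.custom-event/id.out
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.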
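--- /dev/null
+++ b/testing/btest/Baseline/signatures.custom-event/out
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+signature_match2 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp]
+signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message from identifier (cannot be changed)
+signature_match3 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message from identifier (cannot be changed)
+signature_match3 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message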
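--- /dev/null
+++ b/testing/btest/signatures/custom-event-errors.zeek
@@ -0,0 +1,33 @@
+# @TEST-DOC: Using the wrong paramters for custom signature events.
+#
+# @TEST-EXEC-FAIL: zeek -b -s id -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >id.out
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+
+@TEST-START-FILE id.sig
+signature udp-proto {
+ip-proto == 17
+event [wrong_signature2] "id"
+}
+
+signature udp-proto2 {
+ip-proto == 17
+event [wrong_signature3]
+}
+
+signature udp-proto3 {
+ip-proto == 17
+event [wrong_signature4] "not a count"
+}
+
+signature udp-proto4 {
+ip-proto == 17
+event [non_existing_event]
+}
+
+@TEST-END-FILE
+
+event wrong_signature2(state: signature_state, data: string) { }
+
+event wrong_signature3(state: signature_state, msg: string, data: string) { }
+
+event wrong_signature4(state: signature_state, msg: count, data: string) { }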
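Review bot: The negative cases cover the wrong arity (wrong_signature2, wrong_signature3) and a mistyped msg (wrong_signature4), but none of them exercises a handler whose first parameter is not `signature_state`, so a regression in the state-type check would pass this test unnoticed. Adding a fifth signature, `event [wrong_signature5]`, with a handler declared as `event wrong_signature5(state: count, data: string) { }` would pin that check as well; the .stderr baseline would need to be regenerated. The @TEST-DOC line also has a typo, `paramters` for `parameters`. Whether the loader actually validates the first parameter type is not visible from this hunk.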
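--- /dev/null
+++ b/testing/btest/signatures/custom-event.zeek
@@ -0,0 +1,51 @@
+# @TEST-DOC: Test the [event_name] notation within the event keyword of rules.
+#
+# @TEST-EXEC: zeek -b -s id -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >out
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+# @TEST-EXEC: btest-diff out
+
+@TEST-START-FILE id.sig
+signature udp-proto {
+ip-proto == 17
+event [my_signature_match3] "message"
+}
+
+signature udp-proto-msg-id {
+ip-proto == 17
+event [my_signature_match3] message_as_id
+}
+
+signature udp-proto-msg-id2 {
+ip-proto == 17
+event message_as_id
+}
+
+signature udp-stuff {
+dst-ip == mynets
+event [my_signature_match2]
+}
+
+@TEST-END-FILE
+
+const message_as_id = "message from identifier (cannot be changed)";
+
+const mynets: set[subnet] = {
+192.168.1.0/24,
+10.0.0.0/8,
+127.0.0.0/24
+};
+
+event signature_match(state: signature_state, msg: string, data: string)
+{
+print fmt("signature_match %s - %s", state$conn$id, msg);
+}
+
+event my_signature_match2(state: signature_state, data: string)
+{
+print fmt("signature_match2 %s", state$conn$id);
+}
+
+event my_signature_match3(state: signature_state, msg: string, data: string)
+{
+print fmt("signature_match3 %s - %s", state$conn$id, msg);
+}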
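Review bot: None of the three handlers looks at `data`, so the test pins which event fires and which message it carries but would not notice if the custom-event path delivered an empty or wrong payload to the new two-parameter form (my_signature_match2). Printing the payload length in each handler, e.g. `print fmt("signature_match2 %s %d", state$conn$id, |data|);`, would make the baseline sensitive to that without depending on the exact packet bytes; the `out` baseline would need to be regenerated. Whether the custom-event dispatch passes the same data value as the default signature_match path is not visible from this hunk.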