From a90969800c1652eee6125a2ed3d793c34a3359bb Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 24 Jul 2025 11:06:50 +0100
Subject: [PATCH] Add tests for the deprecated-dpd-log.zeek policy script

This re-adds baselines for the old dpd.log to check functionality until its removal in 8.1
---
 .../dpd-ftp-invalid-reply-code.log | 11 +++++++++++
 .../dpd-ftp-missing-space-after-reply-code.log | 11 +++++++++++
 .../dpd-gtp9_unknown_or_too_short_payload.log | 11 +++++++++++
 .../dpd-http-11-request-then-cruft.log | 11 +++++++++++
 .../dpd-ntlm-empty-av-sequence.log | 11 +++++++++++
 .../analyzer/deprecated-dpd-log.zeek | 18 ++++++++++++++++++
 6 files changed, 73 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-invalid-reply-code.log
 create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-missing-space-after-reply-code.log
 create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-gtp9_unknown_or_too_short_payload.log
 create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-http-11-request-then-cruft.log
 create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ntlm-empty-av-sequence.log
 create mode 100644 testing/btest/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek

diff --git a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-invalid-reply-code.log b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-invalid-reply-code.log
new file mode 100644
index 0000000000..4efd80fa0f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-invalid-reply-code.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
+#types time string addr port addr port enum string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 tcp FTP non-numeric reply code [99 PASV invalid]
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-missing-space-after-reply-code.log b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-missing-space-after-reply-code.log
new file mode 100644
index 0000000000..00876f2723
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-missing-space-after-reply-code.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
+#types time string addr port addr port enum string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 tcp FTP invalid reply line [230_no_space]
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-gtp9_unknown_or_too_short_payload.log b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-gtp9_unknown_or_too_short_payload.log
new file mode 100644
index 0000000000..377275b772
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-gtp9_unknown_or_too_short_payload.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
+#types time string addr port addr port enum string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-http-11-request-then-cruft.log b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-http-11-request-then-cruft.log
new file mode 100644
index 0000000000..2948f61836
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-http-11-request-then-cruft.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
+#types time string addr port addr port enum string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.12.5 51792 192.0.78.212 80 tcp HTTP not a http request line
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ntlm-empty-av-sequence.log b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ntlm-empty-av-sequence.log
new file mode 100644
index 0000000000..1e90dc2f24
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ntlm-empty-av-sequence.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
+#types time string addr port addr port enum string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM NTLM AV Pair loop underflow
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek b/testing/btest/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek
new file mode 100644
index 0000000000..9784dccd1a
--- /dev/null
+++ b/testing/btest/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek
@@ -0,0 +1,18 @@
+# @TEST-DOC: Test the deprecated dpd log with tests from before its removal.
+# @TEST-EXEC: zeek -r $TRACES/ftp/ftp-missing-space-after-reply-code.pcap %INPUT
+# @TEST-EXEC: mv dpd.log dpd-ftp-missing-space-after-reply-code.log
+# @TEST-EXEC: zeek -r $TRACES/ftp/ftp-invalid-reply-code.pcap %INPUT
+# @TEST-EXEC: mv dpd.log dpd-ftp-invalid-reply-code.log
+# @TEST-EXEC: zeek -r $TRACES/http/http-11-request-then-cruft.pcap %INPUT
+# @TEST-EXEC: mv dpd.log dpd-http-11-request-then-cruft.log
+# @TEST-EXEC: zeek -C -r $TRACES/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap %INPUT
+# @TEST-EXEC: mv dpd.log dpd-gtp9_unknown_or_too_short_payload.log
+# @TEST-EXEC: zeek -r $TRACES/dce-rpc/ntlm-empty-av-sequence.pcap %INPUT
+# @TEST-EXEC: mv dpd.log dpd-ntlm-empty-av-sequence.log
+# @TEST-EXEC: btest-diff dpd-ftp-missing-space-after-reply-code.log
+# @TEST-EXEC: btest-diff dpd-ftp-invalid-reply-code.log
+# @TEST-EXEC: btest-diff dpd-http-11-request-then-cruft.log
+# @TEST-EXEC: btest-diff dpd-gtp9_unknown_or_too_short_payload.log
+# @TEST-EXEC: btest-diff dpd-ntlm-empty-av-sequence.log
+
+@load frameworks/analyzer/deprecated-dpd-log.zeek
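Review bot: The @TEST-DOC line of deprecated-dpd-log.zeek does not record that this test is tied to the lifetime of the deprecated policy script, so nothing in the test file itself tells a later maintainer when it is safe to delete it along with its five baselines. The commit message states the script goes away in 8.1, and that belongs in the test header where it will be seen during the removal: `# @TEST-DOC: Test the deprecated dpd log with tests from before its removal. Remove this test and its baselines together with the deprecated-dpd-log policy script in 8.1.` It would also help to note in a comment that the single `-C` on the gtp run is intentional (that trace is replayed with checksum verification disabled) so it is not "normalized" away when the other zeek invocations are edited; I am inferring the reason for `-C` from the flag itself, so confirm it against the original gtp test. The hunk covers the whole new file, so no definition continues outside it.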