Add tests for the deprecated-dpd-log.zeek policy script

This re-adds baselines for the old dpd.log to check functionality until its removal in 8.1
2025-10-02 06:38:20 +00:00 · 2025-07-24 11:06:50 +01:00 · 2025-07-24 11:06:50 +01:00 · a90969800c
commit a90969800c
parent 8de178d923
6 changed files with 73 additions and 0 deletions
--- a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-invalid-reply-code.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-invalid-reply-code.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
+#types	time	string	addr	port	addr	port	enum	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	51354	127.0.0.1	21	tcp	FTP	non-numeric reply code [99 PASV invalid]
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-missing-space-after-reply-code.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ftp-missing-space-after-reply-code.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
+#types	time	string	addr	port	addr	port	enum	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	51346	127.0.0.1	21	tcp	FTP	invalid reply line [230_no_space]
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-gtp9_unknown_or_too_short_payload.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-gtp9_unknown_or_too_short_payload.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
+#types	time	string	addr	port	addr	port	enum	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	173.86.159.28	2152	213.72.147.186	2152	udp	GTPV1	Truncated GTPv1
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-http-11-request-then-cruft.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-http-11-request-then-cruft.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
+#types	time	string	addr	port	addr	port	enum	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.12.5	51792	192.0.78.212	80	tcp	HTTP	not a http request line
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ntlm-empty-av-sequence.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.deprecated-dpd-log/dpd-ntlm-empty-av-sequence.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dpd
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
+#types	time	string	addr	port	addr	port	enum	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.0.173	1068	192.168.0.2	4997	tcp	NTLM	NTLM AV Pair loop underflow
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek
+++ b/testing/btest/scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek
@ -0,0 +1,18 @@
+# @TEST-DOC: Test the deprecated dpd log with tests from before its removal.
+# @TEST-EXEC: zeek -r $TRACES/ftp/ftp-missing-space-after-reply-code.pcap %INPUT
+# @TEST-EXEC: mv dpd.log dpd-ftp-missing-space-after-reply-code.log
+# @TEST-EXEC: zeek -r $TRACES/ftp/ftp-invalid-reply-code.pcap %INPUT
+# @TEST-EXEC: mv dpd.log dpd-ftp-invalid-reply-code.log
+# @TEST-EXEC: zeek -r $TRACES/http/http-11-request-then-cruft.pcap %INPUT
+# @TEST-EXEC: mv dpd.log dpd-http-11-request-then-cruft.log
+# @TEST-EXEC: zeek -C -r $TRACES/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap %INPUT
+# @TEST-EXEC: mv dpd.log dpd-gtp9_unknown_or_too_short_payload.log
+# @TEST-EXEC: zeek -r $TRACES/dce-rpc/ntlm-empty-av-sequence.pcap %INPUT
+# @TEST-EXEC: mv dpd.log dpd-ntlm-empty-av-sequence.log
+# @TEST-EXEC: btest-diff dpd-ftp-missing-space-after-reply-code.log
+# @TEST-EXEC: btest-diff dpd-ftp-invalid-reply-code.log
+# @TEST-EXEC: btest-diff dpd-http-11-request-then-cruft.log
+# @TEST-EXEC: btest-diff dpd-gtp9_unknown_or_too_short_payload.log
+# @TEST-EXEC: btest-diff dpd-ntlm-empty-av-sequence.log
+
+@load frameworks/analyzer/deprecated-dpd-log.zeek