From fbaf438a1d032bb03bdd71baa582d5a09cb98108 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 13 Nov 2024 16:11:04 -0700
Subject: [PATCH 1/2] Add btests for ip_proto policy files

---
 .../out | 2 ++
 .../conn/disable-unknown-ip-proto-support.zeek | 8 ++++++++
 .../protocols/conn/ip-proto-name-logging.zeek | 15 +++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.conn.ip-proto-name-logging/out
 create mode 100644 testing/btest/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek
 create mode 100644 testing/btest/scripts/policy/protocols/conn/ip-proto-name-logging.zeek

diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.ip-proto-name-logging/out b/testing/btest/Baseline/scripts.policy.protocols.conn.ip-proto-name-logging/out
new file mode 100644
index 0000000000..ee2dc87228
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.ip-proto-name-logging/out
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+unknown-ip-proto-500
diff --git a/testing/btest/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek b/testing/btest/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek
new file mode 100644
index 0000000000..7e3b93a7cb
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek
@@ -0,0 +1,8 @@
+# @TEST-DOC: Test the policy for removing the unknown IP protocol field and connections from conn.log
+# @TEST-EXEC: zeek -r $TRACES/cisco-fabric-path.pcap %INPUT
+# @TEST-EXEC: test $(head -1 conn.log | jq 'has("ip_proto")') = "false"
+# @TEST-EXEC-FAIL: cat conn.log | jq .proto | sort | uniq | grep unknown_transport
+
+@load policy/protocols/conn/disable-unknown-ip-proto-support
+
+redef LogAscii::use_json = T;
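Review bot: The negative check `# @TEST-EXEC-FAIL: cat conn.log | jq .proto | sort | uniq | grep unknown_transport` in disable-unknown-ip-proto-support.zeek passes on any non-zero exit of the pipeline, so a missing or empty conn.log, a jq parse error, or a typo in the field name all make the test succeed without exercising the policy. The same pattern appears in the ip-proto-name-logging.zeek hunk with `jq 'has("ip_proto_name")' | grep "false"`. A positive assertion that fails when jq produces nothing is tighter, for example `# @TEST-EXEC: test $(jq -r .proto conn.log | grep -c unknown_transport) -eq 0`, which errors out on an empty substitution instead of silently passing. The `cat conn.log | jq` form can also become `jq ... conn.log` in the same change.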
diff --git a/testing/btest/scripts/policy/protocols/conn/ip-proto-name-logging.zeek b/testing/btest/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
new file mode 100644
index 0000000000..0d3ee7fd37
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/conn/ip-proto-name-logging.zeek
@@ -0,0 +1,15 @@
+# @TEST-DOC: Tests the ip-proto-name-logging policy file
+# @TEST-EXEC: zeek -r $TRACES/cisco-fabric-path.pcap %INPUT > out
+
+# @TEST-EXEC-FAIL: cat conn.log | jq 'has("ip_proto_name")' | grep "false"
+# @TEST-EXEC: cat conn.log | jq .ip_proto_name | sort | uniq | grep private-encryption
+# @TEST-EXEC: btest-diff out
+
+@load policy/protocols/conn/ip-proto-name-logging
+
+redef LogAscii::use_json = T;
+
+event zeek_init() {
+ # Test printing out an unknown value from the protocol_names table
+ print IP::protocol_names[500];
+}

From d30f480ca98a9014b8f6000dbcda535f2ef4b23f Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Fri, 15 Nov 2024 16:50:10 -0700
Subject: [PATCH 2/2] The cisco-fabric-path pcap used in tests doesn't need the -C argument

---
 testing/btest/core/cisco-fabric-path.zeek | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/btest/core/cisco-fabric-path.zeek b/testing/btest/core/cisco-fabric-path.zeek
index 183c16f84d..98a2a2f5ed 100644
--- a/testing/btest/core/cisco-fabric-path.zeek
+++ b/testing/btest/core/cisco-fabric-path.zeek
@@ -1,2 +1,2 @@
-# @TEST-EXEC: zeek -C -r $TRACES/cisco-fabric-path.pcap
+# @TEST-EXEC: zeek -r $TRACES/cisco-fabric-path.pcap
 # @TEST-EXEC: btest-diff conn.log