Update some doc tests and line numbers

2025-10-02 14:48:21 +00:00 · 2014-05-16 16:53:56 -05:00 · 2014-05-16 16:53:56 -05:00 · bb7781d2f6
commit bb7781d2f6
parent d230eed7f8
4 changed files with 50 additions and 32 deletions
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@ -87,7 +87,7 @@ Up until this point, the script has merely done some basic setup.  With the next
 the script starts to define instructions to take in a given event.

 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
-   :lines: 38-62
+   :lines: 38-71

 The workhorse of the script is contained in the event handler for
 ``file_hash``.  The :bro:see:`file_hash` event allows scripts to access
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
@ -39,28 +39,37 @@ export {
 	const notice_threshold = 10 &redef;
 }

-event file_hash(f: fa_file, kind: string, hash: string)
-	{
-	if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 	{
 	local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+
 	when ( local MHR_result = lookup_hostname_txt(hash_domain) )
 		{
 		# Data is returned as "<dateFirstDetected> <detectionRate>"
 		local MHR_answer = split1(MHR_result, / /);
+
 		if ( |MHR_answer| == 2 )
 			{
-				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
 			local mhr_detect_rate = to_count(MHR_answer[2]);

-				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
 			if ( mhr_detect_rate >= notice_threshold )
 				{
+				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
+				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
 				local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
 				local virustotal_url = fmt(match_sub_url, hash);
-					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
+				# We don't have the full fa_file record here in order to
+				# avoid the "when" statement cloning it (expensive!).
+				local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
+				Notice::populate_file_info2(fi, n);
+				NOTICE(n);
 				}
 			}
 		}
 	}
+
+event file_hash(f: fa_file, kind: string, hash: string)
+	{
+	if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+		do_mhr_lookup(hash, Notice::create_file_info(f));
 	}
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
@ -2,28 +2,37 @@

 detect-MHR.bro

-event file_hash(f: fa_file, kind: string, hash: string)
-	{
-	if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 	{
 	local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+
 	when ( local MHR_result = lookup_hostname_txt(hash_domain) )
 		{
 		# Data is returned as "<dateFirstDetected> <detectionRate>"
 		local MHR_answer = split1(MHR_result, / /);
+
 		if ( |MHR_answer| == 2 )
 			{
-				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
 			local mhr_detect_rate = to_count(MHR_answer[2]);

-				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
 			if ( mhr_detect_rate >= notice_threshold )
 				{
+				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
+				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
 				local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
 				local virustotal_url = fmt(match_sub_url, hash);
-					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
+				# We don't have the full fa_file record here in order to
+				# avoid the "when" statement cloning it (expensive!).
+				local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
+				Notice::populate_file_info2(fi, n);
+				NOTICE(n);
 				}
 			}
 		}
 	}
+
+event file_hash(f: fa_file, kind: string, hash: string)
+	{
+	if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
+		do_mhr_lookup(hash, Notice::create_file_info(f));
 	}
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
@ -5,4 +5,4 @@ expiring-certs.bro
 		NOTICE([$note=Certificate_Expires_Soon,
 		        $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
 		        $conn=c, $suppress_for=1day,
-		        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
+		        $fuid=fuid]);