Reorganizing btest/policy directory to match new scripts/ organization

Addresses #545

testing/btest/scripts/base/protocols/http/http-header-crlf.bro

@@ -0,0 +1,10 @@
+# This tests for what looks like a problem in the HTTP parser:
+# it gets confused whether it's in a header or not; it should
+# not report that weird.
+#
+# @TEST-EXEC: bro -r $TRACES/http-byteranges.trace %INPUT
+# @TEST-EXEC: grep -q http_no_crlf_in_header_list weird.log && exit 1 || exit 0
+
+# The base analysis scripts are loaded by default.
+#@load base/protocols/http
+

testing/btest/scripts/base/protocols/http/http-mime-and-md5.bro

@@ -0,0 +1,22 @@
+# This tests md5 calculation for a specified mime type.  The http.log
+# will normalize mime types other than the target type to prevent sensitivity
+# to varying versions of libmagic.
+
+# @TEST-REQUIRES: grep -q '#define HAVE_LIBMAGIC' $BUILD/config.h
+# @TEST-EXEC: bro -r $TRACES/http-pipelined-requests.trace %INPUT > output
+# @TEST-EXEC: btest-diff http.log
+
+redef HTTP::generate_md5 += /image\/png/;
+
+event bro_init()
+	{
+	Log::remove_default_filter(HTTP::HTTP);
+	Log::add_filter(HTTP::HTTP, [$name="normalized-mime-types",
+	                             $pred=function(rec: HTTP::Info): bool
+		{
+		if ( rec?$mime_type && HTTP::generate_md5 != rec$mime_type )
+				rec$mime_type = "FAKE_MIME";
+		return T;
+		}
+	]);
+	}

testing/btest/scripts/base/protocols/http/http-pipelining.bro

@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -r $TRACES/http-pipelined-requests.trace %INPUT > output
+# @TEST-EXEC: btest-diff http.log
+
+# mime type is irrelevant to this test, so filter it out
+event bro_init()
+	{
+	Log::remove_default_filter(HTTP::HTTP);
+	Log::add_filter(HTTP::HTTP, [$name="less-mime-types", $exclude=set("mime_type")]);
+	}

testing/btest/scripts/base/protocols/irc/basic.test

@@ -0,0 +1,12 @@
+# This tests that basic IRC commands (NICK, USER, JOIN, DCC SEND)
+# are logged for a client.
+
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: btest-diff irc.log
+
+# dcc mime types are irrelevant to this test, so filter it out
+event bro_init()
+	{
+	Log::remove_default_filter(IRC::IRC);
+	Log::add_filter(IRC::IRC, [$name="remove-mime", $exclude=set("dcc_mime_type")]);
+	}

testing/btest/scripts/base/protocols/irc/dcc-extract.test

@@ -0,0 +1,27 @@
+# This tests that the contents of a DCC transfer negotiated with IRC can be
+# correctly extracted.  The mime type of the file transferred is normalized
+# to prevent sensitivity to libmagic version being used.
+
+# @TEST-REQUIRES: grep -q '#define HAVE_LIBMAGIC' $BUILD/config.h
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: btest-diff irc.log
+# @TEST-EXEC: btest-diff irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT IRC::extraction_prefix="test"
+# @TEST-EXEC: test -e test_192.168.1.77:57655-209.197.168.151:1024_1.dat
+
+redef IRC::extract_file_types=/.*/;
+
+event bro_init()
+	{
+	Log::remove_default_filter(IRC::IRC);
+	Log::add_filter(IRC::IRC, [$name="normalized-mime-types",
+	                           $pred=function(rec: IRC::Info): bool
+		{
+		if ( rec?$dcc_mime_type )
+			{
+			rec$dcc_mime_type = "FAKE_MIME";
+			}
+		return T;
+		}
+	]);
+	}

testing/btest/scripts/base/protocols/smtp/basic.test

@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff smtp.log
+
+@load base/protocols/smtp

testing/btest/scripts/base/protocols/smtp/mime-extract.test

@@ -0,0 +1,25 @@
+# @TEST-REQUIRES: grep -q '#define HAVE_LIBMAGIC' $BUILD/config.h
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff smtp_entities.log
+# @TEST-EXEC: btest-diff smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat
+# @TEST-EXEC: btest-diff smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT SMTP::extraction_prefix="test"
+# @TEST-EXEC: test -e test_10.10.1.4:1470-74.53.140.153:25_1.dat
+# @TEST-EXEC: test -e test_10.10.1.4:1470-74.53.140.153:25_2.dat
+
+@load base/protocols/smtp
+
+redef SMTP::extract_file_types=/text\/plain/;
+
+event bro_init()
+	{
+	Log::remove_default_filter(SMTP::SMTP_ENTITIES);
+	Log::add_filter(SMTP::SMTP_ENTITIES, [$name="normalized-mime-types",
+									  	$pred=function(rec: SMTP::EntityInfo): bool
+		{
+		if ( rec?$mime_type )
+			rec$mime_type = "FAKE_MIME";
+		return T;
+		}
+	]);
+	}

testing/btest/scripts/base/protocols/smtp/mime.test

@@ -0,0 +1,23 @@
+# Checks logging of mime types and md5 calculation.  Mime type in the log
+# is normalized to prevent sensitivity to libmagic version.
+
+# @TEST-REQUIRES: grep -q '#define HAVE_LIBMAGIC' $BUILD/config.h
+# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: btest-diff smtp_entities.log
+
+@load base/protocols/smtp
+
+redef SMTP::generate_md5=/text\/plain/;
+
+event bro_init()
+	{
+	Log::remove_default_filter(SMTP::SMTP_ENTITIES);
+	Log::add_filter(SMTP::SMTP_ENTITIES, [$name="normalized-mime-types",
+									  $pred=function(rec: SMTP::EntityInfo): bool
+		{
+		if ( rec?$mime_type )
+			rec$mime_type = "FAKE_MIME";
+		return T;
+		}
+	]);
+	}