diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output b/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output
new file mode 100644
index 0000000000..3e7fa97f40
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output
@@ -0,0 +1,25 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path intel
+#open 2016-03-19-16-01-52
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node sources
+#types time string addr port addr port string string string string enum enum string set[string]
+1458403312.669166 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro source1
+1458403315.672095 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro source2,source1
+1458403315.672095 - - - - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro source2
+1458403318.675592 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro source2,source1
+1458403318.675592 - - - - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro source2
+#close 2016-03-19-16-01-58
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path notice
+#open 2016-03-19-16-01-58
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
+#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
+1458403318.675592 - - - - - - - - - Intel::Notice Intel hit on 1.2.3.4 at SOMEWHERE 1.2.3.4 - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
+1458403318.675592 - - - - - - - - - Intel::Notice Intel hit on 4.3.2.1 at SOMEWHERE 4.3.2.1 - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
+#close 2016-03-19-16-01-58
diff --git a/testing/btest/scripts/base/frameworks/intel/updated-match.bro b/testing/btest/scripts/base/frameworks/intel/updated-match.bro
new file mode 100644
index 0000000000..75063d4b8f
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/intel/updated-match.bro
@@ -0,0 +1,62 @@
+# @TEST-SERIALIZE: comm
+
+# @TEST-EXEC: cp intel1.dat intel.dat
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: sleep 2
+# @TEST-EXEC: cp intel2.dat intel.dat
+# @TEST-EXEC: sleep 2
+# @TEST-EXEC: cp intel3.dat intel.dat
+# @TEST-EXEC: btest-bg-wait 6
+# @TEST-EXEC: cat broproc/intel.log > output
+# @TEST-EXEC: cat broproc/notice.log >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE intel1.dat
+#fields indicator indicator_type meta.source meta.desc meta.url meta.do_notice
+1.2.3.4 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1234 F
+# @TEST-END-FILE
+
+# @TEST-START-FILE intel2.dat
+#fields indicator indicator_type meta.source meta.desc meta.url meta.do_notice
+1.2.3.4 Intel::ADDR source2 this host is just plain baaad http://some-data-distributor.com/1234 F
+4.3.2.1 Intel::ADDR source2 this host might also be baaad http://some-data-distributor.com/4321 F
+# @TEST-END-FILE
+
+# @TEST-START-FILE intel3.dat
+#fields indicator indicator_type meta.source meta.desc meta.url meta.do_notice
+1.2.3.4 Intel::ADDR source2 this host is just plain baaad http://some-data-distributor.com/1234 T
+4.3.2.1 Intel::ADDR source2 this host might also be baaad http://some-data-distributor.com/4321 T
+# @TEST-END-FILE
+
+@load base/frameworks/communication # let network-time run
+@load frameworks/intel/do_notice
+
+redef exit_only_after_terminate = T;
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+global runs = 0;
+event do_it()
+ {
+ Intel::seen([$host=1.2.3.4,
+ $where=SOMEWHERE]);
+ Intel::seen([$host=4.3.2.1,
+ $where=SOMEWHERE]);
+
+ ++runs;
+ if ( runs < 3 )
+ schedule 3sec { do_it() };
+ }
+
+global log_lines = 0;
+event Intel::log_intel(rec: Intel::Info)
+ {
+ ++log_lines;
+ if ( log_lines == 5 )
+ terminate();
+ }
+
+event bro_init() &priority=-10
+ {
+ schedule 1sec { do_it() };
+ }
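Review bot: The three phases of this test hinge on wall-clock timing — the `sleep 2` between each `cp` and the `schedule 3sec { do_it() }` chain — and on `Intel::log_intel` seeing exactly 5 log lines before `terminate()`; if Bro has not finished loading `intel.dat` when the first `do_it()` fires, run 1 logs nothing, the count never reaches 5, and the run only ends when `btest-bg-wait 6` kills it, so the failure shows up as a timeout plus a diverging baseline rather than a clear assertion. Overwriting `intel.dat` in place with `cp` also truncates the file before rewriting it, so a re-read triggered mid-copy can observe a partial table; `cp intel2.dat intel.dat.tmp && mv intel.dat.tmp intel.dat` (same for intel3) would make each update atomic, assuming the input reader re-reads on path mtime change rather than holding the original inode open — worth confirming. A short header comment stating the intent would help future readers of the baseline: `# Matches must pick up metadata updates: run 1 sees only source1; run 2 sees source2 merged into 1.2.3.4 plus new 4.3.2.1; run 3 raises notices once meta.do_notice flips to T.`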