Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Extend btest for logging of disabled analyzers

Browse source
This commit is contained in:
Jan Grashoefer 2024-07-09 12:27:36 +02:00
parent 0c06c604ab
commit c6c8d078c0
5 changed files with 39 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

12
testing/btest/Baseline/plugins.hooks/output
View file

@ -108,6 +108,8 @@
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_disabling, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_disabling, lambda_<3084630089048204467>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_disabling)elsedisable_event_group(Analyzer::Logging::include_disabling)return (Analyzer::Logging::new_value)}, 0)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Broker::peer_counts_as_iosource, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Conn::default_extract, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
@ -302,6 +304,7 @@
0.000000 MetaHookPost CallFunction(__init_primary_bifs, <null>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(__init_secondary_bifs, <null>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_confirmations)) -> <no result>
0.000000 MetaHookPost CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_disabling)) -> <no result>
0.000000 MetaHookPost CallFunction(enable_module_events, <frame>, (Analyzer::Logging)) -> <no result>
0.000000 MetaHookPost CallFunction(getenv, <null>, (CLUSTER_NODE)) -> <no result>
0.000000 MetaHookPost CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
@ -313,6 +316,7 @@
0.000000 MetaHookPost CallFunction(is_packet_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)) -> <no result>
0.000000 MetaHookPost CallFunction(lambda_<15261139872714441626>, <frame>, (Analyzer::Logging::include_confirmations, F)) -> <no result>
0.000000 MetaHookPost CallFunction(lambda_<2645182068207650863>, <frame>, (Analyzer::Logging::enable, T)) -> <no result>
0.000000 MetaHookPost CallFunction(lambda_<3084630089048204467>, <frame>, (Analyzer::Logging::include_disabling, F)) -> <no result>
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (2123/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (2152/udp)) -> <no result>
0.000000 MetaHookPost CallFunction(port_to_count, <frame>, (3544/udp)) -> <no result>
@ -1024,6 +1028,8 @@
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_disabling, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Analyzer::Logging::include_disabling, lambda_<3084630089048204467>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_disabling)elsedisable_event_group(Analyzer::Logging::include_disabling)return (Analyzer::Logging::new_value)}, 0))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Broker::peer_counts_as_iosource, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Conn::default_extract, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
@ -1218,6 +1224,7 @@
0.000000 MetaHookPre CallFunction(__init_primary_bifs, <null>, ())
0.000000 MetaHookPre CallFunction(__init_secondary_bifs, <null>, ())
0.000000 MetaHookPre CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_confirmations))
0.000000 MetaHookPre CallFunction(disable_event_group, <frame>, (Analyzer::Logging::include_disabling))
0.000000 MetaHookPre CallFunction(enable_module_events, <frame>, (Analyzer::Logging))
0.000000 MetaHookPre CallFunction(getenv, <null>, (CLUSTER_NODE))
0.000000 MetaHookPre CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
@ -1229,6 +1236,7 @@
0.000000 MetaHookPre CallFunction(is_packet_analyzer, <frame>, (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS))
0.000000 MetaHookPre CallFunction(lambda_<15261139872714441626>, <frame>, (Analyzer::Logging::include_confirmations, F))
0.000000 MetaHookPre CallFunction(lambda_<2645182068207650863>, <frame>, (Analyzer::Logging::enable, T))
0.000000 MetaHookPre CallFunction(lambda_<3084630089048204467>, <frame>, (Analyzer::Logging::include_disabling, F))
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (2123/udp))
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (2152/udp))
0.000000 MetaHookPre CallFunction(port_to_count, <frame>, (3544/udp))
@ -1939,6 +1947,8 @@
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_confirmations, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_disabling, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_disabling, lambda_<3084630089048204467>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_disabling)elsedisable_event_group(Analyzer::Logging::include_disabling)return (Analyzer::Logging::new_value)}, 0)
0.000000 | HookCallFunction Option::set_change_handler(Broker::peer_counts_as_iosource, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Conn::default_extract, Config::config_option_changed{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
@ -2133,6 +2143,7 @@
0.000000 | HookCallFunction __init_primary_bifs()
0.000000 | HookCallFunction __init_secondary_bifs()
0.000000 | HookCallFunction disable_event_group(Analyzer::Logging::include_confirmations)
0.000000 | HookCallFunction disable_event_group(Analyzer::Logging::include_disabling)
0.000000 | HookCallFunction enable_module_events(Analyzer::Logging)
0.000000 | HookCallFunction getenv(CLUSTER_NODE)
0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
@ -2144,6 +2155,7 @@
0.000000 | HookCallFunction is_packet_analyzer(AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)
0.000000 | HookCallFunction lambda_<15261139872714441626>(Analyzer::Logging::include_confirmations, F)
0.000000 | HookCallFunction lambda_<2645182068207650863>(Analyzer::Logging::enable, T)
0.000000 | HookCallFunction lambda_<3084630089048204467>(Analyzer::Logging::include_disabling, F)
0.000000 | HookCallFunction port_to_count(2123/udp)
0.000000 | HookCallFunction port_to_count(2152/udp)
0.000000 | HookCallFunction port_to_count(3544/udp)

2
testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-no-confirmations → testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-default
View file

@ -13,6 +13,4 @@ XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 5399
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
#close XXXX-XX-XX-XX-XX-XX

2
testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-confirmations
View file

@ -15,6 +15,4 @@ XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 5399
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
#close XXXX-XX-XX-XX-XX-XX

17
testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-disabling Normal file
View file

@ -0,0 +1,17 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path analyzer
#open XXXX-XX-XX-XX-XX-XX
#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
#types time string string string string string addr port addr port string string
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: out_of_bound: DCE_RPC_PDU:frag: -2665 > 31 -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX disabled protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 - Disabled after 6 violations
#close XXXX-XX-XX-XX-XX-XX

12
testing/btest/scripts/base/frameworks/analyzer/logging.zeek
View file

@ -1,11 +1,19 @@
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT
# @TEST-EXEC: mv analyzer.log analyzer.log-no-confirmations
# @TEST-EXEC: btest-diff analyzer.log-no-confirmations
# @TEST-EXEC: mv analyzer.log analyzer.log-default
# @TEST-EXEC: btest-diff analyzer.log-default
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_confirmations=T
# @TEST-EXEC: mv analyzer.log analyzer.log-include-confirmations
# @TEST-EXEC: btest-diff analyzer.log-include-confirmations
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_disabling=T
# @TEST-EXEC: mv analyzer.log analyzer.log-include-disabling
# @TEST-EXEC: btest-diff analyzer.log-include-disabling
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/socks
# DCE RPC violations are ignored by default. Consider violations for this
# test so that the analyzer will be disabled eventually.
redef DPD::ignore_violations -= { Analyzer::ANALYZER_DCE_RPC };