Merge remote-tracking branch 'origin/topic/timw/open-dict'
* origin/topic/timw/open-dict: (40 commits) Move Dict constants to detail namespace Add a few missing deprecation fixes Adjust Dict whitespace/style Adjust more btest timings Improve termination reliability/speed for brokerstore btests General btest cleanup Update NEWS about change in Dictionary implementation Improve Intel expire-item btest to be less time-sensitive Improve btests with unstable table/set output ordering Update doc submodule Adjust a few btests that were unstable due to time-sensitivity Fix DNS script deleting a table element while iterating Improve a brokerstore btest to filter out Broker connection messages Sort output of a few SumStats cluster tests Fix extract_first_email_addr() to really return the first email Add find_all_ordered() BIF Extend external test suite canonifier with set-sorting logic Update btests/baselines for OpenDict compat Fix new/malloc/delete/free mismatches in Dictionary code Add explanation for a Dict TODO item ...
commit
c6e7d14757
551 changed files with 5191 additions and 4046 deletions
@ -1,9 +1,11 @@
|
|||
# Just a very basic test to check if ANALYZER_DATA_EVENT works.
|
||||
# Also check if "in" works with binary data.
|
||||
# @TEST-EXEC: zeek -r $TRACES/pe/pe.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/pe/pe.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
|
||||
@load base/protocols/ftp
|
||||
|
||||
event stream_data(f: fa_file, data: string)
|
||||
{
|
||||
if ( "Windows" in data )
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
event file_new(f: fa_file)
|
||||
{
|
||||
|
@ -10,4 +11,4 @@ event file_new(f: fa_file)
|
|||
event file_entropy(f: fa_file, ent: entropy_test_result)
|
||||
{
|
||||
print ent;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
# This tests the PE analyzer against a PCAP of 4 PE files being downloaded via FTP.
|
||||
# The files are a mix of DLL/EXEs, signed/unsigned, and 32/64-bit files.
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/pe/pe.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/pe/pe.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff pe.log
|
||||
|
||||
@load base/protocols/ftp
|
||||
@load base/files/pe
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Test that the timestamp of a pre-y-2000 certificate is correctly parsed
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/tls/telesec.pcap
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/telesec.pcap base/protocols/ssl
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
# Test that certificate caching works as expected.
|
||||
# Prevent certificate events to be raised/caching from occurring for cached certificates.
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/tls/google-duplicate.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/google-duplicate.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
||||
redef X509::caching_required_encounters = 1;
|
||||
|
||||
hook X509::x509_certificate_cache_replay(f: fa_file, e: any, sha256: string) &priority=1
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
# Test that certificate caching works as expected.
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/tls/google-duplicate.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/google-duplicate.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
||||
redef X509::caching_required_encounters = 1;
|
||||
|
||||
hook X509::x509_certificate_cache_replay(f: fa_file, e: any, sha256: string) &priority=1
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/certificate-with-sct.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/certificate-with-sct.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load protocols/ssl/validate-certs
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
||||
event zeek_init()
|
||||
{
|
||||
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
|
||||
|
|
|
@ -1,8 +1,13 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek -r ${TRACES}/var-services-std-ports.trace %INPUT
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service | grep -vq dns
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service | grep -vq ssh
|
||||
#
|
||||
# @TEST-EXEC: zeek -b -r ${TRACES}/var-services-std-ports.trace %INPUT
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service > service.out
|
||||
# @TEST-EXEC-FAIL: grep -q ssh service.out
|
||||
# @TEST-EXEC-FAIL: grep -q dns service.out
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
@load base/protocols/ssh
|
||||
@load base/frameworks/dpd
|
||||
|
||||
redef Analyzer::disabled_analyzers += { Analyzer::ANALYZER_SSH };
|
||||
|
||||
|
|
|
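Review bot: The new `cat conn.log | zeek-cut service > service.out` step passes even when conn.log was never written, because the pipeline's exit status is zeek-cut's and it exits 0 on empty input, so both `@TEST-EXEC-FAIL: grep -q` lines then pass vacuously against an empty service.out. Reading the log through a redirect turns a missing conn.log into a hard failure: `# @TEST-EXEC: zeek-cut service < conn.log > service.out`. This matters more now that the `-b` run loads only conn, dns, ssh and dpd explicitly, since a wrong `@load` line would otherwise leave the assertions green. The remainder of the script, which must also account for the `dns` assertion given that only ANALYZER_SSH is disabled here, is outside the hunk.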
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek -r ${TRACES}/var-services-std-ports.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r ${TRACES}/var-services-std-ports.trace %INPUT base/protocols/dns base/protocols/conn base/frameworks/dpd
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service | grep -q dns
|
||||
#
|
||||
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT dpd_buffer_size=0;
|
||||
# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT dpd_buffer_size=0 base/protocols/conn base/protocols/ssh base/frameworks/dpd
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service | grep -q ssh
|
||||
#
|
||||
# @TEST-EXEC: zeek -r ${TRACES}/ssh/ssh-on-port-80.trace dpd_buffer_size=0;
|
||||
# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace dpd_buffer_size=0 base/protocols/conn base/protocols/ssh base/frameworks/dpd
|
||||
# @TEST-EXEC: cat conn.log | zeek-cut service | grep -vq ssh
|
||||
|
||||
event zeek_init()
|
||||
|
|
|
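Review bot: The second run's `cat conn.log | zeek-cut service | grep -vq ssh` still asserts the wrong thing: `-v` makes grep succeed as soon as any service line lacks `ssh`, so the check that SSH is not detected on port 80 without `%INPUT` passes even when it is. The dpd test in this same commit was converted to a negative assertion; do the same here with `# @TEST-EXEC: cat conn.log | zeek-cut service > service.out` followed by `# @TEST-EXEC-FAIL: grep -q ssh service.out`. Note that both runs write to the same conn.log, so the second run's output overwrites the first's, which is fine only because the positive `grep -q ssh` executes before the second `zeek -b` invocation. The `event zeek_init()` body at the end of the hunk continues outside it.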
@ -4,12 +4,14 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
@ -4,12 +4,14 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
@ -4,11 +4,11 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-1/.stdout
|
||||
|
@ -16,6 +16,8 @@
|
|||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-2/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
@ -6,14 +6,16 @@
|
|||
# Note: the logger names are chosen on purpose such that one is a prefix of the
|
||||
# other to help verify that the node-specific Cluster topics are able to
|
||||
# uniquely target a particular node.
|
||||
# @TEST-EXEC: btest-bg-run logger-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=logger-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run logger-10 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=logger-10 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run logger-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=logger-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run logger-10 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=logger-10 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-diff logger-1/test.log
|
||||
# @TEST-EXEC: btest-diff logger-10/test.log
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::manager_is_logger = F;
|
||||
|
||||
|
|
|
@ -5,13 +5,13 @@
|
|||
# @TEST-PORT: BROKER_PORT5
|
||||
# @TEST-PORT: BROKER_PORT6
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run logger-1 CLUSTER_NODE=logger-1 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 CLUSTER_NODE=manager-1 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 CLUSTER_NODE=proxy-1 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 CLUSTER_NODE=proxy-2 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 CLUSTER_NODE=worker-1 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 CLUSTER_NODE=worker-2 ZEEKPATH=$ZEEKPATH:.. zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-bg-run logger-1 CLUSTER_NODE=logger-1 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 CLUSTER_NODE=manager-1 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 CLUSTER_NODE=proxy-1 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 CLUSTER_NODE=proxy-2 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 CLUSTER_NODE=worker-1 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 CLUSTER_NODE=worker-2 ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 40
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff logger-1/.stdout
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-1/.stdout
|
||||
|
@ -19,6 +19,8 @@
|
|||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-2/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::manager_is_logger = F;
|
||||
redef Cluster::nodes = {
|
||||
|
|
|
@ -4,18 +4,20 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 40
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-2/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-2/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
@ -4,12 +4,14 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 40
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
@ -4,14 +4,16 @@
|
|||
# @TEST-PORT: BROKER_PORT4
|
||||
# @TEST-PORT: BROKER_PORT5
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-1/.stdout
|
||||
# @TEST-EXEC: btest-diff proxy-2/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
@ -2,10 +2,9 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: sleep 1
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
|
|
|
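Review bot: The `# @TEST-EXEC: sleep 1` between launching manager-1 and the two workers was dropped along with the `-b` change, while another cluster test in this commit (the one that also loads base/frameworks/config) keeps its `sleep 1`. If the workers can come up before the manager is listening, this test now relies on the cluster framework's peering retry rather than on start order; if that is deliberate, a comment such as `# Workers may start before the manager; Broker peering retries cover the race.` would make it explicit, otherwise the sleep should be restored. The cluster layout and the script body are outside the hunk, so I cannot see whether anything else sequences the nodes.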
@ -2,10 +2,10 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 60
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-2/.stdout
|
||||
|
|
|
@ -2,10 +2,10 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: sleep 1
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
|
@ -13,6 +13,9 @@
|
|||
# @TEST-EXEC: btest-diff manager-1/config.log
|
||||
|
||||
@load base/frameworks/config
|
||||
@load base/frameworks/cluster
|
||||
@load base/protocols/ssh
|
||||
@load base/protocols/conn
|
||||
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/bro.org.pcap %INPUT >output
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/bro.org.pcap %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: btest-diff config.log
|
||||
|
||||
@load base/frameworks/config
|
||||
|
||||
event zeek_init()
|
||||
{
|
||||
Config::set_value("Weird::sampling_duration", 5sec);
|
||||
|
@ -13,7 +15,14 @@ event zeek_init()
|
|||
|
||||
event zeek_init() &priority = -10
|
||||
{
|
||||
print Reporter::get_weird_sampling_whitelist();
|
||||
local v: vector of string = vector();
|
||||
local wl = Reporter::get_weird_sampling_whitelist();
|
||||
|
||||
for ( e in wl )
|
||||
v += e;
|
||||
|
||||
sort(v, strcmp);
|
||||
print v;
|
||||
print Reporter::get_weird_sampling_rate();
|
||||
print Reporter::get_weird_sampling_threshold();
|
||||
print Reporter::get_weird_sampling_duration();
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
# @TEST-PORT: BROKER_PORT
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run controllee ZEEKPATH=$ZEEKPATH:.. zeek -Bbroker %INPUT frameworks/control/controllee Broker::default_port=$BROKER_PORT
|
||||
# @TEST-EXEC: btest-bg-run controller ZEEKPATH=$ZEEKPATH:.. zeek -Bbroker %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=$BROKER_PORT Control::cmd=configuration_update
|
||||
# @TEST-EXEC: btest-bg-run controllee ZEEKPATH=$ZEEKPATH:.. zeek -b -Bbroker %INPUT frameworks/control/controllee Broker::default_port=$BROKER_PORT
|
||||
# @TEST-EXEC: btest-bg-run controller ZEEKPATH=$ZEEKPATH:.. zeek -b -Bbroker %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=$BROKER_PORT Control::cmd=configuration_update
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-diff controllee/.stdout
|
||||
|
||||
@load base/frameworks/control
|
||||
|
||||
const test_var = "ORIGINAL VALUE (this should be printed out first)" &redef;
|
||||
|
||||
@TEST-START-FILE test-redef.zeek
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
# @TEST-PORT: BROKER_PORT
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run controllee ZEEKPATH=$ZEEKPATH:.. zeek %INPUT only-for-controllee frameworks/control/controllee Broker::default_port=$BROKER_PORT
|
||||
# @TEST-EXEC: btest-bg-run controller ZEEKPATH=$ZEEKPATH:.. zeek %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=$BROKER_PORT Control::cmd=id_value Control::arg=test_var
|
||||
# @TEST-EXEC: btest-bg-run controllee ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT only-for-controllee frameworks/control/controllee Broker::default_port=$BROKER_PORT
|
||||
# @TEST-EXEC: btest-bg-run controller ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=$BROKER_PORT Control::cmd=id_value Control::arg=test_var
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-diff controller/.stdout
|
||||
|
||||
@load base/frameworks/control
|
||||
|
||||
# This value shouldn't ever be printed to the controllers stdout.
|
||||
const test_var = "Original value" &redef;
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# @TEST-PORT: BROKER_PORT
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run controllee ZEEKPATH=$ZEEKPATH:.. zeek %INPUT frameworks/control/controllee Broker::default_port=$BROKER_PORT
|
||||
# @TEST-EXEC: btest-bg-run controller ZEEKPATH=$ZEEKPATH:.. zeek %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=$BROKER_PORT Control::cmd=shutdown
|
||||
# @TEST-EXEC: btest-bg-wait 10
|
||||
# @TEST-EXEC: btest-bg-run controllee ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT frameworks/control/controllee Broker::default_port=$BROKER_PORT
|
||||
# @TEST-EXEC: btest-bg-run controller ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=$BROKER_PORT Control::cmd=shutdown
|
||||
# @TEST-EXEC: btest-bg-wait 20
|
||||
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
redef test_print_file_data_events = T;
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT 2>&1
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT 2>&1
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
event zeek_init()
|
||||
{
|
||||
print "This should fail but not crash";
|
||||
|
|
|
@ -1,6 +1,10 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff files.log
|
||||
|
||||
@load base/protocols/http
|
||||
@load base/files/hash
|
||||
@load base/files/extract
|
||||
|
||||
event zeek_init()
|
||||
{
|
||||
Files::register_for_mime_type(Files::ANALYZER_MD5, "text/plain");
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >get.out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >get.out
|
||||
# @TEST-EXEC: btest-diff get.out
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
redef test_file_analysis_source = "HTTP";
|
||||
|
||||
redef test_get_file_name = function(f: fa_file): string
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
# @TEST-EXEC: btest-bg-run zeek zeek -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 8
|
||||
# @TEST-EXEC: btest-bg-run zeek zeek -b -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 15
|
||||
# @TEST-EXEC: btest-diff zeek/.stdout
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
global cnt: count = 0;
|
||||
global timeout_cnt: count = 0;
|
||||
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >get.out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT >get.out
|
||||
# @TEST-EXEC: btest-diff get.out
|
||||
# @TEST-EXEC: test ! -s Cx92a0ym5R8-file
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
event file_new(f: fa_file)
|
||||
{
|
||||
Files::stop(f);
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff files.log
|
||||
|
||||
@load base/protocols/http
|
||||
@load base/files/hash
|
||||
@load base/files/extract
|
||||
@load frameworks/files/hash-all-files
|
||||
|
||||
redef default_file_bof_buffer_size=5000;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# This used to crash the file reassemly code.
|
||||
#
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/byteranges.trace frameworks/files/extract-all-files FileExtract::default_limit=4000
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/byteranges.trace base/protocols/http base/files/hash frameworks/files/extract-all-files FileExtract::default_limit=4000
|
||||
#
|
||||
# @TEST-EXEC: btest-diff files.log
|
||||
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/ftp/retr.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/ftp/retr.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff thefile
|
||||
|
||||
@load base/protocols/ftp
|
||||
|
||||
redef test_file_analysis_source = "FTP_DATA";
|
||||
|
||||
redef test_get_file_name = function(f: fa_file): string
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT c=1 >get.out
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.zeek %INPUT c=2 >get-gzip.out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT c=1 >get.out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.zeek %INPUT c=2 >get-gzip.out
|
||||
# @TEST-EXEC: btest-diff get.out
|
||||
# @TEST-EXEC: btest-diff get-gzip.out
|
||||
# @TEST-EXEC: btest-diff 1-file
|
||||
# @TEST-EXEC: btest-diff 2-file
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
redef test_file_analysis_source = "HTTP";
|
||||
|
||||
global c = 0 &redef;
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/multipart.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/multipart.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff 1-file
|
||||
# @TEST-EXEC: btest-diff 2-file
|
||||
# @TEST-EXEC: btest-diff 3-file
|
||||
# @TEST-EXEC: btest-diff 4-file
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
redef test_file_analysis_source = "HTTP";
|
||||
|
||||
global cnt: count = 0;
|
||||
|
|
|
@ -1,18 +1,20 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >a.out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >a.out
|
||||
# @TEST-EXEC: btest-diff a.out
|
||||
# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >a.size
|
||||
# @TEST-EXEC: btest-diff a.size
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >b.out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >b.out
|
||||
# @TEST-EXEC: btest-diff b.out
|
||||
# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >b.size
|
||||
# @TEST-EXEC: btest-diff b.size
|
||||
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >c.out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.zeek %INPUT >c.out
|
||||
# @TEST-EXEC: btest-diff c.out
|
||||
# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >c.size
|
||||
# @TEST-EXEC: btest-diff c.size
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
global cnt: count = 0;
|
||||
|
||||
redef test_file_analysis_source = "HTTP";
|
||||
|
|
|
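Review bot: Each of the three runs sizes the same `file-0`, but nothing removes the file left by the previous run, so if the b or c run extracts nothing the stale `file-0` from the earlier run is measured and `btest-diff b.size`/`c.size` can still pass. Add `# @TEST-EXEC: rm -f file-0` before the b and c `zeek -b` invocations, or give each run a distinct output name. Where the `file-0` name comes from (file-analysis-test.zeek or a `test_get_file_name` redef further down) is outside the hunk.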
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff 1-file
|
||||
# @TEST-EXEC: btest-diff 2-file
|
||||
|
@ -6,6 +6,8 @@
|
|||
# @TEST-EXEC: btest-diff 4-file
|
||||
# @TEST-EXEC: btest-diff 5-file
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
redef test_file_analysis_source = "HTTP";
|
||||
|
||||
global c = 0;
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff 1-file
|
||||
# @TEST-EXEC: btest-diff 2-file
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
redef test_file_analysis_source = "HTTP";
|
||||
|
||||
global c = 0;
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/irc-dcc-send.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff thefile
|
||||
|
||||
@load base/protocols/irc
|
||||
|
||||
redef test_file_analysis_source = "IRC_DATA";
|
||||
|
||||
global first: bool = T;
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.zeek %INPUT
|
||||
# @TEST-EXEC: btest-diff files.log
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
redef test_file_analysis_source = "HTTP";
|
||||
|
||||
redef test_get_file_name = function(f: fa_file): string
|
||||
|
|
|
@ -1,9 +1,12 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/smtp.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/smtp.trace $SCRIPTS/file-analysis-test.zeek %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff thefile0
|
||||
# @TEST-EXEC: btest-diff thefile1
|
||||
# @TEST-EXEC: btest-diff thefile2
|
||||
|
||||
@load base/protocols/smtp
|
||||
@load base/protocols/ssl
|
||||
|
||||
redef test_file_analysis_source = "SMTP";
|
||||
|
||||
global mycnt: count = 0;
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# It does a second test at the same time which configures the old
|
||||
# failing behavior.
|
||||
|
||||
# @TEST-EXEC: btest-bg-run zeek zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run zeek zeek -b %INPUT
|
||||
# @TEST-EXEC: $SCRIPTS/wait-for-file zeek/init 10 || (btest-bg-wait -k 1 && false)
|
||||
# @TEST-EXEC: mv does-exist.dat does-not-exist.dat
|
||||
# @TEST-EXEC: $SCRIPTS/wait-for-file zeek/next 10 || (btest-bg-wait -k 1 && false)
|
||||
|
|
|
@ -3,10 +3,10 @@
|
|||
# @TEST-PORT: BROKER_PORT3
|
||||
# @TEST-PORT: BROKER_PORT4
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout
|
||||
|
@ -22,6 +22,9 @@ redef Cluster::nodes = {
|
|||
};
|
||||
@TEST-END-FILE
|
||||
|
||||
@load base/frameworks/cluster
|
||||
@load base/frameworks/intel
|
||||
|
||||
module Intel;
|
||||
|
||||
redef Log::default_rotation_interval=0sec;
|
||||
|
|
|
@ -2,9 +2,9 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout
|
||||
|
@ -19,6 +19,9 @@ redef Cluster::nodes = {
|
|||
};
|
||||
@TEST-END-FILE
|
||||
|
||||
@load base/frameworks/cluster
|
||||
@load base/frameworks/intel
|
||||
|
||||
module Intel;
|
||||
|
||||
redef Log::default_rotation_interval=0sec;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: btest-bg-run zeekproc zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run zeekproc zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: cat zeekproc/intel.log > output
|
||||
# @TEST-EXEC: cat zeekproc/.stdout >> output
|
||||
|
@ -16,52 +16,72 @@ redef exit_only_after_terminate = T;
|
|||
|
||||
redef Intel::read_files += { "../intel.dat" };
|
||||
redef enum Intel::Where += { SOMEWHERE };
|
||||
redef Intel::item_expiration = 9sec;
|
||||
redef table_expire_interval = 3sec;
|
||||
|
||||
global runs = 0;
|
||||
global entries_read = 0;
|
||||
global start_time: time;
|
||||
global expire_count = 0;
|
||||
const intel_expiry = 9sec;
|
||||
redef Intel::item_expiration = intel_expiry;
|
||||
redef table_expire_interval = 0.2sec;
|
||||
|
||||
event do_it()
|
||||
{
|
||||
++runs;
|
||||
print fmt("-- Run %s --", runs);
|
||||
|
||||
print "Trigger: 1.2.3.4";
|
||||
Intel::seen([$host=1.2.3.4,
|
||||
$where=SOMEWHERE]);
|
||||
print "Seen: 1.2.3.4";
|
||||
Intel::seen([$host=1.2.3.4, $where=SOMEWHERE]);
|
||||
|
||||
if ( runs == 2 )
|
||||
{
|
||||
# Reinserting the indicator should reset the expiration
|
||||
print "Reinsert: 1.2.3.4";
|
||||
local item = [
|
||||
$indicator="1.2.3.4",
|
||||
$indicator_type=Intel::ADDR,
|
||||
$meta=[
|
||||
$source="source2",
|
||||
$desc="this host is still bad",
|
||||
$url="http://some-data-distributor.com/2"]
|
||||
];
|
||||
Intel::insert(item);
|
||||
}
|
||||
|
||||
if ( runs < 6 )
|
||||
schedule 3sec { do_it() };
|
||||
else
|
||||
if ( runs == 4 )
|
||||
schedule 1sec { do_it() };
|
||||
else if ( runs > 4 )
|
||||
terminate();
|
||||
}
|
||||
|
||||
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
|
||||
{
|
||||
print fmt("Seen: %s", s$indicator);
|
||||
print fmt("Match: %s", s$indicator);
|
||||
}
|
||||
|
||||
hook Intel::item_expired(indicator: string, indicator_type: Intel::Type,
|
||||
metas: set[Intel::MetaData])
|
||||
metas: set[Intel::MetaData])
|
||||
{
|
||||
print fmt("Expired: %s", indicator);
|
||||
++expire_count;
|
||||
|
||||
if ( expire_count == 2 )
|
||||
# Check that time of expiry indicates is approximately what's expected
|
||||
# after having been refreshed.
|
||||
print fmt("Expired: %s (took longer: %s)", indicator, (network_time() - start_time) > intel_expiry + 2sec);
|
||||
else
|
||||
print fmt("Expired: %s", indicator);
|
||||
|
||||
event do_it();
|
||||
}
|
||||
|
||||
event zeek_init() &priority=-10
|
||||
event refresh()
|
||||
{
|
||||
schedule 1.5sec { do_it() };
|
||||
# Reinserting the indicator should reset the expiration
|
||||
local item = [
|
||||
$indicator="1.2.3.4",
|
||||
$indicator_type=Intel::ADDR,
|
||||
$meta=[
|
||||
$source="source2",
|
||||
$desc="this host is still bad",
|
||||
$url="http://some-data-distributor.com/2"]
|
||||
];
|
||||
Intel::insert(item);
|
||||
event do_it();
|
||||
}
|
||||
|
||||
event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)
|
||||
{
|
||||
++entries_read;
|
||||
|
||||
if ( entries_read == 2 )
|
||||
{
|
||||
start_time = network_time();
|
||||
event do_it();
|
||||
schedule 3sec { refresh() };
|
||||
}
|
||||
}
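Review bot: The new `Intel::read_entry` handler only starts `do_it()` once `entries_read == 2`, a constant that presumably mirrors the number of rows in the inline `intel.dat` (outside this hunk), so a later edit to that file would leave the test waiting until `btest-bg-wait` gives up rather than failing clearly. A comment tying the two together, e.g. `# intel.dat holds two entries; start once both are loaded so expirations fire in a known order`, would make the coupling visible; the same applies to `read == 2`, `reads == 3` and `read == 6` in the three intel sections that follow. The `+ 2sec` slack in the `took longer` line of `Intel::item_expired` is likewise a bare tolerance; naming it next to `intel_expiry`, e.g. `const expiry_slack = 2sec;`, would say what it allows for.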
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
# @TEST-EXEC: btest-bg-run zeekproc zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run zeekproc zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 15
|
||||
# @TEST-EXEC: btest-diff zeekproc/intel.log
|
||||
|
||||
|
@ -9,6 +9,8 @@
|
|||
10.0.0.1 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1234
|
||||
@TEST-END-FILE
|
||||
|
||||
@load base/frameworks/intel
|
||||
|
||||
redef exit_only_after_terminate = T;
|
||||
redef Site::local_nets += { 10.0.0.0/8 };
|
||||
redef Intel::read_files += { "../intel.dat" };
|
||||
|
@ -37,7 +39,11 @@ event Intel::log_intel(rec: Intel::Info)
|
|||
terminate();
|
||||
}
|
||||
|
||||
event zeek_init() &priority=-10
|
||||
global read = 0;
|
||||
event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)
|
||||
{
|
||||
schedule 1sec { do_it() };
|
||||
++read;
|
||||
|
||||
if ( read == 2 )
|
||||
event do_it();
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
# @TEST-EXEC: btest-bg-run zeekproc zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run zeekproc zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 15
|
||||
# @TEST-EXEC: btest-diff zeekproc/intel.log
|
||||
|
||||
|
@ -10,6 +10,8 @@
|
|||
e@mail.com Intel::EMAIL source1 Phishing email source http://some-data-distributor.com/100000
|
||||
@TEST-END-FILE
|
||||
|
||||
@load base/frameworks/intel
|
||||
|
||||
redef exit_only_after_terminate = T;
|
||||
redef Intel::read_files += { "../intel.dat" };
|
||||
redef enum Intel::Where += { SOMEWHERE };
|
||||
|
@ -32,7 +34,11 @@ event Intel::log_intel(rec: Intel::Info)
|
|||
terminate();
|
||||
}
|
||||
|
||||
event zeek_init() &priority=-10
|
||||
global reads = 0;
|
||||
event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)
|
||||
{
|
||||
schedule 1sec { do_it() };
|
||||
++reads;
|
||||
|
||||
if ( reads == 3 )
|
||||
event do_it();
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: btest-bg-run zeekproc zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run zeekproc zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 15
|
||||
# @TEST-EXEC: cat zeekproc/intel.log > output
|
||||
# @TEST-EXEC: cat zeekproc/.stdout >> output
|
||||
|
@ -14,6 +14,8 @@
|
|||
192.168.128.0/18 Intel::SUBNET source1 this subnetwork might be baaad http://some-data-distributor.com/5
|
||||
# @TEST-END-FILE
|
||||
|
||||
@load base/frameworks/intel
|
||||
|
||||
redef exit_only_after_terminate = T;
|
||||
|
||||
redef Intel::read_files += { "../intel.dat" };
|
||||
|
@ -29,9 +31,13 @@ event do_it()
|
|||
$where=SOMEWHERE]);
|
||||
}
|
||||
|
||||
event zeek_init() &priority=-10
|
||||
global read = 0;
|
||||
event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)
|
||||
{
|
||||
schedule 1sec { do_it() };
|
||||
++read;
|
||||
|
||||
if ( read == 6 )
|
||||
event do_it();
|
||||
}
|
||||
|
||||
global log_lines = 0;
|
||||
|
|
|
@ -2,10 +2,10 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 40
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: btest-diff manager-1/intel.log
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
|
@ -27,6 +27,7 @@ e@mail.com Intel::EMAIL source1 Phishing email source http://some-data-distribut
|
|||
@TEST-END-FILE
|
||||
|
||||
@load base/frameworks/control
|
||||
@load base/frameworks/intel
|
||||
redef Log::default_rotation_interval=0sec;
|
||||
|
||||
module Intel;
|
||||
|
@ -41,16 +42,44 @@ redef enum Intel::Where += {
|
|||
|
||||
event do_it()
|
||||
{
|
||||
if ( Cluster::node == "manager-1" )
|
||||
{
|
||||
Broker::publish(Cluster::node_topic("worker-2"), do_it);
|
||||
return;
|
||||
}
|
||||
|
||||
Intel::seen([$host=1.2.3.4, $where=Intel::IN_A_TEST]);
|
||||
Intel::seen([$indicator="e@mail.com", $indicator_type=Intel::EMAIL, $where=Intel::IN_A_TEST]);
|
||||
|
||||
if ( Cluster::node == "worker-1" )
|
||||
Broker::publish(Cluster::node_topic("manager-1"), do_it);
|
||||
}
|
||||
|
||||
event zeek_init()
|
||||
global hi_count = 0;
|
||||
|
||||
event start_it()
|
||||
{
|
||||
# Delay the workers searching for hits briefly to allow for the data distribution
|
||||
# mechanism to distribute the data to the workers.
|
||||
if ( Cluster::local_node_type() == Cluster::WORKER )
|
||||
schedule 2sec { do_it() };
|
||||
Broker::publish(Cluster::node_topic("worker-1"), do_it);
|
||||
}
|
||||
|
||||
event hi()
|
||||
{
|
||||
if ( Cluster::node == "manager-1" )
|
||||
{
|
||||
++hi_count;
|
||||
|
||||
if ( hi_count == 2 )
|
||||
# Give more time for intel distribution.
|
||||
schedule 1sec { start_it() };
|
||||
}
|
||||
else
|
||||
Broker::publish(Cluster::node_topic("manager-1"), hi);
|
||||
}
|
||||
|
||||
event Cluster::node_up(name: string, id: string) &priority=-100
|
||||
{
|
||||
if ( Cluster::node == "manager-1" )
|
||||
Broker::publish(Cluster::node_topic(name), hi);
|
||||
}
|
||||
|
||||
event do_terminate()
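Review bot: The manager's `hi` handler moves on to `start_it()` when `hi_count == 2`, which appears to be the number of workers in the cluster layout rather than something derived from `Cluster::nodes`, so the constant and the layout can drift apart without any error. A comment stating the dependency, e.g. `# Two workers in the layout; wait for both to answer hi before distributing intel`, or a check against the configured worker count would keep that explicit. `do_terminate()` opens on the last line of the hunk and its body is outside it.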
|
||||
|
|
|
@ -1,13 +1,16 @@
|
|||
# @TEST-PORT: BROKER_PORT1
|
||||
# @TEST-PORT: BROKER_PORT2
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff manager-1/intel.log
|
||||
|
||||
@load base/frameworks/intel
|
||||
@load base/frameworks/cluster
|
||||
|
||||
# @TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: btest-bg-run zeekproc zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run zeekproc zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: cat zeekproc/reporter.log > output
|
||||
# @TEST-EXEC: cat zeekproc/.stdout >> output
|
||||
|
@ -9,6 +9,9 @@
|
|||
192.168.1.1 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1
|
||||
# @TEST-END-FILE
|
||||
|
||||
@load base/frameworks/intel
|
||||
@load base/frameworks/reporter
|
||||
|
||||
redef exit_only_after_terminate = T;
|
||||
|
||||
redef Intel::read_files += { "../intel.dat" };
|
||||
|
@ -25,7 +28,7 @@ event do_it()
|
|||
terminate();
|
||||
}
|
||||
|
||||
event zeek_init() &priority=-10
|
||||
event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)
|
||||
{
|
||||
schedule 1sec { do_it() };
|
||||
event do_it();
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# @TEST-EXEC: cp intel1.dat intel.dat
|
||||
# @TEST-EXEC: btest-bg-run zeekproc zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run zeekproc zeek -b %INPUT
|
||||
# @TEST-EXEC: $SCRIPTS/wait-for-file zeekproc/got1 15 || (btest-bg-wait -k 1 && false)
|
||||
# @TEST-EXEC: cp intel2.dat intel.dat
|
||||
# @TEST-EXEC: $SCRIPTS/wait-for-file zeekproc/got2 15 || (btest-bg-wait -k 1 && false)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/www-odd-url.trace
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/www-odd-url.trace base/protocols/http
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
|
|
|
@ -1,2 +1,4 @@
|
|||
# @TEST-EXEC: ZEEK_LOG_SUFFIX=txt zeek -r $TRACES/wikipedia.trace
|
||||
# @TEST-EXEC: ZEEK_LOG_SUFFIX=txt zeek -b -r $TRACES/wikipedia.trace %INPUT
|
||||
# @TEST-EXEC: test -f conn.txt
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -1,14 +1,13 @@
|
|||
# @TEST-PORT: BROKER_PORT1
|
||||
# @TEST-PORT: BROKER_PORT2
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 zeek %INPUT"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 zeek --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT"
|
||||
# @TEST-EXEC: btest-bg-wait 20
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 zeek -b %INPUT"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 zeek -b --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT"
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: grep qux manager-1/reporter.log | sed 's#line ..#line XX#g' > manager-reporter.log
|
||||
# @TEST-EXEC: grep qux manager-1/reporter-2.log | sed 's#line ..*#line XX#g' >> manager-reporter.log
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-canonifier | $SCRIPTS/diff-remove-abspath | grep -v ^# | $SCRIPTS/diff-sort" btest-diff manager-reporter.log
|
||||
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
@ -16,6 +15,9 @@ redef Cluster::nodes = {
|
|||
};
|
||||
@TEST-END-FILE
|
||||
|
||||
@load base/frameworks/cluster
|
||||
@load base/frameworks/logging
|
||||
@load base/frameworks/reporter
|
||||
@load base/protocols/conn
|
||||
|
||||
@if ( Cluster::node == "worker-1" )
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
# @TEST-PORT: BROKER_PORT1
|
||||
# @TEST-PORT: BROKER_PORT2
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 zeek %INPUT"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 zeek --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT"
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 zeek -b %INPUT"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 zeek -b --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT"
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-diff manager-1/http.log
|
||||
|
||||
|
@ -15,6 +15,8 @@ redef Cluster::nodes = {
|
|||
@TEST-END-FILE
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/http
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@if ( Cluster::node == "worker-1" )
|
||||
redef exit_only_after_terminate = T;
|
||||
|
|
|
@ -3,8 +3,13 @@
|
|||
# @TEST-REQUIRES: has-writer Zeek::SQLiteWriter
|
||||
# @TEST-GROUP: sqlite
|
||||
#
|
||||
# @TEST-EXEC: zeek -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_SQLITE
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT Log::default_writer=Log::WRITER_SQLITE
|
||||
# @TEST-EXEC: sqlite3 conn.sqlite 'select * from conn order by ts' | sort -n > conn.select
|
||||
# @TEST-EXEC: sqlite3 http.sqlite 'select * from http order by ts' | sort -n > http.select
|
||||
# @TEST-EXEC: btest-diff conn.select
|
||||
# @TEST-EXEC: btest-diff http.select
|
||||
|
||||
@load base/protocols/http
|
||||
@load base/protocols/dns
|
||||
@load base/protocols/conn
|
||||
@load base/frameworks/dpd
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/wikipedia.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/wikipedia.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff reporter.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff http-2.log
|
||||
|
@ -6,6 +6,7 @@
|
|||
# @TEST-EXEC: btest-diff http-2-2.log
|
||||
|
||||
@load base/protocols/http
|
||||
@load base/frameworks/reporter
|
||||
|
||||
event zeek_init()
|
||||
{
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 zeek %INPUT"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 zeek --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 zeek -b %INPUT"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 zeek -b --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
|
||||
|
||||
# @TEST-EXEC: $SCRIPTS/wait-for-file manager-1/lost 15 || (btest-bg-wait -k 1 && false)
|
||||
|
||||
# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-2 zeek --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
|
||||
# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-2 zeek -b --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-diff worker-1/.stdout
|
||||
# @TEST-EXEC: btest-diff worker-2/.stdout
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-diff netcontrol.log
|
||||
# @TEST-EXEC: btest-diff netcontrol_shunt.log
|
||||
# @TEST-EXEC: btest-diff netcontrol_drop.log
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/ecdhe.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
# Verify the state of internal tables after rules have been deleted...
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
@load base/frameworks/netcontrol
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/ecdhe.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff netcontrol.log
|
||||
|
||||
@load base/frameworks/netcontrol
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/ecdhe.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort' btest-diff netcontrol.log
|
||||
# @TEST-EXEC: btest-diff openflow.log
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff netcontrol.log
|
||||
# @TEST-EXEC: btest-diff openflow.log
|
||||
|
||||
|
|
|
@ -1,6 +1,10 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/smtp
|
||||
@load base/protocols/dns
|
||||
@load base/frameworks/dpd
|
||||
@load base/frameworks/netcontrol
|
||||
|
||||
event NetControl::init()
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/tls/ecdhe.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff netcontrol.log
|
||||
# @TEST-EXEC: btest-diff openflow.log
|
||||
|
||||
|
|
|
@ -2,12 +2,15 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 20
|
||||
# @TEST-EXEC: btest-diff manager-1/notice.log
|
||||
|
||||
@load base/frameworks/cluster
|
||||
@load base/frameworks/notice
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
|
|
@ -1,10 +0,0 @@
|
|||
# This test checks that the default notice policy ordering does not
|
||||
# change from run to run.
|
||||
# @TEST-EXEC: zeek -e ''
|
||||
# @TEST-EXEC: cat notice_policy.log | $SCRIPTS/diff-remove-timestamps > notice_policy.log.1
|
||||
# @TEST-EXEC: zeek -e ''
|
||||
# @TEST-EXEC: cat notice_policy.log | $SCRIPTS/diff-remove-timestamps > notice_policy.log.2
|
||||
# @TEST-EXEC: zeek -e ''
|
||||
# @TEST-EXEC: cat notice_policy.log | $SCRIPTS/diff-remove-timestamps > notice_policy.log.3
|
||||
# @TEST-EXEC: diff notice_policy.log.1 notice_policy.log.2
|
||||
# @TEST-EXEC: diff notice_policy.log.1 notice_policy.log.3
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -C -r $TRACES/web.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/web.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff alarm-mail.txt
|
||||
|
||||
@load base/frameworks/notice
|
||||
|
||||
hook Notice::policy(n: Notice::Info) &priority=1
|
||||
{
|
||||
add n$actions[Notice::ACTION_ALARM];
|
||||
|
|
|
@ -3,13 +3,16 @@
|
|||
# @TEST-PORT: BROKER_PORT3
|
||||
# @TEST-PORT: BROKER_PORT4
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 20
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run proxy-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=proxy-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-diff manager-1/notice.log
|
||||
|
||||
@load base/frameworks/notice
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
@ -30,7 +33,7 @@ event Cluster::node_down(name: string, id: string)
|
|||
terminate();
|
||||
}
|
||||
|
||||
event delayed_notice()
|
||||
event do_notice()
|
||||
{
|
||||
NOTICE([$note=Test_Notice,
|
||||
$msg="test notice!",
|
||||
|
@ -38,19 +41,35 @@ event delayed_notice()
|
|||
}
|
||||
|
||||
event ready()
|
||||
{
|
||||
{
|
||||
print "ready";
|
||||
|
||||
if ( Cluster::node == "manager-1" )
|
||||
Broker::publish(Cluster::node_topic("worker-1"), ready);
|
||||
if ( Cluster::node == "worker-1" )
|
||||
schedule 4secs { delayed_notice() };
|
||||
schedule 1sec { do_notice() };
|
||||
if ( Cluster::node == "worker-2" )
|
||||
schedule 1secs { delayed_notice() };
|
||||
}
|
||||
{
|
||||
event do_notice();
|
||||
Broker::publish(Cluster::node_topic("manager-1"), ready);
|
||||
}
|
||||
}
|
||||
|
||||
event Notice::suppressed(n: Notice::Info)
|
||||
{
|
||||
print "suppressed", n$note, n$identifier;
|
||||
|
||||
if ( Cluster::node == "worker-1" )
|
||||
terminate();
|
||||
}
|
||||
|
||||
event Notice::begin_suppression(ts: time, suppress_for: interval, note: Notice::Type,
|
||||
identifier: string)
|
||||
{
|
||||
print "begin suppression", suppress_for, note, identifier;
|
||||
Broker::publish(Cluster::node_topic("manager-1"), ready);
|
||||
}
|
||||
|
||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||
|
||||
global peer_count = 0;
|
||||
|
@ -60,7 +79,7 @@ event Cluster::node_up(name: string, id: string)
|
|||
peer_count = peer_count + 1;
|
||||
|
||||
if ( peer_count == 3 )
|
||||
Broker::publish(Cluster::worker_topic, ready);
|
||||
Broker::publish(Cluster::node_topic("worker-2"), ready);
|
||||
}
|
||||
|
||||
@endif
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff openflow.log
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 zeek %INPUT"
|
||||
# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 zeek --pseudo-realtime -C -r $TRACES/smtp.trace %INPUT"
|
||||
# @TEST-EXEC: btest-bg-wait 20
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
# @TEST-EXEC: btest-diff manager-1/openflow.log
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
# @TEST-EXEC-FAIL: zeek -r $TRACES/web.trace -f "bad filter"
|
||||
# @TEST-EXEC-FAIL: zeek -b -r $TRACES/web.trace base/frameworks/packet-filter -f "bad filter"
|
||||
# @TEST-EXEC: test -s .stderr
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b base/frameworks/reporter %INPUT
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff reporter.log
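Review bot: `base/frameworks/reporter` is placed before `%INPUT` here but after it in the neighbouring reporter test (`zeek -b %INPUT base/frameworks/reporter`); unless that test depends on the input script being evaluated before the reporter scripts, the two command lines should use one order, e.g. `# @TEST-EXEC: zeek -b base/frameworks/reporter %INPUT` in both.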
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT base/frameworks/reporter
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff reporter.log
|
||||
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek %INPUT > output
|
||||
# @TEST-EXEC: zeek -b %INPUT > output
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff output
|
||||
|
||||
@load base/frameworks/software
|
||||
|
||||
module Software;
|
||||
|
||||
global matched_software: table[string] of Software::Description = {
|
||||
|
|
|
@ -2,12 +2,15 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 15
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
|
||||
@load base/frameworks/sumstats
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
|
@ -20,6 +23,7 @@ redef Cluster::nodes = {
|
|||
redef Log::default_rotation_interval = 0secs;
|
||||
|
||||
global n = 0;
|
||||
global did_data = F;
|
||||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
|
@ -29,12 +33,14 @@ event zeek_init() &priority=5
|
|||
$reducers=set(r1),
|
||||
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
if ( ! did_data ) return;
|
||||
local r = result["test"];
|
||||
print fmt("Host: %s - num:%d - sum:%.1f - avg:%.1f - max:%.1f - min:%.1f - var:%.1f - std_dev:%.1f - unique:%d - hllunique:%d", key$host, r$num, r$sum, r$average, r$max, r$min, r$variance, r$std_dev, r$unique, r$hll_unique);
|
||||
},
|
||||
$epoch_finished(ts: time) =
|
||||
{
|
||||
terminate();
|
||||
if ( did_data )
|
||||
terminate();
|
||||
}]);
|
||||
}
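Review bot: The `did_data` guards in `$epoch_result` and `$epoch_finished` quietly drop any epoch that closes before observations were made, and nothing in the hunk says why, so the early `return` reads like an accident. A comment on the guard, e.g. `# Epochs that close before ready_for_data() has run carry no observations and their output is timing-dependent; skip them.`, would document the intent. Since `terminate()` now runs only once `did_data` is set, the test falls back on `btest-bg-wait` if the observations never happen, which is presumably acceptable for a btest but worth stating in the same comment.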
|
||||
|
||||
|
@ -67,6 +73,8 @@ event ready_for_data()
|
|||
SumStats::observe("test", [$host=7.2.1.5], [$num=91]);
|
||||
SumStats::observe("test", [$host=10.10.10.10], [$num=5]);
|
||||
}
|
||||
|
||||
did_data = T;
|
||||
}
|
||||
|
||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
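Review bot: The `did_data` gate added to `$epoch_result` and `$epoch_finished` is undocumented, and its correctness rests on something the hunks do not show: `did_data = T` is set at the end of `ready_for_data`, the path where the workers make their observations, while the epoch callbacks run on the manager, so the gate only works if the manager also executes the `ready_for_data` handler locally (the manager-specific code begins at the `@if ( Cluster::local_node_type() == Cluster::MANAGER )` line and continues outside the hunk). If the manager never runs that handler, `did_data` stays false there, `terminate()` is never reached and the test only ends when `btest-bg-wait 30` expires, so that path is worth confirming. A comment next to the global would spare the next reader the trace: `# Set once observations were made. Epoch callbacks can fire before any data arrives; skip those epochs and only terminate() after a real result was printed.`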
|
||||
@ -1,7 +1,9 @@
|
|||
# @TEST-EXEC: btest-bg-run standalone zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 10
|
||||
# @TEST-EXEC: btest-bg-run standalone zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 15
|
||||
# @TEST-EXEC: btest-diff standalone/.stdout
|
||||
|
||||
@load base/frameworks/sumstats
|
||||
|
||||
redef exit_only_after_terminate=T;
|
||||
|
||||
event zeek_init() &priority=5
|
||||
@ -2,12 +2,15 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
|
||||
@load base/frameworks/cluster
|
||||
@load base/frameworks/sumstats
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
@ -22,7 +25,7 @@ event zeek_init() &priority=5
|
|||
{
|
||||
local r1: SumStats::Reducer = [$stream="test.metric", $apply=set(SumStats::SUM)];
|
||||
SumStats::create([$name="test",
|
||||
$epoch=10secs,
|
||||
$epoch=15secs,
|
||||
$reducers=set(r1),
|
||||
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
|
@ -64,7 +67,7 @@ event Cluster::node_up(name: string, id: string)
|
|||
if ( Cluster::node == "worker-1" )
|
||||
{
|
||||
schedule 0.1sec { do_stats(1) };
|
||||
schedule 5secs { do_stats(60) };
|
||||
schedule 1secs { do_stats(60) };
|
||||
}
|
||||
if ( Cluster::node == "worker-2" )
|
||||
schedule 0.5sec { do_stats(40) };
|
||||
@ -1,12 +1,15 @@
|
|||
# @TEST-PORT: BROKER_PORT1
|
||||
# @TEST-PORT: BROKER_PORT2
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 25
|
||||
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
#
|
||||
|
||||
@load base/frameworks/sumstats
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
@ -2,14 +2,17 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 15
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 30
|
||||
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
#
|
||||
|
||||
@load base/frameworks/cluster
|
||||
@load base/frameworks/sumstats
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=to_port(getenv("BROKER_PORT1"))],
|
||||
|
@ -37,11 +40,6 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
|
|||
|
||||
global ready_for_data: event();
|
||||
|
||||
event zeek_init()
|
||||
{
|
||||
Broker::auto_publish(Cluster::worker_topic, ready_for_data);
|
||||
}
|
||||
|
||||
event on_demand()
|
||||
{
|
||||
local host = 7.2.1.5;
|
||||
|
@ -56,6 +54,15 @@ event on_demand()
|
|||
}
|
||||
}
|
||||
|
||||
global ready_count = 0;
|
||||
event ready_to_demand()
|
||||
{
|
||||
++ready_count;
|
||||
|
||||
if ( ready_count == 2 )
|
||||
event on_demand();
|
||||
}
|
||||
|
||||
event ready_for_data()
|
||||
{
|
||||
if ( Cluster::node == "worker-1" )
|
||||
|
@ -73,7 +80,7 @@ event ready_for_data()
|
|||
SumStats::observe("test", [$host=10.10.10.10], [$num=5]);
|
||||
}
|
||||
|
||||
schedule 1sec { on_demand() };
|
||||
Broker::publish(Cluster::manager_topic, ready_to_demand);
|
||||
}
|
||||
|
||||
global peer_count = 0;
|
||||
|
@ -84,8 +91,6 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
|
|||
|
||||
++peer_count;
|
||||
if ( peer_count == 2 )
|
||||
{
|
||||
event ready_for_data();
|
||||
}
|
||||
Broker::publish(Cluster::worker_topic, ready_for_data);
|
||||
}
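Review bot: `ready_to_demand` hard-codes `ready_count == 2`, mirroring the `peer_count == 2` check in `Broker::peer_added`, but neither constant is tied to the worker entries in cluster-layout.zeek, so adding a node to the layout would silently make `on_demand` either never fire or fire before the second worker has observed. `ready_count` is also never reset, so a duplicate `ready_to_demand` from one worker would trigger `on_demand` early; that presumably cannot happen because each worker publishes exactly once at the end of `ready_for_data`, as the preceding hunk shows. A short comment above `global ready_count = 0;` would make the coupling explicit: `# One ready_to_demand per worker in cluster-layout.zeek; on_demand must only run after both workers have made their observations.` The `Broker::peer_added` handler starts outside the hunk.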
|
||||
|
||||
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/frameworks/sumstats
|
||||
|
||||
redef exit_only_after_terminate=T;
|
||||
|
||||
|
||||
@ -2,11 +2,14 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
|
||||
@load base/frameworks/sumstats
|
||||
@load base/frameworks/cluster
|
||||
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
|
@ -17,6 +20,7 @@ redef Cluster::nodes = {
|
|||
@TEST-END-FILE
|
||||
|
||||
redef Log::default_rotation_interval = 0secs;
|
||||
global did_data = F;
|
||||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
|
@ -26,6 +30,7 @@ event zeek_init() &priority=5
|
|||
$reducers=set(r1),
|
||||
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
if ( ! did_data ) return;
|
||||
local r = result["test"];
|
||||
print fmt("Host: %s Sampled observations: %d", key$host, r$sample_elements);
|
||||
local sample_nums: vector of count = vector();
|
||||
|
@ -36,7 +41,8 @@ event zeek_init() &priority=5
|
|||
},
|
||||
$epoch_finished(ts: time) =
|
||||
{
|
||||
terminate();
|
||||
if ( did_data )
|
||||
terminate();
|
||||
}]);
|
||||
}
|
||||
|
||||
|
@ -102,6 +108,8 @@ event ready_for_data()
|
|||
SumStats::observe("test", [$host=7.2.1.5], [$num=91]);
|
||||
SumStats::observe("test", [$host=10.10.10.10], [$num=5]);
|
||||
}
|
||||
|
||||
did_data = T;
|
||||
}
|
||||
|
||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/frameworks/sumstats
|
||||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
local r1: SumStats::Reducer = [$stream="test.metric",
|
||||
@ -1,6 +1,9 @@
|
|||
# @TEST-EXEC: zeek %INPUT | sort >output
|
||||
# @TEST-EXEC: zeek -b %INPUT | sort >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
@load base/frameworks/sumstats
|
||||
@load base/frameworks/notice
|
||||
|
||||
redef enum Notice::Type += {
|
||||
Test_Notice,
|
||||
};
|
||||
@ -2,12 +2,12 @@
|
|||
# @TEST-PORT: BROKER_PORT2
|
||||
# @TEST-PORT: BROKER_PORT3
|
||||
#
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek %INPUT
|
||||
# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-run worker-2 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-bg-wait 45
|
||||
|
||||
# @TEST-EXEC: btest-diff manager-1/.stdout
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
|
||||
#
|
||||
@TEST-START-FILE cluster-layout.zeek
|
||||
redef Cluster::nodes = {
|
||||
|
@ -17,8 +17,12 @@ redef Cluster::nodes = {
|
|||
};
|
||||
@TEST-END-FILE
|
||||
|
||||
@load base/frameworks/sumstats
|
||||
@load base/frameworks/cluster
|
||||
|
||||
redef Log::default_rotation_interval = 0secs;
|
||||
|
||||
global did_data = F;
|
||||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
|
@ -29,6 +33,7 @@ event zeek_init() &priority=5
|
|||
$reducers=set(r1),
|
||||
$epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
if ( ! did_data ) return;
|
||||
local r = result["test.metric"];
|
||||
local s: vector of SumStats::Observation;
|
||||
s = topk_get_top(r$topk, 5);
|
||||
|
@ -40,7 +45,8 @@ event zeek_init() &priority=5
|
|||
},
|
||||
$epoch_finished(ts: time) =
|
||||
{
|
||||
terminate();
|
||||
if ( did_data )
|
||||
terminate();
|
||||
}]);
|
||||
|
||||
|
||||
|
@ -96,6 +102,8 @@ event ready_for_data()
|
|||
SumStats::observe("test.metric", [$str="counter"], [$num=995]);
|
||||
}
|
||||
}
|
||||
|
||||
did_data = T;
|
||||
}
|
||||
|
||||
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
||||
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek %INPUT
|
||||
# @TEST-EXEC: zeek -b %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/frameworks/sumstats
|
||||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
local r1: SumStats::Reducer = [$stream="test.metric",
|
||||
@ -1,4 +1,6 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/http/bro.org-filtered.pcap >out1 2>&1
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/bro.org-filtered.pcap "FilteredTraceDetection::enable=F" >out2 2>&1
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/bro.org-filtered.pcap %INPUT >out1 2>&1
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/bro.org-filtered.pcap %INPUT "FilteredTraceDetection::enable=F" >out2 2>&1
|
||||
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out1
|
||||
# @TEST-EXEC: btest-diff out2
|
||||
|
||||
@load base/misc/find-filtered-trace
|
||||
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/arp-leak.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/arp-leak.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
|
||||
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/arp-who-has.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/arp-who-has.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
|
||||
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/arp-who-has-radiotap.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/arp-who-has-radiotap.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
|
||||
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
|
||||
@ -1,3 +1,3 @@
|
|||
# @TEST-EXEC: zeek -f "tcp port 21" -r $TRACES/ftp/ipv6.trace "Conn::default_extract=T"
|
||||
# @TEST-EXEC: zeek -b -f "tcp port 21" -r $TRACES/ftp/ipv6.trace base/protocols/conn "Conn::default_extract=T"
|
||||
# @TEST-EXEC: btest-diff contents_[2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185-[2001:470:4867:99::21]:21_orig.dat
|
||||
# @TEST-EXEC: btest-diff contents_[2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185-[2001:470:4867:99::21]:21_resp.dat
|
||||
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event new_connection_contents(c: connection)
|
||||
@ -1,9 +1,11 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
#
|
||||
# This tests that no events are raised once all thresholds have been deleted.
|
||||
|
||||
@load base/protocols/conn
|
||||
|
||||
event connection_established(c: connection)
|
||||
{
|
||||
ConnThreshold::set_bytes_threshold(c, 1, T);
|
||||
@ -1,6 +1,8 @@
|
|||
# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/conn
|
||||
|
||||
event connection_established(c: connection)
|
||||
{
|
||||
print fmt("Threshold set for %s", cat(c$id));
|
||||