From d387da9f7111fa6c69d3cdf939fb9a1650987ec1 Mon Sep 17 00:00:00 2001
From: Christian Kreibich
Date: Wed, 8 Feb 2023 19:28:50 -0800
Subject: [PATCH] Fix scripts.policy.frameworks.intel.removal test given address locality info

This test used `Site::is_local_addr()` as part of a filtering criterion, perhaps unintentionally. The fact that it applied to all tested addresses kept a Zeek process from exiting, failing the test. It also doesn't need to prioritize its zeek_init() handler.
---
 testing/btest/scripts/policy/frameworks/intel/removal.zeek | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/testing/btest/scripts/policy/frameworks/intel/removal.zeek b/testing/btest/scripts/policy/frameworks/intel/removal.zeek
index 5b40130a23..a17983cfb6 100644
--- a/testing/btest/scripts/policy/frameworks/intel/removal.zeek
+++ b/testing/btest/scripts/policy/frameworks/intel/removal.zeek
@@ -18,7 +18,7 @@ redef enum Intel::Where += { SOMEWHERE };
 hook Intel::filter_item(item: Intel::Item)
 {
 if ( item$indicator_type == Intel::ADDR &&
- Site::is_local_addr(to_addr(item$indicator)) )
+ ! Site::is_local_addr(to_addr(item$indicator)) )
 break;
 }
@@ -42,7 +42,7 @@ event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item:
 }
 }
-event zeek_init() &priority=+100
+event zeek_init()
 {
 Intel::insert([$indicator="10.0.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
 Intel::insert([$indicator="10.0.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
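Review bot: In the first hunk, the negated `Site::is_local_addr()` condition in `Intel::filter_item` makes the test outcome depend on whether the running Zeek classifies the 10.0.0.x indicators inserted in `zeek_init()` as local; if it does not, the hook presumably breaks for every address item and the removal path is never exercised. The commit message itself calls the locality check "perhaps unintentional", so the intent should be stated next to the condition, e.g. `# Filter out non-local addresses; the 10.0.0.x test indicators must count as local.` Pinning the assumption inside the test with `redef Site::local_nets += { 10.0.0.0/8 };` would keep the result independent of site defaults. The body of `zeek_init()` in the second hunk continues outside the visible lines, so any further indicators inserted there are not covered by this note.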