Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix scripts.policy.frameworks.intel.removal test given address locality info

Browse source 
This test used `Site::is_local_addr()` as part of a filtering criterion, perhaps
unintentionally. The fact that it applied to all tested addresses kept a Zeek
process from exiting, failing the test. It also doesn't need to prioritize its
zeek_init() handler.
This commit is contained in:
Christian Kreibich 2023-02-08 19:28:50 -08:00
parent 693d8e9251
commit d387da9f71
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
testing/btest/scripts/policy/frameworks/intel/removal.zeek
View file

@ -18,7 +18,7 @@ redef enum Intel::Where += { SOMEWHERE };
hook Intel::filter_item(item: Intel::Item)
{
if ( item$indicator_type == Intel::ADDR &&
Site::is_local_addr(to_addr(item$indicator)) )
! Site::is_local_addr(to_addr(item$indicator)) )
break;
}
@ -42,7 +42,7 @@ event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item:
}
}
event zeek_init() &priority=+100
event zeek_init()
{
Intel::insert([$indicator="10.0.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
Intel::insert([$indicator="10.0.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);