Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Potentially improve intel/remove-item-cluster btest

Browse source
This commit is contained in:
Jon Siwek 2020-08-27 18:00:55 -07:00
parent 5b25870c83
commit dc9e175a61
3 changed files with 33 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,4 +1,8 @@
3.3.0-dev.211 | 2020-08-27 18:00:55 -0700
* Potentially improve intel/remove-item-cluster btest (Jon Siwek, Corelight)
3.3.0-dev.210 | 2020-08-27 15:34:14 -0700 3.3.0-dev.210 | 2020-08-27 15:34:14 -0700
* GH-158: Ensure packet-filter framework is loaded if -f option is passed (Tim Wojtulewicz, Corelight) * GH-158: Ensure packet-filter framework is loaded if -f option is passed (Tim Wojtulewicz, Corelight)

2
VERSION
View file

@ -1 +1 @@
3.3.0-dev.210 3.3.0-dev.211

49
testing/btest/scripts/base/frameworks/intel/remove-item-cluster.zeek
View file

@ -22,14 +22,6 @@ module Intel;
redef Log::default_rotation_interval=0sec; redef Log::default_rotation_interval=0sec;
event test_manager()
{
Intel::remove([$indicator="192.168.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
Intel::seen([$host=192.168.0.1, $where=Intel::IN_ANYWHERE]);
Intel::remove([$indicator="192.168.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]], T);
Intel::seen([$host=192.168.0.2, $where=Intel::IN_ANYWHERE]);
}
event test_worker() event test_worker()
{ {
Intel::remove([$indicator="192.168.1.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]); Intel::remove([$indicator="192.168.1.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
@ -39,6 +31,16 @@ event test_worker()
Intel::seen([$host=10.10.10.10, $where=Intel::IN_ANYWHERE]); Intel::seen([$host=10.10.10.10, $where=Intel::IN_ANYWHERE]);
} }
event test_manager()
{
Intel::remove([$indicator="192.168.0.1", $indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
Intel::seen([$host=192.168.0.1, $where=Intel::IN_ANYWHERE]);
Intel::remove([$indicator="192.168.0.2", $indicator_type=Intel::ADDR, $meta=[$source="source1"]], T);
Intel::seen([$host=192.168.0.2, $where=Intel::IN_ANYWHERE]);
Broker::publish(Cluster::worker_topic, test_worker);
}
event ready() event ready()
{ {
# Insert the data once all workers are connected. # Insert the data once all workers are connected.
@ -58,32 +60,37 @@ event Cluster::node_up(name: string, id: string)
Broker::publish(Cluster::manager_topic, ready); Broker::publish(Cluster::manager_topic, ready);
} }
global worker_data = 0;
event Intel::insert_indicator(item: Intel::Item)
{
# Run test on worker-1 when all items have been inserted
if ( Cluster::node == "worker-1" )
{
++worker_data;
if ( worker_data == 4 )
event test_worker();
}
}
event Intel::remove_item(item: Item, purge_indicator: bool) event Intel::remove_item(item: Item, purge_indicator: bool)
{ {
print fmt("Removing %s (source: %s).", item$indicator, item$meta$source); print fmt("Removing %s (source: %s).", item$indicator, item$meta$source);
} }
global purge_count = 0;
global got_intel_hit = F;
function check_termination_condition()
{
if ( Cluster::node == "worker-1" && purge_count == 3 && got_intel_hit )
terminate();
}
event set_intel_hit()
{
got_intel_hit = T;
check_termination_condition();
}
event remove_indicator(item: Item) event remove_indicator(item: Item)
{ {
++purge_count;
print fmt("Purging %s.", item$indicator); print fmt("Purging %s.", item$indicator);
check_termination_condition();
} }
event Intel::log_intel(rec: Intel::Info) event Intel::log_intel(rec: Intel::Info)
{ {
print "Logging intel hit!"; print "Logging intel hit!";
terminate(); Broker::publish(Cluster::worker_topic, set_intel_hit);
} }
event Cluster::node_down(name: string, id: string) event Cluster::node_down(name: string, id: string)