Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 04:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

GH-173: Support ranges of values for value_list elements in the signature parser

Browse source 
This adds support for ranged values everywhere a value_list is used, not just for source port fields.
This commit is contained in:
Tim Wojtulewicz 2019-05-22 14:04:59 -07:00
parent 42f7be0473
commit e10f9e4047
4 changed files with 43 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
testing/btest/signatures/src-port-header-condition.zeek
View file

@ -20,6 +20,8 @@
# @TEST-EXEC: zeek -b -s src-port-gte2 -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte2.out
# @TEST-EXEC: zeek -b -s src-port-gte-nomatch -r $TRACES/chksums/ip6-udp-good-chksum.pcap %INPUT >src-port-gte-nomatch.out
# @TEST-EXEC: zeek -b -s src-port-range -r $TRACES/udp-multiple-source-ports.pcap %INPUT >src-port-range.out
# @TEST-EXEC: btest-diff src-port-eq.out
# @TEST-EXEC: btest-diff src-port-eq-nomatch.out
# @TEST-EXEC: btest-diff src-port-eq-list.out
@ -39,6 +41,8 @@
# @TEST-EXEC: btest-diff src-port-gte2.out
# @TEST-EXEC: btest-diff src-port-gte-nomatch.out
# @TEST-EXEC: btest-diff src-port-range.out
@TEST-START-FILE src-port-eq.sig
signature id {
src-port == 30000
@ -158,6 +162,13 @@ signature id {
}
@TEST-END-FILE
@TEST-START-FILE src-port-range.sig
signature id {
src-port == 29997-29999,30001-30002,30003
event "src-port-range"
}
@TEST-END-FILE
event signature_match(state: signature_state, msg: string, data: string)
{
print fmt("signature_match %s - %s", state$conn$id, msg);