Merge remote-tracking branch 'origin/master' into topic/johanna/gh-859

testing/btest/scripts/base/frameworks/config/missing-enum-value.zeek

@@ -5,6 +5,10 @@
 
 @TEST-START-FILE configfile
 mycolors Red,asdf,Blue
+nocolors 
+color_vec Green
+bad_color_vec Green,1234,Blue
+no_color_vec 
 @TEST-END-FILE
 
 @load base/frameworks/config
@@ -12,9 +16,21 @@ mycolors Red,asdf,Blue
 type Color: enum { Red, Green, Blue, };
 
 option mycolors = set(Red, Green);
+option nocolors = set(Red, Green);
+
+option color_vec: vector of Color = { Red };
+option bad_color_vec: vector of Color = { Red };
+option no_color_vec: vector of Color = { Red };
 
 event zeek_init()
 	{ Config::read_config("../configfile"); }
 
 event Input::end_of_data(name: string, source:string)
-	{ print mycolors; terminate(); }
+	{
+	print mycolors;
+	print nocolors;
+	print color_vec;
+	print bad_color_vec;
+	print no_color_vec;
+	terminate();
+	}

testing/btest/scripts/base/frameworks/config/read_config_cluster.zeek

@@ -1,3 +1,8 @@
+# Don't run the test for compiled scripts.  To work, they need separate
+# compilation of the manager and worker parts, and that also leads to
+# lines (and sets) being displayed in a different order due to different
+# hash function seedings (though probably -D would control for that).
+# @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
 # @TEST-PORT: BROKER_PORT1
 # @TEST-PORT: BROKER_PORT2
 # @TEST-PORT: BROKER_PORT3

testing/btest/scripts/base/frameworks/control/configuration_update.zeek

@@ -1,7 +1,7 @@
 # @TEST-PORT: BROKER_PORT
 #
-# @TEST-EXEC: btest-bg-run controllee  ZEEKPATH=$ZEEKPATH:.. zeek -b -Bbroker %INPUT frameworks/control/controllee Broker::default_port=$BROKER_PORT
-# @TEST-EXEC: btest-bg-run controller  ZEEKPATH=$ZEEKPATH:.. zeek -b -Bbroker %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=$BROKER_PORT Control::cmd=configuration_update
+# @TEST-EXEC: btest-bg-run controllee  ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT frameworks/control/controllee Broker::default_port=$BROKER_PORT
+# @TEST-EXEC: btest-bg-run controller  ZEEKPATH=$ZEEKPATH:.. zeek -b %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=$BROKER_PORT Control::cmd=configuration_update
 # @TEST-EXEC: btest-bg-wait 30
 # @TEST-EXEC: btest-diff controllee/.stdout
 

testing/btest/scripts/base/frameworks/logging/ascii-logdir.zeek

@@ -0,0 +1,38 @@
+#
+# @TEST-EXEC: mkdir logdir
+# @TEST-EXEC: zeek -b %INPUT LogAscii::logdir=logdir
+# @TEST-EXEC: cat logdir/ssh.log | grep -v PREFIX.*20..- >ssh-filtered.log
+# @TEST-EXEC: btest-diff ssh-filtered.log
+
+redef LogAscii::output_to_stdout = F;
+redef LogAscii::separator = "|";
+redef LogAscii::empty_field = "EMPTY";
+redef LogAscii::unset_field = "NOT-SET";
+redef LogAscii::meta_prefix = "PREFIX<>";
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+		id: conn_id; # Will be rolled out into individual columns.
+		status: string &optional;
+		country: string &default="unknown";
+		b: bool &optional;
+	} &log;
+}
+
+event zeek_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+	local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
+
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $country="US"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $country="BR"]);
+	Log::write(SSH::LOG, [$t=network_time(), $id=cid, $b=T, $status="failure", $country=""]);
+}

testing/btest/scripts/base/frameworks/logging/remove.zeek

@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -b -B logging %INPUT
+# @TEST-EXEC: zeek -b %INPUT
 # @TEST-EXEC: btest-diff ssh.log
 # @TEST-EXEC: btest-diff ssh.failure.log
 # @TEST-EXEC: btest-diff .stdout

testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.zeek

@@ -5,10 +5,11 @@
 # @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.zeek . && CLUSTER_NODE=manager-1 zeek -b %INPUT"
 # @TEST-EXEC: btest-bg-run worker-1  "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-1 zeek -b --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
 
-# @TEST-EXEC: $SCRIPTS/wait-for-file manager-1/lost 15 || (btest-bg-wait -k 1 && false)
+# @TEST-EXEC: $SCRIPTS/wait-for-file manager-1/lost 45 || (btest-bg-wait -k 1 && false)
 
 # @TEST-EXEC: btest-bg-run worker-2  "cp ../cluster-layout.zeek . && CLUSTER_NODE=worker-2 zeek -b --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT"
-# @TEST-EXEC: btest-bg-wait 30
+# This timeout needs to be large to accommodate ZAM compilation delays.
+# @TEST-EXEC: btest-bg-wait 90
 # @TEST-EXEC: btest-diff worker-1/.stdout
 # @TEST-EXEC: btest-diff worker-2/.stdout
 

testing/btest/scripts/base/frameworks/notice/action-email-admin.zeek

@@ -0,0 +1,28 @@
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: btest-diff sendmail.out
+# @TEST-EXEC: btest-diff notice.log
+
+@load base/frameworks/notice
+@load base/utils/site
+
+redef Notice::mail_dest = "user@example.net";
+redef Notice::sendmail = "fake-sendmail";
+
+redef Site::local_admins += {
+	[1.0.0.0/8] = set("cloudflare@example.net", "postmaster@the.cloud"),
+	[2.0.0.0/8] = set("2_dot@example.net"),
+	};
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+event zeek_init()
+	{
+	NOTICE([$note=Test_Notice, $msg="test", $identifier="static", $src=1.1.1.1, $dst=2.2.2.2]);
+	}
+
+hook Notice::policy(n: Notice::Info) &priority=1
+	{
+	add n$actions[Notice::ACTION_EMAIL_ADMIN];
+	}

testing/btest/scripts/base/frameworks/notice/action-email-custom-address.zeek

@@ -0,0 +1,29 @@
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: btest-diff sendmail.out
+
+# Tests overriding the e-mail destination for a specific notice
+
+
+@load base/frameworks/notice
+
+hook Notice::policy(n: Notice::Info) &priority=1
+	{
+	add n$actions[Notice::ACTION_EMAIL];
+	}
+
+redef Notice::mail_dest = "user@example.net";
+redef Notice::sendmail = "fake-sendmail";
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+event zeek_init()
+	{
+	NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]);
+	}
+
+hook Notice::policy(n: Notice::Info)
+	{
+	n$email_dest = set("admin@example.net");
+	}

testing/btest/scripts/base/frameworks/notice/action-email-multiple.zeek

@@ -0,0 +1,25 @@
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: btest-diff sendmail.out
+
+# Test what happens with PAGE and EMAIL
+
+@load base/frameworks/notice
+
+redef Notice::mail_dest = "user@example.net";
+redef Notice::mail_page_dest = "page@example.net";
+redef Notice::sendmail = "fake-sendmail";
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+event zeek_init()
+	{
+	NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]);
+	}
+
+hook Notice::policy(n: Notice::Info) &priority=1
+	{
+	add n$actions[Notice::ACTION_PAGE];
+	add n$actions[Notice::ACTION_EMAIL];
+	}

testing/btest/scripts/base/frameworks/notice/action-email.zeek

@@ -0,0 +1,21 @@
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: btest-diff sendmail.out
+
+@load base/frameworks/notice
+
+redef Notice::mail_dest = "user@example.net";
+redef Notice::sendmail = "fake-sendmail";
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+event zeek_init()
+	{
+	NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]);
+	}
+
+hook Notice::policy(n: Notice::Info) &priority=1
+	{
+	add n$actions[Notice::ACTION_EMAIL];
+	}

testing/btest/scripts/base/frameworks/notice/action-page-with-hostnames.zeek

@@ -0,0 +1,23 @@
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: btest-diff sendmail.out
+
+@load base/frameworks/notice
+@load frameworks/notice/extend-email/hostnames
+
+redef Notice::mail_dest = "user@example.net";
+redef Notice::mail_page_dest = "page@example.net";
+redef Notice::sendmail = "fake-sendmail";
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+event zeek_init()
+	{
+	NOTICE([$note=Test_Notice, $msg="test", $identifier="static", $src=1.1.1.1, $dst=[::1]]);
+	}
+
+hook Notice::policy(n: Notice::Info) &priority=1
+	{
+	add n$actions[Notice::ACTION_PAGE];
+	}

testing/btest/scripts/base/frameworks/notice/action-page.zeek

@@ -0,0 +1,22 @@
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: btest-diff sendmail.out
+
+@load base/frameworks/notice
+
+redef Notice::mail_dest = "user@example.net";
+redef Notice::mail_page_dest = "page@example.net";
+redef Notice::sendmail = "fake-sendmail";
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+event zeek_init()
+	{
+	NOTICE([$note=Test_Notice, $msg="test", $identifier="static"]);
+	}
+
+hook Notice::policy(n: Notice::Info) &priority=1
+	{
+	add n$actions[Notice::ACTION_PAGE];
+	}

testing/btest/scripts/base/frameworks/sumstats/sample-cluster.zeek

@@ -5,7 +5,8 @@
 # @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek -b %INPUT
 # @TEST-EXEC: btest-bg-run worker-1  ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -b %INPUT
 # @TEST-EXEC: btest-bg-run worker-2  ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-2 zeek -b %INPUT
-# @TEST-EXEC: btest-bg-wait 45
+# This timeout needs to be large to accommodate ZAM compilation delays.
+# @TEST-EXEC: btest-bg-wait 90
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout
 
 @load base/frameworks/sumstats

testing/btest/scripts/base/protocols/ssh/set_version.zeek

@@ -0,0 +1,117 @@
+# @TEST-EXEC: zeek -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+@load base/bif/event.bif.zeek
+@load base/protocols/ssh
+
+module SSH;
+
+# Creates a mock connection. This connection is good enough for e.g.,
+# `SSH::set_version`, but not in line with what Zeek considers active
+# connections.
+function make_conn(server: string, client: string): connection
+	{
+	local c: connection;
+	c$uid = "uid";
+
+	local id: conn_id;
+	id$orig_h = 127.0.0.1;
+	id$resp_h = 127.0.0.1;
+	id$orig_p = 40/tcp;
+	id$resp_p = 40/tcp;
+	c$id = id;
+
+	local ssh: SSH::Info;
+	ssh$ts = network_time();
+	ssh$server = server;
+	ssh$client = client;
+	c$ssh = ssh;
+
+	SSH::set_session(c);
+
+	delete c$ssh$version;
+	return c;
+	}
+
+# While `SSH::set_version` triggers a `conn_weird` we are dealing with mock
+# connections which since they are injected are always considered expired by
+# Zeek.
+event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string, source: string)
+	{
+	print "conn_weird:", name, id, addl, source;
+	}
+
+const v1 = "SSH-1.5-OpenSSH_6.2";
+const v199 = "SSH-1.99-OpenSSH_3.1p1";
+const v2 = "SSH-2.0-OpenSSH_5.9";
+
+event zeek_init()
+	{
+	local c: connection;
+
+	# Good cases.
+		{
+		# SSH1 vs SSH1 -> 1.
+		c = make_conn(v1, v1);
+		SSH::set_version(c);
+		print "SSH1 vs SSH1", c$ssh$version;
+
+		# SSH199 vs SSH1 -> 1.
+		c = make_conn(v1, v199);
+		SSH::set_version(c);
+		print "SSH199 vs SSH1", c$ssh$version; # 1.
+
+		# SSH2 vs SSH2 -> 2.
+		c = make_conn(v2, v2);
+		SSH::set_version(c);
+		print "SSH2 vs SSH2", c$ssh$version; # 2.
+
+		# SSH199 vs SSH2 -> 2.
+		c = make_conn(v2, v199);
+		SSH::set_version(c);
+		print "SSH199 vs SSH2", c$ssh$version; # 2.
+		}
+
+	# Error cases.
+		{
+		# Unset vs unset -> unset.
+		c = make_conn("", "");
+		c$ssh$version = 42;
+		SSH::set_version(c);
+		print "unset vs unset", c$ssh?$version; # Unset.
+
+		# Client unset.
+		c = make_conn(v2, "");
+		c$ssh$version = 42;
+		SSH::set_version(c);
+		print "client unset", c$ssh?$version; # Unset.
+
+		# Server unset.
+		c = make_conn("", v2);
+		c$ssh$version = 42;
+		SSH::set_version(c);
+		print "server unset", c$ssh?$version; # Unset.
+
+		# Unable to extract full server version.
+		c = make_conn("SSH", v1);
+		c$ssh$version = 42;
+		SSH::set_version(c);
+		print "incomplete server version", c$ssh?$version;
+
+		# Unable to extract full client version.
+		c = make_conn(v1, "SSH");
+		c$ssh$version = 42;
+		SSH::set_version(c);
+		print "incomplete client version", c$ssh?$version;
+
+		# SSH1 vs SSH2.
+		c = make_conn(v1, v2);
+		SSH::set_version(c);
+		print "SSH1 vs SSH2", c$ssh?$version; # Unset.
+
+		# SSH2 vs SSH1.
+		c = make_conn(v2, v1);
+		SSH::set_version(c);
+		print "SSH2 vs SSH1", c$ssh?$version; # Unset.
+		}
+	}