test: Add btest verifying max_analyzer_violations functionality

The pcap has been generated roughly based on the example found on wikipedia with some added garbled response after the STAT command from the client.
2025-10-02 06:38:20 +00:00 · 2022-10-13 13:06:15 +02:00 · 2022-10-13 13:06:15 +02:00 · e688bfcf73
commit e688bfcf73
parent c58cdf407a
4 changed files with 59 additions and 0 deletions
--- a/testing/btest/Baseline/core.max-analyzer-violations/output
+++ b/testing/btest/Baseline/core.max-analyzer-violations/output
@ -0,0 +1,15 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 reply, CHhAvVGS1DHFjwGM9, OK, example.com POP3-Server
 request, CHhAvVGS1DHFjwGM9, USER, zeek@zeek.org
 reply, CHhAvVGS1DHFjwGM9, OK, Please enter your password
 request, CHhAvVGS1DHFjwGM9, PASS, zeek
 reply, CHhAvVGS1DHFjwGM9, OK, mailbox locked and ready
 request, CHhAvVGS1DHFjwGM9, STAT, 
 1, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (+)
 2, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (???)
 3, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (..)
 4, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (???)
 5, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (..x)
 reply, CHhAvVGS1DHFjwGM9, OK, 1 236
 request, CHhAvVGS1DHFjwGM9, QUIT, 
 reply, CHhAvVGS1DHFjwGM9, OK, Bye
--- a/testing/btest/Baseline/core.max-analyzer-violations/weird.log
+++ b/testing/btest/Baseline/core.max-analyzer-violations/weird.log
@ -0,0 +1,13 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
 #types	time	string	addr	port	addr	port	string	string	bool	string	string
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58246	127.0.0.1	110	pop3_server_command_unknown	-	F	zeek	POP3
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58246	127.0.0.1	110	line_terminated_with_single_CR	-	F	zeek	CONTENTLINE
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58246	127.0.0.1	110	too_many_analyzer_violations	-	F	zeek	POP3
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Traces/pop3-unknown-commands.pcap
+++ b/testing/btest/Traces/pop3-unknown-commands.pcap
--- a/testing/btest/core/max-analyzer-violations.zeek
+++ b/testing/btest/core/max-analyzer-violations.zeek
@ -0,0 +1,31 @@
 # @TEST-DOC: In the pcap, the server responds with 10 unknown server commands and analyzer_violation_info events are raised for each. Verify that setting max_analyzer_violations creates a weird and suppresses further analyzer violation events.
 # @TEST-EXEC: zeek -b -r $TRACES/pop3-unknown-commands.pcap %INPUT >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: btest-diff weird.log
@load base/protocols/pop3
@load base/frameworks/notice/weird
 # It would trigger 10
 redef max_analyzer_violations = 5;
 # Do not let DPD logic interfere with this test.
 redef DPD::ignore_violations += { Analyzer::ANALYZER_POP3 };
 global c = 0;
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
 	{
 	print ++c, "violation", atype, info$c$uid, info$aid, info$reason;
 	}
 event pop3_request(c: connection, is_orig: bool, command: string, arg: string)
 	{
 	print "request", c$uid, command, arg;
 	}
 event pop3_reply(c: connection, is_orig: bool, cmd: string, msg: string)
 	{
 	print "reply", c$uid, cmd, msg;
 	}