Merge remote-tracking branch 'origin/topic/christian/sync-ignore_checksums-from-cli'

* origin/topic/christian/sync-ignore_checksums-from-cli:
  Given the -C flag, set script-layer ignore_checksums to true.
  Add btest for "-C" flag vs the script-layer ignore_checksums global.
Arne Welzel 2023-04-25 12:39:01 +02:00
commit e856e953b8
12 changed files with 79 additions and 4 deletions


@ -1,3 +1,9 @@
6.0.0-dev.421 | 2023-04-25 12:39:01 +0200
* Given the -C flag, set script-layer ignore_checksums to true. (Christian Kreibich, Corelight)
* Remove references to bro_broker in broker/Manager.h (Tim Wojtulewicz, Corelight)
6.0.0-dev.416 | 2023-04-24 18:22:27 +0200 6.0.0-dev.416 | 2023-04-24 18:22:27 +0200
* Add irc_dcc_send_ack event and fix missing fields (Fupeng Zhao) * Add irc_dcc_send_ack event and fix missing fields (Fupeng Zhao)

3
NEWS

@ -277,6 +277,9 @@ Changed Functionality
- The IRC base script now use ``file_sniff()`` instead of ``file_new()`` for - The IRC base script now use ``file_sniff()`` instead of ``file_new()`` for
DCC file transfers to capture ``fuid`` and inferred MIME type in irc.log. DCC file transfers to capture ``fuid`` and inferred MIME type in irc.log.
- The ``ignore_checksums`` script variable now reflects the correct value
when using the ``-C`` command-line flag.
Removed Functionality Removed Functionality
--------------------- ---------------------


@ -1 +1 @@
6.0.0-dev.416 6.0.0-dev.421


@ -1010,6 +1010,17 @@ SetupResult setup(int argc, char** argv, Options* zopts)
exit(0); exit(0);
} }
if ( options.ignore_checksums )
{
const auto& id = global_scope()->Find("ignore_checksums");
if ( ! id )
reporter->InternalError("global ignore_checksums not defined");
id->SetVal(zeek::val_mgr->True());
ignore_checksums = 1;
}
// Print the ID. // Print the ID.
if ( options.identifier_to_print ) if ( options.identifier_to_print )
{ {
@ -1082,9 +1093,6 @@ SetupResult setup(int argc, char** argv, Options* zopts)
g_frame_stack.pop_back(); g_frame_stack.pop_back();
} }
if ( options.ignore_checksums )
ignore_checksums = 1;
if ( zeek_script_loaded ) if ( zeek_script_loaded )
{ {
// Queue events reporting loaded scripts. // Queue events reporting loaded scripts.
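Review bot: The new block at the top of the first hunk sets the script-layer `ignore_checksums` ID without a comment saying why it lives here rather than at the later spot the second hunk removes, and that placement is exactly what the accompanying btest relies on. A short comment would keep the intent with the code, e.g. `// Mirror -C into the script-layer ignore_checksums global: after script parsing so -C overrides any redef (including CLI ones), but before -I printing and zeek_init() so scripts observe the effective value.` — the before/after ordering is inferred from the btest cases, so confirm it against where setup() finishes parsing. It is also worth stating in that comment that `SetVal()` replaces the script value unconditionally, so a script-level `redef ignore_checksums=F` is silently overridden when -C is given; the test treats this as intended. setup() begins and ends outside these hunks.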


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
F
bad_IP_checksum


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
T


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
T


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
T


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
T


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
T


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ignore_checksums : bool = T &redef


@ -0,0 +1,43 @@
# This verifies the interaction between the -C flag and the script-layer
# ignore_checksums global.
#
# Normal use: checksums not ignored, weird-event triggers
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip4-bad-chksum.pcap %INPUT >out1
# @TEST-EXEC: btest-diff out1
#
# Redef to T works: checksums now ignored, no weird-event.
# @TEST-EXEC: zeek -b -r $TRACES/chksums/ip4-bad-chksum.pcap %INPUT ignore_checksums=T >out2
# @TEST-EXEC: btest-diff out2
#
# "-C" leads to ignore_checksum = T.
# @TEST-EXEC: zeek -C -b -r $TRACES/chksums/ip4-bad-chksum.pcap %INPUT >out3
# @TEST-EXEC: btest-diff out3
#
# "-C" has final say over CLI-based redef.
# @TEST-EXEC: zeek -C -b -r $TRACES/chksums/ip4-bad-chksum.pcap %INPUT ignore_checksums=F >out4
# @TEST-EXEC: btest-diff out4
#
# "-C" applies before global statements, including those given at CLI.
# @TEST-EXEC: zeek -C -e 'print ignore_checksums' >out5
# @TEST-EXEC: btest-diff out5
#
# "-C" applies after declarations, including those given at the CLI.
# @TEST-EXEC: zeek -C -e 'redef ignore_checksums=F' %INPUT >out6
# @TEST-EXEC: btest-diff out6
#
# "-C" applies before the print-id feature.
# @TEST-EXEC: zeek -C -I ignore_checksums >out7
# @TEST-EXEC: btest-diff out7
@load base/frameworks/notice/weird
event zeek_init()
{
print ignore_checksums;
}
event flow_weird(name: string, src: addr, dst: addr, addl: string, source: string)
{
if ( name == "bad_IP_checksum" )
print name;
}
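Review bot: The comment introducing the third case, `# "-C" leads to ignore_checksum = T.`, misspells the global; it should read `# "-C" leads to ignore_checksums = T.` so the case is found when grepping for the variable. The `out7` baseline pins the exact text that `-I` prints (`ignore_checksums : bool = T &redef`), so a change to print-id formatting will fail this test even though checksum handling is unchanged; a one-line comment above that case noting the dependency would make such a failure quicker to diagnose. The remaining cases read cleanly and each maps to one baseline file.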