Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

btest/core: Add tests for connection$endpoint updates

Browse source
This commit is contained in:
Arne Welzel 2025-08-24 16:48:48 +02:00
parent 629069f1b6
commit f4063f3ca9
5 changed files with 124 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
testing/btest/Baseline/core.conn-size-endpoint-update-timer/out Normal file
View file

@ -0,0 +1,14 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
1112172470.501268, new_connection, CHhAvVGS1DHFjwGM9
1112172470.501268, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 1, resp num_pkts, 0, pkts_recvd, 1
1112172487.320873, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 3, resp num_pkts, 2, pkts_recvd, 5
1112172558.685951, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 4, resp num_pkts, 3, pkts_recvd, 7
1112172575.461181, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 5, resp num_pkts, 4, pkts_recvd, 9
1112172635.52344, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 6, resp num_pkts, 5, pkts_recvd, 11
1112172654.349862, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 8, resp num_pkts, 7, pkts_recvd, 15
1112172695.204348, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 9, resp num_pkts, 8, pkts_recvd, 17
1112172706.819984, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 10, resp num_pkts, 9, pkts_recvd, 19
1112172737.66078, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 11, resp num_pkts, 10, pkts_recvd, 21
1112172737.733384, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 11, resp num_pkts, 11, pkts_recvd, 22
1112172737.733384, connection_state_remove, CHhAvVGS1DHFjwGM9
1112172737.733384, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 11, resp num_pkts, 11, pkts_recvd, 22

37
testing/btest/Baseline/core.conn-size-endpoint-update/out Normal file
View file

@ -0,0 +1,37 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
==== zeek_init, syn.pcap
new_connection, CHhAvVGS1DHFjwGM9
orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
connection_SYN_packet, CHhAvVGS1DHFjwGM9, orig
orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
connection_state_remove, CHhAvVGS1DHFjwGM9
orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
==== zeek_init, synack.pcap
new_connection, CHhAvVGS1DHFjwGM9
orig, [size=0, state=2, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
connection_SYN_packet, CHhAvVGS1DHFjwGM9, orig
orig, [size=0, state=2, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
connection_state_remove, CHhAvVGS1DHFjwGM9
orig, [size=0, state=2, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
==== zeek_init, get.trace
new_connection, CHhAvVGS1DHFjwGM9
orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
connection_SYN_packet, CHhAvVGS1DHFjwGM9, orig
orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
connection_SYN_packet, CHhAvVGS1DHFjwGM9, resp
orig, [size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
resp, [size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
connection_established, CHhAvVGS1DHFjwGM9
orig, [size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
resp, [size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
connection_state_remove, CHhAvVGS1DHFjwGM9
orig, [size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
resp, [size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef]

BIN
testing/btest/Traces/tcp/synack.pcap Normal file
View file

Binary file not shown.

32
testing/btest/core/conn-size-endpoint-update-timer.zeek Normal file
View file

@ -0,0 +1,32 @@
# @TEST-DOC: Ensure that a connection's orig and resp records have up-to-date data when accessing the connection within a timer event.
#
# @TEST-EXEC: zeek -b -r $TRACES/dns/long-connection.pcap %INPUT >> out
#
# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out
@load base/protocols/conn
redef udp_inactivity_timeout = 30min;
event print_connection(c: connection)
{
print network_time(), "print_connection", c$uid, "orig num_pkts", c$orig$num_pkts, "resp num_pkts", c$resp$num_pkts, "pkts_recvd", get_net_stats()$pkts_recvd;
if ( connection_exists(c$id) )
schedule 10sec { print_connection(c) };
}
event new_connection(c: connection)
{
print network_time(), "new_connection", c$uid;
event print_connection(c);
}
event connection_state_remove(c: connection)
{
print network_time(), "connection_state_remove", c$uid;
# Print it once more!
event print_connection(c);
}

41
testing/btest/core/conn-size-endpoint-update.zeek Normal file
View file

@ -0,0 +1,41 @@
# @TEST-DOC: Ensure that a connection's orig and resp records have up-to-date data
# @TEST-EXEC: zeek -b -r $TRACES/tcp/syn.pcap %INPUT >> out
# @TEST-EXEC: zeek -b -r $TRACES/tcp/synack.pcap %INPUT >> out
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >> out
#
# @TEST-EXEC: btest-diff out
event zeek_init()
{
print "==== zeek_init", split_string(packet_source()$path, /\//)[-1];
}
event new_connection(c: connection)
{
print "new_connection", c$uid;
print " orig", c$orig;
print " resp", c$resp;
}
event connection_SYN_packet(c: connection, pkt: SYN_packet)
{
print "connection_SYN_packet", c$uid, pkt$is_orig ? "orig" : "resp";
print " orig", c$orig;
print " resp", c$resp;
}
event connection_established(c: connection)
{
print "connection_established", c$uid;
print " orig", c$orig;
print " resp", c$resp;
}
event connection_state_remove(c: connection)
{
print "connection_state_remove", c$uid;
print " orig", c$orig;
print " resp", c$resp;
}