From f4063f3ca9303b5656c72c99704e102dcf76df8c Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Sun, 24 Aug 2025 16:48:48 +0200
Subject: [PATCH] btest/core: Add tests for connection$endpoint updates
---
.../core.conn-size-endpoint-update-timer/out | 14 ++++++
.../core.conn-size-endpoint-update/out | 37 ++++++++++++++++
testing/btest/Traces/tcp/synack.pcap | Bin 0 -> 114 bytes
.../core/conn-size-endpoint-update-timer.zeek | 32 ++++++++++++++
.../btest/core/conn-size-endpoint-update.zeek | 41 ++++++++++++++++++
5 files changed, 124 insertions(+)
create mode 100644 testing/btest/Baseline/core.conn-size-endpoint-update-timer/out
create mode 100644 testing/btest/Baseline/core.conn-size-endpoint-update/out
create mode 100644 testing/btest/Traces/tcp/synack.pcap
create mode 100644 testing/btest/core/conn-size-endpoint-update-timer.zeek
create mode 100644 testing/btest/core/conn-size-endpoint-update.zeek
diff --git a/testing/btest/Baseline/core.conn-size-endpoint-update-timer/out b/testing/btest/Baseline/core.conn-size-endpoint-update-timer/out
new file mode 100644
index 0000000000..9f774779d0
--- /dev/null
+++ b/testing/btest/Baseline/core.conn-size-endpoint-update-timer/out
@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+1112172470.501268, new_connection, CHhAvVGS1DHFjwGM9
+1112172470.501268, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 1, resp num_pkts, 0, pkts_recvd, 1
+1112172487.320873, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 3, resp num_pkts, 2, pkts_recvd, 5
+1112172558.685951, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 4, resp num_pkts, 3, pkts_recvd, 7
+1112172575.461181, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 5, resp num_pkts, 4, pkts_recvd, 9
+1112172635.52344, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 6, resp num_pkts, 5, pkts_recvd, 11
+1112172654.349862, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 8, resp num_pkts, 7, pkts_recvd, 15
+1112172695.204348, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 9, resp num_pkts, 8, pkts_recvd, 17
+1112172706.819984, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 10, resp num_pkts, 9, pkts_recvd, 19
+1112172737.66078, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 11, resp num_pkts, 10, pkts_recvd, 21
+1112172737.733384, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 11, resp num_pkts, 11, pkts_recvd, 22
+1112172737.733384, connection_state_remove, CHhAvVGS1DHFjwGM9
+1112172737.733384, print_connection, CHhAvVGS1DHFjwGM9, orig num_pkts, 11, resp num_pkts, 11, pkts_recvd, 22
diff --git a/testing/btest/Baseline/core.conn-size-endpoint-update/out b/testing/btest/Baseline/core.conn-size-endpoint-update/out
new file mode 100644
index 0000000000..64cd65346d
--- /dev/null
+++ b/testing/btest/Baseline/core.conn-size-endpoint-update/out
@@ -0,0 +1,37 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+==== zeek_init, syn.pcap
+new_connection, CHhAvVGS1DHFjwGM9
+ orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+ resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+connection_SYN_packet, CHhAvVGS1DHFjwGM9, orig
+ orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+ resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+connection_state_remove, CHhAvVGS1DHFjwGM9
+ orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+ resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+==== zeek_init, synack.pcap
+new_connection, CHhAvVGS1DHFjwGM9
+ orig, [size=0, state=2, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+ resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+connection_SYN_packet, CHhAvVGS1DHFjwGM9, orig
+ orig, [size=0, state=2, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+ resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+connection_state_remove, CHhAvVGS1DHFjwGM9
+ orig, [size=0, state=2, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+ resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+==== zeek_init, get.trace
+new_connection, CHhAvVGS1DHFjwGM9
+ orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+ resp, [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef]
+connection_SYN_packet, CHhAvVGS1DHFjwGM9, orig
+ orig, [size=0, state=1, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0]
+ resp, 
[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef] +connection_SYN_packet, CHhAvVGS1DHFjwGM9, resp + orig, [size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0] + resp, [size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef] +connection_established, CHhAvVGS1DHFjwGM9 + orig, [size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0] + resp, [size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef] +connection_state_remove, CHhAvVGS1DHFjwGM9 + orig, [size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0] + resp, [size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef] diff --git a/testing/btest/Traces/tcp/synack.pcap b/testing/btest/Traces/tcp/synack.pcap new file mode 100644 index 0000000000000000000000000000000000000000..56689cccd23de78acdc0db951a0063714c9884f6 GIT binary patch literal 114 zcmca|c+)~A1{MYw`2U}Qff2}A$7vbp6T-*f1!RNpi9IK#U0T2(aJ%EudkzLy1_m1j z1_uUxwz#wd({^k3_B~-`2zYs6>H2ea{}hd^7YJEQ&> out +# +# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out + +@load base/protocols/conn + +redef udp_inactivity_timeout = 30min; + +event print_connection(c: connection) + { + print network_time(), "print_connection", c$uid, "orig num_pkts", c$orig$num_pkts, "resp num_pkts", c$resp$num_pkts, "pkts_recvd", get_net_stats()$pkts_recvd; + + if ( connection_exists(c$id) ) + schedule 10sec { print_connection(c) }; + } + +event new_connection(c: connection) + { + print network_time(), "new_connection", c$uid; + + event print_connection(c); + } + +event connection_state_remove(c: connection) + { + print network_time(), "connection_state_remove", c$uid; + + # Print it once more! + event print_connection(c); + } 
diff --git a/testing/btest/core/conn-size-endpoint-update.zeek b/testing/btest/core/conn-size-endpoint-update.zeek
new file mode 100644
index 0000000000..6a6a147ccf
--- /dev/null
+++ b/testing/btest/core/conn-size-endpoint-update.zeek
@@ -0,0 +1,41 @@
+# @TEST-DOC: Ensure that a connection's orig and resp records have up-to-date data
+
+
+# @TEST-EXEC: zeek -b -r $TRACES/tcp/syn.pcap %INPUT >> out
+# @TEST-EXEC: zeek -b -r $TRACES/tcp/synack.pcap %INPUT >> out
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >> out
+#
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+ {
+ print "==== zeek_init", split_string(packet_source()$path, /\//)[-1];
+ }
+
+event new_connection(c: connection)
+ {
+ print "new_connection", c$uid;
+ print " orig", c$orig;
+ print " resp", c$resp;
+ }
+
+event connection_SYN_packet(c: connection, pkt: SYN_packet)
+ {
+ print "connection_SYN_packet", c$uid, pkt$is_orig ? "orig" : "resp";
+ print " orig", c$orig;
+ print " resp", c$resp;
+ }
+
+event connection_established(c: connection)
+ {
+ print "connection_established", c$uid;
+ print " orig", c$orig;
+ print " resp", c$resp;
+ }
+
+event connection_state_remove(c: connection)
+ {
+ print "connection_state_remove", c$uid;
+ print " orig", c$orig;
+ print " resp", c$resp;
+ }
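Review bot: Printing the whole `c$orig` and `c$resp` records (the `print " orig", c$orig` / `print " resp", c$resp` pairs repeated in all four handlers) pins the baseline to the complete `endpoint` record layout, including `l2_addr` and `flow_label`, so any field later added to `endpoint` fails this test even though the endpoint-update behaviour it is meant to document has not changed. Since the test is about the counters being current at event time, I would print only those fields through one shared helper, e.g. `print fmt(" orig size=%d state=%d num_pkts=%d num_bytes_ip=%d", c$orig$size, c$orig$state, c$orig$num_pkts, c$orig$num_bytes_ip);` and the same line for `c$resp` (this assumes `num_pkts`/`num_bytes_ip`, which are optional on `endpoint`, are always set here, as the baseline output shows), which also removes the three-line duplication across the handlers. The @TEST-DOC should say what "up-to-date" is being checked against, e.g. `# @TEST-DOC: Ensure c$orig/c$resp (size, state, num_pkts, num_bytes_ip) already reflect the packet that raised new_connection, connection_SYN_packet, connection_established and connection_state_remove`. The two consecutive blank lines right after the @TEST-DOC line look unintentional.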