Merge remote-tracking branch 'origin/topic/jsiwek/reorg-followup'

Seth Hall 2011-08-25 16:44:31 -04:00
commit fc5f22cb5d
234 changed files with 295 additions and 104 deletions


@ -0,0 +1,33 @@
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh-new-default.log
# @TEST-EXEC: test '!' -e ssh.log
module SSH;
export {
# Create a new ID for our log stream
redef enum Log::ID += { SSH };
# Define a record with all the columns the log file can have.
# (I'm using a subset of fields from ssh-ext for demonstration.)
type Info: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Info]);
local filter = Log::get_filter(SSH, "default");
filter$path= "ssh-new-default";
Log::add_filter(SSH, filter);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
}


@ -0,0 +1,25 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Info: record {
data: string;
data2: string;
} &log;
}
redef LogAscii::separator = "|";
event bro_init()
{
Log::create_stream(SSH, [$columns=Info]);
Log::write(SSH, [$data="abc\n\xffdef", $data2="DATA2"]);
Log::write(SSH, [$data="abc|\xffdef", $data2="DATA2"]);
Log::write(SSH, [$data="abc\xff|def", $data2="DATA2"]);
}
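Review bot: The three writes cover an embedded newline, the separator and a `\xff` byte in `data`, but no value begins with the header prefix character and none equals the writer's unset or empty placeholder. Those are the inputs where a log consumer could mistake a field value for writer metadata or for an absent field, which matters once a column carries traffic-derived strings. I would add a record such as `Log::write(SSH, [$data="#abc", $data2="DATA2"]);` and pin its rendering in the baseline. Whether the writer escapes such values today is not visible from this file.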


@ -0,0 +1,38 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
redef LogAscii::output_to_stdout = F;
redef LogAscii::separator = "|";
redef LogAscii::empty_field = "EMPTY";
redef LogAscii::unset_field = "NOT-SET";
redef LogAscii::header_prefix = "PREFIX<>";
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
b: bool &optional;
} &log;
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $b=T, $status="failure", $country=""]);
}
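Review bot: Naming the column record `Log` inside `module SSH` makes `[$columns=Log]` in the `create_stream` call read like a reference to the `Log::` framework namespace that every other call in the body uses. The first test file in this commit names the same record `Info`, which avoids the clash. `type Info: record {` together with `[$columns=Info]` would keep the tests consistent. The same naming recurs in most of the later test files in this commit.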


@ -0,0 +1,32 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
redef LogAscii::separator = "||";
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="fa||ure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="su||ess", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}
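Review bot: The values `fa||ure` and `su||ess` only cover a field that contains the complete two-character separator. A lone `|`, or a value ending in `|` directly before the next separator, is not exercised. With a multi-character separator those are the inputs where escaping can leave a line that splits into the wrong number of columns. One more record such as `Log::write(SSH, [$t=network_time(), $id=cid, $status="fail|", $country="UK"]);` would pin that case in the baseline.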


@ -0,0 +1,35 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
redef LogAscii::output_to_stdout = F;
redef LogAscii::separator = "|";
redef LogAscii::include_header = F;
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}


@ -0,0 +1,27 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff test.log
module Test;
export {
redef enum Log::ID += { TEST };
type Info: record {
data: time &log;
};
}
event bro_init()
{
Log::create_stream(TEST, [$columns=Info]);
Log::write(TEST, [$data=double_to_time(1234567890)]);
Log::write(TEST, [$data=double_to_time(1234567890.0)]);
Log::write(TEST, [$data=double_to_time(1234567890.01)]);
Log::write(TEST, [$data=double_to_time(1234567890.001)]);
Log::write(TEST, [$data=double_to_time(1234567890.0001)]);
Log::write(TEST, [$data=double_to_time(1234567890.00001)]);
Log::write(TEST, [$data=double_to_time(1234567890.000001)]);
Log::write(TEST, [$data=double_to_time(1234567890.0000001)]);
}
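Review bot: The final write, `double_to_time(1234567890.0000001)`, asks for a tenth of a microsecond at a magnitude where adjacent doubles are about 2.4e-7 apart. Assuming the script-level `double` is an IEEE 754 double, that literal is already equal to `1234567890.0` before the writer sees it. The baseline line for it therefore checks literal rounding rather than writer precision, and a reader of the test cannot tell which was intended. A comment above that call would settle it, for example `# 1e-7 is below double resolution at this magnitude; expect the same output as 1234567890.0`.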


@ -0,0 +1,37 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id;
status: string &optional &log;
country: string &default="unknown" &log;
};
}
redef record Log += {
a1: count &log &optional;
a2: count &optional;
};
redef record Log += {
b1: count &optional;
b2: count &optional;
} &log;
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $a1=1, $a2=2, $b1=3, $b2=4]);
}
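Review bot: The file never states which columns the baseline should contain, although the difference between a per-field `&log` and a record-level `&log` on a `redef record` is exactly what it tests. If I read the attributes correctly, `t`, `id` and `a2` carry no `&log` and should be absent, while both fields of the second `redef` inherit it. A comment above the first `redef record Log +=` would make a baseline regression easy to judge, e.g. `# Expected columns: status, country, a1, b1, b2; t, id and a2 are not marked &log.`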


@ -0,0 +1,31 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id;
status: string &optional &log;
country: string &default="unknown" &log;
};
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}


@ -0,0 +1,33 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: test '!' -e ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
Log::disable_stream(SSH);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}


@ -0,0 +1,33 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
global log_ssh: event(rec: Log);
event bro_init()
{
Log::create_stream(SSH, [$columns=Log, $ev=log_ssh]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}


@ -0,0 +1,37 @@
# @TEST-EXEC: bro -b %INPUT >output
# @TEST-EXEC: btest-diff output
module SSH;
export {
# Create a new ID for our log stream
redef enum Log::ID += { SSH };
# Define a record with all the columns the log file can have.
# (I'm using a subset of fields from ssh-ext for demonstration.)
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
global ssh_log: event(rec: Log);
event bro_init()
{
Log::create_stream(SSH, [$columns=Log, $ev=ssh_log]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
local r: Log = [$t=network_time(), $id=cid, $status="success"];
Log::write(SSH, r);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
}
event ssh_log(rec: Log)
{
print rec;
}


@ -0,0 +1,34 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
Log::remove_default_filter(SSH);
Log::add_filter(SSH, [$name="f1", $exclude=set("t", "id.orig_h")]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}


@ -0,0 +1,23 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
f: file;
} &log;
}
const foo_log = open_log_file("Foo") &redef;
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
Log::write(SSH, [$t=network_time(), $f=foo_log]);
}


@ -0,0 +1,34 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
Log::remove_default_filter(SSH);
Log::add_filter(SSH, [$name="default", $include=set("t", "id.orig_h")]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}


@ -0,0 +1,33 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: test '!' -e ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
redef Log::enable_local_logging = F;
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}


@ -0,0 +1,48 @@
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: ( ls static-*; cat static-* ) >output
# @TEST-EXEC: btest-diff output
module SSH;
export {
# Create a new ID for our log stream
redef enum Log::ID += { SSH };
# Define a record with all the columns the log file can have.
# (I'm using a subset of fields from ssh-ext for demonstration.)
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
global c = -1;
function path_func(id: Log::ID, path: string, rec: Log) : string
{
c = (c + 1) % 3;
return fmt("%s-%d-%s", path, c, rec$country);
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
Log::remove_default_filter(SSH);
Log::add_filter(SSH, [$name="dyn", $path="static-prefix", $path_func=path_func]);
Log::set_buf(SSH, F);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX2"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX3"]);
}
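Review bot: `path_func` splices `rec$country` straight into the returned path, and nothing in the file says this is only safe because the test supplies the values itself. Test scripts tend to be copied as usage examples, and in a live script a record field usually originates from traffic, so it may contain path separators or other characters that do not belong in a file name. I would add a comment above the `return`, e.g. `# rec$country is fixed test data; restrict any traffic-derived field to a safe character set before using it in a path.`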


@ -0,0 +1,39 @@
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.success.log
# @TEST-EXEC: btest-diff ssh.failure.log
module SSH;
export {
# Create a new ID for our log stream
redef enum Log::ID += { SSH };
# Define a record with all the columns the log file can have.
# (I'm using a subset of fields from ssh-ext for demonstration.)
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
function fail(rec: Log): bool
{
return rec$status != "success";
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
Log::remove_default_filter(SSH);
Log::add_filter(SSH, [$name="f1", $path="ssh.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
Log::add_filter(SSH, [$name="f2", $path="ssh.failure", $pred=fail]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
local r: Log = [$t=network_time(), $id=cid, $status="success"];
Log::write(SSH, r);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
}
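Review bot: Both predicates read `rec$status` unconditionally although the record declares `status: string &optional`. A record written without a status would reach an unset-field access inside the filter predicate rather than simply being filtered. Guarding the access keeps the predicates total: `return rec?$status && rec$status != "success";` in `fail`, and the same `rec?$status &&` prefix in the inline predicate for `f1`. The predicates in the remote test and the filter-removal test later in this commit follow the same pattern.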


@ -0,0 +1,87 @@
#
# @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro
# @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro
# @TEST-EXEC: btest-bg-wait -k 1
# @TEST-EXEC: btest-diff receiver/test.log
# @TEST-EXEC: cmp receiver/test.log sender/test.log
# Remote version testing all types.
# This is the common part loaded by both sender and receiver.
redef LogAscii::empty_field = "EMPTY";
module Test;
export {
# Create a new ID for our log stream
redef enum Log::ID += { TEST };
type Log: record {
b: bool;
i: int;
e: Log::ID;
c: count;
p: port;
sn: subnet;
a: addr;
d: double;
t: time;
iv: interval;
s: string;
sc: set[count];
ss: set[string];
se: set[string];
vc: vector of count;
ve: vector of string;
} &log;
}
event bro_init()
{
Log::create_stream(TEST, [$columns=Log]);
}
#####
@TEST-START-FILE sender.bro
module Test;
@load frameworks/communication/listen-clear
event remote_connection_handshake_done(p: event_peer)
{
local empty_set: set[string];
local empty_vector: vector of string;
Log::write(TEST, [
$b=T,
$i=-42,
$e=TEST,
$c=21,
$p=123/tcp,
$sn=10.0.0.1/24,
$a=1.2.3.4,
$d=3.14,
$t=network_time(),
$iv=100secs,
$s="hurz",
$sc=set(1,2,3,4),
$ss=set("AA", "BB", "CC"),
$se=empty_set,
$vc=vector(10, 20, 30),
$ve=empty_vector
]);
}
@TEST-END-FILE
@TEST-START-FILE receiver.bro
#####
redef Communication::nodes += {
["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T]
};
@TEST-END-FILE
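Review bot: Sender and receiver are started back to back and `btest-bg-wait -k 1` bounds the run at one second, so the result depends on the receiver connecting, finishing the handshake and receiving the record within that window. The other remote test in this commit adds `# @TEST-EXEC: sleep 1` after each `btest-bg-run`, which at least gives the listener time to come up. I would add the same two lines here, or raise the wait timeout. Otherwise a loaded test host can yield an empty `receiver/test.log` that looks like a logging regression.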


@ -0,0 +1,75 @@
#
# @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro
# @TEST-EXEC: sleep 1
# @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro
# @TEST-EXEC: sleep 1
# @TEST-EXEC: btest-bg-wait -k 1
# @TEST-EXEC: btest-diff sender/test.log
# @TEST-EXEC: btest-diff sender/test.failure.log
# @TEST-EXEC: btest-diff sender/test.success.log
# @TEST-EXEC: cmp receiver/test.log sender/test.log
# @TEST-EXEC: cmp receiver/test.failure.log sender/test.failure.log
# @TEST-EXEC: cmp receiver/test.success.log sender/test.success.log
# This is the common part loaded by both sender and receiver.
module Test;
export {
# Create a new ID for our log stream
redef enum Log::ID += { TEST };
# Define a record with all the columns the log file can have.
# (I'm using a subset of fields from ssh-ext for demonstration.)
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
event bro_init()
{
Log::create_stream(TEST, [$columns=Log]);
Log::add_filter(TEST, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
}
#####
@TEST-START-FILE sender.bro
module Test;
@load frameworks/communication/listen-clear
function fail(rec: Log): bool
{
return rec$status != "success";
}
event remote_connection_handshake_done(p: event_peer)
{
Log::add_filter(TEST, [$name="f2", $path="test.failure", $pred=fail]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
local r: Log = [$t=network_time(), $id=cid, $status="success"];
# Log something.
Log::write(TEST, r);
Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(TEST, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}
@TEST-END-FILE
@TEST-START-FILE receiver.bro
#####
redef Communication::nodes += {
["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T]
};
@TEST-END-FILE


@ -0,0 +1,41 @@
#
# @TEST-EXEC: bro -b -B logging %INPUT
# @TEST-EXEC: btest-diff ssh.log
# @TEST-EXEC: btest-diff ssh.failure.log
module SSH;
export {
# Create a new ID for our log stream
redef enum Log::ID += { SSH };
# Define a record with all the columns the log file can have.
# (I'm using a subset of fields from ssh-ext for demonstration.)
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
Log::add_filter(SSH, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
# Log something.
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::remove_filter(SSH, "f1");
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="BR"]);
Log::remove_filter(SSH, "default");
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
Log::remove_filter(SSH, "doesn-not-exist");
}
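Review bot: The first TEST-EXEC line runs `bro -b -B logging %INPUT`, and as far as I know the `-B` debug-stream option exists only in debug builds, so on a regular build this test would fail for a reason unrelated to filter removal. Nothing in the test inspects the debug output, so `# @TEST-EXEC: bro -b %INPUT`, as in the sibling tests, should be enough. Separately, the filter name in the last call is spelled `doesn-not-exist`. Any unknown name works there, but `does-not-exist` states the intent more clearly.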


@ -0,0 +1,43 @@
#
# @TEST-EXEC: bro -b -r %DIR/rotation.trace %INPUT 2>&1 | egrep "test|test2" | sort >out
# @TEST-EXEC: for i in `ls test*.log | sort`; do printf '> %s\n' $i; cat $i; done | sort | uniq >>out
# @TEST-EXEC: btest-diff out
module Test;
export {
# Create a new ID for our log stream
redef enum Log::ID += { Test };
# Define a record with all the columns the log file can have.
# (I'm using a subset of fields from ssh-ext for demonstration.)
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
} &log;
}
redef Log::default_rotation_interval = 1hr;
redef Log::default_rotation_postprocessor_cmd = "echo 1st";
function custom_rotate(info: Log::RotationInfo) : bool
{
print "custom rotate", info;
return T;
}
redef Log::rotation_control += {
[Log::WRITER_ASCII, "test2"] = [$interv=30mins, $postprocessor=custom_rotate]
};
event bro_init()
{
Log::create_stream(Test, [$columns=Log]);
Log::add_filter(Test, [$name="2nd", $path="test2"]);
}
event new_connection(c: connection)
{
Log::write(Test, [$t=network_time(), $id=c$id]);
}
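Review bot: The second TEST-EXEC line iterates over the output of `ls test*.log | sort` in backticks and expands `$i` unquoted, so the loop word-splits whatever file names the rotation produced. A plain glob is already sorted and avoids parsing `ls`: `for i in test*.log; do printf '> %s\n' "$i"; cat "$i"; done | sort | uniq >>out`. The plain rotation test that follows also expands `$i` unquoted and would benefit from the same quoting.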


@ -0,0 +1,31 @@
#
# @TEST-EXEC: bro -r %DIR/rotation.trace %INPUT 2>&1 | grep "test" >out
# @TEST-EXEC: for i in test.*.log; do printf '> %s\n' $i; cat $i; done >>out
# @TEST-EXEC: btest-diff out
module Test;
export {
# Create a new ID for our log stream
redef enum Log::ID += { Test };
# Define a record with all the columns the log file can have.
# (I'm using a subset of fields from ssh-ext for demonstration.)
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
} &log;
}
redef Log::default_rotation_interval = 1hr;
redef Log::default_rotation_postprocessor_cmd = "echo";
event bro_init()
{
Log::create_stream(Test, [$columns=Log]);
}
event new_connection(c: connection)
{
Log::write(Test, [$t=network_time(), $id=c$id]);
}


@ -0,0 +1,36 @@
#
# @TEST-EXEC: bro -b %INPUT >output
# @TEST-EXEC: btest-diff output
# @TEST-EXEC: test '!' -e ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
local filter = Log::get_filter(SSH, "default");
filter$path= "/dev/stdout";
Log::add_filter(SSH, filter);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}


@ -0,0 +1,31 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
t: time;
id: conn_id; # Will be rolled out into individual columns.
status: string &optional;
country: string &default="unknown";
} &log;
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
}


@ -0,0 +1,70 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
#
# Testing all possible types.
redef LogAscii::empty_field = "EMPTY";
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
b: bool;
i: int;
e: Log::ID;
c: count;
p: port;
sn: subnet;
a: addr;
d: double;
t: time;
iv: interval;
s: string;
sc: set[count];
ss: set[string];
se: set[string];
vc: vector of count;
ve: vector of string;
f: function(i: count) : string;
} &log;
}
function foo(i : count) : string
{
if ( i > 0 )
return "Foo";
else
return "Bar";
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
local empty_set: set[string];
local empty_vector: vector of string;
Log::write(SSH, [
$b=T,
$i=-42,
$e=SSH,
$c=21,
$p=123/tcp,
$sn=10.0.0.1/24,
$a=1.2.3.4,
$d=3.14,
$t=network_time(),
$iv=100secs,
$s="hurz",
$sc=set(1,2,3,4),
$ss=set("AA", "BB", "CC"),
$se=empty_set,
$vc=vector(10, 20, 30),
$ve=empty_vector,
$f=foo
]);
}


@ -0,0 +1,28 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff testing.log
redef enum Log::ID += { TESTING };
type Foo: record {
val1: count;
val2: count;
} &log;
type Bar: record {
a: Foo &log &optional;
b: count &log;
};
event bro_init()
{
Log::create_stream(TESTING, [$columns=Bar]);
local x: Bar;
x = [$b=6];
Log::write(TESTING, x);
x = [$a=[$val1=1,$val2=2], $b=3];
Log::write(TESTING, x);
}


@ -0,0 +1,27 @@
#
# @TEST-EXEC: bro -b %INPUT
# @TEST-EXEC: btest-diff ssh.log
module SSH;
export {
redef enum Log::ID += { SSH };
type Log: record {
vec: vector of string &log;
};
}
event bro_init()
{
Log::create_stream(SSH, [$columns=Log]);
local v: vector of string;
v[1] = "2";
v[4] = "5";
Log::write(SSH, [$vec=v]);
}
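Review bot: The assignments `v[1] = "2";` and `v[4] = "5";` leave indices 2 and 3 unassigned, which appears to be the point of the test, but the file has no comment saying so. Without one, a later cleanup could fill the vector densely and silently drop coverage of how the writer renders holes. A comment above the two assignments would help, e.g. `# Leave gaps between the assigned indices to check how unset vector elements are logged.`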