mirror of
https://github.com/zeek/zeek.git
synced 2025-10-11 11:08:20 +00:00
93fac7a4be
(bug in PutTable when the table contained only one element and that element should not be wrapped into a record)
83 lines
1.4 KiB
Text
83 lines
1.4 KiB
Text
#
|
|
# @TEST-EXEC: bro %INPUT >out
|
|
# @TEST-EXEC: btest-diff out
|
|
#
|
|
# only difference from predicate.bro is, that this one uses a stream source.
|
|
# the reason is, that the code-paths are quite different, because then the ascii reader uses the put and not the sendevent interface
|
|
|
|
@TEST-START-FILE input.log
|
|
#separator \x09
|
|
#path ssh
|
|
#fields i b
|
|
#types int bool
|
|
1 T
|
|
2 T
|
|
3 F
|
|
4 F
|
|
5 F
|
|
6 F
|
|
7 T
|
|
@TEST-END-FILE
|
|
|
|
redef InputAscii::empty_field = "EMPTY";
|
|
|
|
module A;
|
|
|
|
export {
|
|
redef enum Input::ID += { INPUT };
|
|
}
|
|
|
|
type Idx: record {
|
|
i: int;
|
|
};
|
|
|
|
type Val: record {
|
|
b: bool;
|
|
};
|
|
|
|
global servers: table[int] of Val = table();
|
|
global ct: int;
|
|
|
|
event line(tpe: Input::Event, left: Idx, right: bool) {
|
|
ct = ct + 1;
|
|
if ( ct < 3 ) {
|
|
return;
|
|
}
|
|
if ( ct > 3 ) {
|
|
print "Too many events";
|
|
return;
|
|
}
|
|
|
|
if ( 1 in servers ) {
|
|
print "VALID";
|
|
}
|
|
if ( 2 in servers ) {
|
|
print "VALID";
|
|
}
|
|
if ( !(3 in servers) ) {
|
|
print "VALID";
|
|
}
|
|
if ( !(4 in servers) ) {
|
|
print "VALID";
|
|
}
|
|
if ( !(5 in servers) ) {
|
|
print "VALID";
|
|
}
|
|
if ( !(6 in servers) ) {
|
|
print "VALID";
|
|
}
|
|
if ( 7 in servers ) {
|
|
print "VALID";
|
|
}
|
|
}
|
|
|
|
event bro_init()
|
|
{
|
|
ct = 0;
|
|
# first read in the old stuff into the table...
|
|
Input::create_stream(A::INPUT, [$source="input.log", $mode=Input::STREAM]);
|
|
Input::add_tablefilter(A::INPUT, [$name="input", $idx=Idx, $val=Val, $destination=servers, $want_record=F, $ev=line,
|
|
$pred(typ: Input::Event, left: Idx, right: bool) = { return right; }
|
|
]);
|
|
}
|
|
|