mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
88 lines
2.4 KiB
Text
88 lines
2.4 KiB
Text
# @TEST-REQUIRES: have-spicy
|
|
# @TEST-REQUIRES: test "$($BUILD/zeek-config --build_type)" = "debug"
|
|
#
|
|
# @TEST-EXEC: spicyz -d -o text.hlto text.spicy ./text.evt
|
|
# @TEST-EXEC: zeek -r ${TRACES}/http/post.trace text.hlto %INPUT Spicy::enable_print=T | sort -k 3 >output
|
|
# @TEST-EXEC: btest-diff output
|
|
# @TEST-EXEC: cat files.log | zeek-cut source analyzers filename mime_type >files
|
|
# @TEST-EXEC: btest-diff files
|
|
#
|
|
# Check that exceeding max-file-depth leads to aborting and an event.
|
|
# @TEST-EXEC: zeek -t /tmp/zeek.trace -r ${TRACES}/http/post.trace text.hlto %INPUT Spicy::max_file_depth=2 | sort -k 3 >output-max
|
|
# @TEST-EXEC: cat notice.log | zeek-cut note | grep -q "Spicy_Max_File_Depth_Exceeded"
|
|
# @TEST-EXEC: btest-diff output-max
|
|
|
|
event text::data1(f: fa_file, data: string)
|
|
{
|
|
print "data1", f$id, data;
|
|
}
|
|
|
|
event text::data2(f: fa_file, data: string)
|
|
{
|
|
print "data2", f$id, data;
|
|
}
|
|
|
|
event text::data3(f: fa_file, data: string)
|
|
{
|
|
print "data3", f$id, data;
|
|
}
|
|
|
|
event Spicy::max_file_depth_exceeded(f: fa_file, args: Files::AnalyzerArgs, limit: count)
|
|
{
|
|
print "depth warning", f$id, args, limit;
|
|
}
|
|
|
|
# @TEST-START-FILE text.spicy
|
|
module Text;
|
|
|
|
import zeek;
|
|
import zeek_file;
|
|
|
|
# This unit uses the zeek_file::File wrapper to pass data into Zeek's file analysis.
|
|
public type Data1 = unit {
|
|
on %init {
|
|
self.content.connect(new zeek_file::File("text/plain2"));
|
|
self.content.write(b"from 1:");
|
|
}
|
|
|
|
data: bytes &eod -> self.content;
|
|
|
|
sink content;
|
|
};
|
|
|
|
# This unit passes data into Zeek's file analysis directly, without the File wrapper.
|
|
public type Data2 = unit {
|
|
data: bytes &eod {
|
|
zeek::file_begin("text/plain3");
|
|
zeek::file_data_in(b"from 2a:" + self.data);
|
|
zeek::file_end();
|
|
|
|
zeek::file_begin("text/plain3");
|
|
zeek::file_data_in(b"from 2b:" + self.data);
|
|
zeek::file_end();
|
|
}
|
|
};
|
|
|
|
public type Data3 = unit {
|
|
data: bytes &eod;
|
|
};
|
|
# @TEST-END-FILE
|
|
|
|
# @TEST-START-FILE text.evt
|
|
|
|
file analyzer spicy::Text1:
|
|
parse with Text::Data1,
|
|
mime-type text/plain;
|
|
|
|
file analyzer spicy::Text2:
|
|
parse with Text::Data2,
|
|
mime-type text/plain2;
|
|
|
|
file analyzer spicy::Text3:
|
|
parse with Text::Data3,
|
|
mime-type text/plain3;
|
|
|
|
on Text::Data1 -> event text::data1($file, self.data);
|
|
on Text::Data2 -> event text::data2($file, self.data);
|
|
on Text::Data3 -> event text::data3($file, self.data);
|
|
# @TEST-END-FILE
|