Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/testing/btest/spicy/tcp-eod-behavior.zeek
Johanna Amann 130c89a0a7 dpd->analyzer.log change - rename files 
To address review feedback in GH-4362: rename analyzer-failed-log.zeek
to loggig.zeek, analyzer-debug-log.zeek to debug-logging.zeek and
dpd-log.zeek to deprecated-dpd-log.zeek.

Includes respective test, NEWS, etc updates.
2025-06-03 16:32:52 +01:00

111 lines
4.2 KiB
Text
Raw Blame History

# @TEST-REQUIRES: have-spicy
#
# @TEST-DOC: Exercise end-of-data behavior for combinations of units expected certain amounts and regular vs non-regular connection termination.
#
# @TEST-EXEC: spicyz -d -o foo-16.hlto test.spicy foo-16.evt
# @TEST-EXEC: spicyz -d -o foo-136.hlto test.spicy foo-136.evt
# @TEST-EXEC: spicyz -d -o foo-1024.hlto test.spicy foo-1024.evt
# @TEST-EXEC: spicyz -d -o foo-eod.hlto test.spicy foo-eod.evt
# @TEST-EXEC: echo "=== Too much data, regular FINs (expect event output)" >>output-16-fins
# @TEST-EXEC: rm -f analyzer_debug.log && zeek -b -r ${TRACES}/http/get.trace Zeek::Spicy foo-16.hlto %INPUT >>output-16-fins
# @TEST-EXEC: test '!' -f analyzer_debug.log
# @TEST-EXEC: btest-diff output-16-fins
# @TEST-EXEC: echo "=== Too much data, missing FINs (expect event output)" >>output-16-no-fins
# @TEST-EXEC: rm -f analyzer_debug.log && zeek -b -r ${TRACES}/http/get-without-fins.trace Zeek::Spicy foo-16.hlto %INPUT >>output-16-no-fins
# @TEST-EXEC: test '!' -f analyzer_debug.log
# @TEST-EXEC: btest-diff output-16-no-fins
# @TEST-EXEC: echo "=== Exact data, regular FINs (expect event output)" >>output-136-fins
# @TEST-EXEC: rm -f analyzer_debug.log && zeek -b -r ${TRACES}/http/get.trace Zeek::Spicy foo-136.hlto %INPUT >>output-136-fins
# @TEST-EXEC: test '!' -f analyzer_debug.log
# @TEST-EXEC: btest-diff output-136-fins
# @TEST-EXEC: echo "=== Exact data, missing FINs (expect event output)" >>output-136-no-fins
# @TEST-EXEC: rm -f analyzer_debug.log && zeek -b -r ${TRACES}/http/get-without-fins.trace Zeek::Spicy foo-136.hlto %INPUT >>output-136-no-fins
# @TEST-EXEC: test '!' -f analyzer_debug.log
# @TEST-EXEC: btest-diff output-136-no-fins
# @TEST-EXEC: echo "=== Not enough data, regular FINs (expect analyzer error)" >>output-1024-fins
# @TEST-EXEC: rm -f analyzer_debug.log && zeek -b -r ${TRACES}/http/get.trace Zeek::Spicy foo-1024.hlto %INPUT >>output-1024-fins
# @TEST-EXEC: test -f analyzer_debug.log && zeek-cut failure_reason <analyzer_debug.log | diff-remove-abspath >>output-1024-fins
# @TEST-EXEC: btest-diff output-1024-fins
# @TEST-EXEC: echo "=== Not enough data, missing FINs (expect no output)" >>output-1024-no-fins
# @TEST-EXEC: rm -f analyzer_debug.log && zeek -b -r ${TRACES}/http/get-without-fins.trace Zeek::Spicy foo-1024.hlto %INPUT >>output-1024-no-fins
# @TEST-EXEC: test '!' -f analyzer_debug.log
# @TEST-EXEC: btest-diff output-1024-no-fins
# @TEST-EXEC: echo "=== Until EOD, regular FINs (expect event output)" >>output-eod-fins
# @TEST-EXEC: rm -f analyzer_debug.log && zeek -b -r ${TRACES}/http/get.trace Zeek::Spicy foo-eod.hlto %INPUT >>output-eod-fins
# @TEST-EXEC: test '!' -f analyzer_debug.log
# @TEST-EXEC: btest-diff output-eod-fins
# @TEST-EXEC: echo "=== Until EOD, missing FINs (expect no output)" >>output-eod-no-fins
# @TEST-EXEC: rm -f analyzer_debug.log && zeek -b -r ${TRACES}/http/get-without-fins.trace Zeek::Spicy foo-eod.hlto %INPUT >>output-eod-no-fins
# @TEST-EXEC: test '!' -f analyzer_debug.log
# @TEST-EXEC: btest-diff output-eod-no-fins
@load frameworks/analyzer/debug-logging.zeek
redef Analyzer::DebugLogging::include_confirmations = F;
redef Analyzer::DebugLogging::include_disabling = F;
event Test::foo() {
print "event foo()";
}
# @TEST-START-FILE test.spicy
module Test;
public type Foo16 = unit {
: bytes &size=16;
};
public type Foo136 = unit {
: bytes &size=136;
};
public type Foo1024 = unit {
: bytes &size=1024;
};
public type FooEOD = unit {
: bytes &eod;
};
# @TEST-END-FILE
# @TEST-START-FILE foo-16.evt
protocol analyzer spicy::Foo over TCP:
parse originator with Test::Foo16,
port 80/tcp;
on Test::Foo16 -> event Test::foo();
# @TEST-END-FILE
# @TEST-START-FILE foo-136.evt
protocol analyzer spicy::Foo over TCP:
parse originator with Test::Foo136,
port 80/tcp;
on Test::Foo136 -> event Test::foo();
# @TEST-END-FILE
# @TEST-START-FILE foo-1024.evt
protocol analyzer spicy::Foo over TCP:
parse originator with Test::Foo1024,
port 80/tcp;
on Test::Foo1024 -> event Test::foo();
# @TEST-END-FILE
# @TEST-START-FILE foo-eod.evt
protocol analyzer spicy::Foo over TCP:
parse originator with Test::FooEOD,
port 80/tcp;
on Test::FooEOD -> event Test::foo();
# @TEST-END-FILE
Reference in a new issue View git blame Copy permalink