mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 23:28:20 +00:00
0e48fda6ff
Generally tried to make them more reliable and execute quicker. They all now load the listen script as a trick to make sure input sources are fully read, but also terminate() at appropriate times so that they don't take more time than needed. They're also all serialized with the 'comm' group so listening on a port doesn't interfere with the communication tests.
88 lines
2.4 KiB
Text
88 lines
2.4 KiB
Text
# (uses listen.bro just to ensure input sources are more reliably fully-read).
|
|
# @TEST-SERIALIZE: comm
|
|
#
|
|
# @TEST-EXEC: cp input1.log input.log
|
|
# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
|
|
# @TEST-EXEC: sleep 3
|
|
# @TEST-EXEC: cat input2.log >> input.log
|
|
# @TEST-EXEC: sleep 3
|
|
# @TEST-EXEC: cat input3.log >> input.log
|
|
# @TEST-EXEC: btest-bg-wait -k 5
|
|
# @TEST-EXEC: btest-diff out
|
|
|
|
@TEST-START-FILE input1.log
|
|
#separator \x09
|
|
#path ssh
|
|
#fields b i e c p sn a d t iv s sc ss se vc ve f
|
|
#types bool int enum count port subnet addr double time interval string table table table vector vector func
|
|
T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
|
|
@TEST-END-FILE
|
|
@TEST-START-FILE input2.log
|
|
T -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
|
|
@TEST-END-FILE
|
|
@TEST-START-FILE input3.log
|
|
F -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
|
|
@TEST-END-FILE
|
|
|
|
@load base/protocols/ssh
|
|
@load frameworks/communication/listen
|
|
|
|
redef InputAscii::empty_field = "EMPTY";
|
|
|
|
module A;
|
|
|
|
type Idx: record {
|
|
i: int;
|
|
};
|
|
|
|
type Val: record {
|
|
b: bool;
|
|
e: Log::ID;
|
|
c: count;
|
|
p: port;
|
|
sn: subnet;
|
|
a: addr;
|
|
d: double;
|
|
t: time;
|
|
iv: interval;
|
|
s: string;
|
|
sc: set[count];
|
|
ss: set[string];
|
|
se: set[string];
|
|
vc: vector of int;
|
|
ve: vector of int;
|
|
};
|
|
|
|
global servers: table[int] of Val = table();
|
|
|
|
global outfile: file;
|
|
|
|
global try: count;
|
|
|
|
event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val)
|
|
{
|
|
print outfile, "============EVENT============";
|
|
print outfile, tpe;
|
|
print outfile, left;
|
|
print outfile, right;
|
|
print outfile, "============SERVERS============";
|
|
print outfile, servers;
|
|
|
|
try = try + 1;
|
|
|
|
if ( try == 3 )
|
|
{
|
|
print outfile, "done";
|
|
close(outfile);
|
|
Input::remove("input");
|
|
terminate();
|
|
}
|
|
}
|
|
|
|
event bro_init()
|
|
{
|
|
outfile = open("../out");
|
|
try = 0;
|
|
# first read in the old stuff into the table...
|
|
Input::add_table([$source="../input.log", $mode=Input::STREAM, $name="ssh", $idx=Idx, $val=Val, $destination=servers, $ev=line]);
|
|
}
|