mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 23:58:20 +00:00
f5aa5c3466
``` ## Tells Zeek to skip sending any further input data to the current analyzer. ## This is supported for protocol and file analyzers. public function skip_input() : void; ``` Closes #3443.
44 lines
1.1 KiB
Text
44 lines
1.1 KiB
Text
# @TEST-REQUIRES: have-spicy
|
|
#
|
|
# @TEST-EXEC: spicyz -d -o test.hlto test.spicy test.evt
|
|
# @TEST-EXEC: zeek -b -r ${TRACES}/dns/long-connection.pcap Zeek::Spicy test.hlto %INPUT "Spicy::enable_print = T;" >output
|
|
# @TEST-EXEC: btest-diff output
|
|
#
|
|
# @TEST-DOC: Validate that `skip_input` works for protocol analyzers.
|
|
|
|
redef likely_server_ports += { 53/udp }; # avoid flipping direction after termination
|
|
redef udp_inactivity_timeout = 24hrs; # avoid long gaps to trigger removal
|
|
|
|
event Test::foo() { print "event"; }
|
|
|
|
# @TEST-START-FILE test.spicy
|
|
module Test;
|
|
|
|
import zeek;
|
|
|
|
type Counter = tuple<counter: int64>;
|
|
|
|
public type Foo = unit {
|
|
%context = Counter;
|
|
|
|
data: bytes &eod;
|
|
|
|
on %done {
|
|
self.context().counter = self.context().counter + 1;
|
|
|
|
print self.context().counter, zeek::is_orig(), |self.data|;
|
|
|
|
if ( self.context().counter == 3 )
|
|
zeek::skip_input();
|
|
}
|
|
};
|
|
|
|
# @TEST-END-FILE
|
|
|
|
# @TEST-START-FILE test.evt
|
|
protocol analyzer spicy::Test over UDP:
|
|
port 53/udp,
|
|
parse with Test::Foo;
|
|
|
|
on Test::Foo -> event Test::foo();
|
|
# @TEST-END-FILE
|