mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
a4af46e1f4
- All 5 intelligence tests pass. - Some initial memory optimizations done. - More work needs done to reduce duplicate data in memory. - Input framework integration. - Define files to read in the "Bro intelligence format" in Intel::read_files. - Cluster transparency. - DNS Zones are a fully supported data type. - Queries for Intel::DOMAIN values will automatically check in DNS_ZONE intelligence.
23 lines
1.1 KiB
Text
23 lines
1.1 KiB
Text
# @TEST-EXEC: bro %INPUT >out
|
|
# @TEST-EXEC: btest-diff out
|
|
|
|
event bro_init()
|
|
{
|
|
Intel::insert([$ip=1.2.3.4, $meta=[$source="source1-feed1", $class=Intel::MALICIOUS, $tags=set("foo")]]);
|
|
Intel::insert([$ip=1.2.3.4, $meta=[$source="source2-special-sauce", $class=Intel::MALICIOUS, $tags=set("foo","bar")]]);
|
|
|
|
# Lookup should return the items matching the query.
|
|
local items = Intel::lookup([$ip=1.2.3.4]);
|
|
print fmt("Number of matching intel items: %d (should be 2)", |items|);
|
|
|
|
# This can be considered an update of a previous value since the
|
|
# data, source, and class are the matching points for determining sameness.
|
|
Intel::insert([$ip=1.2.3.4, $meta=[$source="source2-special-sauce", $class=Intel::MALICIOUS, $tags=set("foobar", "testing")]]);
|
|
items = Intel::lookup([$ip=1.2.3.4]);
|
|
print fmt("Number of matching intel items: %d (should still be 2)", |items|);
|
|
|
|
# This is a new value.
|
|
Intel::insert([$ip=1.2.3.4, $meta=[$source="source3", $class=Intel::MALICIOUS]]);
|
|
items = Intel::lookup([$ip=1.2.3.4]);
|
|
print fmt("Number of matching intel items: %d (should be 3)", |items|);
|
|
}
|