72 lines
1.4 KiB
Plaintext
72 lines
1.4 KiB
Plaintext
# @TEST-DOC: Reading a jsonl file using the raw input reader and parsing via from_json()
|
|
# @TEST-EXEC: zeek -b %INPUT >out
|
|
# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out
|
|
|
|
# @TEST-START-FILE denylist.jsonl
|
|
{"ip": "192.168.0.1", "source": "local", "timestamp": "1990-09-22T12:13:14"}
|
|
{"ip": "192.168.0.1", "source": "local", "timestamp": "1990-09-23T13:14:15"}
|
|
{"ip": "192.168.0.2", "source": "local"}
|
|
{"source": "local"}
|
|
{... ]
|
|
{"ip": "8.8.4.4", "source": "remote"}
|
|
# @TEST-END-FILE
|
|
|
|
redef exit_only_after_terminate = T;
|
|
|
|
module A;
|
|
|
|
type Line: record {
|
|
l: string;
|
|
};
|
|
|
|
type Deny: record {
|
|
ip: addr;
|
|
source: string;
|
|
timestamp: string &optional;
|
|
timestamp_parsed: time &optional;
|
|
};
|
|
|
|
event line(description: Input::EventDescription, tpe: Input::Event, line: string)
|
|
{
|
|
local r = from_json(line, Deny);
|
|
if ( r$valid )
|
|
{
|
|
local deny = r$v as Deny;
|
|
if ( deny?$timestamp )
|
|
deny$timestamp_parsed = strptime("%Y-%m-%dT%H:%M:%S", deny$timestamp);
|
|
|
|
print fmt("Valid: %s (%s)", deny, line);
|
|
}
|
|
else
|
|
print fmt("Invalid: '%s'", line);
|
|
}
|
|
|
|
event die()
|
|
{
|
|
if ( zeek_is_terminating() )
|
|
return;
|
|
|
|
print "error: test timeout";
|
|
exit(1);
|
|
}
|
|
|
|
event zeek_init()
|
|
{
|
|
Input::add_event([
|
|
$source="denylist.jsonl",
|
|
$name="denylist",
|
|
$reader=Input::READER_RAW,
|
|
$fields=Line,
|
|
$ev=line,
|
|
$want_record=F
|
|
]);
|
|
|
|
schedule 5sec { die() };
|
|
}
|
|
|
|
event Input::end_of_data(name: string, source:string)
|
|
{
|
|
Input::remove("deny");
|
|
terminate();
|
|
}
|