# @TEST-DOC: Check that extend-email/hostnames.zeek does not run lookup_addr() for non email type notices.
# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
# @TEST-EXEC: btest-diff out
@load base/frameworks/notice
@load frameworks/notice/extend-email/hostnames
# Two notice types that exist only for this test; each is raised by one of
# the connection event handlers further down.
redef enum Notice::Type += {
	Test_New_Connection_Notice,
	Test_Connection_State_Remove_Notice,
};

# Only the connection_state_remove notice is registered as an emailed type.
# Test_New_Connection_Notice is left out on purpose: it is the control case
# for which hostnames.zeek must not schedule a lookup_addr() DNS query.
redef Notice::emailed_types += { Test_Connection_State_Remove_Notice };

# Recipient on a reserved example domain, so no real mailbox is addressed.
redef Notice::mail_dest = "user@example.net";

# Not in effect, but better safe than sorry: point the mailer at a dummy
# command name rather than the default sendmail.
redef Notice::sendmail = "fake-sendmail";

module Notice;
hook Notice::notice(n: Notice::Info) &priority=-2
	{
	# extend-email/hostnames.zeek populates email_delay_tokens from its own
	# notice hook at priority -1. Running at priority -2 places this hook
	# after it, so the set can be inspected once it has been filled in.
	# Expected outcome: only Test_Connection_State_Remove_Notice carries
	# delay tokens; the non-emailed notice prints "(empty)".
	local tokens = "(empty)";

	if ( |n$email_delay_tokens| > 0 )
		tokens = join_string_set(n$email_delay_tokens, ",");

	# NOTE(review): with more than one token the printed order follows the
	# set's iteration order; confirm the btest baseline is stable.
	print "email_delay_tokens", n$note, tokens;
	}
event new_connection(c: connection)
	{
	# Raise the notice type that is NOT listed in Notice::emailed_types.
	# This is the control case: it should end up without email delay tokens.
	local info = Notice::Info($note=Test_New_Connection_Notice, $conn=c);
	NOTICE(info);
	}
event connection_state_remove(c: connection)
	{
	# Raise the notice type that IS listed in Notice::emailed_types.
	# This is the case for which hostnames.zeek is expected to set
	# email delay tokens.
	local info = Notice::Info($note=Test_Connection_State_Remove_Notice, $conn=c);
	NOTICE(info);
	}