55 lines
1.5 KiB
Plaintext
55 lines
1.5 KiB
Plaintext
# Verifies analyzer ID retrieval from a connection.
|
|
#
|
|
# Not compatible with -O gen-C++ due to use of multiple scripts.
|
|
# @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
|
|
#
|
|
# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT >output
|
|
# @TEST-EXEC: btest-diff output
|
|
|
|
# This first test should trigger one analyzer violation, since the given pcap
|
|
# has non-HTTP content on port 80. The analyzer will be disabled after the first
|
|
# violation (missing request line).
|
|
|
|
@load base/protocols/http
|
|
|
|
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
|
|
{
|
|
print atype;
|
|
}
|
|
|
|
# @TEST-START-NEXT
|
|
|
|
# This one should not trigger violations since we suppress HTTP analysis when
|
|
# the TCP connection establishes.
|
|
|
|
@load base/protocols/http
|
|
|
|
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
|
|
{
|
|
print atype;
|
|
}
|
|
|
|
event connection_established(c: connection)
|
|
{
|
|
local aid = lookup_connection_analyzer_id(c$id, Analyzer::ANALYZER_HTTP);
|
|
if ( aid > 0 )
|
|
disable_analyzer(c$id, aid, T, T);
|
|
}
|
|
|
|
# @TEST-START-NEXT
|
|
|
|
# This one validates the return values of analyzer ID lookup calls for valid &
|
|
# invalid connection IDs and analyzers.
|
|
|
|
@load base/protocols/http
|
|
|
|
event connection_established(c: connection)
|
|
{
|
|
assert lookup_connection_analyzer_id(c$id, Analyzer::ANALYZER_HTTP) != 0;
|
|
|
|
local wrong_cid = copy(c$id);
|
|
wrong_cid$orig_h = 1.2.3.4;
|
|
|
|
assert lookup_connection_analyzer_id(wrong_cid, Analyzer::ANALYZER_HTTP) == 0;
|
|
}
|