

Merge branch 'topic/bbannier/zeek7-ci'
bbannier committed Nov 7, 2024
2 parents d41666f + 0f14957 commit 67b72ae
Showing 8 changed files with 49 additions and 33 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/check.yml
Expand Up @@ -11,6 +11,7 @@ jobs:
matrix:
version:
- zeek:6.0
- zeek:7.0
- zeek-dev:latest

fail-fast: false
Expand All @@ -19,7 +20,7 @@ jobs:
container: zeek/${{ matrix.version }}

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: Prepare
run: |
apt-get update
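Review bot: The new `- uses: actions/checkout@v4` line still references a mutable tag, so the code the checkout step runs can change upstream without any diff appearing in this repository's history; pin it to the action's full commit SHA and keep the tag as a trailing comment, `- uses: actions/checkout@<full-commit-sha-of-v4-release>  # v4`, so the version stays visible to reviewers and bump tooling. The `zeek/${{ matrix.version }}` container tags in the same section are also mutable, which is presumably intentional for tracking `zeek-dev:latest` but worth a one-line comment stating that the 6.0/7.0 images are expected to move. The `Prepare` step's run block continues past the end of the hunk.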
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Expand Up @@ -2,7 +2,7 @@
# See https://pre-commit.com/hooks.html for more hooks
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.0.1
rev: v5.0.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
13 changes: 9 additions & 4 deletions tests/analyzer/basic.zeek
@@ -1,18 +1,23 @@
# @TEST-EXEC: zeek -r ${TRACES}/test.pcap frameworks/files/extract-all-files frameworks/files/hash-all-files %INPUT
# @TEST-EXEC: for i in extract_files/*; do (printf "$i "; wc -c "$i" | awk '{print $1}'); done | sort >extracted.log
# @TEST-EXEC: for i in files.log extracted.log .stdout; do cat $i | sed 's#\(extract-[^-]*\)-[^-]*-#\1-xxx-#g' | sed 's#F[A-Za-z0-9]\{16,17\}#XXXXXXXXXXXXXXXXX#g' >$i.tmp && mv $i.tmp $i; done
#
# @TEST-EXEC: zeek-cut -Cn duration <files.log >files.log.tmp && mv files.log.tmp files.log
# @TEST-EXEC: btest-diff files.log
#
# @TEST-EXEC: btest-diff .stdout
# @TEST-EXEC: btest-diff extracted.log
#
# @TEST-DOC: Test ZIP analyzer with a download of a simple ZIP file that contains an entry with data descriptor (i.e., its compressed size is not known in advance).

@load analyzer

event ZIP::file(f: fa_file, meta: ZIP::File) {
event ZIP::file(f: fa_file, meta: ZIP::File)
{
print meta;
}
}

event ZIP::end_of_directory(f: fa_file, comment: string) {
event ZIP::end_of_directory(f: fa_file, comment: string)
{
print comment;
}
}
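Review bot: The added `# @TEST-EXEC: zeek-cut -Cn duration <files.log >files.log.tmp && mv files.log.tmp files.log` line blinds the baseline comparison to the `duration` column of files.log, but nothing in the header says why, so a later regression in that field would go unnoticed without anyone having recorded that this is deliberate. Presumably the column differs between the Zeek versions now in the CI matrix or is not deterministic; confirm the reason and state it in a comment directly above the line, e.g. `# Strip the duration column: its value is not stable across the Zeek versions exercised in CI.` The same undocumented line is added to tests/analyzer/descriptor.zeek and tests/analyzer/nested.zeek. The brace re-layout of the two event handlers is formatting only and needs no comment.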
13 changes: 9 additions & 4 deletions tests/analyzer/descriptor.zeek
@@ -1,7 +1,10 @@
# @TEST-EXEC: zeek -C -r ${TRACES}/descriptor.pcap frameworks/files/extract-all-files frameworks/files/hash-all-files %INPUT
# @TEST-EXEC: for i in extract_files/*; do (printf "$i "; wc -c "$i" | awk '{print $1}'); done | sort >extracted.log
# @TEST-EXEC: for i in files.log extracted.log .stdout; do cat $i | sed 's#\(extract-[^-]*\)-[^-]*-#\1-xxx-#g' | sed 's#F[A-Za-z0-9]\{16,17\}#XXXXXXXXXXXXXXXXX#g' >$i.tmp && mv $i.tmp $i; done
#
# @TEST-EXEC: zeek-cut -Cn duration <files.log >files.log.tmp && mv files.log.tmp files.log
# @TEST-EXEC: btest-diff files.log
#
# @TEST-EXEC: btest-diff .stdout
# @TEST-EXEC: btest-diff extracted.log
#
Expand All @@ -14,10 +17,12 @@

@load analyzer

event ZIP::file(f: fa_file, meta: ZIP::File) {
event ZIP::file(f: fa_file, meta: ZIP::File)
{
print meta;
}
}

event ZIP::end_of_directory(f: fa_file, comment: string) {
event ZIP::end_of_directory(f: fa_file, comment: string)
{
print comment;
}
}
13 changes: 9 additions & 4 deletions tests/analyzer/nested.zeek
@@ -1,18 +1,23 @@
# @TEST-EXEC: zeek -Cr ${TRACES}/nested.pcap frameworks/files/extract-all-files frameworks/files/hash-all-files %INPUT
# @TEST-EXEC: for i in extract_files/*; do (printf "$i "; wc -c "$i" | awk '{print $1}'); done | sort >extracted.log
# @TEST-EXEC: for i in files.log extracted.log .stdout; do cat $i | sed 's#\(extract-[^-]*\)-[^-]*-#\1-xxx-#g' | sed 's#F[A-Za-z0-9]\{16,17\}#XXXXXXXXXXXXXXXXX#g' >$i.tmp && mv $i.tmp $i; done
#
# @TEST-EXEC: zeek-cut -Cn duration <files.log >files.log.tmp && mv files.log.tmp files.log
# @TEST-EXEC: btest-diff files.log
#
# @TEST-EXEC: btest-diff .stdout
# @TEST-EXEC: btest-diff extracted.log
#
# @TEST-DOC: Test ZIP analyzer with a download of a ZIP containing the standard virus checker test file inside another ZIP file.

@load analyzer

event ZIP::file(f: fa_file, meta: ZIP::File) {
event ZIP::file(f: fa_file, meta: ZIP::File)
{
print meta;
}
}

event ZIP::end_of_directory(f: fa_file, comment: string) {
event ZIP::end_of_directory(f: fa_file, comment: string)
{
print comment;
}
}
12 changes: 6 additions & 6 deletions tests/baseline/analyzer.basic/files.log
Expand Up @@ -6,10 +6,10 @@
#unset_field -
#path files
#open XXXX-XX-XX-XX-XX-XX
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size ftime
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count time
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size ftime
#types time string string addr port addr port string count set[string] string string bool bool count count count count bool string string string string string bool count time
#close XXXX-XX-XX-XX-XX-XX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX CHhAvVGS1DHFjwGM9 192.168.7.120 54454 192.150.187.12 80 HTTP 0 SPICY_ZIP,EXTRACT,SHA1,MD5 application/zip - 0.644241 F F 129598 129598 0 0 F - e97e67328c12b639ff9fa84bfa9aaf27 9cfff9d9672f3e14d6ac49df074cb85f46432366 - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX CHhAvVGS1DHFjwGM9 192.168.7.120 54454 192.150.187.12 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT image/png test/bro-web-eye-only.png 0.259282 - F 14739 14734 0 0 F XXXXXXXXXXXXXXXXX a996d43b224cef8772977a5605ec706e daa31a4d9e5e5918876f58a8a8a940ff401b025d - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX CHhAvVGS1DHFjwGM9 192.168.7.120 54454 192.150.187.12 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT image/png test/spicy-logo.png 0.384940 - F 112322 112196 0 0 F XXXXXXXXXXXXXXXXX f2d1a7eb1403e0674ad50006c6773bb3 3c5ed2659000432a42e11b6df95a69c289fe04e3 - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX CHhAvVGS1DHFjwGM9 192.168.7.120 54454 192.150.187.12 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT - test/README.md 0.000005 - F 5294 2146 0 0 F XXXXXXXXXXXXXXXXX afcdeb85e51aecc6cef747546058ddab 7e2ada78ae1b5f06750d6f830004e6fee6e66479 - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX CHhAvVGS1DHFjwGM9 192.168.7.120 54454 192.150.187.12 80 HTTP 0 SPICY_ZIP,EXTRACT,SHA1,MD5 application/zip - F F 129598 129598 0 0 F - e97e67328c12b639ff9fa84bfa9aaf27 9cfff9d9672f3e14d6ac49df074cb85f46432366 - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX CHhAvVGS1DHFjwGM9 192.168.7.120 54454 192.150.187.12 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT image/png test/bro-web-eye-only.png - F 14739 14734 0 0 F XXXXXXXXXXXXXXXXX a996d43b224cef8772977a5605ec706e daa31a4d9e5e5918876f58a8a8a940ff401b025d - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX CHhAvVGS1DHFjwGM9 192.168.7.120 54454 192.150.187.12 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT image/png test/spicy-logo.png - F 112322 112196 0 0 F XXXXXXXXXXXXXXXXX f2d1a7eb1403e0674ad50006c6773bb3 3c5ed2659000432a42e11b6df95a69c289fe04e3 - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX CHhAvVGS1DHFjwGM9 192.168.7.120 54454 192.150.187.12 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT - test/README.md - F 5294 2146 0 0 F XXXXXXXXXXXXXXXXX afcdeb85e51aecc6cef747546058ddab 7e2ada78ae1b5f06750d6f830004e6fee6e66479 - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
8 changes: 4 additions & 4 deletions tests/baseline/analyzer.descriptor/files.log
Expand Up @@ -6,8 +6,8 @@
#unset_field -
#path files
#open XXXX-XX-XX-XX-XX-XX
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size ftime
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count time
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size ftime
#types time string string addr port addr port string count set[string] string string bool bool count count count count bool string string string string string bool count time
#close XXXX-XX-XX-XX-XX-XX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50531 127.0.0.1 80 HTTP 0 SPICY_ZIP,EXTRACT,SHA1,MD5 application/zip - 0.000000 T F 247 247 0 0 F - 61d0055c64568b049c6b0dabdffdb125 5a577696c7af86b1a2f0b8e290a5be884f6615e6 - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50531 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT - test/file.txt 0.000000 - F 15 15 0 0 F XXXXXXXXXXXXXXXXX f62ac84ff9e6229509abcb9ac87b5602 b52b86e9df692a2d639c1b387bf8a48be28ae06f - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50531 127.0.0.1 80 HTTP 0 SPICY_ZIP,EXTRACT,SHA1,MD5 application/zip - T F 247 247 0 0 F - 61d0055c64568b049c6b0dabdffdb125 5a577696c7af86b1a2f0b8e290a5be884f6615e6 - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50531 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT - test/file.txt - F 15 15 0 0 F XXXXXXXXXXXXXXXXX f62ac84ff9e6229509abcb9ac87b5602 b52b86e9df692a2d639c1b387bf8a48be28ae06f - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
18 changes: 9 additions & 9 deletions tests/baseline/analyzer.nested/files.log
Expand Up @@ -6,13 +6,13 @@
#unset_field -
#path files
#open XXXX-XX-XX-XX-XX-XX
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size ftime
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string string bool count time
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size ftime
#types time string string addr port addr port string count set[string] string string bool bool count count count count bool string string string string string bool count time
#close XXXX-XX-XX-XX-XX-XX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 HTTP 0 SPICY_ZIP,EXTRACT,SHA1,MD5 application/zip - 0.000000 T F 938 938 0 0 F - 75991ed996d25b62841fdc9e15845dfc e25eab4e6ca9e95cac0eca9faa3ec04eebf8747b - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT - - 0.000000 - F 0 0 0 0 F XXXXXXXXXXXXXXXXX - - - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT - - 0.000000 - F 0 0 0 0 F XXXXXXXXXXXXXXXXX - - - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT - - 0.000000 - F 0 0 0 0 F XXXXXXXXXXXXXXXXX - - - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT text/plain bar/bar.txt 0.000000 - F 15 10 0 0 F XXXXXXXXXXXXXXXXX b794f48dec8c7e1c093c5d74e602e062 c78895764271120c2b33882516e86d4447b6f263 - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT text/plain foo/foo.txt 0.000000 - F 15 10 0 0 F XXXXXXXXXXXXXXXXX 44a6634c024833519906aa73e750b208 a41bceee4d740eac2b53d9646023c2d6b78ad3dd - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SPICY_ZIP,EXTRACT,SHA1,MD5 application/zip bar<...>/foo.zip 0.000000 - F 318 318 0 0 F XXXXXXXXXXXXXXXXX 86a250119e8b0c065b565cda9e9d6534 e97e2496029057f7e59019a7b23ac1d08b7ca0dc - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 HTTP 0 SPICY_ZIP,EXTRACT,SHA1,MD5 application/zip - T F 938 938 0 0 F - 75991ed996d25b62841fdc9e15845dfc e25eab4e6ca9e95cac0eca9faa3ec04eebf8747b - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT - - - F 0 0 0 0 F XXXXXXXXXXXXXXXXX - - - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT - - - F 0 0 0 0 F XXXXXXXXXXXXXXXXX - - - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT - - - F 0 0 0 0 F XXXXXXXXXXXXXXXXX - - - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - -
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT text/plain bar/bar.txt - F 15 10 0 0 F XXXXXXXXXXXXXXXXX b794f48dec8c7e1c093c5d74e602e062 c78895764271120c2b33882516e86d4447b6f263 - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SHA1,MD5,EXTRACT text/plain foo/foo.txt - F 15 10 0 0 F XXXXXXXXXXXXXXXXX 44a6634c024833519906aa73e750b208 a41bceee4d740eac2b53d9646023c2d6b78ad3dd - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
XXXXXXXXXX.XXXXXX XXXXXXXXXXXXXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 50858 127.0.0.1 80 SPICY_ZIP 0 SPICY_ZIP,EXTRACT,SHA1,MD5 application/zip bar<...>/foo.zip - F 318 318 0 0 F XXXXXXXXXXXXXXXXX 86a250119e8b0c065b565cda9e9d6534 e97e2496029057f7e59019a7b23ac1d08b7ca0dc - extract-XXXXXXXXXX.XXXXXX-xxx-XXXXXXXXXXXXXXXXX F - XXXXXXXXXX.XXXXXX
