Add test case and fix clustered preserve files.

The fix ensures that moves are only triggered on worker nodes inside a cluster. Due to the invocation inside the intel framework, handlers for Intel::match_remote would also be executed on the manager.
J-Gras · Mar 1, 2022 · 351591a · 351591a
1 parent 600353a
commit 351591a
Show file tree

Hide file tree

Showing 4 changed files with 185 additions and 3 deletions.
diff --git a/scripts/preserve_files.zeek b/scripts/preserve_files.zeek
@@ -81,14 +81,19 @@ function preserve_match(s: Seen)
 		}
 	}
 
-@if ( Cluster::is_enabled() )
-event Intel::match_remote(s: Seen)
-@else
+@if ( !Cluster::is_enabled() )
 event Intel::match(s: Seen, items: set[Item])
+	{
+	preserve_match(s);
+	}
 @endif
+
+@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::WORKER )
+event Intel::match_remote(s: Seen)
 	{
 	preserve_match(s);
 	}
+@endif
 
 event file_state_remove(f: fa_file)
 	{

diff --git a/testing/Baseline/scripts.test-preserve-files-cluster-2/manager-1.intel.log b/testing/Baseline/scripts.test-preserve-files-cluster-2/manager-1.intel.log
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	intel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.228.5	59856	192.150.187.43	80	141.142.228.5	Intel::ADDR	Conn::IN_ORIG	worker-1	Intel::ADDR	source1	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.228.5	59856	192.150.187.43	80	test-filename	Intel::FILE_NAME	Files::IN_NAME	worker-1	Intel::FILE_NAME	source1	FMnxxt3xjVcWNS2141	-	http://bro.org/download/CHANGES.bro-aux.txt
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.228.5	59856	192.150.187.43	80	397168fd09991a0e712254df7bc639ac	Intel::FILE_HASH	Files::IN_HASH	worker-1	Intel::FILE_HASH	source1	FMnxxt3xjVcWNS2141	text/plain	http://bro.org/download/CHANGES.bro-aux.txt
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/Baseline/scripts.test-preserve-files-cluster/manager-1.intel.log b/testing/Baseline/scripts.test-preserve-files-cluster/manager-1.intel.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	intel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
+#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.228.5	59856	192.150.187.43	80	397168fd09991a0e712254df7bc639ac	Intel::FILE_HASH	Files::IN_HASH	worker-1	Intel::FILE_HASH	source1	FMnxxt3xjVcWNS2141	text/plain	http://bro.org/download/CHANGES.bro-aux.txt
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/scripts/test-preserve-files-cluster.zeek b/testing/scripts/test-preserve-files-cluster.zeek
@@ -0,0 +1,153 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: mkdir preserved_files
+# @TEST-EXEC: btest-bg-run manager-1 ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=manager-1 zeek %INPUT
+# @TEST-EXEC: btest-bg-run worker-1  ZEEKPATH=$ZEEKPATH:.. CLUSTER_NODE=worker-1 zeek -r $TRACES/get.trace %INPUT
+# @TEST-EXEC: btest-bg-wait -k 13
+# @TEST-EXEC: btest-diff manager-1/intel.log
+# @TEST-EXEC: test -e preserved_files/extract-1362692527.009512-HTTP-FMnxxt3xjVcWNS2141
+
+# @TEST-START-FILE cluster-layout.zeek
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"],
+};
+# @TEST-END-FILE
+
+# Scenario: Hit on FILE_HASH
+@load preserve_files
+@load frameworks/files/extract-all-files
+@load frameworks/files/hash-all-files
+@load frameworks/intel/seen/file-hashes
+
+redef Log::default_rotation_interval = 0secs;
+redef Intel::preserve_prefix = "../preserved_files/";
+
+module Intel;
+
+# Manager
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+event Cluster::node_up(name: string, id: string)
+	{
+	# Insert the data once all workers are connected.
+	if ( Cluster::worker_count == 1 )
+		{
+		Intel::insert([$indicator="397168fd09991a0e712254df7bc639ac",
+			$indicator_type=Intel::FILE_HASH, $meta=[$source="source1"]]);
+		}
+	}
+@endif
+
+# Worker
+
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+event zeek_init()
+	{
+	suspend_processing();
+	}
+
+event Intel::insert_indicator(item: Intel::Item)
+	{
+	# Run test on worker-1 when item has been inserted
+	if ( Cluster::node == "worker-1" )
+		continue_processing();
+	}
+@endif
+
+# Shutdown logic
+
+event die()
+	{
+	terminate();
+	}
+
+event Intel::log_intel(rec: Intel::Info)
+	{
+	if ( "source1" in rec$sources )
+		schedule 2sec { die() };
+	}
+
+event Cluster::node_down(name: string, id: string)
+	{
+	# Cascading termination
+	schedule 2sec { die() };
+	}
+
+# @TEST-START-NEXT
+
+# Scenario: Multiple hits on the same file
+@load preserve_files
+@load frameworks/files/extract-all-files
+@load frameworks/files/hash-all-files
+@load frameworks/intel/seen/file-hashes
+@load frameworks/intel/seen/file-names
+@load frameworks/intel/seen/conn-established
+
+redef Log::default_rotation_interval = 0secs;
+redef Intel::preserve_prefix = "../preserved_files/";
+
+module Intel;
+
+# Manager
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+event Cluster::node_up(name: string, id: string)
+	{
+	# Insert the data once all workers are connected.
+	if ( Cluster::worker_count == 1 )
+		{
+		Intel::insert([$indicator="397168fd09991a0e712254df7bc639ac",
+			$indicator_type=Intel::FILE_HASH, $meta=[$source="source1"]]);
+		Intel::insert([$indicator="test-filename",
+			$indicator_type=Intel::FILE_NAME, $meta=[$source="source1"]]);
+		Intel::insert([$indicator="141.142.228.5",
+			$indicator_type=Intel::ADDR, $meta=[$source="source1"]]);
+		}
+	}
+@endif
+
+# Worker
+
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+event zeek_init()
+	{
+	suspend_processing();
+	}
+
+global worker_data = 0;
+event Intel::insert_indicator(item: Intel::Item)
+	{
+	# Run test on worker-1 when all items have been inserted
+	if ( Cluster::node == "worker-1" )
+		{
+		++worker_data;
+		if ( worker_data == 3 )
+			continue_processing();
+		}
+	}
+
+event file_new(f: fa_file) &priority=10
+	{
+	f$info$filename = "test-filename";
+	}
+@endif
+
+# Shutdown logic
+
+event die()
+	{
+	terminate();
+	}
+
+event Intel::log_intel(rec: Intel::Info)
+	{
+	if ( "source1" in rec$sources )
+		schedule 2sec { die() };
+	}
+
+event Cluster::node_down(name: string, id: string)
+	{
+	# Cascading termination
+	schedule 2sec { die() };
+	}