Zeek 7.1 compatibility changes

Zeek 7.1 introduced the 'ip_proto' field in the conn.log. To maintain consistent baselines across Zeek 7 version, cut the ip_proto field in affected btests. Also, some btests print the c$id field, which also changed. Instead, print the c$uid field. This required updates to baselines.
corelight · Jan 24, 2025 · 5201762 · 5201762
1 parent f42d5b9
commit 5201762
Show file tree

Hide file tree

Showing 12 changed files with 351 additions and 351 deletions.
diff --git a/tests/analyzer/basic.zeek b/tests/analyzer/basic.zeek
@@ -1,6 +1,6 @@
 # @TEST-REQUIRES: test -e ${TRACES}/ipsec_client.pcap
 # @TEST-EXEC: zeek -Cr ${TRACES}/ipsec_client.pcap %INPUT
-# @TEST-EXEC: cat conn.log | zeek-cut -m -n local_orig local_resp >conn.log.filtered
+# @TEST-EXEC: zeek-cut -m -n local_orig local_resp ip_proto < conn.log > conn.log.filtered
 # @TEST-EXEC: btest-diff ipsec.log
 # @TEST-EXEC: btest-diff conn.log.filtered
 # @TEST-EXEC: btest-diff .stdout
@@ -9,22 +9,22 @@
 
 @load analyzer
 
-event IPSEC::ike_message(c: connection, is_orig: bool, msg: IPSEC::IKEMsg) { print cat("ike_message ", is_orig, c$id, msg); }
-event IPSEC::esp_message(c: connection, is_orig: bool, msg: IPSEC::ESPMsg) { print cat("esp_message ", is_orig, c$id, msg); }
-event IPSEC::ikev2_sa_proposal(c: connection, is_orig: bool, msg: IPSEC::IKE_SA_Proposal_Msg) { print cat("ike_sa_proposal ", is_orig, c$id, msg); }
-event IPSEC::ikev2_sa_transform(c: connection, is_orig: bool, msg: IPSEC::IKE_SA_Transform_Msg) { print cat("ike_sa_transform ", is_orig, c$id, msg); }
-event IPSEC::ike_data_attribute(c: connection, is_orig: bool, msg: IPSEC::IKE_SA_Transform_Attribute_Msg) { print cat("ike_data_attribute ", is_orig, c$id, msg); }
-event IPSEC::ikev2_ke_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_KE_Msg) { print cat("ike_ke_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_idi_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_ID_Msg) { print cat("ike_idi_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_idr_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_ID_Msg) { print cat("ike_idr_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_cert_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERT_Msg) { print cat("ike_cert_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_certreq_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERTREQ_Msg) { print cat("ike_certreq_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_auth_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_AUTH_Msg) { print cat("ike_auth_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_nonce_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NONCE_Msg) { print cat("ike_nonce_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_notify_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NOTIFY_Msg) { print cat("ike_notify_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_delete_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_DELETE_Msg) { print cat("ike_delete_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_vendorid_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_VENDORID_Msg) { print cat("ike_vendorid_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_ts_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_TRAFFICSELECTOR_Msg) { print cat("ike_ts_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_encrypted_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_ENCRYPTED_Msg) { print cat("ike_encrypted_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev2_configuration_attribute(c: connection, is_orig: bool, msg: IPSEC::IKE_CONFIG_ATTR_Msg) { print cat("ike_configuration_attribute ", is_orig, c$id, msg); }
-event IPSEC::ikev2_eap_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_EAP_Msg) { print cat("ike_eap_payload ", is_orig, c$id, msg); }
+event IPSEC::ike_message(c: connection, is_orig: bool, msg: IPSEC::IKEMsg) { print cat("ike_message ", is_orig, c$uid, msg); }
+event IPSEC::esp_message(c: connection, is_orig: bool, msg: IPSEC::ESPMsg) { print cat("esp_message ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_sa_proposal(c: connection, is_orig: bool, msg: IPSEC::IKE_SA_Proposal_Msg) { print cat("ike_sa_proposal ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_sa_transform(c: connection, is_orig: bool, msg: IPSEC::IKE_SA_Transform_Msg) { print cat("ike_sa_transform ", is_orig, c$uid, msg); }
+event IPSEC::ike_data_attribute(c: connection, is_orig: bool, msg: IPSEC::IKE_SA_Transform_Attribute_Msg) { print cat("ike_data_attribute ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_ke_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_KE_Msg) { print cat("ike_ke_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_idi_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_ID_Msg) { print cat("ike_idi_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_idr_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_ID_Msg) { print cat("ike_idr_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_cert_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERT_Msg) { print cat("ike_cert_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_certreq_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERTREQ_Msg) { print cat("ike_certreq_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_auth_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_AUTH_Msg) { print cat("ike_auth_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_nonce_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NONCE_Msg) { print cat("ike_nonce_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_notify_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NOTIFY_Msg) { print cat("ike_notify_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_delete_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_DELETE_Msg) { print cat("ike_delete_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_vendorid_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_VENDORID_Msg) { print cat("ike_vendorid_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_ts_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_TRAFFICSELECTOR_Msg) { print cat("ike_ts_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_encrypted_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_ENCRYPTED_Msg) { print cat("ike_encrypted_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_configuration_attribute(c: connection, is_orig: bool, msg: IPSEC::IKE_CONFIG_ATTR_Msg) { print cat("ike_configuration_attribute ", is_orig, c$uid, msg); }
+event IPSEC::ikev2_eap_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_EAP_Msg) { print cat("ike_eap_payload ", is_orig, c$uid, msg); }
diff --git a/tests/analyzer/ike-zero-length.zeek b/tests/analyzer/ike-zero-length.zeek
@@ -1,5 +1,5 @@
 # @TEST-EXEC: zeek -C -r ${TRACES}/ipsec-ikev1-zero-length.pcap %INPUT
-# @TEST-EXEC: cat conn.log | zeek-cut -m -n local_orig local_resp >conn.log.filtered
+# @TEST-EXEC: zeek-cut -m -n local_orig local_resp ip_proto < conn.log > conn.log.filtered
 # @TEST-EXEC: btest-diff conn.log.filtered
 #
 # @TEST-DOC: Test that IPSecIKE with length 0 does not produce integer overflow analyzer errors

diff --git a/tests/analyzer/ikev1-a.zeek b/tests/analyzer/ikev1-a.zeek
@@ -1,25 +1,25 @@
 # @TEST-EXEC: zeek -C -r ${TRACES}/ikev1-certs.pcap %INPUT
-# @TEST-EXEC: cat conn.log | zeek-cut -m -n local_orig local_resp >conn.log.filtered
+# @TEST-EXEC: zeek-cut -m -n local_orig local_resp ip_proto < conn.log > conn.log.filtered
 # @TEST-EXEC: btest-diff conn.log.filtered
 #     Zeek 3.0 sorts dictionaries differently, leading to a change in vendor ID; not worth worrying about, so we just skip the diff for 3.0.
 # @TEST-EXEC: if zeek-version 40000; then btest-diff ipsec.log; fi
 # @TEST-EXEC: btest-diff .stdout
 
 @load analyzer
 
-event IPSEC::ike_message(c: connection, is_orig: bool, msg: IPSEC::IKEMsg) { print cat("ike_message ", is_orig, c$id, msg); }
-event IPSEC::esp_message(c: connection, is_orig: bool, msg: IPSEC::ESPMsg) { print cat("esp_message ", is_orig, c$id, msg); }
-event IPSEC::ikev1_sa_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_SA_Msg) { print cat("ikev1_sa_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_vid_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_VENDORID_Msg) { print cat("ikev1_vid_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_ke_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_KE_Msg) { print cat("ikev1_ke_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_nonce_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NONCE_Msg) { print cat("ikev1_n_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_cert_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERT_Msg) { print cat("ikev1_cert_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_certreq_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERTREQ_Msg) { print cat("ikev1_certreq_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_id_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_ID_Msg) { print cat("ikev1_id_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_hash_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_HASH_Msg) { print cat("ikev1_hash_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_sig_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_SIG_Msg) { print cat("ikev1_sig_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_p_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_P_Msg) { print cat("ikev1_p_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_t_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_T_Msg) { print cat("ikev1_t_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_notify_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NOTIFY_Msg) { print cat("ikev1_notify_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_delete_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_DELETE_Msg) { print cat("ikev1_delete_payload ", is_orig, c$id, msg); }
-event IPSEC::ike_data_attribute(c: connection, is_orig: bool, msg: IPSEC::IKE_SA_Transform_Attribute_Msg) { print cat("ike_data_attribute ", is_orig, c$id, msg); }
+event IPSEC::ike_message(c: connection, is_orig: bool, msg: IPSEC::IKEMsg) { print cat("ike_message ", is_orig, c$uid, msg); }
+event IPSEC::esp_message(c: connection, is_orig: bool, msg: IPSEC::ESPMsg) { print cat("esp_message ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_sa_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_SA_Msg) { print cat("ikev1_sa_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_vid_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_VENDORID_Msg) { print cat("ikev1_vid_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_ke_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_KE_Msg) { print cat("ikev1_ke_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_nonce_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NONCE_Msg) { print cat("ikev1_n_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_cert_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERT_Msg) { print cat("ikev1_cert_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_certreq_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERTREQ_Msg) { print cat("ikev1_certreq_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_id_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_ID_Msg) { print cat("ikev1_id_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_hash_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_HASH_Msg) { print cat("ikev1_hash_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_sig_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_SIG_Msg) { print cat("ikev1_sig_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_p_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_P_Msg) { print cat("ikev1_p_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_t_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_T_Msg) { print cat("ikev1_t_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_notify_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NOTIFY_Msg) { print cat("ikev1_notify_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_delete_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_DELETE_Msg) { print cat("ikev1_delete_payload ", is_orig, c$uid, msg); }
+event IPSEC::ike_data_attribute(c: connection, is_orig: bool, msg: IPSEC::IKE_SA_Transform_Attribute_Msg) { print cat("ike_data_attribute ", is_orig, c$uid, msg); }
diff --git a/tests/analyzer/ikev1-b.zeek b/tests/analyzer/ikev1-b.zeek
@@ -1,24 +1,24 @@
 # @TEST-EXEC: zeek -C -r ${TRACES}/ipsec-ikev1-isakmp-aggressive-mode.pcap %INPUT
-# @TEST-EXEC: cat conn.log | zeek-cut -m -n local_orig local_resp >conn.log.filtered
+# @TEST-EXEC: zeek-cut -m -n local_orig local_resp ip_proto < conn.log > conn.log.filtered
 # @TEST-EXEC: btest-diff conn.log.filtered
 # @TEST-EXEC: btest-diff ipsec.log
 # @TEST-EXEC: btest-diff .stdout
 
 @load analyzer
 
-event IPSEC::ike_message(c: connection, is_orig: bool, msg: IPSEC::IKEMsg) { print cat("ike_message ", is_orig, c$id, msg); }
-event IPSEC::esp_message(c: connection, is_orig: bool, msg: IPSEC::ESPMsg) { print cat("esp_message ", is_orig, c$id, msg); }
-event IPSEC::ikev1_sa_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_SA_Msg) { print cat("ikev1_sa_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_vid_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_VENDORID_Msg) { print cat("ikev1_vid_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_ke_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_KE_Msg) { print cat("ikev1_ke_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_nonce_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NONCE_Msg) { print cat("ikev1_n_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_cert_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERT_Msg) { print cat("ikev1_cert_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_certreq_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERTREQ_Msg) { print cat("ikev1_certreq_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_id_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_ID_Msg) { print cat("ikev1_id_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_hash_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_HASH_Msg) { print cat("ikev1_hash_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_sig_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_SIG_Msg) { print cat("ikev1_sig_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_p_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_P_Msg) { print cat("ikev1_p_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_t_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_T_Msg) { print cat("ikev1_t_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_notify_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NOTIFY_Msg) { print cat("ikev1_notify_payload ", is_orig, c$id, msg); }
-event IPSEC::ikev1_delete_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_DELETE_Msg) { print cat("ikev1_delete_payload ", is_orig, c$id, msg); }
-event IPSEC::ike_data_attribute(c: connection, is_orig: bool, msg: IPSEC::IKE_SA_Transform_Attribute_Msg) { print cat("ike_data_attribute ", is_orig, c$id, msg); }
+event IPSEC::ike_message(c: connection, is_orig: bool, msg: IPSEC::IKEMsg) { print cat("ike_message ", is_orig, c$uid, msg); }
+event IPSEC::esp_message(c: connection, is_orig: bool, msg: IPSEC::ESPMsg) { print cat("esp_message ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_sa_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_SA_Msg) { print cat("ikev1_sa_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_vid_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_VENDORID_Msg) { print cat("ikev1_vid_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_ke_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_KE_Msg) { print cat("ikev1_ke_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_nonce_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NONCE_Msg) { print cat("ikev1_n_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_cert_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERT_Msg) { print cat("ikev1_cert_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_certreq_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_CERTREQ_Msg) { print cat("ikev1_certreq_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_id_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_ID_Msg) { print cat("ikev1_id_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_hash_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_HASH_Msg) { print cat("ikev1_hash_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_sig_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_SIG_Msg) { print cat("ikev1_sig_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_p_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_P_Msg) { print cat("ikev1_p_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_t_payload(c: connection, is_orig: bool, msg: IPSEC::IKEv1_T_Msg) { print cat("ikev1_t_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_notify_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_NOTIFY_Msg) { print cat("ikev1_notify_payload ", is_orig, c$uid, msg); }
+event IPSEC::ikev1_delete_payload(c: connection, is_orig: bool, msg: IPSEC::IKE_DELETE_Msg) { print cat("ikev1_delete_payload ", is_orig, c$uid, msg); }
+event IPSEC::ike_data_attribute(c: connection, is_orig: bool, msg: IPSEC::IKE_SA_Transform_Attribute_Msg) { print cat("ike_data_attribute ", is_orig, c$uid, msg); }