Histogram is Back in Zui

package.json

@@ -100,7 +100,8 @@
     "typescript": "^4.6.2",
     "web-streams-polyfill": "^3.2.0",
     "whatwg-fetch": "^3.2.0",
-    "win-7zip": "^0.1.0"
+    "win-7zip": "^0.1.0",
+    "zui-test-data": "workspace:*"
   },
   "dependencies": {
     "@babel/core": "^7.17.9",

packages/e2e-tests/helpers/test-app.ts

@@ -22,6 +22,10 @@ export default class TestApp {
     this.zealot = new Client("http://localhost:9867")
   }
 
+  find(text: string) {
+    return this.mainWin.locator(text)
+  }
+
   async init() {
     const userDataDir = path.resolve(
       path.join(itestDir(), this.name, (this.testNdx++).toString())

packages/e2e-tests/tests/histogram.spec.ts

@@ -0,0 +1,37 @@
+import {test, expect} from "@playwright/test"
+import TestApp from "../helpers/test-app"
+import {getPath} from "zui-test-data"
+
+test.describe("Histogram Spec", () => {
+  const app = new TestApp("Histogram Spec")
+
+  test.beforeAll(async () => {
+    await app.init()
+  })
+
+  test.afterAll(async () => {
+    await app.shutdown()
+  })
+
+  test("Histogram appears for zeek data", async () => {
+    await app.createPool([getPath("small-zeek.zng")])
+    await app.find(`role=button[name="Query Pool"]`).click()
+
+    const results = app.find(`role=status[name="results"]`)
+    await expect(results).toHaveText(/Results:/)
+
+    const chart = app.find(`[aria-label="histogram"]`)
+    await expect(chart).toBeVisible()
+  })
+
+  test("Histogram does not appears for non-zeek data", async () => {
+    await app.createPool([getPath("prs.json")])
+    await app.find(`role=button[name="Query Pool"]`).click()
+
+    const results = app.find(`role=status[name="results"]`)
+    await expect(results).toHaveText(/Results:/)
+
+    const chart = app.find(`[aria-label="histogram"]`)
+    await expect(chart).toBeHidden()
+  })
+})

packages/zealot/src/client/client.test.ts

@@ -59,9 +59,7 @@ test("#query collector", async () => {
 
   const fn = jest.fn()
   await resp.collect(fn)
-  // It calls when the first 30 are returned, then when they
-  // are all returned
-  expect(fn).toHaveBeenCalledTimes(2)
+  expect(fn).toHaveBeenCalledTimes(1)
 })
 
 test("curl", () => {

packages/zealot/src/query/channel.ts

@@ -47,8 +47,8 @@ export class Channel extends EventEmitter {
      */
     let first = true
     let count = 0
-    let countThresh = 30
-    let timeThresh = 500
+    let countThresh = 2000
+    let timeThresh = 2000
     let timeId = 0
 
     const flush = () => {

packages/zui-test-data/data/brimcap-queries.json

@@ -0,0 +1,65 @@
+{
+  "name": "Brimcap",
+  "items": [
+    {
+      "name": "Activity Overview",
+      "value": "count() by _path | sort -r",
+      "description": "Shows a list of all Zeek streams in the data set, with a count of associated records"
+    },
+    {
+      "name": "Unique DNS Queries",
+      "value": "_path==\"dns\" | count() by query | sort -r",
+      "description": "Shows all unique DNS queries in the data set with count"
+    },
+    {
+      "name": "Windows Networking Activity",
+      "value": "grep(smb*,_path) OR _path==\"dce_rpc\"",
+      "description": "Filters and displays smb_files, smb_mapping and DCE_RPC activity"
+    },
+    {
+      "name": "HTTP Requests",
+      "value": "_path==\"http\" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c",
+      "description": "Displays a list of the count of unique HTTP requests including source and destination"
+    },
+    {
+      "name": "Unique Network Connections",
+      "value": "_path==\"conn\" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq",
+      "description": "Displays a table showing all unique source:port:destination connections pairings"
+    },
+    {
+      "name": "Connection Received Data",
+      "value": "_path==\"conn\" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes",
+      "description": "Shows the connections between hosts, sorted by data received"
+    },
+    {
+      "name": "File Activity",
+      "value": "filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1",
+      "description": "Displays a curated view of file data including md5 and sha1 for complete file transfers"
+    },
+    {
+      "name": "HTTP Post Requests",
+      "value": "method==\"POST\" | cut ts, uid, id, method, uri, status_code",
+      "description": "Displays all HTTP Post requests including the URI and HTTP status code"
+    },
+    {
+      "name": "Show IP Subnets",
+      "value": "_path==\"conn\" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r",
+      "description": "Enumerates the classful networks for all destination IP addresses including count of connections"
+    },
+    {
+      "name": "Suricata Alerts by Category",
+      "value": "event_type==\"alert\" | count() by alert.severity,alert.category | sort count",
+      "description": "Shows all Suricata alert counts by category and severity"
+    },
+    {
+      "name": "Suricata Alerts by Source and Destination",
+      "value": "event_type==\"alert\" | alerts := union(alert.category) by src_ip, dest_ip",
+      "description": "Shows all Suricata alerts in a list by unique source and destination IP addresses"
+    },
+    {
+      "name": "Suricata Alerts by Subnet",
+      "value": "event_type==\"alert\" | alerts := union(alert.category) by network_of(dest_ip)",
+      "description": "Displays a list of Suricata alerts by CIDR network"
+    }
+  ]
+}