Complete removal of the old table based notice policy mechanism.

2025-10-12 03:28:19 +00:00 · 2013-03-06 09:44:25 -05:00 · 2013-03-06 09:44:25 -05:00 · 00eeadf2f5
commit 00eeadf2f5
parent 9f8ba408ba
2 changed files with 9 additions and 116 deletions
--- a/scripts/base/frameworks/notice/cluster.bro
+++ b/scripts/base/frameworks/notice/cluster.bro
@ -25,15 +25,6 @@ event Notice::begin_suppression(n: Notice::Info)
 	{
 	suppressing[n$note, n$identifier] = n;
 	}
 event bro_init() &priority=-3
 	{
 	# Workers and proxies need to disable the notice streams because notice
 	# events are forwarded directly instead of being logged remotely.
 	Log::disable_stream(Notice::LOG);
 	Log::disable_stream(Notice::POLICY_LOG);
 	Log::disable_stream(Notice::ALARM_LOG);
 	}
@endif
@if ( Cluster::local_node_type() == Cluster::MANAGER )
@ -46,17 +37,16 @@ event Notice::cluster_notice(n: Notice::Info)
 module GLOBAL;
-## This is the entry point in the global namespace for notice framework.
+## This is the entry point in the global namespace for the notice framework.
 function NOTICE(n: Notice::Info)
 	{
 	# Suppress this notice if necessary.
 	if ( Notice::is_being_suppressed(n) )
 		return;
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
+	if ( Cluster::local_node_type() == Cluster::MANAGER )
 		Notice::internal_NOTICE(n);
-@else
+	else
 		# For non-managers, send the notice on to the manager.
 		event Notice::cluster_notice(n);
@endif
 	}
--- a/scripts/base/frameworks/notice/main.bro
+++ b/scripts/base/frameworks/notice/main.bro
@ -10,9 +10,6 @@ export {
 	redef enum Log::ID += {
 		## This is the primary logging stream for notices.
 		LOG,
 		## This is the notice policy auditing log.  It records what the current
 		## notice policy is at Bro init time.
 		POLICY_LOG,
 		## This is the alarm stream.
 		ALARM_LOG,
 	};
@ -42,9 +39,6 @@ export {
 		## version of the alarm log is emailed in bulk to the address(es)
 		## configured in :bro:id:`Notice::mail_dest`.
 		ACTION_ALARM,
 		## Indicates that the notice should not be supressed by the normal
 		## duplicate notice suppression that the notice framework does.
 		ACTION_NO_SUPPRESS,
 	};
 	## The notice framework is able to do automatic notice supression by
@ -138,9 +132,8 @@ export {
 		identifier:          string         &optional;
 		## This field indicates the length of time that this
-		## unique notice should be suppressed.  This field is automatically
+		## unique notice should be suppressed.
-		## filled out and should not be written to by any other script.
+		suppress_for:        interval       &log &default=default_suppression_interval;
 		suppress_for:        interval       &log &optional;
 	};
 	## Ignored notice types.
@ -155,39 +148,6 @@ export {
 	## intervals for entire notice types.
 	const type_suppression_intervals: table[Notice::Type] of interval = {} &redef;
 	## This is the record that defines the items that make up the notice policy.
 	type PolicyItem: record {
 		## This is the exact positional order in which the
 		## :bro:type:`Notice::PolicyItem` records are checked.
 		## This is set internally by the notice framework.
 		position: count                            &log &optional;
 		## Define the priority for this check.  Items are checked in ordered
 		## from highest value (10) to lowest value (0).
 		priority: count                            &log &default=5;
 		## An action given to the notice if the predicate return true.
 		action:   Notice::Action                   &log &default=ACTION_NONE;
 		## The pred (predicate) field is a function that returns a boolean T
 		## or F value.  If the predicate function return true, the action in
 		## this record is applied to the notice that is given as an argument
 		## to the predicate function.  If no predicate is supplied, it's
 		## assumed that the PolicyItem always applies.
 		pred:     function(n: Notice::Info): bool  &log &optional;
 		## Indicates this item should terminate policy processing if the
 		## predicate returns T.
 		halt:     bool                             &log &default=F;
 		## This defines the length of time that this particular notice should
 		## be supressed.
 		suppress_for: interval                     &log &optional;
 	};
 	## Defines a notice policy that is extensible on a per-site basis.
 	## All notice processing is done through this variable.  This variable
 	## is the former 'policy' variable, and
 	## this variable is deprecated and will be removed in a future version.
 	## All notice policy decisions are going to be done through the 
 	## 'policy' hook now.
 	const policy_table: set[PolicyItem] = {} &redef;
 	## The hook to modify notice handling.
 	global policy: hook(n: Notice::Info);
@ -308,10 +268,6 @@ global suppressing: table[Type, string] of Notice::Info = {}
 		&create_expire=0secs
 		&expire_func=per_notice_suppression_interval;
 # This is an internal variable used to store the notice policy ordered by
 # priority.
 global ordered_policy: vector of PolicyItem = vector();
 function log_mailing_postprocessor(info: Log::RotationInfo): bool
 	{
 	if ( ! reading_traces() && mail_dest != "" )
@ -442,7 +398,7 @@ hook Notice::policy(n: Notice::Info) &priority=10
 		break;
 	if ( n$note in Notice::not_suppressed_types )
-		add n$actions[ACTION_NO_SUPPRESS];
+		n$suppress_for=0secs;
 	if ( n$note in Notice::alarmed_types )
 		add n$actions[ACTION_ALARM];
 	if ( n$note in Notice::emailed_types )
@ -467,7 +423,6 @@ hook Notice::notice(n: Notice::Info) &priority=-5
 	# Normally suppress further notices like this one unless directed not to.
 	#  n$identifier *must* be specified for suppression to function at all.
 	if ( n?$identifier &&
 	     ACTION_NO_SUPPRESS !in n$actions &&
 	     [n$note, n$identifier] !in suppressing &&
 	     n$suppress_for != 0secs )
 		{
@ -552,24 +507,6 @@ function apply_policy(n: Notice::Info)
 	if ( ! n?$email_delay_tokens )
 		n$email_delay_tokens = set();
 	for ( i in ordered_policy )
 		{
 		# If there's no predicate or the predicate returns F.
 		if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) )
 			{
 			add n$actions[ordered_policy[i]$action];
 			# If the predicate matched and there was a suppression interval,
 			# apply it to the notice now.
 			if ( ordered_policy[i]?$suppress_for )
 				n$suppress_for = ordered_policy[i]$suppress_for;
 			# If the policy item wants to halt policy processing, do it now!
 			if ( ordered_policy[i]$halt )
 				break;
 			}
 		}
 	# Apply the hook based policy.
 	hook Notice::policy(n);
@ -588,40 +525,6 @@ function apply_policy(n: Notice::Info)
 		delete n$iconn;
 	}
 # Create the ordered notice policy automatically which will be used at runtime
 # for prioritized matching of the notice policy.
 event bro_init() &priority=10
 	{
 	# Create the policy log here because it's only written to in this handler.
 	Log::create_stream(Notice::POLICY_LOG, [$columns=PolicyItem]);
 	local tmp: table[count] of set[PolicyItem] = table();
 	for ( pi in policy_table )
 		{
 		if ( pi$priority < 0 || pi$priority > 10 )
 			Reporter::fatal("All Notice::PolicyItem priorities must be within 0 and 10");
 		if ( pi$priority !in tmp )
 			tmp[pi$priority] = set();
 		add tmp[pi$priority][pi];
 		}
 	local rev_count = vector(10,9,8,7,6,5,4,3,2,1,0);
 	for ( i in rev_count )
 		{
 		local j = rev_count[i];
 		if ( j in tmp )
 			{
 			for ( pi in tmp[j] )
 				{
 				pi$position = |ordered_policy|;
 				ordered_policy[|ordered_policy|] = pi;
 				Log::write(Notice::POLICY_LOG, pi);
 				}
 			}
 		}
 	}
 function internal_NOTICE(n: Notice::Info)
 	{
 	# Fill out fields that might be empty and do the policy processing.