diff --git a/DocSourcesList.cmake b/DocSourcesList.cmake
index 1743b0258f..5ac87a6305 100644
--- a/DocSourcesList.cmake
+++ b/DocSourcesList.cmake
@@ -19,6 +19,7 @@ rest_target(${psd} base/init-bare.bro internal)
 rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
@@ -31,15 +32,31 @@ rest_target(${psd} base/frameworks/cluster/setup-connections.bro)
 rest_target(${psd} base/frameworks/communication/main.bro)
 rest_target(${psd} base/frameworks/control/main.bro)
 rest_target(${psd} base/frameworks/dpd/main.bro)
+rest_target(${psd} base/frameworks/input/main.bro)
+rest_target(${psd} base/frameworks/input/readers/ascii.bro)
+rest_target(${psd} base/frameworks/input/readers/benchmark.bro)
+rest_target(${psd} base/frameworks/input/readers/raw.bro)
+rest_target(${psd} base/frameworks/intel/cluster.bro)
+rest_target(${psd} base/frameworks/intel/input.bro)
 rest_target(${psd} base/frameworks/intel/main.bro)
 rest_target(${psd} base/frameworks/logging/main.bro)
 rest_target(${psd} base/frameworks/logging/postprocessors/scp.bro)
 rest_target(${psd} base/frameworks/logging/postprocessors/sftp.bro)
 rest_target(${psd} base/frameworks/logging/writers/ascii.bro)
 rest_target(${psd} base/frameworks/logging/writers/dataseries.bro)
-rest_target(${psd} base/frameworks/metrics/cluster.bro)
-rest_target(${psd} base/frameworks/metrics/main.bro)
-rest_target(${psd} base/frameworks/metrics/non-cluster.bro)
+rest_target(${psd} base/frameworks/logging/writers/elasticsearch.bro)
+rest_target(${psd} base/frameworks/logging/writers/none.bro)
+rest_target(${psd} base/frameworks/measurement/cluster.bro)
+rest_target(${psd} base/frameworks/measurement/main.bro)
+rest_target(${psd} base/frameworks/measurement/non-cluster.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/average.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/max.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/min.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/sample.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/std-dev.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/sum.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/unique.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/variance.bro)
 rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro)
 rest_target(${psd} base/frameworks/notice/actions/drop.bro)
 rest_target(${psd} base/frameworks/notice/actions/email_admin.bro)
@@ -48,18 +65,23 @@ rest_target(${psd} base/frameworks/notice/actions/pp-alarms.bro)
 rest_target(${psd} base/frameworks/notice/cluster.bro)
 rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro)
 rest_target(${psd} base/frameworks/notice/main.bro)
+rest_target(${psd} base/frameworks/notice/non-cluster.bro)
 rest_target(${psd} base/frameworks/notice/weird.bro)
 rest_target(${psd} base/frameworks/packet-filter/main.bro)
 rest_target(${psd} base/frameworks/packet-filter/netstats.bro)
 rest_target(${psd} base/frameworks/reporter/main.bro)
 rest_target(${psd} base/frameworks/signatures/main.bro)
 rest_target(${psd} base/frameworks/software/main.bro)
+rest_target(${psd} base/frameworks/tunnels/main.bro)
+rest_target(${psd} base/misc/find-checksum-offloading.bro)
 rest_target(${psd} base/protocols/conn/contents.bro)
 rest_target(${psd} base/protocols/conn/inactivity.bro)
 rest_target(${psd} base/protocols/conn/main.bro)
+rest_target(${psd} base/protocols/conn/polling.bro)
 rest_target(${psd} base/protocols/dns/consts.bro)
 rest_target(${psd} base/protocols/dns/main.bro)
 rest_target(${psd} base/protocols/ftp/file-extract.bro)
+rest_target(${psd} base/protocols/ftp/gridftp.bro)
 rest_target(${psd} base/protocols/ftp/main.bro)
 rest_target(${psd} base/protocols/ftp/utils-commands.bro)
 rest_target(${psd} base/protocols/http/file-extract.bro)
@@ -69,9 +91,13 @@ rest_target(${psd} base/protocols/http/main.bro)
 rest_target(${psd} base/protocols/http/utils.bro)
 rest_target(${psd} base/protocols/irc/dcc-send.bro)
 rest_target(${psd} base/protocols/irc/main.bro)
+rest_target(${psd} base/protocols/modbus/consts.bro)
+rest_target(${psd} base/protocols/modbus/main.bro)
 rest_target(${psd} base/protocols/smtp/entities-excerpt.bro)
 rest_target(${psd} base/protocols/smtp/entities.bro)
 rest_target(${psd} base/protocols/smtp/main.bro)
+rest_target(${psd} base/protocols/socks/consts.bro)
+rest_target(${psd} base/protocols/socks/main.bro)
 rest_target(${psd} base/protocols/ssh/main.bro)
 rest_target(${psd} base/protocols/ssl/consts.bro)
 rest_target(${psd} base/protocols/ssl/main.bro)
@@ -85,36 +111,50 @@ rest_target(${psd} base/utils/files.bro)
 rest_target(${psd} base/utils/numbers.bro)
 rest_target(${psd} base/utils/paths.bro)
 rest_target(${psd} base/utils/patterns.bro)
+rest_target(${psd} base/utils/queue.bro)
 rest_target(${psd} base/utils/site.bro)
 rest_target(${psd} base/utils/strings.bro)
 rest_target(${psd} base/utils/thresholds.bro)
+rest_target(${psd} base/utils/time.bro)
+rest_target(${psd} base/utils/urls.bro)
 rest_target(${psd} policy/frameworks/communication/listen.bro)
 rest_target(${psd} policy/frameworks/control/controllee.bro)
 rest_target(${psd} policy/frameworks/control/controller.bro)
 rest_target(${psd} policy/frameworks/dpd/detect-protocols.bro)
 rest_target(${psd} policy/frameworks/dpd/packet-segment-logging.bro)
-rest_target(${psd} policy/frameworks/metrics/conn-example.bro)
-rest_target(${psd} policy/frameworks/metrics/http-example.bro)
-rest_target(${psd} policy/frameworks/metrics/ssl-example.bro)
+rest_target(${psd} policy/frameworks/intel/conn-established.bro)
+rest_target(${psd} policy/frameworks/intel/dns.bro)
+rest_target(${psd} policy/frameworks/intel/http-host-header.bro)
+rest_target(${psd} policy/frameworks/intel/http-url.bro)
+rest_target(${psd} policy/frameworks/intel/http-user-agents.bro)
+rest_target(${psd} policy/frameworks/intel/smtp-url-extraction.bro)
+rest_target(${psd} policy/frameworks/intel/smtp.bro)
+rest_target(${psd} policy/frameworks/intel/ssl.bro)
+rest_target(${psd} policy/frameworks/intel/where-locations.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)
 rest_target(${psd} policy/integration/barnyard2/main.bro)
 rest_target(${psd} policy/integration/barnyard2/types.bro)
+rest_target(${psd} policy/integration/collective-intel/main.bro)
 rest_target(${psd} policy/misc/analysis-groups.bro)
+rest_target(${psd} policy/misc/app-metrics.bro)
 rest_target(${psd} policy/misc/capture-loss.bro)
+rest_target(${psd} 
policy/misc/detect-traceroute/main.bro)
 rest_target(${psd} policy/misc/loaded-scripts.bro)
 rest_target(${psd} policy/misc/profiling.bro)
+rest_target(${psd} policy/misc/scan.bro)
 rest_target(${psd} policy/misc/stats.bro)
 rest_target(${psd} policy/misc/trim-trace-file.bro)
 rest_target(${psd} policy/protocols/conn/known-hosts.bro)
 rest_target(${psd} policy/protocols/conn/known-services.bro)
+rest_target(${psd} policy/protocols/conn/metrics.bro)
 rest_target(${psd} policy/protocols/conn/weirds.bro)
 rest_target(${psd} policy/protocols/dns/auth-addl.bro)
 rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
+rest_target(${psd} policy/protocols/ftp/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ftp/detect.bro)
 rest_target(${psd} policy/protocols/ftp/software.bro)
 rest_target(${psd} policy/protocols/http/detect-MHR.bro)
-rest_target(${psd} policy/protocols/http/detect-intel.bro)
 rest_target(${psd} policy/protocols/http/detect-sqli.bro)
 rest_target(${psd} policy/protocols/http/detect-webapps.bro)
 rest_target(${psd} policy/protocols/http/header-names.bro)
@@ -122,8 +162,11 @@ rest_target(${psd} policy/protocols/http/software-browser-plugins.bro)
 rest_target(${psd} policy/protocols/http/software.bro)
 rest_target(${psd} policy/protocols/http/var-extraction-cookies.bro)
 rest_target(${psd} policy/protocols/http/var-extraction-uri.bro)
+rest_target(${psd} policy/protocols/modbus/known-masters-slaves.bro)
+rest_target(${psd} policy/protocols/modbus/track-memmap.bro)
 rest_target(${psd} policy/protocols/smtp/blocklists.bro)
 rest_target(${psd} policy/protocols/smtp/detect-suspicious-orig.bro)
+rest_target(${psd} policy/protocols/smtp/metrics.bro)
 rest_target(${psd} policy/protocols/smtp/software.bro)
 rest_target(${psd} policy/protocols/ssh/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ssh/geo-data.bro)
@@ -133,9 +176,11 @@ rest_target(${psd} policy/protocols/ssl/cert-hash.bro)
 rest_target(${psd} policy/protocols/ssl/expiring-certs.bro)
 rest_target(${psd} policy/protocols/ssl/extract-certs-pem.bro)
 rest_target(${psd} policy/protocols/ssl/known-certs.bro)
+rest_target(${psd} policy/protocols/ssl/notary.bro)
 rest_target(${psd} policy/protocols/ssl/validate-certs.bro)
 rest_target(${psd} policy/tuning/defaults/packet-fragments.bro)
 rest_target(${psd} policy/tuning/defaults/warnings.bro)
+rest_target(${psd} policy/tuning/logs-to-elasticsearch.bro)
 rest_target(${psd} policy/tuning/track-all-assets.bro)
 rest_target(${psd} site/local-manager.bro)
 rest_target(${psd} site/local-proxy.bro)
diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake
index 4e957d03a0..d4498b2fe3 100644
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@@ -49,6 +49,14 @@ rest_target(${psd} base/frameworks/logging/writers/none.bro)
 rest_target(${psd} base/frameworks/measurement/cluster.bro)
 rest_target(${psd} base/frameworks/measurement/main.bro)
 rest_target(${psd} base/frameworks/measurement/non-cluster.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/average.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/max.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/min.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/sample.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/std-dev.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/sum.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/unique.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/variance.bro)
 rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro)
 rest_target(${psd} base/frameworks/notice/actions/drop.bro)
 rest_target(${psd} base/frameworks/notice/actions/email_admin.bro)
@@ -107,6 +115,7 @@ rest_target(${psd} base/utils/queue.bro)
 rest_target(${psd} base/utils/site.bro)
 rest_target(${psd} base/utils/strings.bro)
 rest_target(${psd} base/utils/thresholds.bro)
+rest_target(${psd} base/utils/time.bro)
 rest_target(${psd} base/utils/urls.bro)
 rest_target(${psd} policy/frameworks/communication/listen.bro)
 rest_target(${psd} policy/frameworks/control/controllee.bro)
@@ -122,9 +131,6 @@ rest_target(${psd} policy/frameworks/intel/smtp-url-extraction.bro)
 rest_target(${psd} policy/frameworks/intel/smtp.bro)
 rest_target(${psd} policy/frameworks/intel/ssl.bro)
 rest_target(${psd} policy/frameworks/intel/where-locations.bro)
-rest_target(${psd} policy/frameworks/metrics/conn-example.bro)
-rest_target(${psd} policy/frameworks/metrics/http-example.bro)
-rest_target(${psd} policy/frameworks/metrics/ssl-example.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)
 rest_target(${psd} policy/integration/barnyard2/main.bro)
@@ -136,16 +142,17 @@ rest_target(${psd} policy/misc/capture-loss.bro)
 rest_target(${psd} policy/misc/detect-traceroute/main.bro)
 rest_target(${psd} policy/misc/loaded-scripts.bro)
 rest_target(${psd} policy/misc/profiling.bro)
+rest_target(${psd} policy/misc/scan.bro)
 rest_target(${psd} policy/misc/stats.bro)
 rest_target(${psd} policy/misc/trim-trace-file.bro)
 rest_target(${psd} policy/protocols/conn/conn-stats-per-host.bro)
 rest_target(${psd} policy/protocols/conn/known-hosts.bro)
 rest_target(${psd} policy/protocols/conn/known-services.bro)
 rest_target(${psd} policy/protocols/conn/metrics.bro)
-rest_target(${psd} policy/protocols/conn/scan.bro)
 rest_target(${psd} policy/protocols/conn/weirds.bro)
 rest_target(${psd} policy/protocols/dns/auth-addl.bro)
 rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
+rest_target(${psd} policy/protocols/ftp/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ftp/detect.bro)
 rest_target(${psd} policy/protocols/ftp/software.bro)
 rest_target(${psd} policy/protocols/http/detect-MHR.bro)
diff --git a/scripts/base/frameworks/measurement/main.bro b/scripts/base/frameworks/measurement/main.bro
index f649dbe1f2..5e33ff7a25 100644
--- a/scripts/base/frameworks/measurement/main.bro
+++ b/scripts/base/frameworks/measurement/main.bro
@@ -1,6 +1,4 @@
-##! The metrics framework provides a way to count and measure data.
-
-@load base/utils/queue
+##! The measurement framework provides a way to count and measure data.
 module Measurement;
@@ -12,7 +10,7 @@ export {
 ## Represents a thing which is having measurement results collected for it.
 type Key: record {
- ## A non-address related metric or a sub-key for an address based metric.
+ ## A non-address related measurement or a sub-key for an address based measurement.
 ## An example might be successful SSH connections by client IP address
 ## where the client string would be the key value.
 ## Another example might be number of HTTP requests to a particular
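Review bot: `rest_target(${psd} policy/protocols/conn/conn-stats-per-host.bro)` is kept as context in this hunk while the same commit deletes `scripts/policy/protocols/conn/conn-stats-per-host.bro`, so the doc build keeps a target for a file that no longer exists; that line should go the same way as the `conn/scan.bro` entry this hunk already drops. The top-level DocSourcesList.cmake hunks above do not list it, so only this copy needs the change.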
diff --git a/scripts/base/frameworks/measurement/plugins/average.bro b/scripts/base/frameworks/measurement/plugins/average.bro
index 172e8c788d..9a3938640e 100644
--- a/scripts/base/frameworks/measurement/plugins/average.bro
+++ b/scripts/base/frameworks/measurement/plugins/average.bro
@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 module Measurement;
diff --git a/scripts/base/frameworks/measurement/plugins/max.bro b/scripts/base/frameworks/measurement/plugins/max.bro
index 02b536f849..816d249de3 100644
--- a/scripts/base/frameworks/measurement/plugins/max.bro
+++ b/scripts/base/frameworks/measurement/plugins/max.bro
@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 module Measurement;
diff --git a/scripts/base/frameworks/measurement/plugins/min.bro b/scripts/base/frameworks/measurement/plugins/min.bro
index 944ee9fcb4..910d2c76d7 100644
--- a/scripts/base/frameworks/measurement/plugins/min.bro
+++ b/scripts/base/frameworks/measurement/plugins/min.bro
@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 module Measurement;
diff --git a/scripts/base/frameworks/measurement/plugins/sample.bro b/scripts/base/frameworks/measurement/plugins/sample.bro
index 018b7c9652..399f572490 100644
--- a/scripts/base/frameworks/measurement/plugins/sample.bro
+++ b/scripts/base/frameworks/measurement/plugins/sample.bro
@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 @load base/utils/queue
 module Measurement;
@@ -10,40 +11,41 @@ export {
 };
 redef record ResultVal += {
- ## A sample of something being measured. This is helpful in
- ## some cases for collecting information to do further detection
- ## or better logging for forensic purposes.
- samples: vector of Measurement::DataPoint &optional;
+ # This is the queue where samples
+ # are maintained. Use the :bro:see:`Measurement::get_samples`
+ ## function to get a vector of the samples.
+ samples: Queue::Queue &optional;
 };
+
+ ## Get a vector of sample DataPoint values from a ResultVal.
+ global get_samples: function(rv: ResultVal): vector of DataPoint;
 }
-redef record ResultVal += {
- # Internal use only. This is the queue where samples
- # are maintained since the queue is self managing for
- # the number of samples requested.
- sample_queue: Queue::Queue &optional;
-};
+function get_samples(rv: ResultVal): vector of DataPoint
+ {
+ local s: vector of DataPoint = vector();
+ if ( rv?$samples )
+ Queue::get_vector(rv$samples, s);
+ return s;
+ }
 hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal)
 {
 if ( r$samples > 0 )
 {
- if ( ! rv?$sample_queue )
- rv$sample_queue = Queue::init([$max_len=r$samples]);
 if ( ! 
rv?$samples )
- rv$samples = vector();
- Queue::put(rv$sample_queue, data);
- Queue::get_vector(rv$sample_queue, rv$samples);
+ rv$samples = Queue::init([$max_len=r$samples]);
+ Queue::put(rv$samples, data);
 }
 }
 hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 {
- # Merge $sample_queue
- if ( rv1?$sample_queue && rv2?$sample_queue )
- result$sample_queue = Queue::merge(rv1$sample_queue, rv2$sample_queue);
- else if ( rv1?$sample_queue )
- result$sample_queue = rv1$sample_queue;
- else if ( rv2?$sample_queue )
- result$sample_queue = rv2$sample_queue;
+ # Merge $samples
+ if ( rv1?$samples && rv2?$samples )
+ result$samples = Queue::merge(rv1$samples, rv2$samples);
+ else if ( rv1?$samples )
+ result$samples = rv1$samples;
+ else if ( rv2?$samples )
+ result$samples = rv2$samples;
 }
\ No newline at end of file
diff --git a/scripts/base/frameworks/measurement/plugins/std-dev.bro b/scripts/base/frameworks/measurement/plugins/std-dev.bro
index bcf2cdcb00..bfcaa67910 100644
--- a/scripts/base/frameworks/measurement/plugins/std-dev.bro
+++ b/scripts/base/frameworks/measurement/plugins/std-dev.bro
@@ -1,5 +1,5 @@
-@load ./sum
 @load ./variance
+@load base/frameworks/measurement
 module Measurement;
diff --git a/scripts/base/frameworks/measurement/plugins/sum.bro b/scripts/base/frameworks/measurement/plugins/sum.bro
index 5a25573870..2ada26e1d0 100644
--- a/scripts/base/frameworks/measurement/plugins/sum.bro
+++ b/scripts/base/frameworks/measurement/plugins/sum.bro
@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 module Measurement;
diff --git a/scripts/base/frameworks/measurement/plugins/unique.bro b/scripts/base/frameworks/measurement/plugins/unique.bro
index 7664663d29..f1027157a7 100644
--- a/scripts/base/frameworks/measurement/plugins/unique.bro
+++ b/scripts/base/frameworks/measurement/plugins/unique.bro
@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 module Measurement;
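Review bot: The doc comment on the new `samples` field mixes plain `#` lines with a Broxygen `##` line, so the generated documentation will show only `function to get a vector of the samples.` and lose the two lines that explain the field is now a queue; make the first two `## This is the queue where samples` and `## are maintained. Use the :bro:see: ...` (same text, doubled hash). That comment should also say that the exported field's type changed from `vector of Measurement::DataPoint` to `Queue::Queue` and that `r$samples` must no longer be read directly — detect-sqli.bro is updated in this commit, but any other consumer cannot be seen from here. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while it is being rewritten.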
diff --git a/scripts/base/frameworks/measurement/plugins/variance.bro b/scripts/base/frameworks/measurement/plugins/variance.bro
index dc94f39840..2868a8a3ad 100644
--- a/scripts/base/frameworks/measurement/plugins/variance.bro
+++ b/scripts/base/frameworks/measurement/plugins/variance.bro
@@ -1,4 +1,5 @@
 @load ./average
+@load base/frameworks/measurement
 module Measurement;
diff --git a/scripts/base/frameworks/measurement/simple.bro b/scripts/base/frameworks/measurement/simple.bro
deleted file mode 100644
index 51bf7e8c44..0000000000
--- a/scripts/base/frameworks/measurement/simple.bro
+++ /dev/null
@@ -1,6 +0,0 @@
-
-module Metrics;
-
-export {
-
-}
\ No newline at end of file
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
index 3d7b1fe61a..69e7c331ae 100644
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@@ -56,10 +56,10 @@ export {
 tags: set[string] &log &default=set();
 ## Current working directory that this session is in. By making
- ## the default value '/.', we can indicate that unless something
+ ## the default value '.', we can indicate that unless something
 ## more concrete is discovered that the existing but unknown
 ## directory is ok to use.
- cwd: string &default="/.";
+ cwd: string &default=".";
 ## Command that is currently waiting for a response.
 cmdarg: CmdArg &optional;
@@ -172,7 +172,12 @@ function ftp_message(s: Info)
 local arg = s$cmdarg$arg;
 if ( s$cmdarg$cmd in file_cmds )
- arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), build_path_compressed(s$cwd, arg));
+ {
+ local comp_path = build_path_compressed(s$cwd, arg);
+ if ( s$cwd[0] != "/" )
+ comp_path = cat("/", comp_path);
+ arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path);
+ }
 s$ts=s$cmdarg$ts;
 s$command=s$cmdarg$cmd;
diff --git a/scripts/base/utils/paths.bro b/scripts/base/utils/paths.bro
index aa083ddf5b..f8ad384ea7 100644
--- a/scripts/base/utils/paths.bro
+++ b/scripts/base/utils/paths.bro
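Review bot: `if ( s$cwd[0] != "/" )` reads the first character of `cwd` without checking that the string is non-empty; the new `"."` default covers the initial state, but if a later directory update can leave `cwd` as `""` (not visible in this hunk) the index is out of range. Testing with a pattern avoids that edge case entirely: `if ( /^\// !in s$cwd )`. `ftp_message` starts and ends outside the hunk.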
@@ -19,7 +19,7 @@ function extract_path(input: string): string
 }
 ## Compresses a given path by removing '..'s and the parent directory it
-## references and also removing '/'s.
+## references and also removing dual '/'s and extraneous '/./'s.
 ## dir: a path string, either relative or absolute
 ## Returns: a compressed version of the input path
 function compress_path(dir: string): string
@@ -41,7 +41,7 @@ function compress_path(dir: string): string
 return compress_path(dir);
 }
- const multislash_sep = /(\/){2,}/;
+ const multislash_sep = /(\/\.?){2,}/;
 parts = split_all(dir, multislash_sep);
 for ( i in parts )
 if ( i % 2 == 0 )
diff --git a/scripts/policy/frameworks/metrics/conn-example.bro b/scripts/policy/frameworks/metrics/conn-example.bro
deleted file mode 100644
index 3f87ecb283..0000000000
--- a/scripts/policy/frameworks/metrics/conn-example.bro
+++ /dev/null
@@ -1,26 +0,0 @@
-##! An example of using the metrics framework to collect connection metrics
-##! aggregated into /24 CIDR ranges.
-
-@load base/frameworks/measurement
-@load base/utils/site
-
-event bro_init()
- {
- #Metrics::add_filter("conns.originated", [$aggregation_mask=24, $break_interval=1mins]);
- Metrics::add_filter("conns.originated", [$every=1mins, $measure=set(Metrics::SUM),
- $aggregation_table=Site::local_nets_table,
- $period_finished=Metrics::write_log]);
-
-
- # Site::local_nets must be defined in order for this to actually do anything.
- Metrics::add_filter("conns.responded", [$every=1mins, $measure=set(Metrics::SUM),
- $aggregation_table=Site::local_nets_table,
- $period_finished=Metrics::write_log]);
-
- }
-
-event connection_established(c: connection)
- {
- Metrics::add_data("conns.originated", [$host=c$id$orig_h], [$num=1]);
- Metrics::add_data("conns.responded", [$host=c$id$resp_h], [$num=1]);
- }
diff --git a/scripts/policy/frameworks/metrics/http-example.bro b/scripts/policy/frameworks/metrics/http-example.bro
deleted file mode 100644
index d7aa304754..0000000000
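Review bot: The new separator `/(\/\.?){2,}/` can swallow the leading dot of whatever component follows a run of slashes: on `a//.ssh` or `a/./.ssh` longest-match takes `//.` or `/./.` as the separator, so after the `parts[i]` rejoin below the result is `a/ssh`. Anchoring the optional dot to a following slash keeps `//` and `/./` runs matching while leaving a dotfile name intact: `const multislash_sep = /\/(\.?\/)+/;`. This is more than cosmetic because `compress_path` now feeds the loaded_scripts log and, presumably through `build_path_compressed`, the `ftp://` URL in `ftp_message`, so a mangled path would be what analysts see in those logs. `compress_path` starts and ends outside the hunk, and the loop body that rewrites `parts[i]` is below it.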
--- a/scripts/policy/frameworks/metrics/http-example.bro
+++ /dev/null
@@ -1,29 +0,0 @@
-##! Provides an example of aggregating and limiting collection down to
-##! only local networks. Additionally, the status code for the response from
-##! the request is added into the metric.
-
-@load base/frameworks/measurement
-@load base/protocols/http
-@load base/utils/site
-
-event bro_init()
- {
- Metrics::add_filter("http.request.by_host_header",
- [$every=1min, $measure=set(Metrics::SUM),
- $pred(index: Metrics::Index, data: Metrics::DataPoint) = { return T; return Site::is_local_addr(index$host); },
- $aggregation_mask=24,
- $period_finished=Metrics::write_log]);
-
- # Site::local_nets must be defined in order for this to actually do anything.
- Metrics::add_filter("http.request.by_status_code", [$every=1min, $measure=set(Metrics::SUM),
- $aggregation_table=Site::local_nets_table,
- $period_finished=Metrics::write_log]);
- }
-
-event HTTP::log_http(rec: HTTP::Info)
- {
- if ( rec?$host )
- Metrics::add_data("http.request.by_host_header", [$str=rec$host], [$num=1]);
- if ( rec?$status_code )
- Metrics::add_data("http.request.by_status_code", [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], [$num=1]);
- }
diff --git a/scripts/policy/frameworks/metrics/ssl-example.bro b/scripts/policy/frameworks/metrics/ssl-example.bro
deleted file mode 100644
index 400373c06c..0000000000
--- a/scripts/policy/frameworks/metrics/ssl-example.bro
+++ /dev/null
@@ -1,23 +0,0 @@
-##! Provides an example of using the metrics framework to collect the number
-##! of times a specific server name indicator value is seen in SSL session
-##! establishments. Names ending in google.com are being filtered out as an
-##! example of the predicate based filtering in metrics filters.
-
-@load base/frameworks/measurement
-@load base/protocols/ssl
-
-event bro_init()
- {
- Metrics::add_filter("ssl.by_servername",
- [$name="no-google-ssl-servers",
- $every=10secs, $measure=set(Metrics::SUM),
- $pred(index: Metrics::Index, data: Metrics::DataPoint) = {
- return (/google\.com$/ !in index$str);
- }]);
- }
-
-event SSL::log_ssl(rec: SSL::Info)
- {
- if ( rec?$server_name )
- Metrics::add_data("ssl.by_servername", [$str=rec$server_name], [$num=1]);
- }
diff --git a/scripts/policy/misc/loaded-scripts.bro b/scripts/policy/misc/loaded-scripts.bro
index 468478e682..516826aa7e 100644
--- a/scripts/policy/misc/loaded-scripts.bro
+++ b/scripts/policy/misc/loaded-scripts.bro
@@ -1,4 +1,5 @@
 ##! Log the loaded scripts.
+@load base/utils/paths
 module LoadedScripts;
@@ -34,5 +35,5 @@ event bro_init() &priority=5
 event bro_script_loaded(path: string, level: count)
 {
- Log::write(LoadedScripts::LOG, [$name=cat(depth[level], path)]);
+ Log::write(LoadedScripts::LOG, [$name=cat(depth[level], compress_path(path))]);
 }
\ No newline at end of file
diff --git a/scripts/policy/protocols/conn/conn-stats-per-host.bro b/scripts/policy/protocols/conn/conn-stats-per-host.bro
deleted file mode 100644
index d537d13b72..0000000000
--- a/scripts/policy/protocols/conn/conn-stats-per-host.bro
+++ /dev/null
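Review bot: The `##!` header of loaded-scripts.bro still reads `Log the loaded scripts.` while the `$name` written on the changed line is now `compress_path(path)` rather than the path the loader reported; the baselines in this commit show `./` components disappearing, and readers of loaded_scripts.log should be told the names are normalized. Suggest `##! Log the loaded scripts, with each path normalized by compress_path.` as the header in the first hunk of this file. The file also still ends without a trailing newline.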
@@ -1,27 +0,0 @@
-
-@load base/protocols/conn
-@load base/frameworks/measurement
-
-event bro_init() &priority=5
- {
- Metrics::add_filter("conn.orig.data",
- [$every=5mins,
- $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV),
- $period_finished=Metrics::write_log]);
- Metrics::add_filter("conn.resp.data",
- [$every=5mins,
- $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV),
- $period_finished=Metrics::write_log]);
- }
-
-
-event connection_state_remove(c: connection)
- {
- if ( ! (c$conn$conn_state == "SF" && c$conn$proto == tcp) )
- return;
-
- if ( Site::is_local_addr(c$id$orig_h) )
- Metrics::add_data("conn.orig.data", [$host=c$id$orig_h], [$num=c$orig$size]);
- if ( Site::is_local_addr(c$id$resp_h) )
- Metrics::add_data("conn.resp.data", [$host=c$id$resp_h], [$num=c$resp$size]);
- }
\ No newline at end of file
diff --git a/scripts/policy/protocols/ftp/detect-bruteforcing.bro b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
index 286cc95979..bcf7a59d06 100644
--- a/scripts/policy/protocols/ftp/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ftp/detect-bruteforcing.bro
@@ -25,20 +25,25 @@ export {
 event bro_init()
 {
- Metrics::add_filter("ftp.failed_auth", [$every=bruteforce_measurement_interval,
- $measure=set(Metrics::UNIQUE),
- $threshold_val_func(val: Metrics::Result) = { return val$num; },
- $threshold=bruteforce_threshold,
- $threshold_crossed(index: Metrics::Index, val: Metrics::Result) =
- {
- local dur = duration_to_mins_secs(val$end-val$begin);
- local plural = val$unique>1 ? "s" : "";
- local message = fmt("%s had %d failed logins on %d FTP server%s in %s", index$host, val$num, val$unique, plural, dur);
- NOTICE([$note=FTP::Bruteforcing,
- $src=index$host,
- $msg=message,
- $identifier=cat(index$host)]);
- }]);
+ local r1: Measurement::Reducer = [$stream="ftp.failed_auth", $apply=set(Measurement::UNIQUE)];
+ Measurement::create([$epoch=bruteforce_measurement_interval,
+ $reducers=set(r1),
+ $threshold_val(key: Measurement::Key, result: Measurement::Result) =
+ {
+ return result["ftp.failed_auth"]$num;
+ },
+ $threshold=bruteforce_threshold,
+ $threshold_crossed(key: Measurement::Key, result: Measurement::Result) =
+ {
+ local r = result["ftp.failed_auth"];
+ local dur = duration_to_mins_secs(r$end-r$begin);
+ local plural = r$unique>1 ? "s" : "";
+ local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
+ NOTICE([$note=FTP::Bruteforcing,
+ $src=key$host,
+ $msg=message,
+ $identifier=cat(key$host)]);
+ }]);
 }
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
@@ -47,6 +52,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
 if ( cmd == "USER" || cmd == "PASS" )
 {
 if ( FTP::parse_ftp_reply_code(code)$x == 5 )
- Metrics::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
+ Measurement::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
 }
 }
\ No newline at end of file
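Review bot: Both new callbacks index `result["ftp.failed_auth"]` without checking that the key is present; with a single reducer it is presumably always there, but if the framework can invoke `$threshold_val` for a key before that reducer has contributed (the Measurement API is not visible here) the lookup is a runtime error, so a guard on `"ftp.failed_auth" in result` ahead of the lookups would make the assumption explicit. Also confirm the declared return type of `$threshold_val`: the body returns the count `$num`, and if the framework declares the callback as returning `double` the value needs an explicit conversion. The file still ends without a trailing newline.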
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
index bb47ec2f47..f5e15c5505 100644
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@@ -76,7 +76,7 @@ event bro_init() &priority=3
 local r = result["http.sqli.attacker"];
 NOTICE([$note=SQL_Injection_Attacker,
 $msg="An SQL injection attacker was discovered!",
- $email_body_sections=vector(format_sqli_samples(r$samples)),
+ $email_body_sections=vector(format_sqli_samples(Measurement::get_samples(r))),
 $src=key$host,
 $identifier=cat(key$host)]);
 }]);
@@ -94,7 +94,7 @@ event bro_init() &priority=3
 local r = result["http.sqli.victim"];
 NOTICE([$note=SQL_Injection_Victim,
 $msg="An SQL injection victim was discovered!",
- $email_body_sections=vector(format_sqli_samples(r$samples)),
+ $email_body_sections=vector(format_sqli_samples(Measurement::get_samples(r))),
 $src=key$host,
 $identifier=cat(key$host)]);
 }]);
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index a213031f4c..2fe32a4788 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -24,9 +24,6 @@
 @load frameworks/intel/smtp.bro
 @load frameworks/intel/ssl.bro
 @load frameworks/intel/where-locations.bro
-@load frameworks/metrics/conn-example.bro
-@load frameworks/metrics/http-example.bro
-@load frameworks/metrics/ssl-example.bro
 @load frameworks/software/version-changes.bro
 @load frameworks/software/vulnerable.bro
 @load integration/barnyard2/__load__.bro
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 41209a4084..d521c151db 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
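Review bot: `Measurement::get_samples(r)` returns an empty vector when the reducer recorded no samples (per its definition in plugins/sample.bro in this commit), so `format_sqli_samples` can now be reached with an empty vector where the old `r$samples` access would have failed on an unset field; confirm that `format_sqli_samples` (outside this hunk) handles that and that an empty `$email_body_sections` entry is acceptable for the notice. The same applies to the `http.sqli.victim` hunk below. Both hunks sit inside closures in `bro_init`, which starts and ends outside them.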
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2012-07-20-14-34-11 +#open 2013-04-02-04-24-03 #fields name #types string scripts/base/init-bare.bro @@ -14,20 +14,21 @@ scripts/base/init-bare.bro build/src/base/reporter.bif.bro build/src/base/event.bif.bro scripts/base/frameworks/logging/__load__.bro - scripts/base/frameworks/logging/./main.bro + scripts/base/frameworks/logging/main.bro build/src/base/logging.bif.bro - scripts/base/frameworks/logging/./postprocessors/__load__.bro - scripts/base/frameworks/logging/./postprocessors/./scp.bro - scripts/base/frameworks/logging/./postprocessors/./sftp.bro - scripts/base/frameworks/logging/./writers/ascii.bro - scripts/base/frameworks/logging/./writers/dataseries.bro - scripts/base/frameworks/logging/./writers/elasticsearch.bro - scripts/base/frameworks/logging/./writers/none.bro + scripts/base/frameworks/logging/postprocessors/__load__.bro + scripts/base/frameworks/logging/postprocessors/scp.bro + scripts/base/frameworks/logging/postprocessors/sftp.bro + scripts/base/frameworks/logging/writers/ascii.bro + scripts/base/frameworks/logging/writers/dataseries.bro + scripts/base/frameworks/logging/writers/elasticsearch.bro + scripts/base/frameworks/logging/writers/none.bro scripts/base/frameworks/input/__load__.bro - scripts/base/frameworks/input/./main.bro + scripts/base/frameworks/input/main.bro build/src/base/input.bif.bro - scripts/base/frameworks/input/./readers/ascii.bro - scripts/base/frameworks/input/./readers/raw.bro - scripts/base/frameworks/input/./readers/benchmark.bro + scripts/base/frameworks/input/readers/ascii.bro + scripts/base/frameworks/input/readers/raw.bro + scripts/base/frameworks/input/readers/benchmark.bro scripts/policy/misc/loaded-scripts.bro -#close 2012-07-20-14-34-11 + scripts/base/utils/paths.bro +#close 2013-04-02-04-24-03 
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 097fc1f2ca..e691a906c2 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-02-11-18-44-43 +#open 2013-04-02-04-22-32 #fields name #types string scripts/base/init-bare.bro 
@@ -14,24 +14,24 @@ scripts/base/init-bare.bro build/src/base/reporter.bif.bro build/src/base/event.bif.bro scripts/base/frameworks/logging/__load__.bro - scripts/base/frameworks/logging/./main.bro + scripts/base/frameworks/logging/main.bro build/src/base/logging.bif.bro - scripts/base/frameworks/logging/./postprocessors/__load__.bro - scripts/base/frameworks/logging/./postprocessors/./scp.bro - scripts/base/frameworks/logging/./postprocessors/./sftp.bro - scripts/base/frameworks/logging/./writers/ascii.bro - scripts/base/frameworks/logging/./writers/dataseries.bro - scripts/base/frameworks/logging/./writers/elasticsearch.bro - scripts/base/frameworks/logging/./writers/none.bro + scripts/base/frameworks/logging/postprocessors/__load__.bro + scripts/base/frameworks/logging/postprocessors/scp.bro + scripts/base/frameworks/logging/postprocessors/sftp.bro + scripts/base/frameworks/logging/writers/ascii.bro + scripts/base/frameworks/logging/writers/dataseries.bro + scripts/base/frameworks/logging/writers/elasticsearch.bro + scripts/base/frameworks/logging/writers/none.bro scripts/base/frameworks/input/__load__.bro - scripts/base/frameworks/input/./main.bro + scripts/base/frameworks/input/main.bro build/src/base/input.bif.bro - scripts/base/frameworks/input/./readers/ascii.bro - scripts/base/frameworks/input/./readers/raw.bro - scripts/base/frameworks/input/./readers/benchmark.bro + scripts/base/frameworks/input/readers/ascii.bro + scripts/base/frameworks/input/readers/raw.bro + scripts/base/frameworks/input/readers/benchmark.bro scripts/base/init-default.bro scripts/base/utils/site.bro - scripts/base/utils/./patterns.bro + scripts/base/utils/patterns.bro scripts/base/utils/addrs.bro scripts/base/utils/conn-ids.bro scripts/base/utils/directions-and-hosts.bro 
@@ -41,83 +41,93 @@ scripts/base/init-default.bro scripts/base/utils/queue.bro scripts/base/utils/strings.bro scripts/base/utils/thresholds.bro + scripts/base/utils/time.bro scripts/base/utils/urls.bro scripts/base/frameworks/notice/__load__.bro - scripts/base/frameworks/notice/./main.bro - scripts/base/frameworks/notice/./weird.bro - scripts/base/frameworks/notice/./actions/drop.bro - scripts/base/frameworks/notice/./actions/email_admin.bro - scripts/base/frameworks/notice/./actions/page.bro - scripts/base/frameworks/notice/./actions/add-geodata.bro - scripts/base/frameworks/notice/./extend-email/hostnames.bro + scripts/base/frameworks/notice/main.bro + scripts/base/frameworks/notice/weird.bro + scripts/base/frameworks/notice/actions/drop.bro + scripts/base/frameworks/notice/actions/email_admin.bro + scripts/base/frameworks/notice/actions/page.bro + scripts/base/frameworks/notice/actions/add-geodata.bro + scripts/base/frameworks/notice/extend-email/hostnames.bro scripts/base/frameworks/cluster/__load__.bro - scripts/base/frameworks/cluster/./main.bro + scripts/base/frameworks/cluster/main.bro scripts/base/frameworks/control/__load__.bro - scripts/base/frameworks/control/./main.bro - scripts/base/frameworks/notice/./non-cluster.bro - scripts/base/frameworks/notice/./actions/pp-alarms.bro + scripts/base/frameworks/control/main.bro + scripts/base/frameworks/notice/non-cluster.bro + scripts/base/frameworks/notice/actions/pp-alarms.bro scripts/base/frameworks/dpd/__load__.bro - scripts/base/frameworks/dpd/./main.bro + scripts/base/frameworks/dpd/main.bro scripts/base/frameworks/signatures/__load__.bro - scripts/base/frameworks/signatures/./main.bro + scripts/base/frameworks/signatures/main.bro scripts/base/frameworks/packet-filter/__load__.bro - scripts/base/frameworks/packet-filter/./main.bro - scripts/base/frameworks/packet-filter/./netstats.bro + scripts/base/frameworks/packet-filter/main.bro + scripts/base/frameworks/packet-filter/netstats.bro 
scripts/base/frameworks/software/__load__.bro - scripts/base/frameworks/software/./main.bro + scripts/base/frameworks/software/main.bro scripts/base/frameworks/communication/__load__.bro - scripts/base/frameworks/communication/./main.bro - scripts/base/frameworks/metrics/__load__.bro - scripts/base/frameworks/metrics/./main.bro - scripts/base/frameworks/metrics/./non-cluster.bro + scripts/base/frameworks/communication/main.bro + scripts/base/frameworks/measurement/__load__.bro + scripts/base/frameworks/measurement/main.bro + scripts/base/frameworks/measurement/plugins/__load__.bro + scripts/base/frameworks/measurement/plugins/average.bro + scripts/base/frameworks/measurement/plugins/max.bro + scripts/base/frameworks/measurement/plugins/min.bro + scripts/base/frameworks/measurement/plugins/sample.bro + scripts/base/frameworks/measurement/plugins/std-dev.bro + scripts/base/frameworks/measurement/plugins/variance.bro + scripts/base/frameworks/measurement/plugins/sum.bro + scripts/base/frameworks/measurement/plugins/unique.bro + scripts/base/frameworks/measurement/non-cluster.bro scripts/base/frameworks/intel/__load__.bro - scripts/base/frameworks/intel/./main.bro - scripts/base/frameworks/intel/./input.bro + scripts/base/frameworks/intel/main.bro + scripts/base/frameworks/intel/input.bro scripts/base/frameworks/reporter/__load__.bro - scripts/base/frameworks/reporter/./main.bro + scripts/base/frameworks/reporter/main.bro scripts/base/frameworks/tunnels/__load__.bro - scripts/base/frameworks/tunnels/./main.bro + scripts/base/frameworks/tunnels/main.bro scripts/base/protocols/conn/__load__.bro - scripts/base/protocols/conn/./main.bro - scripts/base/protocols/conn/./contents.bro - scripts/base/protocols/conn/./inactivity.bro - scripts/base/protocols/conn/./polling.bro + scripts/base/protocols/conn/main.bro + scripts/base/protocols/conn/contents.bro + scripts/base/protocols/conn/inactivity.bro + scripts/base/protocols/conn/polling.bro 
scripts/base/protocols/dns/__load__.bro - scripts/base/protocols/dns/./consts.bro - scripts/base/protocols/dns/./main.bro + scripts/base/protocols/dns/consts.bro + scripts/base/protocols/dns/main.bro scripts/base/protocols/ftp/__load__.bro - scripts/base/protocols/ftp/./utils-commands.bro - scripts/base/protocols/ftp/./main.bro - scripts/base/protocols/ftp/./file-extract.bro - scripts/base/protocols/ftp/./gridftp.bro + scripts/base/protocols/ftp/utils-commands.bro + scripts/base/protocols/ftp/main.bro + scripts/base/protocols/ftp/file-extract.bro + scripts/base/protocols/ftp/gridftp.bro scripts/base/protocols/ssl/__load__.bro - scripts/base/protocols/ssl/./consts.bro - scripts/base/protocols/ssl/./main.bro - scripts/base/protocols/ssl/./mozilla-ca-list.bro + scripts/base/protocols/ssl/consts.bro + scripts/base/protocols/ssl/main.bro + scripts/base/protocols/ssl/mozilla-ca-list.bro scripts/base/protocols/http/__load__.bro - scripts/base/protocols/http/./main.bro - scripts/base/protocols/http/./utils.bro - scripts/base/protocols/http/./file-ident.bro - scripts/base/protocols/http/./file-hash.bro - scripts/base/protocols/http/./file-extract.bro + scripts/base/protocols/http/main.bro + scripts/base/protocols/http/utils.bro + scripts/base/protocols/http/file-ident.bro + scripts/base/protocols/http/file-hash.bro + scripts/base/protocols/http/file-extract.bro scripts/base/protocols/irc/__load__.bro - scripts/base/protocols/irc/./main.bro - scripts/base/protocols/irc/./dcc-send.bro + scripts/base/protocols/irc/main.bro + scripts/base/protocols/irc/dcc-send.bro scripts/base/protocols/modbus/__load__.bro - scripts/base/protocols/modbus/./consts.bro - scripts/base/protocols/modbus/./main.bro + scripts/base/protocols/modbus/consts.bro + scripts/base/protocols/modbus/main.bro scripts/base/protocols/smtp/__load__.bro - scripts/base/protocols/smtp/./main.bro - scripts/base/protocols/smtp/./entities.bro - scripts/base/protocols/smtp/./entities-excerpt.bro + 
scripts/base/protocols/smtp/main.bro + scripts/base/protocols/smtp/entities.bro + scripts/base/protocols/smtp/entities-excerpt.bro scripts/base/protocols/socks/__load__.bro - scripts/base/protocols/socks/./consts.bro - scripts/base/protocols/socks/./main.bro + scripts/base/protocols/socks/consts.bro + scripts/base/protocols/socks/main.bro scripts/base/protocols/ssh/__load__.bro - scripts/base/protocols/ssh/./main.bro + scripts/base/protocols/ssh/main.bro scripts/base/protocols/syslog/__load__.bro - scripts/base/protocols/syslog/./consts.bro - scripts/base/protocols/syslog/./main.bro + scripts/base/protocols/syslog/consts.bro + scripts/base/protocols/syslog/main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-02-11-18-44-43 +#close 2013-04-02-04-22-32 diff --git a/testing/btest/Baseline/coverage.init-default/missing_loads b/testing/btest/Baseline/coverage.init-default/missing_loads index 34ba654dec..554fcf012e 100644 --- a/testing/btest/Baseline/coverage.init-default/missing_loads +++ b/testing/btest/Baseline/coverage.init-default/missing_loads @@ -3,5 +3,5 @@ -./frameworks/cluster/nodes/worker.bro -./frameworks/cluster/setup-connections.bro -./frameworks/intel/cluster.bro --./frameworks/metrics/cluster.bro +-./frameworks/measurement/cluster.bro -./frameworks/notice/cluster.bro diff --git a/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout b/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout index 09c65c3864..ac8785d182 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout 
@@ -1,6 +1,6 @@ THRESHOLD_SERIES: hit a threshold series value at 3 for measurement_key(host=1.2.3.4) -THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4) THRESHOLD_SERIES: hit a threshold series value at 6 for measurement_key(host=1.2.3.4) -THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5) +THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4) THRESHOLD_SERIES: hit a threshold series value at 1001 for measurement_key(host=7.2.1.5) +THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5) THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at 55x for measurement_key(host=7.2.1.5) diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log deleted file mode 100644 index bdc86c68bb..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log +++ /dev/null @@ -1,12 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path metrics -#open 2012-12-17-18-43-15 -#fields ts ts_delta metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique -#types time interval string string addr subnet time time count double double double double double double count -1355769795.365325 3.000000 test.metric - 6.5.4.3 - 1355769793.449322 1355769793.458467 2 6.0 1.0 5.0 3.0 4.0 2.0 2 -1355769795.365325 3.000000 test.metric - 1.2.3.4 - 1355769793.449322 1355769793.458467 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 8 -1355769795.365325 3.000000 test.metric - 7.2.1.5 - 1355769793.449322 1355769793.458467 2 145.0 54.0 91.0 72.5 342.25 18.5 2 -#close 2012-12-17-18-43-21 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log deleted file mode 100644 index 51d892e8d5..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log +++ /dev/null @@ -1,12 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path metrics -#open 2012-12-17-18-43-45 -#fields ts ts_delta metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique -#types time interval string string addr subnet time time count double double double double double double count -1355769825.947161 3.000000 test.metric - 6.5.4.3 - 1355769825.947161 1355769825.947161 1 2.0 2.0 2.0 2.0 0.0 0.0 - -1355769825.947161 3.000000 test.metric - 1.2.3.4 - 1355769825.947161 1355769825.947161 5 221.0 5.0 94.0 44.2 915.36 30.254917 - -1355769825.947161 3.000000 test.metric - 7.2.1.5 - 1355769825.947161 1355769825.947161 1 1.0 1.0 1.0 1.0 0.0 0.0 - -#close 2012-12-17-18-43-45 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout deleted file mode 100644 index 2d0750ca18..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout +++ /dev/null @@ -1 +0,0 @@ -A test metric threshold was crossed! diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log deleted file mode 100644 index c87853e2b4..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log +++ /dev/null 
@@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path notice -#open 2013-02-11-18-41-03 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet -1360608063.517719 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 3600.000000 F - - - - - 1.2.3.4 - - -#close 2013-02-11-18-41-03 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log deleted file mode 100644 index ba6c680e27..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log +++ /dev/null 
@@ -1,11 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path notice -#open 2012-07-20-01-49-23 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet -1342748963.085888 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 6 3600.000000 F - - - - - 1.2.3.4 - - -1342748963.085888 - - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 6 3600.000000 F - - - - - 6.5.4.3 - - -#close 2012-07-20-01-49-23 diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout b/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout deleted file mode 100644 index da692f2fe2..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout +++ /dev/null @@ -1,8 +0,0 @@ -THRESHOLD_SERIES: hit a threshold series value at 3 for metric_index(host=1.2.3.4) -THRESHOLD_FUNC: hit a threshold function value at 3 for metric_index(host=1.2.3.4) -THRESHOLD_FUNC: hit a threshold function value at 2 for metric_index(host=6.5.4.3) -THRESHOLD_FUNC: hit a threshold function value at 1 for metric_index(host=7.2.1.5) -THRESHOLD: hit a threshold value at 6 for metric_index(host=1.2.3.4) -THRESHOLD_SERIES: hit a threshold series value at 6 for metric_index(host=1.2.3.4) -THRESHOLD: hit a threshold value at 1001 for metric_index(host=7.2.1.5) -THRESHOLD_SERIES: hit a threshold series value at 1001 for metric_index(host=7.2.1.5) 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log index ddbb59c565..e17610d69e 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2013-02-11-18-45-43 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet -1360608343.088948 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 3600.000000 F - - - - - - - - -#close 2013-02-11-18-45-43 +#open 2013-04-02-02-21-00 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double +1364869260.950557 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2013-04-02-02-21-00 diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log index 2f163a5491..c8b4306d22 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2013-02-11-18-45-14 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet -1360608314.794257 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 3600.000000 F - - - - - - - - -#close 2013-02-11-18-45-17 +#open 2013-04-02-02-21-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double +1364869289.545369 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2013-04-02-02-21-32 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log index da5489e0b7..051f1c6266 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2013-02-11-18-33-41 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network -#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet -1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - - - - - -#close 2013-02-11-18-33-41 +#open 2013-04-02-02-19-21 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double +1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2013-04-02-02-19-21 diff --git a/testing/btest/Baseline/scripts.base.utils.queue/output b/testing/btest/Baseline/scripts.base.utils.queue/output index b878006310..e54dd89f7a 100644 --- a/testing/btest/Baseline/scripts.base.utils.queue/output +++ b/testing/btest/Baseline/scripts.base.utils.queue/output 
@@ -1,9 +1,7 @@ -This is a get_cnt_vector test: 3 -This is a get_cnt_vector test: 4 -This is a get_str_vector test: 3 -This is a get_str_vector test: 4 -Testing pop: 3 -Length after pop: 1 +This is a get_vector test: 3 +This is a get_vector test: 4 +Testing get: 3 +Length after get: 1 Size of q2: 4 String queue value: test 1 String queue value: test 2 diff --git a/testing/btest/scripts/base/utils/queue.test b/testing/btest/scripts/base/utils/queue.test index 50f541a25f..344ea73f45 100644 --- a/testing/btest/scripts/base/utils/queue.test +++ b/testing/btest/scripts/base/utils/queue.test @@ -7,29 +7,27 @@ event bro_init() { local q = Queue::init([$max_len=2]); - Queue::push(q, 1); - Queue::push(q, 2); - Queue::push(q, 3); - Queue::push(q, 4); - local test1 = Queue::get_cnt_vector(q); + Queue::put(q, 1); + Queue::put(q, 2); + Queue::put(q, 3); + Queue::put(q, 4); + local test1: vector of count = vector(); + Queue::get_vector(q, test1); for ( i in test1 ) - print fmt("This is a get_cnt_vector test: %d", test1[i]); + print fmt("This is a get_vector test: %d", test1[i]); - local test2 = Queue::get_str_vector(q); - for ( i in test2 ) - print fmt("This is a get_str_vector test: %s", test2[i]); - - local test_val = Queue::pop(q); - print fmt("Testing pop: %s", test_val); - print fmt("Length after pop: %d", Queue::len(q)); + local test_val = Queue::get(q); + print fmt("Testing get: %s", test_val); + print fmt("Length after get: %d", Queue::len(q)); local q2 = Queue::init([]); - Queue::push(q2, "test 1"); - Queue::push(q2, "test 2"); - Queue::push(q2, "test 2"); - Queue::push(q2, "test 1"); + Queue::put(q2, "test 1"); + Queue::put(q2, "test 2"); + Queue::put(q2, "test 2"); + Queue::put(q2, "test 1"); print fmt("Size of q2: %d", Queue::len(q2)); - local test3: vector of string = Queue::get_str_vector(q2); + local test3: vector of string = vector(); + Queue::get_vector(q2, test3); for ( i in test3 ) print fmt("String queue value: %s", test3[i]); } \ No newline at end of file
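Review bot: The rewritten test only ever passes a freshly created empty vector to `Queue::get_vector`, so it does not pin down whether the new out-parameter form appends to or overwrites a vector that already has elements, and it never calls `Queue::get` on an empty queue even though `Length after get: 1` shows `q` being drained. Adding a second `Queue::get_vector(q, test1);` on the already filled `test1` followed by a print of `|test1|`, and a `Queue::get` after `q` is emptied, would fix the semantics this baseline is meant to guard. Dropping the `get_str_vector`-on-a-count-queue case is presumably intentional now that `get_vector` is type-agnostic, but a comment saying so would stop someone re-adding it. The `bro_init` handler begins before the hunk.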