Merge remote-tracking branch 'origin/topic/seth/metrics-merge' into topic/bernhard/hyperloglog-with-measurement

DocSourcesList.cmake

@@ -19,6 +19,7 @@ rest_target(${psd} base/init-bare.bro internal)
 rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
@@ -31,15 +32,31 @@ rest_target(${psd} base/frameworks/cluster/setup-connections.bro)
 rest_target(${psd} base/frameworks/communication/main.bro)
 rest_target(${psd} base/frameworks/control/main.bro)
 rest_target(${psd} base/frameworks/dpd/main.bro)
+rest_target(${psd} base/frameworks/input/main.bro)
+rest_target(${psd} base/frameworks/input/readers/ascii.bro)
+rest_target(${psd} base/frameworks/input/readers/benchmark.bro)
+rest_target(${psd} base/frameworks/input/readers/raw.bro)
+rest_target(${psd} base/frameworks/intel/cluster.bro)
+rest_target(${psd} base/frameworks/intel/input.bro)
 rest_target(${psd} base/frameworks/intel/main.bro)
 rest_target(${psd} base/frameworks/logging/main.bro)
 rest_target(${psd} base/frameworks/logging/postprocessors/scp.bro)
 rest_target(${psd} base/frameworks/logging/postprocessors/sftp.bro)
 rest_target(${psd} base/frameworks/logging/writers/ascii.bro)
 rest_target(${psd} base/frameworks/logging/writers/dataseries.bro)
-rest_target(${psd} base/frameworks/metrics/cluster.bro)
+rest_target(${psd} base/frameworks/logging/writers/elasticsearch.bro)
-rest_target(${psd} base/frameworks/metrics/main.bro)
+rest_target(${psd} base/frameworks/logging/writers/none.bro)
-rest_target(${psd} base/frameworks/metrics/non-cluster.bro)
+rest_target(${psd} base/frameworks/measurement/cluster.bro)
+rest_target(${psd} base/frameworks/measurement/main.bro)
+rest_target(${psd} base/frameworks/measurement/non-cluster.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/average.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/max.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/min.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/sample.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/std-dev.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/sum.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/unique.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/variance.bro)
 rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro)
 rest_target(${psd} base/frameworks/notice/actions/drop.bro)
 rest_target(${psd} base/frameworks/notice/actions/email_admin.bro)
@@ -48,18 +65,23 @@ rest_target(${psd} base/frameworks/notice/actions/pp-alarms.bro)
 rest_target(${psd} base/frameworks/notice/cluster.bro)
 rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro)
 rest_target(${psd} base/frameworks/notice/main.bro)
+rest_target(${psd} base/frameworks/notice/non-cluster.bro)
 rest_target(${psd} base/frameworks/notice/weird.bro)
 rest_target(${psd} base/frameworks/packet-filter/main.bro)
 rest_target(${psd} base/frameworks/packet-filter/netstats.bro)
 rest_target(${psd} base/frameworks/reporter/main.bro)
 rest_target(${psd} base/frameworks/signatures/main.bro)
 rest_target(${psd} base/frameworks/software/main.bro)
+rest_target(${psd} base/frameworks/tunnels/main.bro)
+rest_target(${psd} base/misc/find-checksum-offloading.bro)
 rest_target(${psd} base/protocols/conn/contents.bro)
 rest_target(${psd} base/protocols/conn/inactivity.bro)
 rest_target(${psd} base/protocols/conn/main.bro)
+rest_target(${psd} base/protocols/conn/polling.bro)
 rest_target(${psd} base/protocols/dns/consts.bro)
 rest_target(${psd} base/protocols/dns/main.bro)
 rest_target(${psd} base/protocols/ftp/file-extract.bro)
+rest_target(${psd} base/protocols/ftp/gridftp.bro)
 rest_target(${psd} base/protocols/ftp/main.bro)
 rest_target(${psd} base/protocols/ftp/utils-commands.bro)
 rest_target(${psd} base/protocols/http/file-extract.bro)
@@ -69,9 +91,13 @@ rest_target(${psd} base/protocols/http/main.bro)
 rest_target(${psd} base/protocols/http/utils.bro)
 rest_target(${psd} base/protocols/irc/dcc-send.bro)
 rest_target(${psd} base/protocols/irc/main.bro)
+rest_target(${psd} base/protocols/modbus/consts.bro)
+rest_target(${psd} base/protocols/modbus/main.bro)
 rest_target(${psd} base/protocols/smtp/entities-excerpt.bro)
 rest_target(${psd} base/protocols/smtp/entities.bro)
 rest_target(${psd} base/protocols/smtp/main.bro)
+rest_target(${psd} base/protocols/socks/consts.bro)
+rest_target(${psd} base/protocols/socks/main.bro)
 rest_target(${psd} base/protocols/ssh/main.bro)
 rest_target(${psd} base/protocols/ssl/consts.bro)
 rest_target(${psd} base/protocols/ssl/main.bro)
@@ -85,36 +111,50 @@ rest_target(${psd} base/utils/files.bro)
 rest_target(${psd} base/utils/numbers.bro)
 rest_target(${psd} base/utils/paths.bro)
 rest_target(${psd} base/utils/patterns.bro)
+rest_target(${psd} base/utils/queue.bro)
 rest_target(${psd} base/utils/site.bro)
 rest_target(${psd} base/utils/strings.bro)
 rest_target(${psd} base/utils/thresholds.bro)
+rest_target(${psd} base/utils/time.bro)
+rest_target(${psd} base/utils/urls.bro)
 rest_target(${psd} policy/frameworks/communication/listen.bro)
 rest_target(${psd} policy/frameworks/control/controllee.bro)
 rest_target(${psd} policy/frameworks/control/controller.bro)
 rest_target(${psd} policy/frameworks/dpd/detect-protocols.bro)
 rest_target(${psd} policy/frameworks/dpd/packet-segment-logging.bro)
-rest_target(${psd} policy/frameworks/metrics/conn-example.bro)
+rest_target(${psd} policy/frameworks/intel/conn-established.bro)
-rest_target(${psd} policy/frameworks/metrics/http-example.bro)
+rest_target(${psd} policy/frameworks/intel/dns.bro)
-rest_target(${psd} policy/frameworks/metrics/ssl-example.bro)
+rest_target(${psd} policy/frameworks/intel/http-host-header.bro)
+rest_target(${psd} policy/frameworks/intel/http-url.bro)
+rest_target(${psd} policy/frameworks/intel/http-user-agents.bro)
+rest_target(${psd} policy/frameworks/intel/smtp-url-extraction.bro)
+rest_target(${psd} policy/frameworks/intel/smtp.bro)
+rest_target(${psd} policy/frameworks/intel/ssl.bro)
+rest_target(${psd} policy/frameworks/intel/where-locations.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)
 rest_target(${psd} policy/integration/barnyard2/main.bro)
 rest_target(${psd} policy/integration/barnyard2/types.bro)
+rest_target(${psd} policy/integration/collective-intel/main.bro)
 rest_target(${psd} policy/misc/analysis-groups.bro)
+rest_target(${psd} policy/misc/app-metrics.bro)
 rest_target(${psd} policy/misc/capture-loss.bro)
+rest_target(${psd} policy/misc/detect-traceroute/main.bro)
 rest_target(${psd} policy/misc/loaded-scripts.bro)
 rest_target(${psd} policy/misc/profiling.bro)
+rest_target(${psd} policy/misc/scan.bro)
 rest_target(${psd} policy/misc/stats.bro)
 rest_target(${psd} policy/misc/trim-trace-file.bro)
 rest_target(${psd} policy/protocols/conn/known-hosts.bro)
 rest_target(${psd} policy/protocols/conn/known-services.bro)
+rest_target(${psd} policy/protocols/conn/metrics.bro)
 rest_target(${psd} policy/protocols/conn/weirds.bro)
 rest_target(${psd} policy/protocols/dns/auth-addl.bro)
 rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
+rest_target(${psd} policy/protocols/ftp/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ftp/detect.bro)
 rest_target(${psd} policy/protocols/ftp/software.bro)
 rest_target(${psd} policy/protocols/http/detect-MHR.bro)
-rest_target(${psd} policy/protocols/http/detect-intel.bro)
 rest_target(${psd} policy/protocols/http/detect-sqli.bro)
 rest_target(${psd} policy/protocols/http/detect-webapps.bro)
 rest_target(${psd} policy/protocols/http/header-names.bro)
@@ -122,8 +162,11 @@ rest_target(${psd} policy/protocols/http/software-browser-plugins.bro)
 rest_target(${psd} policy/protocols/http/software.bro)
 rest_target(${psd} policy/protocols/http/var-extraction-cookies.bro)
 rest_target(${psd} policy/protocols/http/var-extraction-uri.bro)
+rest_target(${psd} policy/protocols/modbus/known-masters-slaves.bro)
+rest_target(${psd} policy/protocols/modbus/track-memmap.bro)
 rest_target(${psd} policy/protocols/smtp/blocklists.bro)
 rest_target(${psd} policy/protocols/smtp/detect-suspicious-orig.bro)
+rest_target(${psd} policy/protocols/smtp/metrics.bro)
 rest_target(${psd} policy/protocols/smtp/software.bro)
 rest_target(${psd} policy/protocols/ssh/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ssh/geo-data.bro)
@@ -133,9 +176,11 @@ rest_target(${psd} policy/protocols/ssl/cert-hash.bro)
 rest_target(${psd} policy/protocols/ssl/expiring-certs.bro)
 rest_target(${psd} policy/protocols/ssl/extract-certs-pem.bro)
 rest_target(${psd} policy/protocols/ssl/known-certs.bro)
+rest_target(${psd} policy/protocols/ssl/notary.bro)
 rest_target(${psd} policy/protocols/ssl/validate-certs.bro)
 rest_target(${psd} policy/tuning/defaults/packet-fragments.bro)
 rest_target(${psd} policy/tuning/defaults/warnings.bro)
+rest_target(${psd} policy/tuning/logs-to-elasticsearch.bro)
 rest_target(${psd} policy/tuning/track-all-assets.bro)
 rest_target(${psd} site/local-manager.bro)
 rest_target(${psd} site/local-proxy.bro)

doc/scripts/DocSourcesList.cmake

@@ -49,6 +49,14 @@ rest_target(${psd} base/frameworks/logging/writers/none.bro)
 rest_target(${psd} base/frameworks/measurement/cluster.bro)
 rest_target(${psd} base/frameworks/measurement/main.bro)
 rest_target(${psd} base/frameworks/measurement/non-cluster.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/average.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/max.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/min.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/sample.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/std-dev.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/sum.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/unique.bro)
+rest_target(${psd} base/frameworks/measurement/plugins/variance.bro)
 rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro)
 rest_target(${psd} base/frameworks/notice/actions/drop.bro)
 rest_target(${psd} base/frameworks/notice/actions/email_admin.bro)
@@ -107,6 +115,7 @@ rest_target(${psd} base/utils/queue.bro)
 rest_target(${psd} base/utils/site.bro)
 rest_target(${psd} base/utils/strings.bro)
 rest_target(${psd} base/utils/thresholds.bro)
+rest_target(${psd} base/utils/time.bro)
 rest_target(${psd} base/utils/urls.bro)
 rest_target(${psd} policy/frameworks/communication/listen.bro)
 rest_target(${psd} policy/frameworks/control/controllee.bro)
@@ -122,9 +131,6 @@ rest_target(${psd} policy/frameworks/intel/smtp-url-extraction.bro)
 rest_target(${psd} policy/frameworks/intel/smtp.bro)
 rest_target(${psd} policy/frameworks/intel/ssl.bro)
 rest_target(${psd} policy/frameworks/intel/where-locations.bro)
-rest_target(${psd} policy/frameworks/metrics/conn-example.bro)
-rest_target(${psd} policy/frameworks/metrics/http-example.bro)
-rest_target(${psd} policy/frameworks/metrics/ssl-example.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)
 rest_target(${psd} policy/integration/barnyard2/main.bro)
@@ -136,16 +142,17 @@ rest_target(${psd} policy/misc/capture-loss.bro)
 rest_target(${psd} policy/misc/detect-traceroute/main.bro)
 rest_target(${psd} policy/misc/loaded-scripts.bro)
 rest_target(${psd} policy/misc/profiling.bro)
+rest_target(${psd} policy/misc/scan.bro)
 rest_target(${psd} policy/misc/stats.bro)
 rest_target(${psd} policy/misc/trim-trace-file.bro)
 rest_target(${psd} policy/protocols/conn/conn-stats-per-host.bro)
 rest_target(${psd} policy/protocols/conn/known-hosts.bro)
 rest_target(${psd} policy/protocols/conn/known-services.bro)
 rest_target(${psd} policy/protocols/conn/metrics.bro)
-rest_target(${psd} policy/protocols/conn/scan.bro)
 rest_target(${psd} policy/protocols/conn/weirds.bro)
 rest_target(${psd} policy/protocols/dns/auth-addl.bro)
 rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
+rest_target(${psd} policy/protocols/ftp/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ftp/detect.bro)
 rest_target(${psd} policy/protocols/ftp/software.bro)
 rest_target(${psd} policy/protocols/http/detect-MHR.bro)

scripts/base/frameworks/measurement/main.bro

@@ -1,6 +1,4 @@
-##! The metrics framework provides a way to count and measure data.  
+##! The measurement framework provides a way to count and measure data.  
-
-@load base/utils/queue
 
 module Measurement;
 
@@ -12,7 +10,7 @@ export {
 
 	## Represents a thing which is having measurement results collected for it.
 	type Key: record {
-		## A non-address related metric or a sub-key for an address based metric.
+		## A non-address related measurement or a sub-key for an address based measurement.
 		## An example might be successful SSH connections by client IP address
 		## where the client string would be the key value.
 		## Another example might be number of HTTP requests to a particular

scripts/base/frameworks/measurement/plugins/average.bro

@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 
 module Measurement;
 

scripts/base/frameworks/measurement/plugins/max.bro

@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 
 module Measurement;
 

scripts/base/frameworks/measurement/plugins/min.bro

@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 
 module Measurement;
 

scripts/base/frameworks/measurement/plugins/sample.bro

@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 @load base/utils/queue
 
 module Measurement;
@@ -10,40 +11,41 @@ export {
 	};
 
 	redef record ResultVal += {
-		## A sample of something being measured.  This is helpful in 
+		# This is the queue where samples
-		## some cases for collecting information to do further detection
+		# are maintained.  Use the :bro:see:`Measurement::get_samples`
-		## or better logging for forensic purposes.
+		## function to get a vector of the samples.
-		samples: vector of Measurement::DataPoint &optional;
+		samples: Queue::Queue &optional;
 	};
+
+	## Get a vector of sample DataPoint values from a ResultVal.
+	global get_samples: function(rv: ResultVal): vector of DataPoint;
 }
 
-redef record ResultVal += {
+function get_samples(rv: ResultVal): vector of DataPoint
-	# Internal use only.  This is the queue where samples
+	{
-	# are maintained since the queue is self managing for
+	local s: vector of DataPoint = vector();
-	# the number of samples requested.
+	if ( rv?$samples )
-	sample_queue: Queue::Queue &optional;
+		Queue::get_vector(rv$samples, s);
-};
+	return s;
+	}
 
 hook add_to_reducer_hook(r: Reducer, val: double, data: DataPoint, rv: ResultVal)
 	{
 	if ( r$samples > 0 )
 		{
-		if ( ! rv?$sample_queue )
-			rv$sample_queue = Queue::init([$max_len=r$samples]);
 		if ( ! rv?$samples )
-			rv$samples = vector();
+			rv$samples = Queue::init([$max_len=r$samples]);
-		Queue::put(rv$sample_queue, data);
+		Queue::put(rv$samples, data);
-		Queue::get_vector(rv$sample_queue, rv$samples);
 		}
 	}
 
 hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 	{
-	# Merge $sample_queue
+	# Merge $samples
-	if ( rv1?$sample_queue && rv2?$sample_queue )
+	if ( rv1?$samples && rv2?$samples )
-		result$sample_queue = Queue::merge(rv1$sample_queue, rv2$sample_queue);
+		result$samples = Queue::merge(rv1$samples, rv2$samples);
-	else if ( rv1?$sample_queue )
+	else if ( rv1?$samples )
-		result$sample_queue = rv1$sample_queue;
+		result$samples = rv1$samples;
-	else if ( rv2?$sample_queue )
+	else if ( rv2?$samples )
-		result$sample_queue = rv2$sample_queue;
+		result$samples = rv2$samples;
 	}

scripts/base/frameworks/measurement/plugins/std-dev.bro

@@ -1,5 +1,5 @@
-@load ./sum
 @load ./variance
+@load base/frameworks/measurement
 
 module Measurement;
 

scripts/base/frameworks/measurement/plugins/sum.bro

@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 
 module Measurement;
 

scripts/base/frameworks/measurement/plugins/unique.bro

@@ -1,3 +1,4 @@
+@load base/frameworks/measurement
 
 module Measurement;
 

scripts/base/frameworks/measurement/plugins/variance.bro

@@ -1,4 +1,5 @@
 @load ./average
+@load base/frameworks/measurement
 
 module Measurement;
 

scripts/base/frameworks/measurement/simple.bro

@@ -1,6 +0,0 @@
-
-module Metrics;
-
-export {
-	
-}

scripts/base/protocols/ftp/main.bro

@@ -56,10 +56,10 @@ export {
 		tags:             set[string] &log &default=set();
 		
 		## Current working directory that this session is in.  By making
-		## the default value '/.', we can indicate that unless something
+		## the default value '.', we can indicate that unless something
 		## more concrete is discovered that the existing but unknown
 		## directory is ok to use.
-		cwd:                string  &default="/.";
+		cwd:                string  &default=".";
 		
 		## Command that is currently waiting for a response.
 		cmdarg:             CmdArg  &optional;
@@ -172,7 +172,12 @@ function ftp_message(s: Info)
 		
 		local arg = s$cmdarg$arg;
 		if ( s$cmdarg$cmd in file_cmds )
-			arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), build_path_compressed(s$cwd, arg));
+			{
+			local comp_path = build_path_compressed(s$cwd, arg);
+			if ( s$cwd[0] != "/" )
+				comp_path = cat("/", comp_path);
+			arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path);
+			}
 		
 		s$ts=s$cmdarg$ts;
 		s$command=s$cmdarg$cmd;

scripts/base/utils/paths.bro

@@ -19,7 +19,7 @@ function extract_path(input: string): string
 	}
 
 ## Compresses a given path by removing '..'s and the parent directory it
-## references and also removing '/'s.
+## references and also removing dual '/'s and extraneous '/./'s.
 ## dir: a path string, either relative or absolute
 ## Returns: a compressed version of the input path
 function compress_path(dir: string): string
@@ -41,7 +41,7 @@ function compress_path(dir: string): string
 		return compress_path(dir);
 		}
 
-	const multislash_sep = /(\/){2,}/;
+	const multislash_sep = /(\/\.?){2,}/;
 	parts = split_all(dir, multislash_sep);
 	for ( i in parts )
 		if ( i % 2 == 0 )

scripts/policy/frameworks/metrics/conn-example.bro

@@ -1,26 +0,0 @@
-##! An example of using the metrics framework to collect connection metrics 
-##! aggregated into /24 CIDR ranges.
-
-@load base/frameworks/measurement
-@load base/utils/site
-
-event bro_init()
-	{
-	#Metrics::add_filter("conns.originated", [$aggregation_mask=24, $break_interval=1mins]);
-	Metrics::add_filter("conns.originated", [$every=1mins, $measure=set(Metrics::SUM), 
-	                                         $aggregation_table=Site::local_nets_table, 
-	                                         $period_finished=Metrics::write_log]);
-	
-	
-	# Site::local_nets must be defined in order for this to actually do anything.
-	Metrics::add_filter("conns.responded",  [$every=1mins, $measure=set(Metrics::SUM),
-	                                         $aggregation_table=Site::local_nets_table, 
-	                                         $period_finished=Metrics::write_log]);
-
-	}
-
-event connection_established(c: connection)
-	{
-	Metrics::add_data("conns.originated", [$host=c$id$orig_h], [$num=1]);
-	Metrics::add_data("conns.responded",  [$host=c$id$resp_h], [$num=1]);
-	}

scripts/policy/frameworks/metrics/http-example.bro

@@ -1,29 +0,0 @@
-##! Provides an example of aggregating and limiting collection down to 
-##! only local networks.  Additionally, the status code for the response from
-##! the request is added into the metric.
-
-@load base/frameworks/measurement
-@load base/protocols/http
-@load base/utils/site
-
-event bro_init()
-	{
-	Metrics::add_filter("http.request.by_host_header", 
-	                    [$every=1min, $measure=set(Metrics::SUM), 
-	                     $pred(index: Metrics::Index, data: Metrics::DataPoint) = { return T; return Site::is_local_addr(index$host); },
-	                     $aggregation_mask=24,
-	                     $period_finished=Metrics::write_log]);
-	
-	# Site::local_nets must be defined in order for this to actually do anything.
-	Metrics::add_filter("http.request.by_status_code", [$every=1min, $measure=set(Metrics::SUM),
-	                                                    $aggregation_table=Site::local_nets_table,
-	                                                    $period_finished=Metrics::write_log]);
-	}
-
-event HTTP::log_http(rec: HTTP::Info)
-	{
-	if ( rec?$host )
-		Metrics::add_data("http.request.by_host_header", [$str=rec$host], [$num=1]);
-	if ( rec?$status_code )
-		Metrics::add_data("http.request.by_status_code", [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], [$num=1]);
-	}

scripts/policy/frameworks/metrics/ssl-example.bro

@@ -1,23 +0,0 @@
-##! Provides an example of using the metrics framework to collect the number
-##! of times a specific server name indicator value is seen in SSL session
-##! establishments.  Names ending in google.com are being filtered out as an
-##! example of the predicate based filtering in metrics filters.
-
-@load base/frameworks/measurement
-@load base/protocols/ssl
-
-event bro_init()
-	{
-	Metrics::add_filter("ssl.by_servername", 
-		[$name="no-google-ssl-servers",
-		 $every=10secs, $measure=set(Metrics::SUM),
-		 $pred(index: Metrics::Index, data: Metrics::DataPoint) = { 
-		    return (/google\.com$/ !in index$str); 
-		 }]);
-	}
-
-event SSL::log_ssl(rec: SSL::Info)
-	{
-	if ( rec?$server_name )
-		Metrics::add_data("ssl.by_servername", [$str=rec$server_name], [$num=1]);
-	}

scripts/policy/misc/loaded-scripts.bro

@@ -1,4 +1,5 @@
 ##! Log the loaded scripts.
+@load base/utils/paths
 
 module LoadedScripts;
 
@@ -34,5 +35,5 @@ event bro_init() &priority=5
 
 event bro_script_loaded(path: string, level: count)
 	{
-	Log::write(LoadedScripts::LOG, [$name=cat(depth[level], path)]);
+	Log::write(LoadedScripts::LOG, [$name=cat(depth[level], compress_path(path))]);
 	}

scripts/policy/protocols/conn/conn-stats-per-host.bro

@@ -1,27 +0,0 @@
-
-@load base/protocols/conn
-@load base/frameworks/measurement
-
-event bro_init() &priority=5
-	{
-	Metrics::add_filter("conn.orig.data", 
-	                    [$every=5mins,
-	                     $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV),
-	                     $period_finished=Metrics::write_log]);
-	Metrics::add_filter("conn.resp.data", 
-	                    [$every=5mins,
-	                     $measure=set(Metrics::VARIANCE, Metrics::AVG, Metrics::MAX, Metrics::MIN, Metrics::STD_DEV),
-	                     $period_finished=Metrics::write_log]);
-	}
-
-
-event connection_state_remove(c: connection)
-	{
-	if ( ! (c$conn$conn_state == "SF" && c$conn$proto == tcp) )
-		return;
-
-	if ( Site::is_local_addr(c$id$orig_h) )
-		Metrics::add_data("conn.orig.data", [$host=c$id$orig_h], [$num=c$orig$size]);
-	if ( Site::is_local_addr(c$id$resp_h) )
-		Metrics::add_data("conn.resp.data", [$host=c$id$resp_h], [$num=c$resp$size]);
-	}

scripts/policy/protocols/ftp/detect-bruteforcing.bro

@@ -25,19 +25,24 @@ export {
 
 event bro_init()
 	{
-	Metrics::add_filter("ftp.failed_auth", [$every=bruteforce_measurement_interval,
+	local r1: Measurement::Reducer = [$stream="ftp.failed_auth", $apply=set(Measurement::UNIQUE)];
-	                                        $measure=set(Metrics::UNIQUE),
+	Measurement::create([$epoch=bruteforce_measurement_interval,
-	                                        $threshold_val_func(val: Metrics::Result) = { return val$num; },
+	                     $reducers=set(r1),
-	                                        $threshold=bruteforce_threshold,
+	                     $threshold_val(key: Measurement::Key, result: Measurement::Result) =
-	                                        $threshold_crossed(index: Metrics::Index, val: Metrics::Result) = 
 	                     	{ 
-	                                        	local dur = duration_to_mins_secs(val$end-val$begin);
+	                     	return result["ftp.failed_auth"]$num;
-	                                        	local plural = val$unique>1 ? "s" : "";
+	                     	},
-	                                        	local message = fmt("%s had %d failed logins on %d FTP server%s in %s", index$host, val$num, val$unique, plural, dur);
+	                     $threshold=bruteforce_threshold,
+	                     $threshold_crossed(key: Measurement::Key, result: Measurement::Result) = 
+	                     	{
+	                     	local r = result["ftp.failed_auth"];
+	                     	local dur = duration_to_mins_secs(r$end-r$begin);
+	                     	local plural = r$unique>1 ? "s" : "";
+	                     	local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
 	                     	NOTICE([$note=FTP::Bruteforcing, 
-	                                        	        $src=index$host,
+	                     	        $src=key$host,
 	                     	        $msg=message,
-	                                        	        $identifier=cat(index$host)]);
+	                     	        $identifier=cat(key$host)]);
 	                     	}]);
 	}
 
@@ -47,6 +52,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
 	if ( cmd == "USER" || cmd == "PASS" )
 		{
 		if ( FTP::parse_ftp_reply_code(code)$x == 5 )
-			Metrics::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
+			Measurement::add_data("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
 		}
 	}

scripts/policy/protocols/http/detect-sqli.bro

@@ -76,7 +76,7 @@ event bro_init() &priority=3
 	                     	local r = result["http.sqli.attacker"];
 	                     	NOTICE([$note=SQL_Injection_Attacker,
 	                     	        $msg="An SQL injection attacker was discovered!",
-	                     	        $email_body_sections=vector(format_sqli_samples(r$samples)),
+	                     	        $email_body_sections=vector(format_sqli_samples(Measurement::get_samples(r))),
 	                     	        $src=key$host,
 	                     	        $identifier=cat(key$host)]);
 	                     	}]);
@@ -94,7 +94,7 @@ event bro_init() &priority=3
 	                     	local r = result["http.sqli.victim"];
 	                     	NOTICE([$note=SQL_Injection_Victim,
 	                     	        $msg="An SQL injection victim was discovered!",
-	                     	        $email_body_sections=vector(format_sqli_samples(r$samples)),
+	                     	        $email_body_sections=vector(format_sqli_samples(Measurement::get_samples(r))),
 	                     	        $src=key$host,
 	                     	        $identifier=cat(key$host)]);
 	                     	}]);

scripts/test-all-policy.bro

@@ -24,9 +24,6 @@
 @load frameworks/intel/smtp.bro
 @load frameworks/intel/ssl.bro
 @load frameworks/intel/where-locations.bro
-@load frameworks/metrics/conn-example.bro
-@load frameworks/metrics/http-example.bro
-@load frameworks/metrics/ssl-example.bro
 @load frameworks/software/version-changes.bro
 @load frameworks/software/vulnerable.bro
 @load integration/barnyard2/__load__.bro

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2012-07-20-14-34-11
+#open	2013-04-02-04-24-03
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -14,20 +14,21 @@ scripts/base/init-bare.bro
   build/src/base/reporter.bif.bro
   build/src/base/event.bif.bro
   scripts/base/frameworks/logging/__load__.bro
-    scripts/base/frameworks/logging/./main.bro
+    scripts/base/frameworks/logging/main.bro
       build/src/base/logging.bif.bro
-    scripts/base/frameworks/logging/./postprocessors/__load__.bro
+    scripts/base/frameworks/logging/postprocessors/__load__.bro
-      scripts/base/frameworks/logging/./postprocessors/./scp.bro
+      scripts/base/frameworks/logging/postprocessors/scp.bro
-      scripts/base/frameworks/logging/./postprocessors/./sftp.bro
+      scripts/base/frameworks/logging/postprocessors/sftp.bro
-    scripts/base/frameworks/logging/./writers/ascii.bro
+    scripts/base/frameworks/logging/writers/ascii.bro
-    scripts/base/frameworks/logging/./writers/dataseries.bro
+    scripts/base/frameworks/logging/writers/dataseries.bro
-    scripts/base/frameworks/logging/./writers/elasticsearch.bro
+    scripts/base/frameworks/logging/writers/elasticsearch.bro
-    scripts/base/frameworks/logging/./writers/none.bro
+    scripts/base/frameworks/logging/writers/none.bro
   scripts/base/frameworks/input/__load__.bro
-    scripts/base/frameworks/input/./main.bro
+    scripts/base/frameworks/input/main.bro
       build/src/base/input.bif.bro
-    scripts/base/frameworks/input/./readers/ascii.bro
+    scripts/base/frameworks/input/readers/ascii.bro
-    scripts/base/frameworks/input/./readers/raw.bro
+    scripts/base/frameworks/input/readers/raw.bro
-    scripts/base/frameworks/input/./readers/benchmark.bro
+    scripts/base/frameworks/input/readers/benchmark.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2012-07-20-14-34-11
+  scripts/base/utils/paths.bro
+#close	2013-04-02-04-24-03

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-02-11-18-44-43
+#open	2013-04-02-04-22-32
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -14,24 +14,24 @@ scripts/base/init-bare.bro
   build/src/base/reporter.bif.bro
   build/src/base/event.bif.bro
   scripts/base/frameworks/logging/__load__.bro
-    scripts/base/frameworks/logging/./main.bro
+    scripts/base/frameworks/logging/main.bro
       build/src/base/logging.bif.bro
-    scripts/base/frameworks/logging/./postprocessors/__load__.bro
+    scripts/base/frameworks/logging/postprocessors/__load__.bro
-      scripts/base/frameworks/logging/./postprocessors/./scp.bro
+      scripts/base/frameworks/logging/postprocessors/scp.bro
-      scripts/base/frameworks/logging/./postprocessors/./sftp.bro
+      scripts/base/frameworks/logging/postprocessors/sftp.bro
-    scripts/base/frameworks/logging/./writers/ascii.bro
+    scripts/base/frameworks/logging/writers/ascii.bro
-    scripts/base/frameworks/logging/./writers/dataseries.bro
+    scripts/base/frameworks/logging/writers/dataseries.bro
-    scripts/base/frameworks/logging/./writers/elasticsearch.bro
+    scripts/base/frameworks/logging/writers/elasticsearch.bro
-    scripts/base/frameworks/logging/./writers/none.bro
+    scripts/base/frameworks/logging/writers/none.bro
   scripts/base/frameworks/input/__load__.bro
-    scripts/base/frameworks/input/./main.bro
+    scripts/base/frameworks/input/main.bro
       build/src/base/input.bif.bro
-    scripts/base/frameworks/input/./readers/ascii.bro
+    scripts/base/frameworks/input/readers/ascii.bro
-    scripts/base/frameworks/input/./readers/raw.bro
+    scripts/base/frameworks/input/readers/raw.bro
-    scripts/base/frameworks/input/./readers/benchmark.bro
+    scripts/base/frameworks/input/readers/benchmark.bro
 scripts/base/init-default.bro
   scripts/base/utils/site.bro
-    scripts/base/utils/./patterns.bro
+    scripts/base/utils/patterns.bro
   scripts/base/utils/addrs.bro
   scripts/base/utils/conn-ids.bro
   scripts/base/utils/directions-and-hosts.bro
@@ -41,83 +41,93 @@ scripts/base/init-default.bro
   scripts/base/utils/queue.bro
   scripts/base/utils/strings.bro
   scripts/base/utils/thresholds.bro
+  scripts/base/utils/time.bro
   scripts/base/utils/urls.bro
   scripts/base/frameworks/notice/__load__.bro
-    scripts/base/frameworks/notice/./main.bro
+    scripts/base/frameworks/notice/main.bro
-    scripts/base/frameworks/notice/./weird.bro
+    scripts/base/frameworks/notice/weird.bro
-    scripts/base/frameworks/notice/./actions/drop.bro
+    scripts/base/frameworks/notice/actions/drop.bro
-    scripts/base/frameworks/notice/./actions/email_admin.bro
+    scripts/base/frameworks/notice/actions/email_admin.bro
-    scripts/base/frameworks/notice/./actions/page.bro
+    scripts/base/frameworks/notice/actions/page.bro
-    scripts/base/frameworks/notice/./actions/add-geodata.bro
+    scripts/base/frameworks/notice/actions/add-geodata.bro
-    scripts/base/frameworks/notice/./extend-email/hostnames.bro
+    scripts/base/frameworks/notice/extend-email/hostnames.bro
     scripts/base/frameworks/cluster/__load__.bro
-      scripts/base/frameworks/cluster/./main.bro
+      scripts/base/frameworks/cluster/main.bro
         scripts/base/frameworks/control/__load__.bro
-          scripts/base/frameworks/control/./main.bro
+          scripts/base/frameworks/control/main.bro
-    scripts/base/frameworks/notice/./non-cluster.bro
+    scripts/base/frameworks/notice/non-cluster.bro
-    scripts/base/frameworks/notice/./actions/pp-alarms.bro
+    scripts/base/frameworks/notice/actions/pp-alarms.bro
   scripts/base/frameworks/dpd/__load__.bro
-    scripts/base/frameworks/dpd/./main.bro
+    scripts/base/frameworks/dpd/main.bro
   scripts/base/frameworks/signatures/__load__.bro
-    scripts/base/frameworks/signatures/./main.bro
+    scripts/base/frameworks/signatures/main.bro
   scripts/base/frameworks/packet-filter/__load__.bro
-    scripts/base/frameworks/packet-filter/./main.bro
+    scripts/base/frameworks/packet-filter/main.bro
-    scripts/base/frameworks/packet-filter/./netstats.bro
+    scripts/base/frameworks/packet-filter/netstats.bro
   scripts/base/frameworks/software/__load__.bro
-    scripts/base/frameworks/software/./main.bro
+    scripts/base/frameworks/software/main.bro
   scripts/base/frameworks/communication/__load__.bro
-    scripts/base/frameworks/communication/./main.bro
+    scripts/base/frameworks/communication/main.bro
-  scripts/base/frameworks/metrics/__load__.bro
+  scripts/base/frameworks/measurement/__load__.bro
-    scripts/base/frameworks/metrics/./main.bro
+    scripts/base/frameworks/measurement/main.bro
-    scripts/base/frameworks/metrics/./non-cluster.bro
+    scripts/base/frameworks/measurement/plugins/__load__.bro
+      scripts/base/frameworks/measurement/plugins/average.bro
+      scripts/base/frameworks/measurement/plugins/max.bro
+      scripts/base/frameworks/measurement/plugins/min.bro
+      scripts/base/frameworks/measurement/plugins/sample.bro
+      scripts/base/frameworks/measurement/plugins/std-dev.bro
+        scripts/base/frameworks/measurement/plugins/variance.bro
+      scripts/base/frameworks/measurement/plugins/sum.bro
+      scripts/base/frameworks/measurement/plugins/unique.bro
+    scripts/base/frameworks/measurement/non-cluster.bro
   scripts/base/frameworks/intel/__load__.bro
-    scripts/base/frameworks/intel/./main.bro
+    scripts/base/frameworks/intel/main.bro
-    scripts/base/frameworks/intel/./input.bro
+    scripts/base/frameworks/intel/input.bro
   scripts/base/frameworks/reporter/__load__.bro
-    scripts/base/frameworks/reporter/./main.bro
+    scripts/base/frameworks/reporter/main.bro
   scripts/base/frameworks/tunnels/__load__.bro
-    scripts/base/frameworks/tunnels/./main.bro
+    scripts/base/frameworks/tunnels/main.bro
   scripts/base/protocols/conn/__load__.bro
-    scripts/base/protocols/conn/./main.bro
+    scripts/base/protocols/conn/main.bro
-    scripts/base/protocols/conn/./contents.bro
+    scripts/base/protocols/conn/contents.bro
-    scripts/base/protocols/conn/./inactivity.bro
+    scripts/base/protocols/conn/inactivity.bro
-    scripts/base/protocols/conn/./polling.bro
+    scripts/base/protocols/conn/polling.bro
   scripts/base/protocols/dns/__load__.bro
-    scripts/base/protocols/dns/./consts.bro
+    scripts/base/protocols/dns/consts.bro
-    scripts/base/protocols/dns/./main.bro
+    scripts/base/protocols/dns/main.bro
   scripts/base/protocols/ftp/__load__.bro
-    scripts/base/protocols/ftp/./utils-commands.bro
+    scripts/base/protocols/ftp/utils-commands.bro
-    scripts/base/protocols/ftp/./main.bro
+    scripts/base/protocols/ftp/main.bro
-    scripts/base/protocols/ftp/./file-extract.bro
+    scripts/base/protocols/ftp/file-extract.bro
-    scripts/base/protocols/ftp/./gridftp.bro
+    scripts/base/protocols/ftp/gridftp.bro
       scripts/base/protocols/ssl/__load__.bro
-        scripts/base/protocols/ssl/./consts.bro
+        scripts/base/protocols/ssl/consts.bro
-        scripts/base/protocols/ssl/./main.bro
+        scripts/base/protocols/ssl/main.bro
-        scripts/base/protocols/ssl/./mozilla-ca-list.bro
+        scripts/base/protocols/ssl/mozilla-ca-list.bro
   scripts/base/protocols/http/__load__.bro
-    scripts/base/protocols/http/./main.bro
+    scripts/base/protocols/http/main.bro
-    scripts/base/protocols/http/./utils.bro
+    scripts/base/protocols/http/utils.bro
-    scripts/base/protocols/http/./file-ident.bro
+    scripts/base/protocols/http/file-ident.bro
-    scripts/base/protocols/http/./file-hash.bro
+    scripts/base/protocols/http/file-hash.bro
-    scripts/base/protocols/http/./file-extract.bro
+    scripts/base/protocols/http/file-extract.bro
   scripts/base/protocols/irc/__load__.bro
-    scripts/base/protocols/irc/./main.bro
+    scripts/base/protocols/irc/main.bro
-    scripts/base/protocols/irc/./dcc-send.bro
+    scripts/base/protocols/irc/dcc-send.bro
   scripts/base/protocols/modbus/__load__.bro
-    scripts/base/protocols/modbus/./consts.bro
+    scripts/base/protocols/modbus/consts.bro
-    scripts/base/protocols/modbus/./main.bro
+    scripts/base/protocols/modbus/main.bro
   scripts/base/protocols/smtp/__load__.bro
-    scripts/base/protocols/smtp/./main.bro
+    scripts/base/protocols/smtp/main.bro
-    scripts/base/protocols/smtp/./entities.bro
+    scripts/base/protocols/smtp/entities.bro
-    scripts/base/protocols/smtp/./entities-excerpt.bro
+    scripts/base/protocols/smtp/entities-excerpt.bro
   scripts/base/protocols/socks/__load__.bro
-    scripts/base/protocols/socks/./consts.bro
+    scripts/base/protocols/socks/consts.bro
-    scripts/base/protocols/socks/./main.bro
+    scripts/base/protocols/socks/main.bro
   scripts/base/protocols/ssh/__load__.bro
-    scripts/base/protocols/ssh/./main.bro
+    scripts/base/protocols/ssh/main.bro
   scripts/base/protocols/syslog/__load__.bro
-    scripts/base/protocols/syslog/./consts.bro
+    scripts/base/protocols/syslog/consts.bro
-    scripts/base/protocols/syslog/./main.bro
+    scripts/base/protocols/syslog/main.bro
   scripts/base/misc/find-checksum-offloading.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2013-02-11-18-44-43
+#close	2013-04-02-04-22-32

testing/btest/Baseline/coverage.init-default/missing_loads

@@ -3,5 +3,5 @@
 -./frameworks/cluster/nodes/worker.bro
 -./frameworks/cluster/setup-connections.bro
 -./frameworks/intel/cluster.bro
--./frameworks/metrics/cluster.bro
+-./frameworks/measurement/cluster.bro
 -./frameworks/notice/cluster.bro

testing/btest/Baseline/scripts.base.frameworks.measurement.thresholding/.stdout

@@ -1,6 +1,6 @@
 THRESHOLD_SERIES: hit a threshold series value at 3 for measurement_key(host=1.2.3.4)
-THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4)
 THRESHOLD_SERIES: hit a threshold series value at 6 for measurement_key(host=1.2.3.4)
-THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5)
+THRESHOLD: hit a threshold value at 6 for measurement_key(host=1.2.3.4)
 THRESHOLD_SERIES: hit a threshold series value at 1001 for measurement_key(host=7.2.1.5)
+THRESHOLD: hit a threshold value at 1001 for measurement_key(host=7.2.1.5)
 THRESHOLD WITH RATIO BETWEEN REDUCERS: hit a threshold value at 55x for measurement_key(host=7.2.1.5)

testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log

@@ -1,12 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	metrics
-#open	2012-12-17-18-43-15
-#fields	ts	ts_delta	metric	index.str	index.host	index.network	result.begin	result.end	result.num	result.sum	result.min	result.max	result.avg	result.variance	result.std_dev	result.unique
-#types	time	interval	string	string	addr	subnet	time	time	count	double	double	double	double	double	double	count
-1355769795.365325	3.000000	test.metric	-	6.5.4.3	-	1355769793.449322	1355769793.458467	2	6.0	1.0	5.0	3.0	4.0	2.0	2
-1355769795.365325	3.000000	test.metric	-	1.2.3.4	-	1355769793.449322	1355769793.458467	9	437.0	3.0	95.0	48.555556	674.469136	25.970544	8
-1355769795.365325	3.000000	test.metric	-	7.2.1.5	-	1355769793.449322	1355769793.458467	2	145.0	54.0	91.0	72.5	342.25	18.5	2
-#close	2012-12-17-18-43-21

testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log

@@ -1,12 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	metrics
-#open	2012-12-17-18-43-45
-#fields	ts	ts_delta	metric	index.str	index.host	index.network	result.begin	result.end	result.num	result.sum	result.min	result.max	result.avg	result.variance	result.std_dev	result.unique
-#types	time	interval	string	string	addr	subnet	time	time	count	double	double	double	double	double	double	count
-1355769825.947161	3.000000	test.metric	-	6.5.4.3	-	1355769825.947161	1355769825.947161	1	2.0	2.0	2.0	2.0	0.0	0.0	-
-1355769825.947161	3.000000	test.metric	-	1.2.3.4	-	1355769825.947161	1355769825.947161	5	221.0	5.0	94.0	44.2	915.36	30.254917	-
-1355769825.947161	3.000000	test.metric	-	7.2.1.5	-	1355769825.947161	1355769825.947161	1	1.0	1.0	1.0	1.0	0.0	0.0	-
-#close	2012-12-17-18-43-45

testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1..stdout

@@ -1 +0,0 @@
-A test metric threshold was crossed!

testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log

@@ -1,10 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	notice
-#open	2013-02-11-18-41-03
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
-#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double	addr	string	subnet
-1360608063.517719	-	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=1.2.3.4) 100/100	-	1.2.3.4	-	-	100	manager-1	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	1.2.3.4	-	-
-#close	2013-02-11-18-41-03

testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log

@@ -1,11 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	notice
-#open	2012-07-20-01-49-23
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
-#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double	addr	string	subnet
-1342748963.085888	-	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=1.2.3.4) 3/2	-	1.2.3.4	-	-	3	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	1.2.3.4	-	-
-1342748963.085888	-	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=6.5.4.3) 2/2	-	6.5.4.3	-	-	2	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	6.5.4.3	-	-
-#close	2012-07-20-01-49-23

testing/btest/Baseline/scripts.base.frameworks.metrics.thresholding/.stdout

@@ -1,8 +0,0 @@
-THRESHOLD_SERIES: hit a threshold series value at 3 for metric_index(host=1.2.3.4)
-THRESHOLD_FUNC: hit a threshold function value at 3 for metric_index(host=1.2.3.4)
-THRESHOLD_FUNC: hit a threshold function value at 2 for metric_index(host=6.5.4.3)
-THRESHOLD_FUNC: hit a threshold function value at 1 for metric_index(host=7.2.1.5)
-THRESHOLD: hit a threshold value at 6 for metric_index(host=1.2.3.4)
-THRESHOLD_SERIES: hit a threshold series value at 6 for metric_index(host=1.2.3.4)
-THRESHOLD: hit a threshold value at 1001 for metric_index(host=7.2.1.5)
-THRESHOLD_SERIES: hit a threshold series value at 1001 for metric_index(host=7.2.1.5)

testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2013-02-11-18-45-43
+#open	2013-04-02-02-21-00
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double	addr	string	subnet
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
-1360608343.088948	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-1	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	-	-	-
+1364869260.950557	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-1	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2013-02-11-18-45-43
+#close	2013-04-02-02-21-00

testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2013-02-11-18-45-14
+#open	2013-04-02-02-21-29
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double	addr	string	subnet
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
-1360608314.794257	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-2	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	-	-	-
+1364869289.545369	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-2	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2013-02-11-18-45-17
+#close	2013-04-02-02-21-32

testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2013-02-11-18-33-41
+#open	2013-04-02-02-19-21
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double	addr	string	subnet
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
-1348168976.558309	arKYeMETxOg	192.168.57.103	35391	192.168.57.101	55968	tcp	GridFTP::Data_Channel	GridFTP data channel over threshold 2 bytes	-	192.168.57.103	192.168.57.101	55968	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	-	-	-
+1348168976.558309	arKYeMETxOg	192.168.57.103	35391	192.168.57.101	55968	tcp	GridFTP::Data_Channel	GridFTP data channel over threshold 2 bytes	-	192.168.57.103	192.168.57.101	55968	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2013-02-11-18-33-41
+#close	2013-04-02-02-19-21

testing/btest/Baseline/scripts.base.utils.queue/output

@@ -1,9 +1,7 @@
-This is a get_cnt_vector test: 3
+This is a get_vector test: 3
-This is a get_cnt_vector test: 4
+This is a get_vector test: 4
-This is a get_str_vector test: 3
+Testing get: 3
-This is a get_str_vector test: 4
+Length after get: 1
-Testing pop: 3
-Length after pop: 1
 Size of q2: 4
 String queue value: test 1
 String queue value: test 2

testing/btest/scripts/base/utils/queue.test

@@ -7,29 +7,27 @@
 event bro_init()
 	{
 	local q = Queue::init([$max_len=2]);
-	Queue::push(q, 1);
+	Queue::put(q, 1);
-	Queue::push(q, 2);
+	Queue::put(q, 2);
-	Queue::push(q, 3);
+	Queue::put(q, 3);
-	Queue::push(q, 4);
+	Queue::put(q, 4);
-	local test1 =  Queue::get_cnt_vector(q);
+	local test1: vector of count = vector();
+	Queue::get_vector(q, test1);
 	for ( i in test1 )
-		print fmt("This is a get_cnt_vector test: %d", test1[i]);
+		print fmt("This is a get_vector test: %d", test1[i]);
 
-	local test2 =  Queue::get_str_vector(q);
+	local test_val = Queue::get(q);
-	for ( i in test2 )
+	print fmt("Testing get: %s", test_val);
-		print fmt("This is a get_str_vector test: %s", test2[i]);
+	print fmt("Length after get: %d", Queue::len(q));
-
-	local test_val = Queue::pop(q);
-	print fmt("Testing pop: %s", test_val);
-	print fmt("Length after pop: %d", Queue::len(q));
 
 	local q2 = Queue::init([]);
-	Queue::push(q2, "test 1");
+	Queue::put(q2, "test 1");
-	Queue::push(q2, "test 2");
+	Queue::put(q2, "test 2");
-	Queue::push(q2, "test 2");
+	Queue::put(q2, "test 2");
-	Queue::push(q2, "test 1");
+	Queue::put(q2, "test 1");
 	print fmt("Size of q2: %d", Queue::len(q2));
-	local test3: vector of string = Queue::get_str_vector(q2);
+	local test3: vector of string = vector();
+	Queue::get_vector(q2, test3);
 	for ( i in test3 )
 		print fmt("String queue value: %s", test3[i]);
 	}