Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/master' into topic/seth/metrics-merge

Browse source 
Conflicts:
	testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
	testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
	testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
	testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log
This commit is contained in:
Seth Hall 2013-03-13 00:26:55 -04:00
commit 09cbaa7ccc
114 changed files with 2308 additions and 897 deletions
Download patch file Download diff file Expand all files Collapse all files

63
CHANGES
View file

@ -1,4 +1,67 @@
2.1-357 | 2013-03-08 09:18:35 -0800
* Fix race-condition in table-event test. (Bernhard Amann)
* s/bro-ids.org/bro.org/g. (Robin Sommer)
2.1-353 | 2013-03-07 13:31:37 -0800
* Fix function type-equivalence requiring same parameter names.
Addresses #957. (Jon Siwek)
2.1-351 | 2013-03-07 13:27:29 -0800
* Fix new/delete mismatch. Addresses #958. (Jacob Baines)
* Fix compiler warnings. (Jon Siwek)
2.1-347 | 2013-03-06 16:48:44 -0800
* Remove unused parameter from vector assignment method. (Bernhard Amann)
* Remove the byte_len() and length() bifs. (Bernhard Amann)
2.1-342 | 2013-03-06 15:42:52 -0800
* Moved the Notice::notice event and Notice::policy table to both be
hooks. See documentation and NEWS for information. (Seth Hall).
2.1-338 | 2013-03-06 15:10:43 -0800
* Fix init of local sets/vectors via curly brace initializer lists.
(Jon Siwek)
2.1-336 | 2013-03-06 15:08:06 -0800
* Fix memory leaks resulting from 'when' and 'return when'
statements. Addresses #946. (Jon Siwek)
* Fix three bugs with 'when' and 'return when' statements. Addresses
#946. (Jon Siwek)
2.1-333 | 2013-03-06 14:59:47 -0800
* Add parsing for GTPv1 extension headers and control messages. (Jon Siwek)
This includes:
- A new generic gtpv1_message() event generated for any GTP
message type.
- Specific events for the create/update/delete PDP context
request/response messages.
Addresses #934.
2.1-331 | 2013-03-06 14:54:33 -0800
* Fix possible null pointer dereference in identify_data BIF. Also
centralized libmagic calls for consistent error handling/output.
(Jon Siwek)
* Fix build on OpenBSD 5.2. (Jon Siwek)
2.1-328 | 2013-02-05 01:34:29 -0500
* New script to query the ICSI Certificate Notary

12
INSTALL
View file

@ -4,7 +4,7 @@
.. _MacPorts: http://www.macports.org
.. _Fink: http://www.finkproject.org
.. _Homebrew: http://mxcl.github.com/homebrew
.. _bro downloads page: http://bro-ids.org/download/index.html
.. _bro downloads page: http://bro.org/download/index.html
==============
Installing Bro
@ -189,15 +189,15 @@ Bro releases are bundled into source packages for convenience and
available from the `bro downloads page`_.
Alternatively, the latest Bro development version can be obtained through git
repositories hosted at `git.bro-ids.org <http://git.bro-ids.org>`_. See
repositories hosted at `git.bro.org <http://git.bro.org>`_. See
our `git development documentation
<http://bro-ids.org/development/process.html>`_ for comprehensive
<http://bro.org/development/process.html>`_ for comprehensive
information on Bro's use of git revision control, but the short story
for downloading the full source code experience for Bro via git is:
.. console::
git clone --recursive git://git.bro-ids.org/bro
git clone --recursive git://git.bro.org/bro
.. note:: If you choose to clone the ``bro`` repository non-recursively for
a "minimal Bro experience", be aware that compiling it depends on
@ -230,7 +230,7 @@ automatically. Finally, use ``make install-aux`` to install some of
the other programs that are in the ``aux/bro-aux`` directory.
OpenBSD users, please see our FAQ at
http://www.bro-ids.org/documentation/faq.html if you are having
http://www.bro.org/documentation/faq.html if you are having
problems installing Bro.
@ -298,7 +298,7 @@ Running Bro
Bro is a complex program and it takes a bit of time to get familiar
with it. A good place for newcomers to start is the Quick Start Guide
at http://www.bro-ids.org/documentation/quickstart.html.
at http://www.bro.org/documentation/quickstart.html.
For developers that wish to run Bro directly from the ``build/``
directory (i.e., without performing ``make install``), they will have

49
NEWS
View file

@ -67,6 +67,7 @@ Changed Functionality
- md5_*, sha1_*, sha256_*, and entropy_* have all changed
their signatures to work with opaque types (see above).
- Removed a now unused argument from "do_split" helper function.
- "this" is no longer a reserved keyword.
@ -81,6 +82,50 @@ Changed Functionality
value can now be set with the new broctl.cfg option
"MailAlarmsInterval".
- We have completely reworded the "notice_policy" mechanism. It now no
linger uses a record of policy items but a "hook", a new language
element that's roughly equivalent to a function with multiple
bodies. The documentation [TODO: insert link] describes how to use
the new notice policy. For existing code, the two main changes are:
- What used to be a "redef" of "Notice::policy" now becomes a hook
implementation. Example:
Old:
redef Notice::policy += {
[$pred(n: Notice::Info) = {
return n$note == SSH::Login && n$id$resp_h == 10.0.0.1;
},
$action = Notice::ACTION_EMAIL]
};
New:
hook Notice::policy(n: Notice::Info)
{
if ( n$note == SSH::Login && n$id$resp_h == 10.0.0.1 )
add n$actions[Notice::ACTION_EMAIL];
}
- notice() is now likewise a hook, no longer an event. If you have
handlers for that event, you'll likely just need to change the
type accordingly. Example:
Old:
event notice(n: Notice::Info) { ... }
New:
hook notice(n: Notice::Info) { ... }
- The notice_policy.log is gone. That's a result of the new notice
policy setup.
- Removed the byte_len() and length() bif functions. Use the "|...|"
operator instead.
Bro 2.1
-------
@ -247,7 +292,7 @@ Bro 2.0
As the version number jump suggests, Bro 2.0 is a major upgrade and
lots of things have changed. We have assembled a separate upgrade
guide with the most important changes compared to Bro 1.5 at
http://www.bro-ids.org/documentation/upgrade.html. You can find
http://www.bro.org/documentation/upgrade.html. You can find
the offline version of that document in ``doc/upgrade.rst.``.
Compared to the earlier 2.0 Beta version, the major changes in the
@ -255,7 +300,7 @@ final release are:
* The default scripts now come with complete reference
documentation. See
http://www.bro-ids.org/documentation/index.html.
http://www.bro.org/documentation/index.html.
* libz and libmagic are now required dependencies.

2
README
View file

@ -11,7 +11,7 @@ Please see COPYING for licensing information.
For more documentation, research publications, and community contact
information, please see Bro's home page:
http://www.bro-ids.org
http://www.bro.org
On behalf of the Bro Development Team,

2
VERSION
View file

@ -1 +1 @@
2.1-328
2.1-357

2
aux/binpac

@ -1 +1 @@
Subproject commit 2fd9086c9dc0e76f6ff1ae04a60cbbce60507aab
Subproject commit 72d121ade5a37df83d3252646de51cb77ce69a89

2
aux/bro-aux

@ -1 +1 @@
Subproject commit bea556198b69d30d64c0cf1b594e6de71176df6f
Subproject commit ae14da422bfb252c8a53bd00d3e5fd7da8bc112e

2
aux/broccoli

@ -1 +1 @@
Subproject commit c1ba9b44c4815c61c54c968f462ec5b0865e5990
Subproject commit e64204fec55759c614a276c1933bbff2069a63db

2
aux/broctl

@ -1 +1 @@
Subproject commit 2bf6b37177b895329173acac2bb98f38a8783bc1
Subproject commit 3d2172a60aa503745c92cef8ab3020d1dfc13f0d

2
aux/btest

@ -1 +1 @@
Subproject commit ba0700fe448895b654b90d50f389f6f1341234cb
Subproject commit d5b8df42cb9c398142e02d4bf8ede835fd0227f4

2
cmake

@ -1 +1 @@
Subproject commit 14537f56d66b18ab9d5024f798caf4d1f356fc67
Subproject commit 94e72a3075bb0b9550ad05758963afda394bfb2c

4
doc/_templates/layout.html vendored
View file

@ -10,7 +10,7 @@
{% endblock %}
{% block header %}
<iframe src="http://www.bro-ids.org/frames/header-no-logo.html" width="100%" height="100px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
<iframe src="http://www.bro.org/frames/header-no-logo.html" width="100%" height="100px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
</iframe>
{% endblock %}
@ -108,6 +108,6 @@
{% endblock %}
{% block footer %}
<iframe src="http://www.bro-ids.org/frames/footer.html" width="100%" height="420px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
<iframe src="http://www.bro.org/frames/footer.html" width="100%" height="420px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
</iframe>
{% endblock %}

2
doc/index.rst
View file

@ -53,7 +53,7 @@ Other Bro Components
The following are snapshots of documentation for components that come
with this version of Bro (|version|). Since they can also be used
independently, see the `download page
<http://bro-ids.org/download/index.html>`_ for documentation of any
<http://bro.org/download/index.html>`_ for documentation of any
current, independent component releases.
.. toctree::

155
doc/notice.rst
View file

@ -6,7 +6,7 @@ Notice Framework
One of the easiest ways to customize Bro is writing a local notice
policy. Bro can detect a large number of potentially interesting
situations, and the notice policy tells which of them the user wants to be
situations, and the notice policy hook which of them the user wants to be
acted upon in some manner. In particular, the notice policy can specify
actions to be taken, such as sending an email or compiling regular
alarm emails. This page gives an introduction into writing such a notice
@ -24,8 +24,8 @@ of interest for the user. However, none of these scripts determines the
importance of what it finds itself. Instead, the scripts only flag situations
as *potentially* interesting, leaving it to the local configuration to define
which of them are in fact actionable. This decoupling of detection and
reporting allows Bro to address the different needs that sites have:
definitions of what constitutes an attack or even a compromise differ quite a
reporting allows Bro to address the different needs that sites have.
Definitions of what constitutes an attack or even a compromise differ quite a
bit between environments, and activity deemed malicious at one site might be
fully acceptable at another.
@ -40,7 +40,7 @@ More information about raising notices can be found in the `Raising Notices`_
section.
Once a notice is raised, it can have any number of actions applied to it by
the :bro:see:`Notice::policy` set which is described in the `Notice Policy`_
writing :bro:see:`Notice::policy` hooks which is described in the `Notice Policy`_
section below. Such actions can be to send a mail to the configured
address(es) or to simply ignore the notice. Currently, the following actions
are defined:
@ -68,12 +68,6 @@ are defined:
- Send an email to the email address or addresses given in the
:bro:see:`Notice::mail_page_dest` variable.
* - Notice::ACTION_NO_SUPPRESS
- This action will disable the built in notice suppression for the
notice. Keep in mind that this action will need to be applied to
every notice that shouldn't be suppressed including each of the future
notices that would have normally been suppressed.
How these notice actions are applied to notices is discussed in the
`Notice Policy`_ and `Notice Policy Shortcuts`_ sections.
@ -83,26 +77,24 @@ Processing Notices
Notice Policy
*************
The predefined set :bro:see:`Notice::policy` provides the mechanism for
applying actions and other behavior modifications to notices. Each entry
of :bro:see:`Notice::policy` is a record of the type
:bro:see:`Notice::PolicyItem` which defines a condition to be matched
against all raised notices and one or more of a variety of behavior
modifiers. The notice policy is defined by adding any number of
:bro:see:`Notice::PolicyItem` records to the :bro:see:`Notice::policy`
set.
The hook :bro:see:`Notice::policy` provides the mechanism for applying
actions and generally modifying the notice before it's sent onward to
the action plugins. Hooks can be thought of as multi-bodied functions
and using them looks very similar to handling events. The difference
is that they don't go through the event queue like events. Users should
directly make modifications to the :bro:see:`Notice::Info` record
given as the argument to the hook.
Here's a simple example which tells Bro to send an email for all notices of
type :bro:see:`SSH::Login` if the server is 10.0.0.1:
.. code:: bro
redef Notice::policy += {
[$pred(n: Notice::Info) = {
return n$note == SSH::Login && n$id$resp_h == 10.0.0.1;
},
$action = Notice::ACTION_EMAIL]
};
hook Notice::policy(n: Notice::Info)
{
if ( n$note == SSH::Login && n$id$resp_h == 10.0.0.1 )
add n$actions[Notice::ACTION_EMAIL];
}
.. note::
@ -110,78 +102,21 @@ type :bro:see:`SSH::Login` if the server is 10.0.0.1:
such that it is only raised when Bro heuristically detects a successful
login. No apparently failed logins will raise this notice.
While the syntax might look a bit convoluted at first, it provides a lot of
flexibility due to having access to Bro's full programming language.
Predicate Field
^^^^^^^^^^^^^^^
The :bro:see:`Notice::PolicyItem` record type has a field name ``$pred``
which defines the entry's condition in the form of a predicate written
as a Bro function. The function is passed the notice as a
:bro:see:`Notice::Info` record and it returns a boolean value indicating
if the entry is applicable to that particular notice.
.. note::
The lack of a predicate in a ``Notice::PolicyItem`` is implicitly true
(``T``) since an implicit false (``F``) value would never be used.
Bro evaluates the predicates of each entry in the order defined by the
``$priority`` field in :bro:see:`Notice::PolicyItem` records. The valid
values are 0-10 with 10 being earliest evaluated. If ``$priority`` is
omitted, the default priority is 5.
Behavior Modification Fields
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
There are a set of fields in the :bro:see:`Notice::PolicyItem` record type that
indicate ways that either the notice or notice processing should be modified
if the predicate field (``$pred``) evaluated to true (``T``). Those fields are
explained in more detail in the following table.
.. list-table::
:widths: 20 30 20
:header-rows: 1
* - Field
- Description
- Example
* - ``$action=<Notice::Action>``
- Each :bro:see:`Notice::PolicyItem` can have a single action
applied to the notice with this field.
- ``$action = Notice::ACTION_EMAIL``
* - ``$suppress_for=<interval>``
- This field makes it possible for a user to modify the behavior of the
notice framework's automated suppression of intrinsically similar
notices. More information about the notice framework's automated
suppression can be found in the `Automated Suppression`_ section of
this document.
- ``$suppress_for = 10mins``
* - ``$halt=<bool>``
- This field can be used for modification of the notice policy
evaluation. To stop processing of notice policy items before
evaluating all of them, set this field to ``T`` and make the ``$pred``
field return ``T``. :bro:see:`Notice::PolicyItem` records defined at
a higher priority as defined by the ``$priority`` field will still be
evaluated but those at a lower priority won't.
- ``$halt = T``
Hooks can also have priorities applied to order their execution like events
with a default priority of 0. Greater values are executed first. Setting
a hook body to run before default hook bodies might look like this:
.. code:: bro
redef Notice::policy += {
[$pred(n: Notice::Info) = {
return n$note == SSH::Login && n$id$resp_h == 10.0.0.1;
},
$action = Notice::ACTION_EMAIL,
$priority=5]
};
hook Notice::policy(n: Notice::Info) &priority=5
{
if ( n$note == SSH::Login && n$id$resp_h == 10.0.0.1 )
add n$actions[Notice::ACTION_EMAIL];
}
Hooks can also abort later hook bodies with the ``break`` keyword. This
is primarily useful if one wants to completely preempt processing by
lower priority :bro:see:`Notice::policy` hooks.
Notice Policy Shortcuts
***********************
@ -189,7 +124,7 @@ Notice Policy Shortcuts
Although the notice framework provides a great deal of flexibility and
configurability there are many times that the full expressiveness isn't needed
and actually becomes a hindrance to achieving results. The framework provides
a default :bro:see:`Notice::policy` suite as a way of giving users the
a default :bro:see:`Notice::policy` hook body as a way of giving users the
shortcuts to easily apply many common actions to notices.
These are implemented as sets and tables indexed with a
@ -377,19 +312,45 @@ Setting the ``$identifier`` field is left to those raising notices because
it's assumed that the script author who is raising the notice understands the
full problem set and edge cases of the notice which may not be readily
apparent to users. If users don't want the suppression to take place or simply
want a different interval, they can always modify it with the
:bro:see:`Notice::policy`.
want a different interval, they can set a notice's suppression
interval to ``0secs`` or delete the value from the ``$identifier`` field in
a :bro:see:`Notice::policy` hook.
Extending Notice Framework
--------------------------
Adding Custom Notice Actions
****************************
There are a couple of mechanism currently for extending the notice framework
and adding new capability.
Extending Notice Emails
***********************
If there is extra information that you would like to add to emails, that is
possible to add by writing :bro:see:`Notice::policy` hooks.
There is a field in the :bro:see:`Notice::Info` record named
``$email_body_sections`` which will be included verbatim when email is being
sent. An example of including some information from an HTTP request is
included below.
.. code:: bro
hook Notice::policy(n: Notice::Info)
{
if ( n?$conn && n$conn?$http && n$conn$http?$host )
n$email_body_sections[|email_body_sections|] = fmt("HTTP host header: %s", n$conn$http$host);
}
Cluster Considerations
----------------------
As a user/developer of Bro, the main cluster concern with the notice framework
is understanding what runs where. When a notice is generated on a worker, the
worker checks to see if the notice shoudl be suppressed based on information
locally maintained in the worker process. If it's not being
suppressed, the worker forwards the notice directly to the manager and does no more
local processing. The manager then runs the :bro:see:`Notice::policy` hook and
executes all of the actions determined to be run.

2
doc/quickstart.rst
View file

@ -111,7 +111,7 @@ protocol-dependent activity that's occurring. E.g. ``http.log``'s next few
columns (shortened for brevity) show a request to the root of Bro website::
# method host uri referrer user_agent
GET bro-ids.org / - <...>Chrome/12.0.742.122<...>
GET bro.org / - <...>Chrome/12.0.742.122<...>
Some logs are worth explicit mention:

2
doc/reporting-problems.rst
View file

@ -19,7 +19,7 @@ Reporting Problems
Generally, when you encounter a problem with Bro, the best thing to do
is opening a new ticket in `Bro's issue tracker
<http://tracker.bro-ids.org/>`__ and include information on how to
<http://tracker.bro.org/>`__ and include information on how to
reproduce the issue. Ideally, your ticket should come with the
following:

1
doc/scripts/DocSourcesList.cmake
View file

@ -57,6 +57,7 @@ rest_target(${psd} base/frameworks/notice/actions/pp-alarms.bro)
rest_target(${psd} base/frameworks/notice/cluster.bro)
rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro)
rest_target(${psd} base/frameworks/notice/main.bro)
rest_target(${psd} base/frameworks/notice/non-cluster.bro)
rest_target(${psd} base/frameworks/notice/weird.bro)
rest_target(${psd} base/frameworks/packet-filter/main.bro)
rest_target(${psd} base/frameworks/packet-filter/netstats.bro)

4
doc/upgrade.rst
View file

@ -254,7 +254,7 @@ Variable Naming
- Identifiers may have been renamed to conform to new `scripting
conventions
<http://www.bro-ids.org/development/script-conventions.html>`_
<http://www.bro.org/development/script-conventions.html>`_
BroControl
@ -296,7 +296,7 @@ Development Infrastructure
Bro development has moved from using SVN to Git for revision control.
Users that want to use the latest Bro development snapshot by checking it out
from the source repositories should see the `development process
<http://www.bro-ids.org/development/process.html>`_. Note that all the various
<http://www.bro.org/development/process.html>`_. Note that all the various
sub-components now reside in their own repositories. However, the
top-level Bro repository includes them as git submodules so it's easy
to check them all out simultaneously.

2
scripts/base/frameworks/cluster/main.bro
View file

@ -39,7 +39,7 @@ export {
## The node type doing all the actual traffic analysis.
WORKER,
## A node acting as a traffic recorder using the
## `Time Machine <http://tracker.bro-ids.org/time-machine>`_ software.
## `Time Machine <http://tracker.bro.org/time-machine>`_ software.
TIME_MACHINE,
};

2
scripts/base/frameworks/notice/__load__.bro
View file

@ -17,6 +17,8 @@
@if ( Cluster::is_enabled() )
@load ./cluster
@else
@load ./non-cluster
@endif
# Load here so that it can check whether clustering is enabled.

15
scripts/base/frameworks/notice/actions/add-geodata.bro
View file

@ -27,18 +27,17 @@ export {
## Notice types which should have the "remote" location looked up.
## If GeoIP support is not built in, this does nothing.
const lookup_location_types: set[Notice::Type] = {} &redef;
## Add a helper to the notice policy for looking up GeoIP data.
redef Notice::policy += {
[$pred(n: Notice::Info) = { return (n$note in Notice::lookup_location_types); },
$action = ACTION_ADD_GEODATA,
$priority = 10],
};
}
hook policy(n: Notice::Info) &priority=10
{
if ( n$note in Notice::lookup_location_types )
add n$actions[ACTION_ADD_GEODATA];
}
# This is handled at a high priority in case other notice handlers
# want to use the data.
event notice(n: Notice::Info) &priority=10
hook notice(n: Notice::Info) &priority=10
{
if ( ACTION_ADD_GEODATA in n$actions &&
|Site::local_nets| > 0 &&

21
scripts/base/frameworks/notice/actions/drop.bro
View file

@ -17,20 +17,13 @@ export {
};
}
# This is a little awkward because we want to inject drop along with the
# synchronous functions.
event bro_init()
hook notice(n: Notice::Info)
{
local drop_func = function(n: Notice::Info)
if ( ACTION_DROP in n$actions )
{
if ( ACTION_DROP in n$actions )
{
#local drop = React::drop_address(n$src, "");
#local addl = drop?$sub ? fmt(" %s", drop$sub) : "";
#n$dropped = drop$note != Drop::AddressDropIgnored;
#n$msg += fmt(" [%s%s]", drop$note, addl);
}
};
add Notice::sync_functions[drop_func];
#local drop = React::drop_address(n$src, "");
#local addl = drop?$sub ? fmt(" %s", drop$sub) : "";
#n$dropped = drop$note != Drop::AddressDropIgnored;
#n$msg += fmt(" [%s%s]", drop$note, addl);
}
}

2
scripts/base/frameworks/notice/actions/email_admin.bro
View file

@ -18,7 +18,7 @@ export {
};
}
event notice(n: Notice::Info) &priority=-5
hook notice(n: Notice::Info) &priority=-5
{
if ( |Site::local_admins| > 0 &&
ACTION_EMAIL_ADMIN in n$actions )

2
scripts/base/frameworks/notice/actions/page.bro
View file

@ -15,7 +15,7 @@ export {
const mail_page_dest = "" &redef;
}
event notice(n: Notice::Info) &priority=-5
hook notice(n: Notice::Info) &priority=-5
{
if ( ACTION_PAGE in n$actions )
email_notice_to(n, mail_page_dest, F);

2
scripts/base/frameworks/notice/actions/pp-alarms.bro
View file

@ -105,7 +105,7 @@ event bro_init()
$postprocessor=pp_postprocessor]);
}
event notice(n: Notice::Info) &priority=-5
hook notice(n: Notice::Info) &priority=-5
{
if ( ! want_pp() )
return;

36
scripts/base/frameworks/notice/cluster.bro
View file

@ -21,30 +21,10 @@ redef Cluster::manager2worker_events += /Notice::begin_suppression/;
redef Cluster::worker2manager_events += /Notice::cluster_notice/;
@if ( Cluster::local_node_type() != Cluster::MANAGER )
# The notice policy is completely handled by the manager and shouldn't be
# done by workers or proxies to save time for packet processing.
redef Notice::policy = table();
event Notice::begin_suppression(n: Notice::Info)
{
suppressing[n$note, n$identifier] = n;
}
event Notice::notice(n: Notice::Info)
{
# Send the locally generated notice on to the manager.
event Notice::cluster_notice(n);
}
event bro_init() &priority=-3
{
# Workers and proxies need to disable the notice streams because notice
# events are forwarded directly instead of being logged remotely.
Log::disable_stream(Notice::LOG);
Log::disable_stream(Notice::POLICY_LOG);
Log::disable_stream(Notice::ALARM_LOG);
}
@endif
@if ( Cluster::local_node_type() == Cluster::MANAGER )
@ -54,3 +34,19 @@ event Notice::cluster_notice(n: Notice::Info)
NOTICE(n);
}
@endif
module GLOBAL;
## This is the entry point in the global namespace for the notice framework.
function NOTICE(n: Notice::Info)
{
# Suppress this notice if necessary.
if ( Notice::is_being_suppressed(n) )
return;
if ( Cluster::local_node_type() == Cluster::MANAGER )
Notice::internal_NOTICE(n);
else
# For non-managers, send the notice on to the manager.
event Notice::cluster_notice(n);
}

2
scripts/base/frameworks/notice/extend-email/hostnames.bro
View file

@ -13,7 +13,7 @@ module Notice;
# reference to the original notice)
global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs;
event Notice::notice(n: Notice::Info) &priority=10
hook notice(n: Notice::Info) &priority=10
{
if ( ! n?$src && ! n?$dst )
return;

195
scripts/base/frameworks/notice/main.bro
View file

@ -10,9 +10,6 @@ export {
redef enum Log::ID += {
## This is the primary logging stream for notices.
LOG,
## This is the notice policy auditing log. It records what the current
## notice policy is at Bro init time.
POLICY_LOG,
## This is the alarm stream.
ALARM_LOG,
};
@ -42,9 +39,6 @@ export {
## version of the alarm log is emailed in bulk to the address(es)
## configured in :bro:id:`Notice::mail_dest`.
ACTION_ALARM,
## Indicates that the notice should not be supressed by the normal
## duplicate notice suppression that the notice framework does.
ACTION_NO_SUPPRESS,
};
## The notice framework is able to do automatic notice supression by
@ -102,10 +96,6 @@ export {
## The actions which have been applied to this notice.
actions: set[Notice::Action] &log &optional;
## These are policy items that returned T and applied their action
## to the notice.
policy_items: set[count] &log &optional;
## By adding chunks of text into this element, other scripts can
## expand on notices that are being emailed. The normal way to add text
## is to extend the vector by handling the :bro:id:`Notice::notice`
@ -142,9 +132,8 @@ export {
identifier: string &optional;
## This field indicates the length of time that this
## unique notice should be suppressed. This field is automatically
## filled out and should not be written to by any other script.
suppress_for: interval &log &optional;
## unique notice should be suppressed.
suppress_for: interval &log &default=default_suppression_interval;
};
## Ignored notice types.
@ -159,58 +148,8 @@ export {
## intervals for entire notice types.
const type_suppression_intervals: table[Notice::Type] of interval = {} &redef;
## This is the record that defines the items that make up the notice policy.
type PolicyItem: record {
## This is the exact positional order in which the
## :bro:type:`Notice::PolicyItem` records are checked.
## This is set internally by the notice framework.
position: count &log &optional;
## Define the priority for this check. Items are checked in ordered
## from highest value (10) to lowest value (0).
priority: count &log &default=5;
## An action given to the notice if the predicate return true.
action: Notice::Action &log &default=ACTION_NONE;
## The pred (predicate) field is a function that returns a boolean T
## or F value. If the predicate function return true, the action in
## this record is applied to the notice that is given as an argument
## to the predicate function. If no predicate is supplied, it's
## assumed that the PolicyItem always applies.
pred: function(n: Notice::Info): bool &log &optional;
## Indicates this item should terminate policy processing if the
## predicate returns T.
halt: bool &log &default=F;
## This defines the length of time that this particular notice should
## be supressed.
suppress_for: interval &log &optional;
};
## Defines a notice policy that is extensible on a per-site basis.
## All notice processing is done through this variable.
const policy: set[PolicyItem] = {
[$pred(n: Notice::Info) = { return (n$note in Notice::ignored_types); },
$halt=T, $priority = 9],
[$pred(n: Notice::Info) = { return (n$note in Notice::not_suppressed_types); },
$action = ACTION_NO_SUPPRESS,
$priority = 9],
[$pred(n: Notice::Info) = { return (n$note in Notice::alarmed_types); },
$action = ACTION_ALARM,
$priority = 8],
[$pred(n: Notice::Info) = { return (n$note in Notice::emailed_types); },
$action = ACTION_EMAIL,
$priority = 8],
[$pred(n: Notice::Info) = {
if (n$note in Notice::type_suppression_intervals)
{
n$suppress_for=Notice::type_suppression_intervals[n$note];
return T;
}
return F;
},
$action = ACTION_NONE,
$priority = 8],
[$action = ACTION_LOG,
$priority = 0],
} &redef;
## The hook to modify notice handling.
global policy: hook(n: Notice::Info);
## Local system sendmail program.
const sendmail = "/usr/sbin/sendmail" &redef;
@ -240,25 +179,11 @@ export {
## This is the event that is called as the entry point to the
## notice framework by the global :bro:id:`NOTICE` function. By the time
## this event is generated, default values have already been filled out in
## the :bro:type:`Notice::Info` record and synchronous functions in the
## :bro:id:`Notice::sync_functions` have already been called. The notice
## the :bro:type:`Notice::Info` record and the notice
## policy has also been applied.
##
## n: The record containing notice data.
global notice: event(n: Info);
## This is a set of functions that provide a synchronous way for scripts
## extending the notice framework to run before the normal event based
## notice pathway that most of the notice framework takes. This is helpful
## in cases where an action against a notice needs to happen immediately
## and can't wait the short time for the event to bubble up to the top of
## the event queue. An example is the IP address dropping script that
## can block IP addresses that have notices generated because it
## needs to operate closer to real time than the event queue allows it to.
## Normally the event based extension model using the
## :bro:id:`Notice::notice` event will work fine if there aren't harder
## real time constraints.
const sync_functions: set[function(n: Notice::Info)] = set() &redef;
global notice: hook(n: Info);
## This event is generated when a notice begins to be suppressed.
##
@ -266,6 +191,11 @@ export {
## about to be suppressed.
global begin_suppression: event(n: Notice::Info);
## A function to determine if an event is supposed to be suppressed.
##
## n: The record containing the notice in question.
global is_being_suppressed: function(n: Notice::Info): bool;
## This event is generated on each occurence of an event being suppressed.
##
## n: The record containing notice data regarding the notice type
@ -338,10 +268,6 @@ global suppressing: table[Type, string] of Notice::Info = {}
&create_expire=0secs
&expire_func=per_notice_suppression_interval;
# This is an internal variable used to store the notice policy ordered by
# priority.
global ordered_policy: vector of PolicyItem = vector();
function log_mailing_postprocessor(info: Log::RotationInfo): bool
{
if ( ! reading_traces() && mail_dest != "" )
@ -424,9 +350,7 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
}
else
{
event reporter_info(network_time(),
fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens),
"");
Reporter::info(fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens));
}
}
}
@ -468,7 +392,26 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
piped_exec(fmt("%s -t -oi", sendmail), email_text);
}
event notice(n: Notice::Info) &priority=-5
hook Notice::policy(n: Notice::Info) &priority=10
{
if ( n$note in Notice::ignored_types )
break;
if ( n$note in Notice::not_suppressed_types )
n$suppress_for=0secs;
if ( n$note in Notice::alarmed_types )
add n$actions[ACTION_ALARM];
if ( n$note in Notice::emailed_types )
add n$actions[ACTION_EMAIL];
if ( n$note in Notice::type_suppression_intervals )
n$suppress_for=Notice::type_suppression_intervals[n$note];
# Logging is a default action. It can be removed in a later hook if desired.
add n$actions[ACTION_LOG];
}
hook Notice::notice(n: Notice::Info) &priority=-5
{
if ( ACTION_EMAIL in n$actions )
email_notice_to(n, mail_dest, T);
@ -480,7 +423,6 @@ event notice(n: Notice::Info) &priority=-5
# Normally suppress further notices like this one unless directed not to.
# n$identifier *must* be specified for suppression to function at all.
if ( n?$identifier &&
ACTION_NO_SUPPRESS !in n$actions &&
[n$note, n$identifier] !in suppressing &&
n$suppress_for != 0secs )
{
@ -565,27 +507,8 @@ function apply_policy(n: Notice::Info)
if ( ! n?$email_delay_tokens )
n$email_delay_tokens = set();
if ( ! n?$policy_items )
n$policy_items = set();
for ( i in ordered_policy )
{
# If there's no predicate or the predicate returns F.
if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) )
{
add n$actions[ordered_policy[i]$action];
add n$policy_items[int_to_count(i)];
# If the predicate matched and there was a suppression interval,
# apply it to the notice now.
if ( ordered_policy[i]?$suppress_for )
n$suppress_for = ordered_policy[i]$suppress_for;
# If the policy item wants to halt policy processing, do it now!
if ( ordered_policy[i]$halt )
break;
}
}
# Apply the hook based policy.
hook Notice::policy(n);
# Apply the suppression time after applying the policy so that policy
# items can give custom suppression intervals. If there is no
@ -602,61 +525,15 @@ function apply_policy(n: Notice::Info)
delete n$iconn;
}
# Create the ordered notice policy automatically which will be used at runtime
# for prioritized matching of the notice policy.
event bro_init() &priority=10
{
# Create the policy log here because it's only written to in this handler.
Log::create_stream(Notice::POLICY_LOG, [$columns=PolicyItem]);
local tmp: table[count] of set[PolicyItem] = table();
for ( pi in policy )
{
if ( pi$priority < 0 || pi$priority > 10 )
Reporter::fatal("All Notice::PolicyItem priorities must be within 0 and 10");
if ( pi$priority !in tmp )
tmp[pi$priority] = set();
add tmp[pi$priority][pi];
}
local rev_count = vector(10,9,8,7,6,5,4,3,2,1,0);
for ( i in rev_count )
{
local j = rev_count[i];
if ( j in tmp )
{
for ( pi in tmp[j] )
{
pi$position = |ordered_policy|;
ordered_policy[|ordered_policy|] = pi;
Log::write(Notice::POLICY_LOG, pi);
}
}
}
}
function internal_NOTICE(n: Notice::Info)
{
# Suppress this notice if necessary.
if ( is_being_suppressed(n) )
return;
# Fill out fields that might be empty and do the policy processing.
apply_policy(n);
# Run the synchronous functions with the notice.
for ( func in sync_functions )
func(n);
# Generate the notice event with the notice.
event Notice::notice(n);
hook Notice::notice(n);
}
module GLOBAL;
## This is the entry point in the global namespace for notice framework.
function NOTICE(n: Notice::Info)
{
Notice::internal_NOTICE(n);
}
global NOTICE: function(n: Notice::Info);

14
scripts/base/frameworks/notice/non-cluster.bro Normal file
View file

@ -0,0 +1,14 @@
@load ./main
module GLOBAL;
## This is the entry point in the global namespace for notice framework.
function NOTICE(n: Notice::Info)
{
# Suppress this notice if necessary.
if ( Notice::is_being_suppressed(n) )
return;
Notice::internal_NOTICE(n);
}

6
scripts/base/frameworks/signatures/main.bro
View file

@ -161,7 +161,7 @@ event signature_match(state: signature_state, msg: string, data: string)
return;
# Trim the matched data down to something reasonable
if ( byte_len(data) > 140 )
if ( |data| > 140 )
data = fmt("%s...", sub_bytes(data, 0, 140));
local src_addr: addr;
@ -259,8 +259,8 @@ event signature_match(state: signature_state, msg: string, data: string)
add vert_table[orig, resp][sig_id];
local hcount = length(horiz_table[orig, sig_id]);
local vcount = length(vert_table[orig, resp]);
local hcount = |horiz_table[orig, sig_id]|;
local vcount = |vert_table[orig, resp]|;
if ( hcount in horiz_scan_thresholds && hcount != last_hthresh[orig] )
{

6
scripts/base/frameworks/tunnels/main.bro
View file

@ -88,10 +88,10 @@ redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
const teredo_ports = { 3544/udp };
redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };
const gtpv1u_ports = { 2152/udp };
redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1u_ports] };
const gtpv1_ports = { 2152/udp, 2123/udp };
redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1_ports] };
redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1u_ports };
redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports };
event bro_init() &priority=5
{

140
scripts/base/init-bare.bro
View file

@ -1488,6 +1488,146 @@ type gtpv1_hdr: record {
next_type: count &optional;
};
type gtp_cause: count;
type gtp_imsi: count;
type gtp_teardown_ind: bool;
type gtp_nsapi: count;
type gtp_recovery: count;
type gtp_teid1: count;
type gtp_teid_control_plane: count;
type gtp_charging_id: count;
type gtp_charging_gateway_addr: addr;
type gtp_trace_reference: count;
type gtp_trace_type: count;
type gtp_tft: string;
type gtp_trigger_id: string;
type gtp_omc_id: string;
type gtp_reordering_required: bool;
type gtp_proto_config_options: string;
type gtp_charging_characteristics: count;
type gtp_selection_mode: count;
type gtp_access_point_name: string;
type gtp_msisdn: string;
type gtp_gsn_addr: record {
## If the GSN Address information element has length 4 or 16, then this
## field is set to be the informational element's value interpreted as
## an IPv4 or IPv6 address, respectively.
ip: addr &optional;
## This field is set if it's not an IPv4 or IPv6 address.
other: string &optional;
};
type gtp_end_user_addr: record {
pdp_type_org: count;
pdp_type_num: count;
## Set if the End User Address information element is IPv4/IPv6.
pdp_ip: addr &optional;
## Set if the End User Address information element isn't IPv4/IPv6.
pdp_other_addr: string &optional;
};
type gtp_rai: record {
mcc: count;
mnc: count;
lac: count;
rac: count;
};
type gtp_qos_profile: record {
priority: count;
data: string;
};
type gtp_private_extension: record {
id: count;
value: string;
};
type gtp_create_pdp_ctx_request_elements: record {
imsi: gtp_imsi &optional;
rai: gtp_rai &optional;
recovery: gtp_recovery &optional;
select_mode: gtp_selection_mode &optional;
data1: gtp_teid1;
cp: gtp_teid_control_plane &optional;
nsapi: gtp_nsapi;
linked_nsapi: gtp_nsapi &optional;
charge_character: gtp_charging_characteristics &optional;
trace_ref: gtp_trace_reference &optional;
trace_type: gtp_trace_type &optional;
end_user_addr: gtp_end_user_addr &optional;
ap_name: gtp_access_point_name &optional;
opts: gtp_proto_config_options &optional;
signal_addr: gtp_gsn_addr;
user_addr: gtp_gsn_addr;
msisdn: gtp_msisdn &optional;
qos_prof: gtp_qos_profile;
tft: gtp_tft &optional;
trigger_id: gtp_trigger_id &optional;
omc_id: gtp_omc_id &optional;
ext: gtp_private_extension &optional;
};
type gtp_create_pdp_ctx_response_elements: record {
cause: gtp_cause;
reorder_req: gtp_reordering_required &optional;
recovery: gtp_recovery &optional;
data1: gtp_teid1 &optional;
cp: gtp_teid_control_plane &optional;
charging_id: gtp_charging_id &optional;
end_user_addr: gtp_end_user_addr &optional;
opts: gtp_proto_config_options &optional;
cp_addr: gtp_gsn_addr &optional;
user_addr: gtp_gsn_addr &optional;
qos_prof: gtp_qos_profile &optional;
charge_gateway: gtp_charging_gateway_addr &optional;
ext: gtp_private_extension &optional;
};
type gtp_update_pdp_ctx_request_elements: record {
imsi: gtp_imsi &optional;
rai: gtp_rai &optional;
recovery: gtp_recovery &optional;
data1: gtp_teid1;
cp: gtp_teid_control_plane &optional;
nsapi: gtp_nsapi;
trace_ref: gtp_trace_reference &optional;
trace_type: gtp_trace_type &optional;
cp_addr: gtp_gsn_addr;
user_addr: gtp_gsn_addr;
qos_prof: gtp_qos_profile;
tft: gtp_tft &optional;
trigger_id: gtp_trigger_id &optional;
omc_id: gtp_omc_id &optional;
ext: gtp_private_extension &optional;
end_user_addr: gtp_end_user_addr &optional;
};
type gtp_update_pdp_ctx_response_elements: record {
cause: gtp_cause;
recovery: gtp_recovery &optional;
data1: gtp_teid1 &optional;
cp: gtp_teid_control_plane &optional;
charging_id: gtp_charging_id &optional;
cp_addr: gtp_gsn_addr &optional;
user_addr: gtp_gsn_addr &optional;
qos_prof: gtp_qos_profile &optional;
charge_gateway: gtp_charging_gateway_addr &optional;
ext: gtp_private_extension &optional;
};
type gtp_delete_pdp_ctx_request_elements: record {
teardown_ind: gtp_teardown_ind &optional;
nsapi: gtp_nsapi;
ext: gtp_private_extension &optional;
};
type gtp_delete_pdp_ctx_response_elements: record {
cause: gtp_cause;
ext: gtp_private_extension &optional;
};
## Definition of "secondary filters". A secondary filter is a BPF filter given as
## index in this table. For each such filter, the corresponding event is raised for
## all matching packets.

2
scripts/base/utils/paths.bro
View file

@ -27,7 +27,7 @@ function compress_path(dir: string): string
const cdup_sep = /((\/)*([^\/]|\\\/)+)?((\/)+\.\.(\/)*)/;
local parts = split_n(dir, cdup_sep, T, 1);
if ( length(parts) > 1 )
if ( |parts| > 1 )
{
# reaching a point with two parent dir references back-to-back means
# we don't know about anything higher in the tree to pop off

2
scripts/base/utils/strings.bro
View file

@ -6,7 +6,7 @@
## characters.
function is_string_binary(s: string): bool
{
return byte_len(gsub(s, /[\x00-\x7f]/, "")) * 100 / |s| >= 25;
return |gsub(s, /[\x00-\x7f]/, "")| * 100 / |s| >= 25;
}
## Joins a set of string together, with elements delimited by a constant string.

2
scripts/policy/protocols/http/detect-MHR.bro
View file

@ -32,7 +32,7 @@ event log_http(rec: HTTP::Info)
{
# Data is returned as "<dateFirstDetected> <detectionRate>"
local MHR_answer = split1(MHR_result, / /);
if ( length(MHR_answer) == 2 && to_count(MHR_answer[2]) >= MHR_threshold )
if ( |MHR_answer| == 2 && to_count(MHR_answer[2]) >= MHR_threshold )
{
local url = HTTP::build_url_http(rec);
local message = fmt("%s %s %s", rec$id$orig_h, rec$md5, url);

2
src/BroString.cc
View file

@ -369,7 +369,7 @@ VectorVal* BroString:: VecToPolicy(Vec* vec)
BroString* string = (*vec)[i];
StringVal* val = new StringVal(string->Len(),
(const char*) string->Bytes());
result->Assign(i+1, val, 0);
result->Assign(i+1, val);
}
return result;

2
src/CompHash.cc
View file

@ -856,7 +856,7 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
if ( have_val )
kp1 = RecoverOneVal(k, kp1, k_end, vt->YieldType(), value,
false);
vv->Assign(index, value, 0);
vv->Assign(index, value);
}
pval = vv;

2
src/Debug.cc
View file

@ -763,7 +763,7 @@ int dbg_handle_debug_input()
Frame* curr_frame = g_frame_stack.back();
const BroFunc* func = curr_frame->GetFunction();
if ( func )
current_module = func->GetID()->ModuleName();
current_module = extract_module_name(func->Name());
else
current_module = GLOBAL_MODULE_NAME;

71
src/Expr.cc
View file

@ -485,7 +485,7 @@ Val* UnaryExpr::Eval(Frame* f) const
for ( unsigned int i = 0; i < v_op->Size(); ++i )
{
Val* v_i = v_op->Lookup(i);
result->Assign(i, v_i ? Fold(v_i) : 0, this);
result->Assign(i, v_i ? Fold(v_i) : 0);
}
Unref(v);
@ -625,10 +625,9 @@ Val* BinaryExpr::Eval(Frame* f) const
if ( v_op1->Lookup(i) && v_op2->Lookup(i) )
v_result->Assign(i,
Fold(v_op1->Lookup(i),
v_op2->Lookup(i)),
this);
v_op2->Lookup(i)));
else
v_result->Assign(i, 0, this);
v_result->Assign(i, 0);
// SetError("undefined element in vector operation");
}
@ -648,10 +647,9 @@ Val* BinaryExpr::Eval(Frame* f) const
if ( vv_i )
v_result->Assign(i,
is_vec1 ?
Fold(vv_i, v2) : Fold(v1, vv_i),
this);
Fold(vv_i, v2) : Fold(v1, vv_i));
else
v_result->Assign(i, 0, this);
v_result->Assign(i, 0);
// SetError("Undefined element in vector operation");
}
@ -1049,10 +1047,10 @@ Val* IncrExpr::Eval(Frame* f) const
if ( elt )
{
Val* new_elt = DoSingleEval(f, elt);
v_vec->Assign(i, new_elt, this, OP_INCR);
v_vec->Assign(i, new_elt, OP_INCR);
}
else
v_vec->Assign(i, 0, this, OP_INCR);
v_vec->Assign(i, 0, OP_INCR);
}
op->Assign(f, v_vec, OP_INCR);
}
@ -1919,7 +1917,7 @@ Val* BoolExpr::Eval(Frame* f) const
result = new VectorVal(Type()->AsVectorType());
result->Resize(vector_v->Size());
result->AssignRepeat(0, result->Size(),
scalar_v, this);
scalar_v);
}
else
result = vector_v->Ref()->AsVectorVal();
@ -1957,10 +1955,10 @@ Val* BoolExpr::Eval(Frame* f) const
(! op1->IsZero() && ! op2->IsZero()) :
(! op1->IsZero() || ! op2->IsZero());
result->Assign(i, new Val(local_result, TYPE_BOOL), this);
result->Assign(i, new Val(local_result, TYPE_BOOL));
}
else
result->Assign(i, 0, this);
result->Assign(i, 0);
}
Unref(v1);
@ -2334,10 +2332,9 @@ Val* CondExpr::Eval(Frame* f) const
if ( local_cond )
result->Assign(i,
local_cond->IsZero() ?
b->Lookup(i) : a->Lookup(i),
this);
b->Lookup(i) : a->Lookup(i));
else
result->Assign(i, 0, this);
result->Assign(i, 0);
}
return result;
@ -2507,15 +2504,27 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
attr_copy->append((*attrs)[i]);
}
op2 = new TableConstructorExpr(op2->AsListExpr(), attr_copy);
if ( op1->Type()->IsSet() )
op2 = new SetConstructorExpr(op2->AsListExpr(), attr_copy);
else
op2 = new TableConstructorExpr(op2->AsListExpr(), attr_copy);
return true;
}
if ( bt1 == TYPE_VECTOR && bt2 == bt1 &&
op2->Type()->AsVectorType()->IsUnspecifiedVector() )
if ( bt1 == TYPE_VECTOR )
{
op2 = new VectorCoerceExpr(op2, op1->Type()->AsVectorType());
return true;
if ( bt2 == bt1 && op2->Type()->AsVectorType()->IsUnspecifiedVector() )
{
op2 = new VectorCoerceExpr(op2, op1->Type()->AsVectorType());
return true;
}
if ( op2->Tag() == EXPR_LIST )
{
op2 = new VectorConstructorExpr(op2->AsListExpr());
return true;
}
}
if ( op1->Type()->Tag() == TYPE_RECORD &&
@ -2961,7 +2970,7 @@ Val* IndexExpr::Eval(Frame* f) const
for ( unsigned int i = 0; i < v_v2->Size(); ++i )
{
if ( v_v2->Lookup(i)->AsBool() )
v_result->Assign(v_result->Size() + 1, v_v1->Lookup(i), this);
v_result->Assign(v_result->Size() + 1, v_v1->Lookup(i));
}
}
else
@ -2971,7 +2980,7 @@ Val* IndexExpr::Eval(Frame* f) const
// Probably only do this if *all* are negative.
v_result->Resize(v_v2->Size());
for ( unsigned int i = 0; i < v_v2->Size(); ++i )
v_result->Assign(i, v_v1->Lookup(v_v2->Lookup(i)->CoerceToInt()), this);
v_result->Assign(i, v_v1->Lookup(v_v2->Lookup(i)->CoerceToInt()));
}
}
else
@ -3048,7 +3057,7 @@ void IndexExpr::Assign(Frame* f, Val* v, Opcode op)
switch ( v1->Type()->Tag() ) {
case TYPE_VECTOR:
if ( ! v1->AsVectorVal()->Assign(v2, v, this, op) )
if ( ! v1->AsVectorVal()->Assign(v2, v, op) )
Internal("assignment failed");
break;
@ -3620,7 +3629,7 @@ Val* VectorConstructorExpr::Eval(Frame* f) const
{
Expr* e = exprs[i];
Val* v = e->Eval(f);
if ( ! vec->Assign(i, v, e) )
if ( ! vec->Assign(i, v) )
{
Error(fmt("type mismatch at index %d", i), e);
return 0;
@ -3644,7 +3653,7 @@ Val* VectorConstructorExpr::InitVal(const BroType* t, Val* aggr) const
Expr* e = exprs[i];
Val* v = check_and_promote(e->Eval(0), t->YieldType(), 1);
if ( ! v || ! vec->Assign(i, v, e) )
if ( ! v || ! vec->Assign(i, v) )
{
Error(fmt("initialization type mismatch at index %d", i), e);
return 0;
@ -3865,9 +3874,9 @@ Val* ArithCoerceExpr::Fold(Val* v) const
{
Val* elt = vv->Lookup(i);
if ( elt )
result->Assign(i, FoldSingleVal(elt, t), this);
result->Assign(i, FoldSingleVal(elt, t));
else
result->Assign(i, 0, this);
result->Assign(i, 0);
}
return result;
@ -4639,12 +4648,16 @@ Val* CallExpr::Eval(Frame* f) const
{
const ::Func* func = func_val->AsFunc();
calling_expr = this;
const CallExpr* current_call = f ? f->GetCall() : 0;
if ( f )
f->SetCall(this);
ret = func->Call(v, f); // No try/catch here; we pass exceptions upstream.
if ( f )
f->ClearCall();
f->SetCall(current_call);
// Don't Unref() the arguments, as Func::Call already did that.
delete v;
@ -5042,7 +5055,7 @@ Val* ListExpr::InitVal(const BroType* t, Val* aggr) const
Expr* e = exprs[i];
check_and_promote_expr(e, vec->Type()->AsVectorType()->YieldType());
Val* v = e->Eval(0);
if ( ! vec->Assign(i, v, e) )
if ( ! vec->Assign(i, v) )
{
e->Error(fmt("type mismatch at index %d", i));
return 0;

27
src/FileAnalyzer.cc
View file

@ -2,6 +2,7 @@
#include "FileAnalyzer.h"
#include "Reporter.h"
#include "util.h"
magic_t File_Analyzer::magic = 0;
magic_t File_Analyzer::magic_mime = 0;
@ -11,11 +12,8 @@ File_Analyzer::File_Analyzer(Connection* conn)
{
buffer_len = 0;
if ( ! magic )
{
InitMagic(&magic, MAGIC_NONE);
InitMagic(&magic_mime, MAGIC_MIME);
}
bro_init_magic(&magic, MAGIC_NONE);
bro_init_magic(&magic_mime, MAGIC_MIME);
}
void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
@ -49,10 +47,10 @@ void File_Analyzer::Identify()
const char* mime = 0;
if ( magic )
descr = magic_buffer(magic, buffer, buffer_len);
descr = bro_magic_buffer(magic, buffer, buffer_len);
if ( magic_mime )
mime = magic_buffer(magic_mime, buffer, buffer_len);
mime = bro_magic_buffer(magic_mime, buffer, buffer_len);
val_list* vl = new val_list;
vl->append(BuildConnVal());
@ -61,18 +59,3 @@ void File_Analyzer::Identify()
vl->append(new StringVal(mime ? mime : "<unknown>"));
ConnectionEvent(file_transferred, vl);
}
void File_Analyzer::InitMagic(magic_t* magic, int flags)
{
*magic = magic_open(flags);
if ( ! *magic )
reporter->Error("can't init libmagic: %s", magic_error(*magic));
else if ( magic_load(*magic, 0) < 0 )
{
reporter->Error("can't load magic file: %s", magic_error(*magic));
magic_close(*magic);
*magic = 0;
}
}

2
src/FileAnalyzer.h
View file

@ -29,8 +29,6 @@ protected:
char buffer[BUFFER_SIZE];
int buffer_len;
static void InitMagic(magic_t* magic, int flags);
static magic_t magic;
static magic_t magic_mime;
};

3
src/Frame.cc
View file

@ -87,8 +87,11 @@ Frame* Frame::Clone()
void Frame::SetTrigger(Trigger* arg_trigger)
{
ClearTrigger();
if ( arg_trigger )
Ref(arg_trigger);
trigger = arg_trigger;
}

84
src/Func.cc
View file

@ -54,13 +54,13 @@ bool did_builtin_init = false;
vector<Func*> Func::unique_ids;
Func::Func() : scope(0), id(0), return_value(0)
Func::Func() : scope(0), type(0)
{
unique_id = unique_ids.size();
unique_ids.push_back(this);
}
Func::Func(Kind arg_kind) : scope(0), kind(arg_kind), id(0), return_value(0)
Func::Func(Kind arg_kind) : scope(0), kind(arg_kind), type(0)
{
unique_id = unique_ids.size();
unique_ids.push_back(this);
@ -68,6 +68,7 @@ Func::Func(Kind arg_kind) : scope(0), kind(arg_kind), id(0), return_value(0)
Func::~Func()
{
Unref(type);
}
void Func::AddBody(Stmt* /* new_body */, id_list* /* new_inits */,
@ -129,6 +130,12 @@ bool Func::DoSerialize(SerialInfo* info) const
if ( ! SERIALIZE(char(kind) ) )
return false;
if ( ! type->Serialize(info) )
return false;
if ( ! SERIALIZE(Name()) )
return false;
// We don't serialize scope as only global functions are considered here
// anyway.
return true;
@ -160,12 +167,25 @@ bool Func::DoUnserialize(UnserialInfo* info)
return false;
kind = (Kind) c;
type = BroType::Unserialize(info);
if ( ! type )
return false;
const char* n;
if ( ! UNSERIALIZE_STR(&n, 0) )
return false;
name = n;
delete [] n;
return true;
}
void Func::DescribeDebug(ODesc* d, const val_list* args) const
{
id->Describe(d);
d->Add(Name());
RecordType* func_args = FType()->Args();
if ( args )
@ -196,21 +216,6 @@ void Func::DescribeDebug(ODesc* d, const val_list* args) const
}
}
void Func::SetID(ID *arg_id)
{
id = arg_id;
return_value =
new ID(string(string(id->Name()) + "_returnvalue").c_str(),
SCOPE_FUNCTION, false);
return_value->SetType(FType()->YieldType()->Ref());
}
ID* Func::GetReturnValueID() const
{
return return_value;
}
TraversalCode Func::Traverse(TraversalCallback* cb) const
{
// FIXME: Make a fake scope for builtins?
@ -226,12 +231,6 @@ TraversalCode Func::Traverse(TraversalCallback* cb) const
tc = scope->Traverse(cb);
HANDLE_TC_STMT_PRE(tc);
if ( GetReturnValueID() )
{
tc = GetReturnValueID()->Traverse(cb);
HANDLE_TC_STMT_PRE(tc);
}
for ( unsigned int i = 0; i < bodies.size(); ++i )
{
tc = bodies[i].stmts->Traverse(cb);
@ -249,7 +248,8 @@ BroFunc::BroFunc(ID* arg_id, Stmt* arg_body, id_list* aggr_inits,
int arg_frame_size, int priority)
: Func(BRO_FUNC)
{
id = arg_id;
name = arg_id->Name();
type = arg_id->Type()->Ref();
frame_size = arg_frame_size;
if ( arg_body )
@ -263,7 +263,6 @@ BroFunc::BroFunc(ID* arg_id, Stmt* arg_body, id_list* aggr_inits,
BroFunc::~BroFunc()
{
Unref(id);
for ( unsigned int i = 0; i < bodies.size(); ++i )
Unref(bodies[i].stmts);
}
@ -378,7 +377,8 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
(flow != FLOW_RETURN /* we fell off the end */ ||
! result /* explicit return with no result */) &&
! f->HasDelayed() )
reporter->Warning("non-void function returns without a value: %s", id->Name());
reporter->Warning("non-void function returns without a value: %s",
Name());
if ( result && g_trace_state.DoTrace() )
{
@ -421,8 +421,7 @@ void BroFunc::AddBody(Stmt* new_body, id_list* new_inits, int new_frame_size,
void BroFunc::Describe(ODesc* d) const
{
if ( id )
id->Describe(d);
d->Add(Name());
d->NL();
d->AddCount(frame_size);
@ -450,14 +449,14 @@ IMPLEMENT_SERIAL(BroFunc, SER_BRO_FUNC);
bool BroFunc::DoSerialize(SerialInfo* info) const
{
DO_SERIALIZE(SER_BRO_FUNC, Func);
return id->Serialize(info) && SERIALIZE(frame_size);
return SERIALIZE(frame_size);
}
bool BroFunc::DoUnserialize(UnserialInfo* info)
{
DO_UNSERIALIZE(Func);
id = ID::Unserialize(info);
return id && UNSERIALIZE(&frame_size);
return UNSERIALIZE(&frame_size);
}
BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
@ -465,15 +464,16 @@ BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
: Func(BUILTIN_FUNC)
{
func = arg_func;
name = copy_string(make_full_var_name(GLOBAL_MODULE_NAME, arg_name).c_str());
name = make_full_var_name(GLOBAL_MODULE_NAME, arg_name);
is_pure = arg_is_pure;
id = lookup_ID(name, GLOBAL_MODULE_NAME, false);
ID* id = lookup_ID(Name(), GLOBAL_MODULE_NAME, false);
if ( ! id )
reporter->InternalError("built-in function %s missing", name);
reporter->InternalError("built-in function %s missing", Name());
if ( id->HasVal() )
reporter->InternalError("built-in function %s multiply defined", name);
reporter->InternalError("built-in function %s multiply defined", Name());
type = id->Type()->Ref();
id->SetVal(new Val(this));
}
@ -491,7 +491,7 @@ Val* BuiltinFunc::Call(val_list* args, Frame* parent) const
#ifdef PROFILE_BRO_FUNCTIONS
DEBUG_MSG("Function: %s\n", Name());
#endif
SegmentProfiler(segment_logger, name);
SegmentProfiler(segment_logger, Name());
if ( sample_logger )
sample_logger->FunctionSeen(this);
@ -522,8 +522,7 @@ Val* BuiltinFunc::Call(val_list* args, Frame* parent) const
void BuiltinFunc::Describe(ODesc* d) const
{
if ( id )
id->Describe(d);
d->Add(Name());
d->AddCount(is_pure);
}
@ -532,16 +531,13 @@ IMPLEMENT_SERIAL(BuiltinFunc, SER_BUILTIN_FUNC);
bool BuiltinFunc::DoSerialize(SerialInfo* info) const
{
DO_SERIALIZE(SER_BUILTIN_FUNC, Func);
// We ignore the ID. Func::Serialize() will rebind us anyway.
return SERIALIZE(name);
return true;
}
bool BuiltinFunc::DoUnserialize(UnserialInfo* info)
{
DO_UNSERIALIZE(Func);
id = 0;
return UNSERIALIZE_STR(&name, 0);
return true;
}
void builtin_error(const char* msg, BroObj* arg)

17
src/Func.h
View file

@ -47,15 +47,11 @@ public:
virtual void SetScope(Scope* newscope) { scope = newscope; }
virtual Scope* GetScope() const { return scope; }
virtual FuncType* FType() const
{
return (FuncType*) id->Type()->AsFuncType();
}
virtual FuncType* FType() const { return type->AsFuncType(); }
Kind GetKind() const { return kind; }
const ID* GetID() const { return id; }
void SetID(ID *arg_id);
const char* Name() const { return name.c_str(); }
virtual void Describe(ODesc* d) const = 0;
virtual void DescribeDebug(ODesc* d, const val_list* args) const;
@ -64,7 +60,6 @@ public:
bool Serialize(SerialInfo* info) const;
static Func* Unserialize(UnserialInfo* info);
ID* GetReturnValueID() const;
virtual TraversalCode Traverse(TraversalCallback* cb) const;
uint32 GetUniqueFuncID() const { return unique_id; }
@ -79,8 +74,8 @@ protected:
vector<Body> bodies;
Scope* scope;
Kind kind;
ID* id;
ID* return_value;
BroType* type;
string name;
uint32 unique_id;
static vector<Func*> unique_ids;
};
@ -119,18 +114,16 @@ public:
int IsPure() const;
Val* Call(val_list* args, Frame* parent) const;
const char* Name() const { return name; }
built_in_func TheFunc() const { return func; }
void Describe(ODesc* d) const;
protected:
BuiltinFunc() { func = 0; name = 0; is_pure = 0; }
BuiltinFunc() { func = 0; is_pure = 0; }
DECLARE_SERIAL(BuiltinFunc);
built_in_func func;
const char* name;
int is_pure;
};

2
src/ICMP.cc
View file

@ -829,7 +829,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
data += length;
caplen -= length;
vv->Assign(vv->Size(), rv, 0);
vv->Assign(vv->Size(), rv);
}
return vv;

4
src/IP.cc
View file

@ -63,7 +63,7 @@ static VectorVal* BuildOptionsVal(const u_char* data, int len)
len -= opt->ip6o_len + off;
}
vv->Assign(vv->Size(), rv, 0);
vv->Assign(vv->Size(), rv);
}
return vv;
@ -626,7 +626,7 @@ VectorVal* IPv6_Hdr_Chain::BuildVal() const
reporter->InternalError("IPv6_Hdr_Chain bad header %d", type);
break;
}
rval->Assign(rval->Size(), ext_hdr, 0);
rval->Assign(rval->Size(), ext_hdr);
}
return rval;

2
src/NFS.cc
View file

@ -599,7 +599,7 @@ RecordVal* NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf,
entry->Assign(4, nfs3_post_op_fh(buf,n));
}
entries->Assign(pos, entry, 0);
entries->Assign(pos, entry);
pos++;
}

2
src/NetVar.cc
View file

@ -5,7 +5,6 @@
#include "Var.h"
#include "NetVar.h"
RecordType* gtpv1_hdr_type;
RecordType* conn_id;
RecordType* endpoint;
RecordType* endpoint_stats;
@ -309,7 +308,6 @@ void init_net_var()
#include "input.bif.netvar_init"
#include "reporter.bif.netvar_init"
gtpv1_hdr_type = internal_type("gtpv1_hdr")->AsRecordType();
conn_id = internal_type("conn_id")->AsRecordType();
endpoint = internal_type("endpoint")->AsRecordType();
endpoint_stats = internal_type("endpoint_stats")->AsRecordType();

1
src/NetVar.h
View file

@ -8,7 +8,6 @@
#include "EventRegistry.h"
#include "Stats.h"
extern RecordType* gtpv1_hdr_type;
extern RecordType* conn_id;
extern RecordType* endpoint;
extern RecordType* endpoint_stats;

2
src/RE.cc
View file

@ -496,7 +496,7 @@ static RE_Matcher* matcher_merge(const RE_Matcher* re1, const RE_Matcher* re2,
safe_snprintf(merge_text, n, "(%s)%s(%s)", text1, merge_op, text2);
RE_Matcher* merge = new RE_Matcher(merge_text);
delete merge_text;
delete [] merge_text;
merge->Compile();

2
src/SerialObj.cc
View file

@ -155,7 +155,7 @@ SerialObj* SerialObj::Unserialize(UnserialInfo* info, SerialType type)
else
{
// Broccoli compatibility mode with 32bit pids.
uint32 tmp;
uint32 tmp = 0;
result = UNSERIALIZE(&full_obj) && UNSERIALIZE(&tmp);
pid = tmp;
}

4
src/SmithWaterman.cc
View file

@ -96,12 +96,12 @@ VectorVal* BroSubstring::VecToPolicy(Vec* vec)
align_val->Assign(0, new StringVal(new BroString(*align.string)));
align_val->Assign(1, new Val(align.index, TYPE_COUNT));
aligns->Assign(j+1, align_val, 0);
aligns->Assign(j+1, align_val);
}
st_val->Assign(1, aligns);
st_val->Assign(2, new Val(bst->IsNewAlignment(), TYPE_BOOL));
result->Assign(i+1, st_val, 0);
result->Assign(i+1, st_val);
}
}

17
src/StateAccess.cc
View file

@ -371,7 +371,7 @@ void StateAccess::Replay()
CheckOld("index assign", target.id, op1.val, op3,
v->AsVectorVal()->Lookup(index));
v->AsVectorVal()->Assign(index, op2 ? op2->Ref() : 0, 0);
v->AsVectorVal()->Assign(index, op2 ? op2->Ref() : 0);
}
else
@ -421,7 +421,7 @@ void StateAccess::Replay()
Val* lookup_op1 = v->AsVectorVal()->Lookup(index);
int delta = lookup_op1->CoerceToInt() + amount;
Val* new_val = new Val(delta, t);
v->AsVectorVal()->Assign(index, new_val, 0);
v->AsVectorVal()->Assign(index, new_val);
}
else
@ -926,17 +926,22 @@ void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
DBG_LOG(DBG_NOTIFIERS, "registering ID %s for notifier %s",
id->Name(), notifier->Name());
Attr* attr = new Attr(ATTR_TRACKED);
if ( id->Attrs() )
id->Attrs()->AddAttr(new Attr(ATTR_TRACKED));
{
if ( ! id->Attrs()->FindAttr(ATTR_TRACKED) )
id->Attrs()->AddAttr(attr);
}
else
{
attr_list* a = new attr_list;
Attr* attr = new Attr(ATTR_TRACKED);
a->append(attr);
id->SetAttrs(new Attributes(a, id->Type(), false));
Unref(attr);
}
Unref(attr);
NotifierMap::iterator i = ids.find(id->Name());
if ( i != ids.end() )
@ -967,7 +972,9 @@ void NotifierRegistry::Unregister(ID* id, NotifierRegistry::Notifier* notifier)
if ( i == ids.end() )
return;
Attr* attr = id->Attrs()->FindAttr(ATTR_TRACKED);
id->Attrs()->RemoveAttr(ATTR_TRACKED);
Unref(attr);
NotifierSet* s = i->second;
s->erase(notifier);

2
src/Stats.cc
View file

@ -338,7 +338,7 @@ SampleLogger::~SampleLogger()
void SampleLogger::FunctionSeen(const Func* func)
{
load_samples->Assign(new StringVal(func->GetID()->Name()), 0);
load_samples->Assign(new StringVal(func->Name()), 0);
}
void SampleLogger::LocationSeen(const Location* loc)

8
src/Trigger.cc
View file

@ -242,6 +242,7 @@ bool Trigger::Eval()
trigger->Cache(frame->GetCall(), v);
trigger->Release();
frame->ClearTrigger();
}
Unref(v);
@ -330,6 +331,7 @@ void Trigger::Timeout()
#endif
trigger->Cache(frame->GetCall(), v);
trigger->Release();
frame->ClearTrigger();
}
Unref(v);
@ -424,6 +426,12 @@ Val* Trigger::Lookup(const CallExpr* expr)
return (i != cache.end()) ? i->second : 0;
}
void Trigger::Disable()
{
UnregisterAll();
disabled = true;
}
const char* Trigger::Name() const
{
assert(location);

3
src/Trigger.h
View file

@ -49,7 +49,7 @@ public:
// Disable this trigger completely. Needed because Unref'ing the trigger
// may not immediately delete it as other references may still exist.
void Disable() { disabled = true; }
void Disable();
virtual void Describe(ODesc* d) const { d->Add("<trigger>"); }
@ -79,7 +79,6 @@ private:
friend class TriggerTimer;
void Init();
void DeleteTrigger();
void Register(ID* id);
void Register(Val* val);
void UnregisterAll();

2
src/TunnelEncapsulation.h
View file

@ -186,7 +186,7 @@ public:
if ( conns )
{
for ( size_t i = 0; i < conns->size(); ++i )
vv->Assign(i, (*conns)[i].GetRecordVal(), 0);
vv->Assign(i, (*conns)[i].GetRecordVal());
}
return vv;

8
src/Type.cc
View file

@ -696,7 +696,9 @@ string FuncType::FlavorString() const
FuncType::~FuncType()
{
Unref(args);
Unref(arg_types);
Unref(yield);
}
BroType* FuncType::YieldType()
@ -710,7 +712,7 @@ int FuncType::MatchesIndex(ListExpr*& index) const
MATCHES_INDEX_SCALAR : DOES_NOT_MATCH_INDEX;
}
int FuncType::CheckArgs(const type_list* args) const
int FuncType::CheckArgs(const type_list* args, bool is_init) const
{
const type_list* my_args = arg_types->Types();
@ -718,7 +720,7 @@ int FuncType::CheckArgs(const type_list* args) const
return 0;
for ( int i = 0; i < my_args->length(); ++i )
if ( ! same_type((*args)[i], (*my_args)[i]) )
if ( ! same_type((*args)[i], (*my_args)[i], is_init) )
return 0;
return 1;
@ -1720,7 +1722,7 @@ int same_type(const BroType* t1, const BroType* t2, int is_init)
return 0;
}
return same_type(ft1->Args(), ft2->Args(), is_init);
return ft1->CheckArgs(ft2->ArgTypes()->Types(), is_init);
}
case TYPE_RECORD:

6
src/Type.h
View file

@ -370,11 +370,9 @@ public:
{ Unref(yield); yield = 0; flavor = arg_flav; }
int MatchesIndex(ListExpr*& index) const;
int CheckArgs(const type_list* args) const;
int CheckArgs(const type_list* args, bool is_init = false) const;
TypeList* ArgTypes() { return arg_types; }
ID* GetReturnValueID() const;
TypeList* ArgTypes() const { return arg_types; }
void Describe(ODesc* d) const;
void DescribeReST(ODesc* d) const;

9
src/Val.cc
View file

@ -2921,8 +2921,7 @@ VectorVal::~VectorVal()
delete val.vector_val;
}
bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
Opcode op)
bool VectorVal::Assign(unsigned int index, Val* element, Opcode op)
{
if ( element &&
! same_type(element->Type(), vector_type->YieldType(), 0) )
@ -2983,12 +2982,12 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
}
bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many,
Val* element, const Expr* assigner)
Val* element)
{
ResizeAtLeast(index + how_many);
for ( unsigned int i = index; i < index + how_many; ++i )
if ( ! Assign(i, element, assigner) )
if ( ! Assign(i, element ) )
return false;
return true;
@ -3089,7 +3088,7 @@ bool VectorVal::DoUnserialize(UnserialInfo* info)
{
Val* v;
UNSERIALIZE_OPTIONAL(v, Val::Unserialize(info, TYPE_ANY));
Assign(i, v, 0);
Assign(i, v);
}
return true;

10
src/Val.h
View file

@ -968,18 +968,16 @@ public:
// Note: does NOT Ref() the element! Remember to do so unless
// the element was just created and thus has refcount 1.
//
bool Assign(unsigned int index, Val* element, const Expr* assigner,
Opcode op = OP_ASSIGN);
bool Assign(Val* index, Val* element, const Expr* assigner,
Opcode op = OP_ASSIGN)
bool Assign(unsigned int index, Val* element, Opcode op = OP_ASSIGN);
bool Assign(Val* index, Val* element, Opcode op = OP_ASSIGN)
{
return Assign(index->AsListVal()->Index(0)->CoerceToUnsigned(),
element, assigner, op);
element, op);
}
// Assigns the value to how_many locations starting at index.
bool AssignRepeat(unsigned int index, unsigned int how_many,
Val* element, const Expr* assigner);
Val* element);
// Returns nil if no element was at that value.
// Lookup does NOT grow the vector to this size.

63
src/bro.bif
View file

@ -16,6 +16,7 @@
#include "digest.h"
#include "Reporter.h"
#include "IPAddr.h"
#include "util.h"
using namespace std;
@ -844,38 +845,21 @@ extern "C" {
## return_mime: If true, the function returns a short MIME type string (e.g.,
## ``text/plain`` instead of a more elaborate textual description).
##
## Returns: The MIME type of *data*.
## Returns: The MIME type of *data*, or "<unknown>" if there was an error.
function identify_data%(data: string, return_mime: bool%): string
%{
const char* descr = "";
static magic_t magic_mime = 0;
static magic_t magic_descr = 0;
magic_t* magic = return_mime ? &magic_mime : &magic_descr;
bro_init_magic(magic, return_mime ? MAGIC_MIME : MAGIC_NONE);
if( ! *magic )
{
*magic = magic_open(return_mime ? MAGIC_MIME : MAGIC_NONE);
return new StringVal("<unknown>");
if ( ! *magic )
{
reporter->Error("can't init libmagic: %s", magic_error(*magic));
return new StringVal("");
}
const char* desc = bro_magic_buffer(*magic, data->Bytes(), data->Len());
if ( magic_load(*magic, 0) < 0 )
{
reporter->Error("can't load magic file: %s", magic_error(*magic));
magic_close(*magic);
*magic = 0;
return new StringVal("");
}
}
descr = magic_buffer(*magic, data->Bytes(), data->Len());
return new StringVal(descr);
return new StringVal(desc ? desc : "<unknown>");
%}
## Performs an entropy test on the given data.
@ -1033,29 +1017,6 @@ function clear_table%(v: any%): any
return 0;
%}
## Returns the number of elements in a container. This function works with all
## container types, i.e., sets, tables, and vectors.
##
## v: The container whose elements are counted.
##
## Returns: The number of elements in *v*.
function length%(v: any%): count
%{
TableVal* tv = v->Type()->Tag() == TYPE_TABLE ? v->AsTableVal() : 0;
if ( tv )
return new Val(tv->Size(), TYPE_COUNT);
else if ( v->Type()->Tag() == TYPE_VECTOR )
return new Val(v->AsVectorVal()->Size(), TYPE_COUNT);
else
{
builtin_error("length() requires a table/set/vector argument");
return new Val(0, TYPE_COUNT);
}
%}
## Checks whether two objects reference the same internal object. This function
## uses equality comparison of C++ raw pointer values to determine if the two
## objects are the same.
@ -1349,7 +1310,7 @@ function order%(v: any, ...%) : index_vec
for ( i = 0; i < n; ++i )
{
int ind = ind_vv[i];
result_v->Assign(i, new Val(ind, TYPE_COUNT), 0);
result_v->Assign(i, new Val(ind, TYPE_COUNT));
}
return result_v;
@ -1633,7 +1594,7 @@ function record_type_to_vector%(rt: string%): string_vec
for ( int i = 0; i < type->NumFields(); ++i )
{
StringVal* val = new StringVal(type->FieldName(i));
result->Assign(i+1, val, 0);
result->Assign(i+1, val);
}
}
@ -2139,7 +2100,7 @@ function routing0_data_to_addrs%(s: string%): addr_vec
while ( len > 0 )
{
IPAddr a(IPv6, (const uint32*) bytes, IPAddr::Network);
rval->Assign(rval->Size(), new AddrVal(a), 0);
rval->Assign(rval->Size(), new AddrVal(a));
bytes += 16;
len -= 16;
}
@ -2162,7 +2123,7 @@ function addr_to_counts%(a: addr%): index_vec
int len = a->AsAddr().GetBytes(&bytes);
for ( int i = 0; i < len; ++i )
rval->Assign(i, new Val(ntohl(bytes[i]), TYPE_COUNT), 0);
rval->Assign(i, new Val(ntohl(bytes[i]), TYPE_COUNT));
return rval;
%}
@ -3574,7 +3535,7 @@ function lookup_addr%(host: addr%) : string
## Issues an asynchronous TEXT DNS lookup and delays the function result.
## This function can therefore only be called inside a ``when`` condition,
## e.g., ``when ( local h = lookup_hostname_txt("www.bro-ids.org") ) { f(h); }``.
## e.g., ``when ( local h = lookup_hostname_txt("www.bro.org") ) { f(h); }``.
##
## host: The hostname to lookup.
##
@ -3603,7 +3564,7 @@ function lookup_hostname_txt%(host: string%) : string
## Issues an asynchronous DNS lookup and delays the function result.
## This function can therefore only be called inside a ``when`` condition,
## e.g., ``when ( local h = lookup_hostname("www.bro-ids.org") ) { f(h); }``.
## e.g., ``when ( local h = lookup_hostname("www.bro.org") ) { f(h); }``.
##
## host: The hostname to lookup.
##

1
src/bro_inet_ntop.h
View file

@ -5,6 +5,7 @@
extern "C" {
#endif
#include <sys/types.h>
#include <sys/socket.h>
const char *

61
src/event.bif
View file

@ -577,6 +577,13 @@ event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
## it may become particularly expensive for real-time analysis.
event teredo_bubble%(outer: connection, inner: teredo_hdr%);
## Generated for any GTP message with a GTPv1 header.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
event gtpv1_message%(c: connection, hdr: gtpv1_hdr%);
## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload
## that includes a GTP header followed by an IPv4 or IPv6 packet.
##
@ -590,6 +597,60 @@ event teredo_bubble%(outer: connection, inner: teredo_hdr%);
## it may become particularly expensive for real-time analysis.
event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
## Generated for GTPv1-C Create PDP Context Request messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%);
## Generated for GTPv1-C Create PDP Context Response messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%);
## Generated for GTPv1-C Update PDP Context Request messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%);
## Generated for GTPv1-C Update PDP Context Response messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%);
## Generated for GTPv1-C Delete PDP Context Request messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%);
## Generated for GTPv1-C Delete PDP Context Response messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%);
## Generated for every packet that has a non-empty transport-layer payload.
## This is a very low-level and expensive event that should be avoided when
## at all possible. It's usually infeasible to handle when processing even

699
src/gtpv1-analyzer.pac
View file

@ -1,4 +1,607 @@
%code{
RecordVal* BuildGTPv1Hdr(const GTPv1_Header* pdu)
{
RecordVal* rv = new RecordVal(BifType::Record::gtpv1_hdr);
rv->Assign(0, new Val(pdu->version(), TYPE_COUNT));
rv->Assign(1, new Val(pdu->pt_flag(), TYPE_BOOL));
rv->Assign(2, new Val(pdu->rsv(), TYPE_BOOL));
rv->Assign(3, new Val(pdu->e_flag(), TYPE_BOOL));
rv->Assign(4, new Val(pdu->s_flag(), TYPE_BOOL));
rv->Assign(5, new Val(pdu->pn_flag(), TYPE_BOOL));
rv->Assign(6, new Val(pdu->msg_type(), TYPE_COUNT));
rv->Assign(7, new Val(pdu->length(), TYPE_COUNT));
rv->Assign(8, new Val(pdu->teid(), TYPE_COUNT));
if ( pdu->has_opt() )
{
rv->Assign(9, new Val(pdu->opt_hdr()->seq(), TYPE_COUNT));
rv->Assign(10, new Val(pdu->opt_hdr()->n_pdu(), TYPE_COUNT));
rv->Assign(11, new Val(pdu->opt_hdr()->next_type(), TYPE_COUNT));
}
return rv;
}
Val* BuildIMSI(const InformationElement* ie)
{
return new Val(ie->imsi()->value(), TYPE_COUNT);
}
Val* BuildRAI(const InformationElement* ie)
{
RecordVal* ev = new RecordVal(BifType::Record::gtp_rai);
ev->Assign(0, new Val(ie->rai()->mcc(), TYPE_COUNT));
ev->Assign(1, new Val(ie->rai()->mnc(), TYPE_COUNT));
ev->Assign(2, new Val(ie->rai()->lac(), TYPE_COUNT));
ev->Assign(3, new Val(ie->rai()->rac(), TYPE_COUNT));
return ev;
}
Val* BuildRecovery(const InformationElement* ie)
{
return new Val(ie->recovery()->restart_counter(), TYPE_COUNT);
}
Val* BuildSelectionMode(const InformationElement* ie)
{
return new Val(ie->selection_mode()->mode(), TYPE_COUNT);
}
Val* BuildTEID1(const InformationElement* ie)
{
return new Val(ie->teid1()->value(), TYPE_COUNT);
}
Val* BuildTEID_ControlPlane(const InformationElement* ie)
{
return new Val(ie->teidcp()->value(), TYPE_COUNT);
}
Val* BuildNSAPI(const InformationElement* ie)
{
return new Val(ie->nsapi()->nsapi(), TYPE_COUNT);
}
Val* BuildChargingCharacteristics(const InformationElement* ie)
{
return new Val(ie->charging_characteristics()->value(), TYPE_COUNT);
}
Val* BuildTraceReference(const InformationElement* ie)
{
return new Val(ie->trace_reference()->value(), TYPE_COUNT);
}
Val* BuildTraceType(const InformationElement* ie)
{
return new Val(ie->trace_type()->value(), TYPE_COUNT);
}
Val* BuildEndUserAddr(const InformationElement* ie)
{
RecordVal* ev = new RecordVal(BifType::Record::gtp_end_user_addr);
ev->Assign(0, new Val(ie->end_user_addr()->pdp_type_org(), TYPE_COUNT));
ev->Assign(1, new Val(ie->end_user_addr()->pdp_type_num(), TYPE_COUNT));
int len = ie->end_user_addr()->pdp_addr().length();
if ( len > 0 )
{
const uint8* d = ie->end_user_addr()->pdp_addr().data();
switch ( ie->end_user_addr()->pdp_type_num() ) {
case 0x21:
ev->Assign(2, new AddrVal(
IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
break;
case 0x57:
ev->Assign(2, new AddrVal(
IPAddr(IPv6, (const uint32*) d, IPAddr::Network)));
break;
default:
ev->Assign(3, new StringVal(
new BroString((const u_char*) d, len, 0)));
break;
}
}
return ev;
}
Val* BuildAccessPointName(const InformationElement* ie)
{
BroString* bs = new BroString((const u_char*) ie->ap_name()->value().data(),
ie->ap_name()->value().length(), 0);
return new StringVal(bs);
}
Val* BuildProtoConfigOptions(const InformationElement* ie)
{
const u_char* d = (const u_char*) ie->proto_config_opts()->value().data();
int len = ie->proto_config_opts()->value().length();
return new StringVal(new BroString(d, len, 0));
}
Val* BuildGSN_Addr(const InformationElement* ie)
{
RecordVal* ev = new RecordVal(BifType::Record::gtp_gsn_addr);
int len = ie->gsn_addr()->value().length();
const uint8* d = ie->gsn_addr()->value().data();
if ( len == 4 )
ev->Assign(0, new AddrVal(
IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
else if ( len == 16 )
ev->Assign(0, new AddrVal(
IPAddr(IPv6, (const uint32*) d, IPAddr::Network)));
else
ev->Assign(1, new StringVal(new BroString((const u_char*) d, len, 0)));
return ev;
}
Val* BuildMSISDN(const InformationElement* ie)
{
const u_char* d = (const u_char*) ie->msisdn()->value().data();
int len = ie->msisdn()->value().length();
return new StringVal(new BroString(d, len, 0));
}
Val* BuildQoS_Profile(const InformationElement* ie)
{
RecordVal* ev = new RecordVal(BifType::Record::gtp_qos_profile);
const u_char* d = (const u_char*) ie->qos_profile()->data().data();
int len = ie->qos_profile()->data().length();
ev->Assign(0, new Val(ie->qos_profile()->alloc_retention_priority(),
TYPE_COUNT));
ev->Assign(1, new StringVal(new BroString(d, len, 0)));
return ev;
}
Val* BuildTrafficFlowTemplate(const InformationElement* ie)
{
const uint8* d = ie->traffic_flow_template()->value().data();
int len = ie->traffic_flow_template()->value().length();
return new StringVal(new BroString((const u_char*) d, len, 0));
}
Val* BuildTriggerID(const InformationElement* ie)
{
const uint8* d = ie->trigger_id()->value().data();
int len = ie->trigger_id()->value().length();
return new StringVal(new BroString((const u_char*) d, len, 0));
}
Val* BuildOMC_ID(const InformationElement* ie)
{
const uint8* d = ie->omc_id()->value().data();
int len = ie->omc_id()->value().length();
return new StringVal(new BroString((const u_char*) d, len, 0));
}
Val* BuildPrivateExt(const InformationElement* ie)
{
RecordVal* ev = new RecordVal(BifType::Record::gtp_private_extension);
const uint8* d = ie->private_ext()->value().data();
int len = ie->private_ext()->value().length();
ev->Assign(0, new Val(ie->private_ext()->id(), TYPE_COUNT));
ev->Assign(1, new StringVal(new BroString((const u_char*) d, len, 0)));
return ev;
}
Val* BuildCause(const InformationElement* ie)
{
return new Val(ie->cause()->value(), TYPE_COUNT);
}
Val* BuildReorderReq(const InformationElement* ie)
{
return new Val(ie->reorder_req()->req(), TYPE_BOOL);
}
Val* BuildChargingID(const InformationElement* ie)
{
return new Val(ie->charging_id()->value(), TYPE_COUNT);;
}
Val* BuildChargingGatewayAddr(const InformationElement* ie)
{
const uint8* d = ie->charging_gateway_addr()->value().data();
int len = ie->charging_gateway_addr()->value().length();
if ( len == 4 )
return new AddrVal(IPAddr(IPv4, (const uint32*) d, IPAddr::Network));
else if ( len == 16 )
return new AddrVal(IPAddr(IPv6, (const uint32*) d, IPAddr::Network));
else
return 0;
}
Val* BuildTeardownInd(const InformationElement* ie)
{
return new Val(ie->teardown_ind()->ind(), TYPE_BOOL);
}
void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_create_pdp_ctx_request ) return;
RecordVal* rv = new RecordVal(
BifType::Record::gtp_create_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
bool second_nsapi = false;
bool second_gsn_addr = false;
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_IMSI:
rv->Assign(0, BuildIMSI(ie));
break;
case GTPv1::TYPE_RAI:
rv->Assign(1, BuildRAI(ie));
break;
case GTPv1::TYPE_RECOVERY:
rv->Assign(2, BuildRecovery(ie));
break;
case GTPv1::TYPE_SELECTION_MODE:
rv->Assign(3, BuildSelectionMode(ie));
break;
case GTPv1::TYPE_TEID1:
rv->Assign(4, BuildTEID1(ie));
break;
case GTPv1::TYPE_TEID_CONTROL_PLANE:
rv->Assign(5, BuildTEID_ControlPlane(ie));
break;
case GTPv1::TYPE_NSAPI:
if ( second_nsapi )
rv->Assign(7, BuildNSAPI(ie));
else
{
second_nsapi = true;
rv->Assign(6, BuildNSAPI(ie));
}
break;
case GTPv1::TYPE_CHARGING_CHARACTERISTICS:
rv->Assign(8, BuildChargingCharacteristics(ie));
break;
case GTPv1::TYPE_TRACE_REFERENCE:
rv->Assign(9, BuildTraceReference(ie));
break;
case GTPv1::TYPE_TRACE_TYPE:
rv->Assign(10, BuildTraceType(ie));
break;
case GTPv1::TYPE_END_USER_ADDR:
rv->Assign(11, BuildEndUserAddr(ie));
break;
case GTPv1::TYPE_ACCESS_POINT_NAME:
rv->Assign(12, BuildAccessPointName(ie));
break;
case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
rv->Assign(13, BuildProtoConfigOptions(ie));
break;
case GTPv1::TYPE_GSN_ADDR:
if ( second_gsn_addr )
rv->Assign(15, BuildGSN_Addr(ie));
else
{
second_gsn_addr = true;
rv->Assign(14, BuildGSN_Addr(ie));
}
break;
case GTPv1::TYPE_MSISDN:
rv->Assign(16, BuildMSISDN(ie));
break;
case GTPv1::TYPE_QOS_PROFILE:
rv->Assign(17, BuildQoS_Profile(ie));
break;
case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
rv->Assign(18, BuildTrafficFlowTemplate(ie));
break;
case GTPv1::TYPE_TRIGGER_ID:
rv->Assign(19, BuildTriggerID(ie));
break;
case GTPv1::TYPE_OMC_ID:
rv->Assign(20, BuildOMC_ID(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(21, BuildPrivateExt(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
break;
}
}
BifEvent::generate_gtpv1_create_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
}
void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_create_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
BifType::Record::gtp_create_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
bool second_gsn_addr = false;
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_CAUSE:
rv->Assign(0, BuildCause(ie));
break;
case GTPv1::TYPE_REORDER_REQ:
rv->Assign(1, BuildReorderReq(ie));
break;
case GTPv1::TYPE_RECOVERY:
rv->Assign(2, BuildRecovery(ie));
break;
case GTPv1::TYPE_TEID1:
rv->Assign(3, BuildTEID1(ie));
break;
case GTPv1::TYPE_TEID_CONTROL_PLANE:
rv->Assign(4, BuildTEID_ControlPlane(ie));
break;
case GTPv1::TYPE_CHARGING_ID:
rv->Assign(5, BuildChargingID(ie));
break;
case GTPv1::TYPE_END_USER_ADDR:
rv->Assign(6, BuildEndUserAddr(ie));
break;
case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
rv->Assign(7, BuildProtoConfigOptions(ie));
break;
case GTPv1::TYPE_GSN_ADDR:
if ( second_gsn_addr )
rv->Assign(9, BuildGSN_Addr(ie));
else
{
second_gsn_addr = true;
rv->Assign(8, BuildGSN_Addr(ie));
}
break;
case GTPv1::TYPE_QOS_PROFILE:
rv->Assign(10, BuildQoS_Profile(ie));
break;
case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
rv->Assign(11, BuildChargingGatewayAddr(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(12, BuildPrivateExt(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
break;
}
}
BifEvent::generate_gtpv1_create_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
}
void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_update_pdp_ctx_request )
return;
RecordVal* rv = new RecordVal(
BifType::Record::gtp_update_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
bool second_gsn_addr = false;
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_IMSI:
rv->Assign(0, BuildIMSI(ie));
break;
case GTPv1::TYPE_RAI:
rv->Assign(1, BuildRAI(ie));
break;
case GTPv1::TYPE_RECOVERY:
rv->Assign(2, BuildRecovery(ie));
break;
case GTPv1::TYPE_TEID1:
rv->Assign(3, BuildTEID1(ie));
break;
case GTPv1::TYPE_TEID_CONTROL_PLANE:
rv->Assign(4, BuildTEID_ControlPlane(ie));
break;
case GTPv1::TYPE_NSAPI:
rv->Assign(5, BuildNSAPI(ie));
break;
case GTPv1::TYPE_TRACE_REFERENCE:
rv->Assign(6, BuildTraceReference(ie));
break;
case GTPv1::TYPE_TRACE_TYPE:
rv->Assign(7, BuildTraceType(ie));
break;
case GTPv1::TYPE_GSN_ADDR:
if ( second_gsn_addr )
rv->Assign(9, BuildGSN_Addr(ie));
else
{
second_gsn_addr = true;
rv->Assign(8, BuildGSN_Addr(ie));
}
break;
case GTPv1::TYPE_QOS_PROFILE:
rv->Assign(10, BuildQoS_Profile(ie));
break;
case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
rv->Assign(11, BuildTrafficFlowTemplate(ie));
break;
case GTPv1::TYPE_TRIGGER_ID:
rv->Assign(12, BuildTriggerID(ie));
break;
case GTPv1::TYPE_OMC_ID:
rv->Assign(13, BuildOMC_ID(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(14, BuildPrivateExt(ie));
break;
case GTPv1::TYPE_END_USER_ADDR:
rv->Assign(15, BuildEndUserAddr(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
break;
}
}
BifEvent::generate_gtpv1_update_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
}
void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_update_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
BifType::Record::gtp_update_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
bool second_gsn_addr = false;
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_CAUSE:
rv->Assign(0, BuildCause(ie));
break;
case GTPv1::TYPE_RECOVERY:
rv->Assign(1, BuildRecovery(ie));
break;
case GTPv1::TYPE_TEID1:
rv->Assign(2, BuildTEID1(ie));
break;
case GTPv1::TYPE_TEID_CONTROL_PLANE:
rv->Assign(3, BuildTEID_ControlPlane(ie));
break;
case GTPv1::TYPE_CHARGING_ID:
rv->Assign(4, BuildChargingID(ie));
break;
case GTPv1::TYPE_GSN_ADDR:
if ( second_gsn_addr )
rv->Assign(6, BuildGSN_Addr(ie));
else
{
second_gsn_addr = true;
rv->Assign(5, BuildGSN_Addr(ie));
}
break;
case GTPv1::TYPE_QOS_PROFILE:
rv->Assign(7, BuildQoS_Profile(ie));
break;
case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
rv->Assign(8, BuildChargingGatewayAddr(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(9, BuildPrivateExt(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
break;
}
}
BifEvent::generate_gtpv1_update_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
}
void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_delete_pdp_ctx_request )
return;
RecordVal* rv = new RecordVal(
BifType::Record::gtp_delete_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_TEARDOWN_IND:
rv->Assign(0, BuildTeardownInd(ie));
break;
case GTPv1::TYPE_NSAPI:
rv->Assign(1, BuildNSAPI(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(2, BuildPrivateExt(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
break;
}
}
BifEvent::generate_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
}
void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_delete_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
BifType::Record::gtp_delete_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
for ( size_t i = 0; i < v->size(); ++i )
{
const InformationElement* ie = (*v)[i];
switch ( ie->type() ) {
case GTPv1::TYPE_CAUSE:
rv->Assign(0, BuildCause(ie));
break;
case GTPv1::TYPE_PRIVATE_EXT:
rv->Assign(1, BuildPrivateExt(ie));
break;
default:
a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
break;
}
}
BifEvent::generate_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
}
%}
connection GTPv1_Conn(bro_analyzer: BroAnalyzer)
{
upflow = GTPv1_Flow(true);
@ -27,17 +630,17 @@ connection GTPv1_Conn(bro_analyzer: BroAnalyzer)
%}
}
%code{
inline void violate(const char* r, const BroAnalyzer& a, const bytestring& p)
{
a->ProtocolViolation(r, (const char*) p.data(), p.length());
}
%}
flow GTPv1_Flow(is_orig: bool)
{
datagram = GTPv1_Header withcontext(connection, this);
function violate(r: string, pdu: GTPv1_Header): void
%{
BroAnalyzer a = connection()->bro_analyzer();
const_bytestring b = ${pdu.sourcedata};
a->ProtocolViolation(r.c_str(), (const char*) b.begin(), b.length());
%}
function process_gtpv1(pdu: GTPv1_Header): bool
%{
BroAnalyzer a = connection()->bro_analyzer();
@ -55,14 +658,14 @@ flow GTPv1_Flow(is_orig: bool)
if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
{
// GTP is never tunneled in GTP so, this must be a regular packet
violate("GTP-in-GTP", a, ${pdu.packet});
violate("GTP-in-GTP", pdu);
return false;
}
if ( ${pdu.version} != 1 )
{
// Only know of GTPv1 with Version == 1
violate("GTPv1 bad Version", a, ${pdu.packet});
violate("GTPv1 bad Version", pdu);
return false;
}
@ -72,21 +675,46 @@ flow GTPv1_Flow(is_orig: bool)
return false;
}
if ( ${pdu.e_flag} )
{
// TODO: can't currently parse past extension headers
return false;
}
if ( ::gtpv1_message )
BifEvent::generate_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
if ( ${pdu.msg_type} != 0xff )
{
// Only interested in decapsulating user plane data beyond here.
switch ( ${pdu.msg_type} ) {
case 16:
CreatePDP_Request(a, pdu);
return true;
case 17:
CreatePDP_Response(a, pdu);
return true;
case 18:
UpdatePDP_Request(a, pdu);
return true;
case 19:
UpdatePDP_Response(a, pdu);
return true;
case 20:
DeletePDP_Request(a, pdu);
return true;
case 21:
DeletePDP_Response(a, pdu);
return true;
case 255:
return process_g_pdu(pdu);
default:
return false;
}
}
return false;
%}
function process_g_pdu(pdu: GTPv1_Header): bool
%{
BroAnalyzer a = connection()->bro_analyzer();
Connection *c = a->Conn();
const EncapsulationStack* e = c->GetEncapsulation();
if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
{
violate("Truncated GTPv1", a, ${pdu.packet});
violate("Truncated GTPv1", pdu);
return false;
}
@ -94,7 +722,7 @@ flow GTPv1_Flow(is_orig: bool)
if ( ip->ip_v != 4 && ip->ip_v != 6 )
{
violate("non-IP packet in GTPv1", a, ${pdu.packet});
violate("non-IP packet in GTPv1", pdu);
return false;
}
@ -113,10 +741,10 @@ flow GTPv1_Flow(is_orig: bool)
}
else if ( result < 0 )
violate("Truncated GTPv1", a, ${pdu.packet});
violate("Truncated GTPv1", pdu);
else
violate("GTPv1 payload length", a, ${pdu.packet});
violate("GTPv1 payload length", pdu);
if ( result != 0 )
{
@ -125,37 +753,16 @@ flow GTPv1_Flow(is_orig: bool)
}
if ( ::gtpv1_g_pdu_packet )
{
RecordVal* rv = new RecordVal(gtpv1_hdr_type);
rv->Assign(0, new Val(${pdu.version}, TYPE_COUNT));
rv->Assign(1, new Val(${pdu.pt_flag}, TYPE_BOOL));
rv->Assign(2, new Val(${pdu.rsv}, TYPE_BOOL));
rv->Assign(3, new Val(${pdu.e_flag}, TYPE_BOOL));
rv->Assign(4, new Val(${pdu.s_flag}, TYPE_BOOL));
rv->Assign(5, new Val(${pdu.pn_flag}, TYPE_BOOL));
rv->Assign(6, new Val(${pdu.msg_type}, TYPE_COUNT));
rv->Assign(7, new Val(ntohs(${pdu.length}), TYPE_COUNT));
rv->Assign(8, new Val(ntohl(${pdu.teid}), TYPE_COUNT));
if ( ${pdu.has_opt} )
{
rv->Assign(9, new Val(ntohs(${pdu.opt_hdr.seq}), TYPE_COUNT));
rv->Assign(10, new Val(${pdu.opt_hdr.n_pdu}, TYPE_COUNT));
rv->Assign(11, new Val(${pdu.opt_hdr.next_type}, TYPE_COUNT));
}
BifEvent::generate_gtpv1_g_pdu_packet(a, c, rv,
BifEvent::generate_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
inner->BuildPktHdrVal());
}
EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);
sessions->DoNextInnerPacket(network_time(), 0, inner, e, ec);
return (result == 0) ? true : false;
return true;
%}
};
refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };

477
src/gtpv1-protocol.pac
View file

@ -4,11 +4,27 @@ type GTPv1_Header = record {
msg_type: uint8;
length: uint16;
teid: uint32;
opt: case has_opt of {
true -> opt_hdr: GTPv1_Opt_Header;
false -> no_opt: empty;
} &requires(has_opt);
packet: bytestring &restofdata;
};
ext: case e_flag of {
true -> ext_hdrs: GTPv1_Ext_Header[] &until($element.next_type == 0);
false -> no_ext: empty;
};
msg: case msg_type of {
16 -> create_pdp_ctx_request: InformationElement[];
17 -> create_pdp_ctx_response: InformationElement[];
18 -> update_pdp_ctx_request: InformationElement[];
19 -> update_pdp_ctx_response: InformationElement[];
20 -> delete_pdp_ctx_request: InformationElement[];
21 -> delete_pdp_ctx_response: InformationElement[];
255 -> packet: bytestring &restofdata;
default -> unknown: bytestring &restofdata;
};
} &let {
version: uint8 = (flags & 0xE0) >> 5;
@ -18,10 +34,463 @@ type GTPv1_Header = record {
s_flag: bool = flags & 0x02;
pn_flag: bool = flags & 0x01;
has_opt: bool = flags & 0x07;
} &byteorder = littleendian;
} &byteorder = bigendian, &exportsourcedata;
type GTPv1_Opt_Header = record {
seq: uint16;
n_pdu: uint8;
next_type: uint8;
}
};
type GTPv1_Ext_Header = record {
length: uint8;
contents: bytestring &length=(length * 4 - 2);
next_type: uint8;
};
enum InfoElementType {
TYPE_CAUSE = 1,
TYPE_IMSI = 2,
TYPE_RAI = 3,
TYPE_TLLI = 4,
TYPE_P_TMSI = 5,
TYPE_REORDER_REQ = 8,
TYPE_AUTHN_TRIPLET = 9,
TYPE_MAP_CAUSE = 11,
TYPE_P_TMSI_SIG = 12,
TYPE_MS_VALID = 13,
TYPE_RECOVERY = 14,
TYPE_SELECTION_MODE = 15,
TYPE_TEID1 = 16,
TYPE_TEID_CONTROL_PLANE = 17,
TYPE_TEID2 = 18,
TYPE_TEARDOWN_IND = 19,
TYPE_NSAPI = 20,
TYPE_RANAP_CAUSE = 21,
TYPE_RAB_CTX = 22,
TYPE_RADIO_PRIORITY_SMS = 23,
TYPE_RADIO_PRIORITY = 24,
TYPE_PACKET_FLOW_ID = 25,
TYPE_CHARGING_CHARACTERISTICS = 26,
TYPE_TRACE_REFERENCE = 27,
TYPE_TRACE_TYPE = 28,
TYPE_MS_NOT_REACHABLE_REASON = 29,
TYPE_CHARGING_ID = 127,
TYPE_END_USER_ADDR = 128,
TYPE_MM_CTX = 129,
TYPE_PDP_CTX = 130,
TYPE_ACCESS_POINT_NAME = 131,
TYPE_PROTO_CONFIG_OPTIONS = 132,
TYPE_GSN_ADDR = 133,
TYPE_MSISDN = 134,
TYPE_QOS_PROFILE = 135,
TYPE_AUTHN_QUINTUPLET = 136,
TYPE_TRAFFIC_FLOW_TEMPLATE = 137,
TYPE_TARGET_ID = 138,
TYPE_UTRAN_TRANSPARENT_CONTAINER = 139,
TYPE_RAB_SETUP_INFO = 140,
TYPE_EXT_HEADER_TYPE_LIST = 141,
TYPE_TRIGGER_ID = 142,
TYPE_OMC_ID = 143,
TYPE_CHARGING_GATEWAY_ADDR = 251,
TYPE_PRIVATE_EXT = 255,
};
type InformationElement = record {
type: uint8;
len: case is_tlv of {
true -> tlv_len: uint16;
false -> no_len: empty;
};
value: case type of {
TYPE_CAUSE -> cause: Cause;
TYPE_IMSI -> imsi: IMSI;
TYPE_RAI -> rai: RAI;
TYPE_TLLI -> tlli: TLLI;
TYPE_P_TMSI -> p_tmsi: P_TMSI;
TYPE_REORDER_REQ -> reorder_req: ReorderReq;
TYPE_AUTHN_TRIPLET -> authn_triplet: AuthN_Triplet;
TYPE_MAP_CAUSE -> map_cause: MAP_Cause;
TYPE_P_TMSI_SIG -> p_tmsi_sig: P_TMSI_Sig;
TYPE_MS_VALID -> ms_valid: MS_Valid;
TYPE_RECOVERY -> recovery: Recovery;
TYPE_SELECTION_MODE -> selection_mode: SelectionMode;
TYPE_TEID1 -> teid1: TEID1;
TYPE_TEID_CONTROL_PLANE -> teidcp: TEID_ControlPlane;
TYPE_TEID2 -> teid2: TEID2;
TYPE_TEARDOWN_IND -> teardown_ind: TeardownInd;
TYPE_NSAPI -> nsapi: NSAPI;
TYPE_RANAP_CAUSE -> ranap_cause: RANAP_Cause;
TYPE_RAB_CTX -> rab_ctx: RAB_Ctx;
TYPE_RADIO_PRIORITY_SMS -> radio_priority_sms: RadioPrioritySMS;
TYPE_RADIO_PRIORITY -> radio_priority: RadioPriority;
TYPE_PACKET_FLOW_ID -> packet_flow_id: PacketFlowID;
TYPE_CHARGING_CHARACTERISTICS -> charging_characteristics: ChargingCharacteristics;
TYPE_TRACE_REFERENCE -> trace_reference: TraceReference;
TYPE_TRACE_TYPE -> trace_type: TraceType;
TYPE_MS_NOT_REACHABLE_REASON -> ms_not_reachable_reason: MS_Not_Reachable_Reason;
TYPE_CHARGING_ID -> charging_id: ChargingID;
TYPE_END_USER_ADDR -> end_user_addr: EndUserAddr(length);
TYPE_MM_CTX -> mm_ctx: MM_Ctx(length);
TYPE_PDP_CTX -> pdp_ctx: PDP_Ctx(length);
TYPE_ACCESS_POINT_NAME -> ap_name: AP_Name(length);
TYPE_PROTO_CONFIG_OPTIONS -> proto_config_opts: ProtoConfigOpts(length);
TYPE_GSN_ADDR -> gsn_addr: GSN_Addr(length);
TYPE_MSISDN -> msisdn: MSISDN(length);
TYPE_QOS_PROFILE -> qos_profile: QoS_Profile(length);
TYPE_AUTHN_QUINTUPLET -> authn_quintuplet: AuthN_Quintuplet(length);
TYPE_TRAFFIC_FLOW_TEMPLATE -> traffic_flow_template: TrafficFlowTemplate(length);
TYPE_TARGET_ID -> target_id: TargetID(length);
TYPE_UTRAN_TRANSPARENT_CONTAINER -> utran_transparent_container: UTRAN_TransparentContainer(length);
TYPE_RAB_SETUP_INFO -> rab_setup_info: RAB_SetupInfo(length);
TYPE_EXT_HEADER_TYPE_LIST -> ext_hdr_type_list: ExtHdrTypeList(length);
TYPE_TRIGGER_ID -> trigger_id: TriggerID(length);
TYPE_OMC_ID -> omc_id: OMC_ID(length);
TYPE_CHARGING_GATEWAY_ADDR -> charging_gateway_addr: ChargingGatewayAddr(length);
TYPE_PRIVATE_EXT -> private_ext: PrivateExt(length);
default -> unknown: bytestring &length=length;
} &requires(length);
} &let {
is_tlv: bool = (type & 0x80);
length: uint16 = is_tlv ? tlv_len : Get_IE_Len(type);
};
type Cause = record {
value: uint8;
};
function decode_imsi(v: uint8[8]): uint64
%{
uint64 rval = 0;
uint8 digits[16];
for ( size_t i = 0; i < v->size(); ++i )
{
digits[2 * i + 1] = ((*v)[i] & 0xf0) >> 4;
digits[2 * i] = (*v)[i] & 0x0f;
}
int power = 0;
for ( int i = 15; i >= 0; --i )
{
if ( digits[i] == 0x0f ) continue;
rval += digits[i] * pow(10, power);
++power;
}
return rval;
%}
type IMSI = record {
tbcd_encoded_value: uint8[8];
} &let {
value: uint64 = decode_imsi(tbcd_encoded_value);
};
type RAI = record {
mcc2_mcc1: uint8;
mnc3_mcc3: uint8;
mnc2_mnc1: uint8;
lac: uint16;
rac: uint8;
} &let {
mcc1: uint8 = (mcc2_mcc1 & 0x0f);
mcc2: uint8 = ((mcc2_mcc1 & 0xf0)>>4);
mcc3: uint8 = (mnc3_mcc3 & 0x0f);
mcc: uint16 = mcc1 * 100 + mcc2 * 10 + mcc3;
mnc1: uint8 = (mnc2_mnc1 & 0x0f);
mnc2: uint8 = ((mnc2_mnc1 & 0xf0)>>4);
mnc3: uint8 = (mnc3_mcc3 & 0xf0)>>4;
mnc: uint16 = (mnc3 & 0x0f) ? mnc1 * 10 + mnc2 : mnc1 * 100 + mnc2 * 10 + mnc3;
};
type TLLI = record {
value: uint32;
};
type P_TMSI = record {
value: uint32;
};
type ReorderReq = record {
value: uint8;
} &let {
req: bool = value & 0x01;
};
type AuthN_Triplet = record {
rand: bytestring &length=16;
sres: uint32;
kc: uint64;
};
type MAP_Cause = record {
value: uint8;
};
type P_TMSI_Sig = record {
value: bytestring &length=3;
};
type MS_Valid = record {
value: uint8;
};
type Recovery = record {
restart_counter: uint8;
};
type SelectionMode = record {
value: uint8;
} &let {
mode: uint8 = value & 0x01;
};
type TEID1 = record {
value: uint32;
};
type TEID_ControlPlane = record {
value: uint32;
};
type TEID2 = record {
spare_nsapi: uint8;
teid2: uint32;
};
type TeardownInd = record {
value: uint8;
} &let {
ind: bool = value & 0x01;
};
type NSAPI = record {
xxxx_nsapi: uint8;
} &let {
nsapi: uint8 = xxxx_nsapi & 0x0f;
};
type RANAP_Cause = record {
value: uint8;
};
type RAB_Ctx = record {
spare_nsapi: uint8;
dl_gtpu_seq_num: uint16;
ul_gtpu_seq_num: uint16;
dl_pdcp_seq_num: uint16;
ul_pdcp_seq_num: uint16;
};
type RadioPrioritySMS = record {
value: uint8;
};
type RadioPriority = record {
nsapi_radio_priority: uint8;
};
type PacketFlowID = record {
rsv_nsapi: uint8;
packet_flow_id: uint8;
};
type ChargingCharacteristics = record {
value: uint16;
};
type TraceReference = record {
value: uint16;
};
type TraceType = record {
value: uint16;
};
type MS_Not_Reachable_Reason = record {
value: uint8;
};
type ChargingID = record {
value: uint32;
};
type EndUserAddr(n: uint16) = record {
spare_pdp_type_org: uint8;
pdp_type_num: uint8;
pdp_addr: bytestring &length=(n-2);
} &let {
pdp_type_org: uint8 = spare_pdp_type_org & 0x0f;
};
type MM_Ctx(n: uint16) = record {
spare_cksn_ksi: uint8;
security_params: uint8;
keys: case gsm_keys of {
true -> kc: uint64;
false -> ck_ik: bytestring &length=32;
};
vector_len: case have_triplets of {
true -> no_quint_len: empty;
false -> quint_len: uint16;
};
vectors: case have_triplets of {
true -> triplets: AuthN_Triplet[num_vectors];
false -> quintuplets: AuthN_Quintuplet(quint_len)[num_vectors];
} &requires(num_vectors);
drx_param: uint16;
ms_net_capability_len: uint8;
ms_net_capability: bytestring &length=ms_net_capability_len;
container_len: uint16;
container: bytestring &length=container_len;
} &let {
security_mode: uint8 = security_params >> 6;
gsm_keys: bool = security_mode & 0x01;
have_triplets: bool = (security_mode == 1);
num_vectors: uint8 = (security_params & 0x38) >> 3;
};
type PDP_Ctx(n: uint16) = record {
rsv_nsapi: uint8;
xxxx_sapi: uint8;
qos_sub_len: uint8;
qos_sub: QoS_Profile(qos_sub_len);
qos_req_len: uint8;
qos_req: QoS_Profile(qos_req_len);
qos_neg_len: uint8;
qos_neg: QoS_Profile(qos_neg_len);
snd: uint16;
snu: uint16;
send_npdu_num: uint8;
recv_npdu_num: uint8;
ul_teid_cp: TEID_ControlPlane;
ul_teid_data1: TEID1;
pdp_ctx_id: uint8;
spare_pdp_type_org: uint8;
pdp_type_num: uint8;
pdp_addr_len: uint8;
pdp_addr: bytestring &length=pdp_addr_len;
ggsn_addr_control_plane_len: uint8;
ggsn_addr_control_plane: bytestring &length=ggsn_addr_control_plane_len;
ggsn_addr_user_traffic_len: uint8;
ggsn_addr_user_traffic: bytestring &length=ggsn_addr_user_traffic_len;
apn_len: uint8;
apn: AP_Name(apn_len);
spare_transaction_id: uint8;
transaction_id: uint8;
};
type AP_Name(n: uint16) = record {
value: bytestring &length=n;
};
type ProtoConfigOpts(n: uint16) = record {
value: bytestring &length=n;
};
type GSN_Addr(n: uint16) = record {
value: bytestring &length=n;
};
type MSISDN(n: uint16) = record {
value: bytestring &length=n;
};
type QoS_Profile(n: uint16) = record {
alloc_retention_priority: uint8;
data: bytestring &length=n-1;
};
type AuthN_Quintuplet(n: uint16) = record {
rand: bytestring &length=16;
xres_len: uint8;
xres: bytestring &length=xres_len;
ck: bytestring &length=16;
ik: bytestring &length=16;
autn_len: uint8;
autn: bytestring &length=autn_len;
};
type TrafficFlowTemplate(n: uint16) = record {
value: bytestring &length=n;
};
type TargetID(n: uint16) = record {
value: bytestring &length=n;
};
type UTRAN_TransparentContainer(n: uint16) = record {
value: bytestring &length=n;
};
type RAB_SetupInfo(n: uint16) = record {
xxxx_nsapi: uint8;
have_teid: case n of {
1 -> no_teid: empty;
default -> teid: TEID1;
};
have_addr: case n of {
1 -> no_addr: empty;
default -> rnc_addr: bytestring &length=n-5;
};
};
type ExtHdrTypeList(n: uint16) = record {
value: uint8[n];
};
type TriggerID(n: uint16) = record {
value: bytestring &length=n;
};
type OMC_ID(n: uint16) = record {
value: bytestring &length=n;
};
type ChargingGatewayAddr(n: uint16) = record {
value: bytestring &length=n;
};
type PrivateExt(n: uint16) = record {
id: uint16;
value: bytestring &length=n-2;
};
function Get_IE_Len(t: uint8): uint16 =
case t of {
TYPE_CAUSE -> 1;
TYPE_IMSI -> 8;
TYPE_RAI -> 6;
TYPE_TLLI -> 4;
TYPE_P_TMSI -> 4;
TYPE_REORDER_REQ -> 1;
TYPE_AUTHN_TRIPLET -> 28;
TYPE_MAP_CAUSE -> 1;
TYPE_P_TMSI_SIG -> 3;
TYPE_MS_VALID -> 1;
TYPE_RECOVERY -> 1;
TYPE_SELECTION_MODE -> 1;
TYPE_TEID1 -> 4;
TYPE_TEID_CONTROL_PLANE -> 4;
TYPE_TEID2 -> 5;
TYPE_TEARDOWN_IND -> 1;
TYPE_NSAPI -> 1;
TYPE_RANAP_CAUSE -> 1;
TYPE_RAB_CTX -> 9;
TYPE_RADIO_PRIORITY_SMS -> 1;
TYPE_RADIO_PRIORITY -> 1;
TYPE_PACKET_FLOW_ID -> 2;
TYPE_CHARGING_CHARACTERISTICS -> 2;
TYPE_TRACE_REFERENCE -> 2;
TYPE_TRACE_TYPE -> 2;
TYPE_MS_NOT_REACHABLE_REASON -> 1;
TYPE_CHARGING_ID -> 4;
};

6
src/input/Manager.cc
View file

@ -483,7 +483,7 @@ bool Manager::CreateEventStream(RecordVal* fval)
Unref(fields); // ref'd by lookupwithdefault
stream->num_fields = fieldsV.size();
stream->fields = fields->Ref()->AsRecordType();
stream->event = event_registry->Lookup(event->GetID()->Name());
stream->event = event_registry->Lookup(event->Name());
stream->want_record = ( want_record->InternalInt() == 1 );
Unref(want_record); // ref'd by lookupwithdefault
@ -644,7 +644,7 @@ bool Manager::CreateTableStream(RecordVal* fval)
stream->tab = dst->AsTableVal();
stream->rtype = val ? val->AsRecordType() : 0;
stream->itype = idx->AsRecordType();
stream->event = event ? event_registry->Lookup(event->GetID()->Name()) : 0;
stream->event = event ? event_registry->Lookup(event->Name()) : 0;
stream->currDict = new PDict(InputHash);
stream->currDict->SetDeleteFunc(input_hash_delete_func);
stream->lastDict = new PDict(InputHash);
@ -2107,7 +2107,7 @@ Val* Manager::ValueToVal(const Value* val, BroType* request_type)
VectorType* vt = new VectorType(type->Ref());
VectorVal* v = new VectorVal(vt);
for ( int i = 0; i < val->val.vector_val.size; i++ )
v->Assign(i, ValueToVal( val->val.set_val.vals[i], type ), 0);
v->Assign(i, ValueToVal( val->val.set_val.vals[i], type ));
Unref(vt);
return v;

2
src/logging/Manager.cc
View file

@ -365,7 +365,7 @@ bool Manager::CreateStream(EnumVal* id, RecordVal* sval)
streams[idx]->id = id->Ref()->AsEnumVal();
streams[idx]->enabled = true;
streams[idx]->name = id->Type()->AsEnumType()->Lookup(idx);
streams[idx]->event = event ? event_registry->Lookup(event->GetID()->Name()) : 0;
streams[idx]->event = event ? event_registry->Lookup(event->Name()) : 0;
streams[idx]->columns = columns->Ref()->AsRecordType();
DBG_LOG(DBG_LOGGING, "Created new logging stream '%s', raising event %s",

2
src/logging/writers/DataSeries.cc
View file

@ -167,7 +167,7 @@ string DataSeries::BuildDSSchemaFromFieldTypes(const vector<SchemaValue>& vals,
string xmlschema = "<ExtentType name=\""
+ sTitle
+ "\" version=\"1.0\" namespace=\"bro-ids.org\">\n";
+ "\" version=\"1.0\" namespace=\"bro.org\">\n";
for( size_t i = 0; i < vals.size(); ++i )
{

36
src/modbus-analyzer.pac
View file

@ -149,7 +149,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i=0; i < ${message.registers}->size(); ++i )
{
Val* r = new Val(${message.registers[i]}, TYPE_COUNT);
t->Assign(i, r, 0, OP_ASSIGN);
t->Assign(i, r);
}
BifEvent::generate_modbus_read_holding_registers_response(connection()->bro_analyzer(),
@ -192,7 +192,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i=0; i < (${message.registers})->size(); ++i )
{
Val* r = new Val(${message.registers[i]}, TYPE_COUNT);
t->Assign(i, r, 0, OP_ASSIGN);
t->Assign(i, r);
}
BifEvent::generate_modbus_read_input_registers_response(connection()->bro_analyzer(),
@ -335,7 +335,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i = 0; i < (${message.registers}->size()); ++i )
{
Val* r = new Val(${message.registers[i]}, TYPE_COUNT);
t->Assign(i, r, 0, OP_ASSIGN);
t->Assign(i, r);
}
BifEvent::generate_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
@ -371,13 +371,13 @@ refine flow ModbusTCP_Flow += {
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// {
// Val* r = new Val((${message.references[i].ref_type}), TYPE_COUNT);
// t->Assign(i, r, 0, OP_ASSIGN);
// t->Assign(i, r);
//
// Val* k = new Val((${message.references[i].file_num}), TYPE_COUNT);
// t->Assign(i, k, 0, OP_ASSIGN);
// t->Assign(i, k);
//
// Val* l = new Val((${message.references[i].record_num}), TYPE_COUNT);
// t->Assign(i, l, 0, OP_ASSIGN);
// t->Assign(i, l);
// }
BifEvent::generate_modbus_read_file_record_request(connection()->bro_analyzer(),
@ -398,7 +398,7 @@ refine flow ModbusTCP_Flow += {
// {
// //TODO: work the reference type in here somewhere
// Val* r = new Val(${message.references[i].record_data}), TYPE_COUNT);
// t->Assign(i, r, 0, OP_ASSIGN);
// t->Assign(i, r);
// }
BifEvent::generate_modbus_read_file_record_response(connection()->bro_analyzer(),
@ -418,18 +418,18 @@ refine flow ModbusTCP_Flow += {
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// {
// Val* r = new Val((${message.references[i].ref_type}), TYPE_COUNT);
// t->Assign(i, r, 0, OP_ASSIGN);
// t->Assign(i, r);
//
// Val* k = new Val((${message.references[i].file_num}), TYPE_COUNT);
// t->Assign(i, k, 0, OP_ASSIGN);
// t->Assign(i, k);
//
// Val* n = new Val((${message.references[i].record_num}), TYPE_COUNT);
// t->Assign(i, n, 0, OP_ASSIGN);
// t->Assign(i, n);
//
// for ( unsigned int j = 0; j < (${message.references[i].register_value}->size()); ++j )
// {
// k = new Val((${message.references[i].register_value[j]}), TYPE_COUNT);
// t->Assign(i, k, 0, OP_ASSIGN);
// t->Assign(i, k);
// }
// }
@ -451,18 +451,18 @@ refine flow ModbusTCP_Flow += {
//for ( unsigned int i = 0; i < (${messages.references}->size()); ++i )
// {
// Val* r = new Val((${message.references[i].ref_type}), TYPE_COUNT);
// t->Assign(i, r, 0, OP_ASSIGN);
// t->Assign(i, r);
//
// Val* f = new Val((${message.references[i].file_num}), TYPE_COUNT);
// t->Assign(i, f, 0, OP_ASSIGN);
// t->Assign(i, f);
//
// Val* rn = new Val((${message.references[i].record_num}), TYPE_COUNT);
// t->Assign(i, rn, 0, OP_ASSIGN);
// t->Assign(i, rn);
//
// for ( unsigned int j = 0; j<(${message.references[i].register_value}->size()); ++j )
// {
// Val* k = new Val((${message.references[i].register_value[j]}), TYPE_COUNT);
// t->Assign(i, k, 0, OP_ASSIGN);
// t->Assign(i, k);
// }
BifEvent::generate_modbus_write_file_record_response(connection()->bro_analyzer(),
@ -519,7 +519,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i = 0; i < ${message.write_register_values}->size(); ++i )
{
Val* r = new Val(${message.write_register_values[i]}, TYPE_COUNT);
t->Assign(i, r, 0, OP_ASSIGN);
t->Assign(i, r);
}
BifEvent::generate_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
@ -550,7 +550,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i = 0; i < ${message.registers}->size(); ++i )
{
Val* r = new Val(${message.registers[i]}, TYPE_COUNT);
t->Assign(i, r, 0, OP_ASSIGN);
t->Assign(i, r);
}
BifEvent::generate_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
@ -593,7 +593,7 @@ refine flow ModbusTCP_Flow += {
for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i )
{
Val* r = new Val(${message.register_data[i]}, TYPE_COUNT);
t->Assign(i, r, 0, OP_ASSIGN);
t->Assign(i, r);
}
BifEvent::generate_modbus_read_fifo_queue_response(connection()->bro_analyzer(),

2
src/netflow-analyzer.pac
View file

@ -38,7 +38,7 @@ flow NetFlow_Flow {
# %cleanup does not only put the cleanup code into the destructor,
# but also at the end of the catch clause in NewData(). This is
# different from the documentation at
# http://www.bro-ids.org/wiki/index.php/BinPAC_Userguide#.25cleanup.7B....25.7D
# http://www.bro.org/wiki/index.php/BinPAC_Userguide#.25cleanup.7B....25.7D
#
# Unfortunately this means that we cannot clean up the identifier
# string. Note that IOSource destructors seemingly are never

2
src/patricia.c
View file

@ -336,7 +336,7 @@ ascii2prefix (int family, char *string)
memcpy (save, string, cp - string);
save[cp - string] = '\0';
string = save;
if (bitlen < 0 || bitlen > maxbitlen)
if (bitlen > maxbitlen)
bitlen = maxbitlen;
}
else {

15
src/strings.bif
View file

@ -265,19 +265,6 @@ function edit%(arg_s: string, arg_edit_char: string%): string
return new StringVal(new BroString(1, byte_vec(new_s), ind));
%}
## Returns the number of characters (bytes) in the given string. The
## length computation includes any embedded NULs, and also a trailing NUL,
## if any (which is why the function isn't called ``strlen``; to remind
## the user that Bro strings can include NULs).
##
## s: The string to compute the length for.
##
## Returns: The number of characters in *s*.
function byte_len%(s: string%): count
%{
return new Val(s->Len(), TYPE_COUNT);
%}
## Get a substring from a string, given a starting position and length.
##
## s: The string to obtain a substring from.
@ -866,7 +853,7 @@ function str_split%(s: string, idx: index_vec%): string_vec
for ( BroString::VecIt it = result->begin();
it != result->end(); ++it, ++i )
result_v->Assign(i, new StringVal(*it), 0);
result_v->Assign(i, new StringVal(*it));
// StringVal now possesses string.
delete result;

1
src/threading/SerialTypes.h
View file

@ -2,6 +2,7 @@
#ifndef THREADING_SERIALIZATIONTYPES_H
#define THREADING_SERIALIZATIONTYPES_H
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

14
src/types.bif
View file

@ -211,3 +211,17 @@ enum Mode %{
%}
module GLOBAL;
type gtpv1_hdr: record;
type gtp_create_pdp_ctx_request_elements: record;
type gtp_create_pdp_ctx_response_elements: record;
type gtp_update_pdp_ctx_request_elements: record;
type gtp_update_pdp_ctx_response_elements: record;
type gtp_delete_pdp_ctx_request_elements: record;
type gtp_delete_pdp_ctx_response_elements: record;
type gtp_end_user_addr: record;
type gtp_rai: record;
type gtp_qos_profile: record;
type gtp_private_extension: record;
type gtp_gsn_addr: record;

34
src/util.cc
View file

@ -1527,3 +1527,37 @@ void operator delete[](void* v)
}
#endif
void bro_init_magic(magic_t* cookie_ptr, int flags)
{
if ( ! cookie_ptr || *cookie_ptr )
return;
*cookie_ptr = magic_open(flags);
if ( ! *cookie_ptr )
{
const char* err = magic_error(*cookie_ptr);
reporter->Error("can't init libmagic: %s", err ? err : "unknown");
}
else if ( magic_load(*cookie_ptr, 0) < 0 )
{
const char* err = magic_error(*cookie_ptr);
reporter->Error("can't load magic file: %s", err ? err : "unknown");
magic_close(*cookie_ptr);
*cookie_ptr = 0;
}
}
const char* bro_magic_buffer(magic_t cookie, const void* buffer, size_t length)
{
const char* rval = magic_buffer(cookie, buffer, length);
if ( ! rval )
{
const char* err = magic_error(cookie);
reporter->Error("magic_buffer error: %s", err ? err : "unknown");
}
return rval;
}

6
src/util.h
View file

@ -15,6 +15,7 @@
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <magic.h>
#include "config.h"
#if __STDC__
@ -75,7 +76,7 @@ typedef int32 ptr_compat_int;
#define PRI_PTR_COMPAT_INT PRId32
#define PRI_PTR_COMPAT_UINT PRIu32
#else
# error "Unusual pointer size. Please report to bro@bro-ids.org."
# error "Unusual pointer size. Please report to bro@bro.org."
#endif
extern "C"
@ -364,4 +365,7 @@ struct CompareString
}
};
void bro_init_magic(magic_t* cookie_ptr, int flags);
const char* bro_magic_buffer(magic_t cookie, const void* buffer, size_t length);
#endif

1
testing/btest/Baseline/bifs.byte_len/out
View file

@ -1 +0,0 @@
11

6
testing/btest/Baseline/bifs.length/out
View file

@ -1,6 +0,0 @@
1
4
2
0
0
0

2
testing/btest/Baseline/core.tunnels.gtp.ext_header/out Normal file
View file

@ -0,0 +1,2 @@
gtpv1_message, [orig_h=10.155.148.149, orig_p=9000/udp, resp_h=10.155.148.157, resp_p=2152/udp]
[version=1, pt_flag=T, rsv=F, e_flag=T, s_flag=T, pn_flag=F, msg_type=255, length=1508, teid=1050199, seq=5, n_pdu=0, next_type=192]

2
testing/btest/Baseline/core.tunnels.gtp.non_recursive/out
View file

@ -1 +1 @@
protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [n\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80(]\xcew\x84\xae}\xd2...]
protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [\x80\xe1Bc.\xe20\xebn\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80...]

24
testing/btest/Baseline/core.tunnels.gtp.pdp_ctx_messages/out Normal file
View file

@ -0,0 +1,24 @@
gtpv1_message, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=137, teid=0, seq=4875, n_pdu=0, next_type=0]
gtp create request, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=137, teid=0, seq=4875, n_pdu=0, next_type=0]
[imsi=460004100000101, rai=[mcc=460, mnc=6, lac=65534, rac=255], recovery=176, select_mode=1, data1=854600697, cp=854600697, nsapi=5, linked_nsapi=<uninitialized>, charge_character=<uninitialized>, trace_ref=<uninitialized>, trace_type=<uninitialized>, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=<uninitialized>, pdp_other_addr=<uninitialized>], ap_name=^Feetest, opts=\x80\x80!^V^A^A\0^V^C^F\0\0\0\0\x81^F\0\0\0\0\x83^F\0\0\0\0, signal_addr=[ip=192.169.100.1, other=<uninitialized>], user_addr=[ip=192.169.100.1, other=<uninitialized>], msisdn=\x91hQ"^A\0^A\xf1, qos_prof=[priority=2, data=\x1bB\x1fs\x8c@@tK@@], tft=<uninitialized>, trigger_id=<uninitialized>, omc_id=<uninitialized>, ext=[id=10923, value=^B^A^C]]
gtpv1_message, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=101, teid=854600697, seq=4875, n_pdu=0, next_type=0]
gtp create response, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=101, teid=854600697, seq=4875, n_pdu=0, next_type=0]
[cause=128, reorder_req=F, recovery=24, data1=268435589, cp=268435584, charging_id=103000009, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=192.168.252.130, pdp_other_addr=<uninitialized>], opts=\x80\x80!^P^D^A\0^P\x81^F\0\0\0\0\x83^F\0\0\0\0\x80!^J^C^A\0^J^C^F\xc0\xa8\xfc\x82, cp_addr=[ip=10.100.200.34, other=<uninitialized>], user_addr=[ip=10.100.200.49, other=<uninitialized>], qos_prof=[priority=2, data=\x1bB\x1fs\x8c@@tK@@], charge_gateway=<uninitialized>, ext=<uninitialized>]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=1, length=4, teid=0, seq=3072, n_pdu=0, next_type=0]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=2, length=6, teid=0, seq=3072, n_pdu=0, next_type=0]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=104, teid=0, seq=3073, n_pdu=0, next_type=0]
gtp create request, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=104, teid=0, seq=3073, n_pdu=0, next_type=0]
[imsi=240010123456789, rai=<uninitialized>, recovery=3, select_mode=1, data1=1, cp=1, nsapi=0, linked_nsapi=<uninitialized>, charge_character=2048, trace_ref=<uninitialized>, trace_type=<uninitialized>, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=<uninitialized>, pdp_other_addr=<uninitialized>], ap_name=^Hinternet, opts=\x80\xc0#^Q^A^A\0^Q^Cmig^Hhemmelig, signal_addr=[ip=127.0.0.2, other=<uninitialized>], user_addr=[ip=127.0.0.2, other=<uninitialized>], msisdn=\x91d^G^R2T\xf6, qos_prof=[priority=0, data=^K\x92\x1f], tft=<uninitialized>, trigger_id=<uninitialized>, omc_id=<uninitialized>, ext=<uninitialized>]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=78, teid=1, seq=3073, n_pdu=0, next_type=0]
gtp create response, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=78, teid=1, seq=3073, n_pdu=0, next_type=0]
[cause=128, reorder_req=F, recovery=1, data1=1, cp=1, charging_id=1, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=192.168.0.2, pdp_other_addr=<uninitialized>], opts=\x80\x80!^P^B\0\0^P\x81^F\0\0\0\0\x83^F\0\0\0\0, cp_addr=[ip=127.0.0.1, other=<uninitialized>], user_addr=[ip=127.0.0.1, other=<uninitialized>], qos_prof=[priority=0, data=^K\x92\x1f], charge_gateway=<uninitialized>, ext=<uninitialized>]

6
testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path dpd
#open 2012-10-19-17-38-54
#open 2013-01-25-21-49-19
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string
1333458853.075889 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [E\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eVP\x10\x10\xe0u\xcf\x00\x00...]
#close 2012-10-19-17-38-54
1333458853.075889 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [0\xff\x00\xac\x98\x13\x01LE\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eV...]
#close 2013-01-25-21-49-19

4
testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path tunnel
#open 2012-10-19-17-38-54
#open 2013-01-25-21-49-19
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1333458853.034734 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458853.108391 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::CLOSE
#close 2012-10-19-17-38-54
#close 2013-01-25-21-49-19

5
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2012-11-20-06-11-08
#open 2013-02-11-18-44-43
#fields name
#types string
scripts/base/init-bare.bro
@ -54,6 +54,7 @@ scripts/base/init-default.bro
scripts/base/frameworks/cluster/./main.bro
scripts/base/frameworks/control/__load__.bro
scripts/base/frameworks/control/./main.bro
scripts/base/frameworks/notice/./non-cluster.bro
scripts/base/frameworks/notice/./actions/pp-alarms.bro
scripts/base/frameworks/dpd/__load__.bro
scripts/base/frameworks/dpd/./main.bro
@ -119,4 +120,4 @@ scripts/base/init-default.bro
scripts/base/protocols/syslog/./main.bro
scripts/base/misc/find-checksum-offloading.bro
scripts/policy/misc/loaded-scripts.bro
#close 2012-11-20-06-11-08
#close 2013-02-11-18-44-43

44
testing/btest/Baseline/language.container-ctor-scope/out Normal file
View file

@ -0,0 +1,44 @@
{
[2/tcp] = 2,
[1/tcp] = 1,
[3/tcp] = 3
}
{
[2/tcp] = 2,
[1/tcp] = 1,
[3/tcp] = 3
}
{
2/tcp,
1/tcp,
3/tcp
}
{
2/tcp,
1/tcp,
3/tcp
}
[1/tcp, 2/tcp, 3/tcp, 1/tcp]
[1/tcp, 2/tcp, 3/tcp, 1/tcp]
{
[2/tcp] = 2,
[1/tcp] = 1,
[3/tcp] = 3
}
{
[2/tcp] = 2,
[1/tcp] = 1,
[3/tcp] = 3
}
{
2/tcp,
1/tcp,
3/tcp
}
{
2/tcp,
1/tcp,
3/tcp
}
[1/tcp, 2/tcp, 3/tcp, 1/tcp]
[1/tcp, 2/tcp, 3/tcp, 1/tcp]

4
testing/btest/Baseline/language.func-assignment/out Normal file
View file

@ -0,0 +1,4 @@
Brogrammers, like bowties, are cool. Brogrammers, like bowties, are cool. Brogrammers, like bowties, are cool.
Brogrammers, like bowties, are cool. Brogrammers, like bowties, are cool.
BROGRAMMERS, LIKE BOWTIES, ARE COOL.
BROGRAMMERS, LIKE BOWTIES, ARE COOL.

12
testing/btest/Baseline/language.returnwhen/bro..stdout Normal file
View file

@ -0,0 +1,12 @@
dummy from async_func() from bro_init()
async_func() return result in bro_init(), flag in my_set
dummy from bro_init() when block
hi!
dummy from async_func() from do_another()
async_func() return result in do_another(), flag in my_set
dummy from do_another() when block
hi!
dummy from async_func() from do_another()
async_func() return result in do_another(), timeout
dummy from do_another() when block
hi!

168
testing/btest/Baseline/scripts.base.frameworks.input.tableevent/out
View file

@ -1,189 +1,21 @@
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=1]
T
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=2]
T
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=3]
F
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=4]
F
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=5]
F
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=6]
F
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=7]
T

2
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.options/ssh.ds.xml
View file

@ -1,4 +1,4 @@
<ExtentType name="ssh" version="1.0" namespace="bro-ids.org">
<ExtentType name="ssh" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />

20
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.rotate/out
View file

@ -19,7 +19,7 @@ test.2011-03-07-12-00-05.ds test 11-03-07_12.00.05 11-03-07_12.59.55 1 dataserie
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -47,7 +47,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -75,7 +75,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -103,7 +103,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -131,7 +131,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -159,7 +159,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -187,7 +187,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -215,7 +215,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -243,7 +243,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -271,7 +271,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />

2
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.test-logging/ssh.ds.txt
View file

@ -8,7 +8,7 @@
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="ssh" version="1.0" namespace="bro-ids.org">
<ExtentType name="ssh" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />

2
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
View file

@ -8,7 +8,7 @@
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="conn" version="1.0" namespace="bro-ids.org">
<ExtentType name="conn" version="1.0" namespace="bro.org">
<field type="int64" name="ts" pack_relative="ts" units="microseconds" epoch="unix"/>
<field type="variable32" name="uid" pack_unique="yes"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>

2
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
View file

@ -8,7 +8,7 @@
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="conn" version="1.0" namespace="bro-ids.org">
<ExtentType name="conn" version="1.0" namespace="bro.org">
<field type="double" name="ts" pack_relative="ts" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="uid" pack_unique="yes"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>

2
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt
View file

@ -8,7 +8,7 @@
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="http" version="1.0" namespace="bro-ids.org">
<ExtentType name="http" version="1.0" namespace="bro.org">
<field type="double" name="ts" pack_relative="ts" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="uid" pack_unique="yes"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>

10
testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2012-07-20-01-50-59
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet
1342749059.978651 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - 1.2.3.4 - -
#close 2012-07-20-01-51-08
#open 2013-02-11-18-41-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1360608063.517719 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 3600.000000 F - - - - - 1.2.3.4 - -
#close 2013-02-11-18-41-03

10
testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2012-11-20-06-46-22
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1353393982.260495 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-11-20-06-46-22
#open 2013-02-11-18-45-43
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1360608343.088948 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 3600.000000 F - - - - - - - -
#close 2013-02-11-18-45-43

10
testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2012-11-20-06-45-52
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1353393952.489496 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-11-20-06-45-56
#open 2013-02-11-18-45-14
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1360608314.794257 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 3600.000000 F - - - - - - - -
#close 2013-02-11-18-45-17

10
testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2012-07-20-01-49-23
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1342748963.685754 - - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-07-20-01-49-23
#open 2013-02-11-18-32-39
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double
1360607559.193954 - - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2013-02-11-18-32-39

10
testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2012-11-20-06-09-07
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-11-20-06-09-07
#open 2013-02-11-18-33-41
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - - - - -
#close 2013-02-11-18-33-41

Some files were not shown because too many files have changed in this diff Show more