Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 03:28:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

add pacf plugin that directly outputs messages to broker.

Browse source 
Also fix a few problems in pacf in the process of doing this.
This commit is contained in:
Johanna Amann 2015-05-26 11:19:55 -07:00
parent 94fbd492ca
commit 0a49b8cdf6
10 changed files with 288 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

8
testing/btest/Baseline/scripts.base.frameworks.pacf.basic/.stdout
View file

@ -1,4 +1,4 @@
pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin=<uninitialized>]
pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin=<uninitialized>]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin=[config={\x0a\x09[all] = 1\x0a}, _priority=0, plugin=[name=Pacf::debug_name\x0a{ \x0areturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? All : None)));\x0a}, can_expire=F, init=Pacf::debug_init\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, done=Pacf::debug_done\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, add_rule=Pacf::debug_add_rule\x0a{ \x0aPacf::s = fmt(add_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::rule_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_rule=Pacf::debug_remove_rule\x0a{ \x0aPacf::s = fmt(remove_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aevent Pacf::rule_removed(Pacf::r, Pacf::p, );\x0areturn (T);\x0a}, add_notification=Pacf::debug_add_notification\x0a{ \x0aPacf::s = fmt(add_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::notification_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_notification=Pacf::debug_remove_notification\x0a{ \x0aPacf::s = fmt(remove_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0areturn (Pacf::do_something(Pacf::p));\x0a}, transaction_begin=Pacf::debug_transaction_begin\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_begin);\x0a}, transaction_end=Pacf::debug_transaction_end\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_end);\x0a}], of_controller=<uninitialized>, of_config=<uninitialized>]]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin=[config={\x0a\x09[all] = 1\x0a}, _priority=0, plugin=[name=Pacf::debug_name\x0a{ \x0areturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? All : None)));\x0a}, can_expire=F, init=Pacf::debug_init\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, done=Pacf::debug_done\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, add_rule=Pacf::debug_add_rule\x0a{ \x0aPacf::s = fmt(add_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::rule_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_rule=Pacf::debug_remove_rule\x0a{ \x0aPacf::s = fmt(remove_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aevent Pacf::rule_removed(Pacf::r, Pacf::p, );\x0areturn (T);\x0a}, add_notification=Pacf::debug_add_notification\x0a{ \x0aPacf::s = fmt(add_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::notification_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_notification=Pacf::debug_remove_notification\x0a{ \x0aPacf::s = fmt(remove_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0areturn (Pacf::do_something(Pacf::p));\x0a}, transaction_begin=Pacf::debug_transaction_begin\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_begin);\x0a}, transaction_end=Pacf::debug_transaction_end\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_end);\x0a}], of_controller=<uninitialized>, of_config=<uninitialized>]]
pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=<uninitialized>]
pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=<uninitialized>]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1]
pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1]