From 85fd1c9fa7dad716a265a811f68c667414704785 Mon Sep 17 00:00:00 2001 From: James Swaro Date: Sun, 26 Jul 2015 12:46:45 -0500 Subject: [PATCH 01/12] Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin This commit introduces a new hook, HookAddToAnalyzerTree, which allows plugins to add a new analyzer to the analyzer tree during analyzer tree creation. This hook is necessary to support the TCPRS plugin. Additionally, the order in which the scripts were loaded has been changed to address a problem with undefined variable errors due to load order issues. Signed-off-by: James Swaro --- src/analyzer/Manager.cc | 2 ++ src/plugin/Manager.cc | 34 +++++++++++++++++++++++++++++++--- src/plugin/Manager.h | 2 ++ src/plugin/Plugin.cc | 5 +++++ src/plugin/Plugin.h | 3 +++ 5 files changed, 43 insertions(+), 3 deletions(-) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index bc8fceaf39..11ea418269 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -505,6 +505,8 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) if ( ! analyzed ) conn->SetLifetime(non_analyzed_lifetime); + PLUGIN_HOOK_VOID(HOOK_ADD_TO_ANALYZER_TREE, HookAddToAnalyzerTree(conn)); + return true; } diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 8e58c1296b..91a523aca3 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -183,8 +183,9 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ } // Load {bif,scripts}/__load__.bro automatically. - - string init = dir + "lib/bif/__load__.bro"; + // Load scripts/__load__.bro first to avoid issue with undefined variables + // from the plugin + string init = dir + "scripts/__load__.bro"; if ( is_file(init) ) { @@ -192,7 +193,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ scripts_to_load.push_back(init); } - init = dir + "scripts/__load__.bro"; + init = dir + "lib/bif/__load__.bro"; if ( is_file(init) ) { 
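Review bot: The new `PLUGIN_HOOK_VOID(HOOK_ADD_TO_ANALYZER_TREE, ...)` call in BuildInitialAnalyzerTree fires after the `if ( ! analyzed ) conn->SetLifetime(non_analyzed_lifetime);` decision, so an analyzer that a plugin attaches from HookAddToAnalyzerTree does not clear that shortened lifetime, and the connection may be expired as if nothing were analyzing it. If that ordering is intended, say so above the call: `// Plugins may attach analyzers here, but doing so does not revisit the non-analyzed lifetime set above.`; otherwise the hook, or a re-check of whether the tree is still empty, belongs before the lifetime decision. The function starts outside the hunk, so how `analyzed` is computed is not visible here.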
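Review bot: Swapping the two `__load__.bro` paths changes the load order for every dynamic plugin, not just TCPRS, and the new comment only says it avoids undefined variables without naming which identifiers the BIF file needs from the scripts; a plugin whose scripts reference names declared in lib/bif/__load__.bro could now hit the same error in the opposite direction, if such plugins exist. Replace the comment with the concrete dependency, e.g. `// Load scripts/__load__.bro before lib/bif/__load__.bro: BIF declarations may reference types that the plugin's scripts define.` if that is the actual cause, and run the plugins in aux/plugins against the new order before merging. Only the two file-existence checks and the push into scripts_to_load are visible here; where that list is consumed is outside the hunk.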
@@ -660,6 +661,33 @@ void Manager::HookDrainEvents() const } +void Manager::HookAddToAnalyzerTree(Connection *conn) const + { + HookArgumentList args; + + if ( HavePluginForHook(META_HOOK_PRE) ) + { + args.push_back(conn); + MetaHookPre(HOOK_ADD_TO_ANALYZER_TREE, args); + } + + hook_list *l = hooks[HOOK_ADD_TO_ANALYZER_TREE]; + + if ( l ) + { + for (hook_list::iterator i = l->begin() ; i != l->end(); ++i) + { + Plugin *p = (*i).second; + p->HookAddToAnalyzerTree(conn); + } + } + + if ( HavePluginForHook(META_HOOK_POST) ) + { + MetaHookPost(HOOK_ADD_TO_ANALYZER_TREE, args, HookArgument()); + } + } + void Manager::HookUpdateNetworkTime(double network_time) const { HookArgumentList args; diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index db812b6a8c..28add51e3b 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -264,6 +264,8 @@ public: */ void HookUpdateNetworkTime(double network_time) const; + void HookAddToAnalyzerTree(Connection *conn) const; + /** * Hook that informs plugins that the event queue is being drained. */ diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index f05378eb84..3c0d96e29e 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -23,6 +23,7 @@ const char* plugin::hook_name(HookType h) "DrainEvents", "UpdateNetworkTime", "BroObjDtor", + "AddToAnalyzerTree", // MetaHooks "MetaHookPre", "MetaHookPost", @@ -310,6 +311,10 @@ void Plugin::HookUpdateNetworkTime(double network_time) { } +void Plugin::HookAddToAnalyzerTree(Connection *conn) + { + } + void Plugin::HookBroObjDtor(void* obj) { } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 3562891e84..ebd62ef1aa 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h 
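Review bot: `Manager::HookAddToAnalyzerTree` hands the raw `Connection*` to every registered plugin without documenting the contract, and the matching declaration added to Manager.h in this same group of hunks has no `/** */` block, unlike the neighbouring HookUpdateNetworkTime and HookDrainEvents. Add above the declaration something like: `/** Hook that lets plugins attach analyzers to a connection right after its initial analyzer tree has been built. @param conn The connection; the only caller dereferences it before invoking the hook, so it is never null there. */`, and consider an assert on `conn` if other callers are anticipated. The meta-hook bookkeeping mirrors the existing hooks (args populated only when a META_HOOK_PRE plugin exists, then reused for MetaHookPost), so that is consistent rather than a defect, but a one-line comment noting it would spare the next reader the same double-take.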
@@ -39,6 +39,7 @@ enum HookType { HOOK_DRAIN_EVENTS, //< Activates Plugin::HookDrainEvents() HOOK_UPDATE_NETWORK_TIME, //< Activates Plugin::HookUpdateNetworkTime. HOOK_BRO_OBJ_DTOR, //< Activates Plugin::HookBroObjDtor. + HOOK_ADD_TO_ANALYZER_TREE, // Activates Plugin::HookAddToAnalyzerTree // Meta hooks. META_HOOK_PRE, //< Activates Plugin::MetaHookPre(). @@ -636,6 +637,8 @@ protected: */ virtual void HookUpdateNetworkTime(double network_time); + virtual void HookAddToAnalyzerTree(Connection *conn); + /** * Hook for destruction of objects registered with * RequestBroObjDtor(). When Bro's reference counting triggers the From 33cebe11500177706e33e8055109e28411472f27 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 3 Aug 2015 15:10:06 -0500 Subject: [PATCH 02/12] Fix a test that is failing very frequently --- testing/btest/broker/master_store.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/broker/master_store.bro b/testing/btest/broker/master_store.bro index 3863822988..2536addc0f 100644 --- a/testing/btest/broker/master_store.bro +++ b/testing/btest/broker/master_store.bro @@ -1,6 +1,6 @@ # @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run master "bro -b -r $TRACES/wikipedia.trace %INPUT >out" +# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" # @TEST-EXEC: btest-bg-wait 60 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out From 8fc44e7e86fe57d3ca32a99dc8eaa0680a1b659c Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 6 Aug 2015 22:14:48 -0400 Subject: [PATCH 03/12] CID 1312751: Removing redundant assignment. --- aux/plugins | 2 +- src/iosource/Packet.cc | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/aux/plugins b/aux/plugins index 2799b2a135..fcf1ccfa9d 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 2799b2a13577fc70eea1da6192879a25c58902de +Subproject commit fcf1ccfa9d2bfd8036a917d12b43ebe45d351927 
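Review bot: Inserting `HOOK_ADD_TO_ANALYZER_TREE` before `META_HOOK_PRE` in the HookType enum renumbers the meta hooks and anything that follows them, so a dynamic plugin compiled against the previous Plugin.h would register and dispatch under shifted IDs; if Plugin.h carries a plugin API version constant it should be bumped in this commit, and the diffstat shows no such change. The new virtual `HookAddToAnalyzerTree` also lacks the `/** */` documentation every neighbouring hook has, and the enum comment uses `//` where the others use `//<`, so doc generators will drop it. Proposed: `//< Activates Plugin::HookAddToAnalyzerTree().` on the enum line, and above the virtual a block stating that it is called once per connection after the initial analyzer tree is built, that the default implementation (in Plugin.cc) does nothing, and what a plugin may do with `conn`.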
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 396192562f..d40941095a 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -310,9 +310,8 @@ void Packet::ProcessLayer2() } - // We've now determined (a) L3_IPV4 vs (b) L3_IPV6 vs - // (c) L3_ARP vs (d) L3_UNKNOWN. - l3_proto = l3_proto; + // We've now determined (a) L3_IPV4 vs (b) L3_IPV6 vs (c) L3_ARP vs + // (d) L3_UNKNOWN. // Calculate how much header we've used up. hdr_size = (pdata - data); From 068b7d1f8b46e6513cb33fcea2f0f31bef99524d Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 6 Aug 2015 22:17:15 -0400 Subject: [PATCH 04/12] CID 1312752: Add comment to mark 'case' fallthrough as ok. --- src/analyzer/protocol/pop3/POP3.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc index 05ff3c317d..159675a8b9 100644 --- a/src/analyzer/protocol/pop3/POP3.cc +++ b/src/analyzer/protocol/pop3/POP3.cc @@ -722,6 +722,8 @@ void POP3_Analyzer::ProcessReply(int length, const char* line) case CAPA: ProtocolConfirmation(); + // Fall-through. + case UIDL: case LIST: if (requestForMultiLine == true) From 67d529585c23c8e277322822fd1da8a438dacddd Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 6 Aug 2015 22:19:49 -0400 Subject: [PATCH 05/12] CID 1314754: Fixing unreachable code in RSH analyzer. --- src/analyzer/protocol/login/RSH.cc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/analyzer/protocol/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc index e849b476d0..ff8e6bad3e 100644 --- a/src/analyzer/protocol/login/RSH.cc +++ b/src/analyzer/protocol/login/RSH.cc @@ -93,8 +93,7 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) case RSH_LINE_MODE: case RSH_UNKNOWN: case RSH_PRESUMED_REJECTED: - if ( state == RSH_LINE_MODE && - state == RSH_PRESUMED_REJECTED ) + if ( state == RSH_PRESUMED_REJECTED ) { Conn()->Weird("rsh_text_after_rejected"); state = RSH_UNKNOWN; 
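Review bot: Collapsing the always-false `state == RSH_LINE_MODE && state == RSH_PRESUMED_REJECTED` into `state == RSH_PRESUMED_REJECTED` is a behavioural change, not only a Coverity cleanup: text arriving after a presumed rejection now raises the `rsh_text_after_rejected` weird and resets the state to RSH_UNKNOWN, a path that previously could never execute. The commit carries no trace or baseline for it, so a test exercising a rejected rsh session should be added and the commit message should say the branch is now live. Whether `||` or RSH_LINE_MODE was the originally intended condition cannot be told from this hunk; the enclosing switch continues outside it.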
From 9efd54a08a06e778ef70fa43ef9c6f6d5f781f3f Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 6 Aug 2015 22:25:19 -0400 Subject: [PATCH 06/12] Merge remote-tracking branch 'origin/topic/dnthayer/ticket1440' * origin/topic/dnthayer/ticket1440: Remove build dependency on perl --- CHANGES | 13 ++++ CMakeLists.txt | 2 +- NEWS | 2 + VERSION | 2 +- aux/bro-aux | 2 +- configure | 6 +- doc/install/install.rst | 6 +- src/CMakeLists.txt | 10 +-- src/make_dbg_constants.pl | 143 -------------------------------------- src/make_dbg_constants.py | 114 ++++++++++++++++++++++++++++++ 10 files changed, 141 insertions(+), 159 deletions(-) delete mode 100644 src/make_dbg_constants.pl create mode 100644 src/make_dbg_constants.py diff --git a/CHANGES b/CHANGES index 77f6c889b5..42db368d81 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,17 @@ +2.4-78 | 2015-08-06 22:25:19 -0400 + + * Remove build dependency on Perl (now requiring Python instad). + (Daniel Thayer) + + * CID 1314754: Fixing unreachable code in RSH analyzer. (Robin + Sommer) + + * CID 1312752: Add comment to mark 'case' fallthrough as ok. (Robin + Sommer) + + * CID 1312751: Removing redundant assignment. (Robin Sommer) + 2.4-73 | 2015-07-31 08:53:49 -0700 * BIT-1429: SMTP logs now include CC: addresses. (Albert Zaharovits) diff --git a/CMakeLists.txt b/CMakeLists.txt index 7dbf8109ad..2a3251d111 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -61,7 +61,7 @@ if (NOT SED_EXE) endif () endif () -FindRequiredPackage(Perl) +FindRequiredPackage(PythonInterp) FindRequiredPackage(FLEX) FindRequiredPackage(BISON) FindRequiredPackage(PCAP) diff --git a/NEWS b/NEWS index 071677010f..726c6032bf 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,8 @@ New Dependencies - Bro now requires the C++ Actor Framework, CAF, which must be installed first. See http://actor-framework.org. +- Bro now requires Python instead of Perl to compile the source code. + New Functionality ----------------- 
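Review bot: `FindRequiredPackage(PythonInterp)` sets no minimum version and pins neither Python 2 nor 3, yet the build now depends on make_dbg_constants.py running under whichever interpreter CMake finds first. The script as written appears to be 2/3-neutral (only `%` formatting and plain file I/O), so record that expectation next to the requirement, e.g. `FindRequiredPackage(PythonInterp) # make_dbg_constants.py must stay runnable on Python 2 and 3`, or pass a version floor if the macro supports one.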
diff --git a/VERSION b/VERSION index 5e220b92fd..7e806db48f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-73 +2.4-78 diff --git a/aux/bro-aux b/aux/bro-aux index 07af9748f4..7012f7bb77 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 07af9748f40dc47d3a2b3290db494a90dcbddbdc +Subproject commit 7012f7bb7768ffd56282e0d453c5f919b2142551 diff --git a/configure b/configure index ae2f337117..3e844735a5 100755 --- a/configure +++ b/configure @@ -55,7 +55,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-binpac=PATH path to BinPAC install root --with-flex=PATH path to flex executable --with-bison=PATH path to bison executable - --with-perl=PATH path to perl executable + --with-python=PATH path to Python executable --with-libcaf=PATH path to C++ Actor Framework installation (a required Broker dependency) @@ -63,7 +63,6 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-geoip=PATH path to the libGeoIP install root --with-perftools=PATH path to Google Perftools install root --with-jemalloc=PATH path to jemalloc install root - --with-python=PATH path to Python interpreter --with-python-lib=PATH path to libpython --with-python-inc=PATH path to Python headers --with-ruby=PATH path to ruby interpreter @@ -239,9 +238,6 @@ while [ $# -ne 0 ]; do --with-bison=*) append_cache_entry BISON_EXECUTABLE PATH $optarg ;; - --with-perl=*) - append_cache_entry PERL_EXECUTABLE PATH $optarg - ;; --with-geoip=*) append_cache_entry LibGeoIP_ROOT_DIR PATH $optarg ;; diff --git a/doc/install/install.rst b/doc/install/install.rst index eff3ec9728..ff8d83ad97 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -45,7 +45,7 @@ To build Bro from source, the following additional dependencies are required: * Libpcap headers (http://www.tcpdump.org) * OpenSSL headers (http://www.openssl.org) * zlib headers - * Perl + * Python .. todo:: 
@@ -72,7 +72,7 @@ To install the required dependencies, you can use: .. console:: - sudo pkg install bash cmake swig bison python perl5 py27-sqlite3 + sudo pkg install bash cmake swig bison python py27-sqlite3 Note that in older versions of FreeBSD, you might have to use the "pkg_add -r" command instead of "pkg install". @@ -166,7 +166,7 @@ run ``./configure --help``): make install The default installation path is ``/usr/local/bro``, which would typically -require root privileges when doing the ``make install``. A different +require root privileges when doing the ``make install``. A different installation path can be chosen by specifying the ``--prefix`` option. Note that ``/usr`` and ``/opt/bro`` are the standard prefixes for binary Bro packages to be installed, so those are diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index bdbd3839ce..9a807b3182 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -223,16 +223,16 @@ endmacro(COLLECT_HEADERS _var) cmake_policy(POP) -# define a command that's used to run the make_dbg_constants.pl script +# define a command that's used to run the make_dbg_constants.py script # building the bro binary depends on the outputs of this script add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdInfoConstants.cc - COMMAND ${PERL_EXECUTABLE} - ARGS ${CMAKE_CURRENT_SOURCE_DIR}/make_dbg_constants.pl + COMMAND ${PYTHON_EXECUTABLE} + ARGS ${CMAKE_CURRENT_SOURCE_DIR}/make_dbg_constants.py ${CMAKE_CURRENT_SOURCE_DIR}/DebugCmdInfoConstants.in - DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/make_dbg_constants.pl + DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/make_dbg_constants.py ${CMAKE_CURRENT_SOURCE_DIR}/DebugCmdInfoConstants.in - COMMENT "[Perl] Processing debug commands" + COMMENT "[Python] Processing debug commands" WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} ) diff --git a/src/make_dbg_constants.pl b/src/make_dbg_constants.pl deleted file mode 100644 index 29efac8050..0000000000 
--- a/src/make_dbg_constants.pl +++ /dev/null 
@@ -1,143 +0,0 @@ -# Build the DebugCmdConstants.h and DebugCmdInfoConstants.h files from the -# DebugCmdInfoConstants.in file. -# -# We do this via a script rather than maintaining them directly because -# the struct is a little complicated, so has to be initialized from code, -# plus we want to make adding new constants somewhat less painful. -# -# The input filename should be supplied as an argument -# -# DebugCmds are printed to DebugCmdConstants.h -# DebugCmdInfos are printed to DebugCmdInfoConstants.h -# -# The input format is: -# -# cmd: [DebugCmd] -# names: [space delimited names of cmd] -# resume: ['true' or 'false': should execution resume after this command?] -# help: [some help text] -# -# Blank lines are skipped. -# Comments should start with // and should be on a line by themselves. - -use strict; - -open INPUT, $ARGV[0] or die "Input file $ARGV[0] not found."; -open DEBUGCMDS, ">DebugCmdConstants.h" - or die "Unable to open DebugCmdConstants.h"; -open DEBUGCMDINFOS, ">DebugCmdInfoConstants.cc" - or die "Unable to open DebugCmdInfoConstants.cc"; - -my $init_tmpl = -' - { - DebugCmdInfo* info; - @@name_init - info = new DebugCmdInfo (@@cmd, names, @@num_names, @@resume, "@@help", - @@repeatable); - g_DebugCmdInfos.push_back(info); - } -'; - -my $enum_str = " -// -// This file was automatically generated from $ARGV[0] -// DO NOT EDIT. -// -enum DebugCmd { -"; - -my $init_str = " -// -// This file was automatically generated from $ARGV[0] -// DO NOT EDIT. 
-// - -#include \"util.h\" -void init_global_dbg_constants () { -"; - -my %dbginfo; -# { cmd, num_names, \@names, name_init, resume, help, repeatable } - -no strict "refs"; -sub OutputRecord { - $dbginfo{name_init} .= "const char * const names[] = {\n\t"; - $_ = "\"$_\"" foreach @{$dbginfo{names}}; # put quotes around the strings - my $name_strs = join ",\n\t", @{$dbginfo{names}}; - $dbginfo{name_init} .= "$name_strs\n };\n"; - - $dbginfo{num_names} = scalar @{$dbginfo{names}}; - - # substitute into template - my $init = $init_tmpl; - $init =~ s/(\@\@(\w+))/defined $dbginfo{$2} ? $dbginfo{$2} : ""/eg; - - $init_str .= $init; - - $enum_str .= "\t$dbginfo{cmd},\n"; -} -use strict "refs"; - -sub InitDbginfo - { - my $dbginfo = shift; - %$dbginfo = ( num_names => 0, names => [], resume => 'false', help => '', - repeatable => 'false' ); - } - - -InitDbginfo(\%dbginfo); - -while () { - chomp ($_); - next if $_ =~ /^\s*$/; # skip blank - next if $_ =~ /^\s*\/\//; # skip comments - - $_ =~ /^\s*([a-z]+):\s*(.*)$/ or - die "Error in debug constant file on line: $_"; - - if ($1 eq 'cmd') - { - my $newcmd = $2; - if (defined $dbginfo{cmd}) { # output the previous record - OutputRecord(); - InitDbginfo(\%dbginfo); - } - - $dbginfo{cmd} = $newcmd; - } - elsif ($1 eq 'names') - { - my @names = split / /, $2; - $dbginfo{names} = \@names; - } - elsif ($1 eq 'resume') - { - $dbginfo{resume} = $2; - } - elsif ($1 eq 'help') - { - $dbginfo{help} = $2; - $dbginfo{help} =~ s{\"}{\\\"}g; # escape quotation marks - } - elsif ($1 eq 'repeatable') - { - $dbginfo{repeatable} = $2; - } - else { - die "Unknown command: $_\n"; - } -} - -# output the last record -OutputRecord(); - -$init_str .= " \n}\n"; -$enum_str .= " dcLast\n};\n"; - -print DEBUGCMDS $enum_str; -close DEBUGCMDS; - -print DEBUGCMDINFOS $init_str; -close DEBUGCMDINFOS; diff --git a/src/make_dbg_constants.py b/src/make_dbg_constants.py new file mode 100644 index 0000000000..e18330db87 --- /dev/null 
+++ b/src/make_dbg_constants.py 
@@ -0,0 +1,114 @@ +# Build the DebugCmdConstants.h and DebugCmdInfoConstants.cc files from the +# DebugCmdInfoConstants.in file. +# +# We do this via a script rather than maintaining them directly because +# the struct is a little complicated, so has to be initialized from code, +# plus we want to make adding new constants somewhat less painful. +# +# The input filename should be supplied as an argument. +# +# DebugCmds are printed to DebugCmdConstants.h +# DebugCmdInfos are printed to DebugCmdInfoConstants.cc +# +# The input format is: +# +# cmd: [DebugCmd] +# names: [space delimited names of cmd] +# resume: ['true' or 'false': should execution resume after this command?] +# help: [some help text] +# +# Blank lines are skipped. +# Comments should start with // and should be on a line by themselves. + +import sys + +inputfile = sys.argv[1] + +init_tmpl = ''' + { + DebugCmdInfo* info; + %(name_init)s + info = new DebugCmdInfo (%(cmd)s, names, %(num_names)s, %(resume)s, "%(help)s", + %(repeatable)s); + g_DebugCmdInfos.push_back(info); + } +''' + +enum_str = ''' +// +// This file was automatically generated from %s +// DO NOT EDIT. +// +enum DebugCmd { +''' % inputfile + +init_str = ''' +// +// This file was automatically generated from %s +// DO NOT EDIT. 
+// + +#include "util.h" +void init_global_dbg_constants () { +''' % inputfile + +def outputrecord(): + global init_str, enum_str + + dbginfo["name_init"] = "const char * const names[] = {\n\t%s\n };\n" % ",\n\t".join(dbginfo["names"]) + + dbginfo["num_names"] = len(dbginfo["names"]) + + # substitute into template + init_str += init_tmpl % dbginfo + + enum_str += "\t%s,\n" % dbginfo["cmd"] + +def initdbginfo(): + return {"cmd": "", "name_init": "", "num_names": 0, "names": [], + "resume": "false", "help": "", "repeatable": "false"} + +dbginfo = initdbginfo() + +inputf = open(inputfile, "r") +for line in inputf: + line = line.strip() + if not line or line.startswith("//"): # skip empty lines and comments + continue + + fields = line.split(":", 1) + if len(fields) != 2: + raise RuntimeError("Error in debug constant file on line: %s" % line) + + f1, f2 = fields + f2 = f2.strip() + + if f1 == "cmd": + if dbginfo[f1]: # output the previous record + outputrecord() + dbginfo = initdbginfo() + + dbginfo[f1] = f2 + elif f1 == "names": + # put quotes around the strings + dbginfo[f1] = [ '"%s"' % n for n in f2.split() ] + elif f1 == "help": + dbginfo[f1] = f2.replace('"', '\\"') # escape quotation marks + elif f1 in ("resume", "repeatable"): + dbginfo[f1] = f2 + else: + raise RuntimeError("Unknown command: %s" % line) + +# output the last record +outputrecord() + +init_str += " \n}\n" +enum_str += " dcLast\n};\n" + +debugcmds = open("DebugCmdConstants.h", "w") +debugcmds.write(enum_str) +debugcmds.close() + +debugcmdinfos = open("DebugCmdInfoConstants.cc", "w") +debugcmdinfos.write(init_str) +debugcmdinfos.close() From 0beed7132891b0a341754b860ffa710489cdb727 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Aug 2015 14:04:31 -0700 Subject: [PATCH 07/12] Updating submodule. --- aux/bro-aux | 2 +- aux/plugins | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index 7012f7bb77..440f7897e5 160000 --- a/aux/bro-aux 
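Review bot: In make_dbg_constants.py only the double quote is escaped before the help text is dropped into a C string literal (`dbginfo[f1] = f2.replace('"', '\\"')`), and the `names:` values are quoted with no escaping at all, so a backslash or stray quote in DebugCmdInfoConstants.in becomes a C escape sequence or a syntax error in the generated DebugCmdInfoConstants.cc. The Perl script had the same gap, so this is not a regression, but escaping backslashes first is one line: `dbginfo[f1] = f2.replace('\\', '\\\\').replace('"', '\\"')`. Also `sys.argv[1]` is read with no usage check, and the three files are opened without `with`, so an exception part-way through may leave a partially written output whose timestamp makes the next build treat it as up to date.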
+++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 7012f7bb7768ffd56282e0d453c5f919b2142551 +Subproject commit 440f7897e5afceddc8b813b074028d8d256d3083 diff --git a/aux/plugins b/aux/plugins index fcf1ccfa9d..2799b2a135 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit fcf1ccfa9d2bfd8036a917d12b43ebe45d351927 +Subproject commit 2799b2a13577fc70eea1da6192879a25c58902de From a6704db3ba67a3b2d3c62b54d16fb2687b6566df Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Aug 2015 14:14:24 -0700 Subject: [PATCH 08/12] Updating submodule(s). [nomail] --- NEWS | 1 + aux/plugins | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 726c6032bf..3b9efd1912 100644 --- a/NEWS +++ b/NEWS @@ -31,6 +31,7 @@ New Functionality - New Bro plugins in aux/plugins: - pf_ring: Native PF_RING support. + - redis: An experimental log writer for Redis. Bro 2.4 ======= diff --git a/aux/plugins b/aux/plugins index 2799b2a135..bb86ad945c 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 2799b2a13577fc70eea1da6192879a25c58902de +Subproject commit bb86ad945c823c94ea8385ec4ebb9546ba5198af From 8c235d91a770edd86c23e1b0d65cd18af06b1b0a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 10 Aug 2015 13:00:36 -0700 Subject: [PATCH 09/12] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index 440f7897e5..1a525eef91 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 440f7897e5afceddc8b813b074028d8d256d3083 +Subproject commit 1a525eef9132855c2dfaf5ba62fcc572d97873d5 From 7d71f0047f7af2a8ae5c28ab971c8b9109070b5d Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 10 Aug 2015 15:16:16 -0700 Subject: [PATCH 10/12] Updating submodule(s). [nomail] --- aux/plugins | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/plugins b/aux/plugins index 09cd828ba8..bb86ad945c 160000 --- a/aux/plugins 
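Review bot: This `aux/plugins` update moves the submodule pointer from fcf1ccfa9d back to 2799b2a135, the exact commit that patch 03 in this series had advanced it from, while aux/bro-aux moves forward; a pointer that goes backwards silently drops whatever fcf1ccfa9d contained, and "Updating submodule." does not say whether the rollback is intended or a mis-merge. Patch 10 later moves aux/plugins from 09cd828ba8 to bb86ad945c, which suggests the pointer was flip-flopping across branches. A `git log --oneline 2799b2a135..fcf1ccfa9d` inside aux/plugins would show what was dropped and should be reflected in the message.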
+++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 09cd828ba80a0df69a78e64743aedf23a29e6bdc +Subproject commit bb86ad945c823c94ea8385ec4ebb9546ba5198af From a9867c706db5e47172c35ce0e03efc37176db4c2 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 12 Aug 2015 17:02:24 -0700 Subject: [PATCH 11/12] Make Teredo DPD signature more precise. Contributed by Martina Balint in https://github.com/bro/bro/pull/39. (I didn't merge the github branch, as that has some more stuff in its history. Instead I applied the single-line change directly.) --- CHANGES | 4 ++++ VERSION | 2 +- scripts/base/protocols/tunnels/dpd.sig | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index ff97b9c2a1..e61c32f9eb 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.4-86 | 2015-08-12 17:02:24 -0700 + + * Make Teredo DPD signature more precise. (Martina Balint.) + 2.4-84 | 2015-08-10 14:44:39 -0700 * Add hook 'HookSetupAnalyzerTree' to allow plugins access to a diff --git a/VERSION b/VERSION index b8af263b9a..3470468254 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-84 +2.4-86 diff --git a/scripts/base/protocols/tunnels/dpd.sig b/scripts/base/protocols/tunnels/dpd.sig index 0c66775f5d..9c4bddeffd 100644 --- a/scripts/base/protocols/tunnels/dpd.sig +++ b/scripts/base/protocols/tunnels/dpd.sig @@ -9,6 +9,6 @@ signature dpd_ayiya { signature dpd_teredo { ip-proto = udp - payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f])/ + payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/ enable "teredo" } From ac5c4f117f662cd493dd33ef74690a08a3f14b99 Mon Sep 17 00:00:00 2001 
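Review bot: In `dpd_teredo`, the `^` anchor binds only to the first alternative if Bro's signature regexes follow ordinary precedence (alternation is the loosest operator), so the two new `[\x60-\x6f]...` branches, like `(\x00\x01)` before them, can match at any offset in the payload rather than at an IPv6 header at the start of a Teredo packet. Wrapping the whole alternation, `payload /^((\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}\x20\x01\x00\x00.{28})|([\x60-\x6f].{23}\x20\x01\x00\x00.{12}))/`, makes the anchoring explicit and also removes the inconsistent placement of the trailing `.{12}` outside the last group. The first two branches still accept any payload that begins with 0x0000 or 0x0001 (presumably the origin and authentication indicators), so they remain the lax part of this signature; the 0x2001 0x0000 bytes at offsets 8 and 24 presumably check for the Teredo /32 prefix in the source or destination address.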
From: Robin Sommer Date: Fri, 14 Aug 2015 08:34:41 -0700 Subject: [PATCH 12/12] Removing the yielding_teredo_decapsulation option. With the more precise Teredo option, it seems no longer needed, and it was a bit of a fragile mechanism to begin with. --- CHANGES | 6 +++- VERSION | 2 +- scripts/base/init-bare.bro | 11 +------ src/analyzer/protocol/teredo/Teredo.cc | 31 +------------------ src/const.bif | 1 - .../core.tunnels.false-teredo/weird.log | 15 --------- .../known_services.log | 10 ------ testing/btest/core/tunnels/false-teredo.bro | 3 -- .../core/tunnels/teredo-known-services.test | 4 --- 9 files changed, 8 insertions(+), 75 deletions(-) delete mode 100644 testing/btest/Baseline/core.tunnels.false-teredo/weird.log delete mode 100644 testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log diff --git a/CHANGES b/CHANGES index e61c32f9eb..8471ba869e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,11 @@ +2.4-87 | 2015-08-14 08:34:41 -0700 + + * Removing the yielding_teredo_decapsulation option. (Robin Sommer) + 2.4-86 | 2015-08-12 17:02:24 -0700 - * Make Teredo DPD signature more precise. (Martina Balint.) + * Make Teredo DPD signature more precise. (Martina Balint) 2.4-84 | 2015-08-10 14:44:39 -0700 diff --git a/VERSION b/VERSION index 3470468254..02038082a5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-86 +2.4-87 diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 24c6f6f5f1..40f518b682 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -3662,20 +3662,11 @@ export { ## Toggle whether to do GRE decapsulation. const enable_gre = T &redef; - ## With this option set, the Teredo analysis will first check to see if - ## other protocol analyzers have confirmed that they think they're - ## parsing the right protocol and only continue with Teredo tunnel - ## decapsulation if nothing else has yet confirmed. This can help - ## reduce false positives of UDP traffic (e.g. DNS) that also happens - ## to have a valid Teredo encapsulation. - const yielding_teredo_decapsulation = T &redef; - ## With this set, the Teredo analyzer waits until it sees both sides ## of a connection using a valid Teredo encapsulation before issuing ## a :bro:see:`protocol_confirmation`. If it's false, the first ## occurrence of a packet with valid Teredo encapsulation causes a - ## confirmation. Both cases are still subject to effects of - ## :bro:see:`Tunnel::yielding_teredo_decapsulation`. + ## confirmation. const delay_teredo_confirmation = T &redef; ## With this set, the GTP analyzer waits until the most-recent upflow diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc index 400f38839e..6ad00a82dc 100644 --- a/src/analyzer/protocol/teredo/Teredo.cc +++ b/src/analyzer/protocol/teredo/Teredo.cc 
@@ -189,36 +189,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, else valid_resp = true; - if ( BifConst::Tunnel::yielding_teredo_decapsulation && - ! ProtocolConfirmed() ) - { - // Only confirm the Teredo tunnel and start decapsulating packets - // when no other sibling analyzer thinks it's already parsing the - // right protocol. - bool sibling_has_confirmed = false; - if ( Parent() ) - { - LOOP_OVER_GIVEN_CONST_CHILDREN(i, Parent()->GetChildren()) - { - if ( (*i)->ProtocolConfirmed() ) - { - sibling_has_confirmed = true; - break; - } - } - } - - if ( ! sibling_has_confirmed ) - Confirm(); - else - { - delete inner; - return; - } - } - else - // Aggressively decapsulate anything with valid Teredo encapsulation. - Confirm(); + Confirm(); } else diff --git a/src/const.bif b/src/const.bif index 0ba168ca85..2d062d854a 100644 --- a/src/const.bif +++ b/src/const.bif @@ -19,7 +19,6 @@ const Tunnel::enable_ayiya: bool; const Tunnel::enable_teredo: bool; const Tunnel::enable_gtpv1: bool; const Tunnel::enable_gre: bool; -const Tunnel::yielding_teredo_decapsulation: bool; const Tunnel::delay_teredo_confirmation: bool; const Tunnel::delay_gtp_confirmation: bool; const Tunnel::ip_tunnel_timeout: interval; diff --git a/testing/btest/Baseline/core.tunnels.false-teredo/weird.log b/testing/btest/Baseline/core.tunnels.false-teredo/weird.log deleted file mode 100644 index a84d469660..0000000000 --- a/testing/btest/Baseline/core.tunnels.false-teredo/weird.log +++ /dev/null 
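Review bot: Dropping the sibling-analyzer check makes `Confirm()` unconditional once a packet carries a valid Teredo encapsulation, so the DPD signature tightened in the previous commit is now the only defence against decapsulating and confirming traffic such as DNS whose payload happens to look like Teredo; the analyzer no longer yields to a sibling that has already confirmed. That is a reasonable trade only if the signature is anchored and a false-positive trace stays in the test suite, so keep false-teredo.pcap and record the reliance here: `// No yielding to sibling analyzers any more; the DPD signature is expected to keep non-Teredo traffic away from this analyzer.` The rest of DeliverPacket, including the `delay_teredo_confirmation` handling that sets valid_orig/valid_resp, is outside the hunk.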
@@ -1,15 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path weird -#open 2009-11-18-17-59-51 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer -#types time string addr port addr port string string bool string -1258567191.405770 - - - - - truncated_header_in_tunnel - F bro -1258578181.260420 - - - - - truncated_header_in_tunnel - F bro -1258579063.557927 - - - - - truncated_header_in_tunnel - F bro -1258581768.568451 - - - - - truncated_header_in_tunnel - F bro -1258584478.859853 - - - - - truncated_header_in_tunnel - F bro -1258600683.934458 - - - - - truncated_header_in_tunnel - F bro -#close 2009-11-19-03-18-03 diff --git a/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log b/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log deleted file mode 100644 index 1330c6c505..0000000000 --- a/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path known_services -#open 2014-04-01-22-57-25 -#fields ts host port_num port_proto service -#types time addr port enum set[string] -1258567191.405770 192.168.1.1 53 udp TEREDO -#close 2014-04-01-22-57-25 diff --git a/testing/btest/core/tunnels/false-teredo.bro b/testing/btest/core/tunnels/false-teredo.bro index 381478bd54..5622e05204 100644 --- a/testing/btest/core/tunnels/false-teredo.bro +++ b/testing/btest/core/tunnels/false-teredo.bro 
@@ -1,9 +1,6 @@ # @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap %INPUT >output # @TEST-EXEC: test ! -e weird.log # @TEST-EXEC: test ! -e dpd.log -# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap %INPUT Tunnel::yielding_teredo_decapsulation=F >output -# @TEST-EXEC: btest-diff weird.log -# @TEST-EXEC: test ! -e dpd.log # In the first case, there isn't any weird or protocol violation logged # since the teredo analyzer recognizes that the DNS analyzer has confirmed diff --git a/testing/btest/core/tunnels/teredo-known-services.test b/testing/btest/core/tunnels/teredo-known-services.test index da3a538515..db42996eb2 100644 --- a/testing/btest/core/tunnels/teredo-known-services.test +++ b/testing/btest/core/tunnels/teredo-known-services.test @@ -1,11 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd base/protocols/tunnels protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: test ! -e known_services.log -# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd base/protocols/tunnels protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" -# @TEST-EXEC: btest-diff known_services.log # The first case using Tunnel::delay_teredo_confirmation=T doesn't produce # a known services.log since valid Teredo encapsulations from both endpoints # of a connection is never witnessed and a protocol_confirmation never issued. -# The second case issues protocol_confirmations more hastily and so bogus -# entries in known-services.log are more likely to appear.
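Review bot: The comment left in false-teredo.bro still says "In the first case, there isn't any weird or protocol violation logged since the teredo analyzer recognizes that the DNS analyzer has confirmed", but this commit removes both the second case and the sibling-confirmation mechanism the sentence describes, so the test now documents behaviour that no longer exists. Reword it to the actual reason, e.g. `# No weird or protocol violation is logged because the tightened Teredo DPD signature no longer matches this DNS traffic.`, if that is indeed why the trace no longer reaches the analyzer, which is worth confirming against the pcap. teredo-known-services.test has the same residue in "The first case using Tunnel::delay_teredo_confirmation=T" now that only one case remains.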