diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index 8e6a807c24..7c15fb4fae 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro @@ -38,7 +38,7 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(Syslog::LOG, [$columns=Info]); - Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG_BINPAC, ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 1b26d56575..c54abea7a6 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -152,8 +152,6 @@ binpac_target(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac) binpac_target(socks.pac socks-protocol.pac socks-analyzer.pac) -binpac_target(syslog.pac - syslog-protocol.pac syslog-analyzer.pac) binpac_target(modbus.pac modbus-protocol.pac modbus-analyzer.pac) @@ -349,7 +347,6 @@ set(bro_SRCS Stats.cc SteppingStone.cc Stmt.cc - Syslog-binpac.cc TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc diff --git a/src/event.bif b/src/event.bif index 65ff3a5731..8a44e8723e 100644 --- a/src/event.bif +++ b/src/event.bif 
@@ -5828,23 +5828,6 @@ event irc_password_message%(c: connection, is_orig: bool, password: string%); ## event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); -## Generated for monitored Syslog messages. -## -## See `Wikipedia `__ for more -## information about the Syslog protocol. -## -## c: The connection record for the underlying transport-layer session/flow. -## -## facility: The "facility" included in the message. -## -## severity: The "severity" included in the message. -## -## msg: The message logged. -## -## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP -## syslog will be added soon. -event syslog_message%(c: connection, facility: count, severity: count, msg: string%); - ## Generated when a signature matches. Bro's signature engine provides ## high-performance pattern matching separately from the normal script ## processing. If a signature with an ``event`` action matches, this event is diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc index 39e8eefac0..3bc15621fd 100644 --- a/src/protocols/BuiltInAnalyzers.cc +++ b/src/protocols/BuiltInAnalyzers.cc @@ -37,7 +37,6 @@ #include "POP3.h" #include "SOCKS.h" #include "SSH.h" -#include "Syslog-binpac.h" #include "Teredo.h" #include "ConnSizeAnalyzer.h" #include "GTPv1.h" @@ -90,7 +89,6 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer); - DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer); DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); diff --git a/src/protocols/CMakeLists.txt b/src/protocols/CMakeLists.txt index 35db6549fa..19dda0c770 100644 --- a/src/protocols/CMakeLists.txt +++ b/src/protocols/CMakeLists.txt 
@@ -1,3 +1,4 @@ add_subdirectory(http) add_subdirectory(ssl) +add_subdirectory(syslog) diff --git a/src/protocols/syslog/CMakeLists.txt b/src/protocols/syslog/CMakeLists.txt new file mode 100644 index 0000000000..3fc6b9ea69 --- /dev/null +++ b/src/protocols/syslog/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Syslog) +bro_plugin_cc(Syslog.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac) +bro_plugin_end() diff --git a/src/protocols/syslog/Plugin.cc b/src/protocols/syslog/Plugin.cc new file mode 100644 index 0000000000..a0a2934411 --- /dev/null +++ b/src/protocols/syslog/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Syslog.h" + +BRO_PLUGIN_BEGIN(Syslog) + BRO_PLUGIN_DESCRIPTION = "Syslog Analyzer (UDP-only currently)"; + BRO_PLUGIN_ANALYZER("SYSLOG", Syslog_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/Syslog-binpac.cc b/src/protocols/syslog/Syslog.cc similarity index 62% rename from src/Syslog-binpac.cc rename to src/protocols/syslog/Syslog.cc index 37449004c7..137cecbd18 100644 --- a/src/Syslog-binpac.cc +++ b/src/protocols/syslog/Syslog.cc 
@@ -1,21 +1,22 @@ -#include "Syslog-binpac.h" + +#include "Syslog.h" #include "TCP_Reassembler.h" -Syslog_Analyzer_binpac::Syslog_Analyzer_binpac(Connection* conn) -: Analyzer("SYSLOG_BINPAC", conn) +Syslog_Analyzer::Syslog_Analyzer(Connection* conn) +: Analyzer("SYSLOG", conn) { interp = new binpac::Syslog::Syslog_Conn(this); did_session_done = 0; - //ADD_ANALYZER_TIMER(&Syslog_Analyzer_binpac::ExpireTimer, + //ADD_ANALYZER_TIMER(&Syslog_Analyzer::ExpireTimer, // network_time + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); } -Syslog_Analyzer_binpac::~Syslog_Analyzer_binpac() +Syslog_Analyzer::~Syslog_Analyzer() { delete interp; } -void Syslog_Analyzer_binpac::Done() +void Syslog_Analyzer::Done() { Analyzer::Done(); @@ -23,13 +24,13 @@ void Syslog_Analyzer_binpac::Done() Event(udp_session_done); } -void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) +void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); interp->NewData(orig, data, data + len); } -//void Syslog_Analyzer_binpac::ExpireTimer(double t) +//void Syslog_Analyzer::ExpireTimer(double t) // { // // The - 1.0 in the following is to allow 1 second for the // // common case of a single request followed by a single reply, 
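Review bot: `interp->NewData(orig, data, data + len);` in the renamed `Syslog_Analyzer::DeliverPacket` feeds a raw UDP payload to the generated binpac parser with no exception handling, so a malformed datagram that makes the grammar throw would propagate out of the analyzer instead of being reported as a protocol violation on the connection; this predates the rename, but the commit carries it into the new plugin unchanged. The usual shape for a binpac-backed analyzer is `try { interp->NewData(orig, data, data + len); } catch ( const binpac::Exception& e ) { /* report as protocol violation and stop feeding this flow */ }`, with the exception type matching whatever this tree's binpac runtime throws. If the syslog grammar is known never to throw (it only slices the datagram into facility, severity and text), a one-line comment at the call site stating that would be enough. The two Syslog.cc hunks on this line share the anchor; the constructor hunk is complete but the commented-out `ExpireTimer` body runs past the end of the second hunk.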
@@ -40,22 +41,22 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // sessions->Remove(Conn()); // } // else -// ADD_ANALYZER_TIMER(&Syslog_Analyzer_binpac::ExpireTimer, +// ADD_ANALYZER_TIMER(&Syslog_Analyzer::ExpireTimer, // t + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); // } -//Syslog_TCP_Analyzer_binpac::Syslog_TCP_Analyzer_binpac(Connection* conn) +//Syslog_TCP_Analyzer::Syslog_TCP_Analyzer(Connection* conn) //: TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } -//Syslog_TCP_Analyzer_binpac::~Syslog_TCP_Analyzer_binpac() +//Syslog_TCP_Analyzer::~Syslog_TCP_Analyzer() // { // delete interp; // } -//void Syslog_TCP_Analyzer_binpac::Done() +//void Syslog_TCP_Analyzer::Done() // { // TCP_ApplicationAnalyzer::Done(); // @@ -63,13 +64,13 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // interp->FlowEOF(false); // } -//void Syslog_TCP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp) +//void Syslog_TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp) // { // TCP_ApplicationAnalyzer::EndpointEOF(endp); // interp->FlowEOF(endp->IsOrig()); // } -//void Syslog_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data, +//void Syslog_TCP_Analyzer::DeliverStream(int len, const u_char* data, // bool orig) // { // TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); @@ -83,7 +84,7 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // interp->NewData(orig, data, data + len); // } -//void Syslog_TCP_Analyzer_binpac::Undelivered(int seq, int len, bool orig) +//void Syslog_TCP_Analyzer::Undelivered(int seq, int len, bool orig) // { // TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // interp->NewGap(orig, len); diff --git a/src/Syslog-binpac.h b/src/protocols/syslog/Syslog.h similarity index 63% rename from src/Syslog-binpac.h rename to src/protocols/syslog/Syslog.h index 176f2d5b70..2a96bd8ae6 100644 
--- a/src/Syslog-binpac.h +++ b/src/protocols/syslog/Syslog.h @@ -1,22 +1,23 @@ -#ifndef Syslog_binpac_h -#define Syslog_binpac_h + +#ifndef Syslog_h +#define Syslog_h #include "UDP.h" #include "TCP.h" #include "syslog_pac.h" -class Syslog_Analyzer_binpac : public analyzer::Analyzer { +class Syslog_Analyzer : public analyzer::Analyzer { public: - Syslog_Analyzer_binpac(Connection* conn); - virtual ~Syslog_Analyzer_binpac(); + Syslog_Analyzer(Connection* conn); + virtual ~Syslog_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new Syslog_Analyzer_binpac(conn); } + { return new Syslog_Analyzer(conn); } protected: void ExpireTimer(double t); @@ -28,10 +29,10 @@ protected: // #include "Syslog_tcp_pac.h" // -//class Syslog_TCP_Analyzer_binpac : public TCP_ApplicationAnalyzer { +//class Syslog_TCP_Analyzer : public TCP_ApplicationAnalyzer { //public: -// Syslog_TCP_Analyzer_binpac(Connection* conn); -// virtual ~Syslog_TCP_Analyzer_binpac(); +// Syslog_TCP_Analyzer(Connection* conn); +// virtual ~Syslog_TCP_Analyzer(); // // virtual void Done(); // virtual void DeliverStream(int len, const u_char* data, bool orig); @@ -39,7 +40,7 @@ protected: // virtual void EndpointEOF(TCP_Reassembler* endp); // // static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) -// { return new Syslog_TCP_Analyzer_binpac(conn); } +// { return new Syslog_TCP_Analyzer(conn); } // //protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; diff --git a/src/protocols/syslog/events.bif b/src/protocols/syslog/events.bif new file mode 100644 index 0000000000..f82adc7e69 --- /dev/null +++ b/src/protocols/syslog/events.bif 
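Review bot: `void ExpireTimer(double t);` under `protected:` in the new `Syslog_Analyzer` declares a member whose only definition in `Syslog.cc` is commented out, so the renamed class still carries a declaration that nothing can call without a link error. Either drop the declaration or comment it out alongside the body, with a note such as `// ExpireTimer: not implemented; body commented out in Syslog.cc pending session-timeout support` so the next reader does not go looking for it. The `#include "TCP.h"` in a header for an analyzer whose plugin description says UDP-only appears to serve only the commented-out `Syslog_TCP_Analyzer`; if that is the case, say so in a comment or move it next to that block. The class's data members (`interp`, `did_session_done`) lie past the end of this hunk.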
@@ -0,0 +1,17 @@ + +## Generated for monitored Syslog messages. +## +## See `Wikipedia `__ for more +## information about the Syslog protocol. +## +## c: The connection record for the underlying transport-layer session/flow. +## +## facility: The "facility" included in the message. +## +## severity: The "severity" included in the message. +## +## msg: The message logged. +## +## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP +## syslog will be added soon. +event syslog_message%(c: connection, facility: count, severity: count, msg: string%); diff --git a/src/syslog-analyzer.pac b/src/protocols/syslog/syslog-analyzer.pac similarity index 100% rename from src/syslog-analyzer.pac rename to src/protocols/syslog/syslog-analyzer.pac diff --git a/src/syslog-protocol.pac b/src/protocols/syslog/syslog-protocol.pac similarity index 100% rename from src/syslog-protocol.pac rename to src/protocols/syslog/syslog-protocol.pac diff --git a/src/syslog.pac b/src/protocols/syslog/syslog.pac similarity index 79% rename from src/syslog.pac rename to src/protocols/syslog/syslog.pac index 3c0ecfb10d..5e7176da2a 100644 --- a/src/syslog.pac +++ b/src/protocols/syslog/syslog.pac @@ -1,3 +1,8 @@ + +%extern{ + #include "events.bif.h" +%} + %include binpac.pac %include bro.pac diff --git a/testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log b/testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log new file mode 100644 index 0000000000..df53ef42f6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path syslog +#open 2013-04-05-20-06-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto facility severity message +#types time string addr port addr port enum string string string +1365191811.424495 UWkUyAuUGXf 127.0.0.1 57067 127.0.0.1 514 udp LOCAL0 NOTICE Apr 5 12:56:51 robin: Hello, syslog!\x00 +#close 2013-04-05-20-06-27 diff --git a/testing/btest/Traces/syslog-single-udp.trace b/testing/btest/Traces/syslog-single-udp.trace new file mode 100644 index 0000000000..9e1505a38a Binary files /dev/null and b/testing/btest/Traces/syslog-single-udp.trace differ diff --git a/testing/btest/scripts/base/protocols/syslog/trace.test b/testing/btest/scripts/base/protocols/syslog/trace.test new file mode 100644 index 0000000000..78b681a9d8 --- /dev/null +++ b/testing/btest/scripts/base/protocols/syslog/trace.test @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -r $TRACES/syslog-single-udp.trace %INPUT +# @TEST-EXEC: btest-diff syslog.log + +@load base/protocols/syslog
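Review bot: The new baseline records the message as `Hello, syslog!\x00`, meaning the analyzer passes the sender's terminating NUL through into the `message` field; any script comparing the message text or using a `$`-anchored pattern would silently miss such records. Decide whether this is intended — keeping the raw bytes for fidelity — and if so document it in the test (`# Payload is NUL-terminated; the analyzer deliberately keeps the NUL in the message field`), otherwise trim the trailing NUL in the parser before the event fires and regenerate the baseline. The trace is binary and not visible here, so this is inferred from the baseline line alone.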